Open-source MCP proxy

THE FIREWALL FOR
AI AGENTS

Wraps any MCP server and checks every tool call before it runs.
Works with Claude Desktop, Cursor, Windsurf, and custom agents. No code changes.

npx -y @policylayer/intercept
or
go install github.com/policylayer/intercept@latest
(npm runs instantly · Go binary for permanent install)
GitHub AWS Stripe MongoDB Cloudflare Supabase Docker
THE PROBLEM

YOUR AGENT HAS ROOT ACCESS

$47K drained in 90 seconds

The agent auto-approved a batch of refunds. No per-transaction cap. No daily limit.

The fix
create_refund amount lte 10000 # cents
✓ Refunds capped at $100 per transaction

1.2M customer records exposed

A reporting agent exported the full users table to a public S3 bucket. Front-page news.

The fix
put_object args.acl neq "public-read"
✓ Public ACL blocked

Production cluster terminated

A cleanup agent decided idle instances were unused. They were the primary API cluster.

The fix
terminate_instances deny
✓ Termination blocked

Domain hijacked for 6 hours

An agent updated the A record. Customer traffic redirected to an unknown IP.

The fix
update_dns_record deny
✓ DNS changes blocked

Private repo public for 9 hours

A CI agent toggled repo visibility. Source code, API keys, internal docs exposed.

The fix
update_repository args.visibility neq "public"
✓ Public visibility blocked

800K rows dropped without backup

A migration agent dropped the users collection to "start fresh." Recovery took 3 days.

The fix
drop_collection deny
✓ Collection drops blocked

Every one of these is one YAML rule.

SCAN. DEFINE. ENFORCE.

Wrap any MCP server. Agent sees the same tools. Intercept decides what runs.

01 Scan
intercept scan -o policy.yaml -- npx -y @modelcontextprotocol/server-filesystem
02 Define
version: "1"

tools:
  write_file:
    rules:
      - name: "restrict paths"
        conditions:
          - path: "args.path"
            op: "regex"
            value: "^/app/src/"
        on_deny: "Writes restricted to /app/src"

  edit_file:
    rules:
      - name: "throttle edits"
        rate_limit: 20/minute

  move_file:
    rules:
      - name: "block moves"
        action: "deny"
        on_deny: "File moves not permitted"
03 Enforce
intercept -c policy.yaml -- npx -y @modelcontextprotocol/server-filesystem
Caps · pattern matching · set membership · nested paths · stateful counters · wildcards
args.amount lt 10000
Less than — cap values
args.region in ["us-east-1", "eu-west-1"]
Set membership — lock regions
args.email regex ".*@company\\.com$"
Pattern match — validate formats
args.metadata.env neq "production"
Nested paths — deep argument access
state.tool.counter lte 100
Stateful counters — track across calls
args.body contains "DROP TABLE"
Substring check — catch dangerous content

See all 11 operators →

READY-TO-USE POLICIES FOR 100+ SERVERS

Pre-built policy files listing every tool, categorised. Copy one, add your rules, run.

100+ servers. Thousands of tools. All open source.

Browse all policies on GitHub →

No Surprises in Production

Fail-closed

If the proxy can't evaluate a call, the call is denied. Safety is the default, not the exception.

Hot reload

Edit policies live. Valid changes swap in instantly, invalid ones are rejected. Counters persist across reloads.

Sub-ms evaluation

Policy checks run in-process before forwarding. No network round-trips, no added latency to your agent.

Audit trail

Every decision logged as structured JSONL. Tool name, result, matched rule. Arguments hashed so logs stay safe to share.

SQLite by default

Rate limits and counters work out of the box. Switch to Redis when you need shared state across instances.

Single binary

One Go binary. No runtime, no dependencies, no sidecar. Install and run in seconds on any platform.

FREQUENTLY ASKED QUESTIONS

An open-source proxy that wraps any MCP server. One line change in .mcp.json.

Point your agent at intercept -c policy.yaml -- followed by the original server command. Intercept launches the upstream server as a subprocess, proxies stdio, and evaluates every tools/call against your YAML policies before forwarding. The agent sees the same tools, same schemas — it doesn't know Intercept is there.
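
The following Go example is added here and is not Intercept's source; it shows one way a proxy can decide on a JSON-RPC tools/call message using the page's path / op / value conditions, including nested argument paths. Cond, holds and Allow are hypothetical names, only lte and regex are handled, and treating a missing argument, a wrong type or an unknown operator as a deny is this example's reading of fail-closed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Cond is one rule condition (hypothetical type): dotted argument path, operator, value.
type Cond struct{ Path, Op string; Value any }

// holds resolves c.Path in args and applies c.Op; anything it cannot evaluate is false.
func holds(c Cond, args map[string]any) bool {
	var got any = args
	for _, k := range strings.Split(strings.TrimPrefix(c.Path, "args."), ".") {
		m, _ := got.(map[string]any) // nil map when got is not an object
		got = m[k]                   // nil when the key is absent
	}
	switch want := c.Value.(type) {
	case float64:
		n, ok := got.(float64) // JSON numbers decode to float64
		return ok && c.Op == "lte" && n <= want
	case string:
		s, ok := got.(string)
		re, err := regexp.Compile(want)
		return ok && c.Op == "regex" && err == nil && re.MatchString(s)
	}
	return false // unsupported value type: deny (assumed fail-closed behaviour)
}

// Allow decodes one JSON-RPC line; a tools/call must satisfy every condition for its tool.
func Allow(line []byte, policy map[string][]Cond) bool {
	var req struct{ Method string; Params struct{ Name string; Arguments map[string]any } }
	if json.Unmarshal(line, &req) != nil {
		return false // unparseable message: deny
	}
	for _, c := range policy[req.Params.Name] {
		if req.Method == "tools/call" && !holds(c, req.Params.Arguments) {
			return false
		}
	}
	return true // other methods and tools without rules pass through
}

func main() { // constructed sample call, checked against the page's refund cap
	call := []byte(`{"method":"tools/call","params":{"name":"create_refund","arguments":{"amount":25000}}}`)
	fmt.Println(Allow(call, map[string][]Cond{"create_refund": {{"args.amount", "lte", 10000.0}}}))
}
```

The regex operator here is applied to the raw argument string, so a value such as /app/src/../x still satisfies ^/app/src/; pair a prefix rule like this with a rule that rejects ".." segments or with path normalisation in the upstream server.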

Anything expressible as a condition on tool name, arguments, or state.

  • Unconditional blocks — prevent destructive tools from ever running (delete_repository, drop_collection)
  • Argument validation — check values before execution (args.amount lte 50000, args.region in ["us-east-1"])
  • Spend caps — track cumulative totals across calls (state.create_charge.daily_spend lt 1000000)
  • Rate limits — cap calls per minute, hour, or day
  • Tool hiding — remove tools from the agent's context entirely
  • Wildcard rules — apply a condition to every tool at once with *

Yes. Any client that speaks MCP over stdio.

Claude Desktop, Cursor, Windsurf, custom agents — if it connects to MCP servers, Intercept can sit in front of them. No client-side changes required.

Negligible. Policy evaluation runs in-process.

No network round-trips for policy checks. The added latency is sub-millisecond. The only network dependency is if you use Redis for shared state, which adds a single round-trip per stateful rule.

SECURE YOUR AGENTS IN 5 MINUTES

Open source. One binary. Zero dependencies.

npx -y @policylayer/intercept
or
go install github.com/policylayer/intercept@latest

Then run intercept scan -o policy.yaml -- your-server to generate a policy for any MCP server.

github.com/policylayer/intercept