Deterministic enforcement at the MCP layer

THE FIREWALL FOR AI AGENTS

One proxy between your agent and everything it can break.

npm install -g @policylayer/intercept

or

go install github.com/policylayer/intercept@latest
github.com/policylayer/intercept
intercept v1.0

Enforce policies on agents powered by

Claude GPT Gemini Llama Mistral Grok Qwen Command R DeepSeek Phi

Open source · Apache 2.0 · Single Go binary · Pre-built policies for 100+ servers

THE PROBLEM

YOUR AGENT HAS ROOT ACCESS

$47K drained in 90 seconds

The agent auto-approved a batch of refunds. No per-transaction cap. No daily limit. Finance found out on Monday.

create_refund amount: 4700000

1.2M customer records exposed

A reporting agent exported the full users table to a public S3 bucket. Names, emails, payment methods. Front-page news.

put_object bucket: "reports-public" key: "users-full.csv"

Production cluster terminated

A cleanup agent decided idle instances were unused. They were the primary API cluster. 23 minutes of downtime.

terminate_instances ids: ["i-0a1b2c3d", ...]

Domain hijacked for 6 hours

An agent updated the A record. Customer traffic redirected to an unknown IP. SOC found out from Twitter.

update_dns_record name: "app.company.com"

Private repo public for 9 hours

A CI agent toggled repository visibility to fix a permissions issue. Source code, API keys, and internal docs exposed to the internet.

update_repository visibility: "public"

800K rows dropped without backup

A migration agent dropped the users collection to "start fresh." No snapshot. No confirmation step. Recovery took 3 days.

drop_collection name: "users"

Every one of these is preventable with Intercept.

HOW IT WORKS

YOUR RULES. ENFORCED ON EVERY CALL.

Prompts are probabilistic. Enforcement must be deterministic.

Agent
Upstream
Intercept
create_charge
terminate_instances
list_issues
delete_repository
find
put_object
run_instances
drop_collection
create_issue
update_dns_record
create_pull_request
delete_customer
insert_one
update_repository
create_charge

Every tool call flows through Intercept. If it breaks a rule, it never executes.

GET STARTED

SCAN. DEFINE. ENFORCE.

Wrap any MCP server. Same tools, same schemas, complete control.

01 / Scan

Discover

Connect to any MCP server and generate a policy scaffold. Every tool listed, parameters documented.

intercept scan -o policy.yaml \
  -- npx -y server-github

02 / Edit

Define

Add rules to the generated YAML. Rate limits, spend caps, unconditional blocks. Every tool is already listed — just add your conditions.

delete_repository:
  rules:
    - name: "block deletion"
      action: "deny"
      on_deny: "Not permitted"

03 / Run

Enforce

Launch the proxy. It wraps the upstream server and enforces your policy on every tool call.

intercept -c policy.yaml \
  -- npx -y server-github
POLICIES

WHAT YOU CAN CONTROL

Your agent needs these tools. You need limits.

Spend caps

Stripe · Payments

Cap every charge at $500. Cap daily spend at $10K. Block refunds over $100.

create_charge amount lte 50000
create_charge daily_spend lt 1000000
create_refund amount lte 10000
✕ DENIED — Daily cap of $10,000 reached

Block destructive actions

GitHub · Repos

Block repo deletion. Rate-limit PRs to 3/hour. Hide 50 irrelevant tools from context.

delete_repository deny
create_pull_request rate_limit 3/hour
hide transfer_repository, create_deployment, +47
✕ DENIED — Repo deletion not permitted

Lock to approved regions

AWS · Infrastructure

Lock all calls to us-east-1. Block instance termination. Restrict to approved instance types.

* args.region in ["us-east-1"]
terminate_instances deny
run_instances args.type in ["t3.micro", "t3.small"]
✕ DENIED — Region eu-west-1 not allowed

Protect production data

MongoDB · Database

Block collection drops. Rate-limit writes to 100/hour. Default deny everything, allowlist reads.

default deny
find allow
insert_one rate_limit 100/hour
drop_collection deny
✕ DENIED — Collection drops not permitted

11 operators — express anything

eq neq lt lte gt gte in not_in regex contains exists
args.metadata.key

Nested path access

state.tool.counter

Stateful counters

"*"

Wildcard matching

POLICY LIBRARY

POLICY SCAFFOLDS FOR 100+ SERVERS

Pre-built policy files listing every tool, categorised. Copy one, add your rules, run.

GitHub
83 tools
repos issues pull requests actions
AWS
55 tools
s3 lambda dynamodb
Azure
49 tools
cloud infrastructure
MongoDB
36 tools
database atlas aggregation
Stripe
27 tools
payments billing subscriptions
Supabase
32 tools
postgres storage edge functions
Grafana
29 tools
dashboards prometheus loki
Sentry
25 tools
error tracking monitoring
Cloudflare
23 tools
workers dns r2
Docker
19 tools
containers images volumes
Datadog
20 tools
apm logs monitoring
Slack
8 tools
messaging channels

100+ servers. Thousands of tools. All open source.

Browse all policies on GitHub

BUILT FOR PRODUCTION

Fail-closed

If the proxy can't evaluate a call, the call is denied. Safety is the default, not the exception.

Hot reload

Edit policies live. Valid changes swap in instantly, invalid ones are rejected. Counters persist across reloads.

Sub-ms evaluation

Policy checks run in-process before forwarding. No network round-trips, no added latency to your agent.

Audit trail

Every decision logged as structured JSONL. Tool name, result, matched rule. Arguments hashed so logs stay safe to share.

Zero-config state

SQLite out of the box for rate limits and counters. Switch to Redis when you need shared state across instances.

Single binary

One Go binary. No runtime, no dependencies, no sidecar. Install and run in seconds on any platform.

FREQUENTLY ASKED QUESTIONS

SECURE YOUR AGENTS IN 5 MINUTES

Open source. One binary. Zero dependencies.

npm install -g @policylayer/intercept

or

go install github.com/policylayer/intercept@latest
github.com/policylayer/intercept