Intercept is a deterministic enforcement proxy for the Model Context Protocol (MCP). It sits between an AI agent and an MCP server, evaluating every tools/call request against YAML-defined policies. Violating calls are blocked at the transport layer before reaching the upstream server.
See every tool your AI agent has access to — before adding any rules:
npx -y @policylayer/intercept scan -- npx -y @modelcontextprotocol/server-githubThis connects to the server, discovers all available tools, and shows you the full attack surface. Then add a policy to lock it down.
| System prompt | Intercept | |
|---|---|---|
| Enforcement | Probabilistic — model can ignore | Deterministic — blocked at transport layer |
| Bypassable | Yes — injection, reasoning, context overflow | No — agent never sees the rules |
| Stateful | No — no memory of previous calls | Yes — counters, spend tracking, sliding windows |
| Auditable | No — no structured log of decisions | Yes — every allow/deny logged with reason |
| Latency | N/A | <1ms per evaluation |
Prompt guardrails are suggestions to an intelligence. Intercept is a lock on the door.
- Block tool calls — deny dangerous tools unconditionally (e.g.
delete_repository) - Validate arguments — enforce constraints on tool arguments (
amount <= 500,currency in [usd, eur]) - Rate limit — cap calls per minute, hour, or day with
rate_limit: 5/hourshorthand - Track spend — stateful counters with dynamic increments (e.g. sum
args.amountacross calls) - Hide tools — strip tools from
tools/listso the agent never sees them, saving context window tokens - Default deny — allowlist mode where only explicitly listed tools are permitted
- Hot reload — edit the policy file while running; changes apply immediately without restart
- Validate policies —
intercept validate -c policy.yamlcatches errors before deployment
Your agent batch-refunds $14,000 before anyone notices
create_refund:
rules:
- name: "cap-refunds"
rate_limit: "10/day"
on_deny: "Daily refund limit reached"Your agent deletes a production repository
delete_file:
rules:
- name: "block-delete"
action: deny
on_deny: "File deletion blocked by policy"Your agent spins up 50 EC2 instances overnight
create_resource:
rules:
- name: "limit-resource-creation"
rate_limit: "10/hour"
on_deny: "Resource creation rate limit reached"Your agent sends an email to the wrong person
messages_send:
rules:
- name: "limit-sends"
rate_limit: "5/hour"
on_deny: "Email send rate limit reached"Ready-made policies for all of these: 130+ policy templates
npx:
npx -y @policylayer/intercept -c policy.yaml --upstream https://mcp.stripe.com --header "Authorization: Bearer sk_live_..."npm:
npm install -g @policylayer/interceptGo:
go install github.com/policylayer/intercept@latestPre-built binaries:
Download from GitHub Releases and place the binary on your PATH.
1. Generate a policy scaffold from a running MCP server:
intercept scan -o policy.yaml -- npx -y @modelcontextprotocol/server-stripeThis connects to the server, discovers all available tools, and writes a commented YAML file listing each tool with its parameters.
2. Edit the policy to add rules:
version: "1"
description: "Stripe MCP server policies"
hide:
- delete_customer
- delete_product
- delete_invoice
tools:
create_charge:
rules:
- name: "max single charge"
conditions:
- path: "args.amount"
op: "lte"
value: 50000
on_deny: "Single charge cannot exceed $500.00"
- name: "daily spend cap"
conditions:
- path: "state.create_charge.daily_spend"
op: "lte"
value: 1000000
on_deny: "Daily spending cap of $10,000.00 reached"
state:
counter: "daily_spend"
window: "day"
increment_from: "args.amount"
- name: "allowed currencies"
conditions:
- path: "args.currency"
op: "in"
value: ["usd", "eur"]
on_deny: "Only USD and EUR charges are permitted"
create_refund:
rules:
- name: "refund limit"
rate_limit: 10/day
on_deny: "Daily refund limit (10) reached"3. Run the proxy:
intercept -c policy.yaml --upstream https://mcp.stripe.com --header "Authorization: Bearer sk_live_..."Intercept proxies all MCP traffic and enforces your policy on every tool call. Hidden tools are stripped from the agent's view entirely.
The policies/ directory contains ready-made policy scaffolds for 130+ popular MCP servers including GitHub, Stripe, AWS, Notion, Slack, and more. Each file lists every tool with its description, grouped by category (Read, Write, Execute, Financial, Destructive).
Copy one as a starting point:
cp policies/stripe.yaml policy.yaml
# edit to add your rules, then:
intercept -c policy.yaml --upstream https://mcp.stripe.comBrowse all policies → policies/
To use Intercept with Claude Code (or any MCP client that reads .mcp.json), point the server command at Intercept:
{
"mcpServers": {
"github": {
"command": "intercept",
"args": [
"-c", "/path/to/policy.yaml",
"--",
"npx", "-y", "@modelcontextprotocol/server-github"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "..."
}
}
}
}For remote HTTP servers, use --upstream instead of a command:
{
"mcpServers": {
"stripe": {
"command": "intercept",
"args": [
"-c", "/path/to/policy.yaml",
"--upstream", "https://mcp.stripe.com",
"--header", "Authorization: Bearer tok"
]
}
}
}Rate limits and counters persist across restarts. SQLite is the default (zero config). Redis is supported for multi-instance deployments:
intercept -c policy.yaml --state-dsn redis://localhost:6379 --upstream https://mcp.stripe.com- CLI reference: all commands, flags, transport modes, state backends, event logging
- Policy reference: YAML format, conditions, operators, stateful counters, examples
- Example policies: ready-made scaffolds for 130+ MCP servers
Contributions welcome — open an issue to discuss what you'd like to change.