From ee1b99f9826902af9f3e41a45926e9b605cb29b0 Mon Sep 17 00:00:00 2001 
From: LIAD Date: Wed, 4 Mar 2026 16:07:30 +0000 Subject: [PATCH] feat: add policy templates for 43 MCP servers with browse page Add ready-made YAML policy scaffolds for popular MCP servers (GitHub, Stripe, AWS, Slack, Notion, etc.) with tools grouped by category. Include a policies browser page on the site and update README/POLICY.md to reference the new templates. --- .gitignore | 1 + POLICY.md | 2 + README.md | 15 + policies/asana.yaml | 70 ++++ policies/atlassian.yaml | 86 +++++ policies/aws.yaml | 192 +++++++++++ policies/azure.yaml | 172 ++++++++++ policies/brave-search.yaml | 41 +++ policies/chargebee.yaml | 29 ++ policies/circleci.yaml | 71 ++++ policies/clickhouse.yaml | 36 ++ policies/cloudflare.yaml | 94 +++++ policies/datadog.yaml | 84 +++++ policies/docker.yaml | 84 +++++ policies/elevenlabs.yaml | 55 +++ policies/exa.yaml | 48 +++ policies/figma.yaml | 46 +++ policies/filesystem.yaml | 61 ++++ policies/firecrawl.yaml | 45 +++ policies/git.yaml | 67 ++++ policies/github.yaml | 277 +++++++++++++++ policies/gitlab.yaml | 70 ++++ policies/google-drive.yaml | 26 ++ policies/grafana.yaml | 112 ++++++ policies/linear.yaml | 93 +++++ policies/memory.yaml | 53 +++ policies/mixpanel.yaml | 81 +++++ policies/mongodb.yaml | 134 ++++++++ policies/neo4j.yaml | 36 ++ policies/neon.yaml | 114 +++++++ policies/notion.yaml | 73 ++++ policies/paypal.yaml | 116 +++++++ policies/playwright.yaml | 98 ++++++ policies/postgres.yaml | 26 ++ policies/postman.yaml | 116 +++++++ policies/puppeteer.yaml | 45 +++ policies/qdrant.yaml | 30 ++ policies/semgrep.yaml | 49 +++ policies/sentry.yaml | 100 ++++++ policies/shopify.yaml | 42 +++ policies/slack.yaml | 49 +++ policies/square.yaml | 33 ++ policies/stripe.yaml | 106 ++++++ policies/supabase.yaml | 123 +++++++ policies/tavily.yaml | 36 ++ policies/twilio.yaml | 133 ++++++++ site/index.html | 161 ++++++++- site/policies.html | 683 +++++++++++++++++++++++++++++++++++++ 48 files changed, 4310 insertions(+), 4 deletions(-) create 
mode 100644 policies/asana.yaml
create mode 100644 policies/atlassian.yaml
create mode 100644 policies/aws.yaml
create mode 100644 policies/azure.yaml
create mode 100644 policies/brave-search.yaml
create mode 100644 policies/chargebee.yaml
create mode 100644 policies/circleci.yaml
create mode 100644 policies/clickhouse.yaml
create mode 100644 policies/cloudflare.yaml
create mode 100644 policies/datadog.yaml
create mode 100644 policies/docker.yaml
create mode 100644 policies/elevenlabs.yaml
create mode 100644 policies/exa.yaml
create mode 100644 policies/figma.yaml
create mode 100644 policies/filesystem.yaml
create mode 100644 policies/firecrawl.yaml
create mode 100644 policies/git.yaml
create mode 100644 policies/github.yaml
create mode 100644 policies/gitlab.yaml
create mode 100644 policies/google-drive.yaml
create mode 100644 policies/grafana.yaml
create mode 100644 policies/linear.yaml
create mode 100644 policies/memory.yaml
create mode 100644 policies/mixpanel.yaml
create mode 100644 policies/mongodb.yaml
create mode 100644 policies/neo4j.yaml
create mode 100644 policies/neon.yaml
create mode 100644 policies/notion.yaml
create mode 100644 policies/paypal.yaml
create mode 100644 policies/playwright.yaml
create mode 100644 policies/postgres.yaml
create mode 100644 policies/postman.yaml
create mode 100644 policies/puppeteer.yaml
create mode 100644 policies/qdrant.yaml
create mode 100644 policies/semgrep.yaml
create mode 100644 policies/sentry.yaml
create mode 100644 policies/shopify.yaml
create mode 100644 policies/slack.yaml
create mode 100644 policies/square.yaml
create mode 100644 policies/stripe.yaml
create mode 100644 policies/supabase.yaml
create mode 100644 policies/tavily.yaml
create mode 100644 policies/twilio.yaml
create mode 100644 site/policies.html
diff --git a/.gitignore b/.gitignore
index 1adbc09..3e28c89 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 .claude
 /intercept
 dist/
+scripts/generate-policies/
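Review bot: Ignoring `scripts/generate-policies/` while every new `policies/*.yaml` carries a `# Generated by Intercept` header and a `# Generated:` timestamp keeps the generator that produced the 43 templates out of the repository, so nobody else can regenerate them when an upstream server adds or renames a tool, and the committed YAML cannot be checked against its source. Either commit the generator or state in the README's new "Example policies" section how the files were produced and how to refresh them. If the directory is excluded on purpose, a one-line comment in `.gitignore`, `# policy generator kept out of tree; see README for how templates are refreshed`, would make that intent visible.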
diff --git a/POLICY.md b/POLICY.md
index fc27b93..991a60e 100644
--- a/POLICY.md
+++ b/POLICY.md
@@ -6,6 +6,8 @@ This document covers the YAML policy file format used by Intercept to enforce ru
 A policy file defines which tool calls are allowed, denied, or rate-limited. Intercept loads the policy on startup and evaluates every incoming `tools/call` request against it. Calls that pass all rules are forwarded to the upstream MCP server. Calls that fail any rule receive a denial message instead.
+> **Quick start:** The [`policies/`](policies/) directory contains ready-made scaffolds for 43 MCP servers. Copy one and add your rules.
+
 ## Top-level structure
 ```yaml
diff --git a/README.md b/README.md
index 27f9702..c1e2d9c 100644
--- a/README.md
+++ b/README.md
@@ -117,6 +117,20 @@ intercept -c policy.yaml --upstream https://mcp.stripe.com --header "Authorizati
 Intercept proxies all MCP traffic and enforces your policy on every tool call. Hidden tools are stripped from the agent's view entirely.
+## Example policies
+
+The `policies/` directory contains ready-made policy scaffolds for 43 popular MCP servers including GitHub, Stripe, AWS, Notion, Slack, and more. Each file lists every tool with its description, grouped by category (Read, Write, Execute, Financial, Destructive).
+
+Copy one as a starting point:
+
+```sh
+cp policies/stripe.yaml policy.yaml
+# edit to add your rules, then:
+intercept -c policy.yaml --upstream https://mcp.stripe.com
+```
+
+Browse all policies → [policies/](policies/)
+
 ## MCP client integration
 To use Intercept with Claude Code (or any MCP client that reads `.mcp.json`), point the server command at Intercept:
@@ -168,6 +182,7 @@ intercept -c policy.yaml --state-dsn redis://localhost:6379 --upstream https://m
 - [CLI reference](USAGE.md): all commands, flags, transport modes, state backends, event logging
 - [Policy reference](POLICY.md): YAML format, conditions, operators, stateful counters, examples
+- [Example policies](policies/): ready-made scaffolds for 43 MCP servers
 ## License
diff --git a/policies/asana.yaml b/policies/asana.yaml
new file mode 100644
index 0000000..97c9b50
--- /dev/null
+++ b/policies/asana.yaml
@@ -0,0 +1,70 @@ +# ───────────────────────────────────────────────────────── +# Policy: Asana MCP Server +# Server: roychri/mcp-server-asana +# Homepage: https://github.com/roychri/mcp-server-asana +# Tags: asana, project-management, tasks, collaboration +# Tools: 15 +# Generated: 2026-03-04T16:57:07Z + +# Generated by Intercept — https://intercept.policylayer.com +# Control what AI agents can do — enforce policies on every MCP tool call. +# ───────────────────────────────────────────────────────── +version: "1" +description: "Policy for roychri/mcp-server-asana" +# Set to "deny" to reject tool calls not listed below +default: "allow" +tools: + # ── Read Tools ─────────────────────────────────────────── + # asana_get_project: Get detailed information about a specific project + asana_get_project: + rules: [] + # asana_get_task: Get detailed information about a specific task + asana_get_task: + rules: [] + # asana_get_task_stories: Get comments and stories for a specific task + asana_get_task_stories: + rules: [] + # asana_get_tasks_by_tag: Get tasks associated with a specific tag + asana_get_tasks_by_tag: + rules: [] + # asana_list_project_sections: Retrieve sections within a project + asana_list_project_sections: + rules: [] + # asana_list_tags: Get tags in a workspace + asana_list_tags: + rules: [] + # asana_list_workspaces: List all available workspaces in Asana + asana_list_workspaces: + rules: [] + # asana_search_projects: Search for projects within a workspace by name + asana_search_projects: + rules: [] + # asana_search_tasks: Search tasks within a workspace with advanced filters + asana_search_tasks: + rules: [] + # ── Write Tools ─────────────────────────────────────────── + # asana_add_comment: Add a comment to a task + asana_add_comment: + rules: [] + # asana_create_subtask: Create a subtask under an existing parent task + asana_create_subtask: + rules: [] + # asana_create_task: Create a new task in a specified project + asana_create_task: + rules: [] + 
# asana_set_parent: Set or reassign the parent of a task + asana_set_parent: + rules: [] + # asana_update_task: Update an existing task's details + asana_update_task: + rules: [] + # ── Other Tools ─────────────────────────────────────────── + # asana_batch_get_tasks: Batch retrieve up to 25 tasks at once + asana_batch_get_tasks: + rules: [] + + # Uncomment to apply a global rate limit across all tools: + # "*": + # rules: + # - name: "global rate limit" + # rate_limit: 60/minute diff --git a/policies/atlassian.yaml b/policies/atlassian.yaml new file mode 100644 index 0000000..139cd1f --- /dev/null +++ b/policies/atlassian.yaml 
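Review bot: Every scaffold in this commit sets `default: "allow"` and gives each tool `rules: []`, so a copied template enforces nothing, and because every tool is enumerated, following the header's advice to set `default` to "deny" changes nothing either — by its own wording the default applies only to tools not listed below. The Read/Write/Execute/Financial/Destructive headings are comments, so they carry no policy effect; the destructive and execute groups should ship with at least a placeholder rule (the only rule shape the scaffold shows is `rate_limit`; the deny form is documented in POLICY.md, outside this patch), or the header comment should say so: `# All known tools are listed below, so "default" only affects tools added upstream later; to restrict a listed tool, add a rule under it.` The same applies to the atlassian, aws, azure, brave-search, chargebee, circleci, clickhouse and cloudflare hunks in this chunk and, judging by the identical generator header, presumably to the other 34 files in the diffstat.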
@@ -0,0 +1,86 @@ +# ───────────────────────────────────────────────────────── +# Policy: Atlassian Rovo MCP Server +# Server: atlassian/atlassian-mcp-server +# Homepage: https://github.com/atlassian/atlassian-mcp-server +# Tags: atlassian, jira, confluence, project-management +# Tools: 20 +# Generated: 2026-03-04T16:57:07Z + +# Generated by Intercept — https://intercept.policylayer.com +# Control what AI agents can do — enforce policies on every MCP tool call. +# ───────────────────────────────────────────────────────── +version: "1" +description: "Policy for atlassian/atlassian-mcp-server" +# Set to "deny" to reject tool calls not listed below +default: "allow" +tools: + # ── Read Tools ─────────────────────────────────────────── + # getCompassComponent: Get a Compass component + getCompassComponent: + rules: [] + # getConfluencePage: Get a specific Confluence page by ID + getConfluencePage: + rules: [] + # getConfluenceSpace: Get details of a Confluence space + getConfluenceSpace: + rules: [] + # getJiraIssue: Get details of a specific Jira issue + getJiraIssue: + rules: [] + # getVisibleJiraProjects: Get Jira projects visible to the authenticated user + getVisibleJiraProjects: + rules: [] + # listConfluenceSpaces: List all Confluence spaces + listConfluenceSpaces: + rules: [] + # lookupJiraAccountId: Look up account IDs of users by display name or email + lookupJiraAccountId: + rules: [] + # searchCompassComponents: Search Compass components + searchCompassComponents: + rules: [] + # searchConfluenceContent: Search Confluence content using CQL + searchConfluenceContent: + rules: [] + # searchJiraIssuesUsingJql: Search Jira issues using a JQL query + searchJiraIssuesUsingJql: + rules: [] + # ── Write Tools ─────────────────────────────────────────── + # addCommentToJiraIssue: Add a comment to an existing Jira issue + addCommentToJiraIssue: + rules: [] + # createCompassComponent: Create a new Compass component + createCompassComponent: + rules: [] + # 
createConfluencePage: Create a new Confluence page + createConfluencePage: + rules: [] + # createJiraIssue: Create a new Jira issue + createJiraIssue: + rules: [] + # editJiraIssue: Update the details of an existing Jira issue + editJiraIssue: + rules: [] + # updateCompassComponent: Update a Compass component + updateCompassComponent: + rules: [] + # updateConfluencePage: Update an existing Confluence page + updateConfluencePage: + rules: [] + # ── Destructive Tools ─────────────────────────────────────────── + # deleteCompassComponent: Delete a Compass component + deleteCompassComponent: + rules: [] + # deleteConfluencePage: Delete a Confluence page + deleteConfluencePage: + rules: [] + # ── Other Tools ─────────────────────────────────────────── + # transitionJiraIssue: Transition a Jira issue to a new status + transitionJiraIssue: + rules: [] + + # Uncomment to apply a global rate limit across all tools: + # "*": + # rules: + # - name: "global rate limit" + # rate_limit: 60/minute diff --git a/policies/aws.yaml b/policies/aws.yaml new file mode 100644 index 0000000..95c33f5 --- /dev/null +++ b/policies/aws.yaml 
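Review bot: `transitionJiraIssue` ("Transition a Jira issue to a new status") changes issue state and belongs with the Write tools rather than under "Other Tools"; as filed it is the one state-changing tool that escapes the Write/Destructive groupings a reader would restrict. Moving it under `# ── Write Tools ──` is a one-line change and keeps the "Other" section for tools that genuinely do not fit.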
@@ -0,0 +1,192 @@ +# ───────────────────────────────────────────────────────── +# Policy: AWS MCP Servers +# Server: awslabs/mcp +# Homepage: https://github.com/awslabs/mcp +# Tags: aws, cloud, infrastructure, serverless, s3, lambda, dynamodb +# Tools: 55 +# Generated: 2026-03-04T16:57:07Z + +# Generated by Intercept — https://intercept.policylayer.com +# Control what AI agents can do — enforce policies on every MCP tool call. +# ───────────────────────────────────────────────────────── +version: "1" +description: "Policy for awslabs/mcp" +# Set to "deny" to reject tool calls not listed below +default: "allow" +tools: + # ── Read Tools ─────────────────────────────────────────── + # describe_log_groups: List metadata about log groups + describe_log_groups: + rules: [] + # get_active_alarms: Identify currently active alarms + get_active_alarms: + rules: [] + # get_alarm_history: Retrieve historical state changes for alarms + get_alarm_history: + rules: [] + # get_bestpractices: Get guidance on AWS development and deployment + get_bestpractices: + rules: [] + # get_cdk_best_practices: Retrieve AWS CDK best practices + get_cdk_best_practices: + rules: [] + # get_cloudwatch_logs: Access CloudWatch logs for EKS + get_cloudwatch_logs: + rules: [] + # get_cloudwatch_metrics: Retrieve CloudWatch metrics for EKS + get_cloudwatch_metrics: + rules: [] + # get_eks_vpc_config: Retrieve VPC configuration + get_eks_vpc_config: + rules: [] + # get_k8s_events: List Kubernetes events + get_k8s_events: + rules: [] + # get_logs_insight_query_results: Retrieve query execution results + get_logs_insight_query_results: + rules: [] + # get_pod_logs: Retrieve pod logs + get_pod_logs: + rules: [] + # get_regional_availability: Check regional availability for services and features + get_regional_availability: + rules: [] + # get_resource: Retrieve specific resource details + get_resource: + rules: [] + # get_schema: Return CloudFormation schema for resources + get_schema: + rules: [] + # 
list_api_versions: List available Kubernetes API versions + list_api_versions: + rules: [] + # list_k8s_resources: List Kubernetes resources by kind + list_k8s_resources: + rules: [] + # list_knowledge_bases: List available Bedrock knowledge bases + list_knowledge_bases: + rules: [] + # list_regions: List all AWS regions with identifiers + list_regions: + rules: [] + # list_resources: Enumerate resources of specified types + list_resources: + rules: [] + # query_sql: Execute read-only SQL queries against S3 Tables + query_sql: + rules: [] + # read_documentation: Retrieve AWS docs converted to markdown + read_documentation: + rules: [] + # retrieve_agent_sop: Search and retrieve AWS operational procedures + retrieve_agent_sop: + rules: [] + # search_cdk_documentation: Access CDK docs and constructs + search_cdk_documentation: + rules: [] + # search_cfn_documentation: Query CloudFormation docs and patterns + search_cfn_documentation: + rules: [] + # search_documentation: Search across AWS documentation and API references + search_documentation: + rules: [] + # ── Write Tools ─────────────────────────────────────────── + # create_resource: Create AWS resources declaratively + create_resource: + rules: [] + # create_table_from_csv: Convert CSV files to S3 Tables + create_table_from_csv: + rules: [] + # update_resource: Update existing resources + update_resource: + rules: [] + # ── Execute Tools ─────────────────────────────────────────── + # call_aws: Execute authenticated AWS API calls + call_aws: + rules: [] + # execute_log_insights_query: Run CloudWatch Logs Insights queries + execute_log_insights_query: + rules: [] + # invoke_lambda: Execute Lambda functions as MCP tools + invoke_lambda: + rules: [] + # ── Destructive Tools ─────────────────────────────────────────── + # delete_resource: Delete AWS resources + delete_resource: + rules: [] + # tf_destroy: Destroy infrastructure + tf_destroy: + rules: [] + # ── Other Tools ─────────────────────────────────────────── 
+ # analyze_log_group: Detect anomalies, patterns, and errors in logs + analyze_log_group: + rules: [] + # analyze_metric: Analyze CloudWatch metric trends and statistical properties + analyze_metric: + rules: [] + # analyze_stack_failures: Diagnose failed CloudFormation stacks + analyze_stack_failures: + rules: [] + # azureterraformbestpractices: Get Terraform best practices for Azure resources + azureterraformbestpractices: + rules: [] + # bedrock_kb_retrieve: Query knowledge bases for relevant information + bedrock_kb_retrieve: + rules: [] + # cancel_logs_insight_query: Cancel in-progress queries + cancel_logs_insight_query: + rules: [] + # check_cdk_nag_suppressions: Validate CDK Nag suppressions + check_cdk_nag_suppressions: + rules: [] + # dynamodb_data_model_validation: Validate models against actual DynamoDB + dynamodb_data_model_validation: + rules: [] + # dynamodb_data_modeling: Interactive data modeling with design patterns + dynamodb_data_modeling: + rules: [] + # explain_cdk_nag_rule: Explain specific CDK Nag security rules + explain_cdk_nag_rule: + rules: [] + # manage_eks_stacks: Manage EKS CloudFormation stacks + manage_eks_stacks: + rules: [] + # manage_k8s_resource: Read/create/update/delete Kubernetes resources + manage_k8s_resource: + rules: [] + # source_db_analyzer: Extract schema from existing databases + source_db_analyzer: + rules: [] + # suggest_aws_commands: Get AWS CLI command descriptions and syntax help + suggest_aws_commands: + rules: [] + # tf_apply: Apply Terraform changes + tf_apply: + rules: [] + # tf_init: Initialize Terraform working directory + tf_init: + rules: [] + # tf_output: Retrieve output values + tf_output: + rules: [] + # tf_plan: Generate Terraform execution plan + tf_plan: + rules: [] + # tf_state_list: List resources in state + tf_state_list: + rules: [] + # tf_validate: Validate Terraform configuration + tf_validate: + rules: [] + # validate_cfn_security: Check compliance via cfn-guard + validate_cfn_security: + 
rules: [] + # validate_cfn_template: Validate CloudFormation syntax and schema + validate_cfn_template: + rules: [] + + # Uncomment to apply a global rate limit across all tools: + # "*": + # rules: + # - name: "global rate limit" + # rate_limit: 60/minute diff --git a/policies/azure.yaml b/policies/azure.yaml new file mode 100644 index 0000000..3a4c6fd --- /dev/null +++ b/policies/azure.yaml 
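Review bot: `call_aws` ("Execute authenticated AWS API calls") is a generic escape hatch that can reach whatever the other 54 tools reach, so any per-category restriction written against this file is only as strong as the rule on `call_aws` itself; the scaffold should say so beside it, e.g. `# call_aws can reach any AWS API; restrict it whenever any other tool in this file is restricted`. The grouping also files `manage_k8s_resource` ("Read/create/update/delete Kubernetes resources"), `tf_apply` ("Apply Terraform changes") and `manage_eks_stacks` under "Other Tools" while `tf_destroy` and `delete_resource` are the only Destructive entries, and `azureterraformbestpractices` looks like it belongs in the azure file rather than under awslabs/mcp. Since awslabs/mcp is a collection of separate servers, it may be worth recording in the header which servers' tool lists were merged here, because generic names such as `get_resource` and `list_resources` could collide across them — that is an inference from the tool names, not something the patch shows.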
@@ -0,0 +1,172 @@ +# ───────────────────────────────────────────────────────── +# Policy: Azure MCP Server +# Server: Azure/azure-mcp +# Homepage: https://github.com/Azure/azure-mcp +# Tags: azure, cloud, infrastructure, microsoft +# Tools: 49 +# Generated: 2026-03-04T16:57:07Z + +# Generated by Intercept — https://intercept.policylayer.com +# Control what AI agents can do — enforce policies on every MCP tool call. +# ───────────────────────────────────────────────────────── +version: "1" +description: "Policy for Azure/azure-mcp" +# Set to "deny" to reject tool calls not listed below +default: "allow" +tools: + # ── Read Tools ─────────────────────────────────────────── + # search: Manage Azure AI Search resources, indexes, and queries + search: + rules: [] + # ── Financial Tools ─────────────────────────────────────────── + # pricing: Get Azure retail pricing, cost estimates, and billing details + pricing: + rules: [] + # subscription: List Azure subscriptions + subscription: + rules: [] + # ── Other Tools ─────────────────────────────────────────── + # acr: List Azure Container Registry instances + acr: + rules: [] + # advisor: Get recommendations to optimise Azure resources + advisor: + rules: [] + # aks: List Azure Kubernetes Service clusters + aks: + rules: [] + # appconfig: Manage centralized application settings and feature flags + appconfig: + rules: [] + # applens: Diagnose and analyze application performance issues + applens: + rules: [] + # applicationinsights: List Application Insights resources + applicationinsights: + rules: [] + # appservice: Manage Azure App Service instances + appservice: + rules: [] + # azuremigrate: Get step-by-step guidance for Platform Landing Zone changes + azuremigrate: + rules: [] + # bicepschema: Retrieve Bicep schemas for Azure resources + bicepschema: + rules: [] + # cloudarchitect: Design cloud systems with guided questions + cloudarchitect: + rules: [] + # communication: Send SMS and email messages via Azure 
Communication Services + communication: + rules: [] + # compute: Get details for Azure VMs, scale sets, and managed disks + compute: + rules: [] + # confidentialledger: Manage Azure Confidential Ledger resources + confidentialledger: + rules: [] + # cosmos: Work with Azure Cosmos DB accounts, databases, and containers + cosmos: + rules: [] + # datadog: Work with Azure Native ISV services including Datadog + datadog: + rules: [] + # deploy: Deploy and manage Azure resources using templates + deploy: + rules: [] + # eventgrid: Manage Azure Event Grid resources and subscriptions + eventgrid: + rules: [] + # eventhubs: Manage Azure Event Hubs namespaces and event hubs + eventhubs: + rules: [] + # extension: Find Azure CLI commands and get installation instructions + extension: + rules: [] + # fileshares: Manage Azure file shares + fileshares: + rules: [] + # foundry: Work with Azure AI Foundry models, deployments, and endpoints + foundry: + rules: [] + # functionapp: List Azure Functions + functionapp: + rules: [] + # grafana: List Azure Managed Grafana workspaces + grafana: + rules: [] + # group: List Azure resource groups + group: + rules: [] + # keyvault: List and create keys, secrets, certificates in Azure Key Vault + keyvault: + rules: [] + # kusto: Work with Azure Data Explorer clusters, databases, and queries + kusto: + rules: [] + # loadtesting: Create, run, and see load testing + loadtesting: + rules: [] + # managedlustre: Manage Azure Managed Lustre file systems + managedlustre: + rules: [] + # marketplace: Discover Azure Marketplace products and offers + marketplace: + rules: [] + # monitor: Query Azure Monitor logs and metrics + monitor: + rules: [] + # mysql: Manage Azure Database for MySQL servers and databases + mysql: + rules: [] + # policy: Manage Azure Policy assignments, definitions, and initiatives + policy: + rules: [] + # postgres: Manage Azure Database for PostgreSQL servers and databases + postgres: + rules: [] + # quota: Manage Azure resource 
quotas and limits + quota: + rules: [] + # redis: Create and list Azure Redis resources + redis: + rules: [] + # resourcehealth: Check the health status of Azure resources + resourcehealth: + rules: [] + # role: View and manage Azure role-based access control assignments + role: + rules: [] + # servicebus: Work with Azure Service Bus messaging services + servicebus: + rules: [] + # servicefabric: Manage Service Fabric managed clusters + servicefabric: + rules: [] + # signalr: Manage Azure SignalR resources and runtimes + signalr: + rules: [] + # speech: Manage Azure AI Speech resources + speech: + rules: [] + # sql: Work with Azure SQL Database servers, databases, and firewall rules + sql: + rules: [] + # storage: Manage Azure Storage accounts, containers, blobs, and tables + storage: + rules: [] + # storagesync: Manage Azure file sync services + storagesync: + rules: [] + # virtualdesktop: Manage Azure Virtual Desktop host pools and sessions + virtualdesktop: + rules: [] + # workbooks: Create, manage, and update Azure Workbooks + workbooks: + rules: [] + + # Uncomment to apply a global rate limit across all tools: + # "*": + # rules: + # - name: "global rate limit" + # rate_limit: 60/minute diff --git a/policies/brave-search.yaml b/policies/brave-search.yaml new file mode 100644 index 0000000..e22b620 --- /dev/null +++ b/policies/brave-search.yaml 
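Review bot: The Azure scaffold puts 46 of its 49 tools under "Other Tools" and only `search` under Read, so the category grouping the README promises gives no guidance here; `keyvault` ("List and create keys, secrets, certificates"), `role` ("View and manage Azure role-based access control assignments"), `communication` ("Send SMS and email messages"), `deploy` and `sql` ("firewall rules") are privileged write paths sitting in that undifferentiated list, and `subscription` ("List Azure subscriptions") is filed under Financial. The descriptions show these are per-service tools that each bundle read and write operations, so a tool-level rule cannot distinguish listing a vault from creating a secret; the header should say so, e.g. `# Azure tools are per-service and bundle read and write operations; a tool-level rule cannot separate the two`. Whether the policy format can narrow a tool by its arguments is covered by the conditions section of POLICY.md, outside this patch.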
@@ -0,0 +1,41 @@ +# ───────────────────────────────────────────────────────── +# Policy: Brave Search MCP Server +# Server: brave/brave-search-mcp-server +# Homepage: https://github.com/brave/brave-search-mcp-server +# Tags: brave, search, web-search, news, images +# Tools: 6 +# Generated: 2026-03-04T16:57:07Z + +# Generated by Intercept — https://intercept.policylayer.com +# Control what AI agents can do — enforce policies on every MCP tool call. +# ───────────────────────────────────────────────────────── +version: "1" +description: "Policy for brave/brave-search-mcp-server" +# Set to "deny" to reject tool calls not listed below +default: "allow" +tools: + # ── Other Tools ─────────────────────────────────────────── + # brave_image_search: Performs an image search + brave_image_search: + rules: [] + # brave_local_search: Searches for local businesses and places + brave_local_search: + rules: [] + # brave_news_search: Searches for current news articles + brave_news_search: + rules: [] + # brave_summarizer: Retrieves AI-generated summaries of web search results + brave_summarizer: + rules: [] + # brave_video_search: Searches for videos with metadata and thumbnails + brave_video_search: + rules: [] + # brave_web_search: Returns web results with title, description, and URL + brave_web_search: + rules: [] + + # Uncomment to apply a global rate limit across all tools: + # "*": + # rules: + # - name: "global rate limit" + # rate_limit: 60/minute diff --git a/policies/chargebee.yaml b/policies/chargebee.yaml new file mode 100644 index 0000000..57cce0e --- /dev/null +++ b/policies/chargebee.yaml 
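Review bot: All six Brave tools are searches, yet none is filed under Read and the file has only an "Other Tools" section; `brave_web_search` ("Returns web results with title, description, and URL") is as read-only as any `get_*` tool the other scaffolds place under Read. Filing them under `# ── Read Tools ──` would match the rest of the set and make the grouping mean the same thing in every file.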
@@ -0,0 +1,29 @@ +# ───────────────────────────────────────────────────────── +# Policy: Chargebee MCP Server +# Server: chargebee/agentkit +# Homepage: https://github.com/chargebee/agentkit +# Tags: chargebee, billing, subscriptions, payments, saas +# Tools: 2 +# Generated: 2026-03-04T16:57:07Z + +# Generated by Intercept — https://intercept.policylayer.com +# Control what AI agents can do — enforce policies on every MCP tool call. +# ───────────────────────────────────────────────────────── +version: "1" +description: "Policy for chargebee/agentkit" +# Set to "deny" to reject tool calls not listed below +default: "allow" +tools: + # ── Financial Tools ─────────────────────────────────────────── + # chargebee_code_planner: Generate structured code outlines and sample code for Chargebee API integration + chargebee_code_planner: + rules: [] + # chargebee_documentation_search: Search Chargebee documentation for detailed information and usage guides + chargebee_documentation_search: + rules: [] + + # Uncomment to apply a global rate limit across all tools: + # "*": + # rules: + # - name: "global rate limit" + # rate_limit: 60/minute diff --git a/policies/circleci.yaml b/policies/circleci.yaml new file mode 100644 index 0000000..feaea81 --- /dev/null +++ b/policies/circleci.yaml 
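Review bot: `chargebee_code_planner` and `chargebee_documentation_search` are filed under "Financial Tools" although their own descriptions say they generate code outlines and search documentation — neither touches billing or payment data. The label appears to follow the server's tags (`billing, subscriptions, payments`) rather than what each tool does, which is the wrong signal for someone deciding where a deny rule belongs; Read fits both.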
@@ -0,0 +1,71 @@ +# ───────────────────────────────────────────────────────── +# Policy: CircleCI MCP Server +# Server: CircleCI-Public/mcp-server-circleci +# Homepage: https://github.com/CircleCI-Public/mcp-server-circleci +# Tags: circleci, ci-cd, testing, pipelines, deployment +# Tools: 15 +# Generated: 2026-03-04T16:57:07Z + +# Generated by Intercept — https://intercept.policylayer.com +# Control what AI agents can do — enforce policies on every MCP tool call. +# ───────────────────────────────────────────────────────── +version: "1" +description: "Policy for CircleCI-Public/mcp-server-circleci" +# Set to "deny" to reject tool calls not listed below +default: "allow" +tools: + # ── Read Tools ─────────────────────────────────────────── + # find_flaky_tests: Identify flaky tests by analysing test execution history + find_flaky_tests: + rules: [] + # find_underused_resource_classes: Find jobs with underused compute resources + find_underused_resource_classes: + rules: [] + # get_build_failure_logs: Retrieve detailed failure logs from builds + get_build_failure_logs: + rules: [] + # get_job_test_results: Retrieve test metadata and results for jobs + get_job_test_results: + rules: [] + # get_latest_pipeline_status: Get status of latest pipeline for a branch + get_latest_pipeline_status: + rules: [] + # list_component_versions: List all versions for a CircleCI component + list_component_versions: + rules: [] + # list_followed_projects: List all CircleCI projects you are following + list_followed_projects: + rules: [] + # ── Write Tools ─────────────────────────────────────────── + # create_prompt_template: Generate structured prompt templates for AI applications + create_prompt_template: + rules: [] + # ── Execute Tools ─────────────────────────────────────────── + # run_pipeline: Trigger a pipeline to run + run_pipeline: + rules: [] + # run_rollback_pipeline: Trigger a rollback for a project + run_rollback_pipeline: + rules: [] + # ── Other Tools 
─────────────────────────────────────────── + # analyse_diff: Analyse git diffs against cursor rules for violations + analyse_diff: + rules: [] + # config_helper: Validate and get guidance for CircleCI configuration + config_helper: + rules: [] + # download_usage_api_data: Download usage data from CircleCI Usage API + download_usage_api_data: + rules: [] + # recommend_prompt_template_tests: Generate test cases for prompt templates + recommend_prompt_template_tests: + rules: [] + # rerun_workflow: Rerun workflow from start or from failed job + rerun_workflow: + rules: [] + + # Uncomment to apply a global rate limit across all tools: + # "*": + # rules: + # - name: "global rate limit" + # rate_limit: 60/minute diff --git a/policies/clickhouse.yaml b/policies/clickhouse.yaml new file mode 100644 index 0000000..0f3d3cb --- /dev/null +++ b/policies/clickhouse.yaml 
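Review bot: `rerun_workflow` ("Rerun workflow from start or from failed job") triggers execution exactly like `run_pipeline` and `run_rollback_pipeline` but is filed under "Other Tools" instead of Execute, so an operator who restricts the Execute group still leaves a way to re-run jobs. `download_usage_api_data` is a read and `analyse_diff` / `config_helper` are local analysis, so only `rerun_workflow` needs to move, to `# ── Execute Tools ──`.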
@@ -0,0 +1,36 @@ +# ───────────────────────────────────────────────────────── +# Policy: ClickHouse MCP Server +# Server: ClickHouse/mcp-clickhouse +# Homepage: https://github.com/ClickHouse/mcp-clickhouse +# Tags: clickhouse, analytics, database, sql, olap +# Tools: 4 +# Generated: 2026-03-04T16:57:07Z + +# Generated by Intercept — https://intercept.policylayer.com +# Control what AI agents can do — enforce policies on every MCP tool call. +# ───────────────────────────────────────────────────────── +version: "1" +description: "Policy for ClickHouse/mcp-clickhouse" +# Set to "deny" to reject tool calls not listed below +default: "allow" +tools: + # ── Read Tools ─────────────────────────────────────────── + # list_databases: List all databases on ClickHouse cluster + list_databases: + rules: [] + # list_tables: List tables in a database with pagination and optional metadata + list_tables: + rules: [] + # ── Execute Tools ─────────────────────────────────────────── + # run_chdb_select_query: Execute SQL queries using chDB embedded engine + run_chdb_select_query: + rules: [] + # run_query: Execute SQL queries on ClickHouse cluster + run_query: + rules: [] + + # Uncomment to apply a global rate limit across all tools: + # "*": + # rules: + # - name: "global rate limit" + # rate_limit: 60/minute diff --git a/policies/cloudflare.yaml b/policies/cloudflare.yaml new file mode 100644 index 0000000..7563939 --- /dev/null +++ b/policies/cloudflare.yaml 
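Review bot: `run_query` ("Execute SQL queries on ClickHouse cluster") is correctly under Execute, but nothing in the scaffold notes that it takes arbitrary SQL, so it can insert or drop data as easily as select it; a read-only guarantee has to come from the database account the server connects with, not from a tool-level allow. A comment beside it, `# run_query accepts arbitrary SQL; use a read-only ClickHouse user if the agent should only read`, would stop the next reader from assuming the Read/Execute split provides that.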
@@ -0,0 +1,94 @@
+# ─────────────────────────────────────────────────────────
+# Policy: Cloudflare MCP Server
+# Server: cloudflare/mcp-server-cloudflare
+# Homepage: https://github.com/cloudflare/mcp-server-cloudflare
+# Tags: cloudflare, workers, kv, r2, d1, dns
+# Tools: 23
+# Generated: 2026-03-04T16:57:07Z
+
+# Generated by Intercept — https://intercept.policylayer.com
+# Control what AI agents can do — enforce policies on every MCP tool call.
+# ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for cloudflare/mcp-server-cloudflare"
+# Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+ # ── Read Tools ───────────────────────────────────────────
+ # accounts_list: List all accounts in your Cloudflare account
+ accounts_list:
+ rules: []
+ # query_worker_observability: Query the Workers Observability API
+ query_worker_observability:
+ rules: []
+ # search_cloudflare_documentation: Search the Cloudflare documentation
+ search_cloudflare_documentation:
+ rules: []
+ # workers_get_worker: Get the details of a Cloudflare Worker
+ workers_get_worker:
+ rules: []
+ # workers_get_worker_code: Get the source code of a Cloudflare Worker
+ workers_get_worker_code:
+ rules: []
+ # workers_list: List Cloudflare Workers
+ workers_list:
+ rules: []
+ # ── Write Tools ───────────────────────────────────────────
+ # set_active_account: Set active account for tool calls
+ set_active_account:
+ rules: []
+ # ── Other Tools ───────────────────────────────────────────
+ # d1_database_create: Create a new D1 database
+ d1_database_create:
+ rules: []
+ # d1_database_delete: Delete a D1 database
+ d1_database_delete:
+ rules: []
+ # d1_database_get: Get a D1 database
+ d1_database_get:
+ rules: []
+ # d1_database_query: Query a D1 database
+ d1_database_query:
+ rules: []
+ # d1_databases_list: List all D1 databases
+ d1_databases_list:
+ rules: []
+ # kv_namespace_create: Create a new KV namespace
+ kv_namespace_create:
+ rules: []
+ # kv_namespace_delete: Delete a KV namespace
+ kv_namespace_delete:
+ rules: []
+ # kv_namespace_get: Get details of a KV namespace
+ kv_namespace_get:
+ rules: []
+ # kv_namespace_update: Update the title of a KV namespace
+ kv_namespace_update:
+ rules: []
+ # kv_namespaces_list: List KV namespaces
+ kv_namespaces_list:
+ rules: []
+ # observability_keys: Find keys in the Workers Observability Data
+ observability_keys:
+ rules: []
+ # observability_values: Find values in the Workers Observability Data
+ observability_values:
+ rules: []
+ # r2_bucket_create: Create a new R2 bucket
+ r2_bucket_create:
+ rules: []
+ # r2_bucket_delete: Delete an R2 bucket
+ r2_bucket_delete:
+ rules: []
+ # r2_bucket_get: Get details about a specific R2 bucket
+ r2_bucket_get:
+ rules: []
+ # r2_buckets_list: List R2 buckets
+ r2_buckets_list:
+ rules: []
+
+ # Uncomment to apply a global rate limit across all tools:
+ # "*":
+ # rules:
+ # - name: "global rate limit"
+ # rate_limit: 60/minute
diff --git a/policies/datadog.yaml b/policies/datadog.yaml
new file mode 100644
index 0000000..31f9948
--- /dev/null
+++ b/policies/datadog.yaml
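Review bot: d1_database_delete, kv_namespace_delete and r2_bucket_delete are grouped under `# ── Other Tools`, while docker.yaml and github.yaml in the same commit use a `# ── Destructive Tools` heading for exactly this kind of operation, so a reader who scans the headings to decide where rules are needed will miss the three deletes here. Move them under a `# ── Destructive Tools ───────────────────────────────────────────` heading, and consider placing d1_database_query, which runs a query against a D1 database per its description, with the execute-style tools rather than Other. The Write section currently holds only set_active_account, which changes request routing rather than data and is arguably the odd one out.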
@@ -0,0 +1,84 @@
+# ─────────────────────────────────────────────────────────
+# Policy: Datadog MCP Server
+# Server: winor30/mcp-server-datadog
+# Homepage: https://github.com/winor30/mcp-server-datadog
+# Tags: datadog, monitoring, observability, apm, logs
+# Tools: 20
+# Generated: 2026-03-04T16:57:07Z
+
+# Generated by Intercept — https://intercept.policylayer.com
+# Control what AI agents can do — enforce policies on every MCP tool call.
+# ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for winor30/mcp-server-datadog"
+# Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+ # ── Read Tools ───────────────────────────────────────────
+ # get_active_hosts_count: Get the total number of active hosts
+ get_active_hosts_count:
+ rules: []
+ # get_dashboard: Retrieve a specific dashboard by ID
+ get_dashboard:
+ rules: []
+ # get_incident: Retrieve detailed information about a specific incident
+ get_incident:
+ rules: []
+ # get_logs: Search and retrieve logs from Datadog
+ get_logs:
+ rules: []
+ # get_monitors: Fetch the status of Datadog monitors
+ get_monitors:
+ rules: []
+ # get_rum_applications: Get all RUM applications in the organisation
+ get_rum_applications:
+ rules: []
+ # get_rum_events: Search and retrieve RUM events from Datadog
+ get_rum_events:
+ rules: []
+ # get_rum_grouped_event_count: Search, group and count RUM events by dimension
+ get_rum_grouped_event_count:
+ rules: []
+ # get_rum_page_performance: Get page performance metrics from RUM data
+ get_rum_page_performance:
+ rules: []
+ # get_rum_page_waterfall: Retrieve RUM page waterfall data
+ get_rum_page_waterfall:
+ rules: []
+ # list_dashboards: Get a list of dashboards from Datadog
+ list_dashboards:
+ rules: []
+ # list_downtimes: List scheduled downtimes from Datadog
+ list_downtimes:
+ rules: []
+ # list_hosts: Get list of hosts from Datadog
+ list_hosts:
+ rules: []
+ # list_incidents: Retrieve a list of incidents from Datadog
+ list_incidents:
+ rules: []
+ # list_traces: Retrieve a list of APM traces from Datadog
+ list_traces:
+ rules: []
+ # query_metrics: Retrieve metrics data from Datadog
+ query_metrics:
+ rules: []
+ # ── Other Tools ───────────────────────────────────────────
+ # cancel_downtime: Cancel a scheduled downtime in Datadog
+ cancel_downtime:
+ rules: []
+ # mute_host: Mute a host in Datadog
+ mute_host:
+ rules: []
+ # schedule_downtime: Schedule a downtime in Datadog
+ schedule_downtime:
+ rules: []
+ # unmute_host: Unmute a host in Datadog
+ unmute_host:
+ rules: []
+
+ # Uncomment to apply a global rate limit across all tools:
+ # "*":
+ # rules:
+ # - name: "global rate limit"
+ # rate_limit: 60/minute
diff --git a/policies/docker.yaml b/policies/docker.yaml
new file mode 100644
index 0000000..71e0cd4
--- /dev/null
+++ b/policies/docker.yaml
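Review bot: mute_host and schedule_downtime sit under `# ── Other Tools` although both silence monitoring — the one capability in this server that changes what defenders get told — and the heading gives no hint of that. Give the four state-changing tools their own `# ── Write Tools ───────────────────────────────────────────` heading, and put a note above mute_host such as `# mute_host / schedule_downtime suppress alerting; a rule here is the first one worth adding`, so the template points users at the lever that matters for detection.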
@@ -0,0 +1,84 @@
+# ─────────────────────────────────────────────────────────
+# Policy: Docker MCP Server
+# Server: ckreiling/mcp-server-docker
+# Homepage: https://github.com/ckreiling/mcp-server-docker
+# Tags: docker, containers, images, volumes, networks
+# Tools: 19
+# Generated: 2026-03-04T16:57:07Z
+
+# Generated by Intercept — https://intercept.policylayer.com
+# Control what AI agents can do — enforce policies on every MCP tool call.
+# ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for ckreiling/mcp-server-docker"
+# Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+ # ── Read Tools ───────────────────────────────────────────
+ # fetch_container_logs: Retrieve container output
+ fetch_container_logs:
+ rules: []
+ # list_containers: Display all containers
+ list_containers:
+ rules: []
+ # list_images: View available Docker images
+ list_images:
+ rules: []
+ # list_networks: Show all networks
+ list_networks:
+ rules: []
+ # list_volumes: Display all volumes
+ list_volumes:
+ rules: []
+ # ── Write Tools ───────────────────────────────────────────
+ # create_container: Initialize a new container
+ create_container:
+ rules: []
+ # create_network: Establish a new network
+ create_network:
+ rules: []
+ # create_volume: Create persistent storage
+ create_volume:
+ rules: []
+ # push_image: Upload an image to a registry
+ push_image:
+ rules: []
+ # ── Execute Tools ───────────────────────────────────────────
+ # run_container: Launch a container
+ run_container:
+ rules: []
+ # ── Destructive Tools ───────────────────────────────────────────
+ # remove_container: Delete a container
+ remove_container:
+ rules: []
+ # remove_image: Delete an image
+ remove_image:
+ rules: []
+ # remove_network: Delete a network
+ remove_network:
+ rules: []
+ # remove_volume: Delete a volume
+ remove_volume:
+ rules: []
+ # ── Other Tools ───────────────────────────────────────────
+ # build_image: Create an image from a Dockerfile
+ build_image:
+ rules: []
+ # pull_image: Download an image from a registry
+ pull_image:
+ rules: []
+ # recreate_container: Rebuild an existing container
+ recreate_container:
+ rules: []
+ # start_container: Activate a stopped container
+ start_container:
+ rules: []
+ # stop_container: Halt a running container
+ stop_container:
+ rules: []
+
+ # Uncomment to apply a global rate limit across all tools:
+ # "*":
+ # rules:
+ # - name: "global rate limit"
+ # rate_limit: 60/minute
diff --git a/policies/elevenlabs.yaml b/policies/elevenlabs.yaml
new file mode 100644
index 0000000..b3c4e3b
--- /dev/null
+++ b/policies/elevenlabs.yaml
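Review bot: stop_container and recreate_container are filed under `# ── Other Tools` even though this template already has `# ── Destructive Tools` and `# ── Execute Tools` headings that fit them: recreate_container ("Rebuild an existing container") replaces a running container and is at least as impactful as remove_container, and stop_container halts a workload. Move those two into the Destructive section and start_container next to run_container under Execute, so that the headings remain a reliable guide to where restrictions belong; build_image and pull_image are the only genuinely uncategorised ones left.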
@@ -0,0 +1,55 @@
+# ─────────────────────────────────────────────────────────
+# Policy: ElevenLabs MCP Server
+# Server: elevenlabs/elevenlabs-mcp
+# Homepage: https://github.com/elevenlabs/elevenlabs-mcp
+# Tags: elevenlabs, text-to-speech, voice, audio, ai
+# Tools: 10
+# Generated: 2026-03-04T16:57:07Z
+
+# Generated by Intercept — https://intercept.policylayer.com
+# Control what AI agents can do — enforce policies on every MCP tool call.
+# ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for elevenlabs/elevenlabs-mcp"
+# Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+ # ── Read Tools ───────────────────────────────────────────
+ # get_models: Return available text-to-speech and transcription models
+ get_models:
+ rules: []
+ # get_voices: Retrieve available voices
+ get_voices:
+ rules: []
+ # ── Write Tools ───────────────────────────────────────────
+ # add_voice_to_library: Add a custom voice to the library
+ add_voice_to_library:
+ rules: []
+ # create_voice: Clone a voice from audio samples
+ create_voice:
+ rules: []
+ # ── Other Tools ───────────────────────────────────────────
+ # convert_audio: Apply voice conversion effects to audio
+ convert_audio:
+ rules: []
+ # design_voice: Generate a new voice from a text description
+ design_voice:
+ rules: []
+ # generate_sound_effect: Generate sound effects from text descriptions
+ generate_sound_effect:
+ rules: []
+ # isolate_audio: Isolate speech from background noise
+ isolate_audio:
+ rules: []
+ # text_to_speech: Convert text into natural-sounding speech
+ text_to_speech:
+ rules: []
+ # transcribe_audio: Transcribe audio to text with optional speaker labelling
+ transcribe_audio:
+ rules: []
+
+ # Uncomment to apply a global rate limit across all tools:
+ # "*":
+ # rules:
+ # - name: "global rate limit"
+ # rate_limit: 60/minute
diff --git a/policies/exa.yaml b/policies/exa.yaml
new file mode 100644
index 0000000..909a219
--- /dev/null
+++ b/policies/exa.yaml
@@ -0,0 +1,48 @@
+# ─────────────────────────────────────────────────────────
+# Policy: Exa MCP Server
+# Server: exa-labs/exa-mcp-server
+# Homepage: https://github.com/exa-labs/exa-mcp-server
+# Tags: exa, search, semantic-search, research, web
+# Tools: 8
+# Generated: 2026-03-04T16:57:07Z
+
+# Generated by Intercept — https://intercept.policylayer.com
+# Control what AI agents can do — enforce policies on every MCP tool call.
+# ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for exa-labs/exa-mcp-server"
+# Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+ # ── Read Tools ───────────────────────────────────────────
+ # get_code_context_exa: Find code examples, documentation, and programming solutions
+ get_code_context_exa:
+ rules: []
+ # people_search_exa: Find people and their professional profiles
+ people_search_exa:
+ rules: []
+ # web_search_advanced_exa: Advanced web search with full control over filters and domains
+ web_search_advanced_exa:
+ rules: []
+ # web_search_exa: Real-time semantic web search with clean content
+ web_search_exa:
+ rules: []
+ # ── Other Tools ───────────────────────────────────────────
+ # company_research_exa: Research companies for business information and news
+ company_research_exa:
+ rules: []
+ # crawling_exa: Retrieve full content of a specific webpage
+ crawling_exa:
+ rules: []
+ # deep_researcher_check: Check status and retrieve results from a deep research task
+ deep_researcher_check:
+ rules: []
+ # deep_researcher_start: Start an AI research agent that searches, reads, and writes reports
+ deep_researcher_start:
+ rules: []
+
+ # Uncomment to apply a global rate limit across all tools:
+ # "*":
+ # rules:
+ # - name: "global rate limit"
+ # rate_limit: 60/minute
diff --git a/policies/figma.yaml b/policies/figma.yaml
new file mode 100644
index 0000000..9f97f6d
--- /dev/null
+++ b/policies/figma.yaml
@@ -0,0 +1,46 @@
+# ─────────────────────────────────────────────────────────
+# Policy: Figma MCP Server
+# Server: figma/figma-mcp-server
+# Homepage: https://developers.figma.com/docs/figma-mcp-server
+# Tags: figma, design, ui, prototyping, design-systems
+# Tools: 7
+# Generated: 2026-03-04T16:57:07Z
+
+# Generated by Intercept — https://intercept.policylayer.com
+# Control what AI agents can do — enforce policies on every MCP tool call.
+# ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for figma/figma-mcp-server"
+# Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+ # ── Read Tools ───────────────────────────────────────────
+ # get_code_connect_suggestions: Finds suggestions for mapping Figma node IDs to code components
+ get_code_connect_suggestions:
+ rules: []
+ # get_figjam: Returns metadata for FigJam diagrams in XML format including screenshots
+ get_figjam:
+ rules: []
+ # get_metadata: Returns a sparse XML representation of a Figma selection with layer IDs, names, types, and sizes
+ get_metadata:
+ rules: []
+ # ── Write Tools ───────────────────────────────────────────
+ # create_design_system_rules: Generates custom design system rules for the user's codebase
+ create_design_system_rules:
+ rules: []
+ # send_code_connect_mappings: Confirms the suggested Code Connect mappings
+ send_code_connect_mappings:
+ rules: []
+ # ── Other Tools ───────────────────────────────────────────
+ # generate_diagram: Generates a FigJam diagram from Mermaid syntax
+ generate_diagram:
+ rules: []
+ # whoami: Returns the identity of the authenticated Figma user
+ whoami:
+ rules: []
+
+ # Uncomment to apply a global rate limit across all tools:
+ # "*":
+ # rules:
+ # - name: "global rate limit"
+ # rate_limit: 60/minute
diff --git a/policies/filesystem.yaml b/policies/filesystem.yaml
new file mode 100644
index 0000000..c61224a
--- /dev/null
+++ b/policies/filesystem.yaml
@@ -0,0 +1,61 @@
+# ─────────────────────────────────────────────────────────
+# Policy: Filesystem MCP Server
+# Server: modelcontextprotocol/server-filesystem
+# Homepage: https://github.com/modelcontextprotocol/servers/tree/main/src/filesystem
+# Tags: filesystem, files, directories, local-storage
+# Tools: 12
+# Generated: 2026-03-04T16:57:07Z
+
+# Generated by Intercept — https://intercept.policylayer.com
+# Control what AI agents can do — enforce policies on every MCP tool call.
+# ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for modelcontextprotocol/server-filesystem"
+# Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+ # ── Read Tools ───────────────────────────────────────────
+ # get_file_info: Retrieve detailed metadata about a file or directory
+ get_file_info:
+ rules: []
+ # list_allowed_directories: Returns the list of directories the server can access
+ list_allowed_directories:
+ rules: []
+ # list_directory: Get a detailed listing of files and directories
+ list_directory:
+ rules: []
+ # read_media_file: Read an image or audio file
+ read_media_file:
+ rules: []
+ # read_multiple_files: Read the contents of multiple files simultaneously
+ read_multiple_files:
+ rules: []
+ # read_text_file: Read complete contents of a file as text
+ read_text_file:
+ rules: []
+ # search_files: Recursively search for files and directories
+ search_files:
+ rules: []
+ # ── Write Tools ───────────────────────────────────────────
+ # create_directory: Create a new directory or ensure it exists
+ create_directory:
+ rules: []
+ # edit_file: Make selective edits using advanced pattern matching
+ edit_file:
+ rules: []
+ # move_file: Move or rename files and directories
+ move_file:
+ rules: []
+ # write_file: Create a new file or overwrite an existing file
+ write_file:
+ rules: []
+ # ── Other Tools ───────────────────────────────────────────
+ # directory_tree: Get a recursive tree view of files and directories
+ directory_tree:
+ rules: []
+
+ # Uncomment to apply a global rate limit across all tools:
+ # "*":
+ # rules:
+ # - name: "global rate limit"
+ # rate_limit: 60/minute
diff --git a/policies/firecrawl.yaml b/policies/firecrawl.yaml
new file mode 100644
index 0000000..4e951f1
--- /dev/null
+++ b/policies/firecrawl.yaml
@@ -0,0 +1,45 @@
+# ─────────────────────────────────────────────────────────
+# Policy: Firecrawl MCP Server
+# Server: firecrawl/firecrawl-mcp-server
+# Homepage: https://github.com/mendableai/firecrawl-mcp-server
+# Tags: firecrawl, web-scraping, crawling, extraction
+# Tools: 7
+# Generated: 2026-03-04T16:57:07Z
+
+# Generated by Intercept — https://intercept.policylayer.com
+# Control what AI agents can do — enforce policies on every MCP tool call.
+# ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for firecrawl/firecrawl-mcp-server"
+# Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+ # ── Read Tools ───────────────────────────────────────────
+ # firecrawl_search: Web search to locate information across the internet
+ firecrawl_search:
+ rules: []
+ # ── Other Tools ───────────────────────────────────────────
+ # firecrawl_agent: Handle complex multi-source research tasks
+ firecrawl_agent:
+ rules: []
+ # firecrawl_batch_scrape: Process multiple URLs efficiently with rate limiting
+ firecrawl_batch_scrape:
+ rules: []
+ # firecrawl_browser: Interactive browser automation
+ firecrawl_browser:
+ rules: []
+ # firecrawl_crawl: Multi-page extraction for entire site sections
+ firecrawl_crawl:
+ rules: []
+ # firecrawl_map: Discover URLs by mapping website structure and links
+ firecrawl_map:
+ rules: []
+ # firecrawl_scrape: Extract content from a single URL
+ firecrawl_scrape:
+ rules: []
+
+ # Uncomment to apply a global rate limit across all tools:
+ # "*":
+ # rules:
+ # - name: "global rate limit"
+ # rate_limit: 60/minute
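Review bot: directory_tree is filed under `# ── Other Tools` although its own description, "Get a recursive tree view of files and directories", is a read, which leaves the Read section of this template incomplete; move it under `# ── Read Tools`. This server is also the one in the set that acts on the local host rather than a SaaS API, and the `# Homepage` line points at the upstream server whose list_allowed_directories tool reports the directories it is confined to, so the Write section is where a comment should direct users to add their first rule, e.g. `# write_file / edit_file / move_file change files on the host running the server; add a rule here before enabling`.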
diff --git a/policies/git.yaml b/policies/git.yaml
new file mode 100644
index 0000000..1a1f13a
--- /dev/null
+++ b/policies/git.yaml
@@ -0,0 +1,67 @@
+# ─────────────────────────────────────────────────────────
+# Policy: Git MCP Server
+# Server: modelcontextprotocol/server-git
+# Homepage: https://github.com/modelcontextprotocol/servers/tree/main/src/git
+# Tags: git, version-control, repositories, commits
+# Tools: 14
+# Generated: 2026-03-04T16:57:07Z
+
+# Generated by Intercept — https://intercept.policylayer.com
+# Control what AI agents can do — enforce policies on every MCP tool call.
+# ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for modelcontextprotocol/server-git"
+# Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+ # ── Read Tools ───────────────────────────────────────────
+ # git_show: Shows the contents of a commit
+ git_show:
+ rules: []
+ # ── Write Tools ───────────────────────────────────────────
+ # git_add: Adds file contents to the staging area
+ git_add:
+ rules: []
+ # git_create_branch: Creates a new branch from an optional base branch
+ git_create_branch:
+ rules: []
+ # ── Other Tools ───────────────────────────────────────────
+ # git_branch: List Git branches
+ git_branch:
+ rules: []
+ # git_checkout: Switches branches
+ git_checkout:
+ rules: []
+ # git_clone: Clones a repository
+ git_clone:
+ rules: []
+ # git_commit: Records changes to the repository
+ git_commit:
+ rules: []
+ # git_diff: Shows differences between branches or commits
+ git_diff:
+ rules: []
+ # git_diff_staged: Shows changes staged for the next commit
+ git_diff_staged:
+ rules: []
+ # git_diff_unstaged: Shows changes in the working directory not yet staged
+ git_diff_unstaged:
+ rules: []
+ # git_init: Initialises a new Git repository
+ git_init:
+ rules: []
+ # git_log: Shows the commit logs
+ git_log:
+ rules: []
+ # git_reset: Unstages all staged changes
+ git_reset:
+ rules: []
+ # git_status: Shows the working tree status
+ git_status:
+ rules: []
+
+ # Uncomment to apply a global rate limit across all tools:
+ # "*":
+ # rules:
+ # - name: "global rate limit"
+ # rate_limit: 60/minute
diff --git a/policies/github.yaml b/policies/github.yaml
new file mode 100644
index 0000000..5fc43b5
--- /dev/null
+++ b/policies/github.yaml
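Review bot: git_branch, git_diff, git_diff_staged, git_diff_unstaged, git_log and git_status are all read-only per their descriptions yet sit under `# ── Other Tools`, so the Read section holds only git_show, while git_checkout, git_clone, git_commit, git_init and git_reset — the tools that change repository state — are mixed in with them under the same heading. Group the six read tools under `# ── Read Tools`, the five state-changing ones with git_add and git_create_branch under `# ── Write Tools`, and give git_reset a `# ── Destructive Tools` heading as docker.yaml and github.yaml in this commit do, so that switching the file to `default: "deny"` and re-enabling only the Read section becomes a one-step edit.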
@@ -0,0 +1,277 @@
+# ─────────────────────────────────────────────────────────
+# Policy: GitHub MCP Server
+# Server: github/github-mcp-server
+# Homepage: https://github.com/github/github-mcp-server
+# Tags: github, repositories, issues, pull-requests, actions
+# Tools: 83
+# Generated: 2026-03-04T16:57:07Z
+
+# Generated by Intercept — https://intercept.policylayer.com
+# Control what AI agents can do — enforce policies on every MCP tool call.
+# ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for github/github-mcp-server"
+# Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+ # ── Read Tools ───────────────────────────────────────────
+ # actions_get: Get details of GitHub Actions resources
+ actions_get:
+ rules: []
+ # actions_list: List GitHub Actions workflows in a repository
+ actions_list:
+ rules: []
+ # get_code_scanning_alert: Get code scanning alert
+ get_code_scanning_alert:
+ rules: []
+ # get_commit: Get commit details
+ get_commit:
+ rules: []
+ # get_copilot_space: Get Copilot Space
+ get_copilot_space:
+ rules: []
+ # get_dependabot_alert: Get dependabot alert
+ get_dependabot_alert:
+ rules: []
+ # get_discussion: Get discussion
+ get_discussion:
+ rules: []
+ # get_discussion_comments: Get discussion comments
+ get_discussion_comments:
+ rules: []
+ # get_file_contents: Get file or directory contents
+ get_file_contents:
+ rules: []
+ # get_gist: Get Gist Content
+ get_gist:
+ rules: []
+ # get_global_security_advisory: Get a global security advisory
+ get_global_security_advisory:
+ rules: []
+ # get_job_logs: Get GitHub Actions workflow job logs
+ get_job_logs:
+ rules: []
+ # get_label: Get a specific label from a repository
+ get_label:
+ rules: []
+ # get_latest_release: Get latest release
+ get_latest_release:
+ rules: []
+ # get_me: Get my user profile
+ get_me:
+ rules: []
+ # get_notification_details: Get notification details
+ get_notification_details:
+ rules: []
+ # get_release_by_tag: Get a release by tag name
+ get_release_by_tag:
+ rules: []
+ # get_repository_tree: Get repository tree
+ get_repository_tree:
+ rules: []
+ # get_secret_scanning_alert: Get secret scanning alert
+ get_secret_scanning_alert:
+ rules: []
+ # get_tag: Get tag details
+ get_tag:
+ rules: []
+ # get_team_members: Get team members
+ get_team_members:
+ rules: []
+ # get_teams: Get teams
+ get_teams:
+ rules: []
+ # issue_read: Get issue details
+ issue_read:
+ rules: []
+ # list_branches: List branches
+ list_branches:
+ rules: []
+ # list_code_scanning_alerts: List code scanning alerts
+ list_code_scanning_alerts:
+ rules: []
+ # list_commits: List commits
+ list_commits:
+ rules: []
+ # list_copilot_spaces: List Copilot Spaces
+ list_copilot_spaces:
+ rules: []
+ # list_dependabot_alerts: List dependabot alerts
+ list_dependabot_alerts:
+ rules: []
+ # list_discussion_categories: List discussion categories
+ list_discussion_categories:
+ rules: []
+ # list_discussions: List discussions
+ list_discussions:
+ rules: []
+ # list_gists: List Gists
+ list_gists:
+ rules: []
+ # list_global_security_advisories: List global security advisories
+ list_global_security_advisories:
+ rules: []
+ # list_issue_types: List available issue types
+ list_issue_types:
+ rules: []
+ # list_issues: List issues
+ list_issues:
+ rules: []
+ # list_label: List labels from a repository
+ list_label:
+ rules: []
+ # list_notifications: List notifications
+ list_notifications:
+ rules: []
+ # list_org_repository_security_advisories: List org repository security advisories
+ list_org_repository_security_advisories:
+ rules: []
+ # list_pull_requests: List pull requests
+ list_pull_requests:
+ rules: []
+ # list_releases: List releases
+ list_releases:
+ rules: []
+ # list_repository_security_advisories: List repository security advisories
+ list_repository_security_advisories:
+ rules: []
+ # list_secret_scanning_alerts: List secret scanning alerts
+ list_secret_scanning_alerts:
+ rules: []
+ # list_starred_repositories: List starred repositories
+ list_starred_repositories:
+ rules: []
+ # list_tags: List tags
+ list_tags:
+ rules: []
+ # projects_get: Get details of GitHub Projects resources
+ projects_get:
+ rules: []
+ # projects_list: List GitHub Projects resources
+ projects_list:
+ rules: []
+ # search_code: Search code
+ search_code:
+ rules: []
+ # search_issues: Search issues
+ search_issues:
+ rules: []
+ # search_orgs: Search organisations
+ search_orgs:
+ rules: []
+ # search_pull_requests: Search pull requests
+ search_pull_requests:
+ rules: []
+ # search_repositories: Search repositories
+ search_repositories:
+ rules: []
+ # search_users: Search users
+ search_users:
+ rules: []
+ # ── Write Tools ───────────────────────────────────────────
+ # add_comment_to_pending_review: Add review comment to pending pull request review
+ add_comment_to_pending_review:
+ rules: []
+ # add_issue_comment: Add comment to issue
+ add_issue_comment:
+ rules: []
+ # add_reply_to_pull_request_comment: Add reply to pull request comment
+ add_reply_to_pull_request_comment:
+ rules: []
+ # create_branch: Create branch
+ create_branch:
+ rules: []
+ # create_gist: Create Gist
+ create_gist:
+ rules: []
+ # create_or_update_file: Create or update file
+ create_or_update_file:
+ rules: []
+ # create_pull_request: Open new pull request
+ create_pull_request:
+ rules: []
+ # create_pull_request_with_copilot: Perform task with GitHub Copilot coding agent
+ create_pull_request_with_copilot:
+ rules: []
+ # create_repository: Create repository
+ create_repository:
+ rules: []
+ # issue_write: Create or update issue
+ issue_write:
+ rules: []
+ # label_write: Write operations on repository labels
+ label_write:
+ rules: []
+ # projects_write: Modify GitHub Project items
+ projects_write:
+ rules: []
+ # push_files: Push files to repository
+ push_files:
+ rules: []
+ # update_gist: Update Gist
+ update_gist:
+ rules: []
+ # update_pull_request: Edit pull request
+ update_pull_request:
+ rules: []
+ # update_pull_request_branch: Update pull request branch
+ update_pull_request_branch:
+ rules: []
+ # ── Execute Tools ───────────────────────────────────────────
+ # actions_run_trigger: Trigger GitHub Actions workflow actions
+ actions_run_trigger:
+ rules: []
+ # ── Financial Tools ───────────────────────────────────────────
+ # manage_notification_subscription: Manage notification subscription
+ manage_notification_subscription:
+ rules: []
+ # manage_repository_notification_subscription: Manage repository notification subscription
+ manage_repository_notification_subscription:
+ rules: []
+ # ── Destructive Tools ───────────────────────────────────────────
+ # delete_file: Delete file
+ delete_file:
+ rules: []
+ # ── Other Tools ───────────────────────────────────────────
+ # assign_copilot_to_issue: Assign Copilot to issue
+ assign_copilot_to_issue:
+ rules: []
+ # dismiss_notification: Dismiss notification
+ dismiss_notification:
+ rules: []
+ # fork_repository: Fork repository
+ fork_repository:
+ rules: []
+ # github_support_docs_search: Search GitHub product and support documentation
+ github_support_docs_search:
+ rules: []
+ # mark_all_notifications_read: Mark all notifications as read
+ mark_all_notifications_read:
+ rules: []
+ # merge_pull_request: Merge pull request
+ merge_pull_request:
+ rules: []
+ # pull_request_read: Get details for a single pull request
+ pull_request_read:
+ rules: []
+ # pull_request_review_write: Write operations on pull request reviews
+ pull_request_review_write:
+ rules: []
+ # request_copilot_review: Request Copilot review
+ request_copilot_review:
+ rules: []
+ # star_repository: Star repository
+ star_repository:
+ rules: []
+ # sub_issue_write: Change sub-issue
+ sub_issue_write:
+ rules: []
+ # unstar_repository: Unstar repository
+ unstar_repository:
+ rules: []
+
+ # Uncomment to apply a global rate limit across all tools:
+ # "*":
+ # rules:
+ # - name: "global rate limit"
+ # rate_limit: 60/minute
diff --git a/policies/gitlab.yaml b/policies/gitlab.yaml
new file mode 100644
index 0000000..bcb5368
--- /dev/null
+++ b/policies/gitlab.yaml
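Review bot: manage_notification_subscription and manage_repository_notification_subscription are placed under `# ── Financial Tools`, which does not describe notification settings and reads as a classifier artefact that was committed unreviewed; relabel that heading `# ── Write Tools` or fold the two into the existing Write section. In the same file merge_pull_request and pull_request_review_write — the tools that land code in a shared branch or approve it — are under `# ── Other Tools` with nothing marking them as writes, and pull_request_read and github_support_docs_search are reads that belong in the Read section. Since this template has 83 tools, the headings are the only practical way a user switching to `default: "deny"` will find the write and merge surface, so they are worth correcting by hand before publishing.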
@@ -0,0 +1,70 @@
+# ─────────────────────────────────────────────────────────
+# Policy: GitLab MCP Server
+# Server: gitlab-org/gitlab-mcp-server
+# Homepage: https://docs.gitlab.com/user/gitlab_duo/model_context_protocol/mcp_server_tools/
+# Tags: gitlab, repositories, merge-requests, ci-cd, issues
+# Tools: 15
+# Generated: 2026-03-04T16:57:07Z
+
+# Generated by Intercept — https://intercept.policylayer.com
+# Control what AI agents can do — enforce policies on every MCP tool call.
+# ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for gitlab-org/gitlab-mcp-server"
+# Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+ # ── Read Tools ───────────────────────────────────────────
+ # get_issue: Retrieves detailed information about a specific issue
+ get_issue:
+ rules: []
+ # get_mcp_server_version: Returns the current version of the GitLab MCP server
+ get_mcp_server_version:
+ rules: []
+ # get_merge_request: Retrieves detailed information about a merge request
+ get_merge_request:
+ rules: []
+ # get_merge_request_commits: Retrieves the list of commits in a merge request
+ get_merge_request_commits:
+ rules: []
+ # get_merge_request_diffs: Retrieves the diffs for a merge request
+ get_merge_request_diffs:
+ rules: []
+ # get_merge_request_pipelines: Retrieves the pipelines for a merge request
+ get_merge_request_pipelines:
+ rules: []
+ # get_pipeline_jobs: Retrieves the jobs for a CI/CD pipeline
+ get_pipeline_jobs:
+ rules: []
+ # get_workitem_notes: Retrieves comments from a work item
+ get_workitem_notes:
+ rules: []
+ # gitlab_search: Searches across the GitLab instance
+ gitlab_search:
+ rules: []
+ # search_labels: Searches for labels in a project or group
+ search_labels:
+ rules: []
+ # ── Write Tools ───────────────────────────────────────────
+ # create_issue: Creates a new issue in a GitLab project
+ create_issue:
+ rules: []
+ # create_merge_request: Creates a merge request in a GitLab project
+ create_merge_request:
+ rules: []
+ # create_workitem_note: Adds a comment to a work item
+ create_workitem_note:
+ rules: []
+ # ── Other Tools ───────────────────────────────────────────
+ # manage_pipeline: Manages a GitLab CI/CD pipeline
+ manage_pipeline:
+ rules: []
+ # semantic_code_search: Searches for code snippets through semantic search
+ semantic_code_search:
+ rules: []
+
+ # Uncomment to apply a global rate limit across all tools:
+ # "*":
+ # rules:
+ # - name: "global rate limit"
+ # rate_limit: 60/minute
diff --git a/policies/google-drive.yaml b/policies/google-drive.yaml
new file mode 100644
index 0000000..e239b08
--- /dev/null
+++ b/policies/google-drive.yaml
@@ -0,0 +1,26 @@
+# ─────────────────────────────────────────────────────────
+# Policy: Google Drive MCP Server
+# Server: modelcontextprotocol/server-gdrive
+# Homepage: https://github.com/modelcontextprotocol/servers/tree/main/src/gdrive
+# Tags: google-drive, files, documents, cloud-storage
+# Tools: 1
+# Generated: 2026-03-04T16:57:07Z
+
+# Generated by Intercept — https://intercept.policylayer.com
+# Control what AI agents can do — enforce policies on every MCP tool call.
+# ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for modelcontextprotocol/server-gdrive"
+# Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+ # ── Read Tools ───────────────────────────────────────────
+ # search: Search for files in Google Drive
+ search:
+ rules: []
+
+ # Uncomment to apply a global rate limit across all tools:
+ # "*":
+ # rules:
+ # - name: "global rate limit"
+ # rate_limit: 60/minute
diff --git a/policies/grafana.yaml b/policies/grafana.yaml
new file mode 100644
index 0000000..cf0e663
--- /dev/null
+++ b/policies/grafana.yaml
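Review bot: manage_pipeline ("Manages a GitLab CI/CD pipeline") is listed under `# ── Other Tools`, although a tool that drives pipeline execution is what github.yaml in this commit files under `# ── Execute Tools` (actions_run_trigger); moving it under an Execute heading keeps the CI-execution surface consistently discoverable across templates. semantic_code_search is a read by its description and belongs in the Read section alongside gitlab_search, which would leave the Other section empty and removable.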
@@ -0,0 +1,112 @@ +# ───────────────────────────────────────────────────────── +# Policy: Grafana MCP Server +# Server: grafana/mcp-grafana +# Homepage: https://github.com/grafana/mcp-grafana +# Tags: grafana, observability, dashboards, prometheus, loki +# Tools: 29 +# Generated: 2026-03-04T16:57:07Z + +# Generated by Intercept — https://intercept.policylayer.com +# Control what AI agents can do — enforce policies on every MCP tool call. +# ───────────────────────────────────────────────────────── +version: "1" +description: "Policy for grafana/mcp-grafana" +# Set to "deny" to reject tool calls not listed below +default: "allow" +tools: + # ── Read Tools ─────────────────────────────────────────── + # get_dashboard_by_uid: Retrieve complete dashboard details + get_dashboard_by_uid: + rules: [] + # get_dashboard_panel_queries: Extract panel titles, queries, and datasource info + get_dashboard_panel_queries: + rules: [] + # get_dashboard_property: Extract specific parts using JSONPath + get_dashboard_property: + rules: [] + # get_dashboard_summary: Obtain compact overview without full JSON + get_dashboard_summary: + rules: [] + # get_datasource: Retrieve datasource details by UID or name + get_datasource: + rules: [] + # get_panel_image: Render dashboards as PNG + get_panel_image: + rules: [] + # get_query_examples: Access sample queries for learning syntax + get_query_examples: + rules: [] + # get_role_details: Role permission inspection + get_role_details: + rules: [] + # list_alert_rules: View alerting configurations + list_alert_rules: + rules: [] + # list_all_roles: Available role listings + list_all_roles: + rules: [] + # list_annotations: Query dashboard annotations + list_annotations: + rules: [] + # list_cloudwatch_namespaces: AWS service discovery + list_cloudwatch_namespaces: + rules: [] + # list_datasources: View all configured datasources + list_datasources: + rules: [] + # list_incidents: Browse Grafana Incident records + list_incidents: + rules: [] + # 
list_loki_label_names: Log label exploration + list_loki_label_names: + rules: [] + # list_prometheus_metric_names: Available metrics discovery + list_prometheus_metric_names: + rules: [] + # list_teams: View Grafana teams + list_teams: + rules: [] + # list_users_by_org: Organisation user directory + list_users_by_org: + rules: [] + # query_clickhouse: Execute SQL with macro substitution + query_clickhouse: + rules: [] + # query_cloudwatch: Run AWS CloudWatch metric queries + query_cloudwatch: + rules: [] + # query_elasticsearch: Search using Lucene or Query DSL + query_elasticsearch: + rules: [] + # query_loki_logs: Run LogQL queries for logs and metrics + query_loki_logs: + rules: [] + # query_prometheus: Execute PromQL against Prometheus + query_prometheus: + rules: [] + # search_dashboards: Locate dashboards by title or metadata + search_dashboards: + rules: [] + # ── Write Tools ─────────────────────────────────────────── + # create_alert_rule: Define new alert conditions + create_alert_rule: + rules: [] + # create_incident: Initiate new incidents + create_incident: + rules: [] + # update_dashboard: Create or modify dashboards + update_dashboard: + rules: [] + # ── Other Tools ─────────────────────────────────────────── + # generate_deeplinks: Create accurate Grafana resource URLs + generate_deeplinks: + rules: [] + # patch_dashboard: Apply targeted changes without full JSON + patch_dashboard: + rules: [] + + # Uncomment to apply a global rate limit across all tools: + # "*": + # rules: + # - name: "global rate limit" + # rate_limit: 60/minute diff --git a/policies/linear.yaml b/policies/linear.yaml new file mode 100644 index 0000000..cd87359 --- /dev/null +++ b/policies/linear.yaml 
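Review bot: `query_clickhouse` ("Execute SQL with macro substitution"), `query_elasticsearch`, `query_loki_logs` and `query_prometheus` are filed under "Read Tools" in this hunk, while the neon template puts the equivalent `run_sql` under "Execute Tools", the neo4j template lists `read-cypher` ("Execute arbitrary Cypher queries") under Read, and the postgres template does the same for `query`; the category is the only structure a reader has for deciding where rules go, so arbitrary-query tools should be grouped the same way across templates. `patch_dashboard` ("Apply targeted changes without full JSON") is a write and belongs beside `update_dashboard`, not under "Other Tools". `list_users_by_org` and `get_role_details` return user and role data; a comment such as `# returns the org user directory — consider rate-limiting` would flag that entry.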
@@ -0,0 +1,93 @@ +# ───────────────────────────────────────────────────────── +# Policy: Linear MCP Server +# Server: linear-mcp-server +# Homepage: https://linear.app/docs/mcp +# Tags: linear, project-management, issues, sprints +# Tools: 23 +# Generated: 2026-03-04T16:57:07Z + +# Generated by Intercept — https://intercept.policylayer.com +# Control what AI agents can do — enforce policies on every MCP tool call. +# ───────────────────────────────────────────────────────── +version: "1" +description: "Policy for linear-mcp-server" +# Set to "deny" to reject tool calls not listed below +default: "allow" +tools: + # ── Read Tools ─────────────────────────────────────────── + # get_document: Get a specific document's content + get_document: + rules: [] + # get_issue: Get detailed information about a specific issue + get_issue: + rules: [] + # get_issue_status: Get details about a specific issue workflow status + get_issue_status: + rules: [] + # get_project: Get detailed information about a specific project + get_project: + rules: [] + # get_team: Get detailed information about a specific team + get_team: + rules: [] + # get_user: Get detailed information about a specific user + get_user: + rules: [] + # list_comments: List comments on an issue + list_comments: + rules: [] + # list_cycles: List cycles in the workspace + list_cycles: + rules: [] + # list_documents: List documents in the workspace + list_documents: + rules: [] + # list_issue_labels: List labels associated with a given team + list_issue_labels: + rules: [] + # list_issue_statuses: List workflow statuses for a team + list_issue_statuses: + rules: [] + # list_issues: List issues with filtering by team, status, assignee, and more + list_issues: + rules: [] + # list_project_labels: List project-level labels + list_project_labels: + rules: [] + # list_projects: List projects in the workspace + list_projects: + rules: [] + # list_teams: List teams in the workspace + list_teams: + rules: [] + # list_users: 
List users with their ids, names, and emails + list_users: + rules: [] + # search_documentation: Search Linear's documentation for feature guidance + search_documentation: + rules: [] + # ── Write Tools ─────────────────────────────────────────── + # create_comment: Add a comment to an issue + create_comment: + rules: [] + # create_issue: Create a new issue or sub-issue + create_issue: + rules: [] + # create_issue_label: Create a new issue label + create_issue_label: + rules: [] + # create_project: Create a new project + create_project: + rules: [] + # update_issue: Update an existing issue + update_issue: + rules: [] + # update_project: Update an existing project + update_project: + rules: [] + + # Uncomment to apply a global rate limit across all tools: + # "*": + # rules: + # - name: "global rate limit" + # rate_limit: 60/minute diff --git a/policies/memory.yaml b/policies/memory.yaml new file mode 100644 index 0000000..dc9d039 --- /dev/null +++ b/policies/memory.yaml 
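Review bot: `list_users` is documented as returning "ids, names, and emails", which makes it the one read tool in this template that hands the agent personal data in bulk, yet it carries the same `rules: []` as `list_teams`. A comment on that entry, `# returns user emails — consider restricting or rate-limiting`, would make the distinction visible to whoever adapts the scaffold, and the footer's `"*"` rate-limit block could be instantiated on this tool alone instead of globally.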
@@ -0,0 +1,53 @@
+# ─────────────────────────────────────────────────────────
+# Policy: Memory MCP Server
+# Server: modelcontextprotocol/server-memory
+# Homepage: https://github.com/modelcontextprotocol/servers/tree/main/src/memory
+# Tags: memory, knowledge-graph, entities, relations
+# Tools: 9
+# Generated: 2026-03-04T16:57:07Z
+
+# Generated by Intercept — https://intercept.policylayer.com
+# Control what AI agents can do — enforce policies on every MCP tool call.
+# ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for modelcontextprotocol/server-memory"
+# Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+ # ── Read Tools ───────────────────────────────────────────
+ # read_graph: Read the entire knowledge graph
+ read_graph:
+ rules: []
+ # search_nodes: Search for nodes based on query
+ search_nodes:
+ rules: []
+ # ── Write Tools ───────────────────────────────────────────
+ # add_observations: Add new observations to existing entities
+ add_observations:
+ rules: []
+ # create_entities: Create multiple new entities in the knowledge graph
+ create_entities:
+ rules: []
+ # create_relations: Create multiple new relations between entities
+ create_relations:
+ rules: []
+ # ── Destructive Tools ───────────────────────────────────────────
+ # delete_entities: Delete multiple entities and their relations
+ delete_entities:
+ rules: []
+ # delete_observations: Delete specific observations from entities
+ delete_observations:
+ rules: []
+ # delete_relations: Delete multiple relations from the knowledge graph
+ delete_relations:
+ rules: []
+ # ── Other Tools ───────────────────────────────────────────
+ # open_nodes: Open specific nodes by their names
+ open_nodes:
+ rules: []
+
+ # Uncomment to apply a global rate limit across all tools:
+ # "*":
+ # rules:
+ # - name: "global rate limit"
+ # rate_limit: 60/minute
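Review bot: `open_nodes` ("Open specific nodes by their names") is a read and belongs under "Read Tools" rather than "Other Tools", which otherwise holds nothing else in this file. `read_graph` returns the entire knowledge graph in a single call, so a note such as `# dumps the whole graph — consider rate-limiting` would tell whoever adapts the scaffold that this is a bulk export rather than a lookup. Whether content written through `add_observations` is later fed back into the agent's context (which would make the write tools a persistence path worth constraining) is not visible here and is worth stating in the header if so.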
diff --git a/policies/mixpanel.yaml b/policies/mixpanel.yaml
new file mode 100644
index 0000000..10a3090
--- /dev/null
+++ b/policies/mixpanel.yaml
@@ -0,0 +1,81 @@ +# ───────────────────────────────────────────────────────── +# Policy: Mixpanel MCP Server +# Server: mixpanel-mcp-server +# Homepage: https://github.com/mixpanel/mixpanel-mcp-server +# Tags: mixpanel, analytics, product-analytics, events, funnels +# Tools: 18 +# Generated: 2026-03-04T16:57:07Z + +# Generated by Intercept — https://intercept.policylayer.com +# Control what AI agents can do — enforce policies on every MCP tool call. +# ───────────────────────────────────────────────────────── +version: "1" +description: "Policy for mixpanel-mcp-server" +# Set to "deny" to reject tool calls not listed below +default: "allow" +tools: + # ── Read Tools ─────────────────────────────────────────── + # Get-Event-Details: Get full metadata for an event + Get-Event-Details: + rules: [] + # Get-Events: Get event names for a Mixpanel project + Get-Events: + rules: [] + # Get-Issues: Get data quality issues for a project + Get-Issues: + rules: [] + # Get-Lexicon-URL: Get Lexicon URL for an event or property + Get-Lexicon-URL: + rules: [] + # Get-Projects: Get projects accessible to current user + Get-Projects: + rules: [] + # Get-Property-Names: Get event or user property names + Get-Property-Names: + rules: [] + # Get-Property-Values: Get values for a specific property + Get-Property-Values: + rules: [] + # Get-User-Replays-Data: Get session replay information + Get-User-Replays-Data: + rules: [] + # ── Write Tools ─────────────────────────────────────────── + # Create-Tag: Create a tag for organising events and properties + Create-Tag: + rules: [] + # Edit-Event: Edit event metadata including ownership and visibility + Edit-Event: + rules: [] + # Edit-Property: Edit property metadata including sensitivity classification + Edit-Property: + rules: [] + # Rename-Tag: Rename an existing tag + Rename-Tag: + rules: [] + # ── Execute Tools ─────────────────────────────────────────── + # Run-Frequency-Query: Run a frequency query on user actions + 
Run-Frequency-Query: + rules: [] + # Run-Funnels-Query: Run a funnels query with conversion steps + Run-Funnels-Query: + rules: [] + # Run-Retention-Query: Run a retention query on user return behaviour + Run-Retention-Query: + rules: [] + # Run-Segmentation-Query: Run a segmentation query on events + Run-Segmentation-Query: + rules: [] + # ── Destructive Tools ─────────────────────────────────────────── + # Delete-Tag: Delete a tag from a project + Delete-Tag: + rules: [] + # ── Other Tools ─────────────────────────────────────────── + # Dismiss-Issues: Dismiss data quality issues + Dismiss-Issues: + rules: [] + + # Uncomment to apply a global rate limit across all tools: + # "*": + # rules: + # - name: "global rate limit" + # rate_limit: 60/minute diff --git a/policies/mongodb.yaml b/policies/mongodb.yaml new file mode 100644 index 0000000..6c003a4 --- /dev/null +++ b/policies/mongodb.yaml 
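Review bot: `Edit-Property` is described as editing "sensitivity classification" and `Dismiss-Issues` as dismissing data-quality issues, yet the first sits beside `Create-Tag` under "Write Tools" and the second is left under "Other Tools" with no distinction. Lowering a property's sensitivity classification can change how that data is treated downstream, and dismissing issues suppresses a signal, so both deserve an entry comment — `# changes data classification — review before allowing` on `Edit-Property` — and `Dismiss-Issues` belongs in the Write section; the precise effect of each depends on Mixpanel's handling and is not visible here.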
@@ -0,0 +1,134 @@ +# ───────────────────────────────────────────────────────── +# Policy: MongoDB MCP Server +# Server: mongodb-js/mongodb-mcp-server +# Homepage: https://github.com/mongodb-js/mongodb-mcp-server +# Tags: mongodb, database, nosql, atlas, aggregation +# Tools: 36 +# Generated: 2026-03-04T16:57:07Z + +# Generated by Intercept — https://intercept.policylayer.com +# Control what AI agents can do — enforce policies on every MCP tool call. +# ───────────────────────────────────────────────────────── +version: "1" +description: "Policy for mongodb-js/mongodb-mcp-server" +# Set to "deny" to reject tool calls not listed below +default: "allow" +tools: + # ── Read Tools ─────────────────────────────────────────── + # atlas-get-performance-advisor: Get Atlas performance advisor recommendations + atlas-get-performance-advisor: + rules: [] + # atlas-list-alerts: List MongoDB Atlas alerts + atlas-list-alerts: + rules: [] + # atlas-list-clusters: List MongoDB Atlas clusters + atlas-list-clusters: + rules: [] + # atlas-list-db-users: List MongoDB Atlas database users + atlas-list-db-users: + rules: [] + # atlas-list-orgs: List MongoDB Atlas organisations + atlas-list-orgs: + rules: [] + # atlas-list-projects: List MongoDB Atlas projects + atlas-list-projects: + rules: [] + # find: Run a find query against a MongoDB collection + find: + rules: [] + # list-collections: List all collections for a given database + list-collections: + rules: [] + # list-databases: List all databases for a MongoDB connection + list-databases: + rules: [] + # ── Write Tools ─────────────────────────────────────────── + # atlas-create-access-list: Allow IP/CIDR ranges to access Atlas clusters + atlas-create-access-list: + rules: [] + # atlas-create-db-user: Create a MongoDB Atlas database user + atlas-create-db-user: + rules: [] + # atlas-create-free-cluster: Create a free MongoDB Atlas cluster + atlas-create-free-cluster: + rules: [] + # atlas-create-project: Create a MongoDB Atlas 
project + atlas-create-project: + rules: [] + # create-collection: Creates a new collection in a database + create-collection: + rules: [] + # create-index: Create an index for a collection + create-index: + rules: [] + # insert-many: Insert an array of documents into a collection + insert-many: + rules: [] + # rename-collection: Renames a collection in a database + rename-collection: + rules: [] + # update-many: Updates all documents that match the filter + update-many: + rules: [] + # ── Destructive Tools ─────────────────────────────────────────── + # delete-many: Removes all documents that match the filter + delete-many: + rules: [] + # drop-collection: Removes a collection or view from the database + drop-collection: + rules: [] + # drop-database: Removes the specified database + drop-database: + rules: [] + # drop-index: Drop an index for a collection + drop-index: + rules: [] + # ── Other Tools ─────────────────────────────────────────── + # aggregate: Run an aggregation against a MongoDB collection + aggregate: + rules: [] + # atlas-connect-cluster: Connect to a MongoDB Atlas cluster + atlas-connect-cluster: + rules: [] + # atlas-inspect-access-list: Inspect IP/CIDR ranges with access to Atlas + atlas-inspect-access-list: + rules: [] + # atlas-inspect-cluster: Inspect metadata of a MongoDB Atlas cluster + atlas-inspect-cluster: + rules: [] + # collection-indexes: Describe the indexes for a collection + collection-indexes: + rules: [] + # collection-schema: Describe the schema for a collection + collection-schema: + rules: [] + # collection-storage-size: Gets the size of the collection + collection-storage-size: + rules: [] + # connect: Connect to a MongoDB instance + connect: + rules: [] + # count: Gets the number of documents in a collection + count: + rules: [] + # db-stats: Returns statistics for a single database + db-stats: + rules: [] + # explain: Returns execution statistics for the winning query plan + explain: + rules: [] + # export: Export query 
or aggregation results in EJSON format
+ export:
+ rules: []
+ # mongodb-logs: Returns the most recent logged mongod events
+ mongodb-logs:
+ rules: []
+ # switch-connection: Switch to a different MongoDB connection
+ switch-connection:
+ rules: []
+
+ # Uncomment to apply a global rate limit across all tools:
+ # "*":
+ # rules:
+ # - name: "global rate limit"
+ # rate_limit: 60/minute
diff --git a/policies/neo4j.yaml b/policies/neo4j.yaml
new file mode 100644
index 0000000..69436ab
--- /dev/null
+++ b/policies/neo4j.yaml
@@ -0,0 +1,36 @@
+# ─────────────────────────────────────────────────────────
+# Policy: Neo4j MCP Server
+# Server: neo4j/mcp
+# Homepage: https://github.com/neo4j/mcp
+# Tags: neo4j, graph-database, cypher, knowledge-graph
+# Tools: 4
+# Generated: 2026-03-04T16:57:07Z
+
+# Generated by Intercept — https://intercept.policylayer.com
+# Control what AI agents can do — enforce policies on every MCP tool call.
+# ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for neo4j/mcp"
+# Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+ # ── Read Tools ───────────────────────────────────────────
+ # get-schema: Introspect labels, relationship types, and property keys
+ get-schema:
+ rules: []
+ # list-gds-procedures: List Graph Data Science procedures available
+ list-gds-procedures:
+ rules: []
+ # read-cypher: Execute arbitrary Cypher queries in read mode
+ read-cypher:
+ rules: []
+ # ── Write Tools ───────────────────────────────────────────
+ # write-cypher: Execute Cypher with write capabilities
+ write-cypher:
+ rules: []
+
+ # Uncomment to apply a global rate limit across all tools:
+ # "*":
+ # rules:
+ # - name: "global rate limit"
+ # rate_limit: 60/minute
diff --git a/policies/neon.yaml b/policies/neon.yaml
new file mode 100644
index 0000000..5738fde
--- /dev/null
+++ b/policies/neon.yaml
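Review bot: `atlas-create-access-list` ("Allow IP/CIDR ranges to access Atlas clusters") and `atlas-create-db-user` are filed under "Write Tools" next to `create-collection`, but they change the cluster's network exposure and its identities rather than its data; a comment such as `# widens network access to the cluster — treat as privileged` on the access-list entry, and grouping both with the Destructive tools, would reflect that. `aggregate` under "Other Tools" should not be assumed read-only, since MongoDB aggregation pipelines can write through `$out`/`$merge` stages. `connect` and `switch-connection` take connection details that presumably include credentials, which is worth noting on those entries.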
@@ -0,0 +1,114 @@ +# ───────────────────────────────────────────────────────── +# Policy: Neon MCP Server +# Server: neondatabase/mcp-server-neon +# Homepage: https://github.com/neondatabase/mcp-server-neon +# Tags: neon, postgres, serverless, database, branching +# Tools: 29 +# Generated: 2026-03-04T16:57:07Z + +# Generated by Intercept — https://intercept.policylayer.com +# Control what AI agents can do — enforce policies on every MCP tool call. +# ───────────────────────────────────────────────────────── +version: "1" +description: "Policy for neondatabase/mcp-server-neon" +# Set to "deny" to reject tool calls not listed below +default: "allow" +tools: + # ── Read Tools ─────────────────────────────────────────── + # complete_query_tuning: Apply tuning changes + complete_query_tuning: + rules: [] + # describe_branch: Fetch branch details + describe_branch: + rules: [] + # describe_project: Retrieve detailed project information + describe_project: + rules: [] + # describe_table_schema: Get detailed table structure + describe_table_schema: + rules: [] + # fetch: Retrieve specific resource details + fetch: + rules: [] + # get_connection_string: Return database connection details + get_connection_string: + rules: [] + # get_database_tables: List database tables + get_database_tables: + rules: [] + # get_doc_resource: Fetch documentation pages + get_doc_resource: + rules: [] + # list_branch_computes: Display compute endpoints for a branch + list_branch_computes: + rules: [] + # list_docs_resources: Index documentation + list_docs_resources: + rules: [] + # list_organizations: Show accessible organisations + list_organizations: + rules: [] + # list_projects: List Neon projects in account + list_projects: + rules: [] + # list_shared_projects: Display projects shared with current user + list_shared_projects: + rules: [] + # list_slow_queries: Identify query bottlenecks + list_slow_queries: + rules: [] + # prepare_query_tuning: Analyse query optimisations + 
prepare_query_tuning: + rules: [] + # search: Find organisations, projects, and branches + search: + rules: [] + # ── Write Tools ─────────────────────────────────────────── + # create_branch: Create a development branch within a project + create_branch: + rules: [] + # create_project: Create a new Neon project + create_project: + rules: [] + # ── Execute Tools ─────────────────────────────────────────── + # run_sql: Execute individual SQL queries + run_sql: + rules: [] + # run_sql_transaction: Run multiple queries in a transaction + run_sql_transaction: + rules: [] + # ── Destructive Tools ─────────────────────────────────────────── + # delete_branch: Remove an existing branch + delete_branch: + rules: [] + # delete_project: Remove a project and its resources + delete_project: + rules: [] + # ── Other Tools ─────────────────────────────────────────── + # compare_database_schema: Show schema differences between branches + compare_database_schema: + rules: [] + # complete_database_migration: Apply finalised migrations + complete_database_migration: + rules: [] + # explain_sql_statement: Provide execution plans + explain_sql_statement: + rules: [] + # prepare_database_migration: Initiate schema changes safely + prepare_database_migration: + rules: [] + # provision_neon_auth: Set up authentication infrastructure + provision_neon_auth: + rules: [] + # provision_neon_data_api: Enable HTTP database access + provision_neon_data_api: + rules: [] + # reset_from_parent: Revert branch to parent state + reset_from_parent: + rules: [] + + # Uncomment to apply a global rate limit across all tools: + # "*": + # rules: + # - name: "global rate limit" + # rate_limit: 60/minute diff --git a/policies/notion.yaml b/policies/notion.yaml new file mode 100644 index 0000000..c41b6a8 --- /dev/null +++ b/policies/notion.yaml 
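Review bot: `complete_query_tuning` is described as "Apply tuning changes" yet is the first entry under "Read Tools" in this file; its own description says it mutates, so it belongs with the migration tools. `get_connection_string` ("Return database connection details") most likely returns a credential-bearing string — a comment such as `# may return credentials — consider restricting` is warranted, hedged because the exact payload is not visible here. `provision_neon_data_api` ("Enable HTTP database access") and `provision_neon_auth` increase the project's exposure and sit under "Other Tools"; grouping them with the Write tools would make that clearer.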
@@ -0,0 +1,73 @@ +# ───────────────────────────────────────────────────────── +# Policy: Notion MCP Server +# Server: notion-mcp-server +# Homepage: https://developers.notion.com/docs/mcp +# Tags: notion, productivity, databases, pages, collaboration +# Tools: 16 +# Generated: 2026-03-04T16:57:07Z + +# Generated by Intercept — https://intercept.policylayer.com +# Control what AI agents can do — enforce policies on every MCP tool call. +# ───────────────────────────────────────────────────────── +version: "1" +description: "Policy for notion-mcp-server" +# Set to "deny" to reject tool calls not listed below +default: "allow" +tools: + # ── Read Tools ─────────────────────────────────────────── + # notion-fetch: Fetch a Notion resource by URL + notion-fetch: + rules: [] + # notion-get-block-children: Get child blocks of a page or block + notion-get-block-children: + rules: [] + # notion-get-comments: Get comments on a Notion page + notion-get-comments: + rules: [] + # notion-get-databases: Get a Notion database + notion-get-databases: + rules: [] + # notion-get-page: Get a Notion page by ID + notion-get-page: + rules: [] + # notion-query-data-sources: Query a Notion database + notion-query-data-sources: + rules: [] + # notion-search: Search across Notion pages and databases + notion-search: + rules: [] + # ── Write Tools ─────────────────────────────────────────── + # notion-create-comment: Create a comment on a page + notion-create-comment: + rules: [] + # notion-create-database: Create a new database + notion-create-database: + rules: [] + # notion-create-pages: Create new Notion pages + notion-create-pages: + rules: [] + # notion-move-pages: Move pages to a different parent + notion-move-pages: + rules: [] + # notion-update-block: Update a block + notion-update-block: + rules: [] + # notion-update-database: Update a database + notion-update-database: + rules: [] + # notion-update-page: Update a Notion page + notion-update-page: + rules: [] + # ── Destructive Tools 
─────────────────────────────────────────── + # notion-delete-block: Delete a block + notion-delete-block: + rules: [] + # notion-delete-page: Delete a Notion page + notion-delete-page: + rules: [] + + # Uncomment to apply a global rate limit across all tools: + # "*": + # rules: + # - name: "global rate limit" + # rate_limit: 60/minute diff --git a/policies/paypal.yaml b/policies/paypal.yaml new file mode 100644 index 0000000..4809597 --- /dev/null +++ b/policies/paypal.yaml 
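Review bot: `notion-get-databases` is described as "Get a Notion database" and `notion-query-data-sources` as "Query a Notion database", so the plural tool names and singular descriptions disagree; confirm the names against the server's tool list, because a policy keyed on a name the server never emits presumably never matches and, under `default: "allow"`, leaves that tool ungoverned. `notion-move-pages` ("Move pages to a different parent") is listed as an ordinary write, but if page access is inherited from the parent a move can change who can see the content, which a comment on the entry should flag.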
@@ -0,0 +1,116 @@ +# ───────────────────────────────────────────────────────── +# Policy: PayPal MCP Server +# Server: paypal/paypal-mcp-server +# Homepage: https://github.com/paypal/paypal-mcp-server +# Tags: paypal, payments, invoices, subscriptions, e-commerce +# Tools: 30 +# Generated: 2026-03-04T16:57:07Z + +# Generated by Intercept — https://intercept.policylayer.com +# Control what AI agents can do — enforce policies on every MCP tool call. +# ───────────────────────────────────────────────────────── +version: "1" +description: "Policy for paypal/paypal-mcp-server" +# Set to "deny" to reject tool calls not listed below +default: "allow" +tools: + # ── Read Tools ─────────────────────────────────────────── + # get_dispute: Retrieve detailed information of a specific dispute + get_dispute: + rules: [] + # get_order: Retrieve the details of an order + get_order: + rules: [] + # get_shipment_tracking: Retrieve shipment tracking information + get_shipment_tracking: + rules: [] + # list_disputes: Retrieve a summary of all open disputes + list_disputes: + rules: [] + # list_products: List products with optional pagination and filtering + list_products: + rules: [] + # list_transactions: List transactions with optional filtering + list_transactions: + rules: [] + # show_product_details: Retrieve details of a specific product + show_product_details: + rules: [] + # ── Write Tools ─────────────────────────────────────────── + # create_order: Create an order in PayPal + create_order: + rules: [] + # create_product: Create a new product in the PayPal catalogue + create_product: + rules: [] + # create_shipment_tracking: Create a shipment tracking record + create_shipment_tracking: + rules: [] + # update_plan: Update an existing subscription plan + update_plan: + rules: [] + # update_product: Update an existing product + update_product: + rules: [] + # ── Financial Tools ─────────────────────────────────────────── + # cancel_sent_invoice: Cancel a sent invoice + 
cancel_sent_invoice: + rules: [] + # cancel_subscription: Cancel an active subscription + cancel_subscription: + rules: [] + # create_invoice: Create a new invoice + create_invoice: + rules: [] + # create_refund: Process a refund for a captured payment + create_refund: + rules: [] + # create_subscription: Create a new subscription + create_subscription: + rules: [] + # create_subscription_plan: Create a new subscription plan + create_subscription_plan: + rules: [] + # generate_invoice_qr_code: Generate a QR code for an invoice + generate_invoice_qr_code: + rules: [] + # get_invoice: Retrieve details of a specific invoice + get_invoice: + rules: [] + # get_refund: Get the details for a specific refund + get_refund: + rules: [] + # list_invoices: List invoices with optional pagination and filtering + list_invoices: + rules: [] + # list_subscription_plans: List subscription plans + list_subscription_plans: + rules: [] + # pay_order: Process payment for an authorised order + pay_order: + rules: [] + # send_invoice: Send an invoice to recipients + send_invoice: + rules: [] + # send_invoice_reminder: Send a reminder for an existing invoice + send_invoice_reminder: + rules: [] + # show_subscription_details: Retrieve details of a specific subscription + show_subscription_details: + rules: [] + # show_subscription_plan_details: Retrieve details of a specific subscription plan + show_subscription_plan_details: + rules: [] + # update_subscription: Update an existing subscription + update_subscription: + rules: [] + # ── Other Tools ─────────────────────────────────────────── + # accept_dispute_claim: Accept a dispute claim + accept_dispute_claim: + rules: [] + + # Uncomment to apply a global rate limit across all tools: + # "*": + # rules: + # - name: "global rate limit" + # rate_limit: 60/minute diff --git a/policies/playwright.yaml b/policies/playwright.yaml new file mode 100644 index 0000000..f7e0c8b --- /dev/null +++ b/policies/playwright.yaml 
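Review bot: The "Financial Tools" section in this hunk mixes pure reads (`get_invoice`, `get_refund`, `list_invoices`, `list_subscription_plans`, `show_subscription_details`, `show_subscription_plan_details`) with actions that move money or commit the merchant (`create_refund`, `pay_order`, `send_invoice`, `cancel_subscription`), so the grouping does not help a reader decide which entries need rules. Move the reads to "Read Tools" and keep "Financial Tools" for money movement; `accept_dispute_claim` ("Accept a dispute claim") concedes a dispute and belongs there as well, not under "Other Tools". A per-entry comment such as `# moves funds — consider rate-limiting` on `create_refund` and `pay_order` would mirror the footer's rate-limit example.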
@@ -0,0 +1,98 @@ +# ───────────────────────────────────────────────────────── +# Policy: Playwright MCP Server +# Server: microsoft/playwright-mcp +# Homepage: https://github.com/microsoft/playwright-mcp +# Tags: playwright, browser, testing, automation, microsoft +# Tools: 25 +# Generated: 2026-03-04T16:57:07Z + +# Generated by Intercept — https://intercept.policylayer.com +# Control what AI agents can do — enforce policies on every MCP tool call. +# ───────────────────────────────────────────────────────── +version: "1" +description: "Policy for microsoft/playwright-mcp" +# Set to "deny" to reject tool calls not listed below +default: "allow" +tools: + # ── Other Tools ─────────────────────────────────────────── + # browser_click: Click an element on the page + browser_click: + rules: [] + # browser_close: Close the browser + browser_close: + rules: [] + # browser_console_messages: Retrieve browser console messages + browser_console_messages: + rules: [] + # browser_drag: Drag an element from one location to another + browser_drag: + rules: [] + # browser_file_upload: Upload a file to a file input element + browser_file_upload: + rules: [] + # browser_generate_playwright_test: Generate a Playwright test script from recorded actions + browser_generate_playwright_test: + rules: [] + # browser_handle_dialog: Handle a browser dialog + browser_handle_dialog: + rules: [] + # browser_hover: Hover over an element on the page + browser_hover: + rules: [] + # browser_install: Install the browser binary + browser_install: + rules: [] + # browser_navigate: Navigate to a URL in the browser + browser_navigate: + rules: [] + # browser_navigate_back: Navigate back in browser history + browser_navigate_back: + rules: [] + # browser_navigate_forward: Navigate forward in browser history + browser_navigate_forward: + rules: [] + # browser_network_requests: Retrieve network requests made by the page + browser_network_requests: + rules: [] + # browser_pdf_save: Save the current page 
as a PDF + browser_pdf_save: + rules: [] + # browser_press_key: Press a keyboard key or key combination + browser_press_key: + rules: [] + # browser_resize: Resize the browser window + browser_resize: + rules: [] + # browser_select_option: Select an option from a dropdown + browser_select_option: + rules: [] + # browser_snapshot: Capture an accessibility snapshot of the current page + browser_snapshot: + rules: [] + # browser_tab_close: Close a specific tab + browser_tab_close: + rules: [] + # browser_tab_list: List all open browser tabs + browser_tab_list: + rules: [] + # browser_tab_new: Open a new browser tab + browser_tab_new: + rules: [] + # browser_tab_select: Switch to a specific tab + browser_tab_select: + rules: [] + # browser_take_screenshot: Capture a screenshot of the current page + browser_take_screenshot: + rules: [] + # browser_type: Type text into an input field + browser_type: + rules: [] + # browser_wait_for: Wait for a specified condition or text to appear + browser_wait_for: + rules: [] + + # Uncomment to apply a global rate limit across all tools: + # "*": + # rules: + # - name: "global rate limit" + # rate_limit: 60/minute diff --git a/policies/postgres.yaml b/policies/postgres.yaml new file mode 100644 index 0000000..ea6a6e3 --- /dev/null +++ b/policies/postgres.yaml 
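Review bot: All 25 tools in this template are under "Other Tools", so the Read/Write/Destructive/Execute structure the other templates rely on is absent here. At minimum `browser_install` ("Install the browser binary") and `browser_file_upload` ("Upload a file to a file input element") differ in kind from `browser_snapshot`: the first installs software and the second reads a local file and sends it to whatever page the agent navigated to, while `browser_navigate` fetches agent-chosen URLs whose content presumably flows back into the model. Entry comments such as `# installs software — consider denying` and `# sends a local file to the visited page` would surface that.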
@@ -0,0 +1,26 @@
+# ─────────────────────────────────────────────────────────
+# Policy: PostgreSQL MCP Server
+# Server: modelcontextprotocol/server-postgres
+# Homepage: https://github.com/modelcontextprotocol/servers/tree/main/src/postgres
+# Tags: postgresql, database, sql, queries
+# Tools: 1
+# Generated: 2026-03-04T16:57:07Z
+
+# Generated by Intercept — https://intercept.policylayer.com
+# Control what AI agents can do — enforce policies on every MCP tool call.
+# ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for modelcontextprotocol/server-postgres"
+# Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+ # ── Read Tools ───────────────────────────────────────────
+ # query: Execute a read-only SQL query against the connected database
+ query:
+ rules: []
+
+ # Uncomment to apply a global rate limit across all tools:
+ # "*":
+ # rules:
+ # - name: "global rate limit"
+ # rate_limit: 60/minute
diff --git a/policies/postman.yaml b/policies/postman.yaml
new file mode 100644
index 0000000..b75850c
--- /dev/null
+++ b/policies/postman.yaml
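Review bot: `query` is classified as a read tool on the strength of its description ("Execute a read-only SQL query"); whether read-only is enforced by the server or only asserted by the description is not visible here, and the comment should say which, e.g. `# read-only is enforced by the server, not by this policy — verify`. This matters because it is the only tool in the file and, with `default: "allow"` and `rules: []`, the policy adds no constraint of its own.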
@@ -0,0 +1,116 @@ +# ───────────────────────────────────────────────────────── +# Policy: Postman MCP Server +# Server: postmanlabs/postman-mcp-server +# Homepage: https://github.com/postmanlabs/postman-mcp-server +# Tags: postman, api, testing, collections, workspaces +# Tools: 30 +# Generated: 2026-03-04T16:57:07Z + +# Generated by Intercept — https://intercept.policylayer.com +# Control what AI agents can do — enforce policies on every MCP tool call. +# ───────────────────────────────────────────────────────── +version: "1" +description: "Policy for postmanlabs/postman-mcp-server" +# Set to "deny" to reject tool calls not listed below +default: "allow" +tools: + # ── Read Tools ─────────────────────────────────────────── + # getApi: Get API details + getApi: + rules: [] + # getCollection: Retrieve collection details + getCollection: + rules: [] + # getEnvironment: Get environment details + getEnvironment: + rules: [] + # getMock: Get mock server details + getMock: + rules: [] + # getMonitor: Get monitor details + getMonitor: + rules: [] + # getWorkspace: Get information about a specific workspace + getWorkspace: + rules: [] + # listApis: List APIs in a workspace + listApis: + rules: [] + # listCollections: List collections in a workspace + listCollections: + rules: [] + # listEnvironments: List environments in a workspace + listEnvironments: + rules: [] + # listMocks: List mock servers + listMocks: + rules: [] + # listMonitors: List monitors + listMonitors: + rules: [] + # listWorkspaces: List all workspaces + listWorkspaces: + rules: [] + # ── Write Tools ─────────────────────────────────────────── + # createApi: Create a new API + createApi: + rules: [] + # createCollection: Create a new collection + createCollection: + rules: [] + # createEnvironment: Create a new environment + createEnvironment: + rules: [] + # createMock: Create a mock server + createMock: + rules: [] + # createMonitor: Create a monitor + createMonitor: + rules: [] + # createWorkspace: 
Create a new workspace + createWorkspace: + rules: [] + # updateApi: Update an API + updateApi: + rules: [] + # updateCollection: Update a collection + updateCollection: + rules: [] + # updateEnvironment: Update an environment + updateEnvironment: + rules: [] + # updateMock: Update a mock server + updateMock: + rules: [] + # updateWorkspace: Update a workspace + updateWorkspace: + rules: [] + # ── Execute Tools ─────────────────────────────────────────── + # runMonitor: Run a monitor + runMonitor: + rules: [] + # ── Destructive Tools ─────────────────────────────────────────── + # deleteApi: Delete an API + deleteApi: + rules: [] + # deleteCollection: Delete a collection + deleteCollection: + rules: [] + # deleteEnvironment: Delete an environment + deleteEnvironment: + rules: [] + # deleteMock: Delete a mock server + deleteMock: + rules: [] + # deleteMonitor: Delete a monitor + deleteMonitor: + rules: [] + # deleteWorkspace: Delete a workspace + deleteWorkspace: + rules: [] + + # Uncomment to apply a global rate limit across all tools: + # "*": + # rules: + # - name: "global rate limit" + # rate_limit: 60/minute diff --git a/policies/puppeteer.yaml b/policies/puppeteer.yaml new file mode 100644 index 0000000..bb98143 --- /dev/null +++ b/policies/puppeteer.yaml 
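Review bot: Every entry under `# ── Destructive Tools` (`deleteApi` through `deleteWorkspace`) and the `# ── Execute Tools` entry `runMonitor` ships with `rules: []` while `default: "allow"` is set, so the generated file enforces nothing until a user edits it; the category headers are comments and carry no policy weight. That is acceptable for a scaffold, but the file header should say so rather than leave the reader to infer it, e.g. `# NOTE: all rules below are empty — every listed tool is allowed until you add rules`. The same applies to the other generated templates in this patch (puppeteer, sentry, square, stripe, supabase, twilio), so one change in the generator's header text would fix all of them.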
@@ -0,0 +1,45 @@
+# ─────────────────────────────────────────────────────────
+# Policy: Puppeteer MCP Server
+# Server: modelcontextprotocol/server-puppeteer
+# Homepage: https://github.com/modelcontextprotocol/servers/tree/main/src/puppeteer
+# Tags: puppeteer, browser, automation, web-scraping
+# Tools: 7
+# Generated: 2026-03-04T16:57:07Z
+
+# Generated by Intercept — https://intercept.policylayer.com
+# Control what AI agents can do — enforce policies on every MCP tool call.
+# ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for modelcontextprotocol/server-puppeteer"
+# Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+ # ── Execute Tools ───────────────────────────────────────────
+ # puppeteer_evaluate: Execute JavaScript in the browser console
+ puppeteer_evaluate:
+ rules: []
+ # ── Other Tools ───────────────────────────────────────────
+ # puppeteer_click: Click elements on the page
+ puppeteer_click:
+ rules: []
+ # puppeteer_fill: Fill out input fields
+ puppeteer_fill:
+ rules: []
+ # puppeteer_hover: Hover elements on the page
+ puppeteer_hover:
+ rules: []
+ # puppeteer_navigate: Navigate to any URL in the browser
+ puppeteer_navigate:
+ rules: []
+ # puppeteer_screenshot: Capture screenshots of the entire page or specific elements
+ puppeteer_screenshot:
+ rules: []
+ # puppeteer_select: Select an element with SELECT tag
+ puppeteer_select:
+ rules: []
+
+ # Uncomment to apply a global rate limit across all tools:
+ # "*":
+ # rules:
+ # - name: "global rate limit"
+ # rate_limit: 60/minute
diff --git a/policies/qdrant.yaml b/policies/qdrant.yaml
new file mode 100644
index 0000000..22f83bc
--- /dev/null
+++ b/policies/qdrant.yaml
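Review bot: `puppeteer_navigate` is filed under `# ── Other Tools` next to `puppeteer_hover`, yet its own description says it navigates to any URL, which is the tool a policy author is most likely to want an egress rule on. The grouping appears to be derived from the tool name rather than the description. Listing it beside `puppeteer_evaluate` under the Execute header, or adding `# NOTE: reaches arbitrary URLs — consider a rule here before enabling`, would make the scaffold point the reader at the right place.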
@@ -0,0 +1,30 @@
+# ─────────────────────────────────────────────────────────
+# Policy: Qdrant MCP Server
+# Server: qdrant/mcp-server-qdrant
+# Homepage: https://github.com/qdrant/mcp-server-qdrant
+# Tags: qdrant, vector-database, semantic-search, embeddings
+# Tools: 2
+# Generated: 2026-03-04T16:57:07Z
+
+# Generated by Intercept — https://intercept.policylayer.com
+# Control what AI agents can do — enforce policies on every MCP tool call.
+# ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for qdrant/mcp-server-qdrant"
+# Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+ # ── Read Tools ───────────────────────────────────────────
+ # qdrant-find: Retrieve relevant information via semantic search
+ qdrant-find:
+ rules: []
+ # ── Other Tools ───────────────────────────────────────────
+ # qdrant-store: Store information in Qdrant database with optional metadata
+ qdrant-store:
+ rules: []
+
+ # Uncomment to apply a global rate limit across all tools:
+ # "*":
+ # rules:
+ # - name: "global rate limit"
+ # rate_limit: 60/minute
diff --git a/policies/semgrep.yaml b/policies/semgrep.yaml
new file mode 100644
index 0000000..24b3d14
--- /dev/null
+++ b/policies/semgrep.yaml
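Review bot: `qdrant-store` sits under `# ── Other Tools` although its description is a plain write ("Store information in Qdrant database"), while the other templates in this patch put create/store-style tools under a Write header. Changing the header on that line to `# ── Write Tools ───────────────────────────────────────────` keeps this two-tool file consistent with the rest of the library and tells a reader at a glance which of the two tools mutates state.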
@@ -0,0 +1,49 @@
+# ─────────────────────────────────────────────────────────
+# Policy: Semgrep MCP Server
+# Server: semgrep/mcp
+# Homepage: https://github.com/semgrep/mcp
+# Tags: semgrep, security, code-analysis, sast, vulnerability-scanning
+# Tools: 8
+# Generated: 2026-03-04T16:57:07Z
+
+# Generated by Intercept — https://intercept.policylayer.com
+# Control what AI agents can do — enforce policies on every MCP tool call.
+# ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for semgrep/mcp"
+# Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+ # ── Read Tools ───────────────────────────────────────────
+ # get_abstract_syntax_tree: Output the Abstract Syntax Tree of code
+ get_abstract_syntax_tree:
+ rules: []
+ # ── Write Tools ───────────────────────────────────────────
+ # write_custom_semgrep_rule: Provide guidance for creating Semgrep rules
+ write_custom_semgrep_rule:
+ rules: []
+ # ── Other Tools ───────────────────────────────────────────
+ # security_check: Scan code for security vulnerabilities
+ security_check:
+ rules: []
+ # semgrep_findings: Fetch findings from the Semgrep AppSec Platform API
+ semgrep_findings:
+ rules: []
+ # semgrep_rule_schema: Fetch the latest Semgrep rule JSON Schema
+ semgrep_rule_schema:
+ rules: []
+ # semgrep_scan: Scan code files with a given config string
+ semgrep_scan:
+ rules: []
+ # semgrep_scan_with_custom_rule: Scan code files using a custom Semgrep rule
+ semgrep_scan_with_custom_rule:
+ rules: []
+ # supported_languages: Return the list of languages Semgrep supports
+ supported_languages:
+ rules: []
+
+ # Uncomment to apply a global rate limit across all tools:
+ # "*":
+ # rules:
+ # - name: "global rate limit"
+ # rate_limit: 60/minute
diff --git a/policies/sentry.yaml b/policies/sentry.yaml
new file mode 100644
index 0000000..ca00a66
--- /dev/null
+++ b/policies/sentry.yaml
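Review bot: `write_custom_semgrep_rule` is grouped under `# ── Write Tools`, but its own description ("Provide guidance for creating Semgrep rules") is a read, so the grouping seems to follow the `write_` prefix rather than the behaviour; conversely `semgrep_findings`, `semgrep_rule_schema` and `supported_languages` are reads that landed under Other. Moving those four under the Read header would make the categories match the descriptions. `semgrep_scan` and `semgrep_scan_with_custom_rule` both run a scanner over supplied files with a caller-provided config or rule and are the entries worth calling out, e.g. `# NOTE: runs a scan with caller-supplied rules over the given files`.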
@@ -0,0 +1,100 @@ +# ───────────────────────────────────────────────────────── +# Policy: Sentry MCP Server +# Server: getsentry/sentry-mcp +# Homepage: https://github.com/getsentry/sentry-mcp +# Tags: sentry, error-tracking, monitoring, debugging +# Tools: 25 +# Generated: 2026-03-04T16:57:07Z + +# Generated by Intercept — https://intercept.policylayer.com +# Control what AI agents can do — enforce policies on every MCP tool call. +# ───────────────────────────────────────────────────────── +version: "1" +description: "Policy for getsentry/sentry-mcp" +# Set to "deny" to reject tool calls not listed below +default: "allow" +tools: + # ── Read Tools ─────────────────────────────────────────── + # find_dsns: List all Sentry DSNs for a specific project + find_dsns: + rules: [] + # find_organizations: Find organisations the user has access to + find_organizations: + rules: [] + # find_projects: Find projects in a Sentry organisation + find_projects: + rules: [] + # find_releases: Find releases in a Sentry organisation + find_releases: + rules: [] + # find_teams: Find teams in an organisation + find_teams: + rules: [] + # get_doc: Fetch the full markdown content of a Sentry documentation page + get_doc: + rules: [] + # get_event_attachment: Download attachments from a Sentry event + get_event_attachment: + rules: [] + # get_issue_details: Get detailed information about a specific issue + get_issue_details: + rules: [] + # get_issue_tag_values: Get tag value distribution for a specific issue + get_issue_tag_values: + rules: [] + # get_sentry_resource: Fetch a Sentry resource by URL or by type and ID + get_sentry_resource: + rules: [] + # get_trace_details: Get detailed information about a specific trace + get_trace_details: + rules: [] + # list_events: Search events using Sentry query syntax + list_events: + rules: [] + # list_issue_events: List events within a specific issue + list_issue_events: + rules: [] + # list_issues: List issues using Sentry query syntax + 
list_issues: + rules: [] + # search_docs: Search Sentry documentation + search_docs: + rules: [] + # search_events: Search for events and perform counts and aggregations + search_events: + rules: [] + # search_issue_events: Search and filter events within a specific issue + search_issue_events: + rules: [] + # search_issues: Search for grouped issues and problems in Sentry + search_issues: + rules: [] + # ── Write Tools ─────────────────────────────────────────── + # create_dsn: Create an additional DSN for an existing project + create_dsn: + rules: [] + # create_project: Create a new project in Sentry + create_project: + rules: [] + # create_team: Create a new team in Sentry + create_team: + rules: [] + # update_issue: Update an issue's status or assignment in Sentry + update_issue: + rules: [] + # update_project: Update project settings in Sentry + update_project: + rules: [] + # ── Other Tools ─────────────────────────────────────────── + # analyze_issue_with_seer: Use Seer to analyse production errors and get root cause analysis + analyze_issue_with_seer: + rules: [] + # whoami: Identify the authenticated user in Sentry + whoami: + rules: [] + + # Uncomment to apply a global rate limit across all tools: + # "*": + # rules: + # - name: "global rate limit" + # rate_limit: 60/minute diff --git a/policies/shopify.yaml b/policies/shopify.yaml new file mode 100644 index 0000000..7cec089 --- /dev/null +++ b/policies/shopify.yaml 
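Review bot: `find_dsns` is grouped with `find_teams` under `# ── Read Tools`, but a DSN embeds the project's client key, so this read returns key material rather than metadata, and `create_dsn` under Write mints new ones. A comment would help a policy author spot that, e.g. `# find_dsns: List all Sentry DSNs for a specific project (response contains client keys)` and a matching note on `create_dsn`. `get_event_attachment` also returns arbitrary attachment content, which is untrusted input to the agent; a `(returns untrusted content)` note there would be consistent.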
@@ -0,0 +1,42 @@
+# ─────────────────────────────────────────────────────────
+# Policy: Shopify Dev MCP Server
+# Server: Shopify/dev-mcp
+# Homepage: https://github.com/Shopify/dev-mcp
+# Tags: shopify, e-commerce, graphql, themes, storefronts
+# Tools: 6
+# Generated: 2026-03-04T16:57:07Z
+
+# Generated by Intercept — https://intercept.policylayer.com
+# Control what AI agents can do — enforce policies on every MCP tool call.
+# ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for Shopify/dev-mcp"
+# Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+ # ── Read Tools ───────────────────────────────────────────
+ # fetch_full_docs: Retrieve complete documentation for specific paths
+ fetch_full_docs:
+ rules: []
+ # search_docs_chunks: Search across all shopify.dev documentation
+ search_docs_chunks:
+ rules: []
+ # ── Other Tools ───────────────────────────────────────────
+ # introspect_admin_schema: Explore and search Shopify GraphQL schemas
+ introspect_admin_schema:
+ rules: []
+ # learn_shopify_api: Learn about supported Shopify APIs and generate a conversation ID
+ learn_shopify_api:
+ rules: []
+ # validate_graphql_codeblocks: Validate GraphQL code blocks against schema
+ validate_graphql_codeblocks:
+ rules: []
+ # validate_theme_codeblocks: Validate JavaScript and TypeScript code blocks containing Shopify components
+ validate_theme_codeblocks:
+ rules: []
+
+ # Uncomment to apply a global rate limit across all tools:
+ # "*":
+ # rules:
+ # - name: "global rate limit"
+ # rate_limit: 60/minute
diff --git a/policies/slack.yaml b/policies/slack.yaml
new file mode 100644
index 0000000..c2befab
--- /dev/null
+++ b/policies/slack.yaml
@@ -0,0 +1,49 @@
+# ─────────────────────────────────────────────────────────
+# Policy: Slack MCP Server
+# Server: modelcontextprotocol/server-slack
+# Homepage: https://github.com/modelcontextprotocol/servers/tree/main/src/slack
+# Tags: slack, messaging, channels, team-communication
+# Tools: 8
+# Generated: 2026-03-04T16:57:07Z
+
+# Generated by Intercept — https://intercept.policylayer.com
+# Control what AI agents can do — enforce policies on every MCP tool call.
+# ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for modelcontextprotocol/server-slack"
+# Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+ # ── Read Tools ───────────────────────────────────────────
+ # slack_get_channel_history: Get recent messages from a channel
+ slack_get_channel_history:
+ rules: []
+ # slack_get_thread_replies: Get all replies in a message thread
+ slack_get_thread_replies:
+ rules: []
+ # slack_get_user_profile: Get detailed profile information for a specific user
+ slack_get_user_profile:
+ rules: []
+ # slack_get_users: Get list of workspace users with basic profile information
+ slack_get_users:
+ rules: []
+ # slack_list_channels: List public or pre-defined channels in the workspace
+ slack_list_channels:
+ rules: []
+ # ── Write Tools ───────────────────────────────────────────
+ # slack_add_reaction: Add an emoji reaction to a message
+ slack_add_reaction:
+ rules: []
+ # slack_post_message: Post a new message to a Slack channel
+ slack_post_message:
+ rules: []
+ # ── Other Tools ───────────────────────────────────────────
+ # slack_reply_to_thread: Reply to a specific message thread
+ slack_reply_to_thread:
+ rules: []
+
+ # Uncomment to apply a global rate limit across all tools:
+ # "*":
+ # rules:
+ # - name: "global rate limit"
+ # rate_limit: 60/minute
diff --git a/policies/square.yaml b/policies/square.yaml
new file mode 100644
index 0000000..897bf39
--- /dev/null
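Review bot: `slack_reply_to_thread` is placed under `# ── Other Tools` while `slack_post_message`, which performs the same kind of outbound write on the agent's behalf, is under `# ── Write Tools`. Moving `slack_reply_to_thread` under the Write header makes the grouping match the descriptions, so that a reader scanning for "what can this agent say to people" finds both tools in one place.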
+++ b/policies/square.yaml
@@ -0,0 +1,33 @@
+# ─────────────────────────────────────────────────────────
+# Policy: Square MCP Server
+# Server: square/square-mcp-server
+# Homepage: https://github.com/square/square-mcp-server
+# Tags: square, payments, commerce, pos, inventory
+# Tools: 3
+# Generated: 2026-03-04T16:57:07Z
+
+# Generated by Intercept — https://intercept.policylayer.com
+# Control what AI agents can do — enforce policies on every MCP tool call.
+# ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for square/square-mcp-server"
+# Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+ # ── Read Tools ───────────────────────────────────────────
+ # get_service_info: Discover methods available for a Square service
+ get_service_info:
+ rules: []
+ # get_type_info: Get detailed parameter requirements for API calls
+ get_type_info:
+ rules: []
+ # ── Execute Tools ───────────────────────────────────────────
+ # make_api_request: Execute API calls to Square services
+ make_api_request:
+ rules: []
+
+ # Uncomment to apply a global rate limit across all tools:
+ # "*":
+ # rules:
+ # - name: "global rate limit"
+ # rate_limit: 60/minute
diff --git a/policies/stripe.yaml b/policies/stripe.yaml
new file mode 100644
index 0000000..2676299
--- /dev/null
+++ b/policies/stripe.yaml
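Review bot: `make_api_request` is, per its description, a single tool that executes any call to Square services, so the tool-name granularity of this template cannot separate a catalog read from a payment or refund; allowing this one tool is effectively allowing the whole Square API surface. If the policy format can match on call arguments, this is the file to document that on; otherwise the comment should say what the template cannot do, e.g. `# make_api_request: Execute API calls to Square services — covers reads and writes alike; tool-name rules cannot distinguish them`. The `rate_limit` example in the footer is the only rule shape shown in this patch, so whether argument matching exists cannot be told from here.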
@@ -0,0 +1,106 @@ +# ───────────────────────────────────────────────────────── +# Policy: Stripe MCP Server +# Server: stripe/agent-toolkit +# Homepage: https://docs.stripe.com/mcp +# Tags: stripe, payments, billing, subscriptions, invoices +# Tools: 27 +# Generated: 2026-03-04T16:57:07Z + +# Generated by Intercept — https://intercept.policylayer.com +# Control what AI agents can do — enforce policies on every MCP tool call. +# ───────────────────────────────────────────────────────── +version: "1" +description: "Policy for stripe/agent-toolkit" +# Set to "deny" to reject tool calls not listed below +default: "allow" +tools: + # ── Read Tools ─────────────────────────────────────────── + # fetch_stripe_resources: Retrieve Stripe objects + fetch_stripe_resources: + rules: [] + # get_stripe_account_info: Retrieve account information + get_stripe_account_info: + rules: [] + # list_coupons: List coupons + list_coupons: + rules: [] + # list_customers: List customers + list_customers: + rules: [] + # list_disputes: List disputes + list_disputes: + rules: [] + # list_prices: List prices + list_prices: + rules: [] + # list_products: List products + list_products: + rules: [] + # list_setup_intents: List SetupIntents + list_setup_intents: + rules: [] + # retrieve_balance: Retrieve balance + retrieve_balance: + rules: [] + # search_stripe_documentation: Search Stripe knowledge + search_stripe_documentation: + rules: [] + # search_stripe_resources: Search Stripe resources + search_stripe_resources: + rules: [] + # ── Write Tools ─────────────────────────────────────────── + # create_coupon: Create coupon + create_coupon: + rules: [] + # create_customer: Create customer + create_customer: + rules: [] + # create_price: Create price + create_price: + rules: [] + # create_product: Create product + create_product: + rules: [] + # update_dispute: Update dispute + update_dispute: + rules: [] + # ── Financial Tools ─────────────────────────────────────────── + # cancel_subscription: 
Cancel subscription + cancel_subscription: + rules: [] + # create_invoice: Create invoice + create_invoice: + rules: [] + # create_invoice_item: Create invoice item + create_invoice_item: + rules: [] + # create_payment_link: Create payment link + create_payment_link: + rules: [] + # create_refund: Create refund + create_refund: + rules: [] + # finalize_invoice: Finalise invoice + finalize_invoice: + rules: [] + # list_charges: List charges + list_charges: + rules: [] + # list_invoices: List invoices + list_invoices: + rules: [] + # list_payment_intents: List PaymentIntents + list_payment_intents: + rules: [] + # list_subscriptions: List subscriptions + list_subscriptions: + rules: [] + # update_subscription: Update subscription + update_subscription: + rules: [] + + # Uncomment to apply a global rate limit across all tools: + # "*": + # rules: + # - name: "global rate limit" + # rate_limit: 60/minute diff --git a/policies/supabase.yaml b/policies/supabase.yaml new file mode 100644 index 0000000..f463c40 --- /dev/null +++ b/policies/supabase.yaml 
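Review bot: The `# ── Financial Tools` group mixes money-moving actions (`cancel_subscription`, `create_refund`, `finalize_invoice`, `create_payment_link`, `update_subscription`) with plain reads (`list_charges`, `list_invoices`, `list_payment_intents`, `list_subscriptions`), while `update_dispute`, which is also financial, sits under Write. Because the headers are comments this only affects how a reader scans the file, but moving the four `list_*` entries under the Read header and `update_dispute` under Financial would make the grouping match the descriptions and keep the Financial header meaning "changes money".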
@@ -0,0 +1,123 @@ +# ───────────────────────────────────────────────────────── +# Policy: Supabase MCP Server +# Server: supabase-community/supabase-mcp +# Homepage: https://github.com/supabase-community/supabase-mcp +# Tags: supabase, database, postgres, edge-functions, storage +# Tools: 32 +# Generated: 2026-03-04T16:57:07Z + +# Generated by Intercept — https://intercept.policylayer.com +# Control what AI agents can do — enforce policies on every MCP tool call. +# ───────────────────────────────────────────────────────── +version: "1" +description: "Policy for supabase-community/supabase-mcp" +# Set to "deny" to reject tool calls not listed below +default: "allow" +tools: + # ── Read Tools ─────────────────────────────────────────── + # get_advisors: Gets advisory notices for a Supabase project + get_advisors: + rules: [] + # get_cost: Gets the cost of a new project or branch + get_cost: + rules: [] + # get_edge_function: Retrieves file contents for an Edge Function + get_edge_function: + rules: [] + # get_logs: Gets logs for a Supabase project by service type + get_logs: + rules: [] + # get_organization: Gets details for an organisation + get_organization: + rules: [] + # get_project: Gets details for a project + get_project: + rules: [] + # get_project_url: Gets the API URL for a project + get_project_url: + rules: [] + # get_publishable_keys: Gets the anonymous API keys for a project + get_publishable_keys: + rules: [] + # get_storage_config: Gets the storage config for a project + get_storage_config: + rules: [] + # list_branches: Lists all development branches + list_branches: + rules: [] + # list_edge_functions: Lists all Edge Functions in a project + list_edge_functions: + rules: [] + # list_extensions: Lists all extensions in the database + list_extensions: + rules: [] + # list_migrations: Lists all migrations in the database + list_migrations: + rules: [] + # list_organizations: Lists all organisations the user is a member of + list_organizations: + 
rules: [] + # list_projects: Lists all Supabase projects for the user + list_projects: + rules: [] + # list_storage_buckets: Lists all storage buckets in a project + list_storage_buckets: + rules: [] + # list_tables: Lists all tables within the specified schemas + list_tables: + rules: [] + # search_docs: Searches Supabase documentation + search_docs: + rules: [] + # ── Write Tools ─────────────────────────────────────────── + # create_branch: Creates a development branch with migrations + create_branch: + rules: [] + # create_project: Creates a new Supabase project + create_project: + rules: [] + # update_storage_config: Updates the storage config for a project + update_storage_config: + rules: [] + # ── Execute Tools ─────────────────────────────────────────── + # execute_sql: Executes raw SQL in the database + execute_sql: + rules: [] + # ── Destructive Tools ─────────────────────────────────────────── + # delete_branch: Deletes a development branch + delete_branch: + rules: [] + # ── Other Tools ─────────────────────────────────────────── + # apply_migration: Applies a SQL migration to the database + apply_migration: + rules: [] + # confirm_cost: Confirms the user's understanding of costs + confirm_cost: + rules: [] + # deploy_edge_function: Deploys a new Edge Function to a project + deploy_edge_function: + rules: [] + # generate_typescript_types: Generates TypeScript types from the database schema + generate_typescript_types: + rules: [] + # merge_branch: Merges migrations from dev branch to production + merge_branch: + rules: [] + # pause_project: Pauses a project + pause_project: + rules: [] + # rebase_branch: Rebases development branch on production + rebase_branch: + rules: [] + # reset_branch: Resets migrations of a development branch + reset_branch: + rules: [] + # restore_project: Restores a project + restore_project: + rules: [] + + # Uncomment to apply a global rate limit across all tools: + # "*": + # rules: + # - name: "global rate limit" + # 
rate_limit: 60/minute
diff --git a/policies/tavily.yaml b/policies/tavily.yaml
new file mode 100644
index 0000000..b88e4be
--- /dev/null
+++ b/policies/tavily.yaml
@@ -0,0 +1,36 @@
+# ─────────────────────────────────────────────────────────
+# Policy: Tavily MCP Server
+# Server: tavily-ai/tavily-mcp
+# Homepage: https://github.com/tavily-ai/tavily-mcp
+# Tags: tavily, search, web-search, extraction, research
+# Tools: 4
+# Generated: 2026-03-04T16:57:07Z
+
+# Generated by Intercept — https://intercept.policylayer.com
+# Control what AI agents can do — enforce policies on every MCP tool call.
+# ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for tavily-ai/tavily-mcp"
+# Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+ # ── Read Tools ───────────────────────────────────────────
+ # tavily-search: Real-time web search with structured results and relevance scores
+ tavily-search:
+ rules: []
+ # ── Other Tools ───────────────────────────────────────────
+ # tavily-crawl: Graph-based website crawler with parallel exploration
+ tavily-crawl:
+ rules: []
+ # tavily-extract: Intelligent data extraction from web pages
+ tavily-extract:
+ rules: []
+ # tavily-map: Create a structured map of website architecture
+ tavily-map:
+ rules: []
+
+ # Uncomment to apply a global rate limit across all tools:
+ # "*":
+ # rules:
+ # - name: "global rate limit"
+ # rate_limit: 60/minute
diff --git a/policies/twilio.yaml b/policies/twilio.yaml
new file mode 100644
index 0000000..acd753f
--- /dev/null
+++ b/policies/twilio.yaml
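Review bot: In the supabase template, `# ── Other Tools` ends up holding the production-affecting actions — `merge_branch` ("Merges migrations from dev branch to production"), `apply_migration`, `deploy_edge_function`, `pause_project`, `restore_project`, `reset_branch` — whereas `execute_sql` got its own Execute header and `delete_branch` a Destructive one, so the most consequential tools read as leftovers. Classifying at least `merge_branch`, `apply_migration` and `deploy_edge_function` as Execute and `pause_project`/`reset_branch` as Destructive would match the descriptions. `get_publishable_keys` under Read returns API keys and deserves a note such as `# get_publishable_keys: Gets the anonymous API keys for a project (response contains key material)`. The supabase hunk begins at its `@@ -0,0 +1,123 @@` header two lines above this one.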
@@ -0,0 +1,133 @@ +# ───────────────────────────────────────────────────────── +# Policy: Twilio MCP Server +# Server: twilio-labs/mcp +# Homepage: https://github.com/twilio-labs/mcp +# Tags: twilio, sms, voice, messaging, communications +# Tools: 36 +# Generated: 2026-03-04T16:57:07Z + +# Generated by Intercept — https://intercept.policylayer.com +# Control what AI agents can do — enforce policies on every MCP tool call. +# ───────────────────────────────────────────────────────── +version: "1" +description: "Policy for twilio-labs/mcp" +# Set to "deny" to reject tool calls not listed below +default: "allow" +tools: + # ── Read Tools ─────────────────────────────────────────── + # get_account: Get account details + get_account: + rules: [] + # get_call: Get details of a specific call + get_call: + rules: [] + # get_flow: Get details of a Studio flow + get_flow: + rules: [] + # get_incoming_phone_number: Get details of a specific phone number + get_incoming_phone_number: + rules: [] + # get_message: Get details of a specific message + get_message: + rules: [] + # list_accounts: List accounts + list_accounts: + rules: [] + # list_calls: List voice calls with optional filters + list_calls: + rules: [] + # list_conversations: List conversations + list_conversations: + rules: [] + # list_environments: List environments for a service + list_environments: + rules: [] + # list_executions: List executions of a Studio flow + list_executions: + rules: [] + # list_flows: List Studio flows + list_flows: + rules: [] + # list_functions: List functions in a service + list_functions: + rules: [] + # list_incoming_phone_numbers: List phone numbers on the account + list_incoming_phone_numbers: + rules: [] + # list_messages: List messages with optional filters + list_messages: + rules: [] + # list_services: List serverless services + list_services: + rules: [] + # list_task_queues: List task queues in a workspace + list_task_queues: + rules: [] + # list_verification_services: List 
verification services + list_verification_services: + rules: [] + # list_workers: List workers in a workspace + list_workers: + rules: [] + # list_workspaces: List TaskRouter workspaces + list_workspaces: + rules: [] + # lookup_phone_number: Look up information about a phone number + lookup_phone_number: + rules: [] + # ── Write Tools ─────────────────────────────────────────── + # add_conversation_participant: Add a participant to a conversation + add_conversation_participant: + rules: [] + # create_call: Initiate a voice call + create_call: + rules: [] + # create_conversation: Create a new conversation + create_conversation: + rules: [] + # create_deployment: Create a deployment + create_deployment: + rules: [] + # create_execution: Trigger a Studio flow execution + create_execution: + rules: [] + # create_function: Create a serverless function + create_function: + rules: [] + # create_incoming_phone_number: Purchase a phone number + create_incoming_phone_number: + rules: [] + # create_service: Create a serverless service + create_service: + rules: [] + # create_task: Create a task in a workspace + create_task: + rules: [] + # create_verification: Start a verification via SMS, call, or email + create_verification: + rules: [] + # create_verification_service: Create a verification service + create_verification_service: + rules: [] + # send_conversation_message: Send a message in a conversation + send_conversation_message: + rules: [] + # send_message: Send an SMS or MMS message + send_message: + rules: [] + # update_call: Modify an in-progress call + update_call: + rules: [] + # update_incoming_phone_number: Update phone number configuration + update_incoming_phone_number: + rules: [] + # ── Other Tools ─────────────────────────────────────────── + # check_verification: Check a verification code + check_verification: + rules: [] + + # Uncomment to apply a global rate limit across all tools: + # "*": + # rules: + # - name: "global rate limit" + # rate_limit: 
60/minute diff --git a/site/index.html b/site/index.html index b75ec80..3341f2a 100644 --- a/site/index.html +++ b/site/index.html @@ -28,6 +28,8 @@ --white: #ffffff; --grid-line: #d1d1d1; --accent: #f9f9f9; + --muted: #666666; + --code-bg: #f0f0f0; } * { @@ -282,6 +284,12 @@ margin-bottom: 15px; } + /* ─── TINTED SECTIONS ─── */ + + .section-tinted { + background: var(--accent); + } + /* ─── SPEC TABLE ─── */ .spec-table { @@ -380,6 +388,76 @@ word-break: normal; } + /* ─── POLICY LIBRARY GRID ─── */ + + .policy-grid { + display: grid; + grid-template-columns: repeat(auto-fit, minmax(220px, 1fr)); + gap: 0; + border: 2px solid var(--black); + margin-top: 30px; + } + + .policy-card { + padding: 24px; + border-right: 2px solid var(--black); + border-bottom: 2px solid var(--black); + text-decoration: none; + color: var(--black); + transition: background 0.15s; + } + + .policy-card:hover { + background: var(--accent); + } + + .policy-card-name { + font-weight: 900; + font-size: 1rem; + margin-bottom: 6px; + } + + .policy-card-meta { + font-size: 0.75rem; + color: var(--muted); + margin-bottom: 8px; + } + + .policy-card-tags { + display: flex; + flex-wrap: wrap; + gap: 4px; + } + + .tag { + font-size: 0.6rem; + text-transform: uppercase; + letter-spacing: 1px; + background: var(--code-bg); + padding: 2px 8px; + font-weight: bold; + color: var(--muted); + } + + .policy-browse { + display: block; + text-align: center; + padding: 20px; + font-weight: 900; + font-size: 0.85rem; + text-transform: uppercase; + text-decoration: none; + color: var(--black); + border: 2px solid var(--black); + border-top: none; + margin-top: 0; + transition: background 0.15s; + } + + .policy-browse:hover { + background: var(--accent); + } + /* ─── ASCII DIAGRAM ─── */ .ascii-diagram { 
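Review bot: `create_incoming_phone_number` ("Purchase a phone number") incurs charges but is listed under `# ── Write Tools` next to `create_conversation`, whereas the stripe template in this same patch uses a `# ── Financial Tools` header for billable actions; using that header here for the purchase, and arguably for the metered `send_message` and `create_call`, would keep the library consistent and make the cost-bearing tools easy to find. `check_verification` under Other consumes a verification code and is closer to Write than to Other. As in the other templates, every `rules: []` here is empty under `default: "allow"`, so none of these groupings constrains anything until the user adds rules.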
@@ -705,6 +783,18 @@ margin: 0; } + .policy-grid { + grid-template-columns: 1fr 1fr; + } + + .policy-card { + border-right: none; + } + + .policy-card:nth-child(odd) { + border-right: 2px solid var(--black); + } + .int-grid { border: none; border-top: 2px solid var(--black); @@ -838,7 +928,7 @@
- +