feat: add policy templates for 43 MCP servers with browse page

.gitignore

@@ -1,3 +1,4 @@
 .claude
 /intercept
 dist/
+scripts/generate-policies/

POLICY.md

@@ -6,6 +6,8 @@ This document covers the YAML policy file format used by Intercept to enforce ru
 
 A policy file defines which tool calls are allowed, denied, or rate-limited. Intercept loads the policy on startup and evaluates every incoming `tools/call` request against it. Calls that pass all rules are forwarded to the upstream MCP server. Calls that fail any rule receive a denial message instead.
 
+> **Quick start:** The [`policies/`](policies/) directory contains ready-made scaffolds for 43 MCP servers. Copy one and add your rules.
+
 ## Top-level structure
 
 ```yaml

README.md

@@ -117,6 +117,20 @@ intercept -c policy.yaml --upstream https://mcp.stripe.com --header "Authorizati
 
 Intercept proxies all MCP traffic and enforces your policy on every tool call. Hidden tools are stripped from the agent's view entirely.
 
+## Example policies
+
+The `policies/` directory contains ready-made policy scaffolds for 43 popular MCP servers including GitHub, Stripe, AWS, Notion, Slack, and more. Each file lists every tool with its description, grouped by category (Read, Write, Execute, Financial, Destructive).
+
+Copy one as a starting point:
+
+```sh
+cp policies/stripe.yaml policy.yaml
+# edit to add your rules, then:
+intercept -c policy.yaml --upstream https://mcp.stripe.com
+```
+
+Browse all policies → [policies/](policies/)
+
 ## MCP client integration
 
 To use Intercept with Claude Code (or any MCP client that reads `.mcp.json`), point the server command at Intercept:
@@ -168,6 +182,7 @@ intercept -c policy.yaml --state-dsn redis://localhost:6379 --upstream https://m
 
 - [CLI reference](USAGE.md): all commands, flags, transport modes, state backends, event logging
 - [Policy reference](POLICY.md): YAML format, conditions, operators, stateful counters, examples
+- [Example policies](policies/): ready-made scaffolds for 43 MCP servers
 
 ## License
 

policies/asana.yaml

@@ -0,0 +1,70 @@
+#  ─────────────────────────────────────────────────────────
+#  Policy: Asana MCP Server
+#  Server: roychri/mcp-server-asana
+#  Homepage: https://github.com/roychri/mcp-server-asana
+#  Tags: asana, project-management, tasks, collaboration
+#  Tools: 15
+#  Generated: 2026-03-04T16:57:07Z
+
+#  Generated by Intercept — https://intercept.policylayer.com
+#  Control what AI agents can do — enforce policies on every MCP tool call.
+#  ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for roychri/mcp-server-asana"
+#  Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+    #  ── Read Tools ───────────────────────────────────────────
+    #  asana_get_project: Get detailed information about a specific project
+    asana_get_project:
+        rules: []
+    #  asana_get_task: Get detailed information about a specific task
+    asana_get_task:
+        rules: []
+    #  asana_get_task_stories: Get comments and stories for a specific task
+    asana_get_task_stories:
+        rules: []
+    #  asana_get_tasks_by_tag: Get tasks associated with a specific tag
+    asana_get_tasks_by_tag:
+        rules: []
+    #  asana_list_project_sections: Retrieve sections within a project
+    asana_list_project_sections:
+        rules: []
+    #  asana_list_tags: Get tags in a workspace
+    asana_list_tags:
+        rules: []
+    #  asana_list_workspaces: List all available workspaces in Asana
+    asana_list_workspaces:
+        rules: []
+    #  asana_search_projects: Search for projects within a workspace by name
+    asana_search_projects:
+        rules: []
+    #  asana_search_tasks: Search tasks within a workspace with advanced filters
+    asana_search_tasks:
+        rules: []
+    #  ── Write Tools ───────────────────────────────────────────
+    #  asana_add_comment: Add a comment to a task
+    asana_add_comment:
+        rules: []
+    #  asana_create_subtask: Create a subtask under an existing parent task
+    asana_create_subtask:
+        rules: []
+    #  asana_create_task: Create a new task in a specified project
+    asana_create_task:
+        rules: []
+    #  asana_set_parent: Set or reassign the parent of a task
+    asana_set_parent:
+        rules: []
+    #  asana_update_task: Update an existing task's details
+    asana_update_task:
+        rules: []
+    #  ── Other Tools ───────────────────────────────────────────
+    #  asana_batch_get_tasks: Batch retrieve up to 25 tasks at once
+    asana_batch_get_tasks:
+        rules: []
+
+  # Uncomment to apply a global rate limit across all tools:
+  # "*":
+  #   rules:
+  #     - name: "global rate limit"
+  #       rate_limit: 60/minute

policies/atlassian.yaml

@@ -0,0 +1,86 @@
+#  ─────────────────────────────────────────────────────────
+#  Policy: Atlassian Rovo MCP Server
+#  Server: atlassian/atlassian-mcp-server
+#  Homepage: https://github.com/atlassian/atlassian-mcp-server
+#  Tags: atlassian, jira, confluence, project-management
+#  Tools: 20
+#  Generated: 2026-03-04T16:57:07Z
+
+#  Generated by Intercept — https://intercept.policylayer.com
+#  Control what AI agents can do — enforce policies on every MCP tool call.
+#  ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for atlassian/atlassian-mcp-server"
+#  Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+    #  ── Read Tools ───────────────────────────────────────────
+    #  getCompassComponent: Get a Compass component
+    getCompassComponent:
+        rules: []
+    #  getConfluencePage: Get a specific Confluence page by ID
+    getConfluencePage:
+        rules: []
+    #  getConfluenceSpace: Get details of a Confluence space
+    getConfluenceSpace:
+        rules: []
+    #  getJiraIssue: Get details of a specific Jira issue
+    getJiraIssue:
+        rules: []
+    #  getVisibleJiraProjects: Get Jira projects visible to the authenticated user
+    getVisibleJiraProjects:
+        rules: []
+    #  listConfluenceSpaces: List all Confluence spaces
+    listConfluenceSpaces:
+        rules: []
+    #  lookupJiraAccountId: Look up account IDs of users by display name or email
+    lookupJiraAccountId:
+        rules: []
+    #  searchCompassComponents: Search Compass components
+    searchCompassComponents:
+        rules: []
+    #  searchConfluenceContent: Search Confluence content using CQL
+    searchConfluenceContent:
+        rules: []
+    #  searchJiraIssuesUsingJql: Search Jira issues using a JQL query
+    searchJiraIssuesUsingJql:
+        rules: []
+    #  ── Write Tools ───────────────────────────────────────────
+    #  addCommentToJiraIssue: Add a comment to an existing Jira issue
+    addCommentToJiraIssue:
+        rules: []
+    #  createCompassComponent: Create a new Compass component
+    createCompassComponent:
+        rules: []
+    #  createConfluencePage: Create a new Confluence page
+    createConfluencePage:
+        rules: []
+    #  createJiraIssue: Create a new Jira issue
+    createJiraIssue:
+        rules: []
+    #  editJiraIssue: Update the details of an existing Jira issue
+    editJiraIssue:
+        rules: []
+    #  updateCompassComponent: Update a Compass component
+    updateCompassComponent:
+        rules: []
+    #  updateConfluencePage: Update an existing Confluence page
+    updateConfluencePage:
+        rules: []
+    #  ── Destructive Tools ───────────────────────────────────────────
+    #  deleteCompassComponent: Delete a Compass component
+    deleteCompassComponent:
+        rules: []
+    #  deleteConfluencePage: Delete a Confluence page
+    deleteConfluencePage:
+        rules: []
+    #  ── Other Tools ───────────────────────────────────────────
+    #  transitionJiraIssue: Transition a Jira issue to a new status
+    transitionJiraIssue:
+        rules: []
+
+  # Uncomment to apply a global rate limit across all tools:
+  # "*":
+  #   rules:
+  #     - name: "global rate limit"
+  #       rate_limit: 60/minute

policies/aws.yaml

@@ -0,0 +1,192 @@
+#  ─────────────────────────────────────────────────────────
+#  Policy: AWS MCP Servers
+#  Server: awslabs/mcp
+#  Homepage: https://github.com/awslabs/mcp
+#  Tags: aws, cloud, infrastructure, serverless, s3, lambda, dynamodb
+#  Tools: 55
+#  Generated: 2026-03-04T16:57:07Z
+
+#  Generated by Intercept — https://intercept.policylayer.com
+#  Control what AI agents can do — enforce policies on every MCP tool call.
+#  ─────────────────────────────────────────────────────────
+version: "1"
+description: "Policy for awslabs/mcp"
+#  Set to "deny" to reject tool calls not listed below
+default: "allow"
+tools:
+    #  ── Read Tools ───────────────────────────────────────────
+    #  describe_log_groups: List metadata about log groups
+    describe_log_groups:
+        rules: []
+    #  get_active_alarms: Identify currently active alarms
+    get_active_alarms:
+        rules: []
+    #  get_alarm_history: Retrieve historical state changes for alarms
+    get_alarm_history:
+        rules: []
+    #  get_bestpractices: Get guidance on AWS development and deployment
+    get_bestpractices:
+        rules: []
+    #  get_cdk_best_practices: Retrieve AWS CDK best practices
+    get_cdk_best_practices:
+        rules: []
+    #  get_cloudwatch_logs: Access CloudWatch logs for EKS
+    get_cloudwatch_logs:
+        rules: []
+    #  get_cloudwatch_metrics: Retrieve CloudWatch metrics for EKS
+    get_cloudwatch_metrics:
+        rules: []
+    #  get_eks_vpc_config: Retrieve VPC configuration
+    get_eks_vpc_config:
+        rules: []
+    #  get_k8s_events: List Kubernetes events
+    get_k8s_events:
+        rules: []
+    #  get_logs_insight_query_results: Retrieve query execution results
+    get_logs_insight_query_results:
+        rules: []
+    #  get_pod_logs: Retrieve pod logs
+    get_pod_logs:
+        rules: []
+    #  get_regional_availability: Check regional availability for services and features
+    get_regional_availability:
+        rules: []
+    #  get_resource: Retrieve specific resource details
+    get_resource:
+        rules: []
+    #  get_schema: Return CloudFormation schema for resources
+    get_schema:
+        rules: []
+    #  list_api_versions: List available Kubernetes API versions
+    list_api_versions:
+        rules: []
+    #  list_k8s_resources: List Kubernetes resources by kind
+    list_k8s_resources:
+        rules: []
+    #  list_knowledge_bases: List available Bedrock knowledge bases
+    list_knowledge_bases:
+        rules: []
+    #  list_regions: List all AWS regions with identifiers
+    list_regions:
+        rules: []
+    #  list_resources: Enumerate resources of specified types
+    list_resources:
+        rules: []
+    #  query_sql: Execute read-only SQL queries against S3 Tables
+    query_sql:
+        rules: []
+    #  read_documentation: Retrieve AWS docs converted to markdown
+    read_documentation:
+        rules: []
+    #  retrieve_agent_sop: Search and retrieve AWS operational procedures
+    retrieve_agent_sop:
+        rules: []
+    #  search_cdk_documentation: Access CDK docs and constructs
+    search_cdk_documentation:
+        rules: []
+    #  search_cfn_documentation: Query CloudFormation docs and patterns
+    search_cfn_documentation:
+        rules: []
+    #  search_documentation: Search across AWS documentation and API references
+    search_documentation:
+        rules: []
+    #  ── Write Tools ───────────────────────────────────────────
+    #  create_resource: Create AWS resources declaratively
+    create_resource:
+        rules: []
+    #  create_table_from_csv: Convert CSV files to S3 Tables
+    create_table_from_csv:
+        rules: []
+    #  update_resource: Update existing resources
+    update_resource:
+        rules: []
+    #  ── Execute Tools ───────────────────────────────────────────
+    #  call_aws: Execute authenticated AWS API calls
+    call_aws:
+        rules: []
+    #  execute_log_insights_query: Run CloudWatch Logs Insights queries
+    execute_log_insights_query:
+        rules: []
+    #  invoke_lambda: Execute Lambda functions as MCP tools
+    invoke_lambda:
+        rules: []
+    #  ── Destructive Tools ───────────────────────────────────────────
+    #  delete_resource: Delete AWS resources
+    delete_resource:
+        rules: []
+    #  tf_destroy: Destroy infrastructure
+    tf_destroy:
+        rules: []
+    #  ── Other Tools ───────────────────────────────────────────
+    #  analyze_log_group: Detect anomalies, patterns, and errors in logs
+    analyze_log_group:
+        rules: []
+    #  analyze_metric: Analyze CloudWatch metric trends and statistical properties
+    analyze_metric:
+        rules: []
+    #  analyze_stack_failures: Diagnose failed CloudFormation stacks
+    analyze_stack_failures:
+        rules: []
+    #  azureterraformbestpractices: Get Terraform best practices for Azure resources
+    azureterraformbestpractices:
+        rules: []
+    #  bedrock_kb_retrieve: Query knowledge bases for relevant information
+    bedrock_kb_retrieve:
+        rules: []
+    #  cancel_logs_insight_query: Cancel in-progress queries
+    cancel_logs_insight_query:
+        rules: []
+    #  check_cdk_nag_suppressions: Validate CDK Nag suppressions
+    check_cdk_nag_suppressions:
+        rules: []
+    #  dynamodb_data_model_validation: Validate models against actual DynamoDB
+    dynamodb_data_model_validation:
+        rules: []
+    #  dynamodb_data_modeling: Interactive data modeling with design patterns
+    dynamodb_data_modeling:
+        rules: []
+    #  explain_cdk_nag_rule: Explain specific CDK Nag security rules
+    explain_cdk_nag_rule:
+        rules: []
+    #  manage_eks_stacks: Manage EKS CloudFormation stacks
+    manage_eks_stacks:
+        rules: []
+    #  manage_k8s_resource: Read/create/update/delete Kubernetes resources
+    manage_k8s_resource:
+        rules: []
+    #  source_db_analyzer: Extract schema from existing databases
+    source_db_analyzer:
+        rules: []
+    #  suggest_aws_commands: Get AWS CLI command descriptions and syntax help
+    suggest_aws_commands:
+        rules: []
+    #  tf_apply: Apply Terraform changes
+    tf_apply:
+        rules: []
+    #  tf_init: Initialize Terraform working directory
+    tf_init:
+        rules: []
+    #  tf_output: Retrieve output values
+    tf_output:
+        rules: []
+    #  tf_plan: Generate Terraform execution plan
+    tf_plan:
+        rules: []
+    #  tf_state_list: List resources in state
+    tf_state_list:
+        rules: []
+    #  tf_validate: Validate Terraform configuration
+    tf_validate:
+        rules: []
+    #  validate_cfn_security: Check compliance via cfn-guard
+    validate_cfn_security:
+        rules: []
+    #  validate_cfn_template: Validate CloudFormation syntax and schema
+    validate_cfn_template:
+        rules: []
+
+  # Uncomment to apply a global rate limit across all tools:
+  # "*":
+  #   rules:
+  #     - name: "global rate limit"
+  #       rate_limit: 60/minute