SkillAgentSearch skills...

Intercept

The control layer for AI agents. Intercept enforces hard limits on every MCP tool call before execution. Rate limits, spend caps, access controls. Open source.

GenerateConvertImprove

Install / Use

/learn @PolicyLayer/Intercept
About this skill

Quality Score

0/100

Supported Platforms

Claude Code
Claude Desktop
Cursor

README

<p align="center"> <img src=".github/assets/banner.svg" alt="Intercept — The control layer for AI agents" width="700" /> </p> <p align="center"> <a href="https://www.npmjs.com/package/@policylayer/intercept"><img src="https://img.shields.io/npm/v/@policylayer/intercept.svg" alt="npm version" /></a> <a href="https://github.com/PolicyLayer/Intercept/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-Apache%202.0-blue.svg" alt="License" /></a> <a href="https://github.com/PolicyLayer/Intercept/commits/main"><img src="https://img.shields.io/github/last-commit/PolicyLayer/Intercept.svg" alt="GitHub last commit" /></a> </p>

Intercept is the open-source control layer for AI agents in production. It sits between your agent and your MCP server, enforcing YAML-defined policies on every tool call. Rate limits, spend caps, access controls, argument validation. The call passes or it doesn't.

<p align="center"> <img src=".github/assets/architecture.svg" alt="How Intercept works" width="700" /> </p> <p align="center"> <img src="demo.gif" alt="Intercept demo — scan, define policy, enforce" width="700" /> </p>

Try it in 30 seconds

See every tool your AI agent has access to — before adding any rules:

npx -y @policylayer/intercept scan -- npx -y @modelcontextprotocol/server-github

This connects to the server, discovers all available tools, and shows you the full attack surface. Then add a policy to lock it down.

Why Intercept, not system prompts?

| | System prompt | Intercept | |---|---|---| | Enforcement | Probabilistic — model can ignore | Deterministic — blocked at transport layer | | Bypassable | Yes — injection, reasoning, context overflow | No — agent never sees the rules | | Stateful | No — no memory of previous calls | Yes — counters, spend tracking, sliding windows | | Auditable | No — no structured log of decisions | Yes — every allow/deny logged with reason | | Latency | N/A | <1ms per evaluation |

Prompts tell the agent what it should do. Intercept defines what it is allowed to do.

What it does

  • Block tool calls — deny dangerous tools unconditionally (e.g. delete_repository)
  • Validate arguments — enforce constraints on tool arguments (amount <= 500, currency in [usd, eur])
  • Rate limit — cap calls per minute, hour, or day with rate_limit: 5/hour shorthand
  • Track spend — stateful counters with dynamic increments (e.g. sum args.amount across calls)
  • Hide tools — strip tools from tools/list so the agent never sees them, saving context window tokens
  • Default deny — allowlist mode where only explicitly listed tools are permitted
  • Hot reload — edit the policy file while running; changes apply immediately without restart
  • Validate policiesintercept validate -c policy.yaml catches errors before deployment

Real-world examples

It drained a $230,000 treasury in six minutes

create_refund:
  rules:
    - name: "cap-refunds"
      rate_limit: "10/day"
      on_deny: "Daily refund limit reached"

It deleted a production config

delete_file:
  rules:
    - name: "block-delete"
      action: deny
      on_deny: "File deletion blocked by policy"

It provisioned infrastructure in a retry loop

create_resource:
  rules:
    - name: "limit-resource-creation"
      rate_limit: "10/hour"
      on_deny: "Resource creation rate limit reached"

It emailed 400,000 customers a test template

messages_send:
  rules:
    - name: "limit-sends"
      rate_limit: "5/hour"
      on_deny: "Email send rate limit reached"

Ready-made policies for all of these: 130+ policy templates

Install

npx:

npx -y @policylayer/intercept -c policy.yaml --upstream https://mcp.stripe.com --header "Authorization: Bearer sk_live_..."

npm:

npm install -g @policylayer/intercept

Go:

go install github.com/policylayer/intercept@latest

Pre-built binaries:

Download from GitHub Releases and place the binary on your PATH.

Quick start

1. Generate a policy scaffold from a running MCP server:

intercept scan -o policy.yaml -- npx -y @modelcontextprotocol/server-stripe

This connects to the server, discovers all available tools, and writes a commented YAML file listing each tool with its parameters.

2. Edit the policy to add rules:

version: "1"
description: "Stripe MCP server policies"

hide:
  - delete_customer
  - delete_product
  - delete_invoice

tools:
  create_charge:
    rules:
      - name: "max single charge"
        conditions:
          - path: "args.amount"
            op: "lte"
            value: 50000
        on_deny: "Single charge cannot exceed $500.00"

      - name: "daily spend cap"
        conditions:
          - path: "state.create_charge.daily_spend"
            op: "lte"
            value: 1000000
        on_deny: "Daily spending cap of $10,000.00 reached"
        state:
          counter: "daily_spend"
          window: "day"
          increment_from: "args.amount"

      - name: "allowed currencies"
        conditions:
          - path: "args.currency"
            op: "in"
            value: ["usd", "eur"]
        on_deny: "Only USD and EUR charges are permitted"

  create_refund:
    rules:
      - name: "refund limit"
        rate_limit: 10/day
        on_deny: "Daily refund limit (10) reached"

3. Run the proxy:

intercept -c policy.yaml --upstream https://mcp.stripe.com --header "Authorization: Bearer sk_live_..."

Intercept proxies all MCP traffic and enforces your policy on every tool call. Hidden tools are stripped from the agent's view entirely.

Example policies

The policies/ directory contains ready-made policy scaffolds for 130+ popular MCP servers including GitHub, Stripe, AWS, Notion, Slack, and more. Each file lists every tool with its description, grouped by category (Read, Write, Execute, Financial, Destructive).

Copy one as a starting point:

cp policies/stripe.yaml policy.yaml
# edit to add your rules, then:
intercept -c policy.yaml --upstream https://mcp.stripe.com

Browse all policies → policies/

MCP client integration

To use Intercept with Claude Code (or any MCP client that reads .mcp.json), point the server command at Intercept:

{
  "mcpServers": {
    "github": {
      "command": "intercept",
      "args": [
        "-c", "/path/to/policy.yaml",
        "--",
        "npx", "-y", "@modelcontextprotocol/server-github"
      ],
      "env": {
        "GITHUB_PERSONAL_ACCESS_TOKEN": "..."
      }
    }
  }
}

For remote HTTP servers, use --upstream instead of a command:

{
  "mcpServers": {
    "stripe": {
      "command": "intercept",
      "args": [
        "-c", "/path/to/policy.yaml",
        "--upstream", "https://mcp.stripe.com",
        "--header", "Authorization: Bearer tok"
      ]
    }
  }
}

State backends

Rate limits and counters persist across restarts. SQLite is the default (zero config). Redis is supported for multi-instance deployments:

intercept -c policy.yaml --state-dsn redis://localhost:6379 --upstream https://mcp.stripe.com

Documentation

  • CLI reference: all commands, flags, transport modes, state backends, event logging
  • Policy reference: YAML format, conditions, operators, stateful counters, examples
  • Example policies: ready-made scaffolds for 130+ MCP servers

Contributing

Contributions welcome — open an issue to discuss what you'd like to change.

License

Apache 2.0

PolicyLayer

View profile

View on GitHub
GitHub Stars20
CategoryDevelopment
Updated1d ago
Forks3
PolicyLayer/Intercept

Languages

Go

Security Score

95/100

Audited on Mar 19, 2026

No findings