Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/PolicyLayer/Intercept

The control layer for AI agents. Intercept enforces hard limits on every MCP tool call before execution. Rate limits, spend caps, access controls. Open source.
https://github.com/PolicyLayer/Intercept

agent-framework agentic-ai agentic-workflow ai-agents ai-governance ai-safety claude control-plane golang guardrails llm-tools mcp mcp-proxy mcp-server model-context-protocol openai policy-engine proxy-server rate-limiting

Last synced: 10 days ago
JSON representation

The control layer for AI agents. Intercept enforces hard limits on every MCP tool call before execution. Rate limits, spend caps, access controls. Open source.

Awesome Lists containing this project

README 

          


  Intercept — The control layer for AI agents






  npm version

  License

  GitHub last commit




Intercept is an open-source proxy between AI agents and MCP servers. It enforces YAML-defined policies on every tool call: rate limits, spend caps, access controls, argument validation, human-in-the-loop approval. The call passes, gets held for approval, or gets blocked.





  How Intercept works






  Intercept demo — scan, define policy, enforce




## Try it in 30 seconds



See every tool your AI agent has access to, before adding any rules:



```sh

npx -y @policylayer/intercept scan -- npx -y @modelcontextprotocol/server-github

```



Connects to the server, discovers all tools, and shows the full attack surface. Add a policy to lock it down.



## Why Intercept, not system prompts?



| | System prompt | Intercept |

|---|---|---|

| **Enforcement** | Probabilistic | Deterministic, blocked at transport layer |

| **Bypassable** | Injection, reasoning, context overflow | Agent never sees the rules |

| **Stateful** | No memory of previous calls | Counters, spend tracking, sliding windows |

| **Auditable** | No structured log | Every decision logged (deny/approval includes reason) |

| **Latency** | N/A | Sub-millisecond per evaluation (p95) |



Prompts tell the agent what it should do. Intercept defines what it is allowed to do.



## What it does



- **Block tool calls.** Deny dangerous tools unconditionally (e.g. `delete_repository`)

- **Validate arguments.** Enforce constraints on tool arguments (`amount <= 500`, `currency in [usd, eur]`)

- **Rate limit.** Cap calls per minute, hour, or day with `rate_limit: 5/hour` shorthand

- **Track spend.** Stateful counters with dynamic increments (e.g. sum `args.amount` across calls)

- **Enforce budgets on paid tools.** When an MCP server charges via MPP (-32042), Intercept reads the price, checks your spend policy, and blocks over-budget calls before any money moves

- **Hide tools.** Strip tools from `tools/list` so the agent never sees them, saving context window tokens

- **Require approval.** Hold tool calls for human approval via CLI or admin API (`--enable-admin-api`) before execution

- **Idempotent enforcement.** Prevent duplicate actions from agent retries with `idempotency_window: 5m`

- **Default deny.** Allowlist mode where only explicitly listed tools are permitted

- **Hot reload.** Edit the policy file while running; changes apply immediately without restart

- **Validate policies.** `intercept validate -c policy.yaml` catches errors before deployment



## Real-world examples



**It drained a $230,000 treasury in six minutes**



```yaml

create_refund:

  rules:

    - name: "cap-refunds"

      rate_limit: "10/day"

      on_deny: "Daily refund limit reached"

```



**It deleted a production config**



```yaml

delete_file:

  rules:

    - name: "block-delete"

      action: deny

      on_deny: "File deletion blocked by policy"

```



**It provisioned infrastructure in a retry loop**



```yaml

create_resource:

  rules:

    - name: "limit-resource-creation"

      rate_limit: "10/hour"

      on_deny: "Resource creation rate limit reached"

```



**It issued a $4,200 refund without asking anyone**



```yaml

create_refund:

  rules:

    - name: "large-refund-approval"

      action: require_approval

      conditions:

        - path: "args.amount"

          op: "gt"

          value: 100000

      on_deny: "Refunds over $1,000.00 require human approval"

      approval_timeout: "30m"

```



**It emailed 400,000 customers a test template**



```yaml

messages_send:

  rules:

    - name: "limit-sends"

      rate_limit: "5/hour"

      on_deny: "Email send rate limit reached"

```



**It spent $800 on image generation overnight**



```yaml

generate_image:

  rules:

    - name: "image-budget"

      spend:

        per_call: 5.00

        daily: 50.00

```



[349 ready-made policy templates](https://policylayer.com/policies)



## Install



```sh

npx -y @policylayer/intercept

```



Or install permanently:



```sh

npm install -g @policylayer/intercept    # npm

go install github.com/policylayer/intercept@latest   # Go

```



Pre-built binaries available on [GitHub Releases](https://github.com/policylayer/intercept/releases).



## Quick start



**1. Generate a policy scaffold from a running MCP server:**



```sh

intercept scan -o policy.yaml -- npx -y @modelcontextprotocol/server-stripe

```



Connects to the server, discovers all tools, and writes a commented YAML file listing each tool with its parameters.



**2. Edit the policy to add rules:**



```yaml

version: "1"

description: "Stripe MCP server policies"



hide:

  - delete_customer

  - delete_product

  - delete_invoice



tools:

  create_charge:

    rules:

      - name: "max single charge"

        conditions:

          - path: "args.amount"

            op: "lte"

            value: 50000

        on_deny: "Single charge cannot exceed $500.00"



      - name: "daily spend cap"

        conditions:

          - path: "state.create_charge.daily_spend"

            op: "lte"

            value: 1000000

        on_deny: "Daily spending cap of $10,000.00 reached"

        state:

          counter: "daily_spend"

          window: "day"

          increment_from: "args.amount"



      - name: "allowed currencies"

        conditions:

          - path: "args.currency"

            op: "in"

            value: ["usd", "eur"]

        on_deny: "Only USD and EUR charges are permitted"



  create_refund:

    rules:

      - name: "refund limit"

        rate_limit: 10/day

        on_deny: "Daily refund limit (10) reached"



  generate_report:

    rules:

      - name: "report budget"

        spend:

          per_call: 10.00

          daily: 100.00

```



**3. Run the proxy:**



```sh

intercept -c policy.yaml --upstream https://mcp.stripe.com --header "Authorization: Bearer sk_live_..."

```



Hidden tools are stripped from the agent's view. Everything else is evaluated against your policy.



## Example policies



The `policies/` directory contains scaffolds for 349 MCP servers including GitHub, Stripe, AWS, Notion, and Slack. Each file lists every tool with its description, grouped by risk category.



Copy one as a starting point:



```sh

cp policies/stripe.yaml policy.yaml

# edit to add your rules, then:

intercept -c policy.yaml --upstream https://mcp.stripe.com

```



Browse all policies: [policies/](policies/)



## MCP client integration



To use Intercept with Claude Code (or any MCP client that reads `.mcp.json`), point the server command at Intercept:



```json

{

  "mcpServers": {

    "github": {

      "command": "intercept",

      "args": [

        "-c", "/path/to/policy.yaml",

        "--",

        "npx", "-y", "@modelcontextprotocol/server-github"

      ],

      "env": {

        "GITHUB_PERSONAL_ACCESS_TOKEN": "..."

      }

    }

  }

}

```



For remote HTTP servers, use `--upstream` instead of a command:



```json

{

  "mcpServers": {

    "stripe": {

      "command": "intercept",

      "args": [

        "-c", "/path/to/policy.yaml",

        "--upstream", "https://mcp.stripe.com",

        "--header", "Authorization: Bearer tok"

      ]

    }

  }

}

```



## State backends



Rate limits, spend counters, and approval records persist across restarts. SQLite is the default (zero config). Redis is supported for multi-instance deployments:



```sh

intercept -c policy.yaml --state-dsn redis://localhost:6379 --upstream https://mcp.stripe.com

```



## Enforcement boundary



Intercept governs tool calls that pass through the proxy. It does not govern:



- Direct API calls or HTTP requests the agent makes outside the MCP path

- Model reasoning, prompt content, or response generation

- Actions taken by tools after they receive the forwarded call



If a tool call is routed through Intercept, enforcement is hard: the call is physically blocked before reaching upstream. If traffic bypasses the proxy, Intercept has no visibility.



## Documentation



- [CLI reference](USAGE.md): all commands, flags, transport modes, state backends, event logging

- [Policy reference](POLICY.md): YAML format, conditions, operators, stateful counters, examples

- [Example policies](policies/): ready-made scaffolds for 349 MCP servers



## Contributing



Contributions welcome. Open an issue to discuss what you'd like to change.



```sh

make build    # build binary -> dist/

make test     # go test ./...

make lint     # golangci-lint (skips if not installed)

```



Key packages: `internal/engine/` (rule evaluation), `internal/proxy/` (request handler), `internal/state/` (counters and persistence), `internal/transport/` (stdio, SSE, HTTP), `internal/approvals/` (approval store and fingerprinting).



## License



[Apache 2.0](LICENSE)