stripe.create_refund aws.tf_destroy github.delete_repository postgres.drop_table gmail.batchDelete kubectl.delete cloudflare.update_dns_record stripe.cancel_subscription mongo.drop_database drive.emptyTrash aws.delete_resource pagerduty.delete_team stripe.create_refund aws.tf_destroy github.delete_repository postgres.drop_table gmail.batchDelete kubectl.delete cloudflare.update_dns_record stripe.cancel_subscription mongo.drop_database drive.emptyTrash aws.delete_resource pagerduty.delete_team
OPEN SOURCE · MCP CONTROL LAYER

Run agents in production.
Keep complete control.

DENY It drained a $230,000 treasury in six minutes.
DENY It emailed 400,000 customers a test template.
DENY It mass-cancelled 12,000 active subscriptions.

Intercept gives your team hard limits over every MCP tool call. Rate limits, spend caps, access controls, audit logs. One YAML file. No code changes.

npx -y @policylayer/intercept
or
go install github.com/policylayer/intercept@latest
github.com/policylayer/intercept →
// THE GAP

MCP servers expose tools. The limits are your job.

There's no built-in way to make tools read-only, cap spend, or stop a runaway loop. You have to define that yourself.

STRIPE
27
tools exposed
DENY
create_refund
cancel_subscription
delete_customer

You can't cap daily refunds or rate limit by default. Every call goes through.

POSTGRES
32
tools exposed
DENY
execute_query
drop_table
delete_rows

No read-only mode. Every tool can write. You can't restrict queries to specific schemas out of the box.

AWS
55
tools exposed
DENY
create_resource
delete_resource
tf_destroy

No built-in retry limits or resource caps. A loop runs until you notice.

// HOW IT WORKS

Every tool call is checked before it runs.

Intercept sits between your agent and your MCP server. Your policy file decides what runs, what's blocked, and what gets logged.

TOOL CALL DECISION WHY
create_refund $47,200
DENY
Daily refund cap (10/day)
terminate_instances i-09f3a*
DENY
Tool blocked (deny-by-default)
drop_table users
DENY
Table not in allow-list
send_email to: all_customers
DENY
Recipient cap (50/batch)
list_issues repo: my-org/api
ALLOW
Read-only, within limits
// WHY NOT SYSTEM PROMPTS
SYSTEM PROMPTS

Tell the agent what it should do.

You can't enforce a rate limit with a prompt.
You can't make a tool read-only with a prompt.
You can't cap spend with a prompt.
There's no audit trail.
INTERCEPT

Define what it is allowed to do.

Rate limits that actually enforce.
Tools that are genuinely read-only.
Spend caps with hard cutoffs.
Every decision logged automatically.
// CONFIGURATION

One YAML file. That's it.

Commit it to your repo. Deploy it with your agent. The file is the policy.

policy.yaml 
version: "1"
default: deny

hide:
  - delete_repository
  - merge_pull_request

tools:
  create_refund:
    rules:
      - name: "daily cap"
        rate_limit: 10/day

  write_file:
    rules:
      - name: "safe paths"
        conditions:
          - path: "args.path"
            op: "regex"
            value: "^/app/src/"
default: deny
Every tool is blocked until you explicitly allow it. New tools added upstream don't automatically reach the agent.
hide:
Removed from the agent's context entirely -- no schema, no description, no token cost.
rate_limit: 10/day
Shared counter across all agent instances. Hard cutoff, not a suggestion.
op: "regex"
Scope any tool to a subset of what it can do -- specific paths, regions, table names, account IDs.
// SETUP

Zero to enforced in under two minutes.

No architecture changes. One line in your MCP config.

01
Scan

See every tool the server exposes.

intercept scan -o policy.yaml \
  -- npx -y @stripe/mcp-server
02
Set limits

Block what you don't need. Rate limit the rest. Commit the file -- policy.yaml lives in your repo, not in a client setting.

03
Run

Put Intercept in front of the MCP server. Every call is checked. Every decision is logged.

intercept -c policy.yaml \
  -- npx -y @stripe/mcp-server
// PROPERTIES

Built for production, not demos.

Invisible until a limit is hit. Completely transparent about why when one is.

Fail-closed

If Intercept goes down, nothing runs. Your agent doesn't get a free pass.

Hot reload

Push a policy change without restarting. Useful when you're tightening limits mid-incident.

Sub-ms evaluation

Policy checks run in-process. No network calls. No latency hit. Your agent doesn't know it's there.

Audit trail

Every tool call logged: what was called, what the decision was, what rule fired. Reconstruct exactly what happened.

SQLite by default

Rate limits and counters work out of the box. Redis when you need shared state across instances.

Single binary

One Go binary. No runtime. No dependencies. Runs on anything.

// POLICIES

Policies for the tools you already use.

Start with a generated policy for the tools your agent already uses. Trim it down. Ship it.

Stripe
27 tools

Payments, refunds, subscriptions, customers.

VIEW POLICY →
AWS
55 tools

S3, Lambda, DynamoDB, EC2, infrastructure.

VIEW POLICY →
Supabase
32 tools

Postgres, edge functions, storage, auth.

VIEW POLICY →
PagerDuty
62 tools

Incidents, on-call, alerts, escalations.

VIEW POLICY →
130+ servers · Thousands of tools · All open source BROWSE ALL POLICIES →
// FAQ

Questions.

What is Intercept? +

An open-source control layer for AI agents in production. You define what each MCP tool is allowed to do in a YAML file -- rate limits, spend caps, access controls, argument restrictions. Intercept enforces those rules on every tool call. One line change in your MCP config. No changes to your agent.

What can I limit? +

Tool access, spend, call volume, arguments, paths, and destructive actions. Block tools entirely. Rate limit by minute, hour, or day. Cap cumulative spend. Restrict which paths a file tool can write to, which regions AWS can touch, which tables a database tool can modify. Start with deny-by-default and open up from there.

Do I need to change my agent? +

No. One line change in your MCP config. The agent sees the same tools and the same schemas. Nothing looks different until a limit is hit -- then the call is blocked and logged.

How is this different from system prompts? +

Prompts tell the agent what it should do. Intercept defines what it is allowed to do. A prompt is a best-effort instruction. A policy is a hard limit. You can't cap spend with a prompt. You can't make a tool genuinely read-only with a prompt. With Intercept, either the call is within policy or it isn't. No probability involved.

policylayer/intercept

Set the limits.
Ship the agent.

Takes two minutes. Version-controlled. Open source.

npx -y @policylayer/intercept
github.com/policylayer/intercept →
// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.