OPEN SOURCE

YOUR AGENT DOESN'T KNOW WHEN TO STOP

It mass-refunded $14,000. It deleted a production config. It opened 200 GitHub issues in a loop.

Not because it was hacked. Because nobody set a limit.

Intercept gives you the limits. Rate limits, spend caps, access controls, and audit logs for every MCP tool call. One YAML file. Zero code changes.

npx -y @policylayer/intercept
or
go install github.com/policylayer/intercept@latest

YOUR AGENT CAN CALL EVERY TOOL YOUR MCP SERVER EXPOSES. THERE ARE NO LIMITS BUILT IN.

Stripe gives your agent 27 tools
create_refund, cancel_subscription, create_payment_link

There is no rate limit. If your agent loops, it loops on your money.

No rate limits. No access controls.

GitHub gives your agent 83 tools
delete_file, push_files, merge_pull_request

There is no read-only mode. Every tool is writable by default.

No rate limits. No access controls.

AWS gives your agent 55 tools
create_resource, delete_resource, tf_destroy

One retry loop can spin up 50 EC2 instances before anyone notices.

No rate limits. No access controls.

ONE YAML FILE. THAT'S IT.

policy.yaml
version: "1"
default: deny
hide:
  - delete_repository
  - merge_pull_request
tools:
  create_refund:
    rules:
      - name: "daily cap"
        rate_limit: 10/day
  write_file:
    rules:
      - name: "safe paths"
        conditions:
          - path: "args.path"
            op: "regex"
            value: "^/app/src/"

default: deny
Nothing runs unless you allow it.
hide:
These tools vanish from the agent's view entirely.
rate_limit: 10/day
Agent can refund 10 times per day. Call 11 is blocked.
regex: ^/app/src/
Writes only allowed inside /app/src. Everything else is denied.
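
A sketch of how the rules in the policy above can be evaluated, added here as an illustration and not Intercept's own code; the Rule, Policy, Check and PagePolicy names are assumptions, and hide and the daily counter reset are left out. It cleans args.path before applying the regex: the page does not say whether paths are normalised, and ^/app/src/ applied to the raw string also matches a path that starts in /app/src and leaves it through ".." segments.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
)

// Rule models one entry under tools.<name>.rules (names are this sketch's own).
type Rule struct {
	Name     string
	PerDay   int            // rate_limit: N/day, 0 means no limit
	PathExpr *regexp.Regexp // regex condition on args.path, nil means none
}

type Policy struct {
	Tools map[string][]Rule
	calls map[string]int // calls allowed so far today, per tool
}

// Check runs before a call is forwarded; a tool with no entry is denied.
func (p *Policy) Check(tool, argPath string) (allowed bool, rule string) {
	rules, ok := p.Tools[tool]
	if !ok {
		return false, "default: deny"
	}
	for _, r := range rules {
		// Assumption: normalise first so ".." segments are judged where they resolve.
		pathOK := r.PathExpr == nil || r.PathExpr.MatchString(path.Clean(argPath))
		if !pathOK || (r.PerDay > 0 && p.calls[tool] >= r.PerDay) {
			return false, r.Name
		}
	}
	p.calls[tool]++
	return true, ""
}

// PagePolicy is the create_refund and write_file part of the policy.yaml above.
func PagePolicy() *Policy {
	return &Policy{calls: map[string]int{}, Tools: map[string][]Rule{
		"create_refund": {{Name: "daily cap", PerDay: 10}},
		"write_file":    {{Name: "safe paths", PathExpr: regexp.MustCompile(`^/app/src/`)}},
	}}
}

func main() {
	fmt.Println(PagePolicy().Check("write_file", "/app/src/main.go"))
	fmt.Println(PagePolicy().Check("write_file", "/app/src/../../etc/config/prod.yaml")) // constructed
}
```

When writing path conditions, test the pattern against paths containing ".." as well as plain ones before relying on it.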

THE CALL IS CHECKED BEFORE THE TOOL RUNS.

Tool Call
create_refund
amount: $2,500
daily total: $850
Result
DENY
Daily refund cap reached.
rule: "daily cap" / rate_limit: 10/day

Tool Call
write_file
path: /etc/config/prod.yaml
Result
DENY
Writes restricted to /app/src.
rule: "safe paths" / op: regex

Tool Call
list_customers
call #31 this minute
Result
DENY
Global rate limit reached.
rule: "global rate limit" / 30/minute

FROM ZERO TO ENFORCED IN UNDER TWO MINUTES.

01 Scan

See every tool the server exposes.

intercept scan -o policy.yaml -- npx -y @modelcontextprotocol/server-filesystem

02 Set limits

Block what you don't need. Rate limit the rest. Commit the file.

policy.yaml lives in your repo, not in a client setting

03 Run

Put Intercept in front of the MCP server. Every call is checked. Every decision is logged.

intercept -c policy.yaml -- npx -y @modelcontextprotocol/server-filesystem

POLICIES FOR THE TOOLS YOU ALREADY USE

Start with a generated policy, trim it to what your agent actually needs, and run.

130+ servers. Thousands of tools. All open source.


NO SURPRISES WHEN THE AGENT GOES LIVE

Single binary. Sub-ms evaluation. No dependencies.

Fail-closed

If the proxy can't evaluate a call, the call is denied. Not the other way round.

Hot reload

Edit policies while running. Valid changes swap in instantly. Invalid ones are rejected.

Sub-ms evaluation

Policy checks run in-process. No network calls. No added latency.

Audit trail

Every decision logged as structured JSONL. Tool, result, rule, hashed arguments.

SQLite by default

Rate limits and counters work out of the box. Redis when you need shared state.

Single binary

One Go binary. No runtime. No dependencies. Runs on anything.

QUESTIONS

An open-source proxy that wraps any MCP server. You define limits in a YAML file. Intercept enforces them on every tool call before it reaches the upstream server. The agent doesn't know it's there.

Anything. Block tools entirely. Rate limit by minute, hour, or day. Cap spend with cumulative tracking. Restrict arguments (paths, regions, values). Hide tools so the agent never sees them. Start with deny-by-default and open access from there.

No. One line change in your MCP config. The agent sees the same tools, same schemas. Intercept is invisible until a limit is hit.

System prompts are suggestions. The model can ignore them, get injected past them, or reason around them. Intercept enforces limits at the transport layer. The agent never sees the rules. There is nothing to reason around.

YOU HAVE THE INTELLIGENCE. YOU HAVE THE TOOLS. NOW YOU NEED THE LIMITS.

github.com/policylayer/intercept