What is a Policy Condition?

A policy condition is a constraint within a policy rule that evaluates tool call arguments against defined criteria (e.g. amount < 1000, branch != "main"), determining whether the rule matches a given tool call.

WHY IT MATTERS

Without conditions, policies are limited to binary allow/deny decisions per tool. This is rarely sufficient. Consider a Stripe MCP server: you want agents to create charges (that is the whole point), but not unlimited charges. You want them to refund orders, but only within 30 days. You want them to update customers, but not change billing addresses. Conditions make these nuanced policies expressible.

Conditions operate on the arguments passed to an MCP tool call. Every MCP tool defines its expected arguments (amount, currency, file_path, branch, etc.), and conditions evaluate these values against constraints before the call reaches the server. This is fundamentally different from output filtering — the tool call never executes if the condition fails.

The condition language is deliberately simple: comparison operators (==, !=, <, >, <=, >=), string matching (contains, starts_with, matches), existence checks (exists, not_exists), and boolean combinators (all, any). This covers real-world policy needs without the complexity and security risks of a full expression language. If you can state the constraint in plain English, you can almost certainly express it as a condition.

HOW POLICYLAYER USES THIS

Intercept evaluates conditions against the JSON arguments of each MCP tool call. Conditions are defined inline within policy rules and support dot-notation for accessing nested argument fields (e.g. metadata.environment). Multiple conditions on a single rule are combined with AND logic by default — all must pass for the rule to match. Intercept validates condition syntax at policy load time and reports errors with the offending rule and line number.

FREQUENTLY ASKED QUESTIONS

What operators are available for conditions?
Intercept supports comparison operators (==, !=, <, >, <=, >=), string operations (contains, starts_with, ends_with, matches for regex), existence checks (exists, not_exists), and set operations (in, not_in) for checking values against lists.

Can I combine multiple conditions with OR logic?
By default, multiple conditions on a rule use AND logic. To express OR, use the 'any' combinator that groups conditions and matches if at least one passes. You can nest 'all' and 'any' for complex boolean expressions.

What happens if a condition references an argument that does not exist?
If a condition references a non-existent argument, the condition evaluates to false (the rule does not match). You can use the 'exists' check explicitly to handle optional arguments in your policy logic.
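
The evaluation rules described above (dot-notation lookup, AND by default, nested all/any groups, and a missing argument evaluating to false), as an added Python example. It is not Intercept's code or policy syntax: the dict layout (field, op, value), the function names, and the treatment of a type mismatch as a non-match are assumptions made here.

```python
import re

_MISSING = object()  # sentinel: argument absent from the tool call

OPS = {
    "==": lambda v, x: v == x, "!=": lambda v, x: v != x,
    "<": lambda v, x: v < x, ">": lambda v, x: v > x,
    "<=": lambda v, x: v <= x, ">=": lambda v, x: v >= x,
    "contains": lambda v, x: x in v,
    "starts_with": lambda v, x: v.startswith(x),
    "ends_with": lambda v, x: v.endswith(x),
    "matches": lambda v, x: re.search(x, v) is not None,
    "in": lambda v, x: v in x, "not_in": lambda v, x: v not in x,
}

def lookup(args, path):
    """Resolve a dot-notation path such as 'metadata.environment'."""
    node = args
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node

def evaluate(cond, args):
    """Evaluate one condition, or a nested 'all'/'any' group, against args."""
    if "all" in cond:
        return all(evaluate(c, args) for c in cond["all"])
    if "any" in cond:
        return any(evaluate(c, args) for c in cond["any"])
    value = lookup(args, cond["field"])
    if cond["op"] == "exists":
        return value is not _MISSING
    if cond["op"] == "not_exists":
        return value is _MISSING
    if value is _MISSING:
        return False  # missing argument: condition is false, rule does not match
    try:
        return bool(OPS[cond["op"]](value, cond["value"]))
    except (TypeError, AttributeError):
        return False  # assumption: a type mismatch counts as no match

def rule_matches(conditions, args):
    """Multiple conditions on one rule are combined with AND."""
    return all(evaluate(c, args) for c in conditions)

# Constructed rule: amount < 1000 AND (currency == "usd" OR environment == "test")
RULE = [
    {"field": "amount", "op": "<", "value": 1000},
    {"any": [{"field": "currency", "op": "==", "value": "usd"},
             {"field": "metadata.environment", "op": "==", "value": "test"}]},
]
```

With these semantics `branch != "main"` is false when `branch` is absent, so a rule that relies on it needs an explicit exists or not_exists condition to cover calls that omit the argument.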

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept →