What is a Policy File?
A policy file is the physical YAML file (e.g. stripe.yaml, github.yaml) that contains policy rules for one or more MCP servers, stored alongside your configuration and version-controlled in git.
WHY IT MATTERS
Separating policy from application code is a foundational principle of secure systems. When policies live in dedicated files rather than being embedded in agent logic, they become independently auditable, reviewable, and deployable. A policy file is a first-class artefact — it goes through code review, has a change history, and can be rolled back like any other configuration.
The convention of naming policy files after the server they govern (stripe.yaml, github.yaml, postgres.yaml) makes the policy surface immediately legible. A new team member can list the policy directory and instantly understand which MCP servers are governed and what constraints exist. This discoverability is crucial for security posture — you cannot enforce what you cannot find.
Policy files also enable environment-specific configurations. A development environment might use permissive policies with log-only actions, while production uses strict deny-by-default rules. Because files are plain YAML, environment-specific overrides can be managed with standard tooling — separate directories, environment variables, or CI/CD templating.
HOW POLICYLAYER USES THIS
Intercept loads policy files from a configurable directory at startup. Each file is parsed, validated against the policy schema, and indexed by server name for fast runtime lookup. When a file changes on disc, Intercept detects it and hot-reloads the updated policy without restarting. Policy files support includes and composition, allowing teams to share common rules across environments while maintaining environment-specific overrides.
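The validate, index-by-server-name and environment-override behaviour described above, as an added example that is not PolicyLayer's own code. The policy schema (`server`, `default`, `rules` with `tool`/`action`), the override semantics and the two policy documents are assumed for illustration; the documents are shown already parsed, with the YAML parse step left to PyYAML's `safe_load`.

```python
ACTIONS = {"allow", "deny", "log"}
KEYS = {"server", "default", "rules"}

# Constructed policy documents, shown already parsed (a real loader would run
# yaml.safe_load on each file first). stripe.yaml: deny-by-default, one allow.
STRIPE_BASE = {"server": "stripe", "default": "deny",
               "rules": [{"tool": "list_customers", "action": "allow"}]}
# dev/stripe.yaml: permissive log-only default layered over the base.
STRIPE_DEV = {"server": "stripe", "default": "log", "rules": []}

def validate(filename, doc):
    """Schema check; fail closed on anything the schema does not name."""
    unknown = set(doc) - KEYS
    if unknown:
        raise ValueError(f"{filename}: unknown keys {sorted(unknown)}")
    if doc.get("server") != filename.rsplit("/", 1)[-1].rsplit(".", 1)[0]:
        raise ValueError(f"{filename}: 'server' must match the file name")
    if doc.get("default", "deny") not in ACTIONS or any(
            "tool" not in r or r.get("action") not in ACTIONS
            for r in doc.get("rules", [])):
        raise ValueError(f"{filename}: malformed default or rule")
    return doc

def compose(base, override):
    """Override's default wins; override rules are matched before base rules."""
    merged = dict(base)
    merged["default"] = override.get("default", base.get("default", "deny"))
    merged["rules"] = override.get("rules", []) + base.get("rules", [])
    return merged

def build_index(files, overrides=None):
    """Index effective policies by server name for runtime lookup."""
    index = {}
    for name, doc in files.items():
        policy = validate(name, doc)
        for oname, odoc in (overrides or {}).items():
            if validate(oname, odoc)["server"] == policy["server"]:
                policy = compose(policy, odoc)
        index[policy["server"]] = policy
    return index

def decide(index, server, tool):
    """First matching rule wins, else the file's default; ungoverned servers are denied."""
    policy = index.get(server, {"rules": [], "default": "deny"})
    return next((r["action"] for r in policy["rules"] if r["tool"] == tool),
                policy["default"])

PROD = build_index({"stripe.yaml": STRIPE_BASE})
DEV = build_index({"stripe.yaml": STRIPE_BASE}, {"dev/stripe.yaml": STRIPE_DEV})
```

Note that a call against a server with no policy file is denied rather than allowed, so a missing or misnamed file fails closed instead of silently widening the policy surface.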