What is Policy Hot Reload?

Policy hot reload is the ability to update policy files without restarting Intercept. Changes take effect on the next tool call, which allows zero-downtime policy updates.

WHY IT MATTERS

In production environments, restarting a proxy to update configuration is unacceptable. Active MCP sessions would be interrupted, in-flight tool calls dropped, and agents left without their tool infrastructure until the proxy comes back up. Hot reload eliminates this operational burden — you edit a YAML file, save it, and the new policy applies to the next tool call.

Hot reload also changes how teams work with policies. Without it, policy updates require a deployment — pull request, CI/CD pipeline, restart. With hot reload, a security engineer can respond to an incident by editing a policy file and having the change take effect in seconds. This operational agility is critical when an agent is misbehaving and you need to restrict its access immediately.

The implementation watches the policy directory for file changes using filesystem notifications, re-parses and validates the modified files, and atomically swaps the in-memory policy set. If the new file is invalid (syntax error, schema violation), Intercept logs the error and continues operating with the previous valid policy. This ensures a typo in a policy file never takes down the enforcement layer.

HOW POLICYLAYER USES THIS

Intercept watches the configured policy directory for filesystem changes using OS-native notification mechanisms (fsnotify on Linux, kqueue on macOS). When a policy file is modified, created, or deleted, Intercept validates the new file, and on success, atomically swaps the internal policy index. The swap is lock-free for readers, so in-flight evaluations are not blocked. If validation fails, the previous policy remains active and an error is logged with the file path and line number of the issue.
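
The validate-then-swap step described above, as an added Go sketch (not Intercept's own code). It assumes JSON as a stand-in for the YAML policy format, a hypothetical schema with a single "allow" map, and one reloader goroutine; the filesystem watcher is left out.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sync/atomic"
)

// PolicySet is an immutable snapshot. The schema (tool name -> allowed) is hypothetical.
type PolicySet struct {
	Version int             `json:"-"` // set by the engine, never by the file
	Allow   map[string]bool `json:"allow"`
}

// Engine holds the live snapshot behind an atomic pointer, so readers never take a lock.
type Engine struct{ current atomic.Pointer[PolicySet] }

// Reload parses and validates raw into a fresh snapshot and publishes it only on
// success. On any error the previous snapshot stays live. Assumes a single reloader.
func (e *Engine) Reload(raw []byte) error {
	next := &PolicySet{Version: 1}
	if cur := e.current.Load(); cur != nil {
		next.Version = cur.Version + 1
	}
	if err := json.Unmarshal(raw, next); err != nil {
		return fmt.Errorf("syntax error, keeping previous policy: %w", err)
	}
	if next.Allow == nil {
		return errors.New("schema violation: missing \"allow\", keeping previous policy")
	}
	e.current.Store(next)
	return nil
}

// Evaluate loads the pointer once, so a call sees the old set or the new one, never
// a mix. Denying when nothing is loaded or listed is an assumption of this sketch.
func (e *Engine) Evaluate(tool string) (allowed bool, version int) {
	ps := e.current.Load()
	if ps == nil {
		return false, 0
	}
	return ps.Allow[tool], ps.Version
}

func main() {
	e := &Engine{}
	fmt.Println(e.Reload([]byte(`{"allow":{"read_file":true}}`))) // constructed input
	fmt.Println(e.Reload([]byte(`{"allow":`)), e.current.Load().Version)
}
```

Because each snapshot is built off to the side and never mutated after `Store`, an evaluation that loaded the old pointer finishes against the old set even if a reload completes mid-call.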

FREQUENTLY ASKED QUESTIONS

What happens if a hot-reloaded policy file has errors?
Intercept validates the file before applying it. If validation fails, the previous valid policy continues to be enforced and an error is logged with details about the issue. Your enforcement layer is never compromised by a malformed policy file.

Is there any delay between saving a file and the policy taking effect?
The delay is typically under 100 milliseconds — the time for the filesystem notification to propagate and Intercept to parse and validate the file. The next tool call after the reload completes uses the updated policy.

Can hot reload cause inconsistent policy evaluation?
No. Intercept performs an atomic swap of the entire policy set. A tool call is evaluated against either the old or the new policy — never a mix. There is no window where partial updates are visible.

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept