# PolicyLayer

> PolicyLayer lets teams run AI agents in production with enforceable limits. Intercept is an open-source proxy that sits at the MCP transport layer, enforcing YAML-defined policies on every tool call. It blocks dangerous actions before they execute -- deterministic enforcement, not system prompt alignment.

> For the complete database of 349 MCP servers and 4,835 tools, see: https://policylayer.com/llms-full.txt

## The Problem

AI agents connected to MCP servers have unrestricted access to every tool those servers expose. There are no built-in rate limits, spend caps, access controls, or audit trails in the MCP protocol. A misconfigured or misbehaving agent can delete databases, drain payment accounts, email thousands of customers, or terminate production infrastructure -- and nothing in the protocol stops it.

Most existing safety mechanisms rely on system prompts or model alignment. These are probabilistic: the agent can ignore, misinterpret, or be injected past them. There is no hard stop.

PolicyLayer moves enforcement to infrastructure. Tool calls are intercepted and evaluated against policy at the transport layer, before they reach the upstream server. The agent cannot reason around it, inject past it, or ignore it -- it never sees the enforcement logic.

## How Intercept Works

Intercept is a drop-in proxy between an AI agent and one or more MCP servers. It is a one-line change in your MCP config -- no code changes to your agent or server. The agent sees the same tools, same schemas, same behaviour. The proxy is invisible until a policy is violated.

When the agent makes a tool call (`tools/call`), Intercept evaluates it against a YAML policy file:

- **Allowed calls** are forwarded to the upstream server and the response is returned to the agent.
- **Denied calls** are blocked before reaching the server. The agent receives an error with the policy rule that fired.
- **Rate-limited calls** are tracked with stateful counters across sliding time windows (per-minute, per-hour, per-day). When a limit is hit, subsequent calls are denied until the window resets.

Policy evaluation adds less than 5 ms of latency. The proxy supports stdio, HTTP/SSE, and bridged transports.

### Policy Example

```yaml
version: "1"
default: deny
hide:
  - delete_repository
  - merge_pull_request
tools:
  create_refund:
    rules:
      - name: "daily cap"
        rate_limit: 10/day
  write_file:
    rules:
      - name: "safe paths"
        conditions:
          - path: "args.path"
            op: "regex"
            value: "^/app/src/"
  list_issues:
    rules:
      - action: allow
```

This policy blocks all tools by default, hides destructive tools from the agent entirely, caps refunds at 10 per day, restricts file writes to a safe directory, and allows read-only operations explicitly.

### Key Properties

- **Deterministic**: policies compile to rules, not suggestions. A denied call is blocked at the transport layer before it reaches the server.
- **Stateful**: the engine tracks call counts, spend totals, and argument patterns across sessions using sliding time windows. It evaluates projected state -- checking what the total would be after this call -- which prevents overshoot.
- **Fail-closed**: if Intercept goes down or encounters an error, all calls are blocked. Safety over availability.
- **Hot reload**: policy changes are applied without restarting the proxy. An invalid config keeps the last-known-good policy active.
- **Transparent**: tool names and schemas pass through unchanged. The agent does not know Intercept is running until a limit is hit.
- **Single binary**: one Go binary with no runtime dependencies. Also available via npm (`npx @policylayer/intercept`).

### Installation

```
npx -y @policylayer/intercept
```

or

```
go install github.com/policylayer/intercept@latest
```

### Workflow

1. **Scan**: `intercept scan` analyses an MCP server and classifies every tool by risk (Read, Write, Execute, Destructive, Financial).
2. **Generate**: `intercept scan -o policy.yaml` creates a starting policy based on the scan results.
3. **Enforce**: `intercept -c policy.yaml -- ` runs the proxy with policy enforcement active.

Every decision is logged as structured JSONL: what was called, what the decision was, and which rule fired.

## MCP Security Scanner

The fastest way to see what your agent can do. A free tool that analyses MCP configurations and shows every tool an AI agent can access, categorised by risk level. Available at policylayer.com/scan or via CLI (`npx policylayer scan`).

- Database: 349 MCP servers, 4,835 tools, each classified by category and risk score
- Supports Claude Code, Cursor, VS Code, Windsurf, Zed, Gemini CLI, and Codex configurations
- Generates shareable reports with tool maps, permission matrices, and per-server risk breakdowns
- Privacy: only server identifiers are sent for matching. Secrets and credentials are stripped before analysis. We never connect to actual MCP servers.

## Tool Risk Categories

PolicyLayer classifies every MCP tool into one of five categories based on what it can do:

- **Read**: retrieves data without modification (low risk)
- **Write**: creates or modifies data and resources (medium risk)
- **Execute**: runs code or triggers processes (medium risk)
- **Destructive**: permanently deletes or revokes resources (high risk)
- **Financial**: moves real money -- charges, payments, refunds, transfers (critical risk)

## Enforcement Boundary

PolicyLayer governs tool calls that pass through the Intercept proxy. It does not govern direct API calls, raw HTTP requests, or agent actions outside the MCP path. Out-of-band actions that bypass the proxy are not covered.
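To make the semantics of the policy example above concrete (default deny, hidden tools, a regex condition on an argument, and the projected-state sliding-window rate limit described under Key Properties), here is an added Python sketch of an evaluator. It is not Intercept's code: the policy is embedded as a dict rather than parsed from YAML, and `PolicyEngine`, `WINDOWS`, `visible_tools` and `evaluate` are names chosen for this example.

```python
import re, time
from collections import defaultdict, deque

# Constructed policy mirroring the YAML example above, as a dict so this runs without PyYAML.
POLICY = {
    "default": "deny",
    "hide": ["delete_repository", "merge_pull_request"],
    "tools": {
        "create_refund": {"rules": [{"name": "daily cap", "rate_limit": "10/day"}]},
        "write_file": {"rules": [{"name": "safe paths", "conditions": [
            {"path": "args.path", "op": "regex", "value": "^/app/src/"}]}]},
        "list_issues": {"rules": [{"action": "allow"}]},
    },
}
WINDOWS = {"minute": 60, "hour": 3600, "day": 86400}  # sliding-window sizes in seconds

class PolicyEngine:
    def __init__(self, policy):
        self.policy = policy
        self.calls = defaultdict(deque)  # tool -> timestamps of calls that were allowed

    def visible_tools(self, upstream_tools):
        # tools/list: hidden tools are stripped so the agent never sees them
        hidden = set(self.policy.get("hide", []))
        return [t for t in upstream_tools if t not in hidden]

    def evaluate(self, tool, args, now=None):
        # tools/call: returns (allowed, rule_name); denied calls are not counted
        now = time.time() if now is None else now
        if tool in self.policy.get("hide", []):
            return False, "hidden"
        spec = self.policy["tools"].get(tool)
        if spec is None:  # no rules for this tool: fall back to the default (deny here)
            return self.policy["default"] == "allow", "default"
        for rule in spec["rules"]:
            name = rule.get("name", "allow")
            for cond in rule.get("conditions", []):
                val = args.get(cond["path"].split(".", 1)[1])  # paths are "args.<field>" here
                if cond["op"] == "regex" and not (isinstance(val, str) and re.search(cond["value"], val)):
                    return False, name  # missing or non-matching argument fails closed
            if "rate_limit" in rule:
                cap, unit = rule["rate_limit"].split("/")
                hist = self.calls[tool]
                while hist and hist[0] <= now - WINDOWS[unit]:  # drop calls outside the window
                    hist.popleft()
                if len(hist) + 1 > int(cap):  # projected state: count this call before allowing it
                    return False, name
        self.calls[tool].append(now)
        return True, "allowed"
```

Because only allowed calls are recorded, a burst of denied attempts does not extend the lockout, and the eleventh refund is refused even though the counter only reads ten.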
## Pages

- policylayer.com -- Homepage
- policylayer.com/scan -- Free MCP security scanner
- policylayer.com/policies -- Policy reference for 349 MCP servers with tool breakdowns and YAML policies
- policylayer.com/tools -- Individual pages for 4,835 MCP tools with risk scores and recommended policies
- policylayer.com/secure -- Security guides for each MCP server showing dangerous tools and threat scenarios
- policylayer.com/blog -- Technical blog on MCP security, policy enforcement, and agent control
- github.com/policylayer/intercept -- Source code (Apache 2.0)
- npmjs.com/package/@policylayer/intercept -- Intercept proxy (npm)
- npmjs.com/package/policylayer -- MCP scanner CLI (npm)

## Common Questions

**What is MCP?**

Model Context Protocol is the standard for connecting AI agents to external tools and data sources. Created by Anthropic, adopted by OpenAI, Google, Microsoft, and Amazon. MCP servers expose tools that agents can call to read data, modify records, execute code, delete resources, or move money. The protocol defines how agents call tools. It does not define what agents are allowed to do.

**What is the difference between PolicyLayer and system prompts?**

System prompts tell the agent what it should do. Intercept defines what it is allowed to do. A system prompt is a suggestion to an intelligence -- it can be ignored, misinterpreted, or bypassed through prompt injection. An Intercept policy is enforced at the transport layer: the tool call is physically blocked before it reaches the server. There is nothing for the agent to reason around. You cannot cap spend with a prompt. You cannot make a tool genuinely read-only with a prompt. With Intercept, either the call is within policy or it is not.

**What can I enforce?**

Tool access (allow, deny, hide), rate limits (per-minute, per-hour, per-day), argument validation (regex, ranges, allow-lists), path restrictions, spend caps, and deny-by-default mode. Policies are YAML files committed to version control.

**Do I need to change my agent?**

No. It is a one-line change in your MCP configuration: the agent connects to Intercept instead of directly to the server. Same tools, same schemas, same behaviour. No code changes.

**Is PolicyLayer free?**

The scanner and Intercept are free and open source. Intercept is licensed under Apache 2.0.

**Who is PolicyLayer for?**

Developers and teams running AI agents with access to real systems through MCP. Start by securing MCP in development -- scan your setup, generate a policy, enforce limits while you build. Carry the same policy file into production when agents run unattended. Common environments: internal operations, support workflows, DevOps automation, finance-adjacent flows, or any workflow involving destructive writes, sensitive data, or spend risk.