AbraFlexi MCP Policy

Enforce policies on every tool call to the AbraFlexi MCP Server. 21 tools with suggested default rules ready to customise.

14 can modify or destroy data
7 read-only
21 tools total
Read (7), Write / Execute (8), Destructive / Financial (6)

This policy includes sensible default rules. Download it, adjust the limits to match your use case, and run with Intercept.

terminal

# Download policy with default rules

curl -o abraflexi.yaml https://raw.githubusercontent.com/policylayer/intercept/main/policies/abraflexi.yaml

# Run with Intercept

intercept --policy abraflexi.yaml -- npx -y @abraflexi-mcp-server

This policy includes suggested default rules for common use cases. Adjust rate limits, add argument validation, or remove rules you don't need.

abraflexi.yaml
version: "1"
description: "Policy for abraflexi-mcp-server"
# Set to "deny" to reject tool calls not listed below
default: "allow"

tools:
    # -- Financial Tools ----------------------------------------
    # bank_transaction_create: Create new bank transaction records
    bank_transaction_create:
        rules:
          - action: deny
            on_deny: "Financial operation requires approval"
    # invoice_issued_create: Create and issue new invoices
    invoice_issued_create:
        rules:
          - action: deny
            on_deny: "Financial operation requires approval"

    # -- Destructive Tools ----------------------------------------
    # contact_delete: Delete contact records permanently
    contact_delete:
        rules:
          - action: deny
            on_deny: "Destructive operation blocked by policy"
    # evidence_delete: Delete a record from any evidence type
    evidence_delete:
        rules:
          - action: deny
            on_deny: "Destructive operation blocked by policy"
    # invoice_issued_delete: Delete issued invoices permanently
    invoice_issued_delete:
        rules:
          - action: deny
            on_deny: "Destructive operation blocked by policy"
    # product_delete: Delete products from the price list
    product_delete:
        rules:
          - action: deny
            on_deny: "Destructive operation blocked by policy"

    # -- Write Tools ----------------------------------------
    # contact_create: Create new contact records
    contact_create:
        rules:
          - action: allow
            rate_limit: 30/hour
    # contact_update: Update existing contact records
    contact_update:
        rules:
          - action: allow
            rate_limit: 30/hour
    # evidence_create: Create a record in any evidence type
    evidence_create:
        rules:
          - action: allow
            rate_limit: 30/hour
    # evidence_update: Update a record in any evidence type
    evidence_update:
        rules:
          - action: allow
            rate_limit: 30/hour
    # invoice_issued_update: Update existing issued invoices
    invoice_issued_update:
        rules:
          - action: allow
            rate_limit: 30/hour
    # invoice_received_create: Create new received invoice records
    invoice_received_create:
        rules:
          - action: allow
            rate_limit: 30/hour
    # product_create: Create new products in the price list
    product_create:
        rules:
          - action: allow
            rate_limit: 30/hour
    # product_update: Update existing product details
    product_update:
        rules:
          - action: allow
            rate_limit: 30/hour

    # -- Read Tools ----------------------------------------
    # bank_transaction_get: Retrieve bank transaction records
    bank_transaction_get:
        rules:
          - action: allow
            rate_limit: 60/minute
    # contact_get: Retrieve contacts and company records
    contact_get:
        rules:
          - action: allow
            rate_limit: 60/minute
    # evidence_get: Get records from any evidence type
    evidence_get:
        rules:
          - action: allow
            rate_limit: 60/minute
    # evidence_list: List all available evidence types
    evidence_list:
        rules:
          - action: allow
            rate_limit: 60/minute
    # invoice_issued_get: Retrieve issued invoices
    invoice_issued_get:
        rules:
          - action: allow
            rate_limit: 60/minute
    # invoice_received_get: Retrieve received invoices
    invoice_received_get:
        rules:
          - action: allow
            rate_limit: 60/minute
    # product_get: Retrieve products from the price list
    product_get:
        rules:
          - action: allow
            rate_limit: 60/minute
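
A check to run after customising the policy, added here as an example (it is not part of Intercept or of the published policy file): it reads the layout shown above with a minimal line parser, not a general YAML parser, and reports where an edited file no longer denies the six financial and destructive tools, leaves default at anything other than "deny", or allows a tool without a rate_limit. The names parse_policy, audit, MUST_DENY and SAMPLE are assumptions of this example.

```python
import re
# Financial and destructive tools that the policy on this page denies.
MUST_DENY = {"bank_transaction_create", "invoice_issued_create", "contact_delete",
             "evidence_delete", "invoice_issued_delete", "product_delete"}

def parse_policy(text):
    """Read the layout used by abraflexi.yaml on this page (not general YAML)."""
    default, tools, current, in_tools = None, {}, None, False
    for raw in text.splitlines():
        m = re.match(r"(\s*)(?:-\s+)?([\w-]+):\s*(.*)$", raw.split("#", 1)[0].rstrip())
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip('"')
        if indent == 0:
            in_tools = key == "tools"
            default = value if key == "default" else default
        elif in_tools and not value and key != "rules":
            current = tools.setdefault(key, {})   # a new tool block starts
        elif current is not None and key in ("action", "rate_limit"):
            current.setdefault(key, []).append(value)
    return default, tools

def audit(text):
    """Return findings for a customised policy; an empty list means it passed."""
    default, tools = parse_policy(text)
    findings = [] if default == "deny" else [f'default is "{default}", not "deny"']
    for name in sorted(MUST_DENY):
        actions = tools.get(name, {}).get("action", [])
        if actions != ["deny"]:
            findings.append(f"{name}: expected one deny rule, found {actions or 'none'}")
    for name, tool in sorted(tools.items()):
        if "allow" in tool.get("action", []) and not tool.get("rate_limit"):
            findings.append(f"{name}: allowed with no rate_limit")
    return findings

# Constructed sample: an edited excerpt, not the policy file as published.
SAMPLE = '''\
default: "allow"
tools:
    contact_delete:
        rules:
          - action: allow
    contact_update:
        rules:
          - action: allow
            rate_limit: 30/hour
'''

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it on your own file with audit(open("abraflexi.yaml").read()); the policy exactly as listed above produces one finding, the default of "allow".
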

Can an AI agent move money through the AbraFlexi MCP server?

Yes. The AbraFlexi server exposes 2 financial tools: bank_transaction_create and invoice_issued_create. Without a policy, an autonomous agent can call these with no spend caps, no rate limits, and no approval flow. Intercept lets you block financial tools by default or set per-tool rate limits.

Can an AI agent delete data through the AbraFlexi MCP server?

Yes. The AbraFlexi server exposes 4 destructive tools including contact_delete, evidence_delete, invoice_issued_delete. These permanently remove resources with no undo. Intercept blocks destructive tools by default so they never reach the upstream server.

How do I prevent bulk modifications through AbraFlexi?

The AbraFlexi server has 8 write tools including contact_create, contact_update, evidence_create. Set rate limits in your policy file -- for example, rate_limit: 10/hour prevents an agent from making more than 10 modifications per hour. Intercept enforces this at the transport layer.

How many tools does the AbraFlexi MCP server expose?

21 tools across 4 categories: Destructive, Financial, Read, Write. 7 are read-only. 14 can modify, create, or delete data.

How do I add Intercept to my AbraFlexi setup?

It is a one-line change. Instead of running the AbraFlexi server directly, prefix it with Intercept: intercept -c abraflexi.yaml -- npx -y @abraflexi-mcp-server. Download a pre-built policy from policylayer.com/policies/abraflexi and adjust the limits to match your use case.

Enforce policies on AbraFlexi

Open source. One binary. Zero dependencies.

npx -y @policylayer/intercept
github.com/policylayer/intercept →