The Lunch Money MCP server exposes tools that can move money, delete data, or destroy resources. Without policy enforcement, an autonomous agent has unrestricted access to every one of them.
Financial operations (create_transactions) can move real money. An agent caught in a loop could drain accounts before anyone notices.
Destructive tools (delete_category, delete_transaction_group, force_delete_category) permanently delete resources. There is no undo. An agent calling these in a retry loop causes irreversible damage.
Write operations (add_to_category_group, create_asset, create_category) modify state. Without rate limits, an agent can make hundreds of changes in seconds -- faster than any human can review or revert.
Execute tools (trigger_plaid_fetch) trigger processes with side effects. Builds, notifications, workflows -- all fired without throttling.
These Lunch Money tools can modify, create, or destroy resources. Without a policy, your agent has unrestricted access to all of them.
| Tool | Description | Category |
| --- | --- | --- |
| add_to_category_group | Add categories to a group | Write |
| create_asset | Create a new asset entry | Write |
| create_category | Create a new spending category | Write |
| create_category_group | Create a category group | Write |
| create_transaction_group | Create a transaction group | Write |
| update_asset | Update asset properties | Write |
| update_category | Update category properties | Write |
| update_manual_crypto | Update balance for manually-managed crypto | Write |
| update_transaction | Update an existing transaction record | Write |
| upsert_budget | Create or update budget amounts | Write |
| create_transactions | Create new financial transactions | Financial |
| delete_category | Delete a spending category | Destructive |
| delete_transaction_group | Delete a transaction group | Destructive |
| force_delete_category | Force delete category with data cleanup | Destructive |
| remove_budget | Remove a budget for a category | Destructive |
| unsplit_transactions | Remove transactions from split groups | Destructive |
| trigger_plaid_fetch | Trigger fetch of latest data from Plaid | Execute |

These rules are based on the tool categories exposed by the Lunch Money MCP server. Adjust the limits to match your use case.
create_transactions:
  rules:
    - action: deny
      on_deny: "Financial operations require approval"

Financial tools should be explicitly enabled per use case, not open by default.

delete_category:
  rules:
    - action: deny
      on_deny: "Destructive operations blocked by policy"

Destructive tools should never be available to autonomous agents without human approval.

add_to_category_group:
  rules:
    - name: "write-rate-limit"
      rate_limit: 30/hour
      on_deny: "Write rate limit reached"

Prevents bulk unintended modifications from agents caught in loops.

get_all_assets:
  rules:
    - action: allow
      rate_limit: 60/minute

Controls API costs and prevents retry loops from exhausting upstream rate limits.
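A simplified model of how the four rules above behave when an agent gets stuck in a retry loop. This is an added example, not Intercept's code and not part of the original page; `PolicyGate`, `simulate_loop`, the sliding-window rate limiting and the handling of `default` are assumptions made for illustration.

```python
# Simplified model of default-deny plus per-tool rules. NOT Intercept's implementation.
# Assumption: rate limits use a sliding window; Intercept's real windowing may differ.
import time
from collections import defaultdict, deque

UNIT_SECONDS = {"minute": 60, "hour": 3600}

# Constructed excerpt mirroring the four rule snippets above, as a parsed dict.
POLICY = {"default": "deny", "tools": {
    "create_transactions": {"rules": [
        {"action": "deny", "on_deny": "Financial operations require approval"}]},
    "delete_category": {"rules": [
        {"action": "deny", "on_deny": "Destructive operations blocked by policy"}]},
    "add_to_category_group": {"rules": [
        {"name": "write-rate-limit", "rate_limit": "30/hour",
         "on_deny": "Write rate limit reached"}]},
    "get_all_assets": {"rules": [{"action": "allow", "rate_limit": "60/minute"}]},
}}

class PolicyGate:
    def __init__(self, policy, clock=time.monotonic):
        self.policy, self.clock = policy, clock
        self.calls = defaultdict(deque)  # tool name -> timestamps of allowed calls

    def check(self, tool):
        """Return (allowed, reason) for a single tool call."""
        entry = self.policy["tools"].get(tool)
        if entry is None:  # tool not listed: fall back to the policy default
            default = self.policy.get("default", "deny")
            return default == "allow", "default " + default
        now = self.clock()
        for rule in entry["rules"]:
            if rule.get("action") == "deny":
                return False, rule.get("on_deny", "denied by policy")
            if "rate_limit" in rule:
                limit, unit = rule["rate_limit"].split("/")
                window = self.calls[tool]
                while window and now - window[0] >= UNIT_SECONDS[unit]:
                    window.popleft()  # forget calls that have left the window
                if len(window) >= int(limit):
                    return False, rule.get("on_deny", "rate limit reached")
        self.calls[tool].append(now)
        return True, "allowed"

def simulate_loop(gate, tool, attempts):
    """Count how many of `attempts` back-to-back calls get through the gate."""
    return sum(1 for _ in range(attempts) if gate.check(tool)[0])
```

With this model, a loop of 500 calls to `add_to_category_group` is cut off after 30, and a tool missing from the excerpt (such as `force_delete_category`) is refused by the default rule.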
This is the complete policy file for Lunch Money. It lists every tool with suggested default rules. Download it, adjust the limits, and run with Intercept.
version: "1"
default: "deny"
tools:
  delete_category:
    rules:
      - action: deny
        on_deny: "Destructive operation blocked by policy"
  delete_transaction_group:
    rules:
      - action: deny
        on_deny: "Destructive operation blocked by policy"
  force_delete_category:
    rules:
      - action: deny
        on_deny: "Destructive operation blocked by policy"
  remove_budget:
    rules:
      - action: deny
        on_deny: "Destructive operation blocked by policy"
  unsplit_transactions:
    rules:
      - action: deny
        on_deny: "Destructive operation blocked by policy"
  trigger_plaid_fetch:
    rules:
      - action: allow
        rate_limit: 10/hour
        validate:
          required_args: true
  create_transactions:
    rules:
      - action: deny
        on_deny: "Financial operation requires approval"
  get_all_assets:
    rules:
      - action: allow
        rate_limit: 60/minute
  get_all_categories:
    rules:
      - action: allow
        rate_limit: 60/minute
  get_all_crypto:
    rules:
      - action: allow
        rate_limit: 60/minute
  get_all_plaid_accounts:
    rules:
      - action: allow
        rate_limit: 60/minute
  get_all_tags:
    rules:
      - action: allow
        rate_limit: 60/minute
  get_budget_summary:
    rules:
      - action: allow
        rate_limit: 60/minute
  get_recurring_items:
    rules:
      - action: allow
        rate_limit: 60/minute
  get_single_category:
    rules:
      - action: allow
        rate_limit: 60/minute
  get_single_transaction:
    rules:
      - action: allow
        rate_limit: 60/minute
  get_transaction_group:
    rules:
      - action: allow
        rate_limit: 60/minute
  get_transactions:
    rules:
      - action: allow
        rate_limit: 60/minute
  get_user:
    rules:
      - action: allow
        rate_limit: 60/minute
  add_to_category_group:
    rules:
      - action: allow
        rate_limit: 30/hour
  create_asset:
    rules:
      - action: allow
        rate_limit: 30/hour
  create_category:
    rules:
      - action: allow
        rate_limit: 30/hour
  create_category_group:
    rules:
      - action: allow
        rate_limit: 30/hour
  create_transaction_group:
    rules:
      - action: allow
        rate_limit: 30/hour
  update_asset:
    rules:
      - action: allow
        rate_limit: 30/hour
  update_category:
    rules:
      - action: allow
        rate_limit: 30/hour
  update_manual_crypto:
    rules:
      - action: allow
        rate_limit: 30/hour
  update_transaction:
    rules:
      - action: allow
        rate_limit: 30/hour
  upsert_budget:
    rules:
      - action: allow
        rate_limit: 30/hour
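After adjusting the limits, a drift check like the following can confirm that no state-changing tool lost its guard. This is an added example, not part of Intercept or the original page; it works on the policy already parsed into a dict, and `CATEGORIES`, `baseline_policy`, `audit` and the pass criteria are assumptions derived from the tool table and suggested defaults above.

```python
# Added example: drift check for an edited policy. Not part of Intercept.
# CATEGORIES copies the tool/category table above; the pass criteria are assumptions.
CATEGORIES = {
    "Financial": ["create_transactions"],
    "Destructive": ["delete_category", "delete_transaction_group",
                    "force_delete_category", "remove_budget", "unsplit_transactions"],
    "Execute": ["trigger_plaid_fetch"],
    "Write": ["add_to_category_group", "create_asset", "create_category",
              "create_category_group", "create_transaction_group", "update_asset",
              "update_category", "update_manual_crypto", "update_transaction",
              "upsert_budget"],
}
MUST_DENY = ("Financial", "Destructive")

def baseline_policy():
    """Constructed stand-in for the parsed lunch-money.yaml (state-changing tools only)."""
    tools = {}
    for category, names in CATEGORIES.items():
        for name in names:
            if category in MUST_DENY:
                rule = {"action": "deny"}
            else:
                rule = {"action": "allow",
                        "rate_limit": "10/hour" if category == "Execute" else "30/hour"}
            tools[name] = {"rules": [rule]}
    return {"version": "1", "default": "deny", "tools": tools}

def audit(policy):
    """Return findings where an edit weakened the suggested defaults."""
    findings = []
    default_deny = policy.get("default") == "deny"
    if not default_deny:
        findings.append("default is not deny: unlisted tools are not blocked")
    for category, names in CATEGORIES.items():
        for name in names:
            rules = policy.get("tools", {}).get(name, {}).get("rules", [])
            if not rules:
                if not default_deny:
                    findings.append(f"{name} ({category}): no rules and no default deny")
                continue
            denied = any(r.get("action") == "deny" for r in rules)
            limited = any("rate_limit" in r for r in rules)
            if category in MUST_DENY and not denied:
                findings.append(f"{name} ({category}): no longer denied")
            elif not denied and not limited:
                findings.append(f"{name} ({category}): allowed without a rate limit")
    return findings
```

A Financial or Destructive tool that was enabled on purpose still shows up as a finding, so each one gets a human review rather than passing silently.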
Download the policy
curl -o lunch-money.yaml https://raw.githubusercontent.com/policylayer/intercept/main/policies/lunch-money.yaml
Run Intercept in front of the server
intercept -c lunch-money.yaml -- npx -y @akutishevsky/lunchmoney-mcp
Works with any MCP client.
Every tool call is now checked against your policy before it reaches Lunch Money. Denied calls are blocked and logged. Allowed calls pass through with no latency impact.
Open source. One binary. Zero dependencies.
npx -y @policylayer/intercept