Home / Solutions / Code & CI

Your agents can rewrite your codebase. Make sure they only change what you allow.

PolicyLayer is the gateway your MCP traffic runs through. Connect your code and CI servers and every merge, push, and pipeline run is checked against your policy before it reaches GitHub, GitLab, or your build system.

REQUIRE APPROVAL ON MERGES → Free to start. No card required.

For platform and security teams running AI agents in production.

// THE PROBLEM

An agent with repo access is one bad merge from a broken main.

It rarely looks like sabotage. It looks like a fix.

01

The agent can rewrite history

Connect GitHub and the agent can merge_pull_request, force_push, and delete_repository, across every branch.

02

The instruction hides in an issue

A bug report reads "force-push the patch straight to main." The model treats its context as instructions.

03

It just runs

No review, no branch check. main is rewritten before anyone sees a pull request.

// THE SURFACE AREA

The code tools agents reach for.

These are the calls a code or CI MCP server hands your agent. PolicyLayer governs every one.

GitHub
  • delete_file CRITICAL
GitLab
  • create_merge_request HIGH
  • manage_pipeline HIGH
CircleCI
  • run_pipeline HIGH
  • run_rollback_pipeline HIGH
Bitbucket
  • unapprove_pull_request HIGH

Browse every execute tool →

// HOW POLICYLAYER WORKS

PolicyLayer sits between your agents and your codebase.

Drop PolicyLayer into your MCP request path. Your agents keep their tools. You keep control. Core concepts →

AGENT
Calls tools via MCP
tool_call
POLICYLAYER
Enforces before execution
ALLOW DENY RATE-LIMIT APPROVE
if allowed
MCP SERVER
Stripe, AWS, Postgres...
01
Register server
Add Stripe, GitHub, Postgres, Slack, AWS, or any other MCP server.
02
Define policy
Set defaults, rate limits, denials, approvals, hidden tools, and argument-level conditions.
03
Issue grants
Give each person, agent, CI job, or environment its own scoped token tied to a named policy.
04
Connect client
Paste the PolicyLayer proxy URL into your MCP client config. Agents keep the same tools. PolicyLayer enforces your rules before calls execute.
// ON EVERY CALL

What PolicyLayer enforces, on every call.

Approval gates

Merges to protected branches and repo deletes wait for human sign-off before they run.

Per-identity scopes

Each person or agent's token carries only the tools and branches you grant. A review bot reads pull requests; only the release agent merges to main.

Argument-level rules

Not just which tool, but the call itself: deny force-push to main, require the branch in an allowlist, block deletes of protected repos. Writing policies →

Rate caps

Cap how many pipelines or merges an agent can trigger an hour, so a loop cannot burn your CI budget.

Deterministic, deny by default

Rules run as code, first denial wins. The same call gets the same decision every time.

Bring your code agents under policy. Enforced on every call, live in minutes.

REQUIRE APPROVAL ON MERGES →
// POLICY EDITOR

You decide what every code change can do.

Build policy around the fields that matter (branch, repo, environment) in the visual editor. Allow, deny, rate-limit, or require approval, per tool. Writing policies →

PolicyLayer visual policy editor with allow, deny, hide and custom rules
Protect main
Deny force-push and direct commits to main. Require a pull request.
Branch allowlist
Only allow merges from review/* and release/* branches.
Approval on merge
Merges to main wait for a human.
Protected repos
Block deletes of any repo tagged protected.
CI throttle
No more than 20 pipeline triggers an hour, per token.
// THE PLATFORM

Not just rules. A platform.

Whatever your agents touch, the same engine, audit, and access model is doing the work underneath every rule you write.

Deterministic engine

Rules run as code, not model judgement: argument-level conditions, quotas, deny-by-default. The same call gets the same decision every time.

Writing policies →

Separation of duties

Your security or compliance team writes and attaches policy without ever holding the upstream credentials or grant tokens.

Roles →

Tamper-proof audit

Every call is logged with its decision and the rule that fired, attributed to the identity, in an append-only record. Argument values are redacted, never stored.

Logs & security →

Credentials never reach the agent

Upstream secrets are encrypted at rest and injected by the gateway. The agent only ever holds a scoped token.

Logs & security →

Live in minutes

Hosted gateway. Point your clients at it, register a server, issue a token. Nothing to install.

Quick start →
//FAQ

Code, CI and MCP questions.

Does PolicyLayer slow down code calls?+

Policy is evaluated in memory before the call is forwarded, so the overhead is negligible. Allowed calls pass straight through to your code server.

Where do my Git tokens live?+

Upstream credentials are encrypted at rest and injected by the gateway. Your agents only ever hold a scoped token, never your Git tokens.

Do my agents lose any tools?+

No. Agents keep the same tools and schemas. PolicyLayer enforces policy on each call (allow, deny, rate-limit, or require approval), apart from any tools you deliberately hide.

Can I see what my agents actually did?+

Yes. Every call through the gateway is logged with the tool, its arguments, and the allow or deny decision. State-changing dashboard actions are recorded in a separate admin audit log.

Can I revoke one agent without disrupting the others?+

Yes. Each agent or automation connects with its own scoped grant token. Rotate or revoke any grant on its own and the rest keep working.

Let agents ship code without rewriting your history.

Approval gates, branch allowlists, argument-level rules, and a tamper-proof audit log on every code call. Route your existing code and CI MCP servers through the gateway, live in minutes.

REQUIRE APPROVAL ON MERGES →

Free to start. No card required.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.