aide_init

Bootstrap the AIDE development environment into a project. Returns structured JSON for agent consumption — not prose. The tool uses a two-call pattern for progressive disclosure: **First call (no `category` param):** Returns a lightweight summary — every step with `name`, `status` (would-create...

Accepts file system path (path); Bulk/mass operation — affects multiple targets

Part of the Server MCP server. Enforce policies on this tool with Intercept, the open-source MCP proxy.

@aidemd-mcp/server | Execute | Risk 4/5

AI agents invoke aide_init to trigger processes or run actions in Server. Execute operations can have side effects beyond the immediate call -- triggering builds, sending notifications, or starting workflows. Rate limits and argument validation are essential to prevent runaway execution.

aide_init can trigger processes with real-world consequences. An uncontrolled agent might start dozens of builds, send mass notifications, or kick off expensive compute jobs. Intercept enforces rate limits and validates arguments to keep execution within safe bounds.

Execute tools trigger processes. Rate-limit and validate arguments to prevent unintended side effects.

io-github-aidemd-mcp-server.yaml
tools:
  aide_init:
    rules:
      - action: allow
        rate_limit:
          max: 10       # at most 10 calls...
          window: 60    # ...per 60-second window (10 calls per minute)
        validate:
          required_args: true

See the full Server policy for all 7 tools.

Tool Name: aide_init
Category: Execute
MCP Server: Server MCP Server
Risk Level: High

What does the aide_init tool do?

Bootstrap the AIDE development environment into a project. Returns structured JSON for agent consumption — not prose. The tool uses a two-call pattern for progressive disclosure:

**First call (no `category` param):** Returns a lightweight summary — every step with `name`, `status` (would-create/would-skip/exists), `category`, and `filePath`, but NO `content` fields. Also returns `brainHints` (vault candidates) and detected `framework`. Use this to understand what needs to be done.

**Second call (with `category` param):** The tool writes all `would-create` files directly to disk itself and returns a manifest — steps with `filePath`, `status` (`created` or `exists`), and `name`, but NO `content`. The agent never sees file content and never uses the Write tool for new files.

**Exception — MCP steps:** For MCP steps, the manifest includes `prescription` data (key name and entry object) so the agent can read the existing config, merge, and write. The tool never touches MCP config directly.

**Exception — brain category:** When calling with `category=brain`, also pass `brainPath` with the user-confirmed vault path. The tool creates the vault scaffold directories directly.

**Exception — IDE VS Code steps:** IDE steps that need external tooling (VS Code CLI) return instructions for the agent to execute, since those aren't simple file writes.

**IMPORTANT — one-at-a-time wizard pattern using AskUserQuestion:** Do NOT present a summary table of all categories. Do NOT offer "all" as an option. Do NOT ask conversational questions — use the `AskUserQuestion` tool with structured options at every pause point. Walk the user through ONE category at a time:

1. Call without `category` first to get the metadata
2. Present ONLY the detected framework — use AskUserQuestion with Yes/{alternatives} options. STOP.
3. Present ONLY the first category with would-create steps — use AskUserQuestion with Yes/Skip options. STOP.
4. If confirmed, call again with `category=X` (and `brainPath` when category is brain). The tool writes files and returns a manifest. Report what was created, then present the NEXT category with AskUserQuestion. STOP.
5. Repeat step 4 for each remaining category in order: methodology, commands, agents, skills, mcp, brain, ide, readme
6. For brain: use AskUserQuestion with brainHints as labeled options (user can pick Other for custom path). STOP.
7. For MCP: use AskUserQuestion with Merge/Skip options. Merge the `prescription` entry into the existing config yourself (read → merge → write). STOP.
8. For IDE: use AskUserQuestion with multiSelect for Zed/VS Code/Neither. STOP.

Each step is ONE AskUserQuestion → wait for selection → then proceed. Never show multiple categories at once. Never ask open-ended conversational questions. Do NOT auto-apply steps without user confirmation.

It is categorised as an Execute tool in the Server MCP Server, which means it can trigger actions or run processes. Use rate limits and argument validation.

How do I enforce a policy on aide_init?

Add a rule in your Intercept YAML policy under the tools section for aide_init. You can allow, deny, rate-limit, or validate arguments. Then run Intercept as a proxy in front of the Server MCP server.

What risk level is aide_init?

aide_init is an Execute tool with high risk. Execute tools should be rate-limited and have argument validation enabled.

Can I rate-limit aide_init?

Yes. Add a rate_limit block to the aide_init rule in your Intercept policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.

How do I block aide_init completely?

Set action: deny in the Intercept policy for aide_init. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.

What MCP server provides aide_init?

aide_init is provided by the Server MCP server (@aidemd-mcp/server). Intercept sits as a proxy in front of this server to enforce policies before tool calls reach the server.

Enforce policies on Server

Open source. One binary. Zero dependencies.

npx -y @policylayer/intercept
github.com/policylayer/intercept →