PolicyLayer Intercept — open-source policy enforcement proxy for MCP

[L1AD]

Pre-submission Checklist

• This post follows the MCP community guidelines

What would you like to share?

We built Intercept, a transparent proxy that enforces YAML policies on every MCP tool call before it reaches the upstream server.

The problem: when you connect an agent to an MCP server, it gets access to every tool with no granular controls. There's no protocol-level way to say "read-only," "max 5 calls per hour," or "block deletions."

Intercept sits between the agent and the server. You write a YAML policy file, and every tool call is evaluated before it's forwarded. If the policy says no, the call never reaches upstream.

What it supports:

• Unconditional blocks (deny specific tools entirely)
• Rate limits (sliding window counters)
• Argument validation (regex, allowlists, numeric bounds)
• Spend caps (stateful daily/hourly counters)
• Full audit logging

Example policy:

delete_repository:
  rules:
    - name: "block repo deletion"
      action: "deny"
      on_deny: "Repo deletion not permitted via AI agents"

create_issue:
  rules:
    - name: "hourly issue limit"
      rate_limit: 5/hour
      on_deny: "Hourly limit of 5 new issues reached"

Run it:

intercept -c policy.yaml -- npx -y @modelcontextprotocol/server-github

Enforcement is at the transport layer — below the model, invisible to the agent. No agent or server code changes needed. Works with any MCP server. Apache 2.0 licensed.

The main challenge was designing the policy language to be expressive enough for real use cases without becoming a nightmare to configure. We landed on YAML with a "first match wins" rule evaluation — same mental model as firewall rules.

Would love feedback from the MCP community on what policy primitives matter most as agents get more autonomous.

Relevant Links

GitHub repository: https://github.com/policylayer/intercept
Site: https://intercept.policylayer.com/
Policy reference: https://github.com/policylayer/intercept/blob/main/POLICY.md
Usage guide: https://github.com/policylayer/intercept/blob/main/USAGE.md

[peycheff-com]

Nice work on Intercept — YAML-based policy evaluation at the transport layer is exactly the right place to enforce controls.

We're building something complementary called HELM AI Kernel that fills a different gap: post-decision tamper-evident proof. Where Intercept enforces whether a call goes through, HELM produces a signed receipt for every ALLOW/DENY/ESCALATE decision and bundles them into an offline-verifiable EvidencePack that proves what actually ran after the session ends.

The two tools compose naturally:

• Intercept: YAML policy enforcement, rate limits, argument validation at the transport layer
• HELM Kernel: signed receipts + EvidencePack audit trail that survives the session independently of any logs

Feedback question for you: does Intercept currently produce any artifact that's cryptographically signed per-decision — or does audit logging stay in the mutable log file? If the latter, HELM's receipt layer might be worth combining.

Repo: https://github.com/Mindburn-Labs/helm-ai-kernel

Local proof (~5 min):

brew install mindburnlabs/tap/helm-ai-kernel
helm-ai-kernel serve --policy ./release.high_risk.v3.toml
helm-ai-kernel boundary status --json
helm-ai-kernel receipts tail --agent agent.demo.exec --server http://127.0.0.1:7714
helm-ai-kernel verify evidence-pack.tar