PolicyLayer Intercept — open-source policy enforcement proxy for MCP

[s-a-m-a-i]

We built Intercept, an open-source transparent proxy that enforces YAML policies on every MCP tool call before it reaches upstream.

The problem it solves: when you connect an agent to an MCP server, the agent gets access to every tool with no limits. There's no way to say "read-only" or "max 5 issues per hour" or "no repo deletions" at the protocol level.

Intercept sits between the agent and the server. You write a policy file:

delete_repository:
  rules:
    - name: "block repo deletion"
      action: "deny"
      on_deny: "Repo deletion not permitted via AI agents"

create_issue:
  rules:
    - name: "hourly issue limit"
      rate_limit: 5/hour
      on_deny: "Hourly limit of 5 new issues reached"

Then run:

intercept -c policy.yaml -- npx -y @modelcontextprotocol/server-github

Your agent connects to Intercept like any MCP server. Intercept proxies everything through the policy engine. Denied calls never reach GitHub.

Enforcement is at the transport layer — below the model. The agent can't see it or reason around it.

Works with this server and any other MCP server. Open source, MIT licensed.

• GitHub: https://github.com/policylayer/intercept
• Site: https://intercept.policylayer.com

Would love feedback from anyone running github-mcp-server in production. What policies would be most useful?

[mindburnlabs]

Solid approach. The transport-layer framing is exactly right: policy enforcement that the model can't see or reason around is categorically stronger than prompt-level guardrails.

One architectural distinction worth noting for anyone choosing between layers:

What transport proxy enforcement gives you (Intercept's model):

• Pre-call policy gate at the MCP protocol boundary
• Rate limiting, deny lists, coarse-grained YAML rules
• The model can't bypass it because it's below the model

What it doesn't give you (yet):

• Schema-pinned validation (the tool name is gated but not its parameter shape against a signed schema)
• Signed, tamper-evident receipts per call (proof that the call was evaluated, what decision was made, what the params were, when)
• Chained audit log across a session (so you can reconstruct exactly what an agent did and prove enforcement occurred)

We've been building the complementary execution kernel layer in HELM OSS. Where Intercept enforces at the transport/protocol boundary, HELM enforces at the dispatch boundary with schema pinning + signed receipts atomically per call. The idea: you'd run Intercept for coarse-grained MCP policy, and HELM for the schema + receipt audit layer below.

This kind of two-layer stack — transport proxy + execution kernel — is probably what production agent security ends up looking like. Good to see the transport layer maturing. What's the plan for audit/receipt support in Intercept?