
Add recommended security policies for tool-level enforcement#2294

Open
L1AD wants to merge 1 commit into github:main from PolicyLayer:add-mcp-policies

Conversation

@L1AD L1AD commented Apr 4, 2026

Summary

Adds three YAML policy files for use with PolicyLayer Intercept, an open-source MCP proxy that enforces rate limits, daily caps, and access control on individual tool calls.

This complements the existing policies and governance doc, which covers access control via PATs, OAuth, and SSO. Those controls determine which tools an agent can access — these policies control how aggressively an agent uses them once access is granted.

The governance doc explicitly lists "granular, action-by-action audit logs" as a current limitation. Intercept provides exactly this: structured JSON logs for every tool call decision.

What's included

policies/
├── recommended.yaml   # Rate limits on writes, blocks delete_file, caps merges/pushes
├── strict.yaml        # Default deny — only read tools allowed
└── permissive.yaml    # Everything allowed, rate limits on destructive ops

recommended.yaml highlights:

  • delete_file: hidden and blocked entirely
  • merge_pull_request: 2/min burst, 10/hour cap
  • push_files: 3/min burst, 20/hour cap
  • actions_run_trigger: 5/hour (prevents runaway CI)
  • create_repository / fork_repository: 5/hour
  • Write tools (issues, PRs, comments): 20-30/hour
  • Global safety net: 120/min across all tools

strict.yaml — read-only mode:

  • Default deny, only read/list/search/get tools allowed
  • Every write, execute, and destructive tool blocked unless explicitly opted in

permissive.yaml — for development:

  • Everything allowed, delete_file still blocked
  • Rate limits only on merges, pushes, workflow triggers, and repo creation

Usage

npx -y @policylayer/intercept \
  --policy policies/recommended.yaml \
  -- docker run -i --rm -e GITHUB_PERSONAL_ACCESS_TOKEN ghcr.io/github/github-mcp-server

Also added a README section under "Tool-level policy enforcement" and a prerequisite link in the Remote Server section.

About PolicyLayer Intercept

  • Open source (MIT): github.com/policylayer/intercept
  • npm: @policylayer/intercept
  • Sub-millisecond evaluation, fail-closed, deterministic (not prompt-based)
  • Zero changes to the MCP server — wraps the command transparently
  • Structured JSON audit logs for every tool call decision

Three YAML policy presets for use with PolicyLayer Intercept,
an open-source MCP proxy that adds rate limits, daily caps,
and access control on individual tool calls.

Complements existing PAT/OAuth/SSO governance with per-tool
enforcement — rate limiting writes, blocking destructive ops
like delete_file, and capping merges and workflow triggers.
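As an added illustration of the enforcement semantics the recommended and strict presets describe (per-tool burst and hourly caps, hard-blocked tools, a global safety net, default deny that fails closed for unlisted tools, and a JSON decision record per call), here is a small Python evaluator. It is not PolicyLayer Intercept's code; the policy dict layout, the prefix rule for read tools, and the tool name `get_file_contents` used in the strict check are assumptions for illustration, not Intercept's YAML schema.

```python
import json
from collections import defaultdict, deque

# Constructed policies mirroring the PR's recommended.yaml and strict.yaml highlights;
# the dict schema is an assumption for illustration, not Intercept's YAML schema.
RECOMMENDED = {
    "default": "allow",
    "blocked": {"delete_file"},
    "limits": {                          # tool -> (per-minute burst, per-hour cap)
        "merge_pull_request": (2, 10),
        "push_files": (3, 20),
        "actions_run_trigger": (None, 5),
    },
    "global_per_minute": 120,            # safety net across all tools
}
STRICT = {"default": "deny", "allow_prefixes": ("get_", "list_", "search_"),
          "blocked": set(), "limits": {}, "global_per_minute": 120}

class PolicyEngine:
    """Sliding-window evaluator; every decision is recorded in self.audit as a JSON line."""
    def __init__(self, policy):
        self.policy = policy
        self.calls = defaultdict(deque)  # tool -> timestamps of allowed calls ("*" = all tools)
        self.audit = []

    @staticmethod
    def _count(q, now, seconds):
        while q and q[0] <= now - 3600:  # keep at most one hour of history per deque
            q.popleft()
        return sum(1 for t in q if t > now - seconds)

    def evaluate(self, tool, now):
        p = self.policy
        per_min, per_hour = p["limits"].get(tool, (None, None))
        decision, reason = "allow", "within-policy"
        if tool in p["blocked"]:
            decision, reason = "deny", "blocked"
        elif p["default"] == "deny" and not tool.startswith(p.get("allow_prefixes", ())):
            decision, reason = "deny", "default-deny"   # fail closed: unlisted tools are denied
        elif self._count(self.calls["*"], now, 60) >= p["global_per_minute"]:
            decision, reason = "deny", "global-rate"
        elif per_min is not None and self._count(self.calls[tool], now, 60) >= per_min:
            decision, reason = "deny", "burst"
        elif per_hour is not None and self._count(self.calls[tool], now, 3600) >= per_hour:
            decision, reason = "deny", "hourly-cap"
        if decision == "allow":              # only allowed calls consume budget
            self.calls[tool].append(now)
            self.calls["*"].append(now)
        self.audit.append(json.dumps({"t": now, "tool": tool, "decision": decision, "reason": reason}))
        return decision, reason
```

Calling `evaluate("merge_pull_request", t)` at t = 0, 1, 2 yields allow, allow, deny ("burst"), and the eleventh merge within an hour is denied with "hourly-cap" even when each minute stays under the burst limit.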
@L1AD L1AD requested a review from a team as a code owner April 4, 2026 17:51