Add recommended security policies for MCP server #352

Open
L1AD wants to merge 1 commit into stripe:main from PolicyLayer:add-mcp-policies

L1AD commented Apr 4, 2026

Summary

Adds three YAML policy files for use with PolicyLayer Intercept, an open-source MCP proxy that enforces rate limits, spend caps, and access control on tool calls.

The Stripe MCP server exposes 27 tools — including create_refund, finalize_invoice, cancel_subscription, and create_payment_link — which can move money or destroy data. Restricted API Keys control which tools appear, but there's no rate limiting, spend capping, or audit logging on how those tools are used once available.

These policies add that layer without any changes to the server itself.

What's included

policies/
├── recommended.yaml   # Sensible defaults for most teams
├── strict.yaml        # Read-only. Default deny, explicit allowlist
└── permissive.yaml    # Everything allowed, rate limits on financial ops

recommended.yaml — good starting point:

  • Financial tools (create_refund, finalize_invoice): 3/minute burst + daily caps
  • Destructive tools (cancel_subscription): 2/minute burst + 10/day cap
  • Write tools (create_customer, create_product, etc.): 30/hour
  • Read tools: allowed, 60/minute global limit

strict.yaml — for production/compliance:

  • Default deny — only read tools are allowed
  • All writes, financial ops, and destructive ops blocked unless you explicitly opt in

permissive.yaml — for development:

  • Everything allowed, rate limits only on financial and destructive operations

Usage

Wrap the MCP server with Intercept (one line):

npx -y @policylayer/intercept \
  --policy policies/recommended.yaml \
  -- npx -y @stripe/mcp --api-key=$STRIPE_SECRET_KEY

Or in Claude Desktop config:

{
  "mcpServers": {
    "stripe": {
      "command": "npx",
      "args": [
        "-y", "@policylayer/intercept",
        "--policy", "policies/recommended.yaml",
        "--", "npx", "-y", "@stripe/mcp",
        "--api-key", "sk_..."
      ]
    }
  }
}

Why this matters

RAKs control access but not behaviour. An agent with create_refund permission can issue unlimited refunds with no rate limit, no daily cap, and no audit trail. These policies add deterministic, transport-layer enforcement that complements RAK permissions.

About PolicyLayer Intercept

  • Open source (MIT): github.com/policylayer/intercept
  • npm: @policylayer/intercept
  • Sub-millisecond evaluation, fail-closed, deterministic (not prompt-based)
  • Supports all MCP clients: Claude Desktop, Claude Code, Cursor, VS Code, Windsurf, etc.
  • Zero changes to the MCP server — wraps the command transparently
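
The burst and daily-cap limits listed for recommended.yaml, shown as an added example that is not part of this pull request and is not Intercept's code or policy schema. The `POLICY` layout, `createGate`, and per-tool counting are assumptions; the limit values come from the PR description.

```javascript
// Added example; not PolicyLayer Intercept's code or its YAML schema.
const MIN = 60_000, HOUR = 60 * MIN, DAY = 24 * HOUR;

// Limits from the recommended.yaml summary above; the object layout is hypothetical.
// Assumption: each limit is counted per tool.
const POLICY = {
  defaultAction: "deny", // fail closed for any tool the policy does not name
  tools: {
    create_refund: [{ max: 3, windowMs: MIN }], // daily cap value not given on the page
    finalize_invoice: [{ max: 3, windowMs: MIN }],
    cancel_subscription: [{ max: 2, windowMs: MIN }, { max: 10, windowMs: DAY }],
    create_customer: [{ max: 30, windowMs: HOUR }],
    create_product: [{ max: 30, windowMs: HOUR }],
  },
};

function createGate(policy) {
  const history = new Map(); // tool -> timestamps (ms) of allowed calls
  const audit = []; // one record per decision, allowed or denied

  function check(tool, now = Date.now()) {
    let decision = { allow: true, reason: "within limits" };
    // Object.hasOwn keeps names like "constructor" from matching inherited keys.
    if (!Object.hasOwn(policy.tools, tool)) {
      decision = { allow: policy.defaultAction === "allow", reason: "tool not in policy" };
    } else {
      const limits = policy.tools[tool];
      const longest = Math.max(...limits.map((l) => l.windowMs));
      // Drop timestamps older than the longest window so state stays bounded.
      const calls = (history.get(tool) ?? []).filter((t) => now - t < longest);
      for (const { max, windowMs } of limits) {
        const used = calls.filter((t) => now - t < windowMs).length;
        if (used >= max) {
          decision = { allow: false, reason: `${max} per ${windowMs} ms exceeded` };
          break;
        }
      }
      if (decision.allow) calls.push(now); // denied calls do not consume quota
      history.set(tool, calls);
    }
    audit.push({ tool, now, ...decision });
    return decision;
  }
  return { check, audit };
}
```

Every decision lands in `audit`, including denials, so the record shows attempted calls as well as permitted ones.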

Three YAML policy presets for use with PolicyLayer Intercept,
an open-source MCP proxy that enforces rate limits, spend caps,
and access control on tool calls.

cla-assistant bot commented Apr 4, 2026

CLA assistant check
All committers have signed the CLA.
