
Add recommended security policies for tool-level enforcement #346

Open
L1AD wants to merge 1 commit into cloudflare:main from PolicyLayer:add-mcp-policies

Conversation

@L1AD L1AD commented Apr 4, 2026

Summary

Adds three YAML policy files for use with PolicyLayer Intercept, an open-source MCP proxy that enforces rate limits, daily caps, and access control on individual tool calls.

The Cloudflare MCP servers expose tools that can delete D1 databases, R2 storage buckets, KV namespaces, and Hyperdrive configurations — as well as execute arbitrary commands in sandbox containers and run GraphQL queries against your account. Cloudflare OAuth controls which tools an agent can access, but not how aggressively it uses them once access is granted.

These policies add that layer without any changes to the servers themselves.

What's included

policies/
├── recommended.yaml   # Blocks destructive ops, rate limits writes, reads allowed freely
├── strict.yaml        # Default deny — only read and observability tools allowed
└── permissive.yaml    # Everything allowed, rate limits on destructive and creation ops

recommended.yaml — good starting point:

  • Destructive tools (kv_namespace_delete, r2_bucket_delete, d1_database_delete, hyperdrive_config_delete, container_file_delete): blocked entirely
  • Resource creation (*_create): 3–5/min burst, 10–20/hour cap
  • Container execution (container_exec): 10/min burst, 60/hour cap
  • D1 queries: 10/min burst, 120/hour cap
  • GraphQL queries: 10/min burst, 60/hour cap
  • Global safety net: 60/min across all tools

strict.yaml — read-only mode:

  • Default deny, only read/list/get/observability tools are allowed
  • Covers all 15 MCP servers: Workers Bindings, Observability, Builds, Logpush, AI Gateway, AutoRAG, Audit Logs, DNS Analytics, Browser Rendering, Radar, Container, Documentation, GraphQL, DEX, and CASB
  • Every write, create, delete, and execute tool blocked unless explicitly opted in

permissive.yaml — for development:

  • Everything allowed
  • Destructive tools rate-limited to 5/hour
  • Resource creation capped at 20/hour
  • Container execution and GraphQL queries capped at 120/hour

Usage

Wrap the MCP server with Intercept (one line):

npx -y @policylayer/intercept \
  --policy policies/recommended.yaml \
  -- npx mcp-remote https://bindings.mcp.cloudflare.com/mcp

Or in your MCP client config:

{
  "mcpServers": {
    "cloudflare-bindings": {
      "command": "npx",
      "args": [
        "-y", "@policylayer/intercept",
        "--policy", "policies/recommended.yaml",
        "--", "npx", "mcp-remote",
        "https://bindings.mcp.cloudflare.com/mcp"
      ]
    }
  }
}

Also added a README section under "Tool-level policy enforcement" before the "Paid Features" section.

About PolicyLayer Intercept

  • Open source (MIT): github.com/policylayer/intercept
  • npm: @policylayer/intercept
  • Sub-millisecond evaluation, fail-closed, deterministic (not prompt-based)
  • Supports all MCP clients: Claude Desktop, Claude Code, Cursor, VS Code, Windsurf, etc.
  • Zero changes to the MCP server — wraps the command transparently
  • Structured JSON audit logs for every tool call decision
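The enforcement model the PR describes (blocked destructive tools, per-tool burst and hourly caps, a global per-minute safety net, a default-deny strict mode, fail-closed evaluation and a JSON audit record per decision) is small enough to show in full. The block below is an added illustration written for this page; it is not PolicyLayer Intercept's code and does not use its YAML schema. Tool names are taken from the PR text where it gives them; the policy object layout, the match patterns for D1 queries, GraphQL and read-only tools, and the `kv_namespaces_list` sample tool are constructed assumptions.

```javascript
// Added example, not PolicyLayer Intercept's code or policy schema.
// A minimal tool-call policy engine: block list, per-tool sliding-window
// limits (burst per minute, cap per hour), global per-minute safety net,
// optional default-deny, fail-closed evaluation and JSON audit lines.
const MINUTE = 60;
const HOUR = 3600;

// Assumed policy layout, populated from the rules the PR lists for
// recommended.yaml. Tool names marked "assumed" are not given in the PR.
const RECOMMENDED = {
  name: "recommended",
  defaultDeny: false,
  blocked: [
    "kv_namespace_delete", "r2_bucket_delete", "d1_database_delete",
    "hyperdrive_config_delete", "container_file_delete",
  ],
  rules: [
    { match: /_create$/, perMinute: 3, perHour: 20 },
    { match: /^container_exec$/, perMinute: 10, perHour: 60 },
    { match: /^d1_database_query$/, perMinute: 10, perHour: 120 }, // name assumed
    { match: /^graphql_query$/, perMinute: 10, perHour: 60 },      // name assumed
  ],
  globalPerMinute: 60,
};

// Strict mode: default deny; only tools matching an allow rule pass.
// The read-only pattern is an assumption standing in for the real list.
const STRICT = {
  name: "strict",
  defaultDeny: true,
  blocked: [],
  rules: [{ match: /_(list|get)$/ }],
  globalPerMinute: 60,
};

class PolicyEngine {
  constructor(policy) {
    this.policy = policy;
    this.perTool = new Map(); // tool name -> timestamps (seconds) of allowed calls
    this.global = [];         // timestamps of all allowed calls, any tool
    this.audit = [];          // one JSON line per decision
  }

  // Count calls newer than (now - windowSeconds). Timestamps arrive in
  // non-decreasing order, so entries older than an hour can be dropped
  // from the front before counting.
  static countWindow(timestamps, now, windowSeconds) {
    while (timestamps.length && timestamps[0] <= now - HOUR) timestamps.shift();
    return timestamps.filter((t) => t > now - windowSeconds).length;
  }

  // Public entry point: never throws. Any error inside decide() becomes a
  // deny (fail closed), and every outcome is written to the audit log.
  evaluate(tool, now) {
    let result;
    try {
      result = this.decide(tool, now);
    } catch (err) {
      result = { decision: "deny", reason: "evaluation-error", detail: String(err) };
    }
    const record = { ts: now, policy: this.policy.name, tool: String(tool), ...result };
    this.audit.push(JSON.stringify(record));
    return record;
  }

  decide(tool, now) {
    if (typeof tool !== "string" || tool.length === 0) {
      throw new TypeError("tool name must be a non-empty string");
    }
    const { blocked, rules, defaultDeny, globalPerMinute } = this.policy;
    if (blocked.includes(tool)) return { decision: "deny", reason: "blocked" };

    const rule = rules.find((r) => r.match.test(tool));
    if (!rule && defaultDeny) return { decision: "deny", reason: "default-deny" };

    // Global safety net is checked before the per-tool limits.
    if (PolicyEngine.countWindow(this.global, now, MINUTE) >= globalPerMinute) {
      return { decision: "deny", reason: "global-rate-limit" };
    }
    if (rule) {
      const hist = this.perTool.get(tool) ?? [];
      this.perTool.set(tool, hist);
      if (rule.perMinute !== undefined &&
          PolicyEngine.countWindow(hist, now, MINUTE) >= rule.perMinute) {
        return { decision: "deny", reason: "burst-limit" };
      }
      if (rule.perHour !== undefined &&
          PolicyEngine.countWindow(hist, now, HOUR) >= rule.perHour) {
        return { decision: "deny", reason: "hourly-cap" };
      }
      hist.push(now); // only allowed calls consume quota
    }
    this.global.push(now);
    return { decision: "allow", reason: rule ? "allowed-by-rule" : "unrestricted" };
  }
}

// Constructed scenario: a blocked delete, four creates in four seconds
// (the fourth trips the 3/min burst), and a malformed tool name.
function demo() {
  const engine = new PolicyEngine(RECOMMENDED);
  const reasons = [engine.evaluate("kv_namespace_delete", 0).reason];
  for (let t = 0; t < 4; t++) reasons.push(engine.evaluate("kv_namespace_create", t).reason);
  reasons.push(engine.evaluate(null, 10).reason);
  return reasons;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo().join("\n"));
}

module.exports = { PolicyEngine, RECOMMENDED, STRICT, demo };
```

Two design points carry over to any real deployment of this pattern: quota is consumed only by allowed calls, so a burst of denied requests does not push a tool's hourly cap further out, and the global check runs before the per-tool check, so a flood spread across many unrestricted tools still hits the 60/min ceiling.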
