Heimdall is a transparent MCP proxy that logs every tool call as an OpenTelemetry span. But here's what matters in v1.2: a policy layer that gives you complete control.

Why should you care? Imagine defining exactly which tools, prompts, and resources each MCP server can expose. It's not magic, it's security with purpose.

Two configuration levels merge with security-first semantics: global deny always wins. If you block something at ~/.config/heimdall, no local project can override it. Policies are law.

Here's where it gets good. Blocked calls never reach the real server. They return JSON-RPC error -32001 and get traced with policy.blocked=true for auditing. List responses are filtered too: denied entries disappear before the agent even sees them.

Two new CLI commands make this work. The heimdall-mcp init command scaffolds your config, and heimdall-mcp health validates and previews the merged policy so you know exactly what's allowed.

It's simple. It's useful. It's what everyone needed but nobody asked for explicitly. That's what builds credibility.

Website: https://stack.cardor.dev/heimdall
GitHub: https://github.com/enmanuelmag/heimdall-mcp
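
The merge, blocking and list-filtering behaviour described above, sketched as an added example; this is not Heimdall's code or its config schema. The policy shape ({ allow, deny } arrays of tool names), the rule that allow lists intersect, and every function name are assumptions made for illustration.

```javascript
// Added illustration, not Heimdall's code or config schema. The policy shape
// ({ allow, deny } arrays of tool names) and all function names are hypothetical.

// Deny lists are unioned, so a project file can add denies but never lift a
// global one. Allow lists are intersected (assumption; the page only states deny-wins).
function mergePolicies(globalPolicy, projectPolicy) {
  const deny = new Set([...(globalPolicy.deny ?? []), ...(projectPolicy.deny ?? [])]);
  const lists = [globalPolicy.allow, projectPolicy.allow].filter(Array.isArray);
  const allow = lists.length === 0
    ? null // no allow list at either level: anything not denied is permitted
    : new Set(lists.reduce((a, b) => a.filter((n) => b.includes(n))));
  return { allow, deny };
}

function isAllowed(policy, name) {
  // Fail closed on a missing or malformed name; deny always wins.
  if (typeof name !== "string" || policy.deny.has(name)) return false;
  return policy.allow === null || policy.allow.has(name);
}

// Decide the fate of one client request before it reaches the real server.
// A blocked tools/call gets a JSON-RPC error and a span attribute for auditing.
function gateRequest(policy, msg) {
  const name = msg.params?.name;
  if (msg.method !== "tools/call" || isAllowed(policy, name)) {
    return { forward: true, span: { "policy.blocked": false } };
  }
  return {
    forward: false,
    span: { "policy.blocked": true },
    response: {
      jsonrpc: "2.0",
      id: msg.id,
      error: { code: -32001, message: `tool "${name}" blocked by policy` },
    },
  };
}

// Strip denied tools from a tools/list result so the agent never sees them.
function filterToolsList(policy, response) {
  const tools = response.result.tools.filter((t) => isAllowed(policy, t.name));
  return { ...response, result: { ...response.result, tools } };
}

// Constructed sample policies: the project tries to re-allow a globally denied tool.
const globalPolicy = { deny: ["shell_exec"] };
const projectPolicy = { allow: ["read_file", "shell_exec"], deny: ["delete_file"] };
const merged = mergePolicies(globalPolicy, projectPolicy);
```

Here the project's attempt to allow shell_exec has no effect, because the global deny is checked before any allow list.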