JSPM

  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 228
  • Score
    100M100P100Q25303F
  • License SEE LICENSE IN LICENSE

Overwatch AI Gateway - Secure wrapper for AI CLI tools with Javelin Guardrails

Package Exports

  • @getjavelin/overwatch
  • @getjavelin/overwatch/dist/index.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@getjavelin/overwatch) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

🛡️ Overwatch - Secure AI CLI Wrapper

Overwatch is a universal security wrapper for AI CLI tools that adds Javelin Guardrails protection to any AI command-line interface.

Features

  • 🔒 Universal AI Tool Wrapping - Secure any AI CLI tool (Claude, llm, aider, etc.)
  • 🛡️ Javelin Guardrails Integration - Enterprise-grade security and compliance
  • 🚀 Zero Configuration - Works out of the box with sensible defaults
  • 🔄 Transparent Proxy - Automatically routes AI requests through security layer
  • 📊 Policy Enforcement - Apply custom security policies to AI interactions
  • 🎯 MCP Support - Full Model Context Protocol support with security

Installation

npm install -g @getjavelin/overwatch

Quick Start

1. Install

npm install -g @getjavelin/overwatch

During installation, you'll be prompted to configure Javelin Guardrails:

🔧 Javelin Guardrails Configuration
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Get your API key:
  👉 https://sandbox.javelin.live

Enter your Javelin API Key: ****
Javelin API URL [https://sandbox.javelin.live]:

✅ Configuration saved successfully!

Configuration is saved to ~/.overwatch/config.json and used automatically.

2. Use Overwatch

Simply prefix any AI CLI tool with overwatch:

# Secure Claude CLI - ALL LLM and MCP calls intercepted
overwatch claude "Hello, how are you?"

# Secure llm CLI
overwatch llm "What is the weather today?"

# Secure Gemini
overwatch gemini "Explain quantum computing"

# Works with ANY AI tool
overwatch <your-ai-tool> [args...]

What happens:

  • ✅ Loads credentials from ~/.overwatch/config.json
  • ✅ Applies default security policy automatically
  • ✅ Proxy auto-starts on available port (8081+)
  • ✅ Environment variables set to route ALL API calls through proxy
  • ✅ Your AI tool runs normally
  • Every LLM call (OpenAI, Anthropic, Google, etc.) → secured
  • Every MCP call (tools, resources, prompts) → secured
  • ✅ All requests validated with Javelin Guardrails
  • ✅ Secrets automatically blocked/redacted in responses
  • ✅ Responses flow back to your tool

No exports needed! Configuration is automatic.

Security Policies

Default Policy (Automatic)

Overwatch automatically applies a comprehensive security policy that includes:

  • Secret Detection - Blocks/redacts API keys, AWS keys, SSH keys, JWTs, etc.
  • SSRF Protection - Blocks requests to private IP ranges
  • File System Protection - Restricts access to sensitive directories (.ssh, .aws, /etc, etc.)
  • Tool Restrictions - Blocks dangerous tools (shell, exec, delete, etc.)
  • MCP Server Controls - Per-server tool and resource restrictions

No configuration needed! The default policy is applied automatically.

Custom Policies (Optional)

To use a custom policy instead of the default:

export OVERWATCH_POLICY_FILE=./my-policy.yaml
overwatch claude "test"

Example custom policy (my-policy.yaml):

version: 1
defaultAction: allow

# Block secrets in responses
responseGuards:
  action: block  # or 'redact'
  secretPatterns:
    - type: api_key
      regex: '(?i)(api[_-]?key|apikey)[\s:=]+["\']?([a-zA-Z0-9_\-]{20,})["\']?'
    - type: aws_key
      regex: 'AKIA[0-9A-Z]{16}'

# Restrict file access
fs:
  allow:
    - "${workspace}/**"  # Only workspace files
  deny:
    - "~/.ssh/**"        # Block SSH keys
    - "~/.aws/**"        # Block AWS credentials

# Block dangerous tools
tools:
  deny:
    - "shell"
    - "bash"
    - "exec"

See the default policy file for a complete example.

Configuration

Config File

Configuration is stored in ~/.overwatch/config.json:

{
  "javelin": {
    "apiKey": "your-api-key",
    "apiUrl": "https://sandbox.javelin.live"
  },
  "version": "1.0",
  "createdAt": "2025-01-15T10:30:00.000Z"
}

Config Commands

# Configure credentials (interactive)
overwatch config set

# Show current configuration
overwatch config show

# Get specific value
overwatch config get JAVELIN_API_KEY

Environment Variables (Optional Overrides)

Variable Description Default
JAVELIN_API_KEY Override configured API key From config file
JAVELIN_API_URL Override configured API URL From config file
OVERWATCH_POLICY_FILE Use custom policy file Default policy
OVERWATCH_PROXY_PORT Use specific proxy port Auto (8081+)
OVERWATCH_AUTO_START_PROXY Disable auto-start true

Examples

Installation & Setup

# Install Overwatch (prompts for configuration automatically)
npm install -g @getjavelin/overwatch

# Configuration is saved automatically during install!
# If you skipped it, run:
overwatch config set

Basic Usage

# No exports needed! Just use overwatch
overwatch claude "What is 2+2?"
overwatch llm "Explain AI"
overwatch gemini "Write a haiku"

With Custom Policy

# Use custom policy file
export OVERWATCH_POLICY_FILE=./my-policy.yaml
overwatch claude "Generate a sample API key"  # Blocked by policy

Check Configuration

# Show current config
overwatch config show

# Get specific value
overwatch config get JAVELIN_API_KEY

Contributing

Contributions are welcome! Please see CONTRIBUTING.md for details.

License

Proprietary - see LICENSE for details.

Support

  • Javelin - Enterprise AI Gateway
  • Ramparts - MCP Security Scanner
  • MCP - Model Context Protocol

Made with ❤️ by Javelin