npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2025 – Pkg Stats / Ryan Hefner

@getjavelin/overwatch

v2.0.1

Published

Overwatch AI Gateway - Secure wrapper for AI CLI tools with Javelin Guardrails

Downloads

397

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

sharathrajasekarsharathrajasekarnitin-javelinnitin-javelinabhishek-soamabhishek-soamakhiljavelinakhiljavelin

Keywords

aillmmcpsecurityproxyguardrailsoverwatchjavelincli-wrapper

Readme

🛡️ Overwatch - Secure AI CLI Wrapper

Overwatch is a universal security wrapper for AI CLI tools that adds Javelin Guardrails protection to any AI command-line interface.

⚠️ Platform Support:

  • macOS: Full support (Apple Silicon and Intel) with pre-built binaries
  • Linux: Supported - requires building from source (see below)
  • Windows: Coming soon

Features

  • 🔒 Universal AI Tool Wrapping - Secure any AI CLI tool (Claude, llm, aider, etc.)
  • 🛡️ Javelin Guardrails Integration - Enterprise-grade security and compliance
  • 🚀 Zero Configuration - Works out of the box with sensible defaults
  • 🔄 Transparent Proxy - Automatically routes AI requests through security layer
  • 📊 Policy Enforcement - Apply custom security policies to AI interactions
  • 🎯 MCP Support - Full Model Context Protocol support with security

Installation

macOS (Pre-built binaries)

npm install -g @getjavelin/overwatch

Linux (Build from source)

On Linux, you need to build the proxy binary from source first:

# Install Rust if not already installed
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

# Clone and build
git clone https://github.com/getjavelin/javelin-ramparts.git
cd javelin-ramparts
cargo build --release -p ramparts-proxy

# Install the binary
sudo cp target/release/ramparts-proxy /usr/local/bin/

# Now install Overwatch
npm install -g @getjavelin/overwatch

Quick Start

1. Install

npm install -g @getjavelin/overwatch

During installation, you'll be prompted to configure Javelin Guardrails:

🔧 Javelin Guardrails Configuration
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Get your API key:
  👉 https://sandbox.javelin.live

Enter your Javelin API Key: ****
Javelin API URL [https://sandbox.javelin.live]:

✅ Configuration saved successfully!

Configuration is saved to ~/.overwatch/config.json and used automatically.

2. Use Overwatch

Simply prefix any AI CLI tool with overwatch:

# Secure Claude CLI - ALL LLM and MCP calls intercepted
overwatch claude "Hello, how are you?"

# Secure llm CLI
overwatch llm "What is the weather today?"

# Secure Gemini
overwatch gemini "Explain quantum computing"

# Works with ANY AI tool
overwatch <your-ai-tool> [args...]

What happens:

  • ✅ Loads credentials from ~/.overwatch/config.json
  • ✅ Applies default security policy automatically
  • ✅ Proxy auto-starts on available port (8081+)
  • ✅ Environment variables set to route ALL API calls through proxy
  • ✅ Your AI tool runs normally
  • Every LLM call (OpenAI, Anthropic, Google, etc.) → secured
  • Every MCP call (tools, resources, prompts) → secured
  • ✅ All requests validated with Javelin Guardrails
  • ✅ Secrets automatically blocked/redacted in responses
  • ✅ Responses flow back to your tool

No exports needed! Configuration is automatic.

Security Policies

Default Policy (Automatic)

Overwatch automatically installs and applies a comprehensive security policy during installation:

  • 📋 Installed to: ~/.overwatch/default-policy.yaml
  • 🔄 Auto-updated: Policy file is refreshed on each npm install
  • Secret Detection in Prompts - Blocks prompts containing API keys, tokens, passwords (local + cloud)
  • Secret Detection in Responses - Redacts API keys, AWS keys, SSH keys, JWTs, etc.
  • Jailbreak Protection - Blocks prompt injection and jailbreak attempts
  • SSRF Protection - Blocks requests to private IP ranges
  • File System Protection - Restricts access to sensitive directories (.ssh, .aws, /etc, etc.)
  • Tool Restrictions - Blocks dangerous tools (shell, exec, delete, etc.)
  • MCP Server Controls - Per-server tool and resource restrictions

No configuration needed! The default policy is installed and applied automatically.

Secret Detection (Defense-in-Depth)

Overwatch provides two layers of secret detection:

  1. Local Policy (Fast) - Blocks secrets in prompts before they reach the LLM

    • Instant blocking using regex patterns
    • Works offline (no API call needed)
    • Configurable via llm.blockSecrets in policy file

  2. Javelin Guardrails (Comprehensive) - Cloud-based AI detection

    • Advanced ML-based PII and secret detection
    • Detects obfuscated or encoded secrets
    • Provides detailed threat analysis

Example blocked prompts:

# ❌ BLOCKED by local policy (instant)
overwatch claude "Use my HF_TOKEN=hf_abc123xyz to download the dataset"

# ❌ BLOCKED by local policy (instant)
overwatch claude "Here's my API_KEY=sk-1234567890 for testing"

# ❌ BLOCKED by Javelin Guardrails (cloud)
overwatch claude "My social security number is 123-45-6789"

To disable local secret blocking (keep Javelin cloud detection only):

# In ~/.overwatch/default-policy.yaml
llm:
  blockSecrets: false  # Disable local secret detection

Custom Policies (Optional)

You can customize the policy by:

  1. Editing the default policy directly:

    # Edit the installed default policy
nano ~/.overwatch/default-policy.yaml

  2. Creating a custom policy and updating config:

    # Create your custom policy
cp ~/.overwatch/default-policy.yaml ~/.overwatch/my-policy.yaml
nano ~/.overwatch/my-policy.yaml

# Update config.json to use it
# Edit "policyFile" field in ~/.overwatch/config.json

  3. Using environment variable (temporary override):

    export OVERWATCH_POLICY_FILE=./my-policy.yaml
overwatch claude "test"

Example custom policy (my-policy.yaml):

version: 1
defaultAction: allow

# Block secrets in responses
responseGuards:
  action: block  # or 'redact'
  secretPatterns:
    - type: api_key
      regex: '(?i)(api[_-]?key|apikey)[\s:=]+["\']?([a-zA-Z0-9_\-]{20,})["\']?'
    - type: aws_key
      regex: 'AKIA[0-9A-Z]{16}'

# Restrict file access
fs:
  allow:
    - "${workspace}/**"  # Only workspace files
  deny:
    - "~/.ssh/**"        # Block SSH keys
    - "~/.aws/**"        # Block AWS credentials

# Block dangerous tools
tools:
  deny:
    - "shell"
    - "bash"
    - "exec"

See the default policy file for a complete example.

Configuration

Config File

Configuration is stored in ~/.overwatch/config.json:

{
  "javelin": {
    "apiKey": "your-api-key",
    "apiUrl": "https://sandbox.javelin.live"
  },
  "policyFile": "~/.overwatch/default-policy.yaml",
  "version": "1.0",
  "createdAt": "2025-01-15T10:30:00.000Z"
}

Files installed in ~/.overwatch/:

  • config.json - Main configuration file
  • default-policy.yaml - Default security policy (auto-installed)

Config Commands

# Configure credentials (interactive)
overwatch config set

# Show current configuration
overwatch config show

# Get specific value
overwatch config get JAVELIN_API_KEY

Environment Variables (Optional Overrides)

| Variable | Description | Default | |----------|-------------|---------| | OVERWATCH_POLICY_FILE | Override policy file | From config.json or ~/.overwatch/default-policy.yaml | | OVERWATCH_PROXY_PORT | Use specific proxy port | Auto (8081+) | | OVERWATCH_AUTO_START_PROXY | Disable auto-start | true | | OVERWATCH_VERBOSE | Enable verbose logging | false |

Note: JAVELIN_API_KEY and JAVELIN_API_URL environment variables are ignored. Use overwatch config set to configure credentials.

Examples

Installation & Setup

# Install Overwatch
npm install -g @getjavelin/overwatch

# On first use, Overwatch will prompt for Javelin API credentials
# Or configure manually:
overwatch config set

Basic Usage

# No exports needed! Just use overwatch
# First time you run it, you'll be prompted for Javelin API key
overwatch claude "What is 2+2?"
overwatch llm "Explain AI"
overwatch gemini "Write a haiku"

With Custom Policy

# Use custom policy file
export OVERWATCH_POLICY_FILE=./my-policy.yaml
overwatch claude "Generate a sample API key"  # Blocked by policy

Check Configuration

# Show current config
overwatch config show

# Get specific value
overwatch config get JAVELIN_API_KEY

Contributing

Contributions are welcome! Please see CONTRIBUTING.md for details.

License

Proprietary - see LICENSE for details.

Support

Related Projects

  • Javelin - Enterprise AI Gateway
  • Ramparts - MCP Security Scanner
  • MCP - Model Context Protocol

Made with ❤️ by Javelin