The Agent Control Plane
Unified identity, governance, cost control, and compliance for AI agents.
Website · npm · Quick Start · Architecture
You deploy 50 AI agents. Each one calls tools autonomously. Now you need to answer:
- Who called what? Which agent called
DELETE /usersat 3am? - Who's allowed to? Can the intern's agent really access production databases?
- How much did it cost? That research agent just burned $400 in 20 minutes.
- What happened? Show me an audit trail for compliance.
Overwatch is the control plane that sits between your agents and the tools they call.
┌─────────────────────────────────────────────────┐
│ AI Agents │
│ ┌──────┐ ┌──────┐ ┌──────┐ ┌──────┐ │
│ │GPT-4 │ │Claude│ │Gemini│ │Custom│ ... │
│ └──┬───┘ └──┬───┘ └──┬───┘ └──┬───┘ │
└─────┼────────┼────────┼────────┼────────────────┘
│ │ │ │
└────────┴────────┴────────┘
│
┌─────────▼──────────┐
│ Overwatch Gateway │ ← MCP Proxy
│ │
│ ┌── Identity ────┐ │ Verify JWT / API key
│ ├── Policy ──────┤ │ Allow or deny tool call
│ ├── Cost ────────┤ │ Track spend, enforce budget
│ ├── Audit ───────┤ │ Immutable log of every action
│ └── Observability┘ │ Distributed traces
└─────────┬──────────┘
│
┌─────────────┼─────────────┐
│ │ │
┌───▼───┐ ┌────▼────┐ ┌────▼────┐
│Slack │ │Database │ │GitHub │ ...
│Server │ │Server │ │Server │
└───────┘ └─────────┘ └─────────┘
MCP Tool Servers
Every tools/call flows through a middleware chain:
- Observe — Start a trace span
- Auth — Verify the agent's identity
- Policy — Check if this agent can call this tool with these args
- Cost — Check budget, record usage
- Audit — Log the call and result to a tamper-evident ledger
npm install @overwatch/gatewayimport { createGateway } from '@overwatch/gateway';
const gateway = await createGateway({
upstreamServers: [
{ name: 'my-tools', url: 'http://localhost:8080/mcp' },
],
});
await gateway.start();
// [overwatch-gateway] Listening on :3100Point your agents at http://localhost:3100/mcp instead of directly at tool servers. Done.
import { createGateway } from '@overwatch/gateway';
import { wireServices } from '@overwatch/gateway/wiring';
// Connects to PostgreSQL + Redis for persistent identity, policies, budgets, audit
const deps = wireServices();
const gateway = await createGateway(deps);
await gateway.start();Overwatch is a monorepo with composable packages:
| Package | Description |
|---|---|
@overwatch/gateway |
MCP proxy server — the main entry point |
@overwatch/core |
Config, database, types, errors |
@overwatch/identity |
JWT + API key authentication for agents |
@overwatch/policy |
Rule engine for tool-level access control |
@overwatch/cost |
Usage tracking and budget enforcement |
@overwatch/audit |
Tamper-evident audit log (SHA-256 hash chain) |
@overwatch/observability |
Distributed tracing with spans |
@overwatch/registry |
Agent registration and lifecycle management |
@overwatch/api |
REST API for dashboard and management |
@overwatch/core (foundation)
│
├── @overwatch/identity
├── @overwatch/policy
├── @overwatch/cost
├── @overwatch/audit
├── @overwatch/observability
└── @overwatch/registry
│
┌────────┴────────┐
│ │
@overwatch/gateway @overwatch/api
# Prerequisites: Node.js >= 20, pnpm, Docker
# Clone and install
git clone https://github.com/overwatch-dev/overwatch.git
cd overwatch
pnpm install
# Start PostgreSQL + Redis
pnpm setup
# Build all packages
pnpm build
# Run tests
pnpm test
# Start the gateway in dev mode
pnpm dev:gateway| Variable | Default | Description |
|---|---|---|
GATEWAY_PORT |
3000 |
Gateway listen port |
GATEWAY_HOST |
0.0.0.0 |
Gateway bind host |
API_PORT |
3001 |
REST API listen port |
DATABASE_URL |
— | PostgreSQL connection string |
REDIS_URL |
— | Redis connection string |
JWT_ISSUER |
https://useoverwatch.dev |
JWT issuer claim |
JWT_AUDIENCE |
overwatch-gateway |
JWT audience claim |
- Model Context Protocol (MCP) — The open standard for AI tool use
- Fastify — High-performance HTTP server
- Kysely — Type-safe SQL query builder
- Turborepo — Monorepo build system
- Zod — Runtime type validation
MIT — useoverwatch.dev