Configuring Policies
Overwatch uses the Cedar policy language to define security policies that control access to MCP tools, servers, file systems, and HTTP endpoints. Policies are evaluated for every request, providing fine-grained security controls that protect your AI agents from malicious or dangerous operations.
Overview
Cedar Policy Language
Overwatch uses Cedar, an industry-standard policy language designed for authorization decisions. Cedar provides:
- Expressiveness - Complex security rules with conditional logic
- Performance - Optimized evaluation with built-in caching
- Analyzability - Policy validation and reasoning tools
- Standardization - Widely adopted policy language
Cedar policies replace the previous YAML-based policy system, providing more powerful and maintainable security controls.
Default vs Custom Policies
Overwatch automatically installs and applies a comprehensive default policy that includes:
- Command injection prevention
- Prompt injection protection
- Secret detection and blocking
- File system access restrictions
- SSRF protection
- Tool and server controls
You can customize these policies by creating your own Cedar policy file to meet your organization's specific security requirements.
Policy File Locations
Policy files are stored in different locations depending on your Overwatch deployment:
IDE Extension:
- Default:
~/.overwatch/policy.cedar - Custom: Path specified in extension settings (
Overwatch: Policy File)
CLI Tool:
- Default:
~/.overwatch/policy.cedar - Custom: Path specified via
OVERWATCH_POLICY_FILEenvironment variable
Default Policy
The default policy is automatically installed and provides comprehensive security protection out of the box.
Security Controls Included
The default policy includes the following security controls:
Command Execution Prevention
Blocks dangerous system commands and shell access:
shell,bash,shcommand executionsystem.execcallsprocess.spawnoperations- File deletion operations (
fs.delete)
Prompt Injection Protection
Prevents prompt injection and jailbreak attempts:
- Instruction override patterns (e.g., "ignore all previous instructions")
- Mode manipulation attempts (e.g., "developer mode", "god mode")
- System prompt extraction attempts
- Role manipulation patterns
- Code injection patterns
Secret Detection
Blocks and redacts sensitive information:
- API keys and tokens
- AWS access keys and secrets
- GitHub tokens
- SSH private keys
- JWT tokens
- Bearer tokens
File System Protection
Restricts access to sensitive directories:
- System directories (
/etc,/var,/proc,/sys,/root) - Credential files (
.env,.pem,id_*,.ssh/*,.aws/*) - Allows workspace and temporary file access
SSRF Protection
Prevents Server-Side Request Forgery attacks:
- Blocks requests to private IP ranges (RFC1918)
- Blocks loopback addresses
- Blocks link-local addresses
MCP Server Controls
Controls access to MCP servers and their tools:
- Per-server tool restrictions
- Server connection authorization
- Resource access controls
Auto-Installation and Updates
The default policy is:
- Auto-installed during first-time setup
- Auto-updated when policy improvements are available
- Loaded automatically on Overwatch startup
No manual configuration is required to benefit from default protection.
Custom Policy Creation
You can create custom Cedar policies to meet your organization's specific security requirements.
Creating a Custom Policy File
Configure Overwatch to use your custom policy:
IDE Extension:
- Open Settings (Cmd/Ctrl + ,)
- Search for "Overwatch: Policy File"
- Enter the path to your custom policy file
CLI Tool:
export OVERWATCH_POLICY_FILE=~/.overwatch/my-custom-policy.cedar
Policy File Structure
Cedar policies consist of permit and forbid statements that define authorization rules:
// Default: allow all requests
permit (principal, action, resource);
// Specific restrictions
forbid (
principal == User::"mcp_client",
action == Action::"call_tool",
resource == Tool::"shell"
);
Policy Entities
Cedar policies use entities to represent principals, resources, and actions:
| Entity Type | Description | Examples |
|---|---|---|
User | Principals making requests | User::"mcp_client", User::"security_scanner" |
Tool | MCP tools | Tool::"read_file", Tool::"shell", Tool::"write_file" |
Server | MCP servers | Server::"filesystem", Server::"web_search" |
Resource | Generic resources | Resource::"threat_analysis" |
HttpEndpoint | HTTP URLs | HttpEndpoint::"https://api.example.com" |
FilePath | File system paths | FilePath::"/etc/passwd" |
Actions
Actions represent operations that can be performed:
| Action | Description |
|---|---|
call_tool | Execute an MCP tool |
connect_server | Connect to an MCP server |
access_resource | Access an MCP resource |
http_request | Make an HTTP request |
read_file | Read a file |
write_file | Write a file |
process_prompt | Process an LLM prompt |
Context Attributes
Policies can reference context attributes to make authorization decisions:
| Attribute | Type | Description |
|---|---|---|
file_path | String | File system path being accessed |
url | String | HTTP URL being requested |
prompt_text | String | LLM prompt content |
server_name | String | Name of the MCP server |
contains_secrets | Boolean | Whether secrets were detected |
yara_threats | Array | YARA threat detection results |
max_threat_severity | Integer | Highest threat severity level (0-4) |
is_within_workspace | Boolean | Whether file path is within workspace |
Policy Examples
Tool Restrictions
Block specific dangerous tools:
// Block shell command execution
forbid (
principal == User::"mcp_client",
action == Action::"call_tool",
resource == Tool::"shell"
);
// Block file deletion
forbid (
principal == User::"mcp_client",
action == Action::"call_tool",
resource == Tool::"fs.delete"
);
Allow specific tools with conditions:
// Allow read_file only for workspace files
permit (
principal == User::"mcp_client",
action == Action::"call_tool",
resource == Tool::"read_file"
) when {
context has file_path &&
context has is_within_workspace &&
context.is_within_workspace == true
};
Server Controls
Block access to specific MCP servers:
// Block all tools from a specific server
forbid (
principal == User::"mcp_client",
action == Action::"call_tool",
resource
) when {
context has server_name &&
context.server_name == "playwright"
};
Allow specific tools per server:
// Allow only read operations for filesystem server
permit (
principal == User::"mcp_client",
action == Action::"call_tool",
resource
) when {
context has server_name &&
context.server_name == "filesystem" &&
(resource == Tool::"read_file" ||
resource == Tool::"list_directory")
};
File Path Restrictions
Block access to sensitive directories:
// Block access to sensitive system directories
forbid (
principal == User::"mcp_client",
action in [Action::"read_file", Action::"write_file"],
resource
) when {
context has path &&
(context.path like "/etc/*" ||
context.path like "*/.ssh/*" ||
context.path like "*/.aws/*" ||
context.path like "*/.env")
};
Allow workspace-only access:
// Allow workspace and temporary file access
permit (
principal == User::"mcp_client",
action in [Action::"read_file", Action::"write_file"],
resource
) when {
context has path &&
((context has is_within_workspace &&
context.is_within_workspace == true) ||
context.path like "/tmp/*" ||
context.path like "*/tmp/*")
};
HTTP Endpoint Allowlists
Prevent SSRF attacks by blocking private networks:
// Block requests to private/internal networks
forbid (
principal == User::"mcp_client",
action == Action::"http_request",
resource
) when {
context has ip_address &&
(context.ip_address like "10.*" ||
context.ip_address like "172.16.*" ||
context.ip_address like "192.168.*" ||
context.ip_address == "127.0.0.1")
};
Allow specific external endpoints:
// Allow requests to approved external APIs
permit (
principal == User::"mcp_client",
action == Action::"http_request",
resource == HttpEndpoint::"https://api.example.com"
);
Prompt Injection Patterns
Block prompt injection attempts:
// Block instruction override attempts
forbid (
principal == User::"mcp_client",
action == Action::"process_prompt",
resource
) when {
context has prompt_text &&
(context.prompt_text like "*ignore all*" ||
context.prompt_text like "*ignore previous*" ||
context.prompt_text like "*forget instructions*" ||
context.prompt_text like "*jailbreak*")
};
Allow legitimate queries while blocking injections:
// Allow legitimate system-related queries
permit (
principal == User::"mcp_client",
action == Action::"process_prompt",
resource
) when {
context has prompt_text &&
(context.prompt_text like "*how to ignore errors*" ||
context.prompt_text like "*git ignore file*" ||
context.prompt_text like "*system requirements*")
};
Secret Detection Rules
Block prompts containing secrets:
// Block prompts containing secrets
forbid (
principal == User::"mcp_client",
action == Action::"process_prompt",
resource
) when {
context has contains_secrets &&
context.contains_secrets == true
};
Block responses containing specific secret patterns:
// Block AWS access keys in responses
forbid (
principal,
action,
resource
) when {
context has response_content &&
context.response_content like "*AKIA*"
};
// Block SSH private keys in responses
forbid (
principal,
action,
resource
) when {
context has response_content &&
(context.response_content like "*-----BEGIN PRIVATE KEY-----*" ||
context.response_content like "*-----BEGIN RSA PRIVATE KEY-----*")
};
Configuration
Extension Settings
Configure the policy file path in VS Code/Cursor settings:
- Open Settings (Cmd/Ctrl + ,)
- Search for "Overwatch"
- Set
Overwatch: Policy Fileto your custom policy file path
The policy file is automatically reloaded when changed, so you can test policy updates without restarting the IDE.
CLI Environment Variables
Use environment variables to configure the CLI tool:
# Set custom policy file
export OVERWATCH_POLICY_FILE=~/.overwatch/my-custom-policy.cedar
# Or use Cedar-specific variable
export CEDAR_POLICY_FILE=~/.overwatch/my-custom-policy.cedar
Policy Hot Reload
The IDE extension automatically reloads policies when the policy file changes. For CLI usage, restart the proxy to load policy changes:
# Restart proxy to load new policy
overwatch proxy restart
Policy Validation
Cedar CLI Validation
Use the Cedar CLI to validate your policy syntax:
# Install Cedar CLI (if not already installed)
# See: https://docs.cedarpolicy.com/
# Validate policy syntax
cedar validate --policies ~/.overwatch/my-custom-policy.cedar
# Format policy file
cedar format --policies ~/.overwatch/my-custom-policy.cedar
Common Policy Errors
Syntax Errors:
- Missing semicolons after policy statements
- Incorrect entity type references
- Invalid context attribute names
Logic Errors:
- Conflicting
permitandforbidrules - Overly restrictive policies blocking legitimate operations
- Missing context checks causing policy evaluation failures
Validation Tips:
- Always validate policy syntax before deploying
- Test policies with sample requests to verify behavior
- Start with default policy and make incremental changes
- Use Cedar CLI's analysis tools to detect conflicts
Policy Best Practices
- Start with Defaults - Use the default policy as a foundation and customize incrementally
- Test Thoroughly - Validate policies with sample requests before deploying
- Document Custom Rules - Add comments explaining why custom restrictions are needed
- Version Control - Store custom policies in version control for audit and rollback
- Least Privilege - Only allow what's necessary for legitimate operations
- Regular Updates - Keep policies updated as security threats evolve
Related Documentation
- Cedar Policy Language - Official Cedar documentation
- Overwatch Overview - Learn about Overwatch architecture
- Threat Monitoring - View security threats and configure advanced controls