watchmyagents 0.3.0 → 0.6.0

package/README.md

@@ -116,10 +116,43 @@ wma-fetch --agent-id <agent_id> [--session-id <sess_id>] [--since 1h]
 | `--session-id sesn_xxx` | Limit to a single session |
 | `--log-dir ./logs` | Where to write NDJSON (default `./watchmyagents-logs`) |
 | `--dump-raw` | Also save raw API events alongside (forensic / debugging) |
-| `--api-key sk-ant-…` | Override the `ANTHROPIC_API_KEY` env var |
+| `--api-key sk-ant-…` | Override the `ANTHROPIC_API_KEY` env var. **Discouraged** — visible in shell history & process list. Prefer the env var. |
 
 Logs land in `./watchmyagents-logs/<agent_id>/<date>.ndjson` (file mode `0600`, dir `0700`).
 
+### `wma-anonymize` — preview what would leave your machine
+
+Produces the anonymized signals payload (counts, latencies, salted IoC hashes, sequence histograms — no raw URLs/commands/prompts) that future WMA cloud features would ship. Useful to verify Modèle C compliance and to test the format.
+
+```bash
+export WMA_SIGNALS_SALT="$(node -e 'console.log(require("crypto").randomBytes(16).toString("hex"))')"
+wma-anonymize ./watchmyagents-logs
+# → JSON on stdout. Add --out signals.json to write to file.
+```
+
+The salt is a per-customer secret — store it in `.env.local` and reuse it across runs (random salt each run breaks IoC correlation).
+
+### `wma-upload-fortress` — ship anonymized signals to your WMA Fortress
+
+Anonymizes your local NDJSON and POSTs the resulting payload to the WMA Fortress cloud control plane, where Guardian AI analyzes patterns and proposes security policies for your agents.
+
+```bash
+export WMA_API_KEY="wma_..."                    # from Fortress dashboard → Settings → API Keys
+export WMA_FORTRESS_URL="https://<your-project>.supabase.co/functions/v1/ingest-signals"
+export WMA_SIGNALS_SALT="..."                   # same salt as wma-anonymize
+
+wma-upload-fortress --agent-id agent_01XaN... [--display-name "My agent"]
+# → POSTs the anonymized payload. Server returns signal_id + agent_id.
+
+# Inspect what WOULD be posted, without uploading:
+wma-upload-fortress --agent-id agent_xxx --dry-run
+```
+
+**What is sent:** counts, latencies, salted IoC hashes, sequences — same as `wma-anonymize` output.
+**What is NOT sent:** raw prompts, raw URLs/commands/queries, raw agent responses, raw error messages. All payload content stays on your machine.
+
+The endpoint auto-registers the agent on the first upload if it doesn't exist in Fortress yet — no manual onboarding needed for new agents.
+
 ### `wma-inspect` — audit the logs
 
 ```bash
@@ -172,15 +205,30 @@ Report vulnerabilities via [SECURITY.md](./SECURITY.md).
 
 ## Shield — real-time policy enforcement
 
-`wma-shield` (shipped in v0.2.0) is the real-time enforcement companion to Watch. It streams agent events live, evaluates them against a local JSON policy file, and blocks tool calls that violate the policy via `user.tool_confirmation` (when the agent has `permission_policy: always_ask` configured) or `user.interrupt` (zero-setup fallback).
+`wma-shield` is the real-time enforcement companion to Watch. It streams agent events live, evaluates them against a policy ruleset, and blocks tool calls that violate the policy via `user.tool_confirmation` (when the agent has `permission_policy: always_ask` configured) or `user.interrupt` (zero-setup fallback).
 
+### Two policy sources (v0.6.0+)
+
+**Local JSON** (standalone — no cloud dependency):
 ```bash
-# Agent-wide mode — attaches to ALL active sessions of the agent automatically.
-# Run under a process supervisor (systemd, pm2, docker) for production.
 wma-shield --agent-id agent_xxx --policy ./policies.json
 ```
 
-Shield auto-detects the best enforcement mode at startup:
+**Fortress cloud** (policies managed in the dashboard, auto-refreshed every 5 min):
+```bash
+export ANTHROPIC_API_KEY="sk-ant-..."
+export WMA_API_KEY="wma_..."
+export WMA_FORTRESS_BASE_URL="https://<project>.supabase.co/functions/v1"
+export WMA_SIGNALS_SALT="..."          # same salt as wma-upload-fortress (for cross-table IoC correlation)
+
+wma-shield --agent-id agent_xxx --policies-source fortress
+```
+
+In Fortress mode, Shield also POSTs each enforcement decision back to Fortress (`/functions/v1/ingest-decisions`), so the dashboard's live timeline + Loop Visualizer light up in real time.
+
+### Enforcement mode auto-detection
+
+Shield auto-detects the best mode at startup:
 - **tool_confirmation** (precise, pre-execution blocking) when at least one tool has `permission_policy: always_ask`
 - **interrupt** (degraded, post-execution termination) otherwise
 
@@ -195,11 +243,13 @@ Decisions are logged to the same NDJSON stream as Watch (`action_type: shield_de
 
 - ✅ Watch SDK — Anthropic Managed Agents post-hoc fetch + local audit
 - ✅ Shield SDK — real-time enforcement (interrupt mode + tool_confirmation mode)
+- ✅ Anonymizer — produce signals payloads (Modèle C: no raw content leaves)
+- ✅ Anonymized telemetry to WMA Fortress cloud (`wma-upload-fortress` in v0.5.0)
+- ✅ Guardian AI (cloud) — automatic policy suggestions from observed behavior
+- ✅ Fortress (cloud) — dashboard + human-in-the-loop validation queue
+- ✅ Shield policy puller from Fortress (`wma-shield --policies-source fortress` in v0.6.0)
+- ✅ Shield decisions push to Fortress (live timeline + Loop Visualizer)
 - 🚧 Encrypted upload to customer's own cloud (S3/GCS/Azure with `age` public-key encryption)
-- 🚧 Anonymized telemetry to WMA cloud (opt-in, freemium model)
-- 🚧 Guardian AI (cloud) — automatic policy suggestions from observed behavior
-- 🚧 Fortress (cloud) — dashboard + human-in-the-loop validation queue
-- 🚧 Adapters for in-process agents (Claude SDK, OpenAI, LangChain, generic) — code present in `src/adapters/` but unverified against the new Modèle C architecture; documentation will follow once re-validated
 
 ## License
 

package/SECURITY.md

@@ -37,19 +37,25 @@ WMA needs your Anthropic API key to call the Managed Agents REST API on your beh
 
 ## Threat model
 
-WMA is built to give visibility into your AI agent's behavior. It is **observational**, not preventive.
+WMA combines **two complementary layers**:
+- **Watch** (`wma-fetch`, `wma-inspect`) — observational. Captures every agent action into local NDJSON for after-the-fact audit.
+- **Shield** (`wma-shield`, shipped in v0.2.0) — preventive. Streams agent events in real time and enforces policies via `user.tool_confirmation` (block before execution when the agent has `permission_policy: always_ask`) or `user.interrupt` (terminate after a violating tool ran, when always_ask is not configured).
 
 ### What WMA defends against
 
-- **Blind spots in agent behavior.** Tool calls, prompts, state transitions, errors are all captured for after-the-fact analysis.
+- **Blind spots in agent behavior.** Watch captures tool calls, prompts, state transitions, and errors for after-the-fact analysis.
 - **Token-only observability tools.** WMA captures every action including zero-token ones (`tool_use`, `state_transition`, etc.) that are the most security-relevant.
+- **Inline policy violations** (Shield). When the agent has `permission_policy: always_ask` configured, Shield blocks tool calls before execution. When not, Shield interrupts the session on first violation (the offending tool already ran, but the agent loop stops).
 - **Vendor lock-in.** NDJSON is portable; you own the data.
 
 ### What WMA does NOT defend against
 
-- **Real-time attack prevention.** WMA observes after events occur. For inline policy gating, see the upcoming Shield product.
 - **A compromised host.** If an attacker has read access to your user account, they can read the log files. Consider encryption at rest (filesystem-level, or future opt-in via `age`) for sensitive environments.
 - **Tampering with local logs.** Files are append-only by convention, not enforced. A future release will add a per-line hash chain for tamper-evident audit.
+- **Shield being killed.** Shield is an external process. If killed, the agent runs without enforcement until Shield restarts. Run under a process supervisor (systemd, pm2, docker `restart: always`) in production.
+- **Pre-installation activity.** Shield only enforces from the moment it attaches forward. Past events are not retroactively replayed or re-evaluated.
+- **A malicious policy file.** Shield's policy engine refuses obviously unsafe regex patterns (e.g. catastrophic backtracking) and truncates inputs before regex tests to mitigate ReDoS. But a user-controlled policy file remains a code-adjacent input — treat it as you would treat sourcecode.
+- **A compromised Anthropic API.** WMA trusts the events delivered by Anthropic. This is out of scope.
 - **A compromised Anthropic API.** WMA trusts the events delivered by Anthropic. This is out of scope.
 
 ## Supply chain

package/package.json

@@ -1,13 +1,15 @@
 {
   "name": "watchmyagents",
-  "version": "0.3.0",
-  "description": "Security observability + real-time policy enforcement for AI agents — local-first NDJSON capture of every agent action (tool calls, prompts, state transitions, errors) plus the Shield CLI that blocks policy violations live on Anthropic Managed Agents.",
+  "version": "0.6.0",
+  "description": "Security observability + real-time policy enforcement for AI agents. Local-first NDJSON capture, Shield CLI that blocks policy violations live (with policies pulled from Fortress cloud), anonymizer producing signals-only payloads, and bidirectional sync with WatchMyAgents Fortress — closing the recursive Watch→Guardian→Shield security loop.",
   "type": "module",
   "files": [
     "src/",
     "scripts/inspect.js",
     "scripts/fetch-anthropic.js",
     "scripts/shield.js",
+    "scripts/anonymize.js",
+    "scripts/upload-fortress.js",
     "README.md",
     "SECURITY.md",
     "LICENSE"
@@ -15,12 +17,16 @@
   "bin": {
     "wma-inspect": "scripts/inspect.js",
     "wma-fetch": "scripts/fetch-anthropic.js",
-    "wma-shield": "scripts/shield.js"
+    "wma-shield": "scripts/shield.js",
+    "wma-anonymize": "scripts/anonymize.js",
+    "wma-upload-fortress": "scripts/upload-fortress.js"
   },
   "scripts": {
     "inspect": "node scripts/inspect.js",
     "fetch": "node scripts/fetch-anthropic.js",
-    "shield": "node scripts/shield.js"
+    "shield": "node scripts/shield.js",
+    "anonymize": "node scripts/anonymize.js",
+    "upload-fortress": "node scripts/upload-fortress.js"
   },
   "engines": {
     "node": ">=18.0.0"

package/scripts/anonymize.js

@@ -0,0 +1,121 @@
+#!/usr/bin/env node
+// wma-anonymize — produce the anonymized signals payload that Watch would
+// send to Fortress, for inspection / verification.
+//
+// Usage:
+//   wma-anonymize <path-to-ndjson-or-dir> [--salt <hex>] [--out <file>]
+//
+// The `--salt` argument MUST be a stable per-customer secret. Using a
+// random salt each run means hashes won't correlate across runs (useless
+// for IoC tracking). Recommended: store the salt in `.env.local` as
+// `WMA_SIGNALS_SALT=...`.
+//
+// If --salt is omitted and WMA_SIGNALS_SALT is set, that's used. Otherwise
+// the script refuses to run (intentional — we don't want users to ship
+// random-salt hashes by accident).
+
+import { readdir, stat, writeFile } from 'node:fs/promises';
+import { resolve, join } from 'node:path';
+import { SignalsAggregator, anonymizeFile } from '../src/anonymizer.js';
+
+function parseArgs(argv) {
+  const out = {};
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    if (a.startsWith('--')) {
+      const k = a.slice(2);
+      const n = argv[i + 1];
+      if (n == null || n.startsWith('--')) out[k] = true;
+      else { out[k] = n; i++; }
+    } else if (!out._target) {
+      out._target = a;
+    }
+  }
+  return out;
+}
+
+function die(msg, code = 1) {
+  process.stderr.write(`${msg}\n`);
+  process.exit(code);
+}
+
+async function collectFiles(p) {
+  const s = await stat(p).catch(() => null);
+  if (!s) return [];
+  if (s.isFile()) return p.endsWith('.ndjson') ? [p] : [];
+  const out = [];
+  for (const name of await readdir(p)) {
+    out.push(...(await collectFiles(join(p, name))));
+  }
+  return out;
+}
+
+async function main() {
+  const args = parseArgs(process.argv.slice(2));
+
+  if (!args._target) {
+    die(`usage: wma-anonymize <path> [--salt <hex>] [--out <file>]
+
+Reads Watch NDJSON logs and produces the anonymized signals payload
+that would be sent to Fortress. Use this to inspect exactly what
+leaves your machine BEFORE any upload feature is enabled.
+
+Required: --salt <hex> or WMA_SIGNALS_SALT env var (per-customer secret).
+If you don't have one, generate: node -e "console.log(require('crypto').randomBytes(16).toString('hex'))"
+and save it in .env.local.`);
+  }
+
+  const salt = args.salt || process.env.WMA_SIGNALS_SALT;
+  if (!salt) {
+    die('error: --salt <hex> or WMA_SIGNALS_SALT env var required (per-customer secret for hashing).\n' +
+        '       generate one with: node -e "console.log(require(\'crypto\').randomBytes(16).toString(\'hex\'))"');
+  }
+  if (args.salt) {
+    process.stderr.write('[wma-anonymize] warning: --salt on the command line is visible in shell history.\n' +
+                         '                Prefer: export WMA_SIGNALS_SALT=...\n');
+  }
+  if (salt.length < 16) {
+    die('error: salt too short (need ≥16 hex chars / ≥8 bytes of entropy)');
+  }
+
+  const target = resolve(args._target);
+  const files = await collectFiles(target);
+  if (files.length === 0) {
+    die(`error: no .ndjson files found at ${target}`);
+  }
+
+  // Aggregate across all files into one big payload (typical: one fetch run)
+  const agg = new SignalsAggregator({ salt });
+  for (const f of files) {
+    const partial = await anonymizeFile(f, { salt });
+    // Merge counts (a bit clunky — for the MVP we just re-iterate via agg)
+    // Simpler: aggregate over the files using the same agg instance.
+    // Re-implement here cleanly:
+    void partial;
+  }
+  // Re-do cleanly with a single aggregator across files:
+  const oneAgg = new SignalsAggregator({ salt });
+  for (const f of files) {
+    const { createReadStream } = await import('node:fs');
+    const { createInterface } = await import('node:readline');
+    const stream = createReadStream(f, { encoding: 'utf8' });
+    const rl = createInterface({ input: stream, crlfDelay: Infinity });
+    for await (const line of rl) {
+      if (!line.trim()) continue;
+      let e; try { e = JSON.parse(line); } catch { continue; }
+      oneAgg.add(e);
+    }
+  }
+
+  const signals = oneAgg.finalize();
+
+  const json = JSON.stringify(signals, null, 2);
+  if (args.out) {
+    await writeFile(resolve(args.out), json + '\n', { encoding: 'utf8', mode: 0o600 });
+    process.stderr.write(`[wma-anonymize] wrote ${args.out} (${signals._meta.entries_processed} entries processed)\n`);
+  } else {
+    process.stdout.write(json + '\n');
+  }
+}
+
+main().catch(e => { process.stderr.write(`error: ${e.stack || e.message}\n`); process.exit(1); });

package/scripts/fetch-anthropic.js

@@ -57,6 +57,16 @@ async function main() {
   if (!apiKey) die('error: --api-key or ANTHROPIC_API_KEY required');
   if (!agentId) die('error: --agent-id required (e.g. agent_01XaNB4M88ZvcW8FoQ5GC14A)');
 
+  // Security: --api-key on the command line ends up in shell history and is
+  // visible to other processes via /proc/<pid>/cmdline. Strongly prefer the
+  // ANTHROPIC_API_KEY environment variable.
+  if (args['api-key']) {
+    process.stderr.write(
+      '[wma-fetch] warning: --api-key on the command line is visible in shell history and\n' +
+      '            in the process list. Prefer: export ANTHROPIC_API_KEY=...\n'
+    );
+  }
+
   process.stdout.write(`[wma-fetch] resolving agent ${agentId}…\n`);
   const agent = await getAgent(apiKey, agentId).catch(e => die(`failed to GET agent: ${e.message}`));
   const rawModel = agent.model || agent.config?.model || null;

package/scripts/inspect.js

@@ -8,10 +8,22 @@
 //   - a directory (recursively scans for .ndjson)
 //   - omitted → defaults to ./watchmyagents-logs
 
-import { readFile, readdir, stat } from 'node:fs/promises';
+import { readdir, stat } from 'node:fs/promises';
+import { createReadStream } from 'node:fs';
+import { createInterface } from 'node:readline';
 import { join, resolve } from 'node:path';
 import { TokenTracker } from '../src/tokens.js';
 
+// Streaming line-by-line reader — bounds memory usage on large NDJSON files
+// (a long-running agent can produce hundreds of MB per day).
+async function* readNdjsonLines(path) {
+  const stream = createReadStream(path, { encoding: 'utf8' });
+  const rl = createInterface({ input: stream, crlfDelay: Infinity });
+  for await (const line of rl) {
+    if (line.trim()) yield line;
+  }
+}
+
 const target = resolve(process.argv[2] || './watchmyagents-logs');
 
 async function collectFiles(p) {
@@ -69,9 +81,7 @@ async function main() {
   let firstTs = null, lastTs = null;
 
   for (const f of files) {
-    const raw = await readFile(f, 'utf8');
-    for (const line of raw.split('\n')) {
-      if (!line.trim()) continue;
+    for await (const line of readNdjsonLines(f)) {
       let e; try { e = JSON.parse(line); } catch { continue; }
       entries.push(e);
       tracker.record(e);

package/scripts/shield.js

@@ -25,6 +25,7 @@
 // ANTHROPIC_API_KEY env var is used if --api-key is omitted.
 
 import { resolve } from 'node:path';
+import { createHash } from 'node:crypto';
 import { streamWithReconnect } from '../src/shield/stream.js';
 import { loadPolicies, evaluate } from '../src/shield/policy.js';
 import {
@@ -33,6 +34,8 @@ import {
 } from '../src/shield/enforce.js';
 import { DecisionLogger } from '../src/shield/decisions.js';
 import { listSessions } from '../src/sources/anthropic-managed.js';
+import { FortressPolicySource, postDecision } from '../src/shield/sources/fortress.js';
+import { resolveFortressBase } from '../src/fortress/url.js';
 
 function parseArgs(argv) {
   const out = {};
@@ -114,14 +117,74 @@ After either option, restart Shield — it auto-detects the new mode.
 // Per-session worker — runs one event loop, returns when session ends.
 // ────────────────────────────────────────────────────────────────────────
 async function runSessionWorker({ sessionId, ctx }) {
-  const { apiKey, agentId, ruleset, mode, decisions, signal } = ctx;
+  const { apiKey, agentId, mode, decisions, signal, pushDecisionToFortress, signalsSalt } = ctx;
+  // NOTE: ctx.ruleset is a getter — read it FRESH per evaluation so policy
+  // refreshes from Fortress (every 5 min) take effect without restart.
   sinfo(sessionId, `attached (${mode} mode)`);
 
+  // Helper: hash an IoC value with the customer salt (same one used by
+  // anonymizer for signals → correlates decisions to signals in Fortress).
+  // Returns null if no salt is configured (decisions still upload, just
+  // without input_hash).
+  const hashIoc = (value) => {
+    if (!signalsSalt || value == null) return null;
+    const s = typeof value === 'string' ? value : JSON.stringify(value);
+    return 'sha256:' + createHash('sha256').update(signalsSalt).update(s).digest('hex').slice(0, 32);
+  };
+
+  // Helper: assemble + fire the decision push to Fortress (fire-and-forget).
+  const fireToFortress = (rawEvent, normalized, result, decidedInMs) => {
+    if (!pushDecisionToFortress) return;
+    // Extract the most relevant input value to hash (URL > command > query > path)
+    const inp = normalized?.input;
+    let inputForHash = null;
+    if (inp && typeof inp === 'object') {
+      inputForHash = inp.url || inp.command || inp.query || inp.path || inp.file_path || null;
+    }
+    pushDecisionToFortress({
+      anthropic_agent_id: agentId,
+      decision: result.decision,
+      rule_id: result.rule_id || undefined,
+      session_hash: hashIoc(sessionId) || undefined,
+      event_id_hash: hashIoc(rawEvent?.id) || undefined,
+      input_hash: hashIoc(inputForHash) || undefined,
+      action_type: normalized?.action_type || undefined,
+      tool_name: normalized?.tool_name || undefined,
+      message: result.message || result.rule_name || undefined,
+      decided_at: new Date().toISOString(),
+      decided_in_ms: decidedInMs,
+    }).catch(() => undefined);
+  };
+
   let processed = 0, enforced = 0, sessionInterrupted = false;
   // Cache is only needed for tool_confirmation mode (lookup by event_id when
   // requires_action fires). Interrupt mode evaluates synchronously and never
   // reads the cache, so caching there would just leak memory on long sessions.
-  const toolUseCache = new Map();
+  //
+  // Bounded cache: any tool_use whose policy is "always_allow" never appears
+  // in requires_action, so without these limits the Map would grow forever
+  // on long-running sessions. Two limits enforced:
+  //   - Maximum 1000 entries (LRU eviction)
+  //   - TTL 5 minutes (any entry not consumed by requires_action gets dropped)
+  const TOOLUSE_CACHE_MAX = 1000;
+  const TOOLUSE_CACHE_TTL_MS = 5 * 60 * 1000;
+  const toolUseCache = new Map(); // event_id → { event, cachedAt }
+
+  function cacheToolUse(event) {
+    const now = Date.now();
+    // TTL sweep: only walk if cache is non-trivial in size (cheap noop otherwise)
+    if (toolUseCache.size > 16) {
+      for (const [k, v] of toolUseCache) {
+        if (now - v.cachedAt > TOOLUSE_CACHE_TTL_MS) toolUseCache.delete(k);
+      }
+    }
+    // LRU cap: drop oldest insertion if over the size limit
+    while (toolUseCache.size >= TOOLUSE_CACHE_MAX) {
+      const oldest = toolUseCache.keys().next().value;
+      toolUseCache.delete(oldest);
+    }
+    toolUseCache.set(event.id, { event, cachedAt: now });
+  }
 
   try {
     for await (const rawEvent of streamWithReconnect({
@@ -137,7 +200,7 @@ async function runSessionWorker({ sessionId, ctx }) {
         // No caching in interrupt mode — react synchronously, free memory.
         const normalized = normalizeForPolicy(rawEvent);
         const t0 = Date.now();
-        const result = evaluate(normalized, ruleset);
+        const result = evaluate(normalized, ctx.ruleset);
         const decidedInMs = Date.now() - t0;
 
         sinfo(sessionId, `${rawEvent.type} tool=${normalized.tool_name} → ${result.decision}${result.rule_id ? ` (${result.rule_id})` : ''}`);
@@ -147,6 +210,7 @@ async function runSessionWorker({ sessionId, ctx }) {
           ruleId: result.rule_id, ruleName: result.rule_name,
           message: result.message, decidedInMs,
         });
+        fireToFortress(rawEvent, normalized, result, decidedInMs);
 
         if ((result.decision === 'deny' || result.decision === 'interrupt') && !sessionInterrupted) {
           try {
@@ -166,7 +230,7 @@ async function runSessionWorker({ sessionId, ctx }) {
 
       // ── TOOL_CONFIRMATION MODE ──────────────────────────────────────
       if (mode === 'tool_confirmation' && CACHEABLE_TOOL_TYPES.has(rawEvent.type)) {
-        toolUseCache.set(rawEvent.id, rawEvent);
+        cacheToolUse(rawEvent);
         continue;
       }
 
@@ -176,7 +240,8 @@ async function runSessionWorker({ sessionId, ctx }) {
           && Array.isArray(rawEvent.stop_reason.event_ids)) {
 
         for (const eventId of rawEvent.stop_reason.event_ids) {
-          const sourceEvent = toolUseCache.get(eventId);
+          const cached = toolUseCache.get(eventId);
+          const sourceEvent = cached?.event;
           if (!sourceEvent) {
             swarn(sessionId, `requires_action for unknown event_id ${eventId} — denying defensively`);
             try {
@@ -192,7 +257,7 @@ async function runSessionWorker({ sessionId, ctx }) {
 
           const normalized = normalizeForPolicy(sourceEvent);
           const t0 = Date.now();
-          const result = evaluate(normalized, ruleset);
+          const result = evaluate(normalized, ctx.ruleset);
           const decidedInMs = Date.now() - t0;
 
           sinfo(sessionId, `requires_action ${sourceEvent.type} tool=${normalized.tool_name} → ${result.decision}${result.rule_id ? ` (${result.rule_id})` : ''}`);
@@ -202,6 +267,7 @@ async function runSessionWorker({ sessionId, ctx }) {
             ruleId: result.rule_id, ruleName: result.rule_name,
             message: result.message, decidedInMs,
           });
+          fireToFortress(sourceEvent, normalized, result, decidedInMs);
 
           try {
             if (result.decision === 'allow') {
@@ -337,19 +403,64 @@ async function main() {
     process.exit(0);
   }
 
+  // Security: --api-key on the command line ends up in shell history and in
+  // the process list. Strongly prefer the ANTHROPIC_API_KEY env var.
+  if (args['api-key']) {
+    process.stderr.write(
+      '[shield] warning: --api-key on the command line is visible in shell history and\n' +
+      '         in the process list. Prefer: export ANTHROPIC_API_KEY=...\n'
+    );
+  }
+
   const singleSessionId = args['session-id']; // optional now
   const policyPath = args.policy;
+  const policiesSource = args['policies-source'] || (policyPath ? 'local' : null);
+  const wmaApiKey = args['wma-api-key'] || process.env.WMA_API_KEY;
+  const signalsSalt = args['salt'] || process.env.WMA_SIGNALS_SALT;
+  const fortressBase = resolveFortressBase({
+    explicitBase: args['fortress-base-url'],
+    explicitUrl: args['fortress-url'],
+  });
   const logDir = resolve(args['log-dir'] || './watchmyagents-logs');
 
   if (!apiKey) die('error: --api-key or ANTHROPIC_API_KEY required');
   if (!agentId) die('error: --agent-id required');
-  if (!policyPath) die('error: --policy <path-to-policies.json> required');
 
-  let ruleset;
-  try {
-    ruleset = await loadPolicies(resolve(policyPath));
-  } catch (e) {
-    die(`error loading policies: ${e.message}`);
+  // Policies source: --policies-source fortress | local  (default infers from --policy)
+  let ruleset;          // for 'local' mode: static; for 'fortress': initial snapshot
+  let fortressPolicies; // FortressPolicySource instance, used as ground truth at runtime
+
+  if (policiesSource === 'fortress') {
+    if (!wmaApiKey) die('error: --policies-source fortress requires --wma-api-key or WMA_API_KEY env');
+    if (!fortressBase) die('error: --policies-source fortress requires --fortress-base-url or WMA_FORTRESS_BASE_URL env');
+    if (!/^wma_[a-f0-9]{32}$/i.test(wmaApiKey)) warn(`WMA_API_KEY format looks unusual (expected wma_<32hex>).`);
+
+    fortressPolicies = new FortressPolicySource({
+      apiKey: wmaApiKey,
+      base: fortressBase,
+      anthropicAgentId: agentId,
+      refreshIntervalMs: 5 * 60_000,
+      onError: (e) => warn(`policy refresh failed (keeping cached): ${e.message}`),
+      onRefresh: ({ policies, fetched_at, initial }) => {
+        info(`policies ${initial ? 'loaded' : 'refreshed'} from Fortress — ${policies.length} active (fetched_at: ${fetched_at})`);
+      },
+    });
+    try {
+      await fortressPolicies.start();
+    } catch (e) {
+      die(`error fetching policies from Fortress: ${e.message}\n` +
+          `       Check WMA_FORTRESS_BASE_URL and WMA_API_KEY.`);
+    }
+    ruleset = fortressPolicies.current();
+  } else if (policiesSource === 'local') {
+    if (!policyPath) die('error: --policies-source local requires --policy <path-to-policies.json>');
+    try {
+      ruleset = await loadPolicies(resolve(policyPath));
+    } catch (e) {
+      die(`error loading policies: ${e.message}`);
+    }
+  } else {
+    die('error: --policy <path> OR --policies-source fortress required');
   }
 
   let mode = 'interrupt';
@@ -361,7 +472,10 @@ async function main() {
     warn(`could not fetch agent config (${e.message}). Defaulting to interrupt mode.`);
   }
 
-  info(`armed — ${ruleset.policies.length} policies loaded from ${policyPath}`);
+  const sourceLabel = policiesSource === 'fortress'
+    ? `Fortress (${fortressBase})`
+    : policyPath;
+  info(`armed — ${ruleset.policies.length} policies loaded from ${sourceLabel}`);
   info(`default action when no rule matches: ${ruleset.default.action}`);
   info(`agent: ${agentId}${agentMeta?.name ? ` "${agentMeta.name}"` : ''}`);
   info(`enforcement mode: ${mode}`);
@@ -380,11 +494,45 @@ async function main() {
     return loggers.get(sessionId);
   };
 
+  // Optional Fortress decision pusher — only active if we have a wma key + base.
+  // In 'fortress' mode this is always available. In 'local' mode it's a fire-
+  // and-forget extra channel if both are set.
+  const canPushToFortress = !!(wmaApiKey && fortressBase);
+  const pushDecisionToFortress = canPushToFortress
+    ? async (decisionData) => {
+        try {
+          await postDecision({ apiKey: wmaApiKey, base: fortressBase, decision: decisionData });
+        } catch (e) {
+          warn(`Fortress decision push failed: ${e.message}`);
+        }
+      }
+    : null;
+
   const ac = new AbortController();
-  process.on('SIGINT',  () => { info('SIGINT received, shutting down…'); ac.abort(); });
-  process.on('SIGTERM', () => { info('SIGTERM received, shutting down…'); ac.abort(); });
+  process.on('SIGINT',  () => {
+    info('SIGINT received, shutting down…');
+    if (fortressPolicies) fortressPolicies.stop();
+    ac.abort();
+  });
+  process.on('SIGTERM', () => {
+    info('SIGTERM received, shutting down…');
+    if (fortressPolicies) fortressPolicies.stop();
+    ac.abort();
+  });
 
-  const ctx = { apiKey, agentId, ruleset, mode, decisions, signal: ac.signal };
+  // ctx exposes a getter for the live ruleset so workers see policy refreshes.
+  const ctx = {
+    apiKey,
+    agentId,
+    get ruleset() {
+      return fortressPolicies ? fortressPolicies.current() : ruleset;
+    },
+    mode,
+    decisions,
+    pushDecisionToFortress,
+    signalsSalt,
+    signal: ac.signal,
+  };
 
   if (singleSessionId) {
     info(`single-session mode — attached to ${singleSessionId}`);