watchmyagents 0.5.0 → 0.6.0

package/README.md

@@ -205,15 +205,30 @@ Report vulnerabilities via [SECURITY.md](./SECURITY.md).
 
 ## Shield — real-time policy enforcement
 
-`wma-shield` (shipped in v0.2.0) is the real-time enforcement companion to Watch. It streams agent events live, evaluates them against a local JSON policy file, and blocks tool calls that violate the policy via `user.tool_confirmation` (when the agent has `permission_policy: always_ask` configured) or `user.interrupt` (zero-setup fallback).
+`wma-shield` is the real-time enforcement companion to Watch. It streams agent events live, evaluates them against a policy ruleset, and blocks tool calls that violate the policy via `user.tool_confirmation` (when the agent has `permission_policy: always_ask` configured) or `user.interrupt` (zero-setup fallback).
 
+### Two policy sources (v0.6.0+)
+
+**Local JSON** (standalone — no cloud dependency):
 ```bash
-# Agent-wide mode — attaches to ALL active sessions of the agent automatically.
-# Run under a process supervisor (systemd, pm2, docker) for production.
 wma-shield --agent-id agent_xxx --policy ./policies.json
 ```
 
-Shield auto-detects the best enforcement mode at startup:
+**Fortress cloud** (policies managed in the dashboard, auto-refreshed every 5 min):
+```bash
+export ANTHROPIC_API_KEY="sk-ant-..."
+export WMA_API_KEY="wma_..."
+export WMA_FORTRESS_BASE_URL="https://<project>.supabase.co/functions/v1"
+export WMA_SIGNALS_SALT="..."          # same salt as wma-upload-fortress (for cross-table IoC correlation)
+
+wma-shield --agent-id agent_xxx --policies-source fortress
+```
+
+In Fortress mode, Shield also POSTs each enforcement decision back to Fortress (`/functions/v1/ingest-decisions`), so the dashboard's live timeline + Loop Visualizer light up in real time.
+
+### Enforcement mode auto-detection
+
+Shield auto-detects the best mode at startup:
 - **tool_confirmation** (precise, pre-execution blocking) when at least one tool has `permission_policy: always_ask`
 - **interrupt** (degraded, post-execution termination) otherwise
 
@@ -232,7 +247,8 @@ Decisions are logged to the same NDJSON stream as Watch (`action_type: shield_de
 - ✅ Anonymized telemetry to WMA Fortress cloud (`wma-upload-fortress` in v0.5.0)
 - ✅ Guardian AI (cloud) — automatic policy suggestions from observed behavior
 - ✅ Fortress (cloud) — dashboard + human-in-the-loop validation queue
-- 🚧 Shield policy puller from Fortress (replace local JSON with cloud-synced policies)
+- ✅ Shield policy puller from Fortress (`wma-shield --policies-source fortress` in v0.6.0)
+- ✅ Shield decisions push to Fortress (live timeline + Loop Visualizer)
 - 🚧 Encrypted upload to customer's own cloud (S3/GCS/Azure with `age` public-key encryption)
 
 ## License

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "watchmyagents",
-  "version": "0.5.0",
-  "description": "Security observability + real-time policy enforcement for AI agents. Local-first NDJSON capture, Shield CLI that blocks policy violations live, anonymizer producing signals-only payloads, and an upload command that ships anonymized telemetry to WatchMyAgents Fortress (the cloud control plane).",
+  "version": "0.6.0",
+  "description": "Security observability + real-time policy enforcement for AI agents. Local-first NDJSON capture, Shield CLI that blocks policy violations live (with policies pulled from Fortress cloud), anonymizer producing signals-only payloads, and bidirectional sync with WatchMyAgents Fortress — closing the recursive Watch→Guardian→Shield security loop.",
   "type": "module",
   "files": [
     "src/",

package/scripts/shield.js

@@ -25,6 +25,7 @@
 // ANTHROPIC_API_KEY env var is used if --api-key is omitted.
 
 import { resolve } from 'node:path';
+import { createHash } from 'node:crypto';
 import { streamWithReconnect } from '../src/shield/stream.js';
 import { loadPolicies, evaluate } from '../src/shield/policy.js';
 import {
@@ -33,6 +34,8 @@ import {
 } from '../src/shield/enforce.js';
 import { DecisionLogger } from '../src/shield/decisions.js';
 import { listSessions } from '../src/sources/anthropic-managed.js';
+import { FortressPolicySource, postDecision } from '../src/shield/sources/fortress.js';
+import { resolveFortressBase } from '../src/fortress/url.js';
 
 function parseArgs(argv) {
   const out = {};
@@ -114,9 +117,45 @@ After either option, restart Shield — it auto-detects the new mode.
 // Per-session worker — runs one event loop, returns when session ends.
 // ────────────────────────────────────────────────────────────────────────
 async function runSessionWorker({ sessionId, ctx }) {
-  const { apiKey, agentId, ruleset, mode, decisions, signal } = ctx;
+  const { apiKey, agentId, mode, decisions, signal, pushDecisionToFortress, signalsSalt } = ctx;
+  // NOTE: ctx.ruleset is a getter — read it FRESH per evaluation so policy
+  // refreshes from Fortress (every 5 min) take effect without restart.
   sinfo(sessionId, `attached (${mode} mode)`);
 
+  // Helper: hash an IoC value with the customer salt (same one used by
+  // anonymizer for signals → correlates decisions to signals in Fortress).
+  // Returns null if no salt is configured (decisions still upload, just
+  // without input_hash).
+  const hashIoc = (value) => {
+    if (!signalsSalt || value == null) return null;
+    const s = typeof value === 'string' ? value : JSON.stringify(value);
+    return 'sha256:' + createHash('sha256').update(signalsSalt).update(s).digest('hex').slice(0, 32);
+  };
+
+  // Helper: assemble + fire the decision push to Fortress (fire-and-forget).
+  const fireToFortress = (rawEvent, normalized, result, decidedInMs) => {
+    if (!pushDecisionToFortress) return;
+    // Extract the most relevant input value to hash (URL > command > query > path)
+    const inp = normalized?.input;
+    let inputForHash = null;
+    if (inp && typeof inp === 'object') {
+      inputForHash = inp.url || inp.command || inp.query || inp.path || inp.file_path || null;
+    }
+    pushDecisionToFortress({
+      anthropic_agent_id: agentId,
+      decision: result.decision,
+      rule_id: result.rule_id || undefined,
+      session_hash: hashIoc(sessionId) || undefined,
+      event_id_hash: hashIoc(rawEvent?.id) || undefined,
+      input_hash: hashIoc(inputForHash) || undefined,
+      action_type: normalized?.action_type || undefined,
+      tool_name: normalized?.tool_name || undefined,
+      message: result.message || result.rule_name || undefined,
+      decided_at: new Date().toISOString(),
+      decided_in_ms: decidedInMs,
+    }).catch(() => undefined);
+  };
+
   let processed = 0, enforced = 0, sessionInterrupted = false;
   // Cache is only needed for tool_confirmation mode (lookup by event_id when
   // requires_action fires). Interrupt mode evaluates synchronously and never
@@ -161,7 +200,7 @@ async function runSessionWorker({ sessionId, ctx }) {
         // No caching in interrupt mode — react synchronously, free memory.
         const normalized = normalizeForPolicy(rawEvent);
         const t0 = Date.now();
-        const result = evaluate(normalized, ruleset);
+        const result = evaluate(normalized, ctx.ruleset);
         const decidedInMs = Date.now() - t0;
 
         sinfo(sessionId, `${rawEvent.type} tool=${normalized.tool_name} → ${result.decision}${result.rule_id ? ` (${result.rule_id})` : ''}`);
@@ -171,6 +210,7 @@ async function runSessionWorker({ sessionId, ctx }) {
           ruleId: result.rule_id, ruleName: result.rule_name,
           message: result.message, decidedInMs,
         });
+        fireToFortress(rawEvent, normalized, result, decidedInMs);
 
         if ((result.decision === 'deny' || result.decision === 'interrupt') && !sessionInterrupted) {
           try {
@@ -217,7 +257,7 @@ async function runSessionWorker({ sessionId, ctx }) {
 
           const normalized = normalizeForPolicy(sourceEvent);
           const t0 = Date.now();
-          const result = evaluate(normalized, ruleset);
+          const result = evaluate(normalized, ctx.ruleset);
           const decidedInMs = Date.now() - t0;
 
           sinfo(sessionId, `requires_action ${sourceEvent.type} tool=${normalized.tool_name} → ${result.decision}${result.rule_id ? ` (${result.rule_id})` : ''}`);
@@ -227,6 +267,7 @@ async function runSessionWorker({ sessionId, ctx }) {
             ruleId: result.rule_id, ruleName: result.rule_name,
             message: result.message, decidedInMs,
           });
+          fireToFortress(sourceEvent, normalized, result, decidedInMs);
 
           try {
             if (result.decision === 'allow') {
@@ -373,17 +414,53 @@ async function main() {
 
   const singleSessionId = args['session-id']; // optional now
   const policyPath = args.policy;
+  const policiesSource = args['policies-source'] || (policyPath ? 'local' : null);
+  const wmaApiKey = args['wma-api-key'] || process.env.WMA_API_KEY;
+  const signalsSalt = args['salt'] || process.env.WMA_SIGNALS_SALT;
+  const fortressBase = resolveFortressBase({
+    explicitBase: args['fortress-base-url'],
+    explicitUrl: args['fortress-url'],
+  });
   const logDir = resolve(args['log-dir'] || './watchmyagents-logs');
 
   if (!apiKey) die('error: --api-key or ANTHROPIC_API_KEY required');
   if (!agentId) die('error: --agent-id required');
-  if (!policyPath) die('error: --policy <path-to-policies.json> required');
 
-  let ruleset;
-  try {
-    ruleset = await loadPolicies(resolve(policyPath));
-  } catch (e) {
-    die(`error loading policies: ${e.message}`);
+  // Policies source: --policies-source fortress | local  (default infers from --policy)
+  let ruleset;          // for 'local' mode: static; for 'fortress': initial snapshot
+  let fortressPolicies; // FortressPolicySource instance, used as ground truth at runtime
+
+  if (policiesSource === 'fortress') {
+    if (!wmaApiKey) die('error: --policies-source fortress requires --wma-api-key or WMA_API_KEY env');
+    if (!fortressBase) die('error: --policies-source fortress requires --fortress-base-url or WMA_FORTRESS_BASE_URL env');
+    if (!/^wma_[a-f0-9]{32}$/i.test(wmaApiKey)) warn(`WMA_API_KEY format looks unusual (expected wma_<32hex>).`);
+
+    fortressPolicies = new FortressPolicySource({
+      apiKey: wmaApiKey,
+      base: fortressBase,
+      anthropicAgentId: agentId,
+      refreshIntervalMs: 5 * 60_000,
+      onError: (e) => warn(`policy refresh failed (keeping cached): ${e.message}`),
+      onRefresh: ({ policies, fetched_at, initial }) => {
+        info(`policies ${initial ? 'loaded' : 'refreshed'} from Fortress — ${policies.length} active (fetched_at: ${fetched_at})`);
+      },
+    });
+    try {
+      await fortressPolicies.start();
+    } catch (e) {
+      die(`error fetching policies from Fortress: ${e.message}\n` +
+          `       Check WMA_FORTRESS_BASE_URL and WMA_API_KEY.`);
+    }
+    ruleset = fortressPolicies.current();
+  } else if (policiesSource === 'local') {
+    if (!policyPath) die('error: --policies-source local requires --policy <path-to-policies.json>');
+    try {
+      ruleset = await loadPolicies(resolve(policyPath));
+    } catch (e) {
+      die(`error loading policies: ${e.message}`);
+    }
+  } else {
+    die('error: --policy <path> OR --policies-source fortress required');
   }
 
   let mode = 'interrupt';
@@ -395,7 +472,10 @@ async function main() {
     warn(`could not fetch agent config (${e.message}). Defaulting to interrupt mode.`);
   }
 
-  info(`armed — ${ruleset.policies.length} policies loaded from ${policyPath}`);
+  const sourceLabel = policiesSource === 'fortress'
+    ? `Fortress (${fortressBase})`
+    : policyPath;
+  info(`armed — ${ruleset.policies.length} policies loaded from ${sourceLabel}`);
   info(`default action when no rule matches: ${ruleset.default.action}`);
   info(`agent: ${agentId}${agentMeta?.name ? ` "${agentMeta.name}"` : ''}`);
   info(`enforcement mode: ${mode}`);
@@ -414,11 +494,45 @@ async function main() {
     return loggers.get(sessionId);
   };
 
+  // Optional Fortress decision pusher — only active if we have a wma key + base.
+  // In 'fortress' mode this is always available. In 'local' mode it's a fire-
+  // and-forget extra channel if both are set.
+  const canPushToFortress = !!(wmaApiKey && fortressBase);
+  const pushDecisionToFortress = canPushToFortress
+    ? async (decisionData) => {
+        try {
+          await postDecision({ apiKey: wmaApiKey, base: fortressBase, decision: decisionData });
+        } catch (e) {
+          warn(`Fortress decision push failed: ${e.message}`);
+        }
+      }
+    : null;
+
   const ac = new AbortController();
-  process.on('SIGINT',  () => { info('SIGINT received, shutting down…'); ac.abort(); });
-  process.on('SIGTERM', () => { info('SIGTERM received, shutting down…'); ac.abort(); });
+  process.on('SIGINT',  () => {
+    info('SIGINT received, shutting down…');
+    if (fortressPolicies) fortressPolicies.stop();
+    ac.abort();
+  });
+  process.on('SIGTERM', () => {
+    info('SIGTERM received, shutting down…');
+    if (fortressPolicies) fortressPolicies.stop();
+    ac.abort();
+  });
 
-  const ctx = { apiKey, agentId, ruleset, mode, decisions, signal: ac.signal };
+  // ctx exposes a getter for the live ruleset so workers see policy refreshes.
+  const ctx = {
+    apiKey,
+    agentId,
+    get ruleset() {
+      return fortressPolicies ? fortressPolicies.current() : ruleset;
+    },
+    mode,
+    decisions,
+    pushDecisionToFortress,
+    signalsSalt,
+    signal: ac.signal,
+  };
 
   if (singleSessionId) {
     info(`single-session mode — attached to ${singleSessionId}`);

package/scripts/upload-fortress.js

@@ -29,6 +29,7 @@ import { join, resolve } from 'node:path';
 import { createReadStream } from 'node:fs';
 import { createInterface } from 'node:readline';
 import { SignalsAggregator } from '../src/anonymizer.js';
+import { resolveFortressBase, fortressEndpoint } from '../src/fortress/url.js';
 
 function parseArgs(argv) {
   const out = {};
@@ -101,12 +102,22 @@ async function main() {
 
   const agentId = args['agent-id'];
   const logDir = resolve(args['log-dir'] || './watchmyagents-logs');
-  const fortressUrl = args['fortress-url'] || process.env.WMA_FORTRESS_URL;
   const apiKey = args['api-key'] || process.env.WMA_API_KEY;
   const salt = args.salt || process.env.WMA_SIGNALS_SALT;
   const displayName = args['display-name'] || agentId;
   const dryRun = !!args['dry-run'];
 
+  // Resolve Fortress base URL. Accepts:
+  //   --fortress-base-url <base>            (preferred CLI)
+  //   --fortress-url <full ingest-signals>  (legacy CLI)
+  //   WMA_FORTRESS_BASE_URL env             (preferred env)
+  //   WMA_FORTRESS_URL env                  (legacy env, points at ingest-signals)
+  const fortressBase = resolveFortressBase({
+    explicitBase: args['fortress-base-url'],
+    explicitUrl: args['fortress-url'],
+  });
+  const fortressUrl = fortressBase ? fortressEndpoint(fortressBase, 'ingest-signals') : null;
+
   // Validation
   if (!agentId) die('error: --agent-id required (Anthropic agent_id, e.g. agent_01XaN...)');
   // Strict alphanumeric to prevent path traversal in collectFiles below

package/src/fortress/url.js

@@ -0,0 +1,59 @@
+// ─────────────────────────────────────────────────────────────────────────
+// Fortress URL resolution — shared across upload-fortress, shield, etc.
+// ─────────────────────────────────────────────────────────────────────────
+// The user sets ONE of:
+//
+//   WMA_FORTRESS_BASE_URL=https://<project>.supabase.co/functions/v1
+//      → preferred. Each tool appends its endpoint (/ingest-signals,
+//        /get-policies, /ingest-decisions).
+//
+//   WMA_FORTRESS_URL=https://<project>.supabase.co/functions/v1/ingest-signals
+//      → legacy (v0.5.0 era). The base URL is derived by stripping the
+//        last path segment, so other endpoints can be constructed.
+//
+// Either way, callers receive a `base` they append `/<endpoint>` to.
+
+/**
+ * Resolve the Fortress base URL from env / args.
+ * @param {object} opts - { explicitUrl, explicitBase, env }
+ * @returns {string|null} base URL like https://x.supabase.co/functions/v1
+ *                       (no trailing slash), or null if not configured.
+ */
+export function resolveFortressBase({ explicitUrl, explicitBase, env = process.env } = {}) {
+  // 1. Explicit base URL from CLI
+  if (explicitBase) return stripTrailingSlash(explicitBase);
+
+  // 2. Env: WMA_FORTRESS_BASE_URL (preferred)
+  if (env.WMA_FORTRESS_BASE_URL) return stripTrailingSlash(env.WMA_FORTRESS_BASE_URL);
+
+  // 3. Legacy: WMA_FORTRESS_URL (full path to ingest-signals)
+  const legacy = explicitUrl || env.WMA_FORTRESS_URL;
+  if (legacy) {
+    // Strip last path segment to get the base
+    try {
+      const u = new URL(legacy);
+      const parts = u.pathname.split('/').filter(Boolean);
+      if (parts.length > 0) parts.pop();
+      u.pathname = '/' + parts.join('/');
+      return stripTrailingSlash(u.toString());
+    } catch {
+      return null;
+    }
+  }
+
+  return null;
+}
+
+function stripTrailingSlash(s) {
+  return s.endsWith('/') ? s.slice(0, -1) : s;
+}
+
+/**
+ * Build a full endpoint URL given a base + endpoint name.
+ * @param {string} base - e.g. https://x.supabase.co/functions/v1
+ * @param {string} endpoint - e.g. "ingest-signals", "get-policies"
+ */
+export function fortressEndpoint(base, endpoint) {
+  if (!base) throw new Error('Fortress base URL not configured');
+  return `${base}/${endpoint}`;
+}

package/src/shield/sources/fortress.js

@@ -0,0 +1,203 @@
+// ─────────────────────────────────────────────────────────────────────────
+// Shield → Fortress integration (v0.6.0)
+// ─────────────────────────────────────────────────────────────────────────
+// Two pieces:
+//   1. fetchPolicies()  — Shield pulls active policies from Fortress
+//   2. postDecision()   — Shield pushes each enforcement decision to Fortress
+//
+// Both authenticate with the customer's `wma_xxx` API key (Bearer header),
+// against the Edge Functions get-policies and ingest-decisions deployed in
+// the Fortress repo.
+
+import { request as httpsRequest } from 'node:https';
+import { URL } from 'node:url';
+import { fortressEndpoint } from '../../fortress/url.js';
+
+const DEFAULT_TIMEOUT_MS = 15_000;
+
+function httpsJson(method, url, headers, body, timeoutMs = DEFAULT_TIMEOUT_MS) {
+  return new Promise((resolveReq, rejectReq) => {
+    const u = new URL(url);
+    if (u.protocol !== 'https:') {
+      return rejectReq(new Error(`refusing non-https Fortress URL: ${url}`));
+    }
+    const data = body ? Buffer.from(JSON.stringify(body)) : null;
+    const opts = {
+      method,
+      hostname: u.hostname,
+      port: u.port || 443,
+      path: u.pathname + (u.search || ''),
+      headers: {
+        ...headers,
+        ...(data ? { 'content-type': 'application/json', 'content-length': data.length } : {}),
+      },
+      rejectUnauthorized: true,
+    };
+    const req = httpsRequest(opts, (res) => {
+      const chunks = [];
+      res.on('data', (c) => chunks.push(c));
+      res.on('end', () => {
+        const raw = Buffer.concat(chunks).toString('utf8');
+        let parsed = null;
+        try { parsed = raw ? JSON.parse(raw) : null; } catch { /* keep raw */ }
+        resolveReq({ status: res.statusCode || 0, body: parsed ?? raw });
+      });
+    });
+    req.on('error', rejectReq);
+    req.setTimeout(timeoutMs, () => {
+      req.destroy(new Error(`Fortress request timed out after ${timeoutMs}ms`));
+    });
+    if (data) req.write(data);
+    req.end();
+  });
+}
+
+/**
+ * GET /functions/v1/get-policies?agent_id=<anthropicAgentId>
+ * Returns the array of enabled policies for this customer + agent.
+ *
+ * @param {object} opts
+ * @param {string} opts.apiKey - wma_xxx
+ * @param {string} opts.base - Fortress base URL (https://x.supabase.co/functions/v1)
+ * @param {string} [opts.anthropicAgentId] - optional filter
+ * @returns {Promise<{ ok: true, policies: array, fetched_at: string }>}
+ */
+export async function fetchPolicies({ apiKey, base, anthropicAgentId }) {
+  let url = fortressEndpoint(base, 'get-policies');
+  if (anthropicAgentId) {
+    const sep = url.includes('?') ? '&' : '?';
+    url += `${sep}agent_id=${encodeURIComponent(anthropicAgentId)}`;
+  }
+  const { status, body } = await httpsJson('GET', url, {
+    authorization: `Bearer ${apiKey}`,
+    accept: 'application/json',
+  });
+  if (status === 200 && body && body.ok) {
+    return { ok: true, policies: body.policies || [], fetched_at: body.fetched_at };
+  }
+  const err = body?.error || (typeof body === 'string' ? body.slice(0, 200) : 'unknown');
+  throw new Error(`get-policies failed (HTTP ${status}): ${err}`);
+}
+
+/**
+ * POST /functions/v1/ingest-decisions
+ * Push a single enforcement decision to Fortress.
+ *
+ * @param {object} opts
+ * @param {string} opts.apiKey - wma_xxx
+ * @param {string} opts.base - Fortress base URL
+ * @param {object} opts.decision - the body to POST. See ingest-decisions docs.
+ *   {
+ *     anthropic_agent_id, decision,
+ *     rule_id?, session_hash?, event_id_hash?, input_hash?,
+ *     action_type?, tool_name?, message?, decided_at?, decided_in_ms?
+ *   }
+ * @returns {Promise<{ ok: true, decision_id: string, agent_id: string }>}
+ */
+export async function postDecision({ apiKey, base, decision }) {
+  const url = fortressEndpoint(base, 'ingest-decisions');
+  const { status, body } = await httpsJson('POST', url, {
+    authorization: `Bearer ${apiKey}`,
+  }, decision);
+  if (status === 200 && body && body.ok) {
+    return { ok: true, decision_id: body.decision_id, agent_id: body.agent_id };
+  }
+  const err = body?.error || (typeof body === 'string' ? body.slice(0, 200) : 'unknown');
+  throw new Error(`ingest-decisions failed (HTTP ${status}): ${err}`);
+}
+
+// ────────────────────────────────────────────────────────────────────────
+// FortressPolicySource — drop-in replacement for the local JSON loader.
+// Periodically refreshes the policy ruleset from Fortress.
+// ────────────────────────────────────────────────────────────────────────
+
+import { matchesPolicy } from '../policy.js';
+
+export class FortressPolicySource {
+  constructor({ apiKey, base, anthropicAgentId, refreshIntervalMs = 5 * 60_000, onError, onRefresh }) {
+    if (!apiKey) throw new Error('FortressPolicySource: apiKey required');
+    if (!base) throw new Error('FortressPolicySource: base URL required');
+    this.apiKey = apiKey;
+    this.base = base;
+    this.anthropicAgentId = anthropicAgentId;
+    this.refreshIntervalMs = refreshIntervalMs;
+    this.onError = onError || (() => {});
+    this.onRefresh = onRefresh || (() => {});
+    this.ruleset = { version: 1, policies: [], default: { action: 'allow' } };
+    this.lastFetchedAt = null;
+    this._timer = null;
+    this._aborted = false;
+  }
+
+  /** Initial fetch — fails loud if it can't reach Fortress at startup. */
+  async start() {
+    await this._refresh({ initial: true });
+    this._timer = setInterval(() => this._refresh().catch(this.onError), this.refreshIntervalMs);
+    if (this._timer.unref) this._timer.unref();
+  }
+
+  stop() {
+    this._aborted = true;
+    if (this._timer) { clearInterval(this._timer); this._timer = null; }
+  }
+
+  /** Returns the current ruleset (used by the policy evaluator). */
+  current() {
+    return this.ruleset;
+  }
+
+  async _refresh({ initial = false } = {}) {
+    if (this._aborted) return;
+    try {
+      const { policies, fetched_at } = await fetchPolicies({
+        apiKey: this.apiKey,
+        base: this.base,
+        anthropicAgentId: this.anthropicAgentId,
+      });
+      // Compile regex etc. — reuse the same shape policy.js expects.
+      const compiled = policies.map((p) => compilePolicyFromFortress(p));
+      this.ruleset = {
+        version: 1,
+        policies: compiled,
+        default: { action: 'allow' },
+      };
+      this.lastFetchedAt = fetched_at;
+      this.onRefresh({ policies: compiled, fetched_at, initial });
+    } catch (e) {
+      // On initial failure, propagate so the operator notices a config issue.
+      // On subsequent failures, log and keep the previous cached ruleset.
+      if (initial) throw e;
+      this.onError(e);
+    }
+  }
+}
+
+// Convert a Fortress DB policy row to the local Shield format (compile regex).
+function compilePolicyFromFortress(p) {
+  const out = {
+    id: p.rule_id,
+    name: p.name,
+    rationale: p.rationale,
+    match: p.match || {},
+    action: p.action,
+    message: p.message,
+    priority: p.priority ?? 100,
+  };
+  // Compile regex strings to RegExp via the same _regex/_not_regex/_regex_any
+  // protocol the local policy.js engine uses (avoids parsing each event).
+  // We rely on the validation already done in compileMatchRegexes within
+  // policy.js, but since we're not going through loadPolicies here we replicate
+  // the safe-compile step inline.
+  for (const [field, condition] of Object.entries(out.match)) {
+    if (condition && typeof condition === 'object') {
+      if (condition.regex) condition._regex = new RegExp(condition.regex);
+      if (condition.not_regex) condition._not_regex = new RegExp(condition.not_regex);
+      if (condition.regex_any) condition._regex_any = condition.regex_any.map(r => new RegExp(r));
+    }
+  }
+  return out;
+}
+
+// Re-export matchesPolicy for convenience (callers can use the FortressPolicySource
+// + the standard evaluate() from policy.js).
+export { matchesPolicy };