watchmyagents 0.5.0 → 0.8.0

package/scripts/service.js

@@ -0,0 +1,325 @@
+#!/usr/bin/env node
+// wma-service — install WatchMyAgents as an always-on OS background service.
+//
+// Turns the manual `wma-fetch --watch` (and optionally `wma-shield`) commands
+// into OS-native services that start at login, restart on crash, and run with
+// NO terminal — so the WGS loop is truly automatic on the customer's machine.
+//
+//   macOS  → launchd LaunchAgent (~/Library/LaunchAgents)
+//   Linux  → systemd user unit   (~/.config/systemd/user)
+//
+// One integrated install:
+//   wma-service install --agent-id agent_xxx [--interval 5m] [--with-shield]
+//   wma-service status
+//   wma-service uninstall [--with-shield]
+//
+// Secrets NEVER go in the plist/unit. They're snapshotted (from the current
+// environment) into a protected env file (~/.watchmyagents/env, chmod 600) that
+// the service loads at runtime. Required env at install time:
+//   ANTHROPIC_API_KEY, WMA_API_KEY, WMA_FORTRESS_BASE_URL, WMA_SIGNALS_SALT
+// Raw logs stay local (Modèle C); only anonymized signals are uploaded.
+
+import os from 'node:os';
+import { mkdirSync, writeFileSync, rmSync, existsSync, chmodSync } from 'node:fs';
+import { join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { execFileSync } from 'node:child_process';
+import { isValidAgentId } from '../src/validate.js';
+
+const HOME = os.homedir();
+const PLATFORM = process.platform;                       // 'darwin' | 'linux' | …
+const UID = typeof process.getuid === 'function' ? process.getuid() : null;
+const NODE = process.execPath;                            // absolute node binary
+const FETCH_SCRIPT = fileURLToPath(new URL('./fetch-anthropic.js', import.meta.url));
+const SHIELD_SCRIPT = fileURLToPath(new URL('./shield.js', import.meta.url));
+
+const CONFIG_DIR = join(HOME, '.watchmyagents');
+const ENV_FILE = join(CONFIG_DIR, 'env');
+const LOG_DIR_DEFAULT = join(CONFIG_DIR, 'logs');
+
+const REQUIRED_ENV = ['ANTHROPIC_API_KEY', 'WMA_API_KEY', 'WMA_FORTRESS_BASE_URL', 'WMA_SIGNALS_SALT'];
+
+const WATCH_LABEL = 'com.watchmyagents.watch';
+const SHIELD_LABEL = 'com.watchmyagents.shield';
+
+function parseArgs(argv) {
+  const out = { _: [] };
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    if (a.startsWith('--')) {
+      const k = a.slice(2);
+      const n = argv[i + 1];
+      if (n == null || n.startsWith('--')) out[k] = true;
+      else { out[k] = n; i++; }
+    } else out._.push(a);
+  }
+  return out;
+}
+
+function die(msg, code = 1) { process.stderr.write(`error: ${msg}\n`); process.exit(code); }
+function info(msg) { process.stdout.write(`[wma-service] ${msg}\n`); }
+function warn(msg) { process.stderr.write(`[wma-service] ⚠️  ${msg}\n`); }
+
+function sh(value) { return `"${String(value).replace(/(["$`\\])/g, '\\$1')}"`; }
+
+// ── Config (secrets) ──────────────────────────────────────────────────────
+function writeEnvFile() {
+  const missing = REQUIRED_ENV.filter((k) => !process.env[k]);
+  if (missing.length) {
+    die(`missing required env var(s): ${missing.join(', ')}\n` +
+        '       Export them in this shell, then re-run install. e.g.:\n' +
+        '         export $(grep -v "^#" .env | xargs)\n' +
+        '         export WMA_API_KEY=... WMA_FORTRESS_BASE_URL=... WMA_SIGNALS_SALT=...');
+  }
+  // The env file is sourced by the launcher (set -a; . file) and read by
+  // systemd's EnvironmentFile. A newline in a value would inject extra lines /
+  // corrupt the file, so reject it. (Our value types — hex salt, wma_/sk-ant
+  // keys, https URL — never legitimately contain newlines.)
+  for (const k of REQUIRED_ENV) {
+    if (/[\r\n]/.test(process.env[k])) die(`${k} contains a newline — refusing to write it to the env file`);
+  }
+  mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+  // Plain KEY=value lines — readable by both `set -a; . file` (launchd launcher)
+  // and systemd's EnvironmentFile=. No quoting needed (no spaces in our values).
+  const body = REQUIRED_ENV.map((k) => `${k}=${process.env[k]}`).join('\n') + '\n';
+  writeFileSync(ENV_FILE, body, { mode: 0o600 });
+  chmodSync(ENV_FILE, 0o600);
+  info(`secrets written to ${ENV_FILE} (chmod 600)`);
+}
+
+// ── macOS (launchd) ─────────────────────────────────────────────────────--
+function launchAgentsDir() { return join(HOME, 'Library', 'LaunchAgents'); }
+function plistPath(label) { return join(launchAgentsDir(), `${label}.plist`); }
+function launcherPath(label) { return join(CONFIG_DIR, `${label}.launcher.sh`); }
+
+function writeLauncher(label, scriptPath, args) {
+  const argLine = args.map(sh).join(' ');
+  const body = `#!/bin/sh
+# Generated by wma-service. Loads secrets then runs the WMA daemon.
+set -a
+. ${sh(ENV_FILE)}
+set +a
+exec ${sh(NODE)} ${sh(scriptPath)} ${argLine}
+`;
+  const p = launcherPath(label);
+  writeFileSync(p, body, { mode: 0o700 });
+  chmodSync(p, 0o700);
+  return p;
+}
+
+function writePlist(label, launcher) {
+  const outLog = join(CONFIG_DIR, `${label}.out.log`);
+  const errLog = join(CONFIG_DIR, `${label}.err.log`);
+  // Pre-create the log files 0600 so launchd appends to owner-only files.
+  // (No secrets are logged, but defense-in-depth on world-readable home files.)
+  for (const lp of [outLog, errLog]) {
+    if (!existsSync(lp)) writeFileSync(lp, '', { mode: 0o600 });
+    else chmodSync(lp, 0o600);
+  }
+  const body = `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key><string>${label}</string>
+  <key>ProgramArguments</key>
+  <array><string>${launcher}</string></array>
+  <key>RunAtLoad</key><true/>
+  <key>KeepAlive</key><true/>
+  <key>ProcessType</key><string>Background</string>
+  <key>StandardOutPath</key><string>${outLog}</string>
+  <key>StandardErrorPath</key><string>${errLog}</string>
+</dict>
+</plist>
+`;
+  mkdirSync(launchAgentsDir(), { recursive: true });
+  const p = plistPath(label);
+  writeFileSync(p, body, { mode: 0o644 });
+  return p;
+}
+
+function launchctl(args, { ignoreError = false } = {}) {
+  try {
+    execFileSync('launchctl', args, { stdio: 'pipe' });
+    return true;
+  } catch (e) {
+    if (!ignoreError) warn(`launchctl ${args.join(' ')} failed: ${(e.stderr || e.message).toString().trim().slice(0, 200)}`);
+    return false;
+  }
+}
+
+function macLoad(label, plist) {
+  const domain = `gui/${UID}`;
+  launchctl(['bootout', `${domain}/${label}`], { ignoreError: true }); // unload prior
+  const ok = launchctl(['bootstrap', domain, plist]);
+  launchctl(['enable', `${domain}/${label}`], { ignoreError: true });
+  if (ok) info(`loaded ${label} (launchd) — running now + at every login`);
+  else {
+    warn(`could not auto-load ${label}. Load it manually:`);
+    process.stdout.write(`  launchctl bootstrap gui/${UID} ${plist}\n`);
+  }
+}
+
+function macUnload(label) {
+  const domain = `gui/${UID}`;
+  launchctl(['bootout', `${domain}/${label}`], { ignoreError: true });
+  for (const p of [plistPath(label), launcherPath(label)]) if (existsSync(p)) rmSync(p);
+  info(`removed ${label} (launchd)`);
+}
+
+function macInstallOne(label, scriptPath, args) {
+  const launcher = writeLauncher(label, scriptPath, args);
+  const plist = writePlist(label, launcher);
+  macLoad(label, plist);
+}
+
+// ── Linux (systemd user) ───────────────────────────────────────────────────
+function systemdDir() { return join(HOME, '.config', 'systemd', 'user'); }
+function unitName(label) { return `${label.replace(/\./g, '-')}.service`; }
+function unitPath(label) { return join(systemdDir(), unitName(label)); }
+
+function writeUnit(label, desc, scriptPath, args) {
+  // Quote every token for systemd. systemd splits ExecStart on whitespace and
+  // does NOT run a shell; double-quotes group tokens and honor \" and \\.
+  const sdQuote = (s) => `"${String(s).replace(/(["\\])/g, '\\$1')}"`;
+  const exec = [NODE, scriptPath, ...args].map(sdQuote).join(' ');
+  const body = `[Unit]
+Description=${desc}
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+EnvironmentFile=${ENV_FILE}
+ExecStart=${exec}
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=default.target
+`;
+  mkdirSync(systemdDir(), { recursive: true });
+  const p = unitPath(label);
+  writeFileSync(p, body, { mode: 0o644 });
+  return p;
+}
+
+function systemctl(args, { ignoreError = false } = {}) {
+  try { execFileSync('systemctl', ['--user', ...args], { stdio: 'pipe' }); return true; }
+  catch (e) { if (!ignoreError) warn(`systemctl --user ${args.join(' ')} failed: ${(e.stderr || e.message).toString().trim().slice(0, 200)}`); return false; }
+}
+
+function linuxInstallOne(label, desc, scriptPath, args) {
+  writeUnit(label, desc, scriptPath, args);
+  const unit = unitName(label);
+  systemctl(['daemon-reload'], { ignoreError: true });
+  const ok = systemctl(['enable', '--now', unit]);
+  if (ok) info(`enabled ${unit} (systemd) — running now + at login. For boot-without-login: loginctl enable-linger ${process.env.USER || ''}`);
+  else { warn(`could not auto-enable ${unit}. Enable manually:`); process.stdout.write(`  systemctl --user enable --now ${unit}\n`); }
+}
+
+function linuxUninstallOne(label) {
+  const unit = unitName(label);
+  systemctl(['disable', '--now', unit], { ignoreError: true });
+  if (existsSync(unitPath(label))) rmSync(unitPath(label));
+  systemctl(['daemon-reload'], { ignoreError: true });
+  info(`removed ${unit} (systemd)`);
+}
+
+// ── Commands ────────────────────────────────────────────────────────────--
+function cmdInstall(args) {
+  const agentId = args['agent-id'];
+  if (!agentId) die('--agent-id required (e.g. agent_01ABC...)');
+  if (!isValidAgentId(agentId)) die(`--agent-id invalid format (expected "agent_" + alphanumeric, got "${agentId}")`);
+  const interval = args.interval || '5m';
+  if (!/^\d+[smhd]$/.test(interval)) die(`--interval invalid format (expected like 30s, 5m, 1h, 2d; got "${interval}")`);
+  const logDir = args['log-dir'] || LOG_DIR_DEFAULT;
+  const withShield = !!args['with-shield'];
+
+  if (PLATFORM !== 'darwin' && PLATFORM !== 'linux') {
+    die(`unsupported platform "${PLATFORM}". Supported: macOS (launchd), Linux (systemd).\n` +
+        '       Run the daemon manually or wrap it in your own process manager:\n' +
+        `         wma-fetch --agent-id ${agentId} --watch --upload --interval ${interval}`);
+  }
+
+  mkdirSync(logDir, { recursive: true, mode: 0o700 });
+  writeEnvFile();
+
+  const watchArgs = ['--agent-id', agentId, '--watch', '--upload', '--interval', interval, '--log-dir', logDir];
+  const shieldArgs = ['--agent-id', agentId, '--policies-source', 'fortress', '--log-dir', logDir];
+
+  if (PLATFORM === 'darwin') {
+    macInstallOne(WATCH_LABEL, FETCH_SCRIPT, watchArgs);
+    if (withShield) macInstallOne(SHIELD_LABEL, SHIELD_SCRIPT, shieldArgs);
+  } else {
+    linuxInstallOne(WATCH_LABEL, 'WatchMyAgents Watch daemon', FETCH_SCRIPT, watchArgs);
+    if (withShield) linuxInstallOne(SHIELD_LABEL, 'WatchMyAgents Shield enforcement', SHIELD_SCRIPT, shieldArgs);
+  }
+
+  info('done — the WGS loop now runs always-on, no terminal needed.');
+  info(`logs: ${CONFIG_DIR}/*.log  |  captured events: ${logDir}`);
+  info(`status:  wma-service status    uninstall:  wma-service uninstall${withShield ? ' --with-shield' : ''}`);
+}
+
+function cmdUninstall(args) {
+  const withShield = !!args['with-shield'];
+  if (PLATFORM === 'darwin') {
+    macUnload(WATCH_LABEL);
+    if (withShield) macUnload(SHIELD_LABEL);
+  } else if (PLATFORM === 'linux') {
+    linuxUninstallOne(WATCH_LABEL);
+    if (withShield) linuxUninstallOne(SHIELD_LABEL);
+  } else {
+    die(`unsupported platform "${PLATFORM}"`);
+  }
+  info('uninstalled. (Secrets in ' + ENV_FILE + ' left intact — delete manually if you want them gone.)');
+}
+
+function cmdStatus() {
+  if (PLATFORM === 'darwin') {
+    try {
+      const out = execFileSync('launchctl', ['list'], { encoding: 'utf8' });
+      const lines = out.split('\n').filter((l) => l.includes('watchmyagents'));
+      process.stdout.write(lines.length ? lines.join('\n') + '\n' : 'no WatchMyAgents services loaded\n');
+    } catch { warn('could not query launchctl'); }
+  } else if (PLATFORM === 'linux') {
+    for (const label of [WATCH_LABEL, SHIELD_LABEL]) {
+      try {
+        const out = execFileSync('systemctl', ['--user', 'is-active', unitName(label)], { encoding: 'utf8' }).trim();
+        process.stdout.write(`${unitName(label)}: ${out}\n`);
+      } catch (e) {
+        process.stdout.write(`${unitName(label)}: ${(e.stdout || 'inactive').toString().trim()}\n`);
+      }
+    }
+  } else {
+    die(`unsupported platform "${PLATFORM}"`);
+  }
+}
+
+function usage() {
+  process.stdout.write(`wma-service — run WatchMyAgents as an always-on OS service
+
+Usage:
+  wma-service install --agent-id agent_xxx [--interval 5m] [--log-dir DIR] [--with-shield]
+  wma-service status
+  wma-service uninstall [--with-shield]
+
+Required env at install (snapshotted to ~/.watchmyagents/env, chmod 600):
+  ANTHROPIC_API_KEY, WMA_API_KEY, WMA_FORTRESS_BASE_URL, WMA_SIGNALS_SALT
+
+macOS → launchd LaunchAgent · Linux → systemd user unit.
+The service starts at login and restarts on crash. Raw logs stay local.
+`);
+}
+
+function main() {
+  const args = parseArgs(process.argv.slice(2));
+  const cmd = args._[0];
+  switch (cmd) {
+    case 'install': return cmdInstall(args);
+    case 'uninstall': return cmdUninstall(args);
+    case 'status': return cmdStatus();
+    default: usage(); process.exit(cmd ? 1 : 0);
+  }
+}
+
+main();

package/scripts/shield.js

@@ -25,6 +25,7 @@
 // ANTHROPIC_API_KEY env var is used if --api-key is omitted.
 
 import { resolve } from 'node:path';
+import { createHash } from 'node:crypto';
 import { streamWithReconnect } from '../src/shield/stream.js';
 import { loadPolicies, evaluate } from '../src/shield/policy.js';
 import {
@@ -33,6 +34,9 @@ import {
 } from '../src/shield/enforce.js';
 import { DecisionLogger } from '../src/shield/decisions.js';
 import { listSessions } from '../src/sources/anthropic-managed.js';
+import { FortressPolicySource, postDecision } from '../src/shield/sources/fortress.js';
+import { resolveFortressBase } from '../src/fortress/url.js';
+import { isValidAgentId } from '../src/validate.js';
 
 function parseArgs(argv) {
   const out = {};
@@ -114,9 +118,45 @@ After either option, restart Shield — it auto-detects the new mode.
 // Per-session worker — runs one event loop, returns when session ends.
 // ────────────────────────────────────────────────────────────────────────
 async function runSessionWorker({ sessionId, ctx }) {
-  const { apiKey, agentId, ruleset, mode, decisions, signal } = ctx;
+  const { apiKey, agentId, mode, decisions, signal, pushDecisionToFortress, signalsSalt } = ctx;
+  // NOTE: ctx.ruleset is a getter — read it FRESH per evaluation so policy
+  // refreshes from Fortress (every 5 min) take effect without restart.
   sinfo(sessionId, `attached (${mode} mode)`);
 
+  // Helper: hash an IoC value with the customer salt (same one used by
+  // anonymizer for signals → correlates decisions to signals in Fortress).
+  // Returns null if no salt is configured (decisions still upload, just
+  // without input_hash).
+  const hashIoc = (value) => {
+    if (!signalsSalt || value == null) return null;
+    const s = typeof value === 'string' ? value : JSON.stringify(value);
+    return 'sha256:' + createHash('sha256').update(signalsSalt).update(s).digest('hex').slice(0, 32);
+  };
+
+  // Helper: assemble + fire the decision push to Fortress (fire-and-forget).
+  const fireToFortress = (rawEvent, normalized, result, decidedInMs) => {
+    if (!pushDecisionToFortress) return;
+    // Extract the most relevant input value to hash (URL > command > query > path)
+    const inp = normalized?.input;
+    let inputForHash = null;
+    if (inp && typeof inp === 'object') {
+      inputForHash = inp.url || inp.command || inp.query || inp.path || inp.file_path || null;
+    }
+    pushDecisionToFortress({
+      anthropic_agent_id: agentId,
+      decision: result.decision,
+      rule_id: result.rule_id || undefined,
+      session_hash: hashIoc(sessionId) || undefined,
+      event_id_hash: hashIoc(rawEvent?.id) || undefined,
+      input_hash: hashIoc(inputForHash) || undefined,
+      action_type: normalized?.action_type || undefined,
+      tool_name: normalized?.tool_name || undefined,
+      message: result.message || result.rule_name || undefined,
+      decided_at: new Date().toISOString(),
+      decided_in_ms: decidedInMs,
+    }).catch(() => undefined);
+  };
+
   let processed = 0, enforced = 0, sessionInterrupted = false;
   // Cache is only needed for tool_confirmation mode (lookup by event_id when
   // requires_action fires). Interrupt mode evaluates synchronously and never
@@ -161,7 +201,7 @@ async function runSessionWorker({ sessionId, ctx }) {
         // No caching in interrupt mode — react synchronously, free memory.
         const normalized = normalizeForPolicy(rawEvent);
         const t0 = Date.now();
-        const result = evaluate(normalized, ruleset);
+        const result = evaluate(normalized, ctx.ruleset);
         const decidedInMs = Date.now() - t0;
 
         sinfo(sessionId, `${rawEvent.type} tool=${normalized.tool_name} → ${result.decision}${result.rule_id ? ` (${result.rule_id})` : ''}`);
@@ -171,6 +211,7 @@ async function runSessionWorker({ sessionId, ctx }) {
           ruleId: result.rule_id, ruleName: result.rule_name,
           message: result.message, decidedInMs,
         });
+        fireToFortress(rawEvent, normalized, result, decidedInMs);
 
         if ((result.decision === 'deny' || result.decision === 'interrupt') && !sessionInterrupted) {
           try {
@@ -217,7 +258,7 @@ async function runSessionWorker({ sessionId, ctx }) {
 
           const normalized = normalizeForPolicy(sourceEvent);
           const t0 = Date.now();
-          const result = evaluate(normalized, ruleset);
+          const result = evaluate(normalized, ctx.ruleset);
           const decidedInMs = Date.now() - t0;
 
           sinfo(sessionId, `requires_action ${sourceEvent.type} tool=${normalized.tool_name} → ${result.decision}${result.rule_id ? ` (${result.rule_id})` : ''}`);
@@ -227,6 +268,7 @@ async function runSessionWorker({ sessionId, ctx }) {
             ruleId: result.rule_id, ruleName: result.rule_name,
             message: result.message, decidedInMs,
           });
+          fireToFortress(sourceEvent, normalized, result, decidedInMs);
 
           try {
             if (result.decision === 'allow') {
@@ -373,17 +415,56 @@ async function main() {
 
   const singleSessionId = args['session-id']; // optional now
   const policyPath = args.policy;
+  const policiesSource = args['policies-source'] || (policyPath ? 'local' : null);
+  const wmaApiKey = args['wma-api-key'] || process.env.WMA_API_KEY;
+  const signalsSalt = args['salt'] || process.env.WMA_SIGNALS_SALT;
+  const fortressBase = resolveFortressBase({
+    explicitBase: args['fortress-base-url'],
+    explicitUrl: args['fortress-url'],
+  });
   const logDir = resolve(args['log-dir'] || './watchmyagents-logs');
 
   if (!apiKey) die('error: --api-key or ANTHROPIC_API_KEY required');
   if (!agentId) die('error: --agent-id required');
-  if (!policyPath) die('error: --policy <path-to-policies.json> required');
+  if (!isValidAgentId(agentId)) {
+    die(`error: --agent-id has invalid format (expected "agent_" + alphanumeric, got "${agentId}")`);
+  }
 
-  let ruleset;
-  try {
-    ruleset = await loadPolicies(resolve(policyPath));
-  } catch (e) {
-    die(`error loading policies: ${e.message}`);
+  // Policies source: --policies-source fortress | local  (default infers from --policy)
+  let ruleset;          // for 'local' mode: static; for 'fortress': initial snapshot
+  let fortressPolicies; // FortressPolicySource instance, used as ground truth at runtime
+
+  if (policiesSource === 'fortress') {
+    if (!wmaApiKey) die('error: --policies-source fortress requires --wma-api-key or WMA_API_KEY env');
+    if (!fortressBase) die('error: --policies-source fortress requires --fortress-base-url or WMA_FORTRESS_BASE_URL env');
+    if (!/^wma_[a-f0-9]{32}$/i.test(wmaApiKey)) warn(`WMA_API_KEY format looks unusual (expected wma_<32hex>).`);
+
+    fortressPolicies = new FortressPolicySource({
+      apiKey: wmaApiKey,
+      base: fortressBase,
+      anthropicAgentId: agentId,
+      refreshIntervalMs: 5 * 60_000,
+      onError: (e) => warn(`policy refresh failed (keeping cached): ${e.message}`),
+      onRefresh: ({ policies, fetched_at, initial }) => {
+        info(`policies ${initial ? 'loaded' : 'refreshed'} from Fortress — ${policies.length} active (fetched_at: ${fetched_at})`);
+      },
+    });
+    try {
+      await fortressPolicies.start();
+    } catch (e) {
+      die(`error fetching policies from Fortress: ${e.message}\n` +
+          `       Check WMA_FORTRESS_BASE_URL and WMA_API_KEY.`);
+    }
+    ruleset = fortressPolicies.current();
+  } else if (policiesSource === 'local') {
+    if (!policyPath) die('error: --policies-source local requires --policy <path-to-policies.json>');
+    try {
+      ruleset = await loadPolicies(resolve(policyPath));
+    } catch (e) {
+      die(`error loading policies: ${e.message}`);
+    }
+  } else {
+    die('error: --policy <path> OR --policies-source fortress required');
   }
 
   let mode = 'interrupt';
@@ -395,7 +476,10 @@ async function main() {
     warn(`could not fetch agent config (${e.message}). Defaulting to interrupt mode.`);
   }
 
-  info(`armed — ${ruleset.policies.length} policies loaded from ${policyPath}`);
+  const sourceLabel = policiesSource === 'fortress'
+    ? `Fortress (${fortressBase})`
+    : policyPath;
+  info(`armed — ${ruleset.policies.length} policies loaded from ${sourceLabel}`);
   info(`default action when no rule matches: ${ruleset.default.action}`);
   info(`agent: ${agentId}${agentMeta?.name ? ` "${agentMeta.name}"` : ''}`);
   info(`enforcement mode: ${mode}`);
@@ -414,11 +498,45 @@ async function main() {
     return loggers.get(sessionId);
   };
 
+  // Optional Fortress decision pusher — only active if we have a wma key + base.
+  // In 'fortress' mode this is always available. In 'local' mode it's a fire-
+  // and-forget extra channel if both are set.
+  const canPushToFortress = !!(wmaApiKey && fortressBase);
+  const pushDecisionToFortress = canPushToFortress
+    ? async (decisionData) => {
+        try {
+          await postDecision({ apiKey: wmaApiKey, base: fortressBase, decision: decisionData });
+        } catch (e) {
+          warn(`Fortress decision push failed: ${e.message}`);
+        }
+      }
+    : null;
+
   const ac = new AbortController();
-  process.on('SIGINT',  () => { info('SIGINT received, shutting down…'); ac.abort(); });
-  process.on('SIGTERM', () => { info('SIGTERM received, shutting down…'); ac.abort(); });
+  process.on('SIGINT',  () => {
+    info('SIGINT received, shutting down…');
+    if (fortressPolicies) fortressPolicies.stop();
+    ac.abort();
+  });
+  process.on('SIGTERM', () => {
+    info('SIGTERM received, shutting down…');
+    if (fortressPolicies) fortressPolicies.stop();
+    ac.abort();
+  });
 
-  const ctx = { apiKey, agentId, ruleset, mode, decisions, signal: ac.signal };
+  // ctx exposes a getter for the live ruleset so workers see policy refreshes.
+  const ctx = {
+    apiKey,
+    agentId,
+    get ruleset() {
+      return fortressPolicies ? fortressPolicies.current() : ruleset;
+    },
+    mode,
+    decisions,
+    pushDecisionToFortress,
+    signalsSalt,
+    signal: ac.signal,
+  };
 
   if (singleSessionId) {
     info(`single-session mode — attached to ${singleSessionId}`);

package/scripts/upload-fortress.js

@@ -29,6 +29,7 @@ import { join, resolve } from 'node:path';
 import { createReadStream } from 'node:fs';
 import { createInterface } from 'node:readline';
 import { SignalsAggregator } from '../src/anonymizer.js';
+import { resolveFortressBase, fortressEndpoint } from '../src/fortress/url.js';
 
 function parseArgs(argv) {
   const out = {};
@@ -101,14 +102,24 @@ async function main() {
 
   const agentId = args['agent-id'];
   const logDir = resolve(args['log-dir'] || './watchmyagents-logs');
-  const fortressUrl = args['fortress-url'] || process.env.WMA_FORTRESS_URL;
   const apiKey = args['api-key'] || process.env.WMA_API_KEY;
   const salt = args.salt || process.env.WMA_SIGNALS_SALT;
   const displayName = args['display-name'] || agentId;
   const dryRun = !!args['dry-run'];
 
+  // Resolve Fortress base URL. Accepts:
+  //   --fortress-base-url <base>            (preferred CLI)
+  //   --fortress-url <full ingest-signals>  (legacy CLI)
+  //   WMA_FORTRESS_BASE_URL env             (preferred env)
+  //   WMA_FORTRESS_URL env                  (legacy env, points at ingest-signals)
+  const fortressBase = resolveFortressBase({
+    explicitBase: args['fortress-base-url'],
+    explicitUrl: args['fortress-url'],
+  });
+  const fortressUrl = fortressBase ? fortressEndpoint(fortressBase, 'ingest-signals') : null;
+
   // Validation
-  if (!agentId) die('error: --agent-id required (Anthropic agent_id, e.g. agent_01XaN...)');
+  if (!agentId) die('error: --agent-id required (Anthropic agent_id, e.g. agent_01ABC...)');
   // Strict alphanumeric to prevent path traversal in collectFiles below
   // (--agent-id ends up as a filesystem path segment).
   if (!/^agent_[a-zA-Z0-9]+$/.test(agentId)) {

package/src/fortress/url.js

@@ -0,0 +1,59 @@
+// ─────────────────────────────────────────────────────────────────────────
+// Fortress URL resolution — shared across upload-fortress, shield, etc.
+// ─────────────────────────────────────────────────────────────────────────
+// The user sets ONE of:
+//
+//   WMA_FORTRESS_BASE_URL=https://<project>.supabase.co/functions/v1
+//      → preferred. Each tool appends its endpoint (/ingest-signals,
+//        /get-policies, /ingest-decisions).
+//
+//   WMA_FORTRESS_URL=https://<project>.supabase.co/functions/v1/ingest-signals
+//      → legacy (v0.5.0 era). The base URL is derived by stripping the
+//        last path segment, so other endpoints can be constructed.
+//
+// Either way, callers receive a `base` they append `/<endpoint>` to.
+
+/**
+ * Resolve the Fortress base URL from env / args.
+ * @param {object} opts - { explicitUrl, explicitBase, env }
+ * @returns {string|null} base URL like https://x.supabase.co/functions/v1
+ *                       (no trailing slash), or null if not configured.
+ */
+export function resolveFortressBase({ explicitUrl, explicitBase, env = process.env } = {}) {
+  // 1. Explicit base URL from CLI
+  if (explicitBase) return stripTrailingSlash(explicitBase);
+
+  // 2. Env: WMA_FORTRESS_BASE_URL (preferred)
+  if (env.WMA_FORTRESS_BASE_URL) return stripTrailingSlash(env.WMA_FORTRESS_BASE_URL);
+
+  // 3. Legacy: WMA_FORTRESS_URL (full path to ingest-signals)
+  const legacy = explicitUrl || env.WMA_FORTRESS_URL;
+  if (legacy) {
+    // Strip last path segment to get the base
+    try {
+      const u = new URL(legacy);
+      const parts = u.pathname.split('/').filter(Boolean);
+      if (parts.length > 0) parts.pop();
+      u.pathname = '/' + parts.join('/');
+      return stripTrailingSlash(u.toString());
+    } catch {
+      return null;
+    }
+  }
+
+  return null;
+}
+
+function stripTrailingSlash(s) {
+  return s.endsWith('/') ? s.slice(0, -1) : s;
+}
+
+/**
+ * Build a full endpoint URL given a base + endpoint name.
+ * @param {string} base - e.g. https://x.supabase.co/functions/v1
+ * @param {string} endpoint - e.g. "ingest-signals", "get-policies"
+ */
+export function fortressEndpoint(base, endpoint) {
+  if (!base) throw new Error('Fortress base URL not configured');
+  return `${base}/${endpoint}`;
+}

package/src/logger.js

@@ -1,6 +1,7 @@
 import { mkdir, appendFile } from 'node:fs/promises';
 import { join } from 'node:path';
 import { randomUUID } from 'node:crypto';
+import { assertSafePathSegment } from './validate.js';
 
 const EXPORT_FIELDS = [
   'id', 'agent_id', 'framework', 'timestamp', 'action_type',
@@ -18,6 +19,9 @@ export class Logger {
   //                full / EACCES / EINVAL must propagate so callers know.
   //                Opt into bestEffort=true only for non-critical paths.
   constructor({ logDir, agentId, sessionId, silent, bestEffort } = {}) {
+    // agentId becomes a filesystem path segment (logDir/<agentId>/…). Reject
+    // anything that could traverse out of logDir before we ever build a path.
+    assertSafePathSegment(agentId, 'agentId');
     this.logDir = logDir;
     this.agentId = agentId;
     this.sessionId = sessionId || randomUUID();