watchmyagents 0.6.0 → 0.8.2

package/README.md

@@ -25,7 +25,7 @@ You'll need:
 ```bash
 export ANTHROPIC_API_KEY="sk-ant-..."
 
-wma-fetch --agent-id agent_01XaN... --since 1h
+wma-fetch --agent-id agent_01ABC... --since 1h
 wma-inspect
 ```
 
@@ -107,6 +107,7 @@ Each entry carries: `id`, `agent_id`, `framework`, `timestamp`, `action_type`, `
 ```bash
 wma-fetch --agent-id <agent_id> [--session-id <sess_id>] [--since 1h]
          [--log-dir ./watchmyagents-logs] [--dump-raw]
+         [--watch [--interval 5m] [--upload]]
 ```
 
 | Flag | Effect |
@@ -116,6 +117,9 @@ wma-fetch --agent-id <agent_id> [--session-id <sess_id>] [--since 1h]
 | `--session-id sesn_xxx` | Limit to a single session |
 | `--log-dir ./logs` | Where to write NDJSON (default `./watchmyagents-logs`) |
 | `--dump-raw` | Also save raw API events alongside (forensic / debugging) |
+| `--watch` | **Continuous daemon** — loop forever, incrementally capturing NEW events (deduped by stable event id) until `Ctrl+C` |
+| `--interval 5m` | Poll interval in watch mode (default `5m`; accepts `30s`/`1h`/…) |
+| `--upload` | In watch mode, anonymize each new window and ship signals to Fortress (needs `WMA_API_KEY` + `WMA_FORTRESS_BASE_URL` + `WMA_SIGNALS_SALT`). Raw stays local. |
 | `--api-key sk-ant-…` | Override the `ANTHROPIC_API_KEY` env var. **Discouraged** — visible in shell history & process list. Prefer the env var. |
 
 Logs land in `./watchmyagents-logs/<agent_id>/<date>.ndjson` (file mode `0600`, dir `0700`).
@@ -141,7 +145,7 @@ export WMA_API_KEY="wma_..."                    # from Fortress dashboard → Se
 export WMA_FORTRESS_URL="https://<your-project>.supabase.co/functions/v1/ingest-signals"
 export WMA_SIGNALS_SALT="..."                   # same salt as wma-anonymize
 
-wma-upload-fortress --agent-id agent_01XaN... [--display-name "My agent"]
+wma-upload-fortress --agent-id agent_01ABC... [--display-name "My agent"]
 # → POSTs the anonymized payload. Server returns signal_id + agent_id.
 
 # Inspect what WOULD be posted, without uploading:
@@ -163,20 +167,58 @@ wma-inspect [path]
 
 Outputs sections aligned with security audit needs: tokens summary, by-tool / by-action-type breakdowns, top tool destinations (URLs / queries), action-sequence transitions, tool error rates, p50/p95/max latency per tool, rate metrics.
 
-## Automating (cron)
+## Automating — continuous monitoring
 
-For continuous monitoring, run `wma-fetch` on a cron:
+### `wma-service` — install as an always-on service (recommended)
+
+The turnkey way: install Watch (and optionally Shield) as an OS-native service
+that starts at login, restarts on crash, and runs with **no terminal**.
+
+```bash
+export ANTHROPIC_API_KEY="sk-ant-..."
+export WMA_API_KEY="wma_..."
+export WMA_FORTRESS_BASE_URL="https://<project>.supabase.co/functions/v1"
+export WMA_SIGNALS_SALT="..."                                 # stable per-customer salt
+
+wma-service install --agent-id agent_01ABC... --interval 5m [--with-shield]
+wma-service status
+wma-service uninstall [--with-shield]
+```
+
+- macOS → **launchd** LaunchAgent · Linux → **systemd** user unit.
+- Secrets are snapshotted to `~/.watchmyagents/env` (**chmod 600**) and loaded at
+  runtime — **never** written into the plist/unit.
+- `--with-shield` also runs `wma-shield --policies-source fortress` always-on for
+  live enforcement.
+- Raw logs stay local (`~/.watchmyagents/logs`); only anonymized signals upload.
+
+After this, the full Watch→Guardian→Shield loop runs hands-off.
+
+### `wma-fetch --watch` — the daemon directly
+
+If you'd rather run the loop in a terminal you control (the service wraps this):
+
+```bash
+wma-fetch --agent-id agent_01ABC... --watch --upload --interval 5m
+```
+
+It loops until `Ctrl+C`, dedupes by the stable Anthropic event id (no duplicate
+log lines across cycles), and is restart-safe (it preloads already-captured
+event ids on startup). The raw NDJSON never leaves your machine; only the
+anonymized signals are uploaded.
+
+### cron alternative (one-shot)
+
+If you'd rather not run a daemon, schedule one-shot fetches:
 
 ```cron
 # Every 15 minutes
-*/15 * * * * cd /path/to/project && wma-fetch --agent-id agent_01XaN... --since 20m
+*/15 * * * * cd /path/to/project && wma-fetch --agent-id agent_01ABC... --since 20m
 ```
 
-Or for daily reports:
-
 ```cron
 # Once per night, fetch the full last 24h
-5 0 * * * cd /path/to/project && wma-fetch --agent-id agent_01XaN... --since 25h
+5 0 * * * cd /path/to/project && wma-fetch --agent-id agent_01ABC... --since 25h
 ```
 
 ## Data sovereignty model

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "watchmyagents",
-  "version": "0.6.0",
-  "description": "Security observability + real-time policy enforcement for AI agents. Local-first NDJSON capture, Shield CLI that blocks policy violations live (with policies pulled from Fortress cloud), anonymizer producing signals-only payloads, and bidirectional sync with WatchMyAgents Fortress — closing the recursive Watch→Guardian→Shield security loop.",
+  "version": "0.8.2",
+  "description": "Security observability + real-time policy enforcement for AI agents. Local-first NDJSON capture with a continuous Watch daemon that auto-uploads anonymized signals, Shield CLI that blocks policy violations live (with policies pulled from Fortress cloud), anonymizer producing signals-only payloads, bidirectional sync with WatchMyAgents Fortress, and one-command install as an always-on launchd/systemd service — closing the recursive Watch→Guardian→Shield security loop.",
   "type": "module",
   "files": [
     "src/",
@@ -10,6 +10,7 @@
     "scripts/shield.js",
     "scripts/anonymize.js",
     "scripts/upload-fortress.js",
+    "scripts/service.js",
     "README.md",
     "SECURITY.md",
     "LICENSE"
@@ -19,22 +20,22 @@
     "wma-fetch": "scripts/fetch-anthropic.js",
     "wma-shield": "scripts/shield.js",
     "wma-anonymize": "scripts/anonymize.js",
-    "wma-upload-fortress": "scripts/upload-fortress.js"
+    "wma-upload-fortress": "scripts/upload-fortress.js",
+    "wma-service": "scripts/service.js"
   },
   "scripts": {
     "inspect": "node scripts/inspect.js",
     "fetch": "node scripts/fetch-anthropic.js",
     "shield": "node scripts/shield.js",
     "anonymize": "node scripts/anonymize.js",
-    "upload-fortress": "node scripts/upload-fortress.js"
+    "upload-fortress": "node scripts/upload-fortress.js",
+    "service": "node scripts/service.js"
   },
   "engines": {
     "node": ">=18.0.0"
   },
   "dependencies": {},
-  "devDependencies": {
-    "@anthropic-ai/sdk": "^0.42.0"
-  },
+  "devDependencies": {},
   "keywords": [
     "ai",
     "agents",

package/scripts/anonymize.js

@@ -16,7 +16,9 @@
 
 import { readdir, stat, writeFile } from 'node:fs/promises';
 import { resolve, join } from 'node:path';
-import { SignalsAggregator, anonymizeFile } from '../src/anonymizer.js';
+import { SignalsAggregator } from '../src/anonymizer.js';
+import { createReadStream } from 'node:fs';
+import { createInterface } from 'node:readline';
 
 function parseArgs(argv) {
   const out = {};
@@ -84,30 +86,18 @@ and save it in .env.local.`);
     die(`error: no .ndjson files found at ${target}`);
   }
 
-  // Aggregate across all files into one big payload (typical: one fetch run)
+  // Aggregate across all files into one signals payload, single pass.
   const agg = new SignalsAggregator({ salt });
   for (const f of files) {
-    const partial = await anonymizeFile(f, { salt });
-    // Merge counts (a bit clunky — for the MVP we just re-iterate via agg)
-    // Simpler: aggregate over the files using the same agg instance.
-    // Re-implement here cleanly:
-    void partial;
-  }
-  // Re-do cleanly with a single aggregator across files:
-  const oneAgg = new SignalsAggregator({ salt });
-  for (const f of files) {
-    const { createReadStream } = await import('node:fs');
-    const { createInterface } = await import('node:readline');
-    const stream = createReadStream(f, { encoding: 'utf8' });
-    const rl = createInterface({ input: stream, crlfDelay: Infinity });
+    const rl = createInterface({ input: createReadStream(f, { encoding: 'utf8' }), crlfDelay: Infinity });
     for await (const line of rl) {
       if (!line.trim()) continue;
       let e; try { e = JSON.parse(line); } catch { continue; }
-      oneAgg.add(e);
+      agg.add(e);
     }
   }
 
-  const signals = oneAgg.finalize();
+  const signals = agg.finalize();
 
   const json = JSON.stringify(signals, null, 2);
   if (args.out) {

package/scripts/fetch-anthropic.js

@@ -1,17 +1,35 @@
 #!/usr/bin/env node
-// wma-fetch — pull session events from Anthropic Managed Agents and
-// write them as WatchMyAgents NDJSON, ready for `wma-inspect`.
+// wma-fetch — pull session events from Anthropic Managed Agents and write them
+// as WatchMyAgents NDJSON, ready for `wma-inspect`.
 //
-// Usage:
-//   wma-fetch --agent-id agent_xxx [--session-id sess_xxx] [--since 1h]
-//             [--log-dir ./watchmyagents-logs] [--dump-raw]
+// Two modes:
 //
-// API key is read from --api-key or env ANTHROPIC_API_KEY.
+//   ONE-SHOT (default):
+//     wma-fetch --agent-id agent_xxx [--session-id sess_xxx] [--since 1h]
+//               [--log-dir ./watchmyagents-logs] [--dump-raw]
+//
+//   CONTINUOUS / DAEMON:
+//     wma-fetch --agent-id agent_xxx --watch [--interval 5m] [--upload]
+//     Loops until SIGINT. Each cycle incrementally fetches NEW events (deduped
+//     by the stable Anthropic event id), appends them to the NDJSON, and — with
+//     --upload — anonymizes the new window and ships signals to Fortress. This
+//     automates the Watch leg of the WGS loop so Guardian gets fresh data with
+//     no manual step. The raw NDJSON always stays local (Modèle C).
+//
+// API key from --api-key or env ANTHROPIC_API_KEY.
+// --upload also needs: WMA_API_KEY, WMA_FORTRESS_BASE_URL, WMA_SIGNALS_SALT.
 
-import { mkdir, appendFile } from 'node:fs/promises';
+import { mkdir, appendFile, readdir } from 'node:fs/promises';
+import { createReadStream } from 'node:fs';
+import { createInterface } from 'node:readline';
 import { join, resolve } from 'node:path';
+import { request as httpsRequest } from 'node:https';
+import { URL } from 'node:url';
 import { Logger } from '../src/logger.js';
 import { TokenTracker } from '../src/tokens.js';
+import { SignalsAggregator } from '../src/anonymizer.js';
+import { resolveFortressBase, fortressEndpoint } from '../src/fortress/url.js';
+import { isValidAgentId, isValidSessionId, assertSafePathSegment } from '../src/validate.js';
 import {
   getAgent, listSessions, fetchSessionEntries, fetchRawEvents,
 } from '../src/sources/anthropic-managed.js';
@@ -30,71 +48,126 @@ function parseArgs(argv) {
   return out;
 }
 
-function parseSince(s) {
-  if (!s || s === true) return null;
+function parseDurationMs(s, fallback) {
+  if (!s || s === true) return fallback;
   const m = String(s).match(/^(\d+)\s*([smhd])$/);
   if (m) {
     const n = parseInt(m[1], 10);
-    const mult = { s: 1000, m: 60_000, h: 3_600_000, d: 86_400_000 }[m[2]];
-    return new Date(Date.now() - n * mult);
+    return n * { s: 1000, m: 60_000, h: 3_600_000, d: 86_400_000 }[m[2]];
   }
+  throw new Error(`invalid duration: ${s} (use e.g. 30s, 5m, 1h, 2d)`);
+}
+
+function parseSince(s) {
+  if (!s || s === true) return null;
+  const m = String(s).match(/^(\d+)\s*([smhd])$/);
+  if (m) return new Date(Date.now() - parseDurationMs(s));
   const d = new Date(s);
   if (isNaN(d)) throw new Error(`invalid --since value: ${s}`);
   return d;
 }
 
 function die(msg, code = 1) { process.stderr.write(`${msg}\n`); process.exit(code); }
+function info(msg) { process.stdout.write(`[wma-fetch] ${msg}\n`); }
+function warn(msg) { process.stderr.write(`[wma-fetch] ⚠️  ${msg}\n`); }
 
-async function main() {
-  const args = parseArgs(process.argv.slice(2));
-  const apiKey = args['api-key'] || process.env.ANTHROPIC_API_KEY;
-  const agentId = args['agent-id'];
-  const sessionId = args['session-id'];
-  const since = args.since ? parseSince(args.since) : null;
-  const logDir = resolve(args['log-dir'] || './watchmyagents-logs');
-  const dumpRaw = !!args['dump-raw'];
+function resolveModel(agent) {
+  const raw = agent.model || agent.config?.model || null;
+  return (raw && typeof raw === 'object') ? (raw.id || null) : raw;
+}
 
-  if (!apiKey) die('error: --api-key or ANTHROPIC_API_KEY required');
-  if (!agentId) die('error: --agent-id required (e.g. agent_01XaNB4M88ZvcW8FoQ5GC14A)');
+// HTTPS POST helper for the --upload signals push (mirrors wma-upload-fortress).
+function postJson(url, headers, body) {
+  return new Promise((resolveReq, rejectReq) => {
+    const u = new URL(url);
+    if (u.protocol !== 'https:') return rejectReq(new Error(`refusing non-https URL: ${url}`));
+    const data = Buffer.from(body);
+    const req = httpsRequest({
+      method: 'POST', hostname: u.hostname, port: u.port || 443,
+      path: u.pathname + (u.search || ''),
+      headers: { ...headers, 'content-type': 'application/json', 'content-length': data.length },
+      rejectUnauthorized: true,
+    }, (res) => {
+      const chunks = [];
+      res.on('data', (c) => chunks.push(c));
+      res.on('end', () => {
+        const raw = Buffer.concat(chunks).toString('utf8');
+        let parsed = null; try { parsed = JSON.parse(raw); } catch { /* keep raw */ }
+        resolveReq({ status: res.statusCode || 0, body: parsed ?? raw });
+      });
+    });
+    req.on('error', rejectReq);
+    req.write(data); req.end();
+  });
+}
 
-  // Security: --api-key on the command line ends up in shell history and is
-  // visible to other processes via /proc/<pid>/cmdline. Strongly prefer the
-  // ANTHROPIC_API_KEY environment variable.
-  if (args['api-key']) {
-    process.stderr.write(
-      '[wma-fetch] warning: --api-key on the command line is visible in shell history and\n' +
-      '            in the process list. Prefer: export ANTHROPIC_API_KEY=...\n'
-    );
+// Anonymize a batch of just-written entries and ship them as one signals row.
+async function uploadSignals(uploadCtx, agentId, displayName, entries) {
+  const agg = new SignalsAggregator({ salt: uploadCtx.salt });
+  for (const e of entries) agg.add(e);
+  const sig = agg.finalize();
+  if (!sig.window_start || !sig.window_end) return null; // nothing datable to ship
+  const body = JSON.stringify({
+    anthropic_agent_id: agentId,
+    display_name: displayName,
+    window_start: sig.window_start,
+    window_end: sig.window_end,
+    payload: sig.payload,
+  });
+  const { status, body: resp } = await postJson(
+    uploadCtx.url, { authorization: `Bearer ${uploadCtx.apiKey}` }, body,
+  );
+  if (status < 200 || status >= 300) {
+    throw new Error(`ingest-signals HTTP ${status}: ${typeof resp === 'string' ? resp.slice(0, 200) : JSON.stringify(resp)}`);
+  }
+  return resp;
+}
+
+// Preload already-written entry ids so a restarted daemon doesn't re-append
+// events captured in a previous run (dedup by the stable Anthropic event id).
+async function preloadSeenIds(logDir, agentId) {
+  const seen = new Set();
+  const dir = join(logDir, agentId);
+  let names;
+  try { names = await readdir(dir); } catch { return seen; }
+  for (const name of names) {
+    if (!name.endsWith('.ndjson') || name.startsWith('raw-')) continue;
+    await new Promise((res) => {
+      const rl = createInterface({ input: createReadStream(join(dir, name), { encoding: 'utf8' }), crlfDelay: Infinity });
+      rl.on('line', (line) => {
+        if (!line.trim()) return;
+        try { const e = JSON.parse(line); if (e.id) seen.add(e.id); } catch { /* skip */ }
+      });
+      rl.on('close', res);
+      rl.on('error', res);
+    });
   }
+  return seen;
+}
 
-  process.stdout.write(`[wma-fetch] resolving agent ${agentId}…\n`);
-  const agent = await getAgent(apiKey, agentId).catch(e => die(`failed to GET agent: ${e.message}`));
-  const rawModel = agent.model || agent.config?.model || null;
-  // API may return model as { id, speed } object or as a plain string.
-  const model = (rawModel && typeof rawModel === 'object') ? (rawModel.id || null) : rawModel;
-  process.stdout.write(`[wma-fetch] model: ${model || '(unknown)'}\n`);
+const sleep = (ms, signal) => new Promise((res) => {
+  const t = setTimeout(res, ms);
+  if (signal) signal.addEventListener('abort', () => { clearTimeout(t); res(); }, { once: true });
+});
 
+// ── ONE-SHOT ──────────────────────────────────────────────────────────────
+async function fetchOneShot({ apiKey, agentId, model, logDir, since, sessionId, dumpRaw }) {
   let sessions;
   if (sessionId) {
     sessions = [{ id: sessionId, created_at: new Date().toISOString() }];
   } else {
-    process.stdout.write(`[wma-fetch] listing sessions${since ? ` since ${since.toISOString()}` : ''}…\n`);
-    sessions = await listSessions(apiKey, { agentId, since })
-      .catch(e => die(`failed to list sessions: ${e.message}`));
-  }
-
-  if (sessions.length === 0) {
-    process.stdout.write('[wma-fetch] no sessions to fetch\n');
-    return;
+    info(`listing sessions${since ? ` since ${since.toISOString()}` : ''}…`);
+    sessions = await listSessions(apiKey, { agentId, since }).catch((e) => die(`failed to list sessions: ${e.message}`));
   }
-  process.stdout.write(`[wma-fetch] ${sessions.length} session(s) to fetch\n`);
+  if (sessions.length === 0) { info('no sessions to fetch'); return; }
+  info(`${sessions.length} session(s) to fetch`);
 
   let totalEntries = 0;
   for (const s of sessions) {
     const sid = s.id;
     process.stdout.write(`\n[wma-fetch] session ${sid}\n`);
-
     if (dumpRaw) {
+      assertSafePathSegment(sid, 'session-id'); // defense-in-depth: sid → file path
       const rawPath = join(logDir, agentId, `raw-${sid}.jsonl`);
       await mkdir(join(logDir, agentId), { recursive: true, mode: 0o700 });
       for await (const ev of fetchRawEvents(apiKey, sid)) {
@@ -102,39 +175,147 @@ async function main() {
       }
       process.stdout.write(`  raw events  → ${rawPath}\n`);
     }
-
     const logger = new Logger({ logDir, agentId, sessionId: sid, silent: true });
     const tracker = new TokenTracker();
-
     let count = 0;
     for await (const entry of fetchSessionEntries({ apiKey, agentId, sessionId: sid, model })) {
       const written = await logger.write(entry);
       tracker.record(written);
       count++;
     }
-
     const stats = tracker.stats().total;
-    const sessionEnd = await logger.write({
-      action_type: 'session_end',
-      framework: 'anthropic-managed',
-      status: 'ok',
-      model,
-      session_tokens: {
-        input: stats.input, output: stats.output,
-        cache_read: stats.cache_read, cache_creation: stats.cache_creation,
-        total: stats.sum,
-      },
+    await logger.write({
+      action_type: 'session_end', framework: 'anthropic-managed', status: 'ok', model,
+      session_tokens: { input: stats.input, output: stats.output, cache_read: stats.cache_read, cache_creation: stats.cache_creation, total: stats.sum },
       session_cost_usd: stats.cost_usd || null,
     });
-
     process.stdout.write(`  entries     : ${count} (+1 session_end)\n`);
     process.stdout.write(`  tokens      : in=${stats.input} out=${stats.output} cache_r=${stats.cache_read} cache_w=${stats.cache_creation}\n`);
     process.stdout.write(`  written to  : ${logger._pathForToday()}\n`);
     totalEntries += count + 1;
   }
-
   process.stdout.write(`\n[wma-fetch] done — ${totalEntries} total entries across ${sessions.length} session(s)\n`);
   process.stdout.write(`[wma-fetch] inspect with: npx wma-inspect ${logDir}\n`);
 }
 
-main().catch(e => { process.stderr.write(`error: ${e.stack || e.message}\n`); process.exit(1); });
+// ── CONTINUOUS / DAEMON ─────────────────────────────────────────────────────
+async function runWatch({ apiKey, agentId, model, displayName, logDir, intervalMs, uploadCtx }) {
+  const seenIds = await preloadSeenIds(logDir, agentId);
+  const loggers = new Map();     // sessionId → Logger (persists sequence across cycles)
+  const ended = new Set();       // sessions we've already closed with session_end
+
+  const ac = new AbortController();
+  const shutdown = () => { info('shutting down…'); ac.abort(); };
+  process.on('SIGINT', shutdown);
+  process.on('SIGTERM', shutdown);
+
+  info(`watch mode — interval ${Math.round(intervalMs / 1000)}s, upload ${uploadCtx ? 'ON' : 'OFF'}, ${seenIds.size} known events preloaded`);
+
+  while (!ac.signal.aborted) {
+    const since = new Date(Date.now() - 24 * 3600 * 1000);
+    let sessions = [];
+    try { sessions = await listSessions(apiKey, { agentId, since }); }
+    catch (e) { warn(`listSessions failed: ${e.message}`); }
+
+    let cycleNew = 0;
+    for (const s of sessions) {
+      if (!s.id || ended.has(s.id)) continue;
+      let logger = loggers.get(s.id);
+      if (!logger) { logger = new Logger({ logDir, agentId, sessionId: s.id, silent: true }); loggers.set(s.id, logger); }
+
+      const fresh = [];
+      let sawTerminated = false;
+      try {
+        for await (const entry of fetchSessionEntries({ apiKey, agentId, sessionId: s.id, model })) {
+          if (entry.id && seenIds.has(entry.id)) continue;
+          if (entry.id) seenIds.add(entry.id);
+          const written = await logger.write(entry);
+          fresh.push(written);
+          if (entry.action_type === 'state_transition'
+              && entry.output?.scope === 'session'
+              && entry.output?.state === 'terminated') sawTerminated = true;
+        }
+      } catch (e) { warn(`session ${s.id}: fetch failed: ${e.message}`); continue; }
+
+      if (fresh.length === 0) continue;
+      cycleNew += fresh.length;
+      info(`session ${s.id.slice(0, 16)}…: +${fresh.length} new event(s)`);
+
+      if (uploadCtx) {
+        try {
+          const resp = await uploadSignals(uploadCtx, agentId, displayName, fresh);
+          if (resp?.signal_id) info(`  ↑ signals uploaded (signal_id ${resp.signal_id})`);
+        } catch (e) { warn(`  signals upload failed: ${e.message}`); }
+      }
+
+      if (sawTerminated) {
+        const tracker = new TokenTracker();
+        for (const e of fresh) tracker.record(e);
+        const stats = tracker.stats().total;
+        await logger.write({
+          action_type: 'session_end', framework: 'anthropic-managed', status: 'ok', model,
+          session_tokens: { input: stats.input, output: stats.output, cache_read: stats.cache_read, cache_creation: stats.cache_creation, total: stats.sum },
+          session_cost_usd: stats.cost_usd || null,
+        });
+        ended.add(s.id);
+        info(`session ${s.id.slice(0, 16)}… terminated — closed`);
+      }
+    }
+
+    if (cycleNew === 0) info('cycle: no new events');
+    await sleep(intervalMs, ac.signal);
+  }
+  info('stopped.');
+}
+
+async function main() {
+  const args = parseArgs(process.argv.slice(2));
+  const apiKey = args['api-key'] || process.env.ANTHROPIC_API_KEY;
+  const agentId = args['agent-id'];
+  const logDir = resolve(args['log-dir'] || './watchmyagents-logs');
+  const watch = !!args.watch;
+  const upload = !!args.upload;
+
+  if (!apiKey) die('error: --api-key or ANTHROPIC_API_KEY required');
+  if (!agentId) die('error: --agent-id required (e.g. agent_01ABC...)');
+  if (!isValidAgentId(agentId)) {
+    die(`error: --agent-id has invalid format (expected "agent_" + alphanumeric, got "${agentId}")`);
+  }
+  const sessionIdArg = args['session-id'];
+  if (sessionIdArg && !isValidSessionId(sessionIdArg)) {
+    die(`error: --session-id has invalid format (expected "sesn_" + alphanumeric, got "${sessionIdArg}")`);
+  }
+  if (args['api-key']) {
+    warn('--api-key on the command line is visible in shell history and the process list. Prefer: export ANTHROPIC_API_KEY=...');
+  }
+  if (upload && !watch) die('error: --upload requires --watch (continuous mode). For one-shot upload use wma-upload-fortress.');
+
+  // Resolve upload config up-front (so a misconfig fails before the loop starts).
+  let uploadCtx = null;
+  if (upload) {
+    const wmaKey = process.env.WMA_API_KEY;
+    const salt = process.env.WMA_SIGNALS_SALT;
+    const base = resolveFortressBase({});
+    if (!wmaKey) die('error: --upload needs WMA_API_KEY env (from Fortress dashboard → Settings → API Keys)');
+    if (!base) die('error: --upload needs WMA_FORTRESS_BASE_URL env (https://<project>.supabase.co/functions/v1)');
+    if (!salt) die('error: --upload needs WMA_SIGNALS_SALT env (stable per-customer hex secret)');
+    if (salt.length < 16) die('error: WMA_SIGNALS_SALT too short (need ≥16 hex chars)');
+    uploadCtx = { apiKey: wmaKey, salt, url: fortressEndpoint(base, 'ingest-signals') };
+  }
+
+  info(`resolving agent ${agentId}…`);
+  const agent = await getAgent(apiKey, agentId).catch((e) => die(`failed to GET agent: ${e.message}`));
+  const model = resolveModel(agent);
+  const displayName = agent.name || agentId;
+  info(`model: ${model || '(unknown)'}`);
+
+  if (watch) {
+    const intervalMs = parseDurationMs(args.interval, 5 * 60_000);
+    await runWatch({ apiKey, agentId, model, displayName, logDir, intervalMs, uploadCtx });
+  } else {
+    const since = args.since ? parseSince(args.since) : null;
+    await fetchOneShot({ apiKey, agentId, model, logDir, since, sessionId: args['session-id'], dumpRaw: !!args['dump-raw'] });
+  }
+}
+
+main().catch((e) => { process.stderr.write(`error: ${e.stack || e.message}\n`); process.exit(1); });

package/scripts/service.js

@@ -0,0 +1,349 @@
+#!/usr/bin/env node
+// wma-service — install WatchMyAgents as an always-on OS background service.
+//
+// Turns the manual `wma-fetch --watch` (and optionally `wma-shield`) commands
+// into OS-native services that start at login, restart on crash, and run with
+// NO terminal — so the WGS loop is truly automatic on the customer's machine.
+//
+//   macOS  → launchd LaunchAgent (~/Library/LaunchAgents)
+//   Linux  → systemd user unit   (~/.config/systemd/user)
+//
+// One integrated install:
+//   wma-service install --agent-id agent_xxx [--interval 5m] [--with-shield]
+//   wma-service status
+//   wma-service uninstall [--with-shield]
+//
+// Secrets NEVER go in the plist/unit. They're snapshotted (from the current
+// environment) into a protected env file (~/.watchmyagents/env, chmod 600) that
+// the service loads at runtime. Required env at install time:
+//   ANTHROPIC_API_KEY, WMA_API_KEY, WMA_FORTRESS_BASE_URL, WMA_SIGNALS_SALT
+// Raw logs stay local (Modèle C); only anonymized signals are uploaded.
+
+import os from 'node:os';
+import { mkdirSync, writeFileSync, rmSync, existsSync, chmodSync } from 'node:fs';
+import { join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { execFileSync } from 'node:child_process';
+import { isValidAgentId } from '../src/validate.js';
+
+const HOME = os.homedir();
+const PLATFORM = process.platform;                       // 'darwin' | 'linux' | …
+const UID = typeof process.getuid === 'function' ? process.getuid() : null;
+const NODE = process.execPath;                            // absolute node binary
+const FETCH_SCRIPT = fileURLToPath(new URL('./fetch-anthropic.js', import.meta.url));
+const SHIELD_SCRIPT = fileURLToPath(new URL('./shield.js', import.meta.url));
+
+const CONFIG_DIR = join(HOME, '.watchmyagents');
+const ENV_FILE = join(CONFIG_DIR, 'env');
+const LOG_DIR_DEFAULT = join(CONFIG_DIR, 'logs');
+
+const REQUIRED_ENV = ['ANTHROPIC_API_KEY', 'WMA_API_KEY', 'WMA_FORTRESS_BASE_URL', 'WMA_SIGNALS_SALT'];
+
+const WATCH_LABEL = 'com.watchmyagents.watch';
+const SHIELD_LABEL = 'com.watchmyagents.shield';
+
+function parseArgs(argv) {
+  const out = { _: [] };
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    if (a.startsWith('--')) {
+      const k = a.slice(2);
+      const n = argv[i + 1];
+      if (n == null || n.startsWith('--')) out[k] = true;
+      else { out[k] = n; i++; }
+    } else out._.push(a);
+  }
+  return out;
+}
+
+function die(msg, code = 1) { process.stderr.write(`error: ${msg}\n`); process.exit(code); }
+function info(msg) { process.stdout.write(`[wma-service] ${msg}\n`); }
+function warn(msg) { process.stderr.write(`[wma-service] ⚠️  ${msg}\n`); }
+
+function sh(value) { return `"${String(value).replace(/(["$`\\])/g, '\\$1')}"`; }
+
+// ── Config (secrets) ──────────────────────────────────────────────────────
+function writeEnvFile() {
+  const missing = REQUIRED_ENV.filter((k) => !process.env[k]);
+  if (missing.length) {
+    die(`missing required env var(s): ${missing.join(', ')}\n` +
+        '       Export them in this shell, then re-run install. e.g.:\n' +
+        '         export $(grep -v "^#" .env | xargs)\n' +
+        '         export WMA_API_KEY=... WMA_FORTRESS_BASE_URL=... WMA_SIGNALS_SALT=...');
+  }
+  // The env file is sourced by the launcher (set -a; . file) and read by
+  // systemd's EnvironmentFile. A newline in a value would inject extra lines /
+  // corrupt the file, so reject it. (Our value types — hex salt, wma_/sk-ant
+  // keys, https URL — never legitimately contain newlines.)
+  for (const k of REQUIRED_ENV) {
+    if (/[\r\n]/.test(process.env[k])) die(`${k} contains a newline — refusing to write it to the env file`);
+  }
+  mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+  // Plain KEY=value lines — readable by both `set -a; . file` (launchd launcher)
+  // and systemd's EnvironmentFile=. No quoting needed (no spaces in our values).
+  const body = REQUIRED_ENV.map((k) => `${k}=${process.env[k]}`).join('\n') + '\n';
+  writeFileSync(ENV_FILE, body, { mode: 0o600 });
+  chmodSync(ENV_FILE, 0o600);
+  info(`secrets written to ${ENV_FILE} (chmod 600)`);
+}
+
+// ── macOS (launchd) ─────────────────────────────────────────────────────--
+function launchAgentsDir() { return join(HOME, 'Library', 'LaunchAgents'); }
+function plistPath(label) { return join(launchAgentsDir(), `${label}.plist`); }
+function launcherPath(label) { return join(CONFIG_DIR, `${label}.launcher.sh`); }
+
+function writeLauncher(label, scriptPath, args) {
+  const argLine = args.map(sh).join(' ');
+  // Load secrets with a read-loop, NOT '. file' / source. Sourcing would
+  // shell-evaluate each value, so a secret like FOO=https://x/$(cmd) would
+  // execute cmd at launch. A read-loop assigns the value literally — the
+  // content is never re-scanned for command substitution.
+  const body = `#!/bin/sh
+# Generated by wma-service. Loads secrets WITHOUT shell-evaluating their values.
+while IFS='=' read -r __k __v; do
+  [ -n "$__k" ] && export "$__k=$__v"
+done < ${sh(ENV_FILE)}
+exec ${sh(NODE)} ${sh(scriptPath)} ${argLine}
+`;
+  const p = launcherPath(label);
+  writeFileSync(p, body, { mode: 0o700 });
+  chmodSync(p, 0o700);
+  return p;
+}
+
+function writePlist(label, launcher) {
+  const outLog = join(CONFIG_DIR, `${label}.out.log`);
+  const errLog = join(CONFIG_DIR, `${label}.err.log`);
+  // Pre-create the log files 0600 so launchd appends to owner-only files.
+  // (No secrets are logged, but defense-in-depth on world-readable home files.)
+  for (const lp of [outLog, errLog]) {
+    if (!existsSync(lp)) writeFileSync(lp, '', { mode: 0o600 });
+    else chmodSync(lp, 0o600);
+  }
+  const body = `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key><string>${label}</string>
+  <key>ProgramArguments</key>
+  <array><string>${launcher}</string></array>
+  <key>RunAtLoad</key><true/>
+  <key>KeepAlive</key><true/>
+  <key>ProcessType</key><string>Background</string>
+  <key>StandardOutPath</key><string>${outLog}</string>
+  <key>StandardErrorPath</key><string>${errLog}</string>
+</dict>
+</plist>
+`;
+  mkdirSync(launchAgentsDir(), { recursive: true });
+  const p = plistPath(label);
+  writeFileSync(p, body, { mode: 0o644 });
+  return p;
+}
+
+function launchctl(args, { ignoreError = false } = {}) {
+  try {
+    execFileSync('launchctl', args, { stdio: 'pipe' });
+    return true;
+  } catch (e) {
+    if (!ignoreError) warn(`launchctl ${args.join(' ')} failed: ${(e.stderr || e.message).toString().trim().slice(0, 200)}`);
+    return false;
+  }
+}
+
+// Synchronous sleep (installer CLI — blocking is fine). Used to let launchd's
+// asynchronous bootout finish before we bootstrap again.
+function syncSleep(ms) {
+  Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);
+}
+function macLoaded(label) {
+  try { execFileSync('launchctl', ['print', `gui/${UID}/${label}`], { stdio: 'pipe' }); return true; }
+  catch { return false; }
+}
+
+function macLoad(label, plist) {
+  const domain = `gui/${UID}`;
+  // bootout is async: on reinstall, bootstrapping again before the old instance
+  // is gone races and silently fails (symptom: reinstall = dead services).
+  // Wait for the prior instance to disappear, then retry bootstrap.
+  if (macLoaded(label)) {
+    launchctl(['bootout', `${domain}/${label}`], { ignoreError: true });
+    for (let i = 0; i < 20 && macLoaded(label); i++) syncSleep(150);
+  }
+  let ok = false;
+  for (let attempt = 0; attempt < 5 && !ok; attempt++) {
+    ok = launchctl(['bootstrap', domain, plist], { ignoreError: attempt < 4 });
+    if (!ok) syncSleep(250);
+  }
+  launchctl(['enable', `${domain}/${label}`], { ignoreError: true });
+  if (ok) info(`loaded ${label} (launchd) — running now + at every login`);
+  else {
+    warn(`could not auto-load ${label}. Load it manually:`);
+    process.stdout.write(`  launchctl bootout gui/${UID}/${label} 2>/dev/null; launchctl bootstrap gui/${UID} ${plist}\n`);
+  }
+}
+
+function macUnload(label) {
+  const domain = `gui/${UID}`;
+  launchctl(['bootout', `${domain}/${label}`], { ignoreError: true });
+  for (const p of [plistPath(label), launcherPath(label)]) if (existsSync(p)) rmSync(p);
+  info(`removed ${label} (launchd)`);
+}
+
+function macInstallOne(label, scriptPath, args) {
+  const launcher = writeLauncher(label, scriptPath, args);
+  const plist = writePlist(label, launcher);
+  macLoad(label, plist);
+}
+
+// ── Linux (systemd user) ───────────────────────────────────────────────────
+function systemdDir() { return join(HOME, '.config', 'systemd', 'user'); }
+function unitName(label) { return `${label.replace(/\./g, '-')}.service`; }
+function unitPath(label) { return join(systemdDir(), unitName(label)); }
+
+function writeUnit(label, desc, scriptPath, args) {
+  // Quote every token for systemd. systemd splits ExecStart on whitespace and
+  // does NOT run a shell; double-quotes group tokens and honor \" and \\.
+  const sdQuote = (s) => `"${String(s).replace(/(["\\])/g, '\\$1')}"`;
+  const exec = [NODE, scriptPath, ...args].map(sdQuote).join(' ');
+  const body = `[Unit]
+Description=${desc}
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+EnvironmentFile=${ENV_FILE}
+ExecStart=${exec}
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=default.target
+`;
+  mkdirSync(systemdDir(), { recursive: true });
+  const p = unitPath(label);
+  writeFileSync(p, body, { mode: 0o644 });
+  return p;
+}
+
+function systemctl(args, { ignoreError = false } = {}) {
+  try { execFileSync('systemctl', ['--user', ...args], { stdio: 'pipe' }); return true; }
+  catch (e) { if (!ignoreError) warn(`systemctl --user ${args.join(' ')} failed: ${(e.stderr || e.message).toString().trim().slice(0, 200)}`); return false; }
+}
+
+function linuxInstallOne(label, desc, scriptPath, args) {
+  writeUnit(label, desc, scriptPath, args);
+  const unit = unitName(label);
+  systemctl(['daemon-reload'], { ignoreError: true });
+  const ok = systemctl(['enable', '--now', unit]);
+  if (ok) info(`enabled ${unit} (systemd) — running now + at login. For boot-without-login: loginctl enable-linger ${process.env.USER || ''}`);
+  else { warn(`could not auto-enable ${unit}. Enable manually:`); process.stdout.write(`  systemctl --user enable --now ${unit}\n`); }
+}
+
+function linuxUninstallOne(label) {
+  const unit = unitName(label);
+  systemctl(['disable', '--now', unit], { ignoreError: true });
+  if (existsSync(unitPath(label))) rmSync(unitPath(label));
+  systemctl(['daemon-reload'], { ignoreError: true });
+  info(`removed ${unit} (systemd)`);
+}
+
+// ── Commands ────────────────────────────────────────────────────────────--
+function cmdInstall(args) {
+  const agentId = args['agent-id'];
+  if (!agentId) die('--agent-id required (e.g. agent_01ABC...)');
+  if (!isValidAgentId(agentId)) die(`--agent-id invalid format (expected "agent_" + alphanumeric, got "${agentId}")`);
+  const interval = args.interval || '5m';
+  if (!/^\d+[smhd]$/.test(interval)) die(`--interval invalid format (expected like 30s, 5m, 1h, 2d; got "${interval}")`);
+  const logDir = args['log-dir'] || LOG_DIR_DEFAULT;
+  const withShield = !!args['with-shield'];
+
+  if (PLATFORM !== 'darwin' && PLATFORM !== 'linux') {
+    die(`unsupported platform "${PLATFORM}". Supported: macOS (launchd), Linux (systemd).\n` +
+        '       Run the daemon manually or wrap it in your own process manager:\n' +
+        `         wma-fetch --agent-id ${agentId} --watch --upload --interval ${interval}`);
+  }
+
+  mkdirSync(logDir, { recursive: true, mode: 0o700 });
+  writeEnvFile();
+
+  const watchArgs = ['--agent-id', agentId, '--watch', '--upload', '--interval', interval, '--log-dir', logDir];
+  const shieldArgs = ['--agent-id', agentId, '--policies-source', 'fortress', '--log-dir', logDir];
+
+  if (PLATFORM === 'darwin') {
+    macInstallOne(WATCH_LABEL, FETCH_SCRIPT, watchArgs);
+    if (withShield) macInstallOne(SHIELD_LABEL, SHIELD_SCRIPT, shieldArgs);
+  } else {
+    linuxInstallOne(WATCH_LABEL, 'WatchMyAgents Watch daemon', FETCH_SCRIPT, watchArgs);
+    if (withShield) linuxInstallOne(SHIELD_LABEL, 'WatchMyAgents Shield enforcement', SHIELD_SCRIPT, shieldArgs);
+  }
+
+  info('done — the WGS loop now runs always-on, no terminal needed.');
+  info(`logs: ${CONFIG_DIR}/*.log  |  captured events: ${logDir}`);
+  info(`status:  wma-service status    uninstall:  wma-service uninstall${withShield ? ' --with-shield' : ''}`);
+}
+
+function cmdUninstall(args) {
+  const withShield = !!args['with-shield'];
+  if (PLATFORM === 'darwin') {
+    macUnload(WATCH_LABEL);
+    if (withShield) macUnload(SHIELD_LABEL);
+  } else if (PLATFORM === 'linux') {
+    linuxUninstallOne(WATCH_LABEL);
+    if (withShield) linuxUninstallOne(SHIELD_LABEL);
+  } else {
+    die(`unsupported platform "${PLATFORM}"`);
+  }
+  info('uninstalled. (Secrets in ' + ENV_FILE + ' left intact — delete manually if you want them gone.)');
+}
+
+function cmdStatus() {
+  if (PLATFORM === 'darwin') {
+    try {
+      const out = execFileSync('launchctl', ['list'], { encoding: 'utf8' });
+      const lines = out.split('\n').filter((l) => l.includes('watchmyagents'));
+      process.stdout.write(lines.length ? lines.join('\n') + '\n' : 'no WatchMyAgents services loaded\n');
+    } catch { warn('could not query launchctl'); }
+  } else if (PLATFORM === 'linux') {
+    for (const label of [WATCH_LABEL, SHIELD_LABEL]) {
+      try {
+        const out = execFileSync('systemctl', ['--user', 'is-active', unitName(label)], { encoding: 'utf8' }).trim();
+        process.stdout.write(`${unitName(label)}: ${out}\n`);
+      } catch (e) {
+        process.stdout.write(`${unitName(label)}: ${(e.stdout || 'inactive').toString().trim()}\n`);
+      }
+    }
+  } else {
+    die(`unsupported platform "${PLATFORM}"`);
+  }
+}
+
+function usage() {
+  process.stdout.write(`wma-service — run WatchMyAgents as an always-on OS service
+
+Usage:
+  wma-service install --agent-id agent_xxx [--interval 5m] [--log-dir DIR] [--with-shield]
+  wma-service status
+  wma-service uninstall [--with-shield]
+
+Required env at install (snapshotted to ~/.watchmyagents/env, chmod 600):
+  ANTHROPIC_API_KEY, WMA_API_KEY, WMA_FORTRESS_BASE_URL, WMA_SIGNALS_SALT
+
+macOS → launchd LaunchAgent · Linux → systemd user unit.
+The service starts at login and restarts on crash. Raw logs stay local.
+`);
+}
+
+function main() {
+  const args = parseArgs(process.argv.slice(2));
+  const cmd = args._[0];
+  switch (cmd) {
+    case 'install': return cmdInstall(args);
+    case 'uninstall': return cmdUninstall(args);
+    case 'status': return cmdStatus();
+    default: usage(); process.exit(cmd ? 1 : 0);
+  }
+}
+
+main();

package/scripts/shield.js

@@ -36,6 +36,7 @@ import { DecisionLogger } from '../src/shield/decisions.js';
 import { listSessions } from '../src/sources/anthropic-managed.js';
 import { FortressPolicySource, postDecision } from '../src/shield/sources/fortress.js';
 import { resolveFortressBase } from '../src/fortress/url.js';
+import { isValidAgentId, isValidSessionId } from '../src/validate.js';
 
 function parseArgs(argv) {
   const out = {};
@@ -425,6 +426,14 @@ async function main() {
 
   if (!apiKey) die('error: --api-key or ANTHROPIC_API_KEY required');
   if (!agentId) die('error: --agent-id required');
+  if (!isValidAgentId(agentId)) {
+    die(`error: --agent-id has invalid format (expected "agent_" + alphanumeric, got "${agentId}")`);
+  }
+  // --session-id ends up in the Anthropic SSE URL path (src/shield/stream.js).
+  // Validate the same way wma-fetch does so a crafted value can't tamper the URL.
+  if (singleSessionId && !isValidSessionId(singleSessionId)) {
+    die(`error: --session-id has invalid format (expected "sesn_" + alphanumeric, got "${singleSessionId}")`);
+  }
 
   // Policies source: --policies-source fortress | local  (default infers from --policy)
   let ruleset;          // for 'local' mode: static; for 'fortress': initial snapshot

package/scripts/upload-fortress.js

@@ -119,7 +119,7 @@ async function main() {
   const fortressUrl = fortressBase ? fortressEndpoint(fortressBase, 'ingest-signals') : null;
 
   // Validation
-  if (!agentId) die('error: --agent-id required (Anthropic agent_id, e.g. agent_01XaN...)');
+  if (!agentId) die('error: --agent-id required (Anthropic agent_id, e.g. agent_01ABC...)');
   // Strict alphanumeric to prevent path traversal in collectFiles below
   // (--agent-id ends up as a filesystem path segment).
   if (!/^agent_[a-zA-Z0-9]+$/.test(agentId)) {

package/src/logger.js

@@ -1,6 +1,7 @@
 import { mkdir, appendFile } from 'node:fs/promises';
 import { join } from 'node:path';
 import { randomUUID } from 'node:crypto';
+import { assertSafePathSegment } from './validate.js';
 
 const EXPORT_FIELDS = [
   'id', 'agent_id', 'framework', 'timestamp', 'action_type',
@@ -18,6 +19,9 @@ export class Logger {
   //                full / EACCES / EINVAL must propagate so callers know.
   //                Opt into bestEffort=true only for non-critical paths.
   constructor({ logDir, agentId, sessionId, silent, bestEffort } = {}) {
+    // agentId becomes a filesystem path segment (logDir/<agentId>/…). Reject
+    // anything that could traverse out of logDir before we ever build a path.
+    assertSafePathSegment(agentId, 'agentId');
     this.logDir = logDir;
     this.agentId = agentId;
     this.sessionId = sessionId || randomUUID();

package/src/shield/enforce.js

@@ -9,6 +9,9 @@
 const API_BASE = 'https://api.anthropic.com';
 const BETA = 'managed-agents-2026-04-01';
 const VERSION = '2023-06-01';
+// Enforcement must be snappy: a hung confirm/interrupt would leave the agent
+// paused (tool_confirmation) or running (interrupt) indefinitely. Fail fast.
+const ENFORCE_TIMEOUT_MS = 15_000;
 
 function authHeaders(apiKey) {
   return {
@@ -19,11 +22,26 @@ function authHeaders(apiKey) {
   };
 }
 
+// fetch() has no built-in timeout — without one a stalled connection hangs the
+// enforcement path forever. Abort after ENFORCE_TIMEOUT_MS with a clear error.
+async function fetchWithTimeout(url, opts = {}, timeoutMs = ENFORCE_TIMEOUT_MS) {
+  const ac = new AbortController();
+  const timer = setTimeout(() => ac.abort(), timeoutMs);
+  try {
+    return await fetch(url, { ...opts, signal: ac.signal });
+  } catch (e) {
+    if (ac.signal.aborted) throw new Error(`request to ${url} timed out after ${timeoutMs}ms`);
+    throw e;
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
 // GET /v1/agents/{id} — used at Shield startup to determine which enforcement
 // mode (tool_confirmation vs interrupt) is available.
 export async function getAgentConfig(apiKey, agentId) {
   const url = `${API_BASE}/v1/agents/${agentId}`;
-  const res = await fetch(url, { headers: authHeaders(apiKey) });
+  const res = await fetchWithTimeout(url, { headers: authHeaders(apiKey) });
   if (!res.ok) {
     const body = await res.text().catch(() => '');
     throw new Error(`getAgent failed: HTTP ${res.status}: ${body.slice(0, 300)}`);
@@ -58,7 +76,7 @@ export function detectAlwaysAsk(agent) {
 
 async function sendEvents(apiKey, sessionId, events) {
   const url = `${API_BASE}/v1/sessions/${sessionId}/events?beta=true`;
-  const res = await fetch(url, {
+  const res = await fetchWithTimeout(url, {
     method: 'POST',
     headers: authHeaders(apiKey),
     body: JSON.stringify({ events }),

package/src/shield/policy.js

@@ -58,7 +58,7 @@ const SUSPICIOUS_REGEX_PATTERNS = [
   /(\.\*){3,}/,                  // multiple .* in a row
 ];
 
-function validateRegexString(src, where) {
+export function validateRegexString(src, where) {
   if (typeof src !== 'string') {
     throw new Error(`policy ${where}: regex must be a string`);
   }
@@ -73,7 +73,7 @@ function validateRegexString(src, where) {
   return new RegExp(src);
 }
 
-function compileMatchRegexes(match) {
+export function compileMatchRegexes(match) {
   for (const [field, condition] of Object.entries(match)) {
     if (condition && typeof condition === 'object') {
       if (condition.regex) condition._regex = validateRegexString(condition.regex, `${field}.regex`);

package/src/shield/sources/fortress.js

@@ -111,7 +111,9 @@ export async function postDecision({ apiKey, base, decision }) {
 // Periodically refreshes the policy ruleset from Fortress.
 // ────────────────────────────────────────────────────────────────────────
 
-import { matchesPolicy } from '../policy.js';
+import { matchesPolicy, compileMatchRegexes } from '../policy.js';
+
+const VALID_ACTIONS = new Set(['allow', 'deny', 'interrupt']);
 
 export class FortressPolicySource {
   constructor({ apiKey, base, anthropicAgentId, refreshIntervalMs = 5 * 60_000, onError, onRefresh }) {
@@ -154,8 +156,18 @@ export class FortressPolicySource {
         base: this.base,
         anthropicAgentId: this.anthropicAgentId,
       });
-      // Compile regex etc. — reuse the same shape policy.js expects.
-      const compiled = policies.map((p) => compilePolicyFromFortress(p));
+      // Compile + validate each policy. A single malformed/dangerous policy
+      // (bad action, ReDoS-prone regex) must NOT take down the whole ruleset:
+      // skip it, report it, keep the rest. This matters because policies come
+      // from the cloud (Guardian-generated) — they're not fully trusted input.
+      const compiled = [];
+      for (const p of policies) {
+        try {
+          compiled.push(compilePolicyFromFortress(p));
+        } catch (e) {
+          this.onError(new Error(`skipping invalid Fortress policy "${p?.rule_id || p?.name || '?'}": ${e.message}`));
+        }
+      }
       this.ruleset = {
         version: 1,
         policies: compiled,
@@ -172,8 +184,20 @@ export class FortressPolicySource {
   }
 }
 
-// Convert a Fortress DB policy row to the local Shield format (compile regex).
+// Convert a Fortress DB policy row to the local Shield format.
+// Throws on anything invalid so _refresh can skip it (policies from the cloud
+// are NOT fully trusted — apply the same hardening as the local JSON loader).
 function compilePolicyFromFortress(p) {
+  if (!p || typeof p !== 'object') throw new Error('policy is not an object');
+  if (!VALID_ACTIONS.has(p.action)) {
+    throw new Error(`unsupported action "${p.action}" (expected allow|deny|interrupt)`);
+  }
+  if (p.match != null && typeof p.match !== 'object') {
+    throw new Error('match must be an object');
+  }
+  if (p.priority != null && (typeof p.priority !== 'number' || !Number.isFinite(p.priority))) {
+    throw new Error(`priority must be a finite number (got ${p.priority})`);
+  }
   const out = {
     id: p.rule_id,
     name: p.name,
@@ -183,18 +207,11 @@ function compilePolicyFromFortress(p) {
     message: p.message,
     priority: p.priority ?? 100,
   };
-  // Compile regex strings to RegExp via the same _regex/_not_regex/_regex_any
-  // protocol the local policy.js engine uses (avoids parsing each event).
-  // We rely on the validation already done in compileMatchRegexes within
-  // policy.js, but since we're not going through loadPolicies here we replicate
-  // the safe-compile step inline.
-  for (const [field, condition] of Object.entries(out.match)) {
-    if (condition && typeof condition === 'object') {
-      if (condition.regex) condition._regex = new RegExp(condition.regex);
-      if (condition.not_regex) condition._not_regex = new RegExp(condition.not_regex);
-      if (condition.regex_any) condition._regex_any = condition.regex_any.map(r => new RegExp(r));
-    }
-  }
+  // Reuse the SAME ReDoS-safe compiler as the local JSON loader (rejects
+  // catastrophic-backtracking patterns + over-long regexes). Previously this
+  // path used a bare new RegExp(), bypassing those guards — a dangerous remote
+  // regex could pin Shield's CPU.
+  compileMatchRegexes(out.match);
   return out;
 }
 

package/src/sources/anthropic-managed.js

@@ -21,6 +21,9 @@ import { URLSearchParams } from 'node:url';
 const API_HOST = 'api.anthropic.com';
 const BETA = 'managed-agents-2026-04-01';
 const VERSION = '2023-06-01';
+// Hard cap on any single GET so a hung connection can't pin Watch/Shield
+// forever. getWithRetry will retry on timeout (the error propagates here).
+const REQUEST_TIMEOUT_MS = 30_000;
 
 function httpGet(apiKey, path) {
   return new Promise((resolve, reject) => {
@@ -50,6 +53,9 @@ function httpGet(apiKey, path) {
       });
     });
     req.on('error', reject);
+    req.setTimeout(REQUEST_TIMEOUT_MS, () => {
+      req.destroy(new Error(`Anthropic request timed out after ${REQUEST_TIMEOUT_MS}ms (${path})`));
+    });
     req.end();
   });
 }
@@ -165,6 +171,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
       const cw = u.cache_creation_input_tokens || 0;
       yield {
         ...base,
+        id: ev.id,
         action_type: 'llm_call',
         tool_name: null,
         model: model || null,
@@ -183,6 +190,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
     if (type === 'user.message') {
       yield {
         ...base,
+        id: ev.id,
         action_type: 'user_message',
         tool_name: null,
         model: model || null,
@@ -196,6 +204,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
     if (type === 'user.interrupt') {
       yield {
         ...base,
+        id: ev.id,
         action_type: 'user_interrupt',
         tool_name: null,
         model: model || null,
@@ -210,6 +219,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
       const denied = ev.result === 'deny';
       yield {
         ...base,
+        id: ev.id,
         action_type: 'tool_confirmation',
         tool_name: null,
         model: model || null,
@@ -225,6 +235,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
     if (type === 'user.custom_tool_result') {
       yield {
         ...base,
+        id: ev.id,
         action_type: 'custom_tool_result',
         tool_name: null,
         model: model || null,
@@ -239,6 +250,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
     if (type === 'agent.message') {
       yield {
         ...base,
+        id: ev.id,
         action_type: 'message',
         tool_name: null,
         model: model || null,
@@ -252,6 +264,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
     if (type === 'agent.thinking') {
       yield {
         ...base,
+        id: ev.id,
         action_type: 'thinking',
         tool_name: null,
         model: model || null,
@@ -278,6 +291,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
       const isError = ev.is_error === true;
       yield {
         ...base,
+        id: ev.id,
         action_type: start?.isMcp ? 'mcp_tool_use' : 'tool_use',
         tool_name: start?.name || 'unknown',
         timestamp: ts,
@@ -293,6 +307,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
     if (type === 'agent.custom_tool_use') {
       yield {
         ...base,
+        id: ev.id,
         action_type: 'custom_tool_use',
         tool_name: ev.name || 'unknown',
         timestamp: ts,
@@ -306,6 +321,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
     if (type === 'agent.thread_context_compacted') {
       yield {
         ...base,
+        id: ev.id,
         action_type: 'context_compacted',
         tool_name: null,
         model: model || null,
@@ -324,6 +340,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
       const direction = type.endsWith('_sent') ? 'sent' : 'received';
       yield {
         ...base,
+        id: ev.id,
         action_type: `thread_message_${direction}`,
         tool_name: null,
         model: model || null,
@@ -344,6 +361,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
       const { id: _id, type: _type, processed_at: _pa, created_at: _ca, ...changes } = ev;
       yield {
         ...base,
+        id: ev.id,
         action_type: 'config_change',
         tool_name: null,
         model: model || null,
@@ -357,6 +375,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
     if (type === 'session.thread_created') {
       yield {
         ...base,
+        id: ev.id,
         action_type: 'thread_created',
         tool_name: null,
         model: model || null,
@@ -373,6 +392,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
     if (type === 'session.error') {
       yield {
         ...base,
+        id: ev.id,
         action_type: 'session_error',
         tool_name: null,
         timestamp: ts,
@@ -393,6 +413,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
       const fatal = state === 'terminated';
       yield {
         ...base,
+        id: ev.id,
         action_type: 'state_transition',
         tool_name: null,
         model: model || null,

package/src/validate.js

@@ -0,0 +1,33 @@
+// Shared identifier + path-segment validation.
+//
+// agentId and sessionId end up as filesystem path segments (logDir/<agentId>/…
+// and raw-<sessionId>.jsonl). Without validation a crafted value like
+// "../../etc" would traverse out of the log directory. Every entry point that
+// turns an id into a path MUST validate it first.
+
+const AGENT_ID_RE = /^agent_[a-zA-Z0-9]+$/;
+const SESSION_ID_RE = /^sesn_[a-zA-Z0-9]+$/;
+
+export function isValidAgentId(id) {
+  return typeof id === 'string' && AGENT_ID_RE.test(id);
+}
+
+export function isValidSessionId(id) {
+  return typeof id === 'string' && SESSION_ID_RE.test(id);
+}
+
+// Defense-in-depth: reject any value that could escape its parent directory
+// before it is passed to path.join(). Throws on anything suspicious.
+export function assertSafePathSegment(seg, label = 'path segment') {
+  if (typeof seg !== 'string' || seg.length === 0) {
+    throw new Error(`${label} must be a non-empty string`);
+  }
+  if (
+    seg === '.' || seg === '..' ||
+    seg.includes('/') || seg.includes('\\') ||
+    seg.includes('..') || seg.includes('\0')
+  ) {
+    throw new Error(`${label} "${seg.slice(0, 40)}" contains illegal path characters`);
+  }
+  return seg;
+}