watchmyagents 0.8.0 → 0.9.0

package/README.md

@@ -105,14 +105,15 @@ Each entry carries: `id`, `agent_id`, `framework`, `timestamp`, `action_type`, `
 ### `wma-fetch` — pull events from Anthropic Managed Agents
 
 ```bash
-wma-fetch --agent-id <agent_id> [--session-id <sess_id>] [--since 1h]
+wma-fetch (--agent-id <agent_id> | --all-agents) [--session-id <sess_id>] [--since 1h]
          [--log-dir ./watchmyagents-logs] [--dump-raw]
          [--watch [--interval 5m] [--upload]]
 ```
 
 | Flag | Effect |
 |---|---|
-| `--agent-id agent_xxx` | Required — Anthropic agent identifier |
+| `--agent-id agent_xxx` | Anthropic agent identifier (required unless `--all-agents`) |
+| `--all-agents` | **Fleet mode** (requires `--watch`) — discover ALL agents under the key and watch them in a single process |
 | `--since 1h` / `24h` / `7d` | Fetch window (default: all) |
 | `--session-id sesn_xxx` | Limit to a single session |
 | `--log-dir ./logs` | Where to write NDJSON (default `./watchmyagents-logs`) |
@@ -167,6 +168,21 @@ wma-inspect [path]
 
 Outputs sections aligned with security audit needs: tokens summary, by-tool / by-action-type breakdowns, top tool destinations (URLs / queries), action-sequence transitions, tool error rates, p50/p95/max latency per tool, rate metrics.
 
+### `wma-agents` — discover + classify your agents (typology)
+
+Lists every Managed Agent under your key and classifies each one's **typology**
+(one of 10 Guardian Core archetypes) from its OBSERVED behaviour in your local
+logs — which drives the cold-start Shield template. Modèle C: reads local logs
+only (tool-category fractions, never raw content) and transmits nothing.
+
+```bash
+wma-agents list [--log-dir ~/.watchmyagents/logs] [--json]
+```
+
+With fewer than ~50 observed events an agent stays `generic` (cold start) and
+refines as activity accumulates. Re-classification to a *less strict* type is
+gated (raised confidence + longer window) to resist mimicry-evasion.
+
 ## Automating — continuous monitoring
 
 ### `wma-service` — install as an always-on service (recommended)
@@ -180,7 +196,7 @@ export WMA_API_KEY="wma_..."
 export WMA_FORTRESS_BASE_URL="https://<project>.supabase.co/functions/v1"
 export WMA_SIGNALS_SALT="..."                                 # stable per-customer salt
 
-wma-service install --agent-id agent_01ABC... --interval 5m [--with-shield]
+wma-service install (--agent-id agent_01ABC... | --all-agents) [--interval 5m] [--with-shield]
 wma-service status
 wma-service uninstall [--with-shield]
 ```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "watchmyagents",
-  "version": "0.8.0",
+  "version": "0.9.0",
   "description": "Security observability + real-time policy enforcement for AI agents. Local-first NDJSON capture with a continuous Watch daemon that auto-uploads anonymized signals, Shield CLI that blocks policy violations live (with policies pulled from Fortress cloud), anonymizer producing signals-only payloads, bidirectional sync with WatchMyAgents Fortress, and one-command install as an always-on launchd/systemd service — closing the recursive Watch→Guardian→Shield security loop.",
   "type": "module",
   "files": [
@@ -11,6 +11,7 @@
     "scripts/anonymize.js",
     "scripts/upload-fortress.js",
     "scripts/service.js",
+    "scripts/agents.js",
     "README.md",
     "SECURITY.md",
     "LICENSE"
@@ -21,23 +22,24 @@
     "wma-shield": "scripts/shield.js",
     "wma-anonymize": "scripts/anonymize.js",
     "wma-upload-fortress": "scripts/upload-fortress.js",
-    "wma-service": "scripts/service.js"
+    "wma-service": "scripts/service.js",
+    "wma-agents": "scripts/agents.js"
   },
   "scripts": {
+    "test": "node --test",
     "inspect": "node scripts/inspect.js",
     "fetch": "node scripts/fetch-anthropic.js",
     "shield": "node scripts/shield.js",
     "anonymize": "node scripts/anonymize.js",
     "upload-fortress": "node scripts/upload-fortress.js",
-    "service": "node scripts/service.js"
+    "service": "node scripts/service.js",
+    "agents": "node scripts/agents.js"
   },
   "engines": {
     "node": ">=18.0.0"
   },
   "dependencies": {},
-  "devDependencies": {
-    "@anthropic-ai/sdk": "^0.42.0"
-  },
+  "devDependencies": {},
   "keywords": [
     "ai",
     "agents",

package/scripts/agents.js

@@ -0,0 +1,218 @@
+#!/usr/bin/env node
+// wma-agents — discover all Managed Agents under your key and classify each
+// agent's typology from its OBSERVED behaviour (for Shield template selection).
+//
+// Usage:
+//   wma-agents [list] [--log-dir ~/.watchmyagents/logs] [--json]
+//
+// Reads the local Watch logs (NEVER leaves the machine — Modèle C) and derives
+// the anonymized behavioural FEATURE VECTOR per the typology spec:
+//   per-tool-category FRACTIONS (f_*), boolean local flags (flag_*), aux ratios
+//   (aux_*), and n_events. It then calls classifyAgentType() and prints the
+//   schema-conformant result. With <50 events an agent is `generic` (cold start)
+//   and refines as activity accumulates.
+//
+// Modèle C invariant: only counts/ratios/flags are computed here — never raw
+// prompt/output content, never the agent display name. Nothing is transmitted.
+//
+// ANTHROPIC_API_KEY from env (or --api-key, discouraged).
+
+import os from 'node:os';
+import { readdir, stat } from 'node:fs/promises';
+import { createReadStream } from 'node:fs';
+import { createInterface } from 'node:readline';
+import { join, resolve } from 'node:path';
+import { listAgents } from '../src/sources/anthropic-managed.js';
+import { classifyAgentType } from '../src/typology.js';
+import { isValidAgentId, assertSafePathSegment } from '../src/validate.js';
+
+function parseArgs(argv) {
+  const out = { _: [] };
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    if (a.startsWith('--')) {
+      const k = a.slice(2); const n = argv[i + 1];
+      if (n == null || n.startsWith('--')) out[k] = true; else { out[k] = n; i++; }
+    } else out._.push(a);
+  }
+  return out;
+}
+function die(msg, code = 1) { process.stderr.write(`error: ${msg}\n`); process.exit(code); }
+function info(msg) { process.stdout.write(`[wma-agents] ${msg}\n`); }
+
+// Action types that represent a TOOL invocation (the denominator for f_* tool
+// fractions). Confirmed produced by src/sources/anthropic-managed.js.
+const TOOL_ACTIONS = new Set(['tool_use', 'mcp_tool_use', 'custom_tool_use']);
+
+// ──────────────────────────────────────────────────────────────────────────
+// Tool-name → category mapping (Modèle C: name-based, no content). Managed
+// Agents expose tools as an opaque bundle, so tool_name is free-text. We match
+// the confirmed built-ins (web_search, web_fetch, bash) plus best-effort
+// regexes for common tool names. A tool that matches nothing contributes to the
+// denominator but to no category (honest: unknown ≠ inferred).
+// ──────────────────────────────────────────────────────────────────────────
+const CATEGORY_RULES = [
+  // category,    matcher (lower-cased tool_name)
+  ['search',   (n) => /(^|_)web_search$|(^|_)search($|_)|google|brave/.test(n)],
+  ['browser',  (n) => /web_fetch|browser|playwright|puppeteer|navigate|screenshot/.test(n)],
+  ['http',     (n) => /(^|_)http|fetch_url|curl|request|webhook|api_call/.test(n)],
+  ['code',     (n) => /bash|shell|terminal|code_exec|exec_|python|node_run|run_code|interpreter/.test(n)],
+  ['database', (n) => /sql|query_db|database|postgres|mysql|mongo|redis|bigquery|snowflake/.test(n)],
+  ['email',    (n) => /email|gmail|smtp|sendmail|mailgun|outlook/.test(n)],
+  ['payment',  (n) => /payment|charge|transfer|invoice|stripe|paypal|payout|refund|checkout/.test(n)],
+  ['secret',   (n) => /secret|vault|credential|kms|keychain|token_get/.test(n)],
+  ['memory',   (n) => /memory|retriev|vector|(^|_)rag($|_)|knowledge|embed|pinecone|chroma/.test(n)],
+  ['file',     (n) => /editor|str_replace|read_file|write_file|create_file|file_io|(^|_)file($|_)|fs_/.test(n)],
+];
+
+// Best-effort deploy detection (spec discriminator devops_infra vs coding).
+const DEPLOY_RE = /deploy|terraform|kubectl|helm|(^|_)release($|_)|ansible|pulumi|cloudformation/;
+
+function categoryOf(toolName) {
+  const n = String(toolName || '').toLowerCase();
+  for (const [cat, m] of CATEGORY_RULES) if (m(n)) return cat;
+  return null;
+}
+
+// Aggregate raw counts from an agent's local NDJSON logs (Modèle C: counts only).
+async function aggregate(logDir, agentId) {
+  const actionCounts = {};       // action_type → count
+  const categoryCounts = {};     // tool category → count
+  let toolEvents = 0;            // denominator for f_* fractions
+  let deployUses = 0;
+  const dir = join(logDir, agentId);
+  const s = await stat(dir).catch(() => null);
+  if (!s || !s.isDirectory()) return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: false };
+  let names;
+  try { names = await readdir(dir); } catch { return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: false }; }
+  const files = names.filter((n) => n.endsWith('.ndjson') && !n.startsWith('raw-'));
+  if (files.length === 0) return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: false };
+
+  for (const f of files) {
+    await new Promise((res) => {
+      const rl = createInterface({ input: createReadStream(join(dir, f), { encoding: 'utf8' }), crlfDelay: Infinity });
+      rl.on('line', (line) => {
+        if (!line.trim()) return;
+        let e; try { e = JSON.parse(line); } catch { return; }
+        if (e.action_type) actionCounts[e.action_type] = (actionCounts[e.action_type] || 0) + 1;
+        if (TOOL_ACTIONS.has(e.action_type)) {
+          toolEvents += 1;
+          const cat = categoryOf(e.tool_name);
+          if (cat) categoryCounts[cat] = (categoryCounts[cat] || 0) + 1;
+          if (DEPLOY_RE.test(String(e.tool_name || '').toLowerCase())) deployUses += 1;
+        }
+      });
+      rl.on('close', res); rl.on('error', res);
+    });
+  }
+  return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: true };
+}
+
+// Features that the WMA NDJSON logs CANNOT reliably expose today (opaque tool
+// names / no behavioural signal / content off-limits under Modèle C). They
+// default to 0/false; the caller prints a one-line note.
+const NON_DERIVABLE = [
+  'f_database', 'f_email', 'f_payment', 'f_secret', 'f_memory',
+  'flag_internal_sys', 'flag_on_behalf', 'aux_untrusted', 'aux_sensitive',
+];
+
+// Build the canonical anonymized FEATURE VECTOR from the aggregated counts.
+// Fractions = category_count / toolEvents. n_events = total observed events.
+function buildFeatures(agg) {
+  const { actionCounts, categoryCounts, toolEvents, deployUses } = agg;
+  const nEvents = Object.values(actionCounts).reduce((a, b) => a + b, 0);
+  const frac = (c) => (toolEvents > 0 ? (categoryCounts[c] || 0) / toolEvents : 0);
+  const eventFrac = (...types) => (nEvents > 0
+    ? types.reduce((a, t) => a + (actionCounts[t] || 0), 0) / nEvents
+    : 0);
+
+  // f_handoff / f_user_msg are derived from event TYPE (not tool category):
+  // confirmed action_types thread_message_* and user_message.
+  const handoff = eventFrac('thread_message_sent', 'thread_message_received', 'thread_created');
+  const userMsg = eventFrac('user_message');
+
+  // aux_autonomy ≈ 1 − (human-in-the-loop event share). Confirmed action_types
+  // user_message / user_interrupt / tool_confirmation mark human involvement; an
+  // agent that proceeds without them is more autonomous. Heuristic — documented.
+  const hitlShare = eventFrac('user_message', 'user_interrupt', 'tool_confirmation');
+  const auxAutonomy = nEvents > 0 ? Math.max(0, 1 - hitlShare) : 0;
+
+  return {
+    // tool-category fractions (over tool uses)
+    f_code: frac('code'),
+    f_browser: frac('browser'),
+    f_database: frac('database'),     // non-derivable in practice → ~0
+    f_http: frac('http'),
+    f_email: frac('email'),           // non-derivable in practice → ~0
+    f_payment: frac('payment'),       // non-derivable in practice → ~0
+    f_secret: frac('secret'),         // non-derivable in practice → ~0
+    f_search: frac('search'),
+    f_memory: frac('memory'),         // non-derivable in practice → ~0
+    f_file: frac('file'),
+    // event-type fractions (over all events)
+    f_handoff: handoff,
+    f_user_msg: userMsg,
+    // discriminator flags (best-effort; only flag_deploy has any behavioural
+    // signal — and only if the agent literally names a deploy tool).
+    flag_deploy: deployUses > 0 ? 1 : 0,
+    flag_internal_sys: 0,             // no behavioural signal in logs
+    flag_on_behalf: 0,                // no behavioural signal in logs
+    // aux ratios
+    aux_autonomy: auxAutonomy,        // heuristic (HITL-frequency)
+    aux_untrusted: 0,                 // no honest source in logs
+    aux_sensitive: 0,                 // no honest source in logs
+    // window size
+    n_events: nEvents,
+  };
+}
+
+async function main() {
+  const args = parseArgs(process.argv.slice(2));
+  if (args._[0] && args._[0] !== 'list') die(`unknown command "${args._[0]}" (only "list" supported)`);
+  const apiKey = args['api-key'] || process.env.ANTHROPIC_API_KEY;
+  if (!apiKey) die('--api-key or ANTHROPIC_API_KEY required');
+  if (args['api-key']) process.stderr.write('[wma-agents] WARNING: --api-key is visible in shell history; prefer ANTHROPIC_API_KEY env\n');
+  const logDir = resolve(args['log-dir'] || join(os.homedir(), '.watchmyagents', 'logs'));
+  const asJson = !!args.json;
+
+  let agents;
+  try { agents = await listAgents(apiKey); }
+  catch (e) { die(`failed to list agents: ${e.message}`); }
+
+  const results = [];
+  for (const a of agents) {
+    if (!a.id || !isValidAgentId(a.id)) continue;
+    assertSafePathSegment(a.id, 'agent id');
+    const agg = await aggregate(logDir, a.id);
+    const features = buildFeatures(agg);
+    features.agent_id = a.id;
+    // No prior state threaded here (single-shot CLI snapshot); the continuous
+    // Watch daemon is responsible for threading window state across runs.
+    const cls = classifyAgentType(features);
+    results.push({
+      id: a.id,
+      name: a.name || '(unnamed)',     // shown for the human only — NOT a classification signal
+      hasLogs: agg.hasLogs,
+      ...cls,
+    });
+  }
+
+  if (asJson) { process.stdout.write(JSON.stringify(results, null, 2) + '\n'); return; }
+
+  info(`discovered ${results.length} agent(s) - classified from local logs in ${logDir}`);
+  info(`Modele C: features below default to 0 (logs don't expose them): ${NON_DERIVABLE.join(', ')}`);
+  process.stdout.write('\n');
+  for (const r of results) {
+    const mods = (r.modifiers && r.modifiers.length) ? ` [+${r.modifiers.join(',')}]` : '';
+    const overlay = r.evidence?.payment_overlay ? '  (+transactional overlay)' : '';
+    process.stdout.write(`  ${r.name}\n`);
+    process.stdout.write(`    ${r.id}\n`);
+    process.stdout.write(`    -> ${r.classified_type}  (conf ${Math.round(r.confidence * 100)}%, ${r.stage})${mods}${overlay}\n`);
+    process.stdout.write(`    evidence: ${r.evidence.window_events} events, top2=${r.evidence.top2_type}, margin=${r.evidence.margin}\n`);
+    if (!r.hasLogs) process.stdout.write('    (no local logs yet - cold start)\n');
+    process.stdout.write('\n');
+  }
+  info('type drives the cold-start Shield template (Guardian Core §8). The global-baseline floor applies regardless of classification.');
+}
+
+main().catch((e) => { process.stderr.write(`error: ${e.stack || e.message}\n`); process.exit(1); });

package/scripts/fetch-anthropic.js

@@ -31,7 +31,7 @@ import { SignalsAggregator } from '../src/anonymizer.js';
 import { resolveFortressBase, fortressEndpoint } from '../src/fortress/url.js';
 import { isValidAgentId, isValidSessionId, assertSafePathSegment } from '../src/validate.js';
 import {
-  getAgent, listSessions, fetchSessionEntries, fetchRawEvents,
+  getAgent, listAgents, listSessions, fetchSessionEntries, fetchRawEvents,
 } from '../src/sources/anthropic-managed.js';
 
 function parseArgs(argv) {
@@ -70,6 +70,9 @@ function parseSince(s) {
 function die(msg, code = 1) { process.stderr.write(`${msg}\n`); process.exit(code); }
 function info(msg) { process.stdout.write(`[wma-fetch] ${msg}\n`); }
 function warn(msg) { process.stderr.write(`[wma-fetch] ⚠️  ${msg}\n`); }
+// Strip control chars + truncate a customer-set agent name before it goes into
+// a log line or the Fortress display_name (defense-in-depth vs log/payload injection).
+function cleanLabel(s) { return [...String(s ?? '')].filter((c) => c.charCodeAt(0) >= 32 && c.charCodeAt(0) !== 127).join('').slice(0, 60).trim(); }
 
 function resolveModel(agent) {
   const raw = agent.model || agent.config?.model || null;
@@ -198,10 +201,14 @@ async function fetchOneShot({ apiKey, agentId, model, logDir, since, sessionId,
   process.stdout.write(`[wma-fetch] inspect with: npx wma-inspect ${logDir}\n`);
 }
 
-// ── CONTINUOUS / DAEMON ─────────────────────────────────────────────────────
-async function runWatch({ apiKey, agentId, model, displayName, logDir, intervalMs, uploadCtx }) {
-  const seenIds = await preloadSeenIds(logDir, agentId);
-  const loggers = new Map();     // sessionId → Logger (persists sequence across cycles)
+// ── CONTINUOUS / DAEMON (single agent or whole fleet) ───────────────────────
+// `agents` = [{ agentId, model, displayName }]. One process watches them all.
+async function runWatch({ apiKey, agents, logDir, intervalMs, uploadCtx }) {
+  const seenIds = new Set();     // stable Anthropic event ids already captured
+  for (const ag of agents) {
+    for (const id of await preloadSeenIds(logDir, ag.agentId)) seenIds.add(id);
+  }
+  const loggers = new Map();     // sessionId → Logger (session ids are globally unique)
   const ended = new Set();       // sessions we've already closed with session_end
 
   const ac = new AbortController();
@@ -209,56 +216,62 @@ async function runWatch({ apiKey, agentId, model, displayName, logDir, intervalM
   process.on('SIGINT', shutdown);
   process.on('SIGTERM', shutdown);
 
-  info(`watch mode — interval ${Math.round(intervalMs / 1000)}s, upload ${uploadCtx ? 'ON' : 'OFF'}, ${seenIds.size} known events preloaded`);
+  const fleet = agents.length > 1;
+  info(`watch mode — ${agents.length} agent(s), interval ${Math.round(intervalMs / 1000)}s, upload ${uploadCtx ? 'ON' : 'OFF'}, ${seenIds.size} known events preloaded`);
 
   while (!ac.signal.aborted) {
     const since = new Date(Date.now() - 24 * 3600 * 1000);
-    let sessions = [];
-    try { sessions = await listSessions(apiKey, { agentId, since }); }
-    catch (e) { warn(`listSessions failed: ${e.message}`); }
-
     let cycleNew = 0;
-    for (const s of sessions) {
-      if (!s.id || ended.has(s.id)) continue;
-      let logger = loggers.get(s.id);
-      if (!logger) { logger = new Logger({ logDir, agentId, sessionId: s.id, silent: true }); loggers.set(s.id, logger); }
 
-      const fresh = [];
-      let sawTerminated = false;
-      try {
-        for await (const entry of fetchSessionEntries({ apiKey, agentId, sessionId: s.id, model })) {
-          if (entry.id && seenIds.has(entry.id)) continue;
-          if (entry.id) seenIds.add(entry.id);
-          const written = await logger.write(entry);
-          fresh.push(written);
-          if (entry.action_type === 'state_transition'
-              && entry.output?.scope === 'session'
-              && entry.output?.state === 'terminated') sawTerminated = true;
-        }
-      } catch (e) { warn(`session ${s.id}: fetch failed: ${e.message}`); continue; }
+    for (const ag of agents) {
+      if (ac.signal.aborted) break;
+      const tag = fleet ? `[${ag.displayName}] ` : '';
+      let sessions = [];
+      try { sessions = await listSessions(apiKey, { agentId: ag.agentId, since }); }
+      catch (e) { warn(`${tag}listSessions failed: ${e.message}`); continue; }
 
-      if (fresh.length === 0) continue;
-      cycleNew += fresh.length;
-      info(`session ${s.id.slice(0, 16)}…: +${fresh.length} new event(s)`);
+      for (const s of sessions) {
+        if (!s.id || ended.has(s.id)) continue;
+        let logger = loggers.get(s.id);
+        if (!logger) { logger = new Logger({ logDir, agentId: ag.agentId, sessionId: s.id, silent: true }); loggers.set(s.id, logger); }
 
-      if (uploadCtx) {
+        const fresh = [];
+        let sawTerminated = false;
         try {
-          const resp = await uploadSignals(uploadCtx, agentId, displayName, fresh);
-          if (resp?.signal_id) info(`  ↑ signals uploaded (signal_id ${resp.signal_id})`);
-        } catch (e) { warn(`  signals upload failed: ${e.message}`); }
-      }
+          for await (const entry of fetchSessionEntries({ apiKey, agentId: ag.agentId, sessionId: s.id, model: ag.model })) {
+            if (entry.id && seenIds.has(entry.id)) continue;
+            if (entry.id) seenIds.add(entry.id);
+            const written = await logger.write(entry);
+            fresh.push(written);
+            if (entry.action_type === 'state_transition'
+                && entry.output?.scope === 'session'
+                && entry.output?.state === 'terminated') sawTerminated = true;
+          }
+        } catch (e) { warn(`${tag}session ${s.id.slice(0, 16)}…: fetch failed: ${e.message}`); continue; }
+
+        if (fresh.length === 0) continue;
+        cycleNew += fresh.length;
+        info(`${tag}session ${s.id.slice(0, 16)}…: +${fresh.length} new event(s)`);
 
-      if (sawTerminated) {
-        const tracker = new TokenTracker();
-        for (const e of fresh) tracker.record(e);
-        const stats = tracker.stats().total;
-        await logger.write({
-          action_type: 'session_end', framework: 'anthropic-managed', status: 'ok', model,
-          session_tokens: { input: stats.input, output: stats.output, cache_read: stats.cache_read, cache_creation: stats.cache_creation, total: stats.sum },
-          session_cost_usd: stats.cost_usd || null,
-        });
-        ended.add(s.id);
-        info(`session ${s.id.slice(0, 16)}… terminated — closed`);
+        if (uploadCtx) {
+          try {
+            const resp = await uploadSignals(uploadCtx, ag.agentId, ag.displayName, fresh);
+            if (resp?.signal_id) info(`  ↑ signals uploaded (signal_id ${resp.signal_id})`);
+          } catch (e) { warn(`  signals upload failed: ${e.message}`); }
+        }
+
+        if (sawTerminated) {
+          const tracker = new TokenTracker();
+          for (const e of fresh) tracker.record(e);
+          const stats = tracker.stats().total;
+          await logger.write({
+            action_type: 'session_end', framework: 'anthropic-managed', status: 'ok', model: ag.model,
+            session_tokens: { input: stats.input, output: stats.output, cache_read: stats.cache_read, cache_creation: stats.cache_creation, total: stats.sum },
+            session_cost_usd: stats.cost_usd || null,
+          });
+          ended.add(s.id);
+          info(`${tag}session ${s.id.slice(0, 16)}… terminated — closed`);
+        }
       }
     }
 
@@ -275,10 +288,12 @@ async function main() {
   const logDir = resolve(args['log-dir'] || './watchmyagents-logs');
   const watch = !!args.watch;
   const upload = !!args.upload;
+  const allAgents = !!args['all-agents'];
 
   if (!apiKey) die('error: --api-key or ANTHROPIC_API_KEY required');
-  if (!agentId) die('error: --agent-id required (e.g. agent_01ABC...)');
-  if (!isValidAgentId(agentId)) {
+  if (!allAgents && !agentId) die('error: --agent-id required (or --all-agents for fleet mode)');
+  if (allAgents && !watch) die('error: --all-agents requires --watch (fleet daemon). For a one-shot, target a single --agent-id.');
+  if (agentId && !isValidAgentId(agentId)) {
     die(`error: --agent-id has invalid format (expected "agent_" + alphanumeric, got "${agentId}")`);
   }
   const sessionIdArg = args['session-id'];
@@ -303,18 +318,30 @@ async function main() {
     uploadCtx = { apiKey: wmaKey, salt, url: fortressEndpoint(base, 'ingest-signals') };
   }
 
-  info(`resolving agent ${agentId}…`);
-  const agent = await getAgent(apiKey, agentId).catch((e) => die(`failed to GET agent: ${e.message}`));
-  const model = resolveModel(agent);
-  const displayName = agent.name || agentId;
-  info(`model: ${model || '(unknown)'}`);
+  // Resolve the agent list: the whole fleet (--all-agents) or a single agent.
+  let agents;
+  if (allAgents) {
+    info('discovering agents (fleet mode)…');
+    const all = await listAgents(apiKey).catch((e) => die(`failed to list agents: ${e.message}`));
+    agents = all
+      .filter((a) => a.id && isValidAgentId(a.id))
+      .map((a) => ({ agentId: a.id, model: resolveModel(a), displayName: cleanLabel(a.name || a.id) }));
+    if (agents.length === 0) die('error: no agents found under this API key');
+    info(`fleet: ${agents.length} agent(s) — ${agents.map((a) => a.displayName).join(', ')}`);
+  } else {
+    info(`resolving agent ${agentId}…`);
+    const agent = await getAgent(apiKey, agentId).catch((e) => die(`failed to GET agent: ${e.message}`));
+    agents = [{ agentId, model: resolveModel(agent), displayName: cleanLabel(agent.name || agentId) }];
+    info(`model: ${agents[0].model || '(unknown)'}`);
+  }
 
   if (watch) {
     const intervalMs = parseDurationMs(args.interval, 5 * 60_000);
-    await runWatch({ apiKey, agentId, model, displayName, logDir, intervalMs, uploadCtx });
+    await runWatch({ apiKey, agents, logDir, intervalMs, uploadCtx });
   } else {
     const since = args.since ? parseSince(args.since) : null;
-    await fetchOneShot({ apiKey, agentId, model, logDir, since, sessionId: args['session-id'], dumpRaw: !!args['dump-raw'] });
+    const a = agents[0];
+    await fetchOneShot({ apiKey, agentId: a.agentId, model: a.model, logDir, since, sessionId: args['session-id'], dumpRaw: !!args['dump-raw'] });
   }
 }
 

package/scripts/service.js

@@ -94,11 +94,15 @@ function launcherPath(label) { return join(CONFIG_DIR, `${label}.launcher.sh`);
 
 function writeLauncher(label, scriptPath, args) {
   const argLine = args.map(sh).join(' ');
+  // Load secrets with a read-loop, NOT '. file' / source. Sourcing would
+  // shell-evaluate each value, so a secret like FOO=https://x/$(cmd) would
+  // execute cmd at launch. A read-loop assigns the value literally — the
+  // content is never re-scanned for command substitution.
   const body = `#!/bin/sh
-# Generated by wma-service. Loads secrets then runs the WMA daemon.
-set -a
-. ${sh(ENV_FILE)}
-set +a
+# Generated by wma-service. Loads secrets WITHOUT shell-evaluating their values.
+while IFS='=' read -r __k __v; do
+  [ -n "$__k" ] && export "$__k=$__v"
+done < ${sh(ENV_FILE)}
 exec ${sh(NODE)} ${sh(scriptPath)} ${argLine}
 `;
   const p = launcherPath(label);
@@ -147,15 +151,35 @@ function launchctl(args, { ignoreError = false } = {}) {
   }
 }
 
+// Synchronous sleep (installer CLI — blocking is fine). Used to let launchd's
+// asynchronous bootout finish before we bootstrap again.
+function syncSleep(ms) {
+  Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);
+}
+function macLoaded(label) {
+  try { execFileSync('launchctl', ['print', `gui/${UID}/${label}`], { stdio: 'pipe' }); return true; }
+  catch { return false; }
+}
+
 function macLoad(label, plist) {
   const domain = `gui/${UID}`;
-  launchctl(['bootout', `${domain}/${label}`], { ignoreError: true }); // unload prior
-  const ok = launchctl(['bootstrap', domain, plist]);
+  // bootout is async: on reinstall, bootstrapping again before the old instance
+  // is gone races and silently fails (symptom: reinstall = dead services).
+  // Wait for the prior instance to disappear, then retry bootstrap.
+  if (macLoaded(label)) {
+    launchctl(['bootout', `${domain}/${label}`], { ignoreError: true });
+    for (let i = 0; i < 20 && macLoaded(label); i++) syncSleep(150);
+  }
+  let ok = false;
+  for (let attempt = 0; attempt < 5 && !ok; attempt++) {
+    ok = launchctl(['bootstrap', domain, plist], { ignoreError: attempt < 4 });
+    if (!ok) syncSleep(250);
+  }
   launchctl(['enable', `${domain}/${label}`], { ignoreError: true });
   if (ok) info(`loaded ${label} (launchd) — running now + at every login`);
   else {
     warn(`could not auto-load ${label}. Load it manually:`);
-    process.stdout.write(`  launchctl bootstrap gui/${UID} ${plist}\n`);
+    process.stdout.write(`  launchctl bootout gui/${UID}/${label} 2>/dev/null; launchctl bootstrap gui/${UID} ${plist}\n`);
   }
 }
 
@@ -227,9 +251,10 @@ function linuxUninstallOne(label) {
 
 // ── Commands ────────────────────────────────────────────────────────────--
 function cmdInstall(args) {
+  const allAgents = !!args['all-agents'];
   const agentId = args['agent-id'];
-  if (!agentId) die('--agent-id required (e.g. agent_01ABC...)');
-  if (!isValidAgentId(agentId)) die(`--agent-id invalid format (expected "agent_" + alphanumeric, got "${agentId}")`);
+  if (!allAgents && !agentId) die('--agent-id required (or --all-agents to cover the whole fleet)');
+  if (agentId && !isValidAgentId(agentId)) die(`--agent-id invalid format (expected "agent_" + alphanumeric, got "${agentId}")`);
   const interval = args.interval || '5m';
   if (!/^\d+[smhd]$/.test(interval)) die(`--interval invalid format (expected like 30s, 5m, 1h, 2d; got "${interval}")`);
   const logDir = args['log-dir'] || LOG_DIR_DEFAULT;
@@ -238,14 +263,15 @@ function cmdInstall(args) {
   if (PLATFORM !== 'darwin' && PLATFORM !== 'linux') {
     die(`unsupported platform "${PLATFORM}". Supported: macOS (launchd), Linux (systemd).\n` +
         '       Run the daemon manually or wrap it in your own process manager:\n' +
-        `         wma-fetch --agent-id ${agentId} --watch --upload --interval ${interval}`);
+        `         wma-fetch ${allAgents ? '--all-agents' : `--agent-id ${agentId}`} --watch --upload --interval ${interval}`);
   }
 
   mkdirSync(logDir, { recursive: true, mode: 0o700 });
   writeEnvFile();
 
-  const watchArgs = ['--agent-id', agentId, '--watch', '--upload', '--interval', interval, '--log-dir', logDir];
-  const shieldArgs = ['--agent-id', agentId, '--policies-source', 'fortress', '--log-dir', logDir];
+  const target = allAgents ? ['--all-agents'] : ['--agent-id', agentId];
+  const watchArgs = [...target, '--watch', '--upload', '--interval', interval, '--log-dir', logDir];
+  const shieldArgs = [...target, '--policies-source', 'fortress', '--log-dir', logDir];
 
   if (PLATFORM === 'darwin') {
     macInstallOne(WATCH_LABEL, FETCH_SCRIPT, watchArgs);