watchmyagents 0.8.0 → 0.9.0

package/scripts/shield.js

@@ -33,10 +33,10 @@ import {
   getAgentConfig, detectAlwaysAsk,
 } from '../src/shield/enforce.js';
 import { DecisionLogger } from '../src/shield/decisions.js';
-import { listSessions } from '../src/sources/anthropic-managed.js';
+import { listSessions, listAgents } from '../src/sources/anthropic-managed.js';
 import { FortressPolicySource, postDecision } from '../src/shield/sources/fortress.js';
 import { resolveFortressBase } from '../src/fortress/url.js';
-import { isValidAgentId } from '../src/validate.js';
+import { isValidAgentId, isValidSessionId } from '../src/validate.js';
 
 function parseArgs(argv) {
   const out = {};
@@ -423,127 +423,129 @@ async function main() {
     explicitUrl: args['fortress-url'],
   });
   const logDir = resolve(args['log-dir'] || './watchmyagents-logs');
+  const allAgents = !!args['all-agents'];
 
   if (!apiKey) die('error: --api-key or ANTHROPIC_API_KEY required');
-  if (!agentId) die('error: --agent-id required');
-  if (!isValidAgentId(agentId)) {
+  if (!allAgents && !agentId) die('error: --agent-id required (or --all-agents for fleet mode)');
+  if (allAgents && singleSessionId) die('error: --all-agents is incompatible with --session-id');
+  if (allAgents && policiesSource !== 'fortress') {
+    die('error: --all-agents requires --policies-source fortress (per-agent policies).');
+  }
+  if (agentId && !isValidAgentId(agentId)) {
     die(`error: --agent-id has invalid format (expected "agent_" + alphanumeric, got "${agentId}")`);
   }
+  // --session-id ends up in the Anthropic SSE URL path (src/shield/stream.js).
+  // Validate the same way wma-fetch does so a crafted value can't tamper the URL.
+  if (singleSessionId && !isValidSessionId(singleSessionId)) {
+    die(`error: --session-id has invalid format (expected "sesn_" + alphanumeric, got "${singleSessionId}")`);
+  }
 
-  // Policies source: --policies-source fortress | local  (default infers from --policy)
-  let ruleset;          // for 'local' mode: static; for 'fortress': initial snapshot
-  let fortressPolicies; // FortressPolicySource instance, used as ground truth at runtime
-
+  // Validate the policy source config once (shared across the fleet). For local
+  // mode the ruleset is loaded once and shared by every agent.
+  let sharedLocalRuleset = null;
   if (policiesSource === 'fortress') {
     if (!wmaApiKey) die('error: --policies-source fortress requires --wma-api-key or WMA_API_KEY env');
     if (!fortressBase) die('error: --policies-source fortress requires --fortress-base-url or WMA_FORTRESS_BASE_URL env');
     if (!/^wma_[a-f0-9]{32}$/i.test(wmaApiKey)) warn(`WMA_API_KEY format looks unusual (expected wma_<32hex>).`);
-
-    fortressPolicies = new FortressPolicySource({
-      apiKey: wmaApiKey,
-      base: fortressBase,
-      anthropicAgentId: agentId,
-      refreshIntervalMs: 5 * 60_000,
-      onError: (e) => warn(`policy refresh failed (keeping cached): ${e.message}`),
-      onRefresh: ({ policies, fetched_at, initial }) => {
-        info(`policies ${initial ? 'loaded' : 'refreshed'} from Fortress — ${policies.length} active (fetched_at: ${fetched_at})`);
-      },
-    });
-    try {
-      await fortressPolicies.start();
-    } catch (e) {
-      die(`error fetching policies from Fortress: ${e.message}\n` +
-          `       Check WMA_FORTRESS_BASE_URL and WMA_API_KEY.`);
-    }
-    ruleset = fortressPolicies.current();
   } else if (policiesSource === 'local') {
     if (!policyPath) die('error: --policies-source local requires --policy <path-to-policies.json>');
-    try {
-      ruleset = await loadPolicies(resolve(policyPath));
-    } catch (e) {
-      die(`error loading policies: ${e.message}`);
-    }
+    try { sharedLocalRuleset = await loadPolicies(resolve(policyPath)); }
+    catch (e) { die(`error loading policies: ${e.message}`); }
   } else {
     die('error: --policy <path> OR --policies-source fortress required');
   }
 
-  let mode = 'interrupt';
-  let agentMeta = null;
-  try {
-    agentMeta = await getAgentConfig(apiKey, agentId);
-    if (detectAlwaysAsk(agentMeta)) mode = 'tool_confirmation';
-  } catch (e) {
-    warn(`could not fetch agent config (${e.message}). Defaulting to interrupt mode.`);
-  }
-
-  const sourceLabel = policiesSource === 'fortress'
-    ? `Fortress (${fortressBase})`
-    : policyPath;
-  info(`armed — ${ruleset.policies.length} policies loaded from ${sourceLabel}`);
-  info(`default action when no rule matches: ${ruleset.default.action}`);
-  info(`agent: ${agentId}${agentMeta?.name ? ` "${agentMeta.name}"` : ''}`);
-  info(`enforcement mode: ${mode}`);
-  if (mode === 'interrupt') {
-    warn('DEGRADED mode — Shield will interrupt AFTER a violating tool runs.');
-    warn(`For pre-execution blocking, run: wma-shield --setup-guide --agent-id ${agentId}`);
+  // Resolve the agent list: whole fleet (--all-agents) or a single agent.
+  let agentIds;
+  if (allAgents) {
+    info('discovering agents (fleet mode)…');
+    const all = await listAgents(apiKey).catch((e) => die(`failed to list agents: ${e.message}`));
+    agentIds = all.map((a) => a.id).filter((id) => id && isValidAgentId(id));
+    if (agentIds.length === 0) die('error: no agents found under this API key');
+    info(`fleet: ${agentIds.length} agent(s)`);
+  } else {
+    agentIds = [agentId];
   }
+  const fleet = agentIds.length > 1;
 
-  // Per-session DecisionLogger factory (each session gets its own to keep
-  // sequence numbers monotonic per session).
-  const loggers = new Map();
-  const decisions = (sessionId) => {
-    if (!loggers.has(sessionId)) {
-      loggers.set(sessionId, new DecisionLogger({ logDir, agentId, sessionId }));
-    }
-    return loggers.get(sessionId);
+  // Shared infra: one shutdown signal, one fortress-source registry, one pusher.
+  const ac = new AbortController();
+  const fortressSources = [];
+  const shutdown = (sig) => {
+    info(`${sig} received, shutting down…`);
+    for (const fp of fortressSources) fp.stop();
+    ac.abort();
   };
+  process.on('SIGINT',  () => shutdown('SIGINT'));
+  process.on('SIGTERM', () => shutdown('SIGTERM'));
 
-  // Optional Fortress decision pusher — only active if we have a wma key + base.
-  // In 'fortress' mode this is always available. In 'local' mode it's a fire-
-  // and-forget extra channel if both are set.
+  // Optional Fortress decision pusher (each ctx carries its own agent id, so a
+  // single shared pusher tags decisions with the right agent).
   const canPushToFortress = !!(wmaApiKey && fortressBase);
   const pushDecisionToFortress = canPushToFortress
     ? async (decisionData) => {
-        try {
-          await postDecision({ apiKey: wmaApiKey, base: fortressBase, decision: decisionData });
-        } catch (e) {
-          warn(`Fortress decision push failed: ${e.message}`);
-        }
+        try { await postDecision({ apiKey: wmaApiKey, base: fortressBase, decision: decisionData }); }
+        catch (e) { warn(`Fortress decision push failed: ${e.message}`); }
       }
     : null;
 
-  const ac = new AbortController();
-  process.on('SIGINT',  () => {
-    info('SIGINT received, shutting down…');
-    if (fortressPolicies) fortressPolicies.stop();
-    ac.abort();
-  });
-  process.on('SIGTERM', () => {
-    info('SIGTERM received, shutting down…');
-    if (fortressPolicies) fortressPolicies.stop();
-    ac.abort();
-  });
+  // Per-agent SETUP (separate from the long-running phase so we can COUNT how
+  // many actually armed). In fleet mode a per-agent startup failure is skipped
+  // (warn) instead of killing the fleet. Returns the agent's ctx, or null if skipped.
+  async function setupAgent(aid) {
+    const tag = fleet ? `[${aid.slice(0, 16)}…] ` : '';
+    let fortressPolicies = null;
+    let ruleset = sharedLocalRuleset;
+    if (policiesSource === 'fortress') {
+      fortressPolicies = new FortressPolicySource({
+        apiKey: wmaApiKey, base: fortressBase, anthropicAgentId: aid, refreshIntervalMs: 5 * 60_000,
+        onError: (e) => warn(`${tag}policy refresh failed (keeping cached): ${e.message}`),
+        onRefresh: ({ policies, fetched_at, initial }) => info(`${tag}policies ${initial ? 'loaded' : 'refreshed'} from Fortress — ${policies.length} active (fetched_at: ${fetched_at})`),
+      });
+      try { await fortressPolicies.start(); }
+      catch (e) {
+        if (fleet) { warn(`${tag}skipped — policy fetch failed: ${e.message}`); return null; }
+        die(`error fetching policies from Fortress: ${e.message}\n       Check WMA_FORTRESS_BASE_URL and WMA_API_KEY.`);
+      }
+      fortressSources.push(fortressPolicies);
+      ruleset = fortressPolicies.current();
+    }
 
-  // ctx exposes a getter for the live ruleset so workers see policy refreshes.
-  const ctx = {
-    apiKey,
-    agentId,
-    get ruleset() {
-      return fortressPolicies ? fortressPolicies.current() : ruleset;
-    },
-    mode,
-    decisions,
-    pushDecisionToFortress,
-    signalsSalt,
-    signal: ac.signal,
-  };
+    let mode = 'interrupt';
+    let agentMeta = null;
+    try { agentMeta = await getAgentConfig(apiKey, aid); if (detectAlwaysAsk(agentMeta)) mode = 'tool_confirmation'; }
+    catch (e) { warn(`${tag}could not fetch agent config (${e.message}). Defaulting to interrupt mode.`); }
 
-  if (singleSessionId) {
-    info(`single-session mode — attached to ${singleSessionId}`);
-    await runSessionWorker({ sessionId: singleSessionId, ctx });
-  } else {
-    await runAgentWide(ctx);
+    info(`${tag}armed — ${ruleset.policies.length} policies · default ${ruleset.default.action} · mode ${mode}${agentMeta?.name ? ` · "${agentMeta.name}"` : ''}`);
+    if (mode === 'interrupt' && !fleet) {
+      warn('DEGRADED mode — Shield will interrupt AFTER a violating tool runs.');
+      warn(`For pre-execution blocking, run: wma-shield --setup-guide --agent-id ${aid}`);
+    }
+
+    const loggers = new Map();
+    const decisions = (sessionId) => {
+      if (!loggers.has(sessionId)) loggers.set(sessionId, new DecisionLogger({ logDir, agentId: aid, sessionId }));
+      return loggers.get(sessionId);
+    };
+    return {
+      apiKey, agentId: aid,
+      get ruleset() { return fortressPolicies ? fortressPolicies.current() : ruleset; },
+      mode, decisions, pushDecisionToFortress, signalsSalt, signal: ac.signal,
+    };
+  }
+
+  // Phase 1: arm every agent. Fail LOUD if none armed (otherwise the process would
+  // exit silently and — under launchd/systemd — restart-loop without a clear cause).
+  const ctxs = (await Promise.all(agentIds.map(setupAgent))).filter(Boolean);
+  if (ctxs.length === 0) {
+    die(`error: no agents could be armed (${agentIds.length} discovered; all policy fetches failed). Check WMA_API_KEY / WMA_FORTRESS_BASE_URL.`);
   }
+  if (fleet) info(`armed ${ctxs.length}/${agentIds.length} agent(s); watching.`);
+
+  // Phase 2: run each agent's loop (blocks until SIGINT/SIGTERM).
+  await Promise.all(ctxs.map((ctx) => (
+    singleSessionId ? runSessionWorker({ sessionId: singleSessionId, ctx }) : runAgentWide(ctx)
+  )));
 }
 
 main().catch(e => {

package/src/sources/anthropic-managed.js

@@ -77,6 +77,24 @@ export async function getAgent(apiKey, agentId) {
   return getWithRetry(apiKey, `/v1/agents/${agentId}`);
 }
 
+// List every Managed Agent under the API key (paginated). Used for fleet mode
+// (watch/shield/service --all-agents) and agent discovery.
+export async function listAgents(apiKey, { limit = 100 } = {}) {
+  const agents = [];
+  let after = null;
+  while (true) {
+    const qs = new URLSearchParams({ limit: String(limit) });
+    if (after) qs.set('after_id', after);
+    const data = await getWithRetry(apiKey, `/v1/agents?${qs}`);
+    const page = data.data || [];
+    for (const a of page) agents.push(a);
+    if (!data.has_more || page.length === 0) break;
+    after = page[page.length - 1]?.id;
+    if (!after) break;
+  }
+  return agents;
+}
+
 export async function listSessions(apiKey, { agentId, since, limit = 100 } = {}) {
   const sessions = [];
   let after = null;

package/src/typology-weights.json

@@ -0,0 +1,88 @@
+{
+  "$comment": "WatchMyAgents — typology classifier weights + thresholds (Guardian Core, agent-typology-classification.spec.md §3/§4/§5). INVARIANT: weights and thresholds live HERE, never hardcoded in typology.js ('poids de signature en config, pas en dur'). Calibrate on labelled real traffic. Modèle C: all inputs are anonymized behavioural fractions/flags only.",
+  "version": "0.1.0",
+  "updated_at": "2026-05-29T00:00:00Z",
+
+  "thresholds": {
+    "$comment": "§4 'Seuils par défaut (à calibrer)' + §5 downgrade asymmetry.",
+    "n_events_min": 50,
+    "confidence_min": 0.70,
+    "margin_min": 0.15,
+    "stable_windows": 3,
+    "downgrade_confidence_min": 0.85,
+    "downgrade_windows": 5,
+    "untrusted_modifier_min": 0.1,
+    "sensitive_modifier_min": 0.0,
+    "payment_overlay_min": 0.0,
+    "autonomy_modifier_min": 0.5,
+    "$comment_tie": "§8 conservative tie-break: when |score(top1)-score(top2)| <= tie_epsilon (a near/exact tie between two REAL types with real signal), select the STRICTER of the two rather than falling to the more-permissive generic — 'dans le doute, on reste sur le plus protecteur'. Set to 0 for exact-tie only.",
+    "tie_epsilon": 0.0
+  },
+
+  "confidence_sigmoid": {
+    "$comment": "§4 confidence = sigmoid(a·top1.score + b·margin + c·log(n_events)). All three coefficients live in config; a naive impl that only used top1.score would be wrong.",
+    "a": 4.0,
+    "b": 6.0,
+    "c": 0.6,
+    "bias": -3.5
+  },
+
+  "strictness_rank": {
+    "$comment": "§5 restriction ranking — derived from each template's baseline_policies enforcement severity (isolate>block>require_approval>throttle>monitor>warn). Higher rank = STRICTER. Drives re-classification asymmetry: to a stricter rank = normal threshold; to a looser rank = downgrade gate (conf>=0.85 AND 5 windows). NOT alphabetical.",
+    "devops_infra": 10,
+    "transactional_financial": 9,
+    "workflow_backoffice": 8,
+    "coding": 7,
+    "orchestrator": 6,
+    "browser_web": 5,
+    "personal_assistant": 4,
+    "data_rag": 3,
+    "generic": 2,
+    "customer_facing": 1
+  },
+
+  "features": {
+    "$comment": "Canonical anonymized feature keys (Modèle C). Fractions f_* in [0,1]; flag_* in {0,1}; aux_* in [0,1]. Order is informational only — scoring is key-addressed.",
+    "fractions": ["f_code", "f_browser", "f_database", "f_http", "f_email", "f_payment", "f_secret", "f_search", "f_memory", "f_handoff", "f_user_msg", "f_file"],
+    "flags": ["flag_deploy", "flag_internal_sys", "flag_on_behalf"],
+    "aux": ["aux_autonomy", "aux_untrusted", "aux_sensitive"]
+  },
+
+  "weights": {
+    "$comment": "w[type][feature] — signature weights (§3). Positive = signal for the type; negative = signal against. flag_* are the REQUIRED discriminators for the 3 inseparable pairs (coding/devops, data_rag/workflow, personal_assistant/workflow). 'generic' has no positive weights (pure fallback).",
+
+    "coding": {
+      "f_code": 1.0, "f_file": 0.5, "f_search": 0.3, "f_secret": 0.1,
+      "flag_deploy": -0.9
+    },
+    "devops_infra": {
+      "f_code": 0.7, "f_secret": 0.6, "f_file": 0.2,
+      "flag_deploy": 1.2
+    },
+    "data_rag": {
+      "f_database": 0.8, "f_search": 0.35, "f_memory": 0.7, "aux_untrusted": 0.2,
+      "flag_internal_sys": -0.7
+    },
+    "customer_facing": {
+      "f_user_msg": 1.0, "f_handoff": 0.3, "f_email": 0.2
+    },
+    "browser_web": {
+      "f_browser": 1.0, "f_http": 0.6, "f_search": 0.7
+    },
+    "orchestrator": {
+      "f_handoff": 1.2, "f_code": -0.2, "f_browser": -0.2, "f_database": -0.2
+    },
+    "workflow_backoffice": {
+      "f_database": 0.6, "f_http": 0.5, "f_file": 0.2,
+      "flag_internal_sys": 0.9, "flag_on_behalf": -0.6
+    },
+    "personal_assistant": {
+      "f_email": 0.8, "f_file": 0.4, "f_user_msg": 0.3,
+      "flag_on_behalf": 1.0
+    },
+    "transactional_financial": {
+      "f_payment": 1.5
+    },
+    "generic": {}
+  }
+}