watchmyagents 0.8.2 → 0.9.0

package/README.md

@@ -105,14 +105,15 @@ Each entry carries: `id`, `agent_id`, `framework`, `timestamp`, `action_type`, `
 ### `wma-fetch` — pull events from Anthropic Managed Agents
 
 ```bash
-wma-fetch --agent-id <agent_id> [--session-id <sess_id>] [--since 1h]
+wma-fetch (--agent-id <agent_id> | --all-agents) [--session-id <sess_id>] [--since 1h]
          [--log-dir ./watchmyagents-logs] [--dump-raw]
          [--watch [--interval 5m] [--upload]]
 ```
 
 | Flag | Effect |
 |---|---|
-| `--agent-id agent_xxx` | Required — Anthropic agent identifier |
+| `--agent-id agent_xxx` | Anthropic agent identifier (required unless `--all-agents`) |
+| `--all-agents` | **Fleet mode** (requires `--watch`) — discover ALL agents under the key and watch them in a single process |
 | `--since 1h` / `24h` / `7d` | Fetch window (default: all) |
 | `--session-id sesn_xxx` | Limit to a single session |
 | `--log-dir ./logs` | Where to write NDJSON (default `./watchmyagents-logs`) |
@@ -167,6 +168,21 @@ wma-inspect [path]
 
 Outputs sections aligned with security audit needs: tokens summary, by-tool / by-action-type breakdowns, top tool destinations (URLs / queries), action-sequence transitions, tool error rates, p50/p95/max latency per tool, rate metrics.
 
+### `wma-agents` — discover + classify your agents (typology)
+
+Lists every Managed Agent under your key and classifies each one's **typology**
+(one of 10 Guardian Core archetypes) from its OBSERVED behaviour in your local
+logs — which drives the cold-start Shield template. Modèle C: reads local logs
+only (tool-category fractions, never raw content) and transmits nothing.
+
+```bash
+wma-agents list [--log-dir ~/.watchmyagents/logs] [--json]
+```
+
+With fewer than ~50 observed events an agent stays `generic` (cold start) and
+refines as activity accumulates. Re-classification to a *less strict* type is
+gated (raised confidence + longer window) to resist mimicry-evasion.
+
 ## Automating — continuous monitoring
 
 ### `wma-service` — install as an always-on service (recommended)
@@ -180,7 +196,7 @@ export WMA_API_KEY="wma_..."
 export WMA_FORTRESS_BASE_URL="https://<project>.supabase.co/functions/v1"
 export WMA_SIGNALS_SALT="..."                                 # stable per-customer salt
 
-wma-service install --agent-id agent_01ABC... --interval 5m [--with-shield]
+wma-service install (--agent-id agent_01ABC... | --all-agents) [--interval 5m] [--with-shield]
 wma-service status
 wma-service uninstall [--with-shield]
 ```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "watchmyagents",
-  "version": "0.8.2",
+  "version": "0.9.0",
   "description": "Security observability + real-time policy enforcement for AI agents. Local-first NDJSON capture with a continuous Watch daemon that auto-uploads anonymized signals, Shield CLI that blocks policy violations live (with policies pulled from Fortress cloud), anonymizer producing signals-only payloads, bidirectional sync with WatchMyAgents Fortress, and one-command install as an always-on launchd/systemd service — closing the recursive Watch→Guardian→Shield security loop.",
   "type": "module",
   "files": [
@@ -11,6 +11,7 @@
     "scripts/anonymize.js",
     "scripts/upload-fortress.js",
     "scripts/service.js",
+    "scripts/agents.js",
     "README.md",
     "SECURITY.md",
     "LICENSE"
@@ -21,15 +22,18 @@
     "wma-shield": "scripts/shield.js",
     "wma-anonymize": "scripts/anonymize.js",
     "wma-upload-fortress": "scripts/upload-fortress.js",
-    "wma-service": "scripts/service.js"
+    "wma-service": "scripts/service.js",
+    "wma-agents": "scripts/agents.js"
   },
   "scripts": {
+    "test": "node --test",
     "inspect": "node scripts/inspect.js",
     "fetch": "node scripts/fetch-anthropic.js",
     "shield": "node scripts/shield.js",
     "anonymize": "node scripts/anonymize.js",
     "upload-fortress": "node scripts/upload-fortress.js",
-    "service": "node scripts/service.js"
+    "service": "node scripts/service.js",
+    "agents": "node scripts/agents.js"
   },
   "engines": {
     "node": ">=18.0.0"

package/scripts/agents.js

@@ -0,0 +1,218 @@
+#!/usr/bin/env node
+// wma-agents — discover all Managed Agents under your key and classify each
+// agent's typology from its OBSERVED behaviour (for Shield template selection).
+//
+// Usage:
+//   wma-agents [list] [--log-dir ~/.watchmyagents/logs] [--json]
+//
+// Reads the local Watch logs (NEVER leaves the machine — Modèle C) and derives
+// the anonymized behavioural FEATURE VECTOR per the typology spec:
+//   per-tool-category FRACTIONS (f_*), boolean local flags (flag_*), aux ratios
+//   (aux_*), and n_events. It then calls classifyAgentType() and prints the
+//   schema-conformant result. With <50 events an agent is `generic` (cold start)
+//   and refines as activity accumulates.
+//
+// Modèle C invariant: only counts/ratios/flags are computed here — never raw
+// prompt/output content, never the agent display name. Nothing is transmitted.
+//
+// ANTHROPIC_API_KEY from env (or --api-key, discouraged).
+
+import os from 'node:os';
+import { readdir, stat } from 'node:fs/promises';
+import { createReadStream } from 'node:fs';
+import { createInterface } from 'node:readline';
+import { join, resolve } from 'node:path';
+import { listAgents } from '../src/sources/anthropic-managed.js';
+import { classifyAgentType } from '../src/typology.js';
+import { isValidAgentId, assertSafePathSegment } from '../src/validate.js';
+
+function parseArgs(argv) {
+  const out = { _: [] };
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    if (a.startsWith('--')) {
+      const k = a.slice(2); const n = argv[i + 1];
+      if (n == null || n.startsWith('--')) out[k] = true; else { out[k] = n; i++; }
+    } else out._.push(a);
+  }
+  return out;
+}
+function die(msg, code = 1) { process.stderr.write(`error: ${msg}\n`); process.exit(code); }
+function info(msg) { process.stdout.write(`[wma-agents] ${msg}\n`); }
+
+// Action types that represent a TOOL invocation (the denominator for f_* tool
+// fractions). Confirmed produced by src/sources/anthropic-managed.js.
+const TOOL_ACTIONS = new Set(['tool_use', 'mcp_tool_use', 'custom_tool_use']);
+
+// ──────────────────────────────────────────────────────────────────────────
+// Tool-name → category mapping (Modèle C: name-based, no content). Managed
+// Agents expose tools as an opaque bundle, so tool_name is free-text. We match
+// the confirmed built-ins (web_search, web_fetch, bash) plus best-effort
+// regexes for common tool names. A tool that matches nothing contributes to the
+// denominator but to no category (honest: unknown ≠ inferred).
+// ──────────────────────────────────────────────────────────────────────────
+const CATEGORY_RULES = [
+  // category,    matcher (lower-cased tool_name)
+  ['search',   (n) => /(^|_)web_search$|(^|_)search($|_)|google|brave/.test(n)],
+  ['browser',  (n) => /web_fetch|browser|playwright|puppeteer|navigate|screenshot/.test(n)],
+  ['http',     (n) => /(^|_)http|fetch_url|curl|request|webhook|api_call/.test(n)],
+  ['code',     (n) => /bash|shell|terminal|code_exec|exec_|python|node_run|run_code|interpreter/.test(n)],
+  ['database', (n) => /sql|query_db|database|postgres|mysql|mongo|redis|bigquery|snowflake/.test(n)],
+  ['email',    (n) => /email|gmail|smtp|sendmail|mailgun|outlook/.test(n)],
+  ['payment',  (n) => /payment|charge|transfer|invoice|stripe|paypal|payout|refund|checkout/.test(n)],
+  ['secret',   (n) => /secret|vault|credential|kms|keychain|token_get/.test(n)],
+  ['memory',   (n) => /memory|retriev|vector|(^|_)rag($|_)|knowledge|embed|pinecone|chroma/.test(n)],
+  ['file',     (n) => /editor|str_replace|read_file|write_file|create_file|file_io|(^|_)file($|_)|fs_/.test(n)],
+];
+
+// Best-effort deploy detection (spec discriminator devops_infra vs coding).
+const DEPLOY_RE = /deploy|terraform|kubectl|helm|(^|_)release($|_)|ansible|pulumi|cloudformation/;
+
+function categoryOf(toolName) {
+  const n = String(toolName || '').toLowerCase();
+  for (const [cat, m] of CATEGORY_RULES) if (m(n)) return cat;
+  return null;
+}
+
+// Aggregate raw counts from an agent's local NDJSON logs (Modèle C: counts only).
+async function aggregate(logDir, agentId) {
+  const actionCounts = {};       // action_type → count
+  const categoryCounts = {};     // tool category → count
+  let toolEvents = 0;            // denominator for f_* fractions
+  let deployUses = 0;
+  const dir = join(logDir, agentId);
+  const s = await stat(dir).catch(() => null);
+  if (!s || !s.isDirectory()) return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: false };
+  let names;
+  try { names = await readdir(dir); } catch { return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: false }; }
+  const files = names.filter((n) => n.endsWith('.ndjson') && !n.startsWith('raw-'));
+  if (files.length === 0) return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: false };
+
+  for (const f of files) {
+    await new Promise((res) => {
+      const rl = createInterface({ input: createReadStream(join(dir, f), { encoding: 'utf8' }), crlfDelay: Infinity });
+      rl.on('line', (line) => {
+        if (!line.trim()) return;
+        let e; try { e = JSON.parse(line); } catch { return; }
+        if (e.action_type) actionCounts[e.action_type] = (actionCounts[e.action_type] || 0) + 1;
+        if (TOOL_ACTIONS.has(e.action_type)) {
+          toolEvents += 1;
+          const cat = categoryOf(e.tool_name);
+          if (cat) categoryCounts[cat] = (categoryCounts[cat] || 0) + 1;
+          if (DEPLOY_RE.test(String(e.tool_name || '').toLowerCase())) deployUses += 1;
+        }
+      });
+      rl.on('close', res); rl.on('error', res);
+    });
+  }
+  return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: true };
+}
+
+// Features that the WMA NDJSON logs CANNOT reliably expose today (opaque tool
+// names / no behavioural signal / content off-limits under Modèle C). They
+// default to 0/false; the caller prints a one-line note.
+const NON_DERIVABLE = [
+  'f_database', 'f_email', 'f_payment', 'f_secret', 'f_memory',
+  'flag_internal_sys', 'flag_on_behalf', 'aux_untrusted', 'aux_sensitive',
+];
+
+// Build the canonical anonymized FEATURE VECTOR from the aggregated counts.
+// Fractions = category_count / toolEvents. n_events = total observed events.
+function buildFeatures(agg) {
+  const { actionCounts, categoryCounts, toolEvents, deployUses } = agg;
+  const nEvents = Object.values(actionCounts).reduce((a, b) => a + b, 0);
+  const frac = (c) => (toolEvents > 0 ? (categoryCounts[c] || 0) / toolEvents : 0);
+  const eventFrac = (...types) => (nEvents > 0
+    ? types.reduce((a, t) => a + (actionCounts[t] || 0), 0) / nEvents
+    : 0);
+
+  // f_handoff / f_user_msg are derived from event TYPE (not tool category):
+  // confirmed action_types thread_message_* and user_message.
+  const handoff = eventFrac('thread_message_sent', 'thread_message_received', 'thread_created');
+  const userMsg = eventFrac('user_message');
+
+  // aux_autonomy ≈ 1 − (human-in-the-loop event share). Confirmed action_types
+  // user_message / user_interrupt / tool_confirmation mark human involvement; an
+  // agent that proceeds without them is more autonomous. Heuristic — documented.
+  const hitlShare = eventFrac('user_message', 'user_interrupt', 'tool_confirmation');
+  const auxAutonomy = nEvents > 0 ? Math.max(0, 1 - hitlShare) : 0;
+
+  return {
+    // tool-category fractions (over tool uses)
+    f_code: frac('code'),
+    f_browser: frac('browser'),
+    f_database: frac('database'),     // non-derivable in practice → ~0
+    f_http: frac('http'),
+    f_email: frac('email'),           // non-derivable in practice → ~0
+    f_payment: frac('payment'),       // non-derivable in practice → ~0
+    f_secret: frac('secret'),         // non-derivable in practice → ~0
+    f_search: frac('search'),
+    f_memory: frac('memory'),         // non-derivable in practice → ~0
+    f_file: frac('file'),
+    // event-type fractions (over all events)
+    f_handoff: handoff,
+    f_user_msg: userMsg,
+    // discriminator flags (best-effort; only flag_deploy has any behavioural
+    // signal — and only if the agent literally names a deploy tool).
+    flag_deploy: deployUses > 0 ? 1 : 0,
+    flag_internal_sys: 0,             // no behavioural signal in logs
+    flag_on_behalf: 0,                // no behavioural signal in logs
+    // aux ratios
+    aux_autonomy: auxAutonomy,        // heuristic (HITL-frequency)
+    aux_untrusted: 0,                 // no honest source in logs
+    aux_sensitive: 0,                 // no honest source in logs
+    // window size
+    n_events: nEvents,
+  };
+}
+
+async function main() {
+  const args = parseArgs(process.argv.slice(2));
+  if (args._[0] && args._[0] !== 'list') die(`unknown command "${args._[0]}" (only "list" supported)`);
+  const apiKey = args['api-key'] || process.env.ANTHROPIC_API_KEY;
+  if (!apiKey) die('--api-key or ANTHROPIC_API_KEY required');
+  if (args['api-key']) process.stderr.write('[wma-agents] WARNING: --api-key is visible in shell history; prefer ANTHROPIC_API_KEY env\n');
+  const logDir = resolve(args['log-dir'] || join(os.homedir(), '.watchmyagents', 'logs'));
+  const asJson = !!args.json;
+
+  let agents;
+  try { agents = await listAgents(apiKey); }
+  catch (e) { die(`failed to list agents: ${e.message}`); }
+
+  const results = [];
+  for (const a of agents) {
+    if (!a.id || !isValidAgentId(a.id)) continue;
+    assertSafePathSegment(a.id, 'agent id');
+    const agg = await aggregate(logDir, a.id);
+    const features = buildFeatures(agg);
+    features.agent_id = a.id;
+    // No prior state threaded here (single-shot CLI snapshot); the continuous
+    // Watch daemon is responsible for threading window state across runs.
+    const cls = classifyAgentType(features);
+    results.push({
+      id: a.id,
+      name: a.name || '(unnamed)',     // shown for the human only — NOT a classification signal
+      hasLogs: agg.hasLogs,
+      ...cls,
+    });
+  }
+
+  if (asJson) { process.stdout.write(JSON.stringify(results, null, 2) + '\n'); return; }
+
+  info(`discovered ${results.length} agent(s) - classified from local logs in ${logDir}`);
+  info(`Modele C: features below default to 0 (logs don't expose them): ${NON_DERIVABLE.join(', ')}`);
+  process.stdout.write('\n');
+  for (const r of results) {
+    const mods = (r.modifiers && r.modifiers.length) ? ` [+${r.modifiers.join(',')}]` : '';
+    const overlay = r.evidence?.payment_overlay ? '  (+transactional overlay)' : '';
+    process.stdout.write(`  ${r.name}\n`);
+    process.stdout.write(`    ${r.id}\n`);
+    process.stdout.write(`    -> ${r.classified_type}  (conf ${Math.round(r.confidence * 100)}%, ${r.stage})${mods}${overlay}\n`);
+    process.stdout.write(`    evidence: ${r.evidence.window_events} events, top2=${r.evidence.top2_type}, margin=${r.evidence.margin}\n`);
+    if (!r.hasLogs) process.stdout.write('    (no local logs yet - cold start)\n');
+    process.stdout.write('\n');
+  }
+  info('type drives the cold-start Shield template (Guardian Core §8). The global-baseline floor applies regardless of classification.');
+}
+
+main().catch((e) => { process.stderr.write(`error: ${e.stack || e.message}\n`); process.exit(1); });

package/scripts/fetch-anthropic.js

@@ -31,7 +31,7 @@ import { SignalsAggregator } from '../src/anonymizer.js';
 import { resolveFortressBase, fortressEndpoint } from '../src/fortress/url.js';
 import { isValidAgentId, isValidSessionId, assertSafePathSegment } from '../src/validate.js';
 import {
-  getAgent, listSessions, fetchSessionEntries, fetchRawEvents,
+  getAgent, listAgents, listSessions, fetchSessionEntries, fetchRawEvents,
 } from '../src/sources/anthropic-managed.js';
 
 function parseArgs(argv) {
@@ -70,6 +70,9 @@ function parseSince(s) {
 function die(msg, code = 1) { process.stderr.write(`${msg}\n`); process.exit(code); }
 function info(msg) { process.stdout.write(`[wma-fetch] ${msg}\n`); }
 function warn(msg) { process.stderr.write(`[wma-fetch] ⚠️  ${msg}\n`); }
+// Strip control chars + truncate a customer-set agent name before it goes into
+// a log line or the Fortress display_name (defense-in-depth vs log/payload injection).
+function cleanLabel(s) { return [...String(s ?? '')].filter((c) => c.charCodeAt(0) >= 32 && c.charCodeAt(0) !== 127).join('').slice(0, 60).trim(); }
 
 function resolveModel(agent) {
   const raw = agent.model || agent.config?.model || null;
@@ -198,10 +201,14 @@ async function fetchOneShot({ apiKey, agentId, model, logDir, since, sessionId,
   process.stdout.write(`[wma-fetch] inspect with: npx wma-inspect ${logDir}\n`);
 }
 
-// ── CONTINUOUS / DAEMON ─────────────────────────────────────────────────────
-async function runWatch({ apiKey, agentId, model, displayName, logDir, intervalMs, uploadCtx }) {
-  const seenIds = await preloadSeenIds(logDir, agentId);
-  const loggers = new Map();     // sessionId → Logger (persists sequence across cycles)
+// ── CONTINUOUS / DAEMON (single agent or whole fleet) ───────────────────────
+// `agents` = [{ agentId, model, displayName }]. One process watches them all.
+async function runWatch({ apiKey, agents, logDir, intervalMs, uploadCtx }) {
+  const seenIds = new Set();     // stable Anthropic event ids already captured
+  for (const ag of agents) {
+    for (const id of await preloadSeenIds(logDir, ag.agentId)) seenIds.add(id);
+  }
+  const loggers = new Map();     // sessionId → Logger (session ids are globally unique)
   const ended = new Set();       // sessions we've already closed with session_end
 
   const ac = new AbortController();
@@ -209,56 +216,62 @@ async function runWatch({ apiKey, agentId, model, displayName, logDir, intervalM
   process.on('SIGINT', shutdown);
   process.on('SIGTERM', shutdown);
 
-  info(`watch mode — interval ${Math.round(intervalMs / 1000)}s, upload ${uploadCtx ? 'ON' : 'OFF'}, ${seenIds.size} known events preloaded`);
+  const fleet = agents.length > 1;
+  info(`watch mode — ${agents.length} agent(s), interval ${Math.round(intervalMs / 1000)}s, upload ${uploadCtx ? 'ON' : 'OFF'}, ${seenIds.size} known events preloaded`);
 
   while (!ac.signal.aborted) {
     const since = new Date(Date.now() - 24 * 3600 * 1000);
-    let sessions = [];
-    try { sessions = await listSessions(apiKey, { agentId, since }); }
-    catch (e) { warn(`listSessions failed: ${e.message}`); }
-
     let cycleNew = 0;
-    for (const s of sessions) {
-      if (!s.id || ended.has(s.id)) continue;
-      let logger = loggers.get(s.id);
-      if (!logger) { logger = new Logger({ logDir, agentId, sessionId: s.id, silent: true }); loggers.set(s.id, logger); }
 
-      const fresh = [];
-      let sawTerminated = false;
-      try {
-        for await (const entry of fetchSessionEntries({ apiKey, agentId, sessionId: s.id, model })) {
-          if (entry.id && seenIds.has(entry.id)) continue;
-          if (entry.id) seenIds.add(entry.id);
-          const written = await logger.write(entry);
-          fresh.push(written);
-          if (entry.action_type === 'state_transition'
-              && entry.output?.scope === 'session'
-              && entry.output?.state === 'terminated') sawTerminated = true;
-        }
-      } catch (e) { warn(`session ${s.id}: fetch failed: ${e.message}`); continue; }
+    for (const ag of agents) {
+      if (ac.signal.aborted) break;
+      const tag = fleet ? `[${ag.displayName}] ` : '';
+      let sessions = [];
+      try { sessions = await listSessions(apiKey, { agentId: ag.agentId, since }); }
+      catch (e) { warn(`${tag}listSessions failed: ${e.message}`); continue; }
 
-      if (fresh.length === 0) continue;
-      cycleNew += fresh.length;
-      info(`session ${s.id.slice(0, 16)}…: +${fresh.length} new event(s)`);
+      for (const s of sessions) {
+        if (!s.id || ended.has(s.id)) continue;
+        let logger = loggers.get(s.id);
+        if (!logger) { logger = new Logger({ logDir, agentId: ag.agentId, sessionId: s.id, silent: true }); loggers.set(s.id, logger); }
 
-      if (uploadCtx) {
+        const fresh = [];
+        let sawTerminated = false;
         try {
-          const resp = await uploadSignals(uploadCtx, agentId, displayName, fresh);
-          if (resp?.signal_id) info(`  ↑ signals uploaded (signal_id ${resp.signal_id})`);
-        } catch (e) { warn(`  signals upload failed: ${e.message}`); }
-      }
+          for await (const entry of fetchSessionEntries({ apiKey, agentId: ag.agentId, sessionId: s.id, model: ag.model })) {
+            if (entry.id && seenIds.has(entry.id)) continue;
+            if (entry.id) seenIds.add(entry.id);
+            const written = await logger.write(entry);
+            fresh.push(written);
+            if (entry.action_type === 'state_transition'
+                && entry.output?.scope === 'session'
+                && entry.output?.state === 'terminated') sawTerminated = true;
+          }
+        } catch (e) { warn(`${tag}session ${s.id.slice(0, 16)}…: fetch failed: ${e.message}`); continue; }
+
+        if (fresh.length === 0) continue;
+        cycleNew += fresh.length;
+        info(`${tag}session ${s.id.slice(0, 16)}…: +${fresh.length} new event(s)`);
 
-      if (sawTerminated) {
-        const tracker = new TokenTracker();
-        for (const e of fresh) tracker.record(e);
-        const stats = tracker.stats().total;
-        await logger.write({
-          action_type: 'session_end', framework: 'anthropic-managed', status: 'ok', model,
-          session_tokens: { input: stats.input, output: stats.output, cache_read: stats.cache_read, cache_creation: stats.cache_creation, total: stats.sum },
-          session_cost_usd: stats.cost_usd || null,
-        });
-        ended.add(s.id);
-        info(`session ${s.id.slice(0, 16)}… terminated — closed`);
+        if (uploadCtx) {
+          try {
+            const resp = await uploadSignals(uploadCtx, ag.agentId, ag.displayName, fresh);
+            if (resp?.signal_id) info(`  ↑ signals uploaded (signal_id ${resp.signal_id})`);
+          } catch (e) { warn(`  signals upload failed: ${e.message}`); }
+        }
+
+        if (sawTerminated) {
+          const tracker = new TokenTracker();
+          for (const e of fresh) tracker.record(e);
+          const stats = tracker.stats().total;
+          await logger.write({
+            action_type: 'session_end', framework: 'anthropic-managed', status: 'ok', model: ag.model,
+            session_tokens: { input: stats.input, output: stats.output, cache_read: stats.cache_read, cache_creation: stats.cache_creation, total: stats.sum },
+            session_cost_usd: stats.cost_usd || null,
+          });
+          ended.add(s.id);
+          info(`${tag}session ${s.id.slice(0, 16)}… terminated — closed`);
+        }
       }
     }
 
@@ -275,10 +288,12 @@ async function main() {
   const logDir = resolve(args['log-dir'] || './watchmyagents-logs');
   const watch = !!args.watch;
   const upload = !!args.upload;
+  const allAgents = !!args['all-agents'];
 
   if (!apiKey) die('error: --api-key or ANTHROPIC_API_KEY required');
-  if (!agentId) die('error: --agent-id required (e.g. agent_01ABC...)');
-  if (!isValidAgentId(agentId)) {
+  if (!allAgents && !agentId) die('error: --agent-id required (or --all-agents for fleet mode)');
+  if (allAgents && !watch) die('error: --all-agents requires --watch (fleet daemon). For a one-shot, target a single --agent-id.');
+  if (agentId && !isValidAgentId(agentId)) {
     die(`error: --agent-id has invalid format (expected "agent_" + alphanumeric, got "${agentId}")`);
   }
   const sessionIdArg = args['session-id'];
@@ -303,18 +318,30 @@ async function main() {
     uploadCtx = { apiKey: wmaKey, salt, url: fortressEndpoint(base, 'ingest-signals') };
   }
 
-  info(`resolving agent ${agentId}…`);
-  const agent = await getAgent(apiKey, agentId).catch((e) => die(`failed to GET agent: ${e.message}`));
-  const model = resolveModel(agent);
-  const displayName = agent.name || agentId;
-  info(`model: ${model || '(unknown)'}`);
+  // Resolve the agent list: the whole fleet (--all-agents) or a single agent.
+  let agents;
+  if (allAgents) {
+    info('discovering agents (fleet mode)…');
+    const all = await listAgents(apiKey).catch((e) => die(`failed to list agents: ${e.message}`));
+    agents = all
+      .filter((a) => a.id && isValidAgentId(a.id))
+      .map((a) => ({ agentId: a.id, model: resolveModel(a), displayName: cleanLabel(a.name || a.id) }));
+    if (agents.length === 0) die('error: no agents found under this API key');
+    info(`fleet: ${agents.length} agent(s) — ${agents.map((a) => a.displayName).join(', ')}`);
+  } else {
+    info(`resolving agent ${agentId}…`);
+    const agent = await getAgent(apiKey, agentId).catch((e) => die(`failed to GET agent: ${e.message}`));
+    agents = [{ agentId, model: resolveModel(agent), displayName: cleanLabel(agent.name || agentId) }];
+    info(`model: ${agents[0].model || '(unknown)'}`);
+  }
 
   if (watch) {
     const intervalMs = parseDurationMs(args.interval, 5 * 60_000);
-    await runWatch({ apiKey, agentId, model, displayName, logDir, intervalMs, uploadCtx });
+    await runWatch({ apiKey, agents, logDir, intervalMs, uploadCtx });
   } else {
     const since = args.since ? parseSince(args.since) : null;
-    await fetchOneShot({ apiKey, agentId, model, logDir, since, sessionId: args['session-id'], dumpRaw: !!args['dump-raw'] });
+    const a = agents[0];
+    await fetchOneShot({ apiKey, agentId: a.agentId, model: a.model, logDir, since, sessionId: args['session-id'], dumpRaw: !!args['dump-raw'] });
   }
 }
 

package/scripts/service.js

@@ -251,9 +251,10 @@ function linuxUninstallOne(label) {
 
 // ── Commands ────────────────────────────────────────────────────────────--
 function cmdInstall(args) {
+  const allAgents = !!args['all-agents'];
   const agentId = args['agent-id'];
-  if (!agentId) die('--agent-id required (e.g. agent_01ABC...)');
-  if (!isValidAgentId(agentId)) die(`--agent-id invalid format (expected "agent_" + alphanumeric, got "${agentId}")`);
+  if (!allAgents && !agentId) die('--agent-id required (or --all-agents to cover the whole fleet)');
+  if (agentId && !isValidAgentId(agentId)) die(`--agent-id invalid format (expected "agent_" + alphanumeric, got "${agentId}")`);
   const interval = args.interval || '5m';
   if (!/^\d+[smhd]$/.test(interval)) die(`--interval invalid format (expected like 30s, 5m, 1h, 2d; got "${interval}")`);
   const logDir = args['log-dir'] || LOG_DIR_DEFAULT;
@@ -262,14 +263,15 @@ function cmdInstall(args) {
   if (PLATFORM !== 'darwin' && PLATFORM !== 'linux') {
     die(`unsupported platform "${PLATFORM}". Supported: macOS (launchd), Linux (systemd).\n` +
         '       Run the daemon manually or wrap it in your own process manager:\n' +
-        `         wma-fetch --agent-id ${agentId} --watch --upload --interval ${interval}`);
+        `         wma-fetch ${allAgents ? '--all-agents' : `--agent-id ${agentId}`} --watch --upload --interval ${interval}`);
   }
 
   mkdirSync(logDir, { recursive: true, mode: 0o700 });
   writeEnvFile();
 
-  const watchArgs = ['--agent-id', agentId, '--watch', '--upload', '--interval', interval, '--log-dir', logDir];
-  const shieldArgs = ['--agent-id', agentId, '--policies-source', 'fortress', '--log-dir', logDir];
+  const target = allAgents ? ['--all-agents'] : ['--agent-id', agentId];
+  const watchArgs = [...target, '--watch', '--upload', '--interval', interval, '--log-dir', logDir];
+  const shieldArgs = [...target, '--policies-source', 'fortress', '--log-dir', logDir];
 
   if (PLATFORM === 'darwin') {
     macInstallOne(WATCH_LABEL, FETCH_SCRIPT, watchArgs);

package/scripts/shield.js

@@ -33,7 +33,7 @@ import {
   getAgentConfig, detectAlwaysAsk,
 } from '../src/shield/enforce.js';
 import { DecisionLogger } from '../src/shield/decisions.js';
-import { listSessions } from '../src/sources/anthropic-managed.js';
+import { listSessions, listAgents } from '../src/sources/anthropic-managed.js';
 import { FortressPolicySource, postDecision } from '../src/shield/sources/fortress.js';
 import { resolveFortressBase } from '../src/fortress/url.js';
 import { isValidAgentId, isValidSessionId } from '../src/validate.js';
@@ -423,10 +423,15 @@ async function main() {
     explicitUrl: args['fortress-url'],
   });
   const logDir = resolve(args['log-dir'] || './watchmyagents-logs');
+  const allAgents = !!args['all-agents'];
 
   if (!apiKey) die('error: --api-key or ANTHROPIC_API_KEY required');
-  if (!agentId) die('error: --agent-id required');
-  if (!isValidAgentId(agentId)) {
+  if (!allAgents && !agentId) die('error: --agent-id required (or --all-agents for fleet mode)');
+  if (allAgents && singleSessionId) die('error: --all-agents is incompatible with --session-id');
+  if (allAgents && policiesSource !== 'fortress') {
+    die('error: --all-agents requires --policies-source fortress (per-agent policies).');
+  }
+  if (agentId && !isValidAgentId(agentId)) {
     die(`error: --agent-id has invalid format (expected "agent_" + alphanumeric, got "${agentId}")`);
   }
   // --session-id ends up in the Anthropic SSE URL path (src/shield/stream.js).
@@ -435,120 +440,112 @@ async function main() {
     die(`error: --session-id has invalid format (expected "sesn_" + alphanumeric, got "${singleSessionId}")`);
   }
 
-  // Policies source: --policies-source fortress | local  (default infers from --policy)
-  let ruleset;          // for 'local' mode: static; for 'fortress': initial snapshot
-  let fortressPolicies; // FortressPolicySource instance, used as ground truth at runtime
-
+  // Validate the policy source config once (shared across the fleet). For local
+  // mode the ruleset is loaded once and shared by every agent.
+  let sharedLocalRuleset = null;
   if (policiesSource === 'fortress') {
     if (!wmaApiKey) die('error: --policies-source fortress requires --wma-api-key or WMA_API_KEY env');
     if (!fortressBase) die('error: --policies-source fortress requires --fortress-base-url or WMA_FORTRESS_BASE_URL env');
     if (!/^wma_[a-f0-9]{32}$/i.test(wmaApiKey)) warn(`WMA_API_KEY format looks unusual (expected wma_<32hex>).`);
-
-    fortressPolicies = new FortressPolicySource({
-      apiKey: wmaApiKey,
-      base: fortressBase,
-      anthropicAgentId: agentId,
-      refreshIntervalMs: 5 * 60_000,
-      onError: (e) => warn(`policy refresh failed (keeping cached): ${e.message}`),
-      onRefresh: ({ policies, fetched_at, initial }) => {
-        info(`policies ${initial ? 'loaded' : 'refreshed'} from Fortress — ${policies.length} active (fetched_at: ${fetched_at})`);
-      },
-    });
-    try {
-      await fortressPolicies.start();
-    } catch (e) {
-      die(`error fetching policies from Fortress: ${e.message}\n` +
-          `       Check WMA_FORTRESS_BASE_URL and WMA_API_KEY.`);
-    }
-    ruleset = fortressPolicies.current();
   } else if (policiesSource === 'local') {
     if (!policyPath) die('error: --policies-source local requires --policy <path-to-policies.json>');
-    try {
-      ruleset = await loadPolicies(resolve(policyPath));
-    } catch (e) {
-      die(`error loading policies: ${e.message}`);
-    }
+    try { sharedLocalRuleset = await loadPolicies(resolve(policyPath)); }
+    catch (e) { die(`error loading policies: ${e.message}`); }
   } else {
     die('error: --policy <path> OR --policies-source fortress required');
   }
 
-  let mode = 'interrupt';
-  let agentMeta = null;
-  try {
-    agentMeta = await getAgentConfig(apiKey, agentId);
-    if (detectAlwaysAsk(agentMeta)) mode = 'tool_confirmation';
-  } catch (e) {
-    warn(`could not fetch agent config (${e.message}). Defaulting to interrupt mode.`);
-  }
-
-  const sourceLabel = policiesSource === 'fortress'
-    ? `Fortress (${fortressBase})`
-    : policyPath;
-  info(`armed — ${ruleset.policies.length} policies loaded from ${sourceLabel}`);
-  info(`default action when no rule matches: ${ruleset.default.action}`);
-  info(`agent: ${agentId}${agentMeta?.name ? ` "${agentMeta.name}"` : ''}`);
-  info(`enforcement mode: ${mode}`);
-  if (mode === 'interrupt') {
-    warn('DEGRADED mode — Shield will interrupt AFTER a violating tool runs.');
-    warn(`For pre-execution blocking, run: wma-shield --setup-guide --agent-id ${agentId}`);
+  // Resolve the agent list: whole fleet (--all-agents) or a single agent.
+  let agentIds;
+  if (allAgents) {
+    info('discovering agents (fleet mode)…');
+    const all = await listAgents(apiKey).catch((e) => die(`failed to list agents: ${e.message}`));
+    agentIds = all.map((a) => a.id).filter((id) => id && isValidAgentId(id));
+    if (agentIds.length === 0) die('error: no agents found under this API key');
+    info(`fleet: ${agentIds.length} agent(s)`);
+  } else {
+    agentIds = [agentId];
   }
+  const fleet = agentIds.length > 1;
 
-  // Per-session DecisionLogger factory (each session gets its own to keep
-  // sequence numbers monotonic per session).
-  const loggers = new Map();
-  const decisions = (sessionId) => {
-    if (!loggers.has(sessionId)) {
-      loggers.set(sessionId, new DecisionLogger({ logDir, agentId, sessionId }));
-    }
-    return loggers.get(sessionId);
+  // Shared infra: one shutdown signal, one fortress-source registry, one pusher.
+  const ac = new AbortController();
+  const fortressSources = [];
+  const shutdown = (sig) => {
+    info(`${sig} received, shutting down…`);
+    for (const fp of fortressSources) fp.stop();
+    ac.abort();
   };
+  process.on('SIGINT',  () => shutdown('SIGINT'));
+  process.on('SIGTERM', () => shutdown('SIGTERM'));
 
-  // Optional Fortress decision pusher — only active if we have a wma key + base.
-  // In 'fortress' mode this is always available. In 'local' mode it's a fire-
-  // and-forget extra channel if both are set.
+  // Optional Fortress decision pusher (each ctx carries its own agent id, so a
+  // single shared pusher tags decisions with the right agent).
   const canPushToFortress = !!(wmaApiKey && fortressBase);
   const pushDecisionToFortress = canPushToFortress
     ? async (decisionData) => {
-        try {
-          await postDecision({ apiKey: wmaApiKey, base: fortressBase, decision: decisionData });
-        } catch (e) {
-          warn(`Fortress decision push failed: ${e.message}`);
-        }
+        try { await postDecision({ apiKey: wmaApiKey, base: fortressBase, decision: decisionData }); }
+        catch (e) { warn(`Fortress decision push failed: ${e.message}`); }
       }
     : null;
 
-  const ac = new AbortController();
-  process.on('SIGINT',  () => {
-    info('SIGINT received, shutting down…');
-    if (fortressPolicies) fortressPolicies.stop();
-    ac.abort();
-  });
-  process.on('SIGTERM', () => {
-    info('SIGTERM received, shutting down…');
-    if (fortressPolicies) fortressPolicies.stop();
-    ac.abort();
-  });
+  // Per-agent SETUP (separate from the long-running phase so we can COUNT how
+  // many actually armed). In fleet mode a per-agent startup failure is skipped
+  // (warn) instead of killing the fleet. Returns the agent's ctx, or null if skipped.
+  async function setupAgent(aid) {
+    const tag = fleet ? `[${aid.slice(0, 16)}…] ` : '';
+    let fortressPolicies = null;
+    let ruleset = sharedLocalRuleset;
+    if (policiesSource === 'fortress') {
+      fortressPolicies = new FortressPolicySource({
+        apiKey: wmaApiKey, base: fortressBase, anthropicAgentId: aid, refreshIntervalMs: 5 * 60_000,
+        onError: (e) => warn(`${tag}policy refresh failed (keeping cached): ${e.message}`),
+        onRefresh: ({ policies, fetched_at, initial }) => info(`${tag}policies ${initial ? 'loaded' : 'refreshed'} from Fortress — ${policies.length} active (fetched_at: ${fetched_at})`),
+      });
+      try { await fortressPolicies.start(); }
+      catch (e) {
+        if (fleet) { warn(`${tag}skipped — policy fetch failed: ${e.message}`); return null; }
+        die(`error fetching policies from Fortress: ${e.message}\n       Check WMA_FORTRESS_BASE_URL and WMA_API_KEY.`);
+      }
+      fortressSources.push(fortressPolicies);
+      ruleset = fortressPolicies.current();
+    }
 
-  // ctx exposes a getter for the live ruleset so workers see policy refreshes.
-  const ctx = {
-    apiKey,
-    agentId,
-    get ruleset() {
-      return fortressPolicies ? fortressPolicies.current() : ruleset;
-    },
-    mode,
-    decisions,
-    pushDecisionToFortress,
-    signalsSalt,
-    signal: ac.signal,
-  };
+    let mode = 'interrupt';
+    let agentMeta = null;
+    try { agentMeta = await getAgentConfig(apiKey, aid); if (detectAlwaysAsk(agentMeta)) mode = 'tool_confirmation'; }
+    catch (e) { warn(`${tag}could not fetch agent config (${e.message}). Defaulting to interrupt mode.`); }
 
-  if (singleSessionId) {
-    info(`single-session mode — attached to ${singleSessionId}`);
-    await runSessionWorker({ sessionId: singleSessionId, ctx });
-  } else {
-    await runAgentWide(ctx);
+    info(`${tag}armed — ${ruleset.policies.length} policies · default ${ruleset.default.action} · mode ${mode}${agentMeta?.name ? ` · "${agentMeta.name}"` : ''}`);
+    if (mode === 'interrupt' && !fleet) {
+      warn('DEGRADED mode — Shield will interrupt AFTER a violating tool runs.');
+      warn(`For pre-execution blocking, run: wma-shield --setup-guide --agent-id ${aid}`);
+    }
+
+    const loggers = new Map();
+    const decisions = (sessionId) => {
+      if (!loggers.has(sessionId)) loggers.set(sessionId, new DecisionLogger({ logDir, agentId: aid, sessionId }));
+      return loggers.get(sessionId);
+    };
+    return {
+      apiKey, agentId: aid,
+      get ruleset() { return fortressPolicies ? fortressPolicies.current() : ruleset; },
+      mode, decisions, pushDecisionToFortress, signalsSalt, signal: ac.signal,
+    };
+  }
+
+  // Phase 1: arm every agent. Fail LOUD if none armed (otherwise the process would
+  // exit silently and — under launchd/systemd — restart-loop without a clear cause).
+  const ctxs = (await Promise.all(agentIds.map(setupAgent))).filter(Boolean);
+  if (ctxs.length === 0) {
+    die(`error: no agents could be armed (${agentIds.length} discovered; all policy fetches failed). Check WMA_API_KEY / WMA_FORTRESS_BASE_URL.`);
   }
+  if (fleet) info(`armed ${ctxs.length}/${agentIds.length} agent(s); watching.`);
+
+  // Phase 2: run each agent's loop (blocks until SIGINT/SIGTERM).
+  await Promise.all(ctxs.map((ctx) => (
+    singleSessionId ? runSessionWorker({ sessionId: singleSessionId, ctx }) : runAgentWide(ctx)
+  )));
 }
 
 main().catch(e => {

package/src/sources/anthropic-managed.js

@@ -77,6 +77,24 @@ export async function getAgent(apiKey, agentId) {
   return getWithRetry(apiKey, `/v1/agents/${agentId}`);
 }
 
+// List every Managed Agent under the API key (paginated). Used for fleet mode
+// (watch/shield/service --all-agents) and agent discovery.
+export async function listAgents(apiKey, { limit = 100 } = {}) {
+  const agents = [];
+  let after = null;
+  while (true) {
+    const qs = new URLSearchParams({ limit: String(limit) });
+    if (after) qs.set('after_id', after);
+    const data = await getWithRetry(apiKey, `/v1/agents?${qs}`);
+    const page = data.data || [];
+    for (const a of page) agents.push(a);
+    if (!data.has_more || page.length === 0) break;
+    after = page[page.length - 1]?.id;
+    if (!after) break;
+  }
+  return agents;
+}
+
 export async function listSessions(apiKey, { agentId, since, limit = 100 } = {}) {
   const sessions = [];
   let after = null;

package/src/typology-weights.json

@@ -0,0 +1,88 @@
+{
+  "$comment": "WatchMyAgents — typology classifier weights + thresholds (Guardian Core, agent-typology-classification.spec.md §3/§4/§5). INVARIANT: weights and thresholds live HERE, never hardcoded in typology.js ('poids de signature en config, pas en dur'). Calibrate on labelled real traffic. Modèle C: all inputs are anonymized behavioural fractions/flags only.",
+  "version": "0.1.0",
+  "updated_at": "2026-05-29T00:00:00Z",
+
+  "thresholds": {
+    "$comment": "§4 'Seuils par défaut (à calibrer)' + §5 downgrade asymmetry.",
+    "n_events_min": 50,
+    "confidence_min": 0.70,
+    "margin_min": 0.15,
+    "stable_windows": 3,
+    "downgrade_confidence_min": 0.85,
+    "downgrade_windows": 5,
+    "untrusted_modifier_min": 0.1,
+    "sensitive_modifier_min": 0.0,
+    "payment_overlay_min": 0.0,
+    "autonomy_modifier_min": 0.5,
+    "$comment_tie": "§8 conservative tie-break: when |score(top1)-score(top2)| <= tie_epsilon (a near/exact tie between two REAL types with real signal), select the STRICTER of the two rather than falling to the more-permissive generic — 'dans le doute, on reste sur le plus protecteur'. Set to 0 for exact-tie only.",
+    "tie_epsilon": 0.0
+  },
+
+  "confidence_sigmoid": {
+    "$comment": "§4 confidence = sigmoid(a·top1.score + b·margin + c·log(n_events)). All three coefficients live in config; a naive impl that only used top1.score would be wrong.",
+    "a": 4.0,
+    "b": 6.0,
+    "c": 0.6,
+    "bias": -3.5
+  },
+
+  "strictness_rank": {
+    "$comment": "§5 restriction ranking — derived from each template's baseline_policies enforcement severity (isolate>block>require_approval>throttle>monitor>warn). Higher rank = STRICTER. Drives re-classification asymmetry: to a stricter rank = normal threshold; to a looser rank = downgrade gate (conf>=0.85 AND 5 windows). NOT alphabetical.",
+    "devops_infra": 10,
+    "transactional_financial": 9,
+    "workflow_backoffice": 8,
+    "coding": 7,
+    "orchestrator": 6,
+    "browser_web": 5,
+    "personal_assistant": 4,
+    "data_rag": 3,
+    "generic": 2,
+    "customer_facing": 1
+  },
+
+  "features": {
+    "$comment": "Canonical anonymized feature keys (Modèle C). Fractions f_* in [0,1]; flag_* in {0,1}; aux_* in [0,1]. Order is informational only — scoring is key-addressed.",
+    "fractions": ["f_code", "f_browser", "f_database", "f_http", "f_email", "f_payment", "f_secret", "f_search", "f_memory", "f_handoff", "f_user_msg", "f_file"],
+    "flags": ["flag_deploy", "flag_internal_sys", "flag_on_behalf"],
+    "aux": ["aux_autonomy", "aux_untrusted", "aux_sensitive"]
+  },
+
+  "weights": {
+    "$comment": "w[type][feature] — signature weights (§3). Positive = signal for the type; negative = signal against. flag_* are the REQUIRED discriminators for the 3 inseparable pairs (coding/devops, data_rag/workflow, personal_assistant/workflow). 'generic' has no positive weights (pure fallback).",
+
+    "coding": {
+      "f_code": 1.0, "f_file": 0.5, "f_search": 0.3, "f_secret": 0.1,
+      "flag_deploy": -0.9
+    },
+    "devops_infra": {
+      "f_code": 0.7, "f_secret": 0.6, "f_file": 0.2,
+      "flag_deploy": 1.2
+    },
+    "data_rag": {
+      "f_database": 0.8, "f_search": 0.35, "f_memory": 0.7, "aux_untrusted": 0.2,
+      "flag_internal_sys": -0.7
+    },
+    "customer_facing": {
+      "f_user_msg": 1.0, "f_handoff": 0.3, "f_email": 0.2
+    },
+    "browser_web": {
+      "f_browser": 1.0, "f_http": 0.6, "f_search": 0.7
+    },
+    "orchestrator": {
+      "f_handoff": 1.2, "f_code": -0.2, "f_browser": -0.2, "f_database": -0.2
+    },
+    "workflow_backoffice": {
+      "f_database": 0.6, "f_http": 0.5, "f_file": 0.2,
+      "flag_internal_sys": 0.9, "flag_on_behalf": -0.6
+    },
+    "personal_assistant": {
+      "f_email": 0.8, "f_file": 0.4, "f_user_msg": 0.3,
+      "flag_on_behalf": 1.0
+    },
+    "transactional_financial": {
+      "f_payment": 1.5
+    },
+    "generic": {}
+  }
+}

package/src/typology.js

@@ -0,0 +1,398 @@
+// Agent typology classifier — maps an agent's OBSERVED behaviour to one of the
+// 10 Guardian Core archetypes, for Shield template selection / refinement.
+//
+// Source of truth: GUARDIAN CORE/agent-typology-classification.spec.md (v0.1) +
+// GUARDIAN CORE/schemas/agent-classification.schema.json. classifyAgentType()
+// returns an object conforming EXACTLY to that schema.
+//
+// Why behaviour, not config: Anthropic Managed Agents expose their tools as an
+// opaque bundle (`agent_toolset_20260401`), so static config can't tell a
+// researcher from a coder. We classify from anonymized behavioural signals
+// (Modèle C): per-tool-category FRACTIONS (f_*), boolean local flags (flag_*),
+// and aux ratios (aux_*). NEVER raw content — no prompts, no outputs, no names.
+//
+// ──────────────────────────────────────────────────────────────────────────
+// GLOBAL-BASELINE INDEPENDENCE (spec §1, §5 — INVARIANT, read this):
+//   The `global-baseline` (5 mandatory fail_closed floors) ALWAYS applies,
+//   regardless of the result — or absence — of classification. A bad
+//   classification degrades REFINEMENT, never the FLOOR. This classifier MUST
+//   NEVER gate, relax, or sit on the critical path of those floors. Nothing
+//   returned here can disable a floor. Template swaps bring new *probabilistic*
+//   policies in via `shadow` first; mandatory floors are never relaxed during
+//   the transition.
+// ──────────────────────────────────────────────────────────────────────────
+//
+// INVARIANTS enforced here:
+//   1. Modèle C — inputs are anonymized fractions/flags/aux ONLY.
+//   2. Weights + thresholds come from config (typology-weights.json), never
+//      hardcoded in the logic below.
+//   3. No easy downgrade — moving to a LESS strict template needs a raised
+//      confidence (0.85) AND a longer window (5), per the strictness ranking.
+//   4. global-baseline is independent of classification (see banner above).
+
+import { readFileSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import { dirname, join } from 'node:path';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+// The 10 archetypes (schema `classified_type` enum, exact order/spelling).
+export const ARCHETYPES = [
+  'coding', 'devops_infra', 'data_rag', 'customer_facing', 'browser_web',
+  'orchestrator', 'workflow_backoffice', 'personal_assistant',
+  'transactional_financial', 'generic',
+];
+
+// Modifiers (schema enum). They ONLY add restrictions, so they are activatable
+// immediately — no asymmetry / hysteresis (spec §6).
+export const MODIFIERS = ['autonomy', 'untrusted_input', 'data_sensitivity', 'regulated'];
+
+// ── Config (weights + thresholds + strictness ranking) — loaded once. ───────
+// INVARIANT 2: nothing below hardcodes a weight or threshold; everything that
+// influences the decision is read from this file.
+let _config = null;
+export function loadConfig(path = join(__dirname, 'typology-weights.json')) {
+  if (_config && path === _config.__path) return _config;
+  const raw = JSON.parse(readFileSync(path, 'utf8'));
+  raw.__path = path;
+  _config = raw;
+  return _config;
+}
+// Test/seam: inject a config object directly.
+export function setConfig(cfg) { _config = { ...cfg, __path: '<injected>' }; return _config; }
+
+const sigmoid = (x) => 1 / (1 + Math.exp(-x));
+const clamp01 = (x) => Math.max(0, Math.min(1, x));
+
+// Strict comparison helper for re-classification asymmetry. Higher rank =
+// stricter template. Moving to >= current rank is an "upgrade" (or lateral);
+// moving to a strictly LOWER rank is a "downgrade" (gated).
+function strictnessOf(cfg, type) {
+  const r = cfg.strictness_rank || {};
+  return Number.isFinite(r[type]) ? r[type] : 0;
+}
+
+/**
+ * Build the canonical feature vector from a loose features object.
+ * Only the schema-legal keys are kept; everything is coerced to a number and
+ * clamped to [0,1] (the schema requires every feature_vector value in [0,1]).
+ * Missing features default to 0 — Modèle C: an absent signal is "not observed",
+ * never inferred from content.
+ */
+function normalizeFeatures(cfg, features) {
+  const fr = cfg.features?.fractions || [];
+  const fl = cfg.features?.flags || [];
+  const ax = cfg.features?.aux || [];
+  const out = {};
+  for (const k of [...fr, ...fl, ...ax]) {
+    const v = Number(features?.[k]);
+    out[k] = Number.isFinite(v) ? clamp01(v) : 0;
+  }
+  return out;
+}
+
+/** score(type) = Σ_i w[type][i] · feature_i  (spec §4). */
+function scoreType(weightsForType, fv) {
+  let s = 0;
+  for (const [feat, w] of Object.entries(weightsForType || {})) {
+    s += (Number(w) || 0) * (fv[feat] || 0);
+  }
+  return s;
+}
+
+/**
+ * Rank all archetypes by score. Returns the full sorted list plus top1/top2.
+ * Tie-break (spec §8): on EQUAL dominance, the STRICTER type wins (conservative).
+ * 'generic' is excluded from the positive ranking — it is the fallback only.
+ */
+function rankTypes(cfg, fv) {
+  const scored = ARCHETYPES
+    .filter((t) => t !== 'generic')
+    .map((t) => ({ type: t, score: scoreType(cfg.weights?.[t], fv) }));
+  scored.sort((a, b) => {
+    if (b.score !== a.score) return b.score - a.score;
+    // tie → stricter (higher strictness_rank) first
+    return strictnessOf(cfg, b.type) - strictnessOf(cfg, a.type);
+  });
+  return scored;
+}
+
+/**
+ * classifyAgentType(features[, prior][, opts]) → object conforming EXACTLY to
+ * agent-classification.schema.json.
+ *
+ * @param {object} features          Anonymized behavioural signals (Modèle C):
+ *   agent_id            {string}    pass-through identifier (no content)
+ *   f_code,f_browser,…  {number}    per-category FRACTIONS in [0,1]
+ *   flag_deploy,…       {0|1|bool}  local discriminator flags (no content)
+ *   aux_autonomy,…      {number}    aux ratios in [0,1]
+ *   n_events            {number}    events in the current sliding window
+ * @param {object} [prior]           Previous classification result (the caller
+ *   threads this so the state machine + asymmetry work across windows). Reads:
+ *   classified_type, stage, windows_consistent, strictness_rank,
+ *   last_reclassified_at.
+ * @param {object} [opts]
+ *   regulated {boolean}             tenant/Fortress flag (config-driven, NOT
+ *                                   behavioural) → adds the `regulated` modifier
+ *   now {string}                    ISO timestamp seam for tests
+ *   config {object}                 inject config (else loaded from disk)
+ * @returns {object}                 schema-conformant classification result
+ */
+export function classifyAgentType(features = {}, prior = null, opts = {}) {
+  const cfg = opts.config ? setConfig(opts.config) : loadConfig();
+  const th = cfg.thresholds || {};
+  const sg = cfg.confidence_sigmoid || {};
+  const now = opts.now || new Date().toISOString();
+
+  const agent_id = String(features.agent_id ?? prior?.agent_id ?? '');
+  const fv = normalizeFeatures(cfg, features);
+  // Floor + finiteness guard: the schema declares window_events as integer.
+  // Non-finite (Infinity/NaN) → 0 so it can't saturate confidence via log(n).
+  const _rawN = Number(features.n_events);
+  const nEvents = Number.isFinite(_rawN) ? Math.max(0, Math.floor(_rawN)) : 0;
+
+  // ── Score every archetype, find top1 / top2 / margin (spec §4). ──────────
+  const ranked = rankTypes(cfg, fv);
+  const top1 = ranked[0] || { type: 'generic', score: 0 };
+  const top2 = ranked[1] || { type: 'generic', score: 0 };
+  const margin = top1.score - top2.score;
+
+  // confidence = sigmoid(a·top1.score + b·margin + c·log(n_events) + bias).
+  // All three terms (top1 score, margin, log n_events) are folded in — NOT just
+  // top1.score. Coefficients a/b/c/bias come from config.
+  const logN = Math.log(Math.max(1, nEvents));
+  const confidence = clamp01(
+    sigmoid((sg.a || 0) * top1.score + (sg.b || 0) * margin + (sg.c || 0) * logN + (sg.bias || 0)),
+  );
+
+  // ── Candidate type per the gates (spec §4). ──────────────────────────────
+  // n_events < MIN_EVENTS               → generic (cold-start)
+  // OR confidence < CONF_THRESHOLD      → generic
+  // OR margin < MARGIN_MIN              → generic
+  // else                                → top1.type
+  let candidate;
+  const belowMinEvents = nEvents < th.n_events_min;
+  const lowConfidence = confidence < th.confidence_min;
+  const lowMargin = margin < th.margin_min;
+
+  // Conservative tie-break (spec §8): "en cas d'égalité, choisir le plus strict
+  // (conservateur)". When the top two are a near-TIE (|margin| ≤ tie_epsilon)
+  // between two REAL types and there is real signal (top1.score > 0), dropping
+  // to generic would RELAX protection — so instead we keep the STRICTER of the
+  // tied pair. rankTypes() already sorts the stricter type first on an exact
+  // tie, so top1 IS the stricter one here. This applies only on a true tie; a
+  // genuinely ambiguous low-signal window (no tie, just a small margin) still
+  // falls back to generic via the margin gate below.
+  const tieEps = th.tie_epsilon ?? 0;
+  const isTie = top1.score > 0 && top2.type !== 'generic' && Math.abs(margin) <= tieEps;
+
+  if (belowMinEvents) candidate = 'generic';
+  else if (isTie) candidate = top1.type;                  // stricter-wins, conservative
+  else if (lowConfidence || lowMargin) candidate = 'generic';
+  else candidate = top1.type;
+
+  // ── State machine + re-classification asymmetry (spec §5). ───────────────
+  // We accept the prior state as input so the CALLER threads it across windows;
+  // this function is otherwise pure for a given (features, prior).
+  const priorType = prior?.classified_type || 'generic';
+  const priorStage = prior?.stage || 'cold_start';
+  const priorWindows = Math.max(0, Math.floor(Number(prior?.windows_consistent) || 0));
+  const priorReclassAt = prior?.last_reclassified_at || null;
+  // Last real (non-generic) type, threaded across generic gaps. Closes the
+  // generic-laundering downgrade bypass: a strict→generic→looser-real sequence
+  // must still face the downgrade gate against the ORIGINAL strict rank.
+  const priorLastReal = prior?.last_real_type || (priorType !== 'generic' ? priorType : null);
+  // The candidate the prior window(s) were already accumulating toward (if any).
+  // The caller threads this so a pending change builds consecutive evidence
+  // across windows instead of resetting every window.
+  const priorPending = prior?.pending_type || null;
+
+  let classified_type = priorType;
+  let stage = priorStage;
+  let windows_consistent = priorWindows;
+  let last_reclassified_at = priorReclassAt;
+  // pending_type: the candidate we are accumulating consecutive windows toward
+  // but have not yet committed (hysteresis / asymmetry not satisfied). Surfaced
+  // in the result so the caller can thread it back next window.
+  let pending_type = null;
+  let pending_windows = 0;
+
+  if (belowMinEvents) {
+    // A low-traffic window must NOT collapse an established type. An adversary
+    // could throttle below MIN_EVENTS to shed a strict template (downgrade
+    // bypass). If we already hold a real type, RETAIN it (freeze the window
+    // count); only a genuinely cold agent (no prior real type) stays generic.
+    if (priorType !== 'generic') {
+      classified_type = priorType;
+      stage = priorStage;
+      windows_consistent = priorWindows;
+    } else {
+      classified_type = 'generic';
+      stage = 'cold_start';
+      windows_consistent = 0;
+    }
+  } else if (candidate === priorType) {
+    // Same type as last window → accumulate consistency (hysteresis).
+    windows_consistent = priorWindows + 1;
+    // provisional → stable after STABLE_WINDOWS consecutive consistent windows.
+    if (classified_type !== 'generic' && stage !== 'stable' &&
+        windows_consistent >= th.stable_windows) {
+      stage = 'stable';
+    } else if (classified_type !== 'generic' && stage === 'cold_start') {
+      stage = 'provisional';
+    }
+  } else {
+    // Type would CHANGE relative to the prior. Decide whether the change is
+    // allowed THIS window, or whether we must accumulate more evidence.
+    const toRank = strictnessOf(cfg, candidate);
+    // Reference rank for downgrade detection: the prior REAL type, or — across a
+    // generic gap — the last real type before we fell to generic. Using the
+    // last-real reference closes the generic-laundering bypass (strict → generic
+    // → looser-real must still face the downgrade gate against the strict rank).
+    const refType = (priorType !== 'generic') ? priorType : (priorLastReal || 'generic');
+    const refRank = strictnessOf(cfg, refType);
+    // A "downgrade" = moving to a real template STRICTLY LESS strict than the
+    // reference. Upgrading / lateral is NOT a downgrade. Falling back TO generic
+    // is handled below (never relaxes the floor — the global-baseline always applies).
+    const isDowngrade = candidate !== 'generic' && refType !== 'generic' && toRank < refRank;
+
+    // Required consecutive-consistent-window count BEFORE applying the change.
+    //   Leaving generic (cold_start → provisional): the FIRST window clearing
+    //     the gates commits — provisional = "1er type au-dessus du seuil" (§5).
+    //   Upgrade / lateral (real → real, equal-or-stricter): normal hysteresis
+    //     STABLE_WINDOWS, never relaxes the floor.
+    //   Downgrade (real → LESS strict): longer DOWNGRADE_WINDOWS AND a raised
+    //     confidence floor (anti mimicry-evasion: an agent must not soften its
+    //     protection by imitating a more permissive type).
+    const leavingGeneric = priorType === 'generic';
+    // Leaving generic is fast (1 window) ONLY when it is not a net downgrade vs
+    // the last real type. A net downgrade — even laundered through generic —
+    // takes the full gate: longer window AND raised confidence (anti-evasion).
+    const neededWindows = isDowngrade ? th.downgrade_windows
+                        : (leavingGeneric ? 1 : th.stable_windows);
+    const neededConfidence = isDowngrade ? th.downgrade_confidence_min : th.confidence_min;
+
+    // Consecutive consistent windows toward THIS candidate. If the prior window
+    // was already accumulating toward the same candidate, continue the count;
+    // otherwise this is the first window of a fresh pending change.
+    const accWindows = (priorPending === candidate)
+      ? Math.max(0, Math.floor(Number(prior?.pending_windows) || 0)) + 1
+      : 1;
+
+    if (candidate === 'generic') {
+      // Falling back to generic is never a security relaxation we must gate —
+      // the global-baseline floor still applies — but we still respect
+      // hysteresis so a single noisy window can't flap us out of a real type.
+      if (priorType === 'generic') {
+        windows_consistent = priorWindows + 1;
+        classified_type = 'generic';
+        stage = 'cold_start';
+      } else {
+        // Accumulate toward dropping the type, but keep the (stricter) prior
+        // until hysteresis is satisfied — conservative.
+        if (accWindows >= th.stable_windows) {
+          classified_type = 'generic';
+          stage = 'cold_start';
+          windows_consistent = 1;
+          last_reclassified_at = now;
+        } else {
+          pending_type = 'generic';
+          pending_windows = accWindows;
+          // classified_type / stage / windows_consistent unchanged (stay put).
+        }
+      }
+    } else if (confidence >= neededConfidence && accWindows >= neededWindows) {
+      // Enough consecutive evidence (counting the current window) to commit the
+      // change. The caller threads pending_type/pending_windows so consecutive
+      // windows toward the same candidate accumulate.
+      classified_type = candidate;
+      // A freshly committed type always lands in 'provisional'; it climbs to
+      // 'stable' only after STABLE_WINDOWS consecutive same-type windows.
+      stage = 'provisional';
+      windows_consistent = 1;
+      last_reclassified_at = now;
+    } else {
+      // Not enough evidence yet → keep the prior (stricter-by-default) type and
+      // record the pending candidate so the next window can build on it. We do
+      // NOT touch windows_consistent of the committed type (it still applies).
+      pending_type = candidate;
+      pending_windows = accWindows;
+    }
+  }
+
+  // Stage sanity: generic is always cold_start.
+  if (classified_type === 'generic') stage = 'cold_start';
+
+  // Last real (non-generic) type — threaded so a generic gap doesn't erase the
+  // downgrade reference (see priorLastReal). Persists across generic windows.
+  const last_real_type = (classified_type !== 'generic') ? classified_type : (priorLastReal || null);
+
+  // ── Modifiers (spec §6): additive restrictions, no asymmetry/hysteresis. ──
+  const modifiers = [];
+  const autonomyLevel = String(features.autonomy_level ?? features.aux_autonomy_level ?? '');
+  const auxAutonomy = Number(features.aux_autonomy) || 0;
+  // autonomy: explicit level in {act_with_approval, autonomous}, or a high ratio.
+  if (['act_with_approval', 'autonomous'].includes(autonomyLevel) || auxAutonomy >= (th.autonomy_modifier_min ?? 0.5)) {
+    modifiers.push('autonomy');
+  }
+  if ((fv.aux_untrusted || 0) > (th.untrusted_modifier_min ?? 0.1)) {
+    modifiers.push('untrusted_input');
+  }
+  if ((fv.aux_sensitive || 0) > (th.sensitive_modifier_min ?? 0)) {
+    modifiers.push('data_sensitivity');
+  }
+  // regulated is tenant/Fortress config — NOT behavioural.
+  if (opts.regulated === true) modifiers.push('regulated');
+
+  // ── Payment overlay (spec §3/§5/§6): f_payment > 0 FORCES the transactional
+  // profile even when another base type dominates. It is an OVERLAY, not a
+  // winner-take-all reclassification: the base type stays, and we surface the
+  // overlay in evidence so the Shield layer adds the confirmation/limit
+  // policies. Reducing f_payment to flee transactional_financial is neutralized
+  // by the downgrade asymmetry + the always-on floor.
+  //
+  // It is surfaced in `evidence.payment_overlay`, NOT in `modifiers[]`: the
+  // schema's modifiers enum is fixed to {autonomy, untrusted_input,
+  // data_sensitivity, regulated} — "transactional" is not a legal modifier
+  // value, so emitting it there would violate the schema. evidence has no
+  // additionalProperties:false, so it is the schema-legal carrier for the overlay.
+  const paymentOverlay = (fv.f_payment || 0) > (th.payment_overlay_min ?? 0);
+
+  // ── Evidence (schema-shaped). ────────────────────────────────────────────
+  const evidence = {
+    window_events: nEvents,
+    top2_type: top2.type,
+    margin: Number(margin.toFixed(6)),
+  };
+  // Extra evidence keys are schema-legal (evidence has no additionalProperties:
+  // false). Surface the decision context for audit — never raw content.
+  if (paymentOverlay) {
+    evidence.payment_overlay = {
+      active: true,
+      f_payment: fv.f_payment,
+      adds: 'transactional_financial confirmation/limit policies (overlay, base type unchanged)',
+    };
+  }
+  evidence.confidence_terms = { top1_score: Number(top1.score.toFixed(6)), margin: Number(margin.toFixed(6)), log_n_events: Number(logN.toFixed(6)) };
+
+  return {
+    agent_id,
+    classified_type,
+    confidence: Number(confidence.toFixed(6)),
+    stage,
+    modifiers,
+    evidence,
+    feature_vector: fv,
+    windows_consistent,
+    strictness_rank: strictnessOf(cfg, classified_type),
+    ...(last_reclassified_at ? { last_reclassified_at } : {}),
+    // Hysteresis carry-over (schema-legal extras: root has no
+    // additionalProperties:false). The caller threads these back as part of the
+    // `prior` next window so a pending change accumulates consecutive evidence,
+    // and so the downgrade reference survives a generic gap (anti-evasion).
+    ...(pending_type ? { pending_type, pending_windows } : {}),
+    ...(last_real_type ? { last_real_type } : {}),
+  };
+}
+
+export default classifyAgentType;