watchmyagents 0.8.2 → 0.9.1

package/README.md

@@ -105,14 +105,15 @@ Each entry carries: `id`, `agent_id`, `framework`, `timestamp`, `action_type`, `
 ### `wma-fetch` — pull events from Anthropic Managed Agents
 
 ```bash
-wma-fetch --agent-id <agent_id> [--session-id <sess_id>] [--since 1h]
+wma-fetch (--agent-id <agent_id> | --all-agents) [--session-id <sess_id>] [--since 1h]
          [--log-dir ./watchmyagents-logs] [--dump-raw]
          [--watch [--interval 5m] [--upload]]
 ```
 
 | Flag | Effect |
 |---|---|
-| `--agent-id agent_xxx` | Required — Anthropic agent identifier |
+| `--agent-id agent_xxx` | Anthropic agent identifier (required unless `--all-agents`) |
+| `--all-agents` | **Fleet mode** (requires `--watch`) — discover ALL agents under the key and watch them in a single process |
 | `--since 1h` / `24h` / `7d` | Fetch window (default: all) |
 | `--session-id sesn_xxx` | Limit to a single session |
 | `--log-dir ./logs` | Where to write NDJSON (default `./watchmyagents-logs`) |
@@ -120,6 +121,8 @@ wma-fetch --agent-id <agent_id> [--session-id <sess_id>] [--since 1h]
 | `--watch` | **Continuous daemon** — loop forever, incrementally capturing NEW events (deduped by stable event id) until `Ctrl+C` |
 | `--interval 5m` | Poll interval in watch mode (default `5m`; accepts `30s`/`1h`/…) |
 | `--upload` | In watch mode, anonymize each new window and ship signals to Fortress (needs `WMA_API_KEY` + `WMA_FORTRESS_BASE_URL` + `WMA_SIGNALS_SALT`). Raw stays local. |
+| `--discovery-since 7d` | Window for discovering NEW sessions (default `7d`). Sessions already being tracked are re-fetched regardless of age, so long-running ones never drop out. |
+| `--send-agent-names` | Opt-in: send the human agent name as the Fortress `display_name`. Default sends the agent id only (the name may contain client/project info). |
 | `--api-key sk-ant-…` | Override the `ANTHROPIC_API_KEY` env var. **Discouraged** — visible in shell history & process list. Prefer the env var. |
 
 Logs land in `./watchmyagents-logs/<agent_id>/<date>.ndjson` (file mode `0600`, dir `0700`).
@@ -152,7 +155,7 @@ wma-upload-fortress --agent-id agent_01ABC... [--display-name "My agent"]
 wma-upload-fortress --agent-id agent_xxx --dry-run
 ```
 
-**What is sent:** counts, latencies, salted IoC hashes, sequences — same as `wma-anonymize` output.
+**What is sent:** the anonymized signals payload (counts, latencies, salted IoC hashes, sequences — same as `wma-anonymize` output) **plus two routing identifiers**: your `anthropic_agent_id` and a `display_name`. The agent id is required so Fortress can associate signals with the right agent; `display_name` defaults to the agent id and only carries the human-readable agent name if you opt in (`wma-fetch --watch --upload --send-agent-names`).
 **What is NOT sent:** raw prompts, raw URLs/commands/queries, raw agent responses, raw error messages. All payload content stays on your machine.
 
 The endpoint auto-registers the agent on the first upload if it doesn't exist in Fortress yet — no manual onboarding needed for new agents.
@@ -167,6 +170,21 @@ wma-inspect [path]
 
 Outputs sections aligned with security audit needs: tokens summary, by-tool / by-action-type breakdowns, top tool destinations (URLs / queries), action-sequence transitions, tool error rates, p50/p95/max latency per tool, rate metrics.
 
+### `wma-agents` — discover + classify your agents (typology)
+
+Lists every Managed Agent under your key and classifies each one's **typology**
+(one of 10 Guardian Core archetypes) from its OBSERVED behaviour in your local
+logs — which drives the cold-start Shield template. Modèle C: reads local logs
+only (tool-category fractions, never raw content) and transmits nothing.
+
+```bash
+wma-agents list [--log-dir ~/.watchmyagents/logs] [--json]
+```
+
+With fewer than ~50 observed events an agent stays `generic` (cold start) and
+refines as activity accumulates. Re-classification to a *less strict* type is
+gated (raised confidence + longer window) to resist mimicry-evasion.
+
 ## Automating — continuous monitoring
 
 ### `wma-service` — install as an always-on service (recommended)
@@ -180,7 +198,7 @@ export WMA_API_KEY="wma_..."
 export WMA_FORTRESS_BASE_URL="https://<project>.supabase.co/functions/v1"
 export WMA_SIGNALS_SALT="..."                                 # stable per-customer salt
 
-wma-service install --agent-id agent_01ABC... --interval 5m [--with-shield]
+wma-service install (--agent-id agent_01ABC... | --all-agents) [--interval 5m] [--with-shield]
 wma-service status
 wma-service uninstall [--with-shield]
 ```
@@ -229,9 +247,9 @@ WatchMyAgents is built so that **your prompts and outputs never have to leave yo
 |---|---|
 | **Your machine** (`./watchmyagents-logs/`) | Full NDJSON with all prompts, tool inputs, agent outputs. `chmod 600` on every file. |
 | **Anthropic API** | Where the agent runs. WMA pulls events via the public REST API only. |
-| **WMA infrastructure** | **Nothing today.** Future opt-in telemetry will ship only anonymized metadata (counts, timings, hashes) — never raw payloads. |
+| **WMA Fortress** (opt-in, only with `--upload` / `wma-upload-fortress` / `wma-shield --policies-source fortress`) | The **anonymized signals** payload (counts, timings, salted hashes, sequences) + two routing identifiers: your `anthropic_agent_id` and a `display_name` (defaults to the agent id; the human agent name only with `--send-agent-names`). Shield enforcement **decisions** (hashed session/event/input fingerprints — never raw values). **Never** raw prompts, URLs, commands, or outputs. |
 
-This is the "local-first" guarantee. It is the product, not a marketing claim.
+This is the "local-first" guarantee: **raw payloads never leave your machine.** Cloud upload is opt-in and carries only anonymized metadata + the agent id/name needed to route it.
 
 ## Security
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "watchmyagents",
-  "version": "0.8.2",
+  "version": "0.9.1",
   "description": "Security observability + real-time policy enforcement for AI agents. Local-first NDJSON capture with a continuous Watch daemon that auto-uploads anonymized signals, Shield CLI that blocks policy violations live (with policies pulled from Fortress cloud), anonymizer producing signals-only payloads, bidirectional sync with WatchMyAgents Fortress, and one-command install as an always-on launchd/systemd service — closing the recursive Watch→Guardian→Shield security loop.",
   "type": "module",
   "files": [
@@ -11,6 +11,7 @@
     "scripts/anonymize.js",
     "scripts/upload-fortress.js",
     "scripts/service.js",
+    "scripts/agents.js",
     "README.md",
     "SECURITY.md",
     "LICENSE"
@@ -21,15 +22,18 @@
     "wma-shield": "scripts/shield.js",
     "wma-anonymize": "scripts/anonymize.js",
     "wma-upload-fortress": "scripts/upload-fortress.js",
-    "wma-service": "scripts/service.js"
+    "wma-service": "scripts/service.js",
+    "wma-agents": "scripts/agents.js"
   },
   "scripts": {
+    "test": "node --test",
     "inspect": "node scripts/inspect.js",
     "fetch": "node scripts/fetch-anthropic.js",
     "shield": "node scripts/shield.js",
     "anonymize": "node scripts/anonymize.js",
     "upload-fortress": "node scripts/upload-fortress.js",
-    "service": "node scripts/service.js"
+    "service": "node scripts/service.js",
+    "agents": "node scripts/agents.js"
   },
   "engines": {
     "node": ">=18.0.0"

package/scripts/agents.js

@@ -0,0 +1,218 @@
+#!/usr/bin/env node
+// wma-agents — discover all Managed Agents under your key and classify each
+// agent's typology from its OBSERVED behaviour (for Shield template selection).
+//
+// Usage:
+//   wma-agents [list] [--log-dir ~/.watchmyagents/logs] [--json]
+//
+// Reads the local Watch logs (NEVER leaves the machine — Modèle C) and derives
+// the anonymized behavioural FEATURE VECTOR per the typology spec:
+//   per-tool-category FRACTIONS (f_*), boolean local flags (flag_*), aux ratios
+//   (aux_*), and n_events. It then calls classifyAgentType() and prints the
+//   schema-conformant result. With <50 events an agent is `generic` (cold start)
+//   and refines as activity accumulates.
+//
+// Modèle C invariant: only counts/ratios/flags are computed here — never raw
+// prompt/output content, never the agent display name. Nothing is transmitted.
+//
+// ANTHROPIC_API_KEY from env (or --api-key, discouraged).
+
+import os from 'node:os';
+import { readdir, stat } from 'node:fs/promises';
+import { createReadStream } from 'node:fs';
+import { createInterface } from 'node:readline';
+import { join, resolve } from 'node:path';
+import { listAgents } from '../src/sources/anthropic-managed.js';
+import { classifyAgentType } from '../src/typology.js';
+import { isValidAgentId, assertSafePathSegment } from '../src/validate.js';
+
+function parseArgs(argv) {
+  const out = { _: [] };
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    if (a.startsWith('--')) {
+      const k = a.slice(2); const n = argv[i + 1];
+      if (n == null || n.startsWith('--')) out[k] = true; else { out[k] = n; i++; }
+    } else out._.push(a);
+  }
+  return out;
+}
+function die(msg, code = 1) { process.stderr.write(`error: ${msg}\n`); process.exit(code); }
+function info(msg) { process.stdout.write(`[wma-agents] ${msg}\n`); }
+
+// Action types that represent a TOOL invocation (the denominator for f_* tool
+// fractions). Confirmed produced by src/sources/anthropic-managed.js.
+const TOOL_ACTIONS = new Set(['tool_use', 'mcp_tool_use', 'custom_tool_use']);
+
+// ──────────────────────────────────────────────────────────────────────────
+// Tool-name → category mapping (Modèle C: name-based, no content). Managed
+// Agents expose tools as an opaque bundle, so tool_name is free-text. We match
+// the confirmed built-ins (web_search, web_fetch, bash) plus best-effort
+// regexes for common tool names. A tool that matches nothing contributes to the
+// denominator but to no category (honest: unknown ≠ inferred).
+// ──────────────────────────────────────────────────────────────────────────
+const CATEGORY_RULES = [
+  // category,    matcher (lower-cased tool_name)
+  ['search',   (n) => /(^|_)web_search$|(^|_)search($|_)|google|brave/.test(n)],
+  ['browser',  (n) => /web_fetch|browser|playwright|puppeteer|navigate|screenshot/.test(n)],
+  ['http',     (n) => /(^|_)http|fetch_url|curl|request|webhook|api_call/.test(n)],
+  ['code',     (n) => /bash|shell|terminal|code_exec|exec_|python|node_run|run_code|interpreter/.test(n)],
+  ['database', (n) => /sql|query_db|database|postgres|mysql|mongo|redis|bigquery|snowflake/.test(n)],
+  ['email',    (n) => /email|gmail|smtp|sendmail|mailgun|outlook/.test(n)],
+  ['payment',  (n) => /payment|charge|transfer|invoice|stripe|paypal|payout|refund|checkout/.test(n)],
+  ['secret',   (n) => /secret|vault|credential|kms|keychain|token_get/.test(n)],
+  ['memory',   (n) => /memory|retriev|vector|(^|_)rag($|_)|knowledge|embed|pinecone|chroma/.test(n)],
+  ['file',     (n) => /editor|str_replace|read_file|write_file|create_file|file_io|(^|_)file($|_)|fs_/.test(n)],
+];
+
+// Best-effort deploy detection (spec discriminator devops_infra vs coding).
+const DEPLOY_RE = /deploy|terraform|kubectl|helm|(^|_)release($|_)|ansible|pulumi|cloudformation/;
+
+function categoryOf(toolName) {
+  const n = String(toolName || '').toLowerCase();
+  for (const [cat, m] of CATEGORY_RULES) if (m(n)) return cat;
+  return null;
+}
+
+// Aggregate raw counts from an agent's local NDJSON logs (Modèle C: counts only).
+async function aggregate(logDir, agentId) {
+  const actionCounts = {};       // action_type → count
+  const categoryCounts = {};     // tool category → count
+  let toolEvents = 0;            // denominator for f_* fractions
+  let deployUses = 0;
+  const dir = join(logDir, agentId);
+  const s = await stat(dir).catch(() => null);
+  if (!s || !s.isDirectory()) return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: false };
+  let names;
+  try { names = await readdir(dir); } catch { return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: false }; }
+  const files = names.filter((n) => n.endsWith('.ndjson') && !n.startsWith('raw-'));
+  if (files.length === 0) return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: false };
+
+  for (const f of files) {
+    await new Promise((res) => {
+      const rl = createInterface({ input: createReadStream(join(dir, f), { encoding: 'utf8' }), crlfDelay: Infinity });
+      rl.on('line', (line) => {
+        if (!line.trim()) return;
+        let e; try { e = JSON.parse(line); } catch { return; }
+        if (e.action_type) actionCounts[e.action_type] = (actionCounts[e.action_type] || 0) + 1;
+        if (TOOL_ACTIONS.has(e.action_type)) {
+          toolEvents += 1;
+          const cat = categoryOf(e.tool_name);
+          if (cat) categoryCounts[cat] = (categoryCounts[cat] || 0) + 1;
+          if (DEPLOY_RE.test(String(e.tool_name || '').toLowerCase())) deployUses += 1;
+        }
+      });
+      rl.on('close', res); rl.on('error', res);
+    });
+  }
+  return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: true };
+}
+
+// Features that the WMA NDJSON logs CANNOT reliably expose today (opaque tool
+// names / no behavioural signal / content off-limits under Modèle C). They
+// default to 0/false; the caller prints a one-line note.
+const NON_DERIVABLE = [
+  'f_database', 'f_email', 'f_payment', 'f_secret', 'f_memory',
+  'flag_internal_sys', 'flag_on_behalf', 'aux_untrusted', 'aux_sensitive',
+];
+
+// Build the canonical anonymized FEATURE VECTOR from the aggregated counts.
+// Fractions = category_count / toolEvents. n_events = total observed events.
+function buildFeatures(agg) {
+  const { actionCounts, categoryCounts, toolEvents, deployUses } = agg;
+  const nEvents = Object.values(actionCounts).reduce((a, b) => a + b, 0);
+  const frac = (c) => (toolEvents > 0 ? (categoryCounts[c] || 0) / toolEvents : 0);
+  const eventFrac = (...types) => (nEvents > 0
+    ? types.reduce((a, t) => a + (actionCounts[t] || 0), 0) / nEvents
+    : 0);
+
+  // f_handoff / f_user_msg are derived from event TYPE (not tool category):
+  // confirmed action_types thread_message_* and user_message.
+  const handoff = eventFrac('thread_message_sent', 'thread_message_received', 'thread_created');
+  const userMsg = eventFrac('user_message');
+
+  // aux_autonomy ≈ 1 − (human-in-the-loop event share). Confirmed action_types
+  // user_message / user_interrupt / tool_confirmation mark human involvement; an
+  // agent that proceeds without them is more autonomous. Heuristic — documented.
+  const hitlShare = eventFrac('user_message', 'user_interrupt', 'tool_confirmation');
+  const auxAutonomy = nEvents > 0 ? Math.max(0, 1 - hitlShare) : 0;
+
+  return {
+    // tool-category fractions (over tool uses)
+    f_code: frac('code'),
+    f_browser: frac('browser'),
+    f_database: frac('database'),     // non-derivable in practice → ~0
+    f_http: frac('http'),
+    f_email: frac('email'),           // non-derivable in practice → ~0
+    f_payment: frac('payment'),       // non-derivable in practice → ~0
+    f_secret: frac('secret'),         // non-derivable in practice → ~0
+    f_search: frac('search'),
+    f_memory: frac('memory'),         // non-derivable in practice → ~0
+    f_file: frac('file'),
+    // event-type fractions (over all events)
+    f_handoff: handoff,
+    f_user_msg: userMsg,
+    // discriminator flags (best-effort; only flag_deploy has any behavioural
+    // signal — and only if the agent literally names a deploy tool).
+    flag_deploy: deployUses > 0 ? 1 : 0,
+    flag_internal_sys: 0,             // no behavioural signal in logs
+    flag_on_behalf: 0,                // no behavioural signal in logs
+    // aux ratios
+    aux_autonomy: auxAutonomy,        // heuristic (HITL-frequency)
+    aux_untrusted: 0,                 // no honest source in logs
+    aux_sensitive: 0,                 // no honest source in logs
+    // window size
+    n_events: nEvents,
+  };
+}
+
+async function main() {
+  const args = parseArgs(process.argv.slice(2));
+  if (args._[0] && args._[0] !== 'list') die(`unknown command "${args._[0]}" (only "list" supported)`);
+  const apiKey = args['api-key'] || process.env.ANTHROPIC_API_KEY;
+  if (!apiKey) die('--api-key or ANTHROPIC_API_KEY required');
+  if (args['api-key']) process.stderr.write('[wma-agents] WARNING: --api-key is visible in shell history; prefer ANTHROPIC_API_KEY env\n');
+  const logDir = resolve(args['log-dir'] || join(os.homedir(), '.watchmyagents', 'logs'));
+  const asJson = !!args.json;
+
+  let agents;
+  try { agents = await listAgents(apiKey); }
+  catch (e) { die(`failed to list agents: ${e.message}`); }
+
+  const results = [];
+  for (const a of agents) {
+    if (!a.id || !isValidAgentId(a.id)) continue;
+    assertSafePathSegment(a.id, 'agent id');
+    const agg = await aggregate(logDir, a.id);
+    const features = buildFeatures(agg);
+    features.agent_id = a.id;
+    // No prior state threaded here (single-shot CLI snapshot); the continuous
+    // Watch daemon is responsible for threading window state across runs.
+    const cls = classifyAgentType(features);
+    results.push({
+      id: a.id,
+      name: a.name || '(unnamed)',     // shown for the human only — NOT a classification signal
+      hasLogs: agg.hasLogs,
+      ...cls,
+    });
+  }
+
+  if (asJson) { process.stdout.write(JSON.stringify(results, null, 2) + '\n'); return; }
+
+  info(`discovered ${results.length} agent(s) - classified from local logs in ${logDir}`);
+  info(`Modele C: features below default to 0 (logs don't expose them): ${NON_DERIVABLE.join(', ')}`);
+  process.stdout.write('\n');
+  for (const r of results) {
+    const mods = (r.modifiers && r.modifiers.length) ? ` [+${r.modifiers.join(',')}]` : '';
+    const overlay = r.evidence?.payment_overlay ? '  (+transactional overlay)' : '';
+    process.stdout.write(`  ${r.name}\n`);
+    process.stdout.write(`    ${r.id}\n`);
+    process.stdout.write(`    -> ${r.classified_type}  (conf ${Math.round(r.confidence * 100)}%, ${r.stage})${mods}${overlay}\n`);
+    process.stdout.write(`    evidence: ${r.evidence.window_events} events, top2=${r.evidence.top2_type}, margin=${r.evidence.margin}\n`);
+    if (!r.hasLogs) process.stdout.write('    (no local logs yet - cold start)\n');
+    process.stdout.write('\n');
+  }
+  info('type drives the cold-start Shield template (Guardian Core §8). The global-baseline floor applies regardless of classification.');
+}
+
+main().catch((e) => { process.stderr.write(`error: ${e.stack || e.message}\n`); process.exit(1); });

package/scripts/fetch-anthropic.js

@@ -31,7 +31,7 @@ import { SignalsAggregator } from '../src/anonymizer.js';
 import { resolveFortressBase, fortressEndpoint } from '../src/fortress/url.js';
 import { isValidAgentId, isValidSessionId, assertSafePathSegment } from '../src/validate.js';
 import {
-  getAgent, listSessions, fetchSessionEntries, fetchRawEvents,
+  getAgent, listAgents, listSessions, fetchSessionEntries, fetchRawEvents,
 } from '../src/sources/anthropic-managed.js';
 
 function parseArgs(argv) {
@@ -70,6 +70,9 @@ function parseSince(s) {
 function die(msg, code = 1) { process.stderr.write(`${msg}\n`); process.exit(code); }
 function info(msg) { process.stdout.write(`[wma-fetch] ${msg}\n`); }
 function warn(msg) { process.stderr.write(`[wma-fetch] ⚠️  ${msg}\n`); }
+// Strip control chars + truncate a customer-set agent name before it goes into
+// a log line or the Fortress display_name (defense-in-depth vs log/payload injection).
+function cleanLabel(s) { return [...String(s ?? '')].filter((c) => c.charCodeAt(0) >= 32 && c.charCodeAt(0) !== 127).join('').slice(0, 60).trim(); }
 
 function resolveModel(agent) {
   const raw = agent.model || agent.config?.model || null;
@@ -198,35 +201,63 @@ async function fetchOneShot({ apiKey, agentId, model, logDir, since, sessionId,
   process.stdout.write(`[wma-fetch] inspect with: npx wma-inspect ${logDir}\n`);
 }
 
-// ── CONTINUOUS / DAEMON ─────────────────────────────────────────────────────
-async function runWatch({ apiKey, agentId, model, displayName, logDir, intervalMs, uploadCtx }) {
-  const seenIds = await preloadSeenIds(logDir, agentId);
-  const loggers = new Map();     // sessionId → Logger (persists sequence across cycles)
-  const ended = new Set();       // sessions we've already closed with session_end
+// ── CONTINUOUS / DAEMON (single agent or whole fleet) ───────────────────────
+// resolveAgents() returns the current fleet [{agentId, model, displayName}] each
+// cycle — in fleet mode it RE-DISCOVERS so agents created after startup get picked
+// up. `windowMs` bounds discovery of NEW sessions, but sessions we're ALREADY
+// tracking are re-fetched regardless of age, so a long-running (>window) session
+// never drops out of capture. `sendNames`: include the human agent name in the
+// Fortress display_name (opt-in); default sends the agent id only (Modèle C).
+async function runWatch({ apiKey, resolveAgents, fleet, logDir, intervalMs, windowMs, uploadCtx, sendNames }) {
+  let agents = await resolveAgents();
+  const seenIds = new Set();     // stable Anthropic event ids already captured
+  for (const ag of agents) {
+    for (const id of await preloadSeenIds(logDir, ag.agentId)) seenIds.add(id);
+  }
+  const loggers = new Map();     // sessionId → Logger (session ids are globally unique)
+  const ended = new Set();       // terminated sessions (skip)
+  const sessionAgent = new Map();// sessionId → { agentId, model, displayName }
 
   const ac = new AbortController();
   const shutdown = () => { info('shutting down…'); ac.abort(); };
   process.on('SIGINT', shutdown);
   process.on('SIGTERM', shutdown);
 
-  info(`watch mode — interval ${Math.round(intervalMs / 1000)}s, upload ${uploadCtx ? 'ON' : 'OFF'}, ${seenIds.size} known events preloaded`);
+  info(`watch mode — ${agents.length} agent(s)${fleet ? ' (fleet, re-discovered each cycle)' : ''}, interval ${Math.round(intervalMs / 1000)}s, discovery window ${Math.round(windowMs / 3600000)}h, upload ${uploadCtx ? 'ON' : 'OFF'}, ${seenIds.size} known events preloaded`);
 
   while (!ac.signal.aborted) {
-    const since = new Date(Date.now() - 24 * 3600 * 1000);
-    let sessions = [];
-    try { sessions = await listSessions(apiKey, { agentId, since }); }
-    catch (e) { warn(`listSessions failed: ${e.message}`); }
+    if (fleet) { const next = await resolveAgents(); if (next.length) agents = next; }
+    const since = new Date(Date.now() - windowMs);
+
+    // (1) Discover sessions in the window; register the owning agent for each.
+    for (const ag of agents) {
+      if (ac.signal.aborted) break;
+      const tag = fleet ? `[${ag.displayName}] ` : '';
+      let sessions = [];
+      try { sessions = await listSessions(apiKey, { agentId: ag.agentId, since }); }
+      catch (e) { warn(`${tag}listSessions failed: ${e.message}`); continue; }
+      for (const s of sessions) {
+        if (s.id && !ended.has(s.id) && !sessionAgent.has(s.id)) {
+          sessionAgent.set(s.id, { agentId: ag.agentId, model: ag.model, displayName: ag.displayName });
+        }
+      }
+    }
 
+    // (2) Capture every tracked, not-yet-ended session — REGARDLESS of age. This
+    // is what stops a long-running session created before the window from silently
+    // dropping out of monitoring (and, paired with Shield, out of enforcement).
     let cycleNew = 0;
-    for (const s of sessions) {
-      if (!s.id || ended.has(s.id)) continue;
-      let logger = loggers.get(s.id);
-      if (!logger) { logger = new Logger({ logDir, agentId, sessionId: s.id, silent: true }); loggers.set(s.id, logger); }
+    for (const [sid, ag] of sessionAgent) {
+      if (ac.signal.aborted) break;
+      if (ended.has(sid)) continue;
+      const tag = fleet ? `[${ag.displayName}] ` : '';
+      let logger = loggers.get(sid);
+      if (!logger) { logger = new Logger({ logDir, agentId: ag.agentId, sessionId: sid, silent: true }); loggers.set(sid, logger); }
 
       const fresh = [];
       let sawTerminated = false;
       try {
-        for await (const entry of fetchSessionEntries({ apiKey, agentId, sessionId: s.id, model })) {
+        for await (const entry of fetchSessionEntries({ apiKey, agentId: ag.agentId, sessionId: sid, model: ag.model })) {
           if (entry.id && seenIds.has(entry.id)) continue;
           if (entry.id) seenIds.add(entry.id);
           const written = await logger.write(entry);
@@ -235,15 +266,15 @@ async function runWatch({ apiKey, agentId, model, displayName, logDir, intervalM
               && entry.output?.scope === 'session'
               && entry.output?.state === 'terminated') sawTerminated = true;
         }
-      } catch (e) { warn(`session ${s.id}: fetch failed: ${e.message}`); continue; }
+      } catch (e) { warn(`${tag}session ${sid.slice(0, 16)}…: fetch failed: ${e.message}`); continue; }
 
       if (fresh.length === 0) continue;
       cycleNew += fresh.length;
-      info(`session ${s.id.slice(0, 16)}…: +${fresh.length} new event(s)`);
+      info(`${tag}session ${sid.slice(0, 16)}…: +${fresh.length} new event(s)`);
 
       if (uploadCtx) {
         try {
-          const resp = await uploadSignals(uploadCtx, agentId, displayName, fresh);
+          const resp = await uploadSignals(uploadCtx, ag.agentId, sendNames ? ag.displayName : ag.agentId, fresh);
           if (resp?.signal_id) info(`  ↑ signals uploaded (signal_id ${resp.signal_id})`);
         } catch (e) { warn(`  signals upload failed: ${e.message}`); }
       }
@@ -253,12 +284,13 @@ async function runWatch({ apiKey, agentId, model, displayName, logDir, intervalM
         for (const e of fresh) tracker.record(e);
         const stats = tracker.stats().total;
         await logger.write({
-          action_type: 'session_end', framework: 'anthropic-managed', status: 'ok', model,
+          action_type: 'session_end', framework: 'anthropic-managed', status: 'ok', model: ag.model,
           session_tokens: { input: stats.input, output: stats.output, cache_read: stats.cache_read, cache_creation: stats.cache_creation, total: stats.sum },
           session_cost_usd: stats.cost_usd || null,
         });
-        ended.add(s.id);
-        info(`session ${s.id.slice(0, 16)}… terminated — closed`);
+        ended.add(sid);
+        sessionAgent.delete(sid);   // bound memory: terminated sessions aren't re-fetched
+        info(`${tag}session ${sid.slice(0, 16)}… terminated — closed`);
       }
     }
 
@@ -275,10 +307,12 @@ async function main() {
   const logDir = resolve(args['log-dir'] || './watchmyagents-logs');
   const watch = !!args.watch;
   const upload = !!args.upload;
+  const allAgents = !!args['all-agents'];
 
   if (!apiKey) die('error: --api-key or ANTHROPIC_API_KEY required');
-  if (!agentId) die('error: --agent-id required (e.g. agent_01ABC...)');
-  if (!isValidAgentId(agentId)) {
+  if (!allAgents && !agentId) die('error: --agent-id required (or --all-agents for fleet mode)');
+  if (allAgents && !watch) die('error: --all-agents requires --watch (fleet daemon). For a one-shot, target a single --agent-id.');
+  if (agentId && !isValidAgentId(agentId)) {
     die(`error: --agent-id has invalid format (expected "agent_" + alphanumeric, got "${agentId}")`);
   }
   const sessionIdArg = args['session-id'];
@@ -303,18 +337,49 @@ async function main() {
     uploadCtx = { apiKey: wmaKey, salt, url: fortressEndpoint(base, 'ingest-signals') };
   }
 
-  info(`resolving agent ${agentId}…`);
-  const agent = await getAgent(apiKey, agentId).catch((e) => die(`failed to GET agent: ${e.message}`));
-  const model = resolveModel(agent);
-  const displayName = agent.name || agentId;
-  info(`model: ${model || '(unknown)'}`);
-
   if (watch) {
     const intervalMs = parseDurationMs(args.interval, 5 * 60_000);
-    await runWatch({ apiKey, agentId, model, displayName, logDir, intervalMs, uploadCtx });
+    // Discovery window for NEW sessions (default 7d, configurable). Sessions we
+    // already track are re-fetched regardless of age, so long-lived ones don't drop.
+    const windowMs = parseDurationMs(args['discovery-since'], 7 * 24 * 3600_000);
+    const sendNames = !!args['send-agent-names'];
+
+    let resolveAgents;
+    if (allAgents) {
+      // Re-discover the fleet each cycle: agents created after startup get picked
+      // up, gone ones drop off. Keep the last good list if a discovery call fails.
+      let lastFleet = [];
+      resolveAgents = async () => {
+        const all = await listAgents(apiKey).catch((e) => { warn(`fleet re-discovery failed (keeping last): ${e.message}`); return null; });
+        if (!all) return lastFleet;
+        const next = all
+          .filter((a) => a.id && isValidAgentId(a.id))
+          .map((a) => ({ agentId: a.id, model: resolveModel(a), displayName: cleanLabel(a.name || a.id) }));
+        const prev = new Set(lastFleet.map((a) => a.agentId));
+        const cur = new Set(next.map((a) => a.agentId));
+        for (const a of next) if (!prev.has(a.agentId)) info(`fleet: + ${a.displayName}`);
+        for (const a of lastFleet) if (!cur.has(a.agentId)) info(`fleet: − ${a.displayName} (gone)`);
+        lastFleet = next;
+        return next;
+      };
+      info('discovering agents (fleet mode)…');
+      const first = await resolveAgents();
+      if (first.length === 0) die('error: no agents found under this API key');
+      info(`fleet: ${first.length} agent(s) — ${first.map((a) => a.displayName).join(', ')}`);
+    } else {
+      info(`resolving agent ${agentId}…`);
+      const agent = await getAgent(apiKey, agentId).catch((e) => die(`failed to GET agent: ${e.message}`));
+      const single = [{ agentId, model: resolveModel(agent), displayName: cleanLabel(agent.name || agentId) }];
+      info(`model: ${single[0].model || '(unknown)'}`);
+      resolveAgents = async () => single;
+    }
+
+    await runWatch({ apiKey, resolveAgents, fleet: allAgents, logDir, intervalMs, windowMs, uploadCtx, sendNames });
   } else {
+    info(`resolving agent ${agentId}…`);
+    const agent = await getAgent(apiKey, agentId).catch((e) => die(`failed to GET agent: ${e.message}`));
     const since = args.since ? parseSince(args.since) : null;
-    await fetchOneShot({ apiKey, agentId, model, logDir, since, sessionId: args['session-id'], dumpRaw: !!args['dump-raw'] });
+    await fetchOneShot({ apiKey, agentId, model: resolveModel(agent), logDir, since, sessionId: args['session-id'], dumpRaw: !!args['dump-raw'] });
   }
 }
 

package/scripts/service.js

@@ -251,9 +251,10 @@ function linuxUninstallOne(label) {
 
 // ── Commands ────────────────────────────────────────────────────────────--
 function cmdInstall(args) {
+  const allAgents = !!args['all-agents'];
   const agentId = args['agent-id'];
-  if (!agentId) die('--agent-id required (e.g. agent_01ABC...)');
-  if (!isValidAgentId(agentId)) die(`--agent-id invalid format (expected "agent_" + alphanumeric, got "${agentId}")`);
+  if (!allAgents && !agentId) die('--agent-id required (or --all-agents to cover the whole fleet)');
+  if (agentId && !isValidAgentId(agentId)) die(`--agent-id invalid format (expected "agent_" + alphanumeric, got "${agentId}")`);
   const interval = args.interval || '5m';
   if (!/^\d+[smhd]$/.test(interval)) die(`--interval invalid format (expected like 30s, 5m, 1h, 2d; got "${interval}")`);
   const logDir = args['log-dir'] || LOG_DIR_DEFAULT;
@@ -262,14 +263,15 @@ function cmdInstall(args) {
   if (PLATFORM !== 'darwin' && PLATFORM !== 'linux') {
     die(`unsupported platform "${PLATFORM}". Supported: macOS (launchd), Linux (systemd).\n` +
         '       Run the daemon manually or wrap it in your own process manager:\n' +
-        `         wma-fetch --agent-id ${agentId} --watch --upload --interval ${interval}`);
+        `         wma-fetch ${allAgents ? '--all-agents' : `--agent-id ${agentId}`} --watch --upload --interval ${interval}`);
   }
 
   mkdirSync(logDir, { recursive: true, mode: 0o700 });
   writeEnvFile();
 
-  const watchArgs = ['--agent-id', agentId, '--watch', '--upload', '--interval', interval, '--log-dir', logDir];
-  const shieldArgs = ['--agent-id', agentId, '--policies-source', 'fortress', '--log-dir', logDir];
+  const target = allAgents ? ['--all-agents'] : ['--agent-id', agentId];
+  const watchArgs = [...target, '--watch', '--upload', '--interval', interval, '--log-dir', logDir];
+  const shieldArgs = [...target, '--policies-source', 'fortress', '--log-dir', logDir];
 
   if (PLATFORM === 'darwin') {
     macInstallOne(WATCH_LABEL, FETCH_SCRIPT, watchArgs);