npm - watchmyagents - Versions diffs - 0.8.2 → 0.9.1 - Mend

watchmyagents 0.8.2 → 0.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md +24 -6
package/package.json +7 -3
package/scripts/agents.js +218 -0
package/scripts/fetch-anthropic.js +97 -32
package/scripts/service.js +7 -5
package/scripts/shield.js +130 -97
package/src/sources/anthropic-managed.js +18 -0
package/src/typology-weights.json +88 -0
package/src/typology.js +398 -0

package/scripts/shield.js CHANGED Viewed

@@ -33,7 +33,7 @@ import {
   getAgentConfig, detectAlwaysAsk,
 } from '../src/shield/enforce.js';
 import { DecisionLogger } from '../src/shield/decisions.js';
-import { listSessions } from '../src/sources/anthropic-managed.js';
+import { listSessions, listAgents } from '../src/sources/anthropic-managed.js';
 import { FortressPolicySource, postDecision } from '../src/shield/sources/fortress.js';
 import { resolveFortressBase } from '../src/fortress/url.js';
 import { isValidAgentId, isValidSessionId } from '../src/validate.js';
@@ -57,6 +57,14 @@ function info(msg) { process.stdout.write(`[shield] ${msg}\n`); }
 function warn(msg) { process.stderr.write(`[shield] ⚠️  ${msg}\n`); }
 function sinfo(sid, msg) { process.stdout.write(`[shield/${sid.slice(0, 12)}] ${msg}\n`); }
 function swarn(sid, msg) { process.stderr.write(`[shield/${sid.slice(0, 12)}] ⚠️  ${msg}\n`); }
+const sleep = (ms, signal) => new Promise((res) => {
+  const t = setTimeout(res, ms);
+  if (signal) signal.addEventListener('abort', () => { clearTimeout(t); res(); }, { once: true });
+});
+function parseWindowMs(v, fallback) {
+  const m = v && String(v).match(/^(\d+)\s*([smhd])$/);
+  return m ? parseInt(m[1], 10) * { s: 1000, m: 60_000, h: 3_600_000, d: 86_400_000 }[m[2]] : fallback;
+}
 const CACHEABLE_TOOL_TYPES = new Set([
   'agent.tool_use', 'agent.mcp_tool_use', 'agent.custom_tool_use',
@@ -319,6 +327,10 @@ async function runSessionWorker({ sessionId, ctx }) {
 // ────────────────────────────────────────────────────────────────────────
 async function runAgentWide(ctx) {
   const { apiKey, agentId, signal } = ctx;
+  // Discovery window for sessions we haven't attached yet (default 7d). Already-
+  // attached workers stream until the session terminates regardless of age, so a
+  // long-running session never loses enforcement once attached.
+  const discoveryWindowMs = ctx.discoveryWindowMs || 7 * 24 * 3600_000;
   const workers = new Map();      // sessionId → AbortController (active workers)
   const cooldown = new Map();     // sessionId → unix-ms timestamp when re-attach is allowed
@@ -332,9 +344,7 @@ async function runAgentWide(ctx) {
   async function discoverAndAttach() {
     let sessions;
     try {
-      // Look at sessions from the last 24h (anything older that's still idle
-      // is probably stale; the user can extend the window if needed).
-      const since = new Date(Date.now() - 24 * 3600_000);
+      const since = new Date(Date.now() - discoveryWindowMs);
       sessions = await listSessions(apiKey, { agentId, since });
     } catch (e) {
       warn(`listSessions failed: ${e.message}`);
@@ -423,10 +433,16 @@ async function main() {
     explicitUrl: args['fortress-url'],
   });
   const logDir = resolve(args['log-dir'] || './watchmyagents-logs');
+  const allAgents = !!args['all-agents'];
+  const discoveryWindowMs = parseWindowMs(args['discovery-since'], 7 * 24 * 3600_000);
   if (!apiKey) die('error: --api-key or ANTHROPIC_API_KEY required');
-  if (!agentId) die('error: --agent-id required');
-  if (!isValidAgentId(agentId)) {
+  if (!allAgents && !agentId) die('error: --agent-id required (or --all-agents for fleet mode)');
+  if (allAgents && singleSessionId) die('error: --all-agents is incompatible with --session-id');
+  if (allAgents && policiesSource !== 'fortress') {
+    die('error: --all-agents requires --policies-source fortress (per-agent policies).');
+  }
+  if (agentId && !isValidAgentId(agentId)) {
     die(`error: --agent-id has invalid format (expected "agent_" + alphanumeric, got "${agentId}")`);
   }
   // --session-id ends up in the Anthropic SSE URL path (src/shield/stream.js).
@@ -435,120 +451,137 @@ async function main() {
     die(`error: --session-id has invalid format (expected "sesn_" + alphanumeric, got "${singleSessionId}")`);
   }
-  // Policies source: --policies-source fortress | local  (default infers from --policy)
-  let ruleset;          // for 'local' mode: static; for 'fortress': initial snapshot
-  let fortressPolicies; // FortressPolicySource instance, used as ground truth at runtime
+  // Validate the policy source config once (shared across the fleet). For local
+  // mode the ruleset is loaded once and shared by every agent.
+  let sharedLocalRuleset = null;
   if (policiesSource === 'fortress') {
     if (!wmaApiKey) die('error: --policies-source fortress requires --wma-api-key or WMA_API_KEY env');
     if (!fortressBase) die('error: --policies-source fortress requires --fortress-base-url or WMA_FORTRESS_BASE_URL env');
     if (!/^wma_[a-f0-9]{32}$/i.test(wmaApiKey)) warn(`WMA_API_KEY format looks unusual (expected wma_<32hex>).`);
-    fortressPolicies = new FortressPolicySource({
-      apiKey: wmaApiKey,
-      base: fortressBase,
-      anthropicAgentId: agentId,
-      refreshIntervalMs: 5 * 60_000,
-      onError: (e) => warn(`policy refresh failed (keeping cached): ${e.message}`),
-      onRefresh: ({ policies, fetched_at, initial }) => {
-        info(`policies ${initial ? 'loaded' : 'refreshed'} from Fortress — ${policies.length} active (fetched_at: ${fetched_at})`);
-      },
-    });
-    try {
-      await fortressPolicies.start();
-    } catch (e) {
-      die(`error fetching policies from Fortress: ${e.message}\n` +
-          `       Check WMA_FORTRESS_BASE_URL and WMA_API_KEY.`);
-    }
-    ruleset = fortressPolicies.current();
   } else if (policiesSource === 'local') {
     if (!policyPath) die('error: --policies-source local requires --policy <path-to-policies.json>');
-    try {
-      ruleset = await loadPolicies(resolve(policyPath));
-    } catch (e) {
-      die(`error loading policies: ${e.message}`);
-    }
+    try { sharedLocalRuleset = await loadPolicies(resolve(policyPath)); }
+    catch (e) { die(`error loading policies: ${e.message}`); }
   } else {
     die('error: --policy <path> OR --policies-source fortress required');
   }
-  let mode = 'interrupt';
-  let agentMeta = null;
-  try {
-    agentMeta = await getAgentConfig(apiKey, agentId);
-    if (detectAlwaysAsk(agentMeta)) mode = 'tool_confirmation';
-  } catch (e) {
-    warn(`could not fetch agent config (${e.message}). Defaulting to interrupt mode.`);
-  }
-  const sourceLabel = policiesSource === 'fortress'
-    ? `Fortress (${fortressBase})`
-    : policyPath;
-  info(`armed — ${ruleset.policies.length} policies loaded from ${sourceLabel}`);
-  info(`default action when no rule matches: ${ruleset.default.action}`);
-  info(`agent: ${agentId}${agentMeta?.name ? ` "${agentMeta.name}"` : ''}`);
-  info(`enforcement mode: ${mode}`);
-  if (mode === 'interrupt') {
-    warn('DEGRADED mode — Shield will interrupt AFTER a violating tool runs.');
-    warn(`For pre-execution blocking, run: wma-shield --setup-guide --agent-id ${agentId}`);
+  // Resolve the agent list: whole fleet (--all-agents) or a single agent.
+  let agentIds;
+  if (allAgents) {
+    info('discovering agents (fleet mode)…');
+    const all = await listAgents(apiKey).catch((e) => die(`failed to list agents: ${e.message}`));
+    agentIds = all.map((a) => a.id).filter((id) => id && isValidAgentId(id));
+    if (agentIds.length === 0) die('error: no agents found under this API key');
+    info(`fleet: ${agentIds.length} agent(s)`);
+  } else {
+    agentIds = [agentId];
   }
+  const fleet = agentIds.length > 1;
-  // Per-session DecisionLogger factory (each session gets its own to keep
-  // sequence numbers monotonic per session).
-  const loggers = new Map();
-  const decisions = (sessionId) => {
-    if (!loggers.has(sessionId)) {
-      loggers.set(sessionId, new DecisionLogger({ logDir, agentId, sessionId }));
-    }
-    return loggers.get(sessionId);
+  // Shared infra: one shutdown signal, one fortress-source registry, one pusher.
+  const ac = new AbortController();
+  const fortressSources = [];
+  const shutdown = (sig) => {
+    info(`${sig} received, shutting down…`);
+    for (const fp of fortressSources) fp.stop();
+    ac.abort();
   };
+  process.on('SIGINT',  () => shutdown('SIGINT'));
+  process.on('SIGTERM', () => shutdown('SIGTERM'));
-  // Optional Fortress decision pusher — only active if we have a wma key + base.
-  // In 'fortress' mode this is always available. In 'local' mode it's a fire-
-  // and-forget extra channel if both are set.
+  // Optional Fortress decision pusher (each ctx carries its own agent id, so a
+  // single shared pusher tags decisions with the right agent).
   const canPushToFortress = !!(wmaApiKey && fortressBase);
   const pushDecisionToFortress = canPushToFortress
     ? async (decisionData) => {
-        try {
-          await postDecision({ apiKey: wmaApiKey, base: fortressBase, decision: decisionData });
-        } catch (e) {
-          warn(`Fortress decision push failed: ${e.message}`);
-        }
+        try { await postDecision({ apiKey: wmaApiKey, base: fortressBase, decision: decisionData }); }
+        catch (e) { warn(`Fortress decision push failed: ${e.message}`); }
       }
     : null;
-  const ac = new AbortController();
-  process.on('SIGINT',  () => {
-    info('SIGINT received, shutting down…');
-    if (fortressPolicies) fortressPolicies.stop();
-    ac.abort();
-  });
-  process.on('SIGTERM', () => {
-    info('SIGTERM received, shutting down…');
-    if (fortressPolicies) fortressPolicies.stop();
-    ac.abort();
-  });
+  // Per-agent SETUP (separate from the long-running phase so we can COUNT how
+  // many actually armed). In fleet mode a per-agent startup failure is skipped
+  // (warn) instead of killing the fleet. Returns the agent's ctx, or null if skipped.
+  async function setupAgent(aid) {
+    const tag = fleet ? `[${aid.slice(0, 16)}…] ` : '';
+    let fortressPolicies = null;
+    let ruleset = sharedLocalRuleset;
+    if (policiesSource === 'fortress') {
+      fortressPolicies = new FortressPolicySource({
+        apiKey: wmaApiKey, base: fortressBase, anthropicAgentId: aid, refreshIntervalMs: 5 * 60_000,
+        onError: (e) => warn(`${tag}policy refresh failed (keeping cached): ${e.message}`),
+        onRefresh: ({ policies, fetched_at, initial }) => info(`${tag}policies ${initial ? 'loaded' : 'refreshed'} from Fortress — ${policies.length} active (fetched_at: ${fetched_at})`),
+      });
+      try { await fortressPolicies.start(); }
+      catch (e) {
+        if (fleet) { warn(`${tag}skipped — policy fetch failed: ${e.message}`); return null; }
+        die(`error fetching policies from Fortress: ${e.message}\n       Check WMA_FORTRESS_BASE_URL and WMA_API_KEY.`);
+      }
+      fortressSources.push(fortressPolicies);
+      ruleset = fortressPolicies.current();
+    }
-  // ctx exposes a getter for the live ruleset so workers see policy refreshes.
-  const ctx = {
-    apiKey,
-    agentId,
-    get ruleset() {
-      return fortressPolicies ? fortressPolicies.current() : ruleset;
-    },
-    mode,
-    decisions,
-    pushDecisionToFortress,
-    signalsSalt,
-    signal: ac.signal,
-  };
+    let mode = 'interrupt';
+    let agentMeta = null;
+    try { agentMeta = await getAgentConfig(apiKey, aid); if (detectAlwaysAsk(agentMeta)) mode = 'tool_confirmation'; }
+    catch (e) { warn(`${tag}could not fetch agent config (${e.message}). Defaulting to interrupt mode.`); }
-  if (singleSessionId) {
-    info(`single-session mode — attached to ${singleSessionId}`);
-    await runSessionWorker({ sessionId: singleSessionId, ctx });
-  } else {
-    await runAgentWide(ctx);
+    info(`${tag}armed — ${ruleset.policies.length} policies · default ${ruleset.default.action} · mode ${mode}${agentMeta?.name ? ` · "${agentMeta.name}"` : ''}`);
+    if (mode === 'interrupt' && !fleet) {
+      warn('DEGRADED mode — Shield will interrupt AFTER a violating tool runs.');
+      warn(`For pre-execution blocking, run: wma-shield --setup-guide --agent-id ${aid}`);
+    }
+    const loggers = new Map();
+    const decisions = (sessionId) => {
+      if (!loggers.has(sessionId)) loggers.set(sessionId, new DecisionLogger({ logDir, agentId: aid, sessionId }));
+      return loggers.get(sessionId);
+    };
+    return {
+      apiKey, agentId: aid,
+      get ruleset() { return fortressPolicies ? fortressPolicies.current() : ruleset; },
+      mode, decisions, pushDecisionToFortress, signalsSalt, signal: ac.signal, discoveryWindowMs,
+    };
+  }
+  if (!fleet) {
+    // Single agent: arm + run (blocks until SIGINT/SIGTERM). die() on failure
+    // already fires inside setupAgent for the non-fleet path.
+    const ctx = await setupAgent(agentIds[0]);
+    await (singleSessionId ? runSessionWorker({ sessionId: singleSessionId, ctx }) : runAgentWide(ctx));
+    return;
+  }
+  // Fleet: arm all discovered agents, then RECONCILE periodically so an agent
+  // created after startup gets armed + protected without a restart. A per-agent
+  // arm failure is skipped and retried on the next reconcile.
+  const armed = new Set();
+  const running = [];
+  const armNew = async (ids) => {
+    for (const aid of ids) {
+      if (armed.has(aid)) continue;
+      const ctx = await setupAgent(aid);
+      if (!ctx) continue;                 // skipped (policy fetch failed) → retry next reconcile
+      armed.add(aid);
+      running.push(runAgentWide(ctx));    // fire; blocks on the shared signal until shutdown
+      info(`fleet: armed ${aid.slice(0, 16)}…`);
+    }
+  };
+  await armNew(agentIds);
+  if (armed.size === 0) {
+    die(`error: no agents could be armed (${agentIds.length} discovered; all policy fetches failed). Check WMA_API_KEY / WMA_FORTRESS_BASE_URL.`);
+  }
+  info(`fleet: ${armed.size}/${agentIds.length} agent(s) armed; reconciling every 60s for new agents.`);
+  while (!ac.signal.aborted) {
+    await sleep(60_000, ac.signal);
+    if (ac.signal.aborted) break;
+    let all;
+    try { all = await listAgents(apiKey); }
+    catch (e) { warn(`fleet reconcile failed (keeping current): ${e.message}`); continue; }
+    await armNew(all.map((a) => a.id).filter((id) => id && isValidAgentId(id)));
   }
+  await Promise.all(running);
 }
 main().catch(e => {

package/src/sources/anthropic-managed.js CHANGED Viewed

@@ -77,6 +77,24 @@ export async function getAgent(apiKey, agentId) {
   return getWithRetry(apiKey, `/v1/agents/${agentId}`);
 }
+// List every Managed Agent under the API key (paginated). Used for fleet mode
+// (watch/shield/service --all-agents) and agent discovery.
+export async function listAgents(apiKey, { limit = 100 } = {}) {
+  const agents = [];
+  let after = null;
+  while (true) {
+    const qs = new URLSearchParams({ limit: String(limit) });
+    if (after) qs.set('after_id', after);
+    const data = await getWithRetry(apiKey, `/v1/agents?${qs}`);
+    const page = data.data || [];
+    for (const a of page) agents.push(a);
+    if (!data.has_more || page.length === 0) break;
+    after = page[page.length - 1]?.id;
+    if (!after) break;
+  }
+  return agents;
+}
 export async function listSessions(apiKey, { agentId, since, limit = 100 } = {}) {
   const sessions = [];
   let after = null;

package/src/typology-weights.json ADDED Viewed

@@ -0,0 +1,88 @@
+{
+  "$comment": "WatchMyAgents — typology classifier weights + thresholds (Guardian Core, agent-typology-classification.spec.md §3/§4/§5). INVARIANT: weights and thresholds live HERE, never hardcoded in typology.js ('poids de signature en config, pas en dur'). Calibrate on labelled real traffic. Modèle C: all inputs are anonymized behavioural fractions/flags only.",
+  "version": "0.1.0",
+  "updated_at": "2026-05-29T00:00:00Z",
+  "thresholds": {
+    "$comment": "§4 'Seuils par défaut (à calibrer)' + §5 downgrade asymmetry.",
+    "n_events_min": 50,
+    "confidence_min": 0.70,
+    "margin_min": 0.15,
+    "stable_windows": 3,
+    "downgrade_confidence_min": 0.85,
+    "downgrade_windows": 5,
+    "untrusted_modifier_min": 0.1,
+    "sensitive_modifier_min": 0.0,
+    "payment_overlay_min": 0.0,
+    "autonomy_modifier_min": 0.5,
+    "$comment_tie": "§8 conservative tie-break: when |score(top1)-score(top2)| <= tie_epsilon (a near/exact tie between two REAL types with real signal), select the STRICTER of the two rather than falling to the more-permissive generic — 'dans le doute, on reste sur le plus protecteur'. Set to 0 for exact-tie only.",
+    "tie_epsilon": 0.0
+  },
+  "confidence_sigmoid": {
+    "$comment": "§4 confidence = sigmoid(a·top1.score + b·margin + c·log(n_events)). All three coefficients live in config; a naive impl that only used top1.score would be wrong.",
+    "a": 4.0,
+    "b": 6.0,
+    "c": 0.6,
+    "bias": -3.5
+  },
+  "strictness_rank": {
+    "$comment": "§5 restriction ranking — derived from each template's baseline_policies enforcement severity (isolate>block>require_approval>throttle>monitor>warn). Higher rank = STRICTER. Drives re-classification asymmetry: to a stricter rank = normal threshold; to a looser rank = downgrade gate (conf>=0.85 AND 5 windows). NOT alphabetical.",
+    "devops_infra": 10,
+    "transactional_financial": 9,
+    "workflow_backoffice": 8,
+    "coding": 7,
+    "orchestrator": 6,
+    "browser_web": 5,
+    "personal_assistant": 4,
+    "data_rag": 3,
+    "generic": 2,
+    "customer_facing": 1
+  },
+  "features": {
+    "$comment": "Canonical anonymized feature keys (Modèle C). Fractions f_* in [0,1]; flag_* in {0,1}; aux_* in [0,1]. Order is informational only — scoring is key-addressed.",
+    "fractions": ["f_code", "f_browser", "f_database", "f_http", "f_email", "f_payment", "f_secret", "f_search", "f_memory", "f_handoff", "f_user_msg", "f_file"],
+    "flags": ["flag_deploy", "flag_internal_sys", "flag_on_behalf"],
+    "aux": ["aux_autonomy", "aux_untrusted", "aux_sensitive"]
+  },
+  "weights": {
+    "$comment": "w[type][feature] — signature weights (§3). Positive = signal for the type; negative = signal against. flag_* are the REQUIRED discriminators for the 3 inseparable pairs (coding/devops, data_rag/workflow, personal_assistant/workflow). 'generic' has no positive weights (pure fallback).",
+    "coding": {
+      "f_code": 1.0, "f_file": 0.5, "f_search": 0.3, "f_secret": 0.1,
+      "flag_deploy": -0.9
+    },
+    "devops_infra": {
+      "f_code": 0.7, "f_secret": 0.6, "f_file": 0.2,
+      "flag_deploy": 1.2
+    },
+    "data_rag": {
+      "f_database": 0.8, "f_search": 0.35, "f_memory": 0.7, "aux_untrusted": 0.2,
+      "flag_internal_sys": -0.7
+    },
+    "customer_facing": {
+      "f_user_msg": 1.0, "f_handoff": 0.3, "f_email": 0.2
+    },
+    "browser_web": {
+      "f_browser": 1.0, "f_http": 0.6, "f_search": 0.7
+    },
+    "orchestrator": {
+      "f_handoff": 1.2, "f_code": -0.2, "f_browser": -0.2, "f_database": -0.2
+    },
+    "workflow_backoffice": {
+      "f_database": 0.6, "f_http": 0.5, "f_file": 0.2,
+      "flag_internal_sys": 0.9, "flag_on_behalf": -0.6
+    },
+    "personal_assistant": {
+      "f_email": 0.8, "f_file": 0.4, "f_user_msg": 0.3,
+      "flag_on_behalf": 1.0
+    },
+    "transactional_financial": {
+      "f_payment": 1.5
+    },
+    "generic": {}
+  }
+}