watchmyagents 0.9.0 → 0.9.2

package/README.md

@@ -121,6 +121,8 @@ wma-fetch (--agent-id <agent_id> | --all-agents) [--session-id <sess_id>] [--sin
 | `--watch` | **Continuous daemon** — loop forever, incrementally capturing NEW events (deduped by stable event id) until `Ctrl+C` |
 | `--interval 5m` | Poll interval in watch mode (default `5m`; accepts `30s`/`1h`/…) |
 | `--upload` | In watch mode, anonymize each new window and ship signals to Fortress (needs `WMA_API_KEY` + `WMA_FORTRESS_BASE_URL` + `WMA_SIGNALS_SALT`). Raw stays local. |
+| `--discovery-since 7d` | Window for discovering NEW sessions (default `7d`). Sessions already being tracked are re-fetched regardless of age, so long-running ones never drop out. |
+| `--send-agent-names` | Opt-in: send the human agent name as the Fortress `display_name`. Default sends the agent id only (the name may contain client/project info). |
 | `--api-key sk-ant-…` | Override the `ANTHROPIC_API_KEY` env var. **Discouraged** — visible in shell history & process list. Prefer the env var. |
 
 Logs land in `./watchmyagents-logs/<agent_id>/<date>.ndjson` (file mode `0600`, dir `0700`).
@@ -153,7 +155,7 @@ wma-upload-fortress --agent-id agent_01ABC... [--display-name "My agent"]
 wma-upload-fortress --agent-id agent_xxx --dry-run
 ```
 
-**What is sent:** counts, latencies, salted IoC hashes, sequences — same as `wma-anonymize` output.
+**What is sent:** the anonymized signals payload (counts, latencies, salted IoC hashes, sequences — same as `wma-anonymize` output) **plus two routing identifiers**: your `anthropic_agent_id` and a `display_name`. The agent id is required so Fortress can associate signals with the right agent; `display_name` defaults to the agent id and only carries the human-readable agent name if you opt in (`wma-fetch --watch --upload --send-agent-names`).
 **What is NOT sent:** raw prompts, raw URLs/commands/queries, raw agent responses, raw error messages. All payload content stays on your machine.
 
 The endpoint auto-registers the agent on the first upload if it doesn't exist in Fortress yet — no manual onboarding needed for new agents.
@@ -245,9 +247,9 @@ WatchMyAgents is built so that **your prompts and outputs never have to leave yo
 |---|---|
 | **Your machine** (`./watchmyagents-logs/`) | Full NDJSON with all prompts, tool inputs, agent outputs. `chmod 600` on every file. |
 | **Anthropic API** | Where the agent runs. WMA pulls events via the public REST API only. |
-| **WMA infrastructure** | **Nothing today.** Future opt-in telemetry will ship only anonymized metadata (counts, timings, hashes) — never raw payloads. |
+| **WMA Fortress** (opt-in, only with `--upload` / `wma-upload-fortress` / `wma-shield --policies-source fortress`) | The **anonymized signals** payload (counts, timings, salted hashes, sequences) + two routing identifiers: your `anthropic_agent_id` and a `display_name` (defaults to the agent id; the human agent name only with `--send-agent-names`). Shield enforcement **decisions** (hashed session/event/input fingerprints — never raw values). **Never** raw prompts, URLs, commands, or outputs. |
 
-This is the "local-first" guarantee. It is the product, not a marketing claim.
+This is the "local-first" guarantee: **raw payloads never leave your machine.** Cloud upload is opt-in and carries only anonymized metadata + the agent id/name needed to route it.
 
 ## Security
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "watchmyagents",
-  "version": "0.9.0",
+  "version": "0.9.2",
   "description": "Security observability + real-time policy enforcement for AI agents. Local-first NDJSON capture with a continuous Watch daemon that auto-uploads anonymized signals, Shield CLI that blocks policy violations live (with policies pulled from Fortress cloud), anonymizer producing signals-only payloads, bidirectional sync with WatchMyAgents Fortress, and one-command install as an always-on launchd/systemd service — closing the recursive Watch→Guardian→Shield security loop.",
   "type": "module",
   "files": [

package/scripts/agents.js

@@ -18,12 +18,10 @@
 // ANTHROPIC_API_KEY from env (or --api-key, discouraged).
 
 import os from 'node:os';
-import { readdir, stat } from 'node:fs/promises';
-import { createReadStream } from 'node:fs';
-import { createInterface } from 'node:readline';
 import { join, resolve } from 'node:path';
 import { listAgents } from '../src/sources/anthropic-managed.js';
 import { classifyAgentType } from '../src/typology.js';
+import { aggregate, buildFeatures, NON_DERIVABLE } from '../src/typology-features.js';
 import { isValidAgentId, assertSafePathSegment } from '../src/validate.js';
 
 function parseArgs(argv) {
@@ -40,131 +38,9 @@ function parseArgs(argv) {
 function die(msg, code = 1) { process.stderr.write(`error: ${msg}\n`); process.exit(code); }
 function info(msg) { process.stdout.write(`[wma-agents] ${msg}\n`); }
 
-// Action types that represent a TOOL invocation (the denominator for f_* tool
-// fractions). Confirmed produced by src/sources/anthropic-managed.js.
-const TOOL_ACTIONS = new Set(['tool_use', 'mcp_tool_use', 'custom_tool_use']);
-
-// ──────────────────────────────────────────────────────────────────────────
-// Tool-name → category mapping (Modèle C: name-based, no content). Managed
-// Agents expose tools as an opaque bundle, so tool_name is free-text. We match
-// the confirmed built-ins (web_search, web_fetch, bash) plus best-effort
-// regexes for common tool names. A tool that matches nothing contributes to the
-// denominator but to no category (honest: unknown ≠ inferred).
-// ──────────────────────────────────────────────────────────────────────────
-const CATEGORY_RULES = [
-  // category,    matcher (lower-cased tool_name)
-  ['search',   (n) => /(^|_)web_search$|(^|_)search($|_)|google|brave/.test(n)],
-  ['browser',  (n) => /web_fetch|browser|playwright|puppeteer|navigate|screenshot/.test(n)],
-  ['http',     (n) => /(^|_)http|fetch_url|curl|request|webhook|api_call/.test(n)],
-  ['code',     (n) => /bash|shell|terminal|code_exec|exec_|python|node_run|run_code|interpreter/.test(n)],
-  ['database', (n) => /sql|query_db|database|postgres|mysql|mongo|redis|bigquery|snowflake/.test(n)],
-  ['email',    (n) => /email|gmail|smtp|sendmail|mailgun|outlook/.test(n)],
-  ['payment',  (n) => /payment|charge|transfer|invoice|stripe|paypal|payout|refund|checkout/.test(n)],
-  ['secret',   (n) => /secret|vault|credential|kms|keychain|token_get/.test(n)],
-  ['memory',   (n) => /memory|retriev|vector|(^|_)rag($|_)|knowledge|embed|pinecone|chroma/.test(n)],
-  ['file',     (n) => /editor|str_replace|read_file|write_file|create_file|file_io|(^|_)file($|_)|fs_/.test(n)],
-];
-
-// Best-effort deploy detection (spec discriminator devops_infra vs coding).
-const DEPLOY_RE = /deploy|terraform|kubectl|helm|(^|_)release($|_)|ansible|pulumi|cloudformation/;
-
-function categoryOf(toolName) {
-  const n = String(toolName || '').toLowerCase();
-  for (const [cat, m] of CATEGORY_RULES) if (m(n)) return cat;
-  return null;
-}
-
-// Aggregate raw counts from an agent's local NDJSON logs (Modèle C: counts only).
-async function aggregate(logDir, agentId) {
-  const actionCounts = {};       // action_type → count
-  const categoryCounts = {};     // tool category → count
-  let toolEvents = 0;            // denominator for f_* fractions
-  let deployUses = 0;
-  const dir = join(logDir, agentId);
-  const s = await stat(dir).catch(() => null);
-  if (!s || !s.isDirectory()) return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: false };
-  let names;
-  try { names = await readdir(dir); } catch { return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: false }; }
-  const files = names.filter((n) => n.endsWith('.ndjson') && !n.startsWith('raw-'));
-  if (files.length === 0) return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: false };
-
-  for (const f of files) {
-    await new Promise((res) => {
-      const rl = createInterface({ input: createReadStream(join(dir, f), { encoding: 'utf8' }), crlfDelay: Infinity });
-      rl.on('line', (line) => {
-        if (!line.trim()) return;
-        let e; try { e = JSON.parse(line); } catch { return; }
-        if (e.action_type) actionCounts[e.action_type] = (actionCounts[e.action_type] || 0) + 1;
-        if (TOOL_ACTIONS.has(e.action_type)) {
-          toolEvents += 1;
-          const cat = categoryOf(e.tool_name);
-          if (cat) categoryCounts[cat] = (categoryCounts[cat] || 0) + 1;
-          if (DEPLOY_RE.test(String(e.tool_name || '').toLowerCase())) deployUses += 1;
-        }
-      });
-      rl.on('close', res); rl.on('error', res);
-    });
-  }
-  return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: true };
-}
-
-// Features that the WMA NDJSON logs CANNOT reliably expose today (opaque tool
-// names / no behavioural signal / content off-limits under Modèle C). They
-// default to 0/false; the caller prints a one-line note.
-const NON_DERIVABLE = [
-  'f_database', 'f_email', 'f_payment', 'f_secret', 'f_memory',
-  'flag_internal_sys', 'flag_on_behalf', 'aux_untrusted', 'aux_sensitive',
-];
-
-// Build the canonical anonymized FEATURE VECTOR from the aggregated counts.
-// Fractions = category_count / toolEvents. n_events = total observed events.
-function buildFeatures(agg) {
-  const { actionCounts, categoryCounts, toolEvents, deployUses } = agg;
-  const nEvents = Object.values(actionCounts).reduce((a, b) => a + b, 0);
-  const frac = (c) => (toolEvents > 0 ? (categoryCounts[c] || 0) / toolEvents : 0);
-  const eventFrac = (...types) => (nEvents > 0
-    ? types.reduce((a, t) => a + (actionCounts[t] || 0), 0) / nEvents
-    : 0);
-
-  // f_handoff / f_user_msg are derived from event TYPE (not tool category):
-  // confirmed action_types thread_message_* and user_message.
-  const handoff = eventFrac('thread_message_sent', 'thread_message_received', 'thread_created');
-  const userMsg = eventFrac('user_message');
-
-  // aux_autonomy ≈ 1 − (human-in-the-loop event share). Confirmed action_types
-  // user_message / user_interrupt / tool_confirmation mark human involvement; an
-  // agent that proceeds without them is more autonomous. Heuristic — documented.
-  const hitlShare = eventFrac('user_message', 'user_interrupt', 'tool_confirmation');
-  const auxAutonomy = nEvents > 0 ? Math.max(0, 1 - hitlShare) : 0;
-
-  return {
-    // tool-category fractions (over tool uses)
-    f_code: frac('code'),
-    f_browser: frac('browser'),
-    f_database: frac('database'),     // non-derivable in practice → ~0
-    f_http: frac('http'),
-    f_email: frac('email'),           // non-derivable in practice → ~0
-    f_payment: frac('payment'),       // non-derivable in practice → ~0
-    f_secret: frac('secret'),         // non-derivable in practice → ~0
-    f_search: frac('search'),
-    f_memory: frac('memory'),         // non-derivable in practice → ~0
-    f_file: frac('file'),
-    // event-type fractions (over all events)
-    f_handoff: handoff,
-    f_user_msg: userMsg,
-    // discriminator flags (best-effort; only flag_deploy has any behavioural
-    // signal — and only if the agent literally names a deploy tool).
-    flag_deploy: deployUses > 0 ? 1 : 0,
-    flag_internal_sys: 0,             // no behavioural signal in logs
-    flag_on_behalf: 0,                // no behavioural signal in logs
-    // aux ratios
-    aux_autonomy: auxAutonomy,        // heuristic (HITL-frequency)
-    aux_untrusted: 0,                 // no honest source in logs
-    aux_sensitive: 0,                 // no honest source in logs
-    // window size
-    n_events: nEvents,
-  };
-}
+// Feature aggregation lives in src/typology-features.js (shared with the Watch
+// daemon so both CLI snapshot and continuous upload use the same Modèle C
+// extraction). The rest of this file is just CLI presentation.
 
 async function main() {
   const args = parseArgs(process.argv.slice(2));

package/scripts/fetch-anthropic.js

@@ -30,6 +30,8 @@ import { TokenTracker } from '../src/tokens.js';
 import { SignalsAggregator } from '../src/anonymizer.js';
 import { resolveFortressBase, fortressEndpoint } from '../src/fortress/url.js';
 import { isValidAgentId, isValidSessionId, assertSafePathSegment } from '../src/validate.js';
+import { classifyAgentType } from '../src/typology.js';
+import { aggregate, buildFeatures } from '../src/typology-features.js';
 import {
   getAgent, listAgents, listSessions, fetchSessionEntries, fetchRawEvents,
 } from '../src/sources/anthropic-managed.js';
@@ -105,7 +107,10 @@ function postJson(url, headers, body) {
 }
 
 // Anonymize a batch of just-written entries and ship them as one signals row.
-async function uploadSignals(uploadCtx, agentId, displayName, entries) {
+// `classification` (optional) carries the agent's typology — Fortress upserts
+// agent_type/confidence/stage on the agent row so the typology badge + the
+// apply-template flow fill themselves with no manual click.
+async function uploadSignals(uploadCtx, agentId, displayName, entries, classification) {
   const agg = new SignalsAggregator({ salt: uploadCtx.salt });
   for (const e of entries) agg.add(e);
   const sig = agg.finalize();
@@ -116,6 +121,7 @@ async function uploadSignals(uploadCtx, agentId, displayName, entries) {
     window_start: sig.window_start,
     window_end: sig.window_end,
     payload: sig.payload,
+    ...(classification ? { classification } : {}),
   });
   const { status, body: resp } = await postJson(
     uploadCtx.url, { authorization: `Bearer ${uploadCtx.apiKey}` }, body,
@@ -202,76 +208,112 @@ async function fetchOneShot({ apiKey, agentId, model, logDir, since, sessionId,
 }
 
 // ── CONTINUOUS / DAEMON (single agent or whole fleet) ───────────────────────
-// `agents` = [{ agentId, model, displayName }]. One process watches them all.
-async function runWatch({ apiKey, agents, logDir, intervalMs, uploadCtx }) {
+// resolveAgents() returns the current fleet [{agentId, model, displayName}] each
+// cycle — in fleet mode it RE-DISCOVERS so agents created after startup get picked
+// up. `windowMs` bounds discovery of NEW sessions, but sessions we're ALREADY
+// tracking are re-fetched regardless of age, so a long-running (>window) session
+// never drops out of capture. `sendNames`: include the human agent name in the
+// Fortress display_name (opt-in); default sends the agent id only (Modèle C).
+async function runWatch({ apiKey, resolveAgents, fleet, logDir, intervalMs, windowMs, uploadCtx, sendNames }) {
+  let agents = await resolveAgents();
   const seenIds = new Set();     // stable Anthropic event ids already captured
   for (const ag of agents) {
     for (const id of await preloadSeenIds(logDir, ag.agentId)) seenIds.add(id);
   }
   const loggers = new Map();     // sessionId → Logger (session ids are globally unique)
-  const ended = new Set();       // sessions we've already closed with session_end
+  const ended = new Set();       // terminated sessions (skip)
+  const sessionAgent = new Map();// sessionId → { agentId, model, displayName }
+  const priors = new Map();      // agentId → previous classification (threads the
+                                  // typology state machine across upload cycles)
 
   const ac = new AbortController();
   const shutdown = () => { info('shutting down…'); ac.abort(); };
   process.on('SIGINT', shutdown);
   process.on('SIGTERM', shutdown);
 
-  const fleet = agents.length > 1;
-  info(`watch mode — ${agents.length} agent(s), interval ${Math.round(intervalMs / 1000)}s, upload ${uploadCtx ? 'ON' : 'OFF'}, ${seenIds.size} known events preloaded`);
+  info(`watch mode — ${agents.length} agent(s)${fleet ? ' (fleet, re-discovered each cycle)' : ''}, interval ${Math.round(intervalMs / 1000)}s, discovery window ${Math.round(windowMs / 3600000)}h, upload ${uploadCtx ? 'ON' : 'OFF'}, ${seenIds.size} known events preloaded`);
 
   while (!ac.signal.aborted) {
-    const since = new Date(Date.now() - 24 * 3600 * 1000);
-    let cycleNew = 0;
+    if (fleet) { const next = await resolveAgents(); if (next.length) agents = next; }
+    const since = new Date(Date.now() - windowMs);
 
+    // (1) Discover sessions in the window; register the owning agent for each.
     for (const ag of agents) {
       if (ac.signal.aborted) break;
       const tag = fleet ? `[${ag.displayName}] ` : '';
       let sessions = [];
       try { sessions = await listSessions(apiKey, { agentId: ag.agentId, since }); }
       catch (e) { warn(`${tag}listSessions failed: ${e.message}`); continue; }
-
       for (const s of sessions) {
-        if (!s.id || ended.has(s.id)) continue;
-        let logger = loggers.get(s.id);
-        if (!logger) { logger = new Logger({ logDir, agentId: ag.agentId, sessionId: s.id, silent: true }); loggers.set(s.id, logger); }
+        if (s.id && !ended.has(s.id) && !sessionAgent.has(s.id)) {
+          sessionAgent.set(s.id, { agentId: ag.agentId, model: ag.model, displayName: ag.displayName });
+        }
+      }
+    }
 
-        const fresh = [];
-        let sawTerminated = false;
-        try {
-          for await (const entry of fetchSessionEntries({ apiKey, agentId: ag.agentId, sessionId: s.id, model: ag.model })) {
-            if (entry.id && seenIds.has(entry.id)) continue;
-            if (entry.id) seenIds.add(entry.id);
-            const written = await logger.write(entry);
-            fresh.push(written);
-            if (entry.action_type === 'state_transition'
-                && entry.output?.scope === 'session'
-                && entry.output?.state === 'terminated') sawTerminated = true;
-          }
-        } catch (e) { warn(`${tag}session ${s.id.slice(0, 16)}…: fetch failed: ${e.message}`); continue; }
+    // (2) Capture every tracked, not-yet-ended session — REGARDLESS of age. This
+    // is what stops a long-running session created before the window from silently
+    // dropping out of monitoring (and, paired with Shield, out of enforcement).
+    let cycleNew = 0;
+    for (const [sid, ag] of sessionAgent) {
+      if (ac.signal.aborted) break;
+      if (ended.has(sid)) continue;
+      const tag = fleet ? `[${ag.displayName}] ` : '';
+      let logger = loggers.get(sid);
+      if (!logger) { logger = new Logger({ logDir, agentId: ag.agentId, sessionId: sid, silent: true }); loggers.set(sid, logger); }
 
-        if (fresh.length === 0) continue;
-        cycleNew += fresh.length;
-        info(`${tag}session ${s.id.slice(0, 16)}…: +${fresh.length} new event(s)`);
+      const fresh = [];
+      let sawTerminated = false;
+      try {
+        for await (const entry of fetchSessionEntries({ apiKey, agentId: ag.agentId, sessionId: sid, model: ag.model })) {
+          if (entry.id && seenIds.has(entry.id)) continue;
+          if (entry.id) seenIds.add(entry.id);
+          const written = await logger.write(entry);
+          fresh.push(written);
+          if (entry.action_type === 'state_transition'
+              && entry.output?.scope === 'session'
+              && entry.output?.state === 'terminated') sawTerminated = true;
+        }
+      } catch (e) { warn(`${tag}session ${sid.slice(0, 16)}…: fetch failed: ${e.message}`); continue; }
 
-        if (uploadCtx) {
+      if (fresh.length === 0) continue;
+      cycleNew += fresh.length;
+      info(`${tag}session ${sid.slice(0, 16)}…: +${fresh.length} new event(s)`);
+
+      if (uploadCtx) {
+        try {
+          // Compute the agent's typology from its CUMULATIVE local logs and
+          // thread the prior across cycles so the state machine refines toward
+          // stable (Modèle C: features = counts/categories only, no raw content).
+          let classification;
           try {
-            const resp = await uploadSignals(uploadCtx, ag.agentId, ag.displayName, fresh);
-            if (resp?.signal_id) info(`  ↑ signals uploaded (signal_id ${resp.signal_id})`);
-          } catch (e) { warn(`  signals upload failed: ${e.message}`); }
-        }
+            const features = buildFeatures(await aggregate(logDir, ag.agentId));
+            features.agent_id = ag.agentId;
+            const cls = classifyAgentType(features, priors.get(ag.agentId) || null);
+            priors.set(ag.agentId, cls);
+            classification = { agent_type: cls.classified_type, confidence: cls.confidence, stage: cls.stage };
+          } catch (e) { warn(`  classification skipped: ${e.message}`); }
 
-        if (sawTerminated) {
-          const tracker = new TokenTracker();
-          for (const e of fresh) tracker.record(e);
-          const stats = tracker.stats().total;
-          await logger.write({
-            action_type: 'session_end', framework: 'anthropic-managed', status: 'ok', model: ag.model,
-            session_tokens: { input: stats.input, output: stats.output, cache_read: stats.cache_read, cache_creation: stats.cache_creation, total: stats.sum },
-            session_cost_usd: stats.cost_usd || null,
-          });
-          ended.add(s.id);
-          info(`${tag}session ${s.id.slice(0, 16)}… terminated — closed`);
-        }
+          const resp = await uploadSignals(uploadCtx, ag.agentId, sendNames ? ag.displayName : ag.agentId, fresh, classification);
+          if (resp?.signal_id) {
+            const cTag = classification ? ` · type ${classification.agent_type} (${Math.round(classification.confidence * 100)}%, ${classification.stage})` : '';
+            info(`  ↑ signals uploaded (signal_id ${resp.signal_id})${cTag}`);
+          }
+        } catch (e) { warn(`  signals upload failed: ${e.message}`); }
+      }
+
+      if (sawTerminated) {
+        const tracker = new TokenTracker();
+        for (const e of fresh) tracker.record(e);
+        const stats = tracker.stats().total;
+        await logger.write({
+          action_type: 'session_end', framework: 'anthropic-managed', status: 'ok', model: ag.model,
+          session_tokens: { input: stats.input, output: stats.output, cache_read: stats.cache_read, cache_creation: stats.cache_creation, total: stats.sum },
+          session_cost_usd: stats.cost_usd || null,
+        });
+        ended.add(sid);
+        sessionAgent.delete(sid);   // bound memory: terminated sessions aren't re-fetched
+        info(`${tag}session ${sid.slice(0, 16)}… terminated — closed`);
       }
     }
 
@@ -318,30 +360,49 @@ async function main() {
     uploadCtx = { apiKey: wmaKey, salt, url: fortressEndpoint(base, 'ingest-signals') };
   }
 
-  // Resolve the agent list: the whole fleet (--all-agents) or a single agent.
-  let agents;
-  if (allAgents) {
-    info('discovering agents (fleet mode)…');
-    const all = await listAgents(apiKey).catch((e) => die(`failed to list agents: ${e.message}`));
-    agents = all
-      .filter((a) => a.id && isValidAgentId(a.id))
-      .map((a) => ({ agentId: a.id, model: resolveModel(a), displayName: cleanLabel(a.name || a.id) }));
-    if (agents.length === 0) die('error: no agents found under this API key');
-    info(`fleet: ${agents.length} agent(s) — ${agents.map((a) => a.displayName).join(', ')}`);
-  } else {
-    info(`resolving agent ${agentId}…`);
-    const agent = await getAgent(apiKey, agentId).catch((e) => die(`failed to GET agent: ${e.message}`));
-    agents = [{ agentId, model: resolveModel(agent), displayName: cleanLabel(agent.name || agentId) }];
-    info(`model: ${agents[0].model || '(unknown)'}`);
-  }
-
   if (watch) {
     const intervalMs = parseDurationMs(args.interval, 5 * 60_000);
-    await runWatch({ apiKey, agents, logDir, intervalMs, uploadCtx });
+    // Discovery window for NEW sessions (default 7d, configurable). Sessions we
+    // already track are re-fetched regardless of age, so long-lived ones don't drop.
+    const windowMs = parseDurationMs(args['discovery-since'], 7 * 24 * 3600_000);
+    const sendNames = !!args['send-agent-names'];
+
+    let resolveAgents;
+    if (allAgents) {
+      // Re-discover the fleet each cycle: agents created after startup get picked
+      // up, gone ones drop off. Keep the last good list if a discovery call fails.
+      let lastFleet = [];
+      resolveAgents = async () => {
+        const all = await listAgents(apiKey).catch((e) => { warn(`fleet re-discovery failed (keeping last): ${e.message}`); return null; });
+        if (!all) return lastFleet;
+        const next = all
+          .filter((a) => a.id && isValidAgentId(a.id))
+          .map((a) => ({ agentId: a.id, model: resolveModel(a), displayName: cleanLabel(a.name || a.id) }));
+        const prev = new Set(lastFleet.map((a) => a.agentId));
+        const cur = new Set(next.map((a) => a.agentId));
+        for (const a of next) if (!prev.has(a.agentId)) info(`fleet: + ${a.displayName}`);
+        for (const a of lastFleet) if (!cur.has(a.agentId)) info(`fleet: − ${a.displayName} (gone)`);
+        lastFleet = next;
+        return next;
+      };
+      info('discovering agents (fleet mode)…');
+      const first = await resolveAgents();
+      if (first.length === 0) die('error: no agents found under this API key');
+      info(`fleet: ${first.length} agent(s) — ${first.map((a) => a.displayName).join(', ')}`);
+    } else {
+      info(`resolving agent ${agentId}…`);
+      const agent = await getAgent(apiKey, agentId).catch((e) => die(`failed to GET agent: ${e.message}`));
+      const single = [{ agentId, model: resolveModel(agent), displayName: cleanLabel(agent.name || agentId) }];
+      info(`model: ${single[0].model || '(unknown)'}`);
+      resolveAgents = async () => single;
+    }
+
+    await runWatch({ apiKey, resolveAgents, fleet: allAgents, logDir, intervalMs, windowMs, uploadCtx, sendNames });
   } else {
+    info(`resolving agent ${agentId}…`);
+    const agent = await getAgent(apiKey, agentId).catch((e) => die(`failed to GET agent: ${e.message}`));
     const since = args.since ? parseSince(args.since) : null;
-    const a = agents[0];
-    await fetchOneShot({ apiKey, agentId: a.agentId, model: a.model, logDir, since, sessionId: args['session-id'], dumpRaw: !!args['dump-raw'] });
+    await fetchOneShot({ apiKey, agentId, model: resolveModel(agent), logDir, since, sessionId: args['session-id'], dumpRaw: !!args['dump-raw'] });
   }
 }
 

package/scripts/shield.js

@@ -57,6 +57,14 @@ function info(msg) { process.stdout.write(`[shield] ${msg}\n`); }
 function warn(msg) { process.stderr.write(`[shield] ⚠️  ${msg}\n`); }
 function sinfo(sid, msg) { process.stdout.write(`[shield/${sid.slice(0, 12)}] ${msg}\n`); }
 function swarn(sid, msg) { process.stderr.write(`[shield/${sid.slice(0, 12)}] ⚠️  ${msg}\n`); }
+const sleep = (ms, signal) => new Promise((res) => {
+  const t = setTimeout(res, ms);
+  if (signal) signal.addEventListener('abort', () => { clearTimeout(t); res(); }, { once: true });
+});
+function parseWindowMs(v, fallback) {
+  const m = v && String(v).match(/^(\d+)\s*([smhd])$/);
+  return m ? parseInt(m[1], 10) * { s: 1000, m: 60_000, h: 3_600_000, d: 86_400_000 }[m[2]] : fallback;
+}
 
 const CACHEABLE_TOOL_TYPES = new Set([
   'agent.tool_use', 'agent.mcp_tool_use', 'agent.custom_tool_use',
@@ -319,6 +327,10 @@ async function runSessionWorker({ sessionId, ctx }) {
 // ────────────────────────────────────────────────────────────────────────
 async function runAgentWide(ctx) {
   const { apiKey, agentId, signal } = ctx;
+  // Discovery window for sessions we haven't attached yet (default 7d). Already-
+  // attached workers stream until the session terminates regardless of age, so a
+  // long-running session never loses enforcement once attached.
+  const discoveryWindowMs = ctx.discoveryWindowMs || 7 * 24 * 3600_000;
   const workers = new Map();      // sessionId → AbortController (active workers)
   const cooldown = new Map();     // sessionId → unix-ms timestamp when re-attach is allowed
 
@@ -332,9 +344,7 @@ async function runAgentWide(ctx) {
   async function discoverAndAttach() {
     let sessions;
     try {
-      // Look at sessions from the last 24h (anything older that's still idle
-      // is probably stale; the user can extend the window if needed).
-      const since = new Date(Date.now() - 24 * 3600_000);
+      const since = new Date(Date.now() - discoveryWindowMs);
       sessions = await listSessions(apiKey, { agentId, since });
     } catch (e) {
       warn(`listSessions failed: ${e.message}`);
@@ -424,6 +434,7 @@ async function main() {
   });
   const logDir = resolve(args['log-dir'] || './watchmyagents-logs');
   const allAgents = !!args['all-agents'];
+  const discoveryWindowMs = parseWindowMs(args['discovery-since'], 7 * 24 * 3600_000);
 
   if (!apiKey) die('error: --api-key or ANTHROPIC_API_KEY required');
   if (!allAgents && !agentId) die('error: --agent-id required (or --all-agents for fleet mode)');
@@ -530,22 +541,47 @@ async function main() {
     return {
       apiKey, agentId: aid,
       get ruleset() { return fortressPolicies ? fortressPolicies.current() : ruleset; },
-      mode, decisions, pushDecisionToFortress, signalsSalt, signal: ac.signal,
+      mode, decisions, pushDecisionToFortress, signalsSalt, signal: ac.signal, discoveryWindowMs,
     };
   }
 
-  // Phase 1: arm every agent. Fail LOUD if none armed (otherwise the process would
-  // exit silently and — under launchd/systemd — restart-loop without a clear cause).
-  const ctxs = (await Promise.all(agentIds.map(setupAgent))).filter(Boolean);
-  if (ctxs.length === 0) {
-    die(`error: no agents could be armed (${agentIds.length} discovered; all policy fetches failed). Check WMA_API_KEY / WMA_FORTRESS_BASE_URL.`);
+  if (!fleet) {
+    // Single agent: arm + run (blocks until SIGINT/SIGTERM). die() on failure
+    // already fires inside setupAgent for the non-fleet path.
+    const ctx = await setupAgent(agentIds[0]);
+    await (singleSessionId ? runSessionWorker({ sessionId: singleSessionId, ctx }) : runAgentWide(ctx));
+    return;
   }
-  if (fleet) info(`armed ${ctxs.length}/${agentIds.length} agent(s); watching.`);
 
-  // Phase 2: run each agent's loop (blocks until SIGINT/SIGTERM).
-  await Promise.all(ctxs.map((ctx) => (
-    singleSessionId ? runSessionWorker({ sessionId: singleSessionId, ctx }) : runAgentWide(ctx)
-  )));
+  // Fleet: arm all discovered agents, then RECONCILE periodically so an agent
+  // created after startup gets armed + protected without a restart. A per-agent
+  // arm failure is skipped and retried on the next reconcile.
+  const armed = new Set();
+  const running = [];
+  const armNew = async (ids) => {
+    for (const aid of ids) {
+      if (armed.has(aid)) continue;
+      const ctx = await setupAgent(aid);
+      if (!ctx) continue;                 // skipped (policy fetch failed) → retry next reconcile
+      armed.add(aid);
+      running.push(runAgentWide(ctx));    // fire; blocks on the shared signal until shutdown
+      info(`fleet: armed ${aid.slice(0, 16)}…`);
+    }
+  };
+  await armNew(agentIds);
+  if (armed.size === 0) {
+    die(`error: no agents could be armed (${agentIds.length} discovered; all policy fetches failed). Check WMA_API_KEY / WMA_FORTRESS_BASE_URL.`);
+  }
+  info(`fleet: ${armed.size}/${agentIds.length} agent(s) armed; reconciling every 60s for new agents.`);
+  while (!ac.signal.aborted) {
+    await sleep(60_000, ac.signal);
+    if (ac.signal.aborted) break;
+    let all;
+    try { all = await listAgents(apiKey); }
+    catch (e) { warn(`fleet reconcile failed (keeping current): ${e.message}`); continue; }
+    await armNew(all.map((a) => a.id).filter((id) => id && isValidAgentId(id)));
+  }
+  await Promise.all(running);
 }
 
 main().catch(e => {

package/src/typology-features.js

@@ -0,0 +1,136 @@
+// Shared local-log feature extraction for the typology classifier (Modèle C).
+// Both wma-agents (CLI snapshot) and the Watch daemon (continuous upload) use
+// this to derive the anonymized behavioural FEATURE VECTOR from local NDJSON
+// logs, then feed it to classifyAgentType() in ./typology.js.
+//
+// Modèle C invariant: only `action_type` and `tool_name` are read from each log
+// line — the raw payload fields (input/output/content/error/thinking) are NEVER
+// touched here, so no raw content can ever enter a feature.
+
+import { readdir, stat } from 'node:fs/promises';
+import { createReadStream } from 'node:fs';
+import { createInterface } from 'node:readline';
+import { join } from 'node:path';
+
+// Action types that represent a TOOL invocation (denominator for f_* fractions).
+const TOOL_ACTIONS = new Set(['tool_use', 'mcp_tool_use', 'custom_tool_use']);
+
+// Tool-name → category mapping. Anthropic Managed Agents expose tools as an
+// opaque bundle, so tool_name is free-text. We match the confirmed built-ins
+// (web_search, web_fetch, bash) plus best-effort regexes for common tool names.
+// A tool that matches nothing contributes to the denominator but to no category
+// (honest: unknown ≠ inferred).
+const CATEGORY_RULES = [
+  ['search',   (n) => /(^|_)web_search$|(^|_)search($|_)|google|brave/.test(n)],
+  ['browser',  (n) => /web_fetch|browser|playwright|puppeteer|navigate|screenshot/.test(n)],
+  ['http',     (n) => /(^|_)http|fetch_url|curl|request|webhook|api_call/.test(n)],
+  ['code',     (n) => /bash|shell|terminal|code_exec|exec_|python|node_run|run_code|interpreter/.test(n)],
+  ['database', (n) => /sql|query_db|database|postgres|mysql|mongo|redis|bigquery|snowflake/.test(n)],
+  ['email',    (n) => /email|gmail|smtp|sendmail|mailgun|outlook/.test(n)],
+  ['payment',  (n) => /payment|charge|transfer|invoice|stripe|paypal|payout|refund|checkout/.test(n)],
+  ['secret',   (n) => /secret|vault|credential|kms|keychain|token_get/.test(n)],
+  ['memory',   (n) => /memory|retriev|vector|(^|_)rag($|_)|knowledge|embed|pinecone|chroma/.test(n)],
+  ['file',     (n) => /editor|str_replace|read_file|write_file|create_file|file_io|(^|_)file($|_)|fs_/.test(n)],
+];
+
+// Best-effort deploy detection (spec discriminator devops_infra vs coding).
+const DEPLOY_RE = /deploy|terraform|kubectl|helm|(^|_)release($|_)|ansible|pulumi|cloudformation/;
+
+// Features that the WMA NDJSON logs CANNOT reliably expose today (opaque tool
+// names, no behavioural signal, or raw content off-limits under Modèle C).
+// They default to 0/false; callers can surface this to the user.
+export const NON_DERIVABLE = [
+  'f_database', 'f_email', 'f_payment', 'f_secret', 'f_memory',
+  'flag_internal_sys', 'flag_on_behalf', 'aux_untrusted', 'aux_sensitive',
+];
+
+function categoryOf(toolName) {
+  const n = String(toolName || '').toLowerCase();
+  for (const [cat, m] of CATEGORY_RULES) if (m(n)) return cat;
+  return null;
+}
+
+// Aggregate raw counts from an agent's local NDJSON logs. Returns `hasLogs:false`
+// when there's nothing to read (cold start).
+export async function aggregate(logDir, agentId) {
+  const actionCounts = {};
+  const categoryCounts = {};
+  let toolEvents = 0;
+  let deployUses = 0;
+  const dir = join(logDir, agentId);
+  const s = await stat(dir).catch(() => null);
+  if (!s || !s.isDirectory()) return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: false };
+  let names;
+  try { names = await readdir(dir); } catch { return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: false }; }
+  const files = names.filter((n) => n.endsWith('.ndjson') && !n.startsWith('raw-'));
+  if (files.length === 0) return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: false };
+
+  for (const f of files) {
+    await new Promise((res) => {
+      const rl = createInterface({ input: createReadStream(join(dir, f), { encoding: 'utf8' }), crlfDelay: Infinity });
+      rl.on('line', (line) => {
+        if (!line.trim()) return;
+        let e; try { e = JSON.parse(line); } catch { return; }
+        if (e.action_type) actionCounts[e.action_type] = (actionCounts[e.action_type] || 0) + 1;
+        if (TOOL_ACTIONS.has(e.action_type)) {
+          toolEvents += 1;
+          const cat = categoryOf(e.tool_name);
+          if (cat) categoryCounts[cat] = (categoryCounts[cat] || 0) + 1;
+          if (DEPLOY_RE.test(String(e.tool_name || '').toLowerCase())) deployUses += 1;
+        }
+      });
+      rl.on('close', res); rl.on('error', res);
+    });
+  }
+  return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: true };
+}
+
+// Build the canonical anonymized FEATURE VECTOR from the aggregated counts.
+// fractions f_* = category_count / toolEvents ; event fractions = type_count /
+// nEvents ; flags 0/1 ; aux ratios in [0,1] ; n_events = total observed events.
+export function buildFeatures(agg) {
+  const { actionCounts, categoryCounts, toolEvents, deployUses } = agg;
+  const nEvents = Object.values(actionCounts).reduce((a, b) => a + b, 0);
+  const frac = (c) => (toolEvents > 0 ? (categoryCounts[c] || 0) / toolEvents : 0);
+  const eventFrac = (...types) => (nEvents > 0
+    ? types.reduce((a, t) => a + (actionCounts[t] || 0), 0) / nEvents
+    : 0);
+
+  // f_handoff / f_user_msg are derived from event TYPE (not tool category):
+  // confirmed action_types thread_message_* and user_message.
+  const handoff = eventFrac('thread_message_sent', 'thread_message_received', 'thread_created');
+  const userMsg = eventFrac('user_message');
+
+  // aux_autonomy ≈ 1 − (human-in-the-loop event share). user_message /
+  // user_interrupt / tool_confirmation mark human involvement.
+  const hitlShare = eventFrac('user_message', 'user_interrupt', 'tool_confirmation');
+  const auxAutonomy = nEvents > 0 ? Math.max(0, 1 - hitlShare) : 0;
+
+  return {
+    // tool-category fractions (over tool uses)
+    f_code: frac('code'),
+    f_browser: frac('browser'),
+    f_database: frac('database'),     // non-derivable in practice → ~0
+    f_http: frac('http'),
+    f_email: frac('email'),           // non-derivable in practice → ~0
+    f_payment: frac('payment'),       // non-derivable in practice → ~0
+    f_secret: frac('secret'),         // non-derivable in practice → ~0
+    f_search: frac('search'),
+    f_memory: frac('memory'),         // non-derivable in practice → ~0
+    f_file: frac('file'),
+    // event-type fractions (over all events)
+    f_handoff: handoff,
+    f_user_msg: userMsg,
+    // discriminator flags (best-effort; only flag_deploy has any behavioural
+    // signal — and only if the agent literally names a deploy tool).
+    flag_deploy: deployUses > 0 ? 1 : 0,
+    flag_internal_sys: 0,             // no behavioural signal in logs
+    flag_on_behalf: 0,                // no behavioural signal in logs
+    // aux ratios
+    aux_autonomy: auxAutonomy,        // heuristic (HITL-frequency)
+    aux_untrusted: 0,                 // no honest source in logs
+    aux_sensitive: 0,                 // no honest source in logs
+    // window size
+    n_events: nEvents,
+  };
+}