watchmyagents 0.9.1 → 0.9.3

package/README.md

@@ -155,7 +155,7 @@ wma-upload-fortress --agent-id agent_01ABC... [--display-name "My agent"]
 wma-upload-fortress --agent-id agent_xxx --dry-run
 ```
 
-**What is sent:** the anonymized signals payload (counts, latencies, salted IoC hashes, sequences — same as `wma-anonymize` output) **plus two routing identifiers**: your `anthropic_agent_id` and a `display_name`. The agent id is required so Fortress can associate signals with the right agent; `display_name` defaults to the agent id and only carries the human-readable agent name if you opt in (`wma-fetch --watch --upload --send-agent-names`).
+**What is sent:** the anonymized signals payload (counts, latencies, salted IoC hashes, sequences — same as `wma-anonymize` output), the agent's **`classification`** when the daemon has it (`{agent_type, confidence, stage}` — anonymized metadata, never raw content), **plus two routing identifiers**: your `anthropic_agent_id` and a `display_name`. The agent id is required so Fortress can associate signals with the right agent; `display_name` defaults to the **human-readable agent name** (sanitized to strip control chars) for UX in the dashboard — pass `--no-send-agent-names` to keep it pseudonymized (sends the agent id instead) if your agent names themselves carry sensitive client/project info.
 **What is NOT sent:** raw prompts, raw URLs/commands/queries, raw agent responses, raw error messages. All payload content stays on your machine.
 
 The endpoint auto-registers the agent on the first upload if it doesn't exist in Fortress yet — no manual onboarding needed for new agents.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "watchmyagents",
-  "version": "0.9.1",
+  "version": "0.9.3",
   "description": "Security observability + real-time policy enforcement for AI agents. Local-first NDJSON capture with a continuous Watch daemon that auto-uploads anonymized signals, Shield CLI that blocks policy violations live (with policies pulled from Fortress cloud), anonymizer producing signals-only payloads, bidirectional sync with WatchMyAgents Fortress, and one-command install as an always-on launchd/systemd service — closing the recursive Watch→Guardian→Shield security loop.",
   "type": "module",
   "files": [

package/scripts/agents.js

@@ -18,12 +18,10 @@
 // ANTHROPIC_API_KEY from env (or --api-key, discouraged).
 
 import os from 'node:os';
-import { readdir, stat } from 'node:fs/promises';
-import { createReadStream } from 'node:fs';
-import { createInterface } from 'node:readline';
 import { join, resolve } from 'node:path';
 import { listAgents } from '../src/sources/anthropic-managed.js';
 import { classifyAgentType } from '../src/typology.js';
+import { aggregate, buildFeatures, NON_DERIVABLE } from '../src/typology-features.js';
 import { isValidAgentId, assertSafePathSegment } from '../src/validate.js';
 
 function parseArgs(argv) {
@@ -40,131 +38,9 @@ function parseArgs(argv) {
 function die(msg, code = 1) { process.stderr.write(`error: ${msg}\n`); process.exit(code); }
 function info(msg) { process.stdout.write(`[wma-agents] ${msg}\n`); }
 
-// Action types that represent a TOOL invocation (the denominator for f_* tool
-// fractions). Confirmed produced by src/sources/anthropic-managed.js.
-const TOOL_ACTIONS = new Set(['tool_use', 'mcp_tool_use', 'custom_tool_use']);
-
-// ──────────────────────────────────────────────────────────────────────────
-// Tool-name → category mapping (Modèle C: name-based, no content). Managed
-// Agents expose tools as an opaque bundle, so tool_name is free-text. We match
-// the confirmed built-ins (web_search, web_fetch, bash) plus best-effort
-// regexes for common tool names. A tool that matches nothing contributes to the
-// denominator but to no category (honest: unknown ≠ inferred).
-// ──────────────────────────────────────────────────────────────────────────
-const CATEGORY_RULES = [
-  // category,    matcher (lower-cased tool_name)
-  ['search',   (n) => /(^|_)web_search$|(^|_)search($|_)|google|brave/.test(n)],
-  ['browser',  (n) => /web_fetch|browser|playwright|puppeteer|navigate|screenshot/.test(n)],
-  ['http',     (n) => /(^|_)http|fetch_url|curl|request|webhook|api_call/.test(n)],
-  ['code',     (n) => /bash|shell|terminal|code_exec|exec_|python|node_run|run_code|interpreter/.test(n)],
-  ['database', (n) => /sql|query_db|database|postgres|mysql|mongo|redis|bigquery|snowflake/.test(n)],
-  ['email',    (n) => /email|gmail|smtp|sendmail|mailgun|outlook/.test(n)],
-  ['payment',  (n) => /payment|charge|transfer|invoice|stripe|paypal|payout|refund|checkout/.test(n)],
-  ['secret',   (n) => /secret|vault|credential|kms|keychain|token_get/.test(n)],
-  ['memory',   (n) => /memory|retriev|vector|(^|_)rag($|_)|knowledge|embed|pinecone|chroma/.test(n)],
-  ['file',     (n) => /editor|str_replace|read_file|write_file|create_file|file_io|(^|_)file($|_)|fs_/.test(n)],
-];
-
-// Best-effort deploy detection (spec discriminator devops_infra vs coding).
-const DEPLOY_RE = /deploy|terraform|kubectl|helm|(^|_)release($|_)|ansible|pulumi|cloudformation/;
-
-function categoryOf(toolName) {
-  const n = String(toolName || '').toLowerCase();
-  for (const [cat, m] of CATEGORY_RULES) if (m(n)) return cat;
-  return null;
-}
-
-// Aggregate raw counts from an agent's local NDJSON logs (Modèle C: counts only).
-async function aggregate(logDir, agentId) {
-  const actionCounts = {};       // action_type → count
-  const categoryCounts = {};     // tool category → count
-  let toolEvents = 0;            // denominator for f_* fractions
-  let deployUses = 0;
-  const dir = join(logDir, agentId);
-  const s = await stat(dir).catch(() => null);
-  if (!s || !s.isDirectory()) return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: false };
-  let names;
-  try { names = await readdir(dir); } catch { return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: false }; }
-  const files = names.filter((n) => n.endsWith('.ndjson') && !n.startsWith('raw-'));
-  if (files.length === 0) return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: false };
-
-  for (const f of files) {
-    await new Promise((res) => {
-      const rl = createInterface({ input: createReadStream(join(dir, f), { encoding: 'utf8' }), crlfDelay: Infinity });
-      rl.on('line', (line) => {
-        if (!line.trim()) return;
-        let e; try { e = JSON.parse(line); } catch { return; }
-        if (e.action_type) actionCounts[e.action_type] = (actionCounts[e.action_type] || 0) + 1;
-        if (TOOL_ACTIONS.has(e.action_type)) {
-          toolEvents += 1;
-          const cat = categoryOf(e.tool_name);
-          if (cat) categoryCounts[cat] = (categoryCounts[cat] || 0) + 1;
-          if (DEPLOY_RE.test(String(e.tool_name || '').toLowerCase())) deployUses += 1;
-        }
-      });
-      rl.on('close', res); rl.on('error', res);
-    });
-  }
-  return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: true };
-}
-
-// Features that the WMA NDJSON logs CANNOT reliably expose today (opaque tool
-// names / no behavioural signal / content off-limits under Modèle C). They
-// default to 0/false; the caller prints a one-line note.
-const NON_DERIVABLE = [
-  'f_database', 'f_email', 'f_payment', 'f_secret', 'f_memory',
-  'flag_internal_sys', 'flag_on_behalf', 'aux_untrusted', 'aux_sensitive',
-];
-
-// Build the canonical anonymized FEATURE VECTOR from the aggregated counts.
-// Fractions = category_count / toolEvents. n_events = total observed events.
-function buildFeatures(agg) {
-  const { actionCounts, categoryCounts, toolEvents, deployUses } = agg;
-  const nEvents = Object.values(actionCounts).reduce((a, b) => a + b, 0);
-  const frac = (c) => (toolEvents > 0 ? (categoryCounts[c] || 0) / toolEvents : 0);
-  const eventFrac = (...types) => (nEvents > 0
-    ? types.reduce((a, t) => a + (actionCounts[t] || 0), 0) / nEvents
-    : 0);
-
-  // f_handoff / f_user_msg are derived from event TYPE (not tool category):
-  // confirmed action_types thread_message_* and user_message.
-  const handoff = eventFrac('thread_message_sent', 'thread_message_received', 'thread_created');
-  const userMsg = eventFrac('user_message');
-
-  // aux_autonomy ≈ 1 − (human-in-the-loop event share). Confirmed action_types
-  // user_message / user_interrupt / tool_confirmation mark human involvement; an
-  // agent that proceeds without them is more autonomous. Heuristic — documented.
-  const hitlShare = eventFrac('user_message', 'user_interrupt', 'tool_confirmation');
-  const auxAutonomy = nEvents > 0 ? Math.max(0, 1 - hitlShare) : 0;
-
-  return {
-    // tool-category fractions (over tool uses)
-    f_code: frac('code'),
-    f_browser: frac('browser'),
-    f_database: frac('database'),     // non-derivable in practice → ~0
-    f_http: frac('http'),
-    f_email: frac('email'),           // non-derivable in practice → ~0
-    f_payment: frac('payment'),       // non-derivable in practice → ~0
-    f_secret: frac('secret'),         // non-derivable in practice → ~0
-    f_search: frac('search'),
-    f_memory: frac('memory'),         // non-derivable in practice → ~0
-    f_file: frac('file'),
-    // event-type fractions (over all events)
-    f_handoff: handoff,
-    f_user_msg: userMsg,
-    // discriminator flags (best-effort; only flag_deploy has any behavioural
-    // signal — and only if the agent literally names a deploy tool).
-    flag_deploy: deployUses > 0 ? 1 : 0,
-    flag_internal_sys: 0,             // no behavioural signal in logs
-    flag_on_behalf: 0,                // no behavioural signal in logs
-    // aux ratios
-    aux_autonomy: auxAutonomy,        // heuristic (HITL-frequency)
-    aux_untrusted: 0,                 // no honest source in logs
-    aux_sensitive: 0,                 // no honest source in logs
-    // window size
-    n_events: nEvents,
-  };
-}
+// Feature aggregation lives in src/typology-features.js (shared with the Watch
+// daemon so both CLI snapshot and continuous upload use the same Modèle C
+// extraction). The rest of this file is just CLI presentation.
 
 async function main() {
   const args = parseArgs(process.argv.slice(2));

package/scripts/fetch-anthropic.js

@@ -30,6 +30,8 @@ import { TokenTracker } from '../src/tokens.js';
 import { SignalsAggregator } from '../src/anonymizer.js';
 import { resolveFortressBase, fortressEndpoint } from '../src/fortress/url.js';
 import { isValidAgentId, isValidSessionId, assertSafePathSegment } from '../src/validate.js';
+import { classifyAgentType } from '../src/typology.js';
+import { aggregate, buildFeatures } from '../src/typology-features.js';
 import {
   getAgent, listAgents, listSessions, fetchSessionEntries, fetchRawEvents,
 } from '../src/sources/anthropic-managed.js';
@@ -105,7 +107,10 @@ function postJson(url, headers, body) {
 }
 
 // Anonymize a batch of just-written entries and ship them as one signals row.
-async function uploadSignals(uploadCtx, agentId, displayName, entries) {
+// `classification` (optional) carries the agent's typology — Fortress upserts
+// agent_type/confidence/stage on the agent row so the typology badge + the
+// apply-template flow fill themselves with no manual click.
+async function uploadSignals(uploadCtx, agentId, displayName, entries, classification) {
   const agg = new SignalsAggregator({ salt: uploadCtx.salt });
   for (const e of entries) agg.add(e);
   const sig = agg.finalize();
@@ -116,6 +121,7 @@ async function uploadSignals(uploadCtx, agentId, displayName, entries) {
     window_start: sig.window_start,
     window_end: sig.window_end,
     payload: sig.payload,
+    ...(classification ? { classification } : {}),
   });
   const { status, body: resp } = await postJson(
     uploadCtx.url, { authorization: `Bearer ${uploadCtx.apiKey}` }, body,
@@ -217,6 +223,8 @@ async function runWatch({ apiKey, resolveAgents, fleet, logDir, intervalMs, wind
   const loggers = new Map();     // sessionId → Logger (session ids are globally unique)
   const ended = new Set();       // terminated sessions (skip)
   const sessionAgent = new Map();// sessionId → { agentId, model, displayName }
+  const priors = new Map();      // agentId → previous classification (threads the
+                                  // typology state machine across upload cycles)
 
   const ac = new AbortController();
   const shutdown = () => { info('shutting down…'); ac.abort(); };
@@ -274,8 +282,23 @@ async function runWatch({ apiKey, resolveAgents, fleet, logDir, intervalMs, wind
 
       if (uploadCtx) {
         try {
-          const resp = await uploadSignals(uploadCtx, ag.agentId, sendNames ? ag.displayName : ag.agentId, fresh);
-          if (resp?.signal_id) info(`  ↑ signals uploaded (signal_id ${resp.signal_id})`);
+          // Compute the agent's typology from its CUMULATIVE local logs and
+          // thread the prior across cycles so the state machine refines toward
+          // stable (Modèle C: features = counts/categories only, no raw content).
+          let classification;
+          try {
+            const features = buildFeatures(await aggregate(logDir, ag.agentId));
+            features.agent_id = ag.agentId;
+            const cls = classifyAgentType(features, priors.get(ag.agentId) || null);
+            priors.set(ag.agentId, cls);
+            classification = { agent_type: cls.classified_type, confidence: cls.confidence, stage: cls.stage };
+          } catch (e) { warn(`  classification skipped: ${e.message}`); }
+
+          const resp = await uploadSignals(uploadCtx, ag.agentId, sendNames ? ag.displayName : ag.agentId, fresh, classification);
+          if (resp?.signal_id) {
+            const cTag = classification ? ` · type ${classification.agent_type} (${Math.round(classification.confidence * 100)}%, ${classification.stage})` : '';
+            info(`  ↑ signals uploaded (signal_id ${resp.signal_id})${cTag}`);
+          }
         } catch (e) { warn(`  signals upload failed: ${e.message}`); }
       }
 
@@ -342,7 +365,12 @@ async function main() {
     // Discovery window for NEW sessions (default 7d, configurable). Sessions we
     // already track are re-fetched regardless of age, so long-lived ones don't drop.
     const windowMs = parseDurationMs(args['discovery-since'], 7 * 24 * 3600_000);
-    const sendNames = !!args['send-agent-names'];
+    // display_name on the Fortress payload: defaults to the human agent name
+    // (UX-friendly — operators identify agents by name in the dashboard). The
+    // name is sanitized via cleanLabel() so log/payload injection is impossible.
+    // Use --no-send-agent-names to opt OUT (sends the agent_id instead) for
+    // setups where the agent name itself is considered sensitive metadata.
+    const sendNames = args['no-send-agent-names'] !== true;
 
     let resolveAgents;
     if (allAgents) {

package/src/typology-features.js

@@ -0,0 +1,136 @@
+// Shared local-log feature extraction for the typology classifier (Modèle C).
+// Both wma-agents (CLI snapshot) and the Watch daemon (continuous upload) use
+// this to derive the anonymized behavioural FEATURE VECTOR from local NDJSON
+// logs, then feed it to classifyAgentType() in ./typology.js.
+//
+// Modèle C invariant: only `action_type` and `tool_name` are read from each log
+// line — the raw payload fields (input/output/content/error/thinking) are NEVER
+// touched here, so no raw content can ever enter a feature.
+
+import { readdir, stat } from 'node:fs/promises';
+import { createReadStream } from 'node:fs';
+import { createInterface } from 'node:readline';
+import { join } from 'node:path';
+
+// Action types that represent a TOOL invocation (denominator for f_* fractions).
+const TOOL_ACTIONS = new Set(['tool_use', 'mcp_tool_use', 'custom_tool_use']);
+
+// Tool-name → category mapping. Anthropic Managed Agents expose tools as an
+// opaque bundle, so tool_name is free-text. We match the confirmed built-ins
+// (web_search, web_fetch, bash) plus best-effort regexes for common tool names.
+// A tool that matches nothing contributes to the denominator but to no category
+// (honest: unknown ≠ inferred).
+const CATEGORY_RULES = [
+  ['search',   (n) => /(^|_)web_search$|(^|_)search($|_)|google|brave/.test(n)],
+  ['browser',  (n) => /web_fetch|browser|playwright|puppeteer|navigate|screenshot/.test(n)],
+  ['http',     (n) => /(^|_)http|fetch_url|curl|request|webhook|api_call/.test(n)],
+  ['code',     (n) => /bash|shell|terminal|code_exec|exec_|python|node_run|run_code|interpreter/.test(n)],
+  ['database', (n) => /sql|query_db|database|postgres|mysql|mongo|redis|bigquery|snowflake/.test(n)],
+  ['email',    (n) => /email|gmail|smtp|sendmail|mailgun|outlook/.test(n)],
+  ['payment',  (n) => /payment|charge|transfer|invoice|stripe|paypal|payout|refund|checkout/.test(n)],
+  ['secret',   (n) => /secret|vault|credential|kms|keychain|token_get/.test(n)],
+  ['memory',   (n) => /memory|retriev|vector|(^|_)rag($|_)|knowledge|embed|pinecone|chroma/.test(n)],
+  ['file',     (n) => /editor|str_replace|read_file|write_file|create_file|file_io|(^|_)file($|_)|fs_/.test(n)],
+];
+
+// Best-effort deploy detection (spec discriminator devops_infra vs coding).
+const DEPLOY_RE = /deploy|terraform|kubectl|helm|(^|_)release($|_)|ansible|pulumi|cloudformation/;
+
+// Features that the WMA NDJSON logs CANNOT reliably expose today (opaque tool
+// names, no behavioural signal, or raw content off-limits under Modèle C).
+// They default to 0/false; callers can surface this to the user.
+export const NON_DERIVABLE = [
+  'f_database', 'f_email', 'f_payment', 'f_secret', 'f_memory',
+  'flag_internal_sys', 'flag_on_behalf', 'aux_untrusted', 'aux_sensitive',
+];
+
+function categoryOf(toolName) {
+  const n = String(toolName || '').toLowerCase();
+  for (const [cat, m] of CATEGORY_RULES) if (m(n)) return cat;
+  return null;
+}
+
+// Aggregate raw counts from an agent's local NDJSON logs. Returns `hasLogs:false`
+// when there's nothing to read (cold start).
+export async function aggregate(logDir, agentId) {
+  const actionCounts = {};
+  const categoryCounts = {};
+  let toolEvents = 0;
+  let deployUses = 0;
+  const dir = join(logDir, agentId);
+  const s = await stat(dir).catch(() => null);
+  if (!s || !s.isDirectory()) return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: false };
+  let names;
+  try { names = await readdir(dir); } catch { return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: false }; }
+  const files = names.filter((n) => n.endsWith('.ndjson') && !n.startsWith('raw-'));
+  if (files.length === 0) return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: false };
+
+  for (const f of files) {
+    await new Promise((res) => {
+      const rl = createInterface({ input: createReadStream(join(dir, f), { encoding: 'utf8' }), crlfDelay: Infinity });
+      rl.on('line', (line) => {
+        if (!line.trim()) return;
+        let e; try { e = JSON.parse(line); } catch { return; }
+        if (e.action_type) actionCounts[e.action_type] = (actionCounts[e.action_type] || 0) + 1;
+        if (TOOL_ACTIONS.has(e.action_type)) {
+          toolEvents += 1;
+          const cat = categoryOf(e.tool_name);
+          if (cat) categoryCounts[cat] = (categoryCounts[cat] || 0) + 1;
+          if (DEPLOY_RE.test(String(e.tool_name || '').toLowerCase())) deployUses += 1;
+        }
+      });
+      rl.on('close', res); rl.on('error', res);
+    });
+  }
+  return { actionCounts, categoryCounts, toolEvents, deployUses, hasLogs: true };
+}
+
+// Build the canonical anonymized FEATURE VECTOR from the aggregated counts.
+// fractions f_* = category_count / toolEvents ; event fractions = type_count /
+// nEvents ; flags 0/1 ; aux ratios in [0,1] ; n_events = total observed events.
+export function buildFeatures(agg) {
+  const { actionCounts, categoryCounts, toolEvents, deployUses } = agg;
+  const nEvents = Object.values(actionCounts).reduce((a, b) => a + b, 0);
+  const frac = (c) => (toolEvents > 0 ? (categoryCounts[c] || 0) / toolEvents : 0);
+  const eventFrac = (...types) => (nEvents > 0
+    ? types.reduce((a, t) => a + (actionCounts[t] || 0), 0) / nEvents
+    : 0);
+
+  // f_handoff / f_user_msg are derived from event TYPE (not tool category):
+  // confirmed action_types thread_message_* and user_message.
+  const handoff = eventFrac('thread_message_sent', 'thread_message_received', 'thread_created');
+  const userMsg = eventFrac('user_message');
+
+  // aux_autonomy ≈ 1 − (human-in-the-loop event share). user_message /
+  // user_interrupt / tool_confirmation mark human involvement.
+  const hitlShare = eventFrac('user_message', 'user_interrupt', 'tool_confirmation');
+  const auxAutonomy = nEvents > 0 ? Math.max(0, 1 - hitlShare) : 0;
+
+  return {
+    // tool-category fractions (over tool uses)
+    f_code: frac('code'),
+    f_browser: frac('browser'),
+    f_database: frac('database'),     // non-derivable in practice → ~0
+    f_http: frac('http'),
+    f_email: frac('email'),           // non-derivable in practice → ~0
+    f_payment: frac('payment'),       // non-derivable in practice → ~0
+    f_secret: frac('secret'),         // non-derivable in practice → ~0
+    f_search: frac('search'),
+    f_memory: frac('memory'),         // non-derivable in practice → ~0
+    f_file: frac('file'),
+    // event-type fractions (over all events)
+    f_handoff: handoff,
+    f_user_msg: userMsg,
+    // discriminator flags (best-effort; only flag_deploy has any behavioural
+    // signal — and only if the agent literally names a deploy tool).
+    flag_deploy: deployUses > 0 ? 1 : 0,
+    flag_internal_sys: 0,             // no behavioural signal in logs
+    flag_on_behalf: 0,                // no behavioural signal in logs
+    // aux ratios
+    aux_autonomy: auxAutonomy,        // heuristic (HITL-frequency)
+    aux_untrusted: 0,                 // no honest source in logs
+    aux_sensitive: 0,                 // no honest source in logs
+    // window size
+    n_events: nEvents,
+  };
+}