watchmyagents 1.0.1 → 1.0.3

package/README.md

@@ -155,7 +155,7 @@ wma-upload-fortress --agent-id agent_01ABC... [--display-name "My agent"]
 wma-upload-fortress --agent-id agent_xxx --dry-run
 ```
 
-**What is sent:** the anonymized signals payload (counts, latencies, salted IoC hashes, sequences — same as `wma-signals` output), the agent's **`classification`** when the daemon has it (`{agent_type, confidence, stage}` — anonymized metadata, never raw content), **plus the routing identifiers**: `provider` (e.g., `"anthropic-managed"` — added in v1.0 for the multi-framework SDK), `native_agent_id` (the canonical provider-agnostic field), `anthropic_agent_id` (kept for backwards compat with existing Fortress instances; will be dropped once Fortress migrates), `parent_agent_id` (`null` for root agents — populated for sub-agents detected via OpenAI Agents handoffs, CrewAI manager mode, Hermes Agent `spawn_subagent`, LangGraph sub-graphs), `composition_pattern` (`"solo" | "hierarchy" | "graph" | "peer"` — defaults to `"solo"` for Anthropic until thread-message detection lands), `enforcement_mode` (`"sync_confirm" | "sync_interrupt" | "detect_only"` — the strongest enforcement capability the Source provides; Fortress greys out Shield UI for `detect_only` agents to prevent UI/runtime mismatch), and a `display_name`. The agent id is required so Fortress can associate signals with the right agent; `display_name` defaults to the **human-readable agent name** (sanitized to strip control chars) for UX in the dashboard — pass `--no-send-agent-names` to keep it pseudonymized (sends the agent id instead) if your agent names themselves carry sensitive client/project info.
+**What is sent:** the anonymized signals payload (counts, latencies, salted IoC hashes, sequences — same as `wma-signals` output), the agent's **`classification`** when the daemon has it (`{agent_type, confidence, stage}` — anonymized metadata, never raw content), **plus the routing identifiers**: `provider` (e.g., `"anthropic-managed"` — added in v1.0 for the multi-framework SDK), `native_agent_id` (the canonical provider-agnostic field), `anthropic_agent_id` (kept for backwards compat with existing Fortress instances; will be dropped once Fortress migrates), `parent_agent_id` (`null` for root agents — populated for sub-agents detected via OpenAI Agents handoffs, CrewAI manager mode, Hermes Agent `spawn_subagent`, LangGraph sub-graphs), `composition_pattern` (`"solo" | "hierarchy" | "graph" | "peer"` — defaults to `"solo"` for Anthropic until thread-message detection lands), `enforcement_mode` (`"sync_confirm" | "sync_interrupt" | "detect_only"` — the strongest enforcement capability the Source provides; Fortress greys out Shield UI for `detect_only` agents to prevent UI/runtime mismatch), **`session_ids[]`** (opaque vendor session tokens — e.g. Anthropic `sess_01XaNB…` — added in v1.0.2 so an operator looking at a Shield decision in Fortress can `grep` the local NDJSON immediately for full raw context ; non-secret but sensitive, see [docs/CONTAINMENT.md](docs/CONTAINMENT.md#routing--forensic-metadata--what-can-cross-to-fortress) for Fortress-side guardrails), and a `display_name`. The agent id is required so Fortress can associate signals with the right agent; `display_name` defaults to the **human-readable agent name** (sanitized to strip control chars) for UX in the dashboard — pass `--no-send-agent-names` to keep it pseudonymized (sends the agent id instead) if your agent names themselves carry sensitive client/project info.
 **What is NOT sent:** raw prompts, raw URLs/commands/queries, raw agent responses, raw error messages. All payload content stays on your machine.
 
 The endpoint auto-registers the agent on the first upload if it doesn't exist in Fortress yet — no manual onboarding needed for new agents.
@@ -247,7 +247,7 @@ WatchMyAgents is built so that **your prompts and outputs never have to leave yo
 |---|---|
 | **Your machine** (`./watchmyagents-logs/`) | Full NDJSON with all prompts, tool inputs, agent outputs. `chmod 600` on every file. |
 | **Anthropic API** | Where the agent runs. WMA pulls events via the public REST API only. |
-| **WMA Fortress** (opt-in, only with `--upload` / `wma-upload-fortress` / `wma-shield --policies-source fortress`) | The **anonymized signals** payload (counts, timings, salted hashes, sequences) + routing identifiers: `provider` (e.g. `"anthropic-managed"`), `native_agent_id`, `anthropic_agent_id` (legacy alias), and `display_name` (defaults to the **human agent name** for dashboard UX — pass `--no-send-agent-names` to opt out and send only the agent id). Shield enforcement **decisions** (hashed session/event/input fingerprints — never raw values). **Never** raw prompts, URLs, commands, or outputs. |
+| **WMA Fortress** (opt-in, only with `--upload` / `wma-upload-fortress` / `wma-shield --policies-source fortress`) | The **anonymized signals** payload (counts, timings, salted hashes, sequences) + routing identifiers: `provider` (e.g. `"anthropic-managed"`), `native_agent_id`, `anthropic_agent_id` (legacy alias), `display_name` (defaults to the **human agent name** for dashboard UX — pass `--no-send-agent-names` to opt out and send only the agent id), and **`session_ids[]`** (opaque vendor session tokens, v1.0.2+, used by operators to grep their LOCAL NDJSON for full context after a Shield decision; non-secret but sensitive — Fortress applies RBAC, UI masking with reveal+audit, and retention limits, see [docs/CONTAINMENT.md](docs/CONTAINMENT.md)). Shield enforcement **decisions** (hashed session/event/input fingerprints — never raw values). **Never** raw prompts, URLs, commands, or outputs. |
 
 This is the "local-first" guarantee: **raw payloads never leave your machine.** Cloud upload is opt-in and carries only anonymized metadata + the agent id/name needed to route it.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "watchmyagents",
-  "version": "1.0.1",
+  "version": "1.0.3",
   "description": "Security observability + real-time policy enforcement for AI agents. Local-first NDJSON capture with a continuous Watch daemon that auto-uploads anonymized signals, Shield CLI that blocks policy violations live (with policies pulled from Fortress cloud), anonymizer producing signals-only payloads, bidirectional sync with WatchMyAgents Fortress, and one-command install as an always-on launchd/systemd service — closing the recursive Watch→Guardian→Shield security loop.",
   "type": "module",
   "files": [

package/src/anonymizer.js

@@ -18,10 +18,18 @@
 //   - output.content (agent text)
 //   - raw URLs / commands / queries
 //   - error messages
-//   - readable session_id (hashed)
-//   - readable agent_id (hashed)
 //   - PII of any kind
 //
+// Forensic routing metadata that DOES cross to Fortress (opaque tokens,
+// no semantic content, same sensitivity class as agent_id):
+//   - session_ids[]  — opaque vendor session ids (e.g. Anthropic
+//                      `sess_01XaNB…`). Sent so the operator looking
+//                      at a Shield decision in Fortress can grep the
+//                      LOCAL NDJSON for full raw context.
+//                      → see docs/CONTAINMENT.md "Routing & forensic
+//                        metadata" + the Fortress-side guardrails
+//                        (RBAC, UI masking, audit log, retention).
+//
 // This is the single bottleneck between Watch (local) and Fortress (cloud).
 // Every byte that crosses to the cloud passes through this module.
 
@@ -134,6 +142,13 @@ export class SignalsAggregator {
     this.entryCount = 0;
     this._prevActionType = null;
     this._prevSessionId = null;
+    // v1.0.2 F-6b — opaque session ids active in this window. Shipped to
+    // Fortress in the payload as `session_ids[]` so an operator looking at
+    // a Shield decision in the dashboard can grep their LOCAL NDJSON by
+    // session_id immediately (forensics short-circuit). The Anthropic
+    // session_id is a non-semantic token like `sess_01XaNB…` — same
+    // sensitivity class as `agent_id`, which we already transmit.
+    this.seenSessions = new Set();              // unique session_ids
   }
 
   add(entry) {
@@ -147,6 +162,13 @@ export class SignalsAggregator {
       if (!this.windowEnd || ts > this.windowEnd) this.windowEnd = ts;
     }
 
+    // F-6b — collect every distinct session_id encountered in the window.
+    // Stays opaque (no string transformation), bounded by the natural
+    // number of sessions in the window.
+    if (typeof entry.session_id === 'string' && entry.session_id.length > 0) {
+      this.seenSessions.add(entry.session_id);
+    }
+
     // Counts
     const at = entry.action_type || 'unknown';
     this.counts[at] = (this.counts[at] || 0) + 1;
@@ -233,6 +255,11 @@ export class SignalsAggregator {
         sequences_top10: sequencesTop,
         stop_reasons: this.stopReasons,
         tokens_total: this.tokensTotal,
+        // F-6c — opaque session ids active in this window, sorted for
+        // determinism. Operator forensic chain:
+        //   Fortress decision → window_start/end + session_ids → grep
+        //   the local NDJSON of the affected agent → full raw context.
+        session_ids: [...this.seenSessions].sort(),
       },
       _meta: {
         entries_processed: this.entryCount,

package/src/logger.js

@@ -13,6 +13,8 @@ import { assertSafePathSegment } from './validate.js';
 const EXPORT_FIELDS = [
   'id', 'agent_id', 'parent_agent_id', 'composition_pattern',
   'provider', 'timestamp', 'action_type',
+  // v1.0.2 F-6a — Anthropic-style sub-agent discriminators preserved locally
+  'session_thread_id', 'agent_name',
   'tool_name', 'duration_ms', 'tokens_used',
   'input_tokens', 'output_tokens', 'cache_read_tokens', 'cache_creation_tokens',
   'cost_usd', 'model',
@@ -60,6 +62,11 @@ export class Logger {
       // populates these on the event, and the Logger threads them through.
       parent_agent_id: e.parent_agent_id ?? null,
       composition_pattern: e.composition_pattern || 'solo',
+      // v1.0.2 F-6a: Anthropic-style discriminators preserved LOCAL ONLY
+      // (never sent raw to Fortress — SignalsAggregator derives the
+      // aggregated session_ids list from these at finalize time).
+      session_thread_id: e.session_thread_id ?? null,
+      agent_name: e.agent_name ?? null,
       provider: e.provider || e.framework || 'generic',
       timestamp: e.timestamp || new Date().toISOString(),
       action_type: e.action_type || 'tool_call',

package/src/sources/anthropic-managed.js

@@ -185,6 +185,13 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
     if (!RELEVANT.has(ev.type)) continue;
     const type = ev.type;
     const ts = ev.processed_at || ev.created_at || new Date().toISOString();
+    // v1.0.2 F-6a: capture Anthropic's own discriminators on EVERY event,
+    // not just thread_message_*. session_thread_id + agent_name are how
+    // the vendor itself tells parent activity from sub-agent activity.
+    // Preserved LOCALLY (NDJSON) only — never sent raw to Fortress.
+    const session_thread_id = ev.session_thread_id ?? null;
+    const agent_name = ev.agent_name ?? null;
+    const subAgentMeta = { session_thread_id, agent_name };
     const tsMillis = tsMs(ev);
 
     if (type === 'span.model_request_start') {
@@ -201,6 +208,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
       const cw = u.cache_creation_input_tokens || 0;
       yield {
         ...base,
+        ...subAgentMeta,
         id: ev.id,
         action_type: 'llm_call',
         tool_name: null,
@@ -220,6 +228,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
     if (type === 'user.message') {
       yield {
         ...base,
+        ...subAgentMeta,
         id: ev.id,
         action_type: 'user_message',
         tool_name: null,
@@ -234,6 +243,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
     if (type === 'user.interrupt') {
       yield {
         ...base,
+        ...subAgentMeta,
         id: ev.id,
         action_type: 'user_interrupt',
         tool_name: null,
@@ -249,6 +259,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
       const denied = ev.result === 'deny';
       yield {
         ...base,
+        ...subAgentMeta,
         id: ev.id,
         action_type: 'tool_confirmation',
         tool_name: null,
@@ -265,6 +276,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
     if (type === 'user.custom_tool_result') {
       yield {
         ...base,
+        ...subAgentMeta,
         id: ev.id,
         action_type: 'custom_tool_result',
         tool_name: null,
@@ -280,6 +292,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
     if (type === 'agent.message') {
       yield {
         ...base,
+        ...subAgentMeta,
         id: ev.id,
         action_type: 'message',
         tool_name: null,
@@ -294,6 +307,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
     if (type === 'agent.thinking') {
       yield {
         ...base,
+        ...subAgentMeta,
         id: ev.id,
         action_type: 'thinking',
         tool_name: null,
@@ -321,6 +335,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
       const isError = ev.is_error === true;
       yield {
         ...base,
+        ...subAgentMeta,
         id: ev.id,
         action_type: start?.isMcp ? 'mcp_tool_use' : 'tool_use',
         tool_name: start?.name || 'unknown',
@@ -337,6 +352,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
     if (type === 'agent.custom_tool_use') {
       yield {
         ...base,
+        ...subAgentMeta,
         id: ev.id,
         action_type: 'custom_tool_use',
         tool_name: ev.name || 'unknown',
@@ -351,6 +367,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
     if (type === 'agent.thread_context_compacted') {
       yield {
         ...base,
+        ...subAgentMeta,
         id: ev.id,
         action_type: 'context_compacted',
         tool_name: null,
@@ -370,6 +387,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
       const direction = type.endsWith('_sent') ? 'sent' : 'received';
       yield {
         ...base,
+        ...subAgentMeta,
         id: ev.id,
         action_type: `thread_message_${direction}`,
         tool_name: null,
@@ -391,6 +409,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
       const { id: _id, type: _type, processed_at: _pa, created_at: _ca, ...changes } = ev;
       yield {
         ...base,
+        ...subAgentMeta,
         id: ev.id,
         action_type: 'config_change',
         tool_name: null,
@@ -405,6 +424,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
     if (type === 'session.thread_created') {
       yield {
         ...base,
+        ...subAgentMeta,
         id: ev.id,
         action_type: 'thread_created',
         tool_name: null,
@@ -422,6 +442,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
     if (type === 'session.error') {
       yield {
         ...base,
+        ...subAgentMeta,
         id: ev.id,
         action_type: 'session_error',
         tool_name: null,
@@ -443,6 +464,7 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
       const fatal = state === 'terminated';
       yield {
         ...base,
+        ...subAgentMeta,
         id: ev.id,
         action_type: 'state_transition',
         tool_name: null,

package/src/sources/contract.js

@@ -127,6 +127,19 @@ export const PROVIDERS = Object.freeze({
 //  * SUB-AGENT FIELDS (PR-C — see WMAAction.parent_agent_id):
 //  * @property {string|null} parent_agent_id        Null for root agents
 //  * @property {string|null} composition_pattern    From COMPOSITION_PATTERNS
+//  *
+//  * MULTI-AGENT DISCRIMINATORS (v1.0.2 F-6a — preserved LOCALLY only,
+//  * never sent raw to Fortress; the SignalsAggregator derives the
+//  * aggregated session_ids list from them at finalize time):
+//  * @property {string|null} session_thread_id      The thread the event happened in.
+//  *                                                For frameworks where one session can
+//  *                                                host multiple threads/sub-agents
+//  *                                                (Anthropic Task tool, future similar
+//  *                                                designs), this is how the vendor
+//  *                                                itself discriminates "parent vs sub".
+//  * @property {string|null} agent_name             The human-named emitter of this event
+//  *                                                (the parent agent OR a sub-agent
+//  *                                                running inside the parent's session).
 //  */
 
 const REQUIRED_FIELDS = ['id', 'provider', 'agent_id', 'session_id', 'action_type', 'timestamp', 'status'];