watchmyagents 1.1.0 → 1.1.2

package/README.md

@@ -1,12 +1,26 @@
 # Watch My Agents
 
-**Security observability for AI agents.** A zero-dependency CLI + SDK that captures every action your AI agents take — tool calls, prompts, state transitions, errors, multi-agent comms — into local NDJSON logs. Built for security audits, not just token counting.
+**Real-time security observability AND enforcement for AI agents.** A zero-dependency CLI + SDK that captures every action your AI agents take — tool calls, prompts, state transitions, errors, multi-agent comms — into local NDJSON logs **AND** enforces security policies live, with sub-second propagation from the Fortress control plane to the Shield runtime.
 
-Designed around three guarantees:
+Designed around four guarantees:
 
 1. **Local-first.** Raw payloads (prompts, outputs, tool arguments) stay 100% on your machine. Nothing leaves unless you explicitly opt in.
-2. **Trace everything, not just what costs tokens.** A `web_fetch` to a suspicious URL carries zero tokens but is exactly what a security audit needs to see.
-3. **Zero dependencies.** Only Node.js 18+ built-ins. No telemetry, no phone-home, no hidden network calls.
+2. **Trace everything, not just what costs tokens.** A `web_fetch` to a suspicious URL carries zero tokens but is exactly what a security audit needs to see. Even tool calls that were blocked, denied, or interrupted before producing a result are logged with `status: error` so the audit trail is complete.
+3. **Real-time enforcement, not post-hoc auditing.** A policy accepted in Fortress UI is active in Shield within ~1 second via SSE + Postgres realtime. A policy violation is blocked in ~3ms via Anthropic's `user.tool_confirmation` / `user.interrupt` events. Measured in production, not promised in roadmap.
+4. **Zero dependencies.** Only Node.js 18+ built-ins. No telemetry, no phone-home, no hidden network calls. Preserved through every release including the SSE realtime work (custom RFC-compliant SSE parser, no `@supabase/realtime-js` or `ws` dep).
+
+### Measured end-to-end loop latency (v1.1.0+)
+
+```
+Anthropic agent action ────────► Watch capture           : ≤ 60s     (configurable via --interval)
+Watch capture        ────────► Fortress signal upload   : ≤ 60s     (same cycle)
+Fortress signal      ────────► Guardian analysis        : ≤ 30s     (event-triggered, debounced)
+Guardian proposal    ────────► Operator accepts in UI   : (human)
+Policy accepted      ────────► Shield receives via SSE  : ≤ 1s      (sub-second push, validated)
+Shield evaluates     ────────► Decision (allow/deny)    : ≤ 3ms     (measured on Anthropic Managed)
+```
+
+Full audit-clean: 3 successful Codex audit passes (v1.0.1, v1.0.2, v1.0.3) closed 7 findings with zero regression. Containment invariant (raw payloads never leave the customer machine) is formalized in `docs/CONTAINMENT.md` and locked by 8 regression tests.
 
 ---
 

package/SECURITY.md

@@ -57,6 +57,8 @@ WMA combines **two complementary layers**:
 - **Blind spots in agent behavior.** Watch captures tool calls, prompts, state transitions, and errors for after-the-fact analysis.
 - **Token-only observability tools.** WMA captures every action including zero-token ones (`tool_use`, `state_transition`, etc.) that are the most security-relevant.
 - **Inline policy violations** (Shield). When the agent has `permission_policy: always_ask` configured, Shield blocks tool calls before execution. When not, Shield interrupts the session on first violation (the offending tool already ran, but the agent loop stops).
+- **Stale enforcement after a policy update.** A new policy accepted in the Fortress dashboard is active in Shield within ~1 second via SSE + Postgres realtime (validated in production on v1.1.0). The 60s polling refresh is a fallback for environments where the SSE channel can't be established (firewall, proxy stripping `text/event-stream`).
+- **Lost audit trail for blocked / denied / interrupted tool calls.** Tool calls that started but never produced a result (Shield pre-block, operator denial, mid-execution kill, session termination) are logged as explicit `tool_use` entries with `status: error` and `error: "no_result_observed"` — they cannot disappear silently from the audit. (Fix shipped in v1.1.1 after the Codex P1 finding.)
 - **Vendor lock-in.** NDJSON is portable; you own the data.
 
 ### What WMA does NOT defend against

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "watchmyagents",
-  "version": "1.1.0",
+  "version": "1.1.2",
   "description": "Security observability + real-time policy enforcement for AI agents. Local-first NDJSON capture with a continuous Watch daemon that auto-uploads anonymized signals, Shield CLI that blocks policy violations live (with policies pulled from Fortress cloud), anonymizer producing signals-only payloads, bidirectional sync with WatchMyAgents Fortress, and one-command install as an always-on launchd/systemd service — closing the recursive Watch→Guardian→Shield security loop.",
   "type": "module",
   "files": [

package/scripts/agents.js

@@ -23,6 +23,7 @@ import { listAgents } from '../src/sources/anthropic-managed.js';
 import { classifyAgentType } from '../src/typology.js';
 import { aggregate, buildFeatures, NON_DERIVABLE } from '../src/typology-features.js';
 import { isValidAgentId, assertSafePathSegment } from '../src/validate.js';
+import { maybePrintVersionAndExit } from '../src/version.js';
 
 function parseArgs(argv) {
   const out = { _: [] };
@@ -43,6 +44,8 @@ function info(msg) { process.stdout.write(`[wma-agents] ${msg}\n`); }
 // extraction). The rest of this file is just CLI presentation.
 
 async function main() {
+  // v1.1.1 F-13: --version / -v short-circuit before any other parsing.
+  maybePrintVersionAndExit(process.argv);
   const args = parseArgs(process.argv.slice(2));
   if (args._[0] && args._[0] !== 'list') die(`unknown command "${args._[0]}" (only "list" supported)`);
   const apiKey = args['api-key'] || process.env.ANTHROPIC_API_KEY;

package/scripts/fetch-anthropic.js

@@ -29,6 +29,7 @@ import { Logger } from '../src/logger.js';
 import { TokenTracker } from '../src/tokens.js';
 import { SignalsAggregator } from '../src/anonymizer.js';
 import { resolveFortressBase, fortressEndpoint } from '../src/fortress/url.js';
+import { cleanLabel } from '../src/labels.js';
 import { isValidAgentId, isValidSessionId, assertSafePathSegment } from '../src/validate.js';
 import { classifyAgentType } from '../src/typology.js';
 import { aggregate, buildFeatures } from '../src/typology-features.js';
@@ -36,6 +37,7 @@ import {
   getAgent, listAgents, listSessions, fetchSessionEntries, fetchRawEvents,
   AnthropicManagedSource, effectiveEnforcementMode,
 } from '../src/sources/anthropic-managed.js';
+import { maybePrintVersionAndExit } from '../src/version.js';
 
 function parseArgs(argv) {
   const out = {};
@@ -73,9 +75,9 @@ function parseSince(s) {
 function die(msg, code = 1) { process.stderr.write(`${msg}\n`); process.exit(code); }
 function info(msg) { process.stdout.write(`[wma-fetch] ${msg}\n`); }
 function warn(msg) { process.stderr.write(`[wma-fetch] ⚠️  ${msg}\n`); }
-// Strip control chars + truncate a customer-set agent name before it goes into
-// a log line or the Fortress display_name (defense-in-depth vs log/payload injection).
-function cleanLabel(s) { return [...String(s ?? '')].filter((c) => c.charCodeAt(0) >= 32 && c.charCodeAt(0) !== 127).join('').slice(0, 60).trim(); }
+// v1.1.1 F-11: cleanLabel moved to src/labels.js so wma-upload-fortress
+// (and any future consumer) shares the exact same sanitization. Defense
+// in depth vs log/payload injection from customer-set agent names.
 
 function resolveModel(agent) {
   const raw = agent.model || agent.config?.model || null;
@@ -83,6 +85,12 @@ function resolveModel(agent) {
 }
 
 // HTTPS POST helper for the --upload signals push (mirrors wma-upload-fortress).
+// v1.1.2 F-17: response body cap for the Fortress ingest-signals POST.
+// The expected reply is a small JSON confirmation ({signal_id, agent_id,
+// registered_new_agent}) — well under 1 MB. Any larger and the endpoint
+// is misconfigured or compromised; abort.
+const MAX_FORTRESS_RESPONSE_BYTES = 1 * 1024 * 1024;
+
 function postJson(url, headers, body) {
   return new Promise((resolveReq, rejectReq) => {
     const u = new URL(url);
@@ -95,8 +103,22 @@ function postJson(url, headers, body) {
       rejectUnauthorized: true,
     }, (res) => {
       const chunks = [];
-      res.on('data', (c) => chunks.push(c));
+      let receivedBytes = 0;
+      let aborted = false;
+      res.on('data', (c) => {
+        if (aborted) return;
+        receivedBytes += c.length;
+        if (receivedBytes > MAX_FORTRESS_RESPONSE_BYTES) {
+          aborted = true;
+          chunks.length = 0;
+          try { req.destroy(); } catch { /* already destroyed */ }
+          rejectReq(new Error(`Fortress response exceeded ${MAX_FORTRESS_RESPONSE_BYTES} bytes — aborting`));
+          return;
+        }
+        chunks.push(c);
+      });
       res.on('end', () => {
+        if (aborted) return;
         const raw = Buffer.concat(chunks).toString('utf8');
         let parsed = null; try { parsed = JSON.parse(raw); } catch { /* keep raw */ }
         resolveReq({ status: res.statusCode || 0, body: parsed ?? raw });
@@ -261,7 +283,7 @@ const sleep = (ms, signal) => new Promise((res) => {
 });
 
 // ── ONE-SHOT ──────────────────────────────────────────────────────────────
-async function fetchOneShot({ apiKey, agentId, model, logDir, since, sessionId, dumpRaw }) {
+async function fetchOneShot({ apiKey, agentId, model, logDir, since, sessionId, dumpRaw, forceDuplicates = false }) {
   let sessions;
   if (sessionId) {
     sessions = [{ id: sessionId, created_at: new Date().toISOString() }];
@@ -272,7 +294,18 @@ async function fetchOneShot({ apiKey, agentId, model, logDir, since, sessionId,
   if (sessions.length === 0) { info('no sessions to fetch'); return; }
   info(`${sessions.length} session(s) to fetch`);
 
+  // v1.1.1 F-10 (P2 Codex audit): preload the entry ids already on disk for
+  // this agent so re-running the one-shot doesn't duplicate events. The
+  // watch daemon does this already; the one-shot was the missing piece.
+  // Operators who explicitly want the legacy duplicate-on-rerun behavior
+  // can opt back in with --force-duplicates.
+  const seenIds = forceDuplicates ? new Set() : await preloadSeenIds(logDir, agentId);
+  if (!forceDuplicates && seenIds.size > 0) {
+    info(`preloaded ${seenIds.size} known event id(s) for dedup`);
+  }
+
   let totalEntries = 0;
+  let totalSkipped = 0;
   for (const s of sessions) {
     const sid = s.id;
     process.stdout.write(`\n[wma-fetch] session ${sid}\n`);
@@ -288,23 +321,27 @@ async function fetchOneShot({ apiKey, agentId, model, logDir, since, sessionId,
     const logger = new Logger({ logDir, agentId, sessionId: sid, silent: true });
     const tracker = new TokenTracker();
     let count = 0;
+    let skipped = 0;
     for await (const entry of fetchSessionEntries({ apiKey, agentId, sessionId: sid, model })) {
+      if (entry.id && seenIds.has(entry.id)) { skipped++; continue; }
       const written = await logger.write(entry);
+      if (entry.id) seenIds.add(entry.id);
       tracker.record(written);
       count++;
     }
+    totalSkipped += skipped;
     const stats = tracker.stats().total;
     await logger.write({
       action_type: 'session_end', provider: 'anthropic-managed', status: 'ok', model,
       session_tokens: { input: stats.input, output: stats.output, cache_read: stats.cache_read, cache_creation: stats.cache_creation, total: stats.sum },
       session_cost_usd: stats.cost_usd || null,
     });
-    process.stdout.write(`  entries     : ${count} (+1 session_end)\n`);
+    process.stdout.write(`  entries     : ${count} (+1 session_end)${skipped ? ` · ${skipped} skipped (dedup)` : ''}\n`);
     process.stdout.write(`  tokens      : in=${stats.input} out=${stats.output} cache_r=${stats.cache_read} cache_w=${stats.cache_creation}\n`);
     process.stdout.write(`  written to  : ${logger._pathForToday()}\n`);
     totalEntries += count + 1;
   }
-  process.stdout.write(`\n[wma-fetch] done — ${totalEntries} total entries across ${sessions.length} session(s)\n`);
+  process.stdout.write(`\n[wma-fetch] done — ${totalEntries} total entries across ${sessions.length} session(s)${totalSkipped ? `, ${totalSkipped} skipped (dedup)` : ''}\n`);
   process.stdout.write(`[wma-fetch] inspect with: npx wma-inspect ${logDir}\n`);
 }
 
@@ -441,6 +478,8 @@ async function runWatch({ apiKey, resolveAgents, fleet, logDir, intervalMs, wind
 }
 
 async function main() {
+  // v1.1.1 F-13: --version / -v short-circuit before any other parsing.
+  maybePrintVersionAndExit(process.argv);
   const args = parseArgs(process.argv.slice(2));
   const apiKey = args['api-key'] || process.env.ANTHROPIC_API_KEY;
   const agentId = args['agent-id'];
@@ -545,7 +584,7 @@ async function main() {
     info(`resolving agent ${agentId}…`);
     const agent = await getAgent(apiKey, agentId).catch((e) => die(`failed to GET agent: ${e.message}`));
     const since = args.since ? parseSince(args.since) : null;
-    await fetchOneShot({ apiKey, agentId, model: resolveModel(agent), logDir, since, sessionId: args['session-id'], dumpRaw: !!args['dump-raw'] });
+    await fetchOneShot({ apiKey, agentId, model: resolveModel(agent), logDir, since, sessionId: args['session-id'], dumpRaw: !!args['dump-raw'], forceDuplicates: !!args['force-duplicates'] });
   }
 }
 

package/scripts/inspect.js

@@ -13,6 +13,7 @@ import { createReadStream } from 'node:fs';
 import { createInterface } from 'node:readline';
 import { join, resolve } from 'node:path';
 import { TokenTracker } from '../src/tokens.js';
+import { maybePrintVersionAndExit } from '../src/version.js';
 
 // Streaming line-by-line reader — bounds memory usage on large NDJSON files
 // (a long-running agent can produce hundreds of MB per day).
@@ -66,6 +67,8 @@ function extractDestination(input) {
 }
 
 async function main() {
+  // v1.1.1 F-13: --version / -v short-circuit before any other parsing.
+  maybePrintVersionAndExit(process.argv);
   const files = await collectFiles(target);
   if (files.length === 0) {
     process.stderr.write(`No .ndjson files found under ${target}\n`); process.exit(1);

package/scripts/service.js

@@ -25,6 +25,7 @@ import { join } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { execFileSync } from 'node:child_process';
 import { isValidAgentId } from '../src/validate.js';
+import { maybePrintVersionAndExit } from '../src/version.js';
 
 const HOME = os.homedir();
 const PLATFORM = process.platform;                       // 'darwin' | 'linux' | …
@@ -338,6 +339,8 @@ The service starts at login and restarts on crash. Raw logs stay local.
 }
 
 function main() {
+  // v1.1.1 F-13: --version / -v short-circuit before any other parsing.
+  maybePrintVersionAndExit(process.argv);
   const args = parseArgs(process.argv.slice(2));
   const cmd = args._[0];
   switch (cmd) {

package/scripts/shield.js

@@ -32,6 +32,7 @@ import {
   confirmAllow, confirmDeny, interruptSession,
   getAgentConfig, detectAlwaysAsk,
 } from '../src/shield/enforce.js';
+import { maybePrintVersionAndExit } from '../src/version.js';
 import { DecisionLogger } from '../src/shield/decisions.js';
 import { listSessions, listAgents } from '../src/sources/anthropic-managed.js';
 import { FortressPolicySource, postDecision } from '../src/shield/sources/fortress.js';
@@ -405,6 +406,8 @@ async function runAgentWide(ctx) {
 // Main
 // ────────────────────────────────────────────────────────────────────────
 async function main() {
+  // v1.1.1 F-13: --version / -v short-circuit before any other parsing.
+  maybePrintVersionAndExit(process.argv);
   const args = parseArgs(process.argv.slice(2));
   const apiKey = args['api-key'] || process.env.ANTHROPIC_API_KEY;
   const agentId = args['agent-id'];

package/scripts/signals.js

@@ -25,6 +25,7 @@ import { resolve, join } from 'node:path';
 import { SignalsAggregator } from '../src/anonymizer.js';
 import { createReadStream } from 'node:fs';
 import { createInterface } from 'node:readline';
+import { maybePrintVersionAndExit } from '../src/version.js';
 
 function parseArgs(argv) {
   const out = {};
@@ -59,6 +60,8 @@ async function collectFiles(p) {
 }
 
 async function main() {
+  // v1.1.1 F-13: --version / -v short-circuit before any other parsing.
+  maybePrintVersionAndExit(process.argv);
   const args = parseArgs(process.argv.slice(2));
 
   if (!args._target) {

package/scripts/upload-fortress.js

@@ -31,6 +31,8 @@ import { createInterface } from 'node:readline';
 import { SignalsAggregator } from '../src/anonymizer.js';
 import { resolveFortressBase, fortressEndpoint } from '../src/fortress/url.js';
 import { AnthropicManagedSource } from '../src/sources/anthropic-managed.js';
+import { cleanLabel } from '../src/labels.js';
+import { maybePrintVersionAndExit } from '../src/version.js';
 
 function parseArgs(argv) {
   const out = {};
@@ -61,6 +63,11 @@ async function collectFiles(p) {
   return out;
 }
 
+// v1.1.2 F-17: Fortress ingest-signals response is a small confirmation
+// JSON. Cap at 1 MB and abort if the endpoint streams more — defensive
+// against a compromised or misconfigured response.
+const MAX_FORTRESS_RESPONSE_BYTES = 1 * 1024 * 1024;
+
 function postJson(url, headers, body) {
   return new Promise((resolveReq, rejectReq) => {
     const u = new URL(url);
@@ -83,8 +90,22 @@ function postJson(url, headers, body) {
       },
       (res) => {
         const chunks = [];
-        res.on('data', (c) => chunks.push(c));
+        let receivedBytes = 0;
+        let aborted = false;
+        res.on('data', (c) => {
+          if (aborted) return;
+          receivedBytes += c.length;
+          if (receivedBytes > MAX_FORTRESS_RESPONSE_BYTES) {
+            aborted = true;
+            chunks.length = 0;
+            try { req.destroy(); } catch { /* already destroyed */ }
+            rejectReq(new Error(`Fortress response exceeded ${MAX_FORTRESS_RESPONSE_BYTES} bytes — aborting`));
+            return;
+          }
+          chunks.push(c);
+        });
         res.on('end', () => {
+          if (aborted) return;
           const raw = Buffer.concat(chunks).toString('utf8');
           let parsed = null;
           try { parsed = JSON.parse(raw); } catch { /* keep raw */ }
@@ -99,13 +120,18 @@ function postJson(url, headers, body) {
 }
 
 async function main() {
+  // v1.1.1 F-13: --version / -v short-circuit before any other parsing.
+  maybePrintVersionAndExit(process.argv);
   const args = parseArgs(process.argv.slice(2));
 
   const agentId = args['agent-id'];
   const logDir = resolve(args['log-dir'] || './watchmyagents-logs');
   const apiKey = args['api-key'] || process.env.WMA_API_KEY;
   const salt = args.salt || process.env.WMA_SIGNALS_SALT;
-  const displayName = args['display-name'] || agentId;
+  // v1.1.1 F-11: sanitize the customer-supplied display name with the
+  // same cleanLabel used by the Watch daemon (defense-in-depth vs log
+  // injection / Fortress payload injection via control bytes).
+  const displayName = cleanLabel(args['display-name'] || agentId) || agentId;
   const dryRun = !!args['dry-run'];
 
   // Resolve Fortress base URL. Accepts:

package/src/labels.js

@@ -0,0 +1,39 @@
+// ────────────────────────────────────────────────────────────────────────
+// labels — shared sanitization for human-facing identifiers
+// ────────────────────────────────────────────────────────────────────────
+//
+// Customer-set strings (agent display names, workspace labels, etc.) end
+// up in:
+//   - log lines (stdout/stderr of the Watch + Shield daemons)
+//   - the Fortress ingest-signals payload (`display_name` field)
+//   - eventually rendered in the Fortress dashboard
+//
+// We don't trust them. A name carrying:
+//   - control bytes (0x00-0x1F, 0x7F) can poison terminal output (ANSI
+//     escape sequences) or break NDJSON parsing
+//   - excessive length can bloat payloads and break UI columns
+//
+// `cleanLabel()` is the single, shared sanitizer. Both wma-fetch (the
+// daemon) and wma-upload-fortress (the one-shot uploader) MUST run
+// every customer-supplied label through it before logging or shipping.
+// Extracted to its own module in v1.1.1 (F-11 Codex audit fix) so a
+// future change benefits both consumers automatically.
+
+const MAX_LABEL_CHARS = 60;
+
+/**
+ * Strip control bytes (< 0x20 and 0x7F DEL) and truncate to MAX_LABEL_CHARS
+ * characters. Returns the empty string for null/undefined input.
+ *
+ * Uses [...str] to iterate by code point so surrogate pairs aren't split.
+ */
+export function cleanLabel(s) {
+  return [...String(s ?? '')]
+    .filter((c) => {
+      const code = c.charCodeAt(0);
+      return code >= 32 && code !== 127;
+    })
+    .join('')
+    .slice(0, MAX_LABEL_CHARS)
+    .trim();
+}

package/src/shield/policy-stream.js

@@ -37,6 +37,13 @@ const RECONNECT_MIN_MS = 1_000;
 const RECONNECT_MAX_MS = 60_000;
 const FALLBACK_RETRY_INTERVAL_MS = 5 * 60_000;
 const PERMANENT_FAILURE_LOG_INTERVAL_MS = 5 * 60_000;
+// v1.1.1 F-9 (P2 Codex audit): hard cap on a single SSE event's buffer.
+// A buggy or compromised Fortress endpoint could stream bytes forever
+// without emitting the "\n\n" event separator, growing Shield's memory.
+// 1 MB is far above any legitimate `policy_changed` payload (the data
+// field carries {rule_id, action, ts, kind} = maybe 200 bytes) so we
+// abort the connection and reconnect on overflow.
+const MAX_SSE_EVENT_BYTES = 1 * 1024 * 1024;
 
 export class PolicyStream extends EventEmitter {
   constructor({ url, apiKey, anthropicAgentId, onError, onInfo }) {
@@ -147,6 +154,17 @@ export class PolicyStream extends EventEmitter {
       let buffer = '';
       res.on('data', (chunk) => {
         buffer += chunk;
+        // v1.1.1 F-9: cap on a single SSE event buffer. A buggy/compromised
+        // endpoint that never emits "\n\n" would otherwise OOM Shield.
+        // Abort + reconnect on overflow; the buffer is dropped so we
+        // restart fresh on the new connection.
+        if (buffer.length > MAX_SSE_EVENT_BYTES) {
+          this.onError(new Error(`policy-stream: SSE event exceeded ${MAX_SSE_EVENT_BYTES} bytes — aborting connection and reconnecting`));
+          buffer = '';
+          try { res.destroy(); } catch { /* already destroyed */ }
+          if (!this._closed) this._scheduleReconnect();
+          return;
+        }
         // SSE events are separated by a blank line ("\n\n").
         let eolIdx;
         while ((eolIdx = buffer.indexOf('\n\n')) !== -1) {

package/src/shield/policy.js

@@ -32,13 +32,27 @@ export async function loadPolicies(path) {
     throw new Error(`policy file ${path} has no "policies" array`);
   }
   // Pre-compile regex for performance + early failure on bad patterns.
+  const VALID_ACTIONS = ['allow', 'deny', 'interrupt'];
   for (const p of data.policies) {
     compileMatchRegexes(p.match || {});
-    if (!['allow', 'deny', 'interrupt'].includes(p.action)) {
+    if (!VALID_ACTIONS.includes(p.action)) {
       throw new Error(`policy ${p.id || p.name}: unsupported action "${p.action}"`);
     }
   }
+  // v1.1.2 F-14 (P2 Codex audit): validate the ruleset's default.action
+  // against the SAME canonical set as per-policy actions. Before this fix
+  // a typo like `default: { action: "drop" }` was accepted silently — at
+  // evaluation time evaluate() returned `decision: "drop"`, which the
+  // interrupt-mode runtime treated as a no-op (only deny/interrupt trigger
+  // termination) and the tool_confirmation-mode runtime left dangling
+  // (no allow/deny event sent). Either way the agent ran without
+  // enforcement, exactly opposite of the operator's intent.
   data.default = data.default || { action: 'allow' };
+  if (!VALID_ACTIONS.includes(data.default.action)) {
+    throw new Error(
+      `policy file ${path} default.action "${data.default.action}" is invalid — must be one of: ${VALID_ACTIONS.join(', ')}`,
+    );
+  }
   return data;
 }
 

package/src/shield/sources/fortress.js

@@ -14,6 +14,15 @@ import { URL } from 'node:url';
 import { fortressEndpoint } from '../../fortress/url.js';
 
 const DEFAULT_TIMEOUT_MS = 15_000;
+// v1.1.2 F-17 (P3 Codex audit): cap on the total bytes we'll accumulate
+// for a Fortress JSON response before aborting the request. A misconfigured
+// or compromised endpoint streaming an unbounded body would otherwise
+// exhaust Shield's memory, despite the HTTPS-only + timeout guards.
+// 8 MB is far above the realistic ceiling for a customer's policy ruleset
+// (hundreds of policies × ~1 KB each → ~hundreds of KB). On overflow we
+// destroy the request, which propagates to onError + cached-ruleset
+// fallback.
+const MAX_RESPONSE_BYTES = 8 * 1024 * 1024;
 
 function httpsJson(method, url, headers, body, timeoutMs = DEFAULT_TIMEOUT_MS) {
   return new Promise((resolveReq, rejectReq) => {
@@ -35,8 +44,23 @@ function httpsJson(method, url, headers, body, timeoutMs = DEFAULT_TIMEOUT_MS) {
     };
     const req = httpsRequest(opts, (res) => {
       const chunks = [];
-      res.on('data', (c) => chunks.push(c));
+      let receivedBytes = 0;
+      let aborted = false;
+      res.on('data', (c) => {
+        if (aborted) return;
+        receivedBytes += c.length;
+        if (receivedBytes > MAX_RESPONSE_BYTES) {
+          aborted = true;
+          // Free anything we already buffered, then tear down the request.
+          chunks.length = 0;
+          try { req.destroy(); } catch { /* already destroyed */ }
+          rejectReq(new Error(`Fortress response exceeded ${MAX_RESPONSE_BYTES} bytes — aborting (received ${receivedBytes} so far)`));
+          return;
+        }
+        chunks.push(c);
+      });
       res.on('end', () => {
+        if (aborted) return;
         const raw = Buffer.concat(chunks).toString('utf8');
         let parsed = null;
         try { parsed = raw ? JSON.parse(raw) : null; } catch { /* keep raw */ }
@@ -179,6 +203,17 @@ export class FortressPolicySource {
           this.onError(new Error(`skipping invalid Fortress policy "${p?.rule_id || p?.name || '?'}": ${e.message}`));
         }
       }
+      // v1.1.2 F-15 (P2 Codex audit): the policy evaluator is "first match
+      // wins" (src/shield/policy.js evaluate()), so policy order matters.
+      // Fortress validates `priority` server-side, but the API does not
+      // contractually guarantee that the returned array is sorted by
+      // priority. If a wide "allow" rule sat before a higher-priority
+      // "deny" rule in the response, the deny would never fire. Sort
+      // client-side by descending priority (higher priority first) before
+      // assigning to ruleset. Policies without `priority` (or with equal
+      // priorities) keep their relative order via the stable sort
+      // guarantee in V8 — predictable behavior.
+      compiled.sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0));
       this.ruleset = {
         version: 1,
         policies: compiled,

package/src/shield/stream.js

@@ -9,6 +9,15 @@
 const API_BASE = 'https://api.anthropic.com';
 const BETA = 'managed-agents-2026-04-01';
 const VERSION = '2023-06-01';
+// v1.1.2 F-16 (P2 Codex audit): hard cap on a single SSE frame buffer.
+// A buggy upstream proxy that strips event separators OR a compromised
+// Anthropic-style endpoint streaming bytes forever without "\n\n" would
+// otherwise OOM Shield's host. 1 MB is far above any real Anthropic
+// event payload (the heaviest events are agent.thinking + agent.message
+// which carry at most a few hundred KB of text). On overflow we throw,
+// which propagates through the generator and triggers the caller's
+// reconnect logic — same outcome as a network error.
+const MAX_SSE_FRAME_BYTES = 1 * 1024 * 1024;
 
 function authHeaders(apiKey) {
   return {
@@ -43,6 +52,14 @@ export async function* openEventStream({ apiKey, sessionId, signal }) {
       if (done) break;
       buffer += decoder.decode(value, { stream: true });
 
+      // v1.1.2 F-16: guard against an upstream that never emits "\n\n" —
+      // throw to abort the stream cleanly, the caller's reconnect logic
+      // will pick up. Drop the buffer to free memory before throwing.
+      if (buffer.length > MAX_SSE_FRAME_BYTES) {
+        buffer = '';
+        throw new Error(`SSE frame exceeded ${MAX_SSE_FRAME_BYTES} bytes — aborting stream (caller should reconnect)`);
+      }
+
       // SSE frames are separated by a blank line ("\n\n"). Each frame may
       // contain multiple lines; we only care about `data:` lines for now.
       let nlIdx;

package/src/sources/anthropic-managed.js

@@ -29,6 +29,12 @@ const VERSION = '2023-06-01';
 // Hard cap on any single GET so a hung connection can't pin Watch/Shield
 // forever. getWithRetry will retry on timeout (the error propagates here).
 const REQUEST_TIMEOUT_MS = 30_000;
+// v1.1.2 F-17 (P3 Codex audit): cap on a single Anthropic response body.
+// Event history pages (/v1/sessions/{id}/events) can carry up to ~1000
+// events × thousands of bytes each, so 16 MB is the headroom we leave
+// before we conclude something is wrong. Above this we abort the
+// request and getWithRetry will retry on the next attempt.
+const MAX_ANTHROPIC_RESPONSE_BYTES = 16 * 1024 * 1024;
 
 function httpGet(apiKey, path) {
   return new Promise((resolve, reject) => {
@@ -43,8 +49,22 @@ function httpGet(apiKey, path) {
       },
     }, res => {
       const chunks = [];
-      res.on('data', c => chunks.push(c));
+      let receivedBytes = 0;
+      let aborted = false;
+      res.on('data', c => {
+        if (aborted) return;
+        receivedBytes += c.length;
+        if (receivedBytes > MAX_ANTHROPIC_RESPONSE_BYTES) {
+          aborted = true;
+          chunks.length = 0;
+          try { req.destroy(); } catch { /* already destroyed */ }
+          reject(new Error(`Anthropic response exceeded ${MAX_ANTHROPIC_RESPONSE_BYTES} bytes — aborting (${path})`));
+          return;
+        }
+        chunks.push(c);
+      });
       res.on('end', () => {
+        if (aborted) return;
         const body = Buffer.concat(chunks).toString('utf8');
         if (res.statusCode >= 200 && res.statusCode < 300) {
           try { resolve(JSON.parse(body)); } catch (e) { reject(e); }
@@ -326,6 +346,11 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
         isMcp: type === 'agent.mcp_tool_use',
         input: ev.input ?? null,
         mcpServer: ev.server_name ?? ev.mcp_server_name ?? null,
+        // v1.1.1 F-8: capture sub-agent context at storage time so the
+        // end-of-session flush yields entries with the right attribution.
+        startTimestamp: ts,
+        session_thread_id,
+        agent_name,
       });
       continue;
     }
@@ -483,6 +508,37 @@ export async function* fetchSessionEntries({ apiKey, agentId, sessionId, model }
       continue;
     }
   }
+
+  // v1.1.1 F-8 (P1 Codex audit): flush remaining pendingToolUse entries
+  // as explicit "no_result_observed" tool_use events. These are tool
+  // calls that started (we saw agent.tool_use) but never produced a
+  // result (no agent.tool_result paired): most commonly because Shield
+  // pre-blocked them, the operator denied via tool_confirmation, the
+  // tool died mid-execution, or the session terminated before the
+  // result event arrived. For a security audit product, these incomplete
+  // calls are often the MOST useful signals — a blocked exfil attempt
+  // shows up here, not in successful tool_results. Yielding them
+  // explicitly with status='error' keeps the local NDJSON, anonymizer
+  // signals (counts, IoC hashes, tool_counts), and Fortress decisions
+  // honest about what actually happened.
+  for (const [toolUseId, pending] of pendingToolUse) {
+    yield {
+      ...base,
+      session_thread_id: pending.session_thread_id,
+      agent_name: pending.agent_name,
+      id: toolUseId,
+      action_type: pending.isMcp ? 'mcp_tool_use' : 'tool_use',
+      tool_name: pending.name,
+      model: model || null,
+      timestamp: pending.startTimestamp,
+      duration_ms: null,
+      status: 'error',
+      error: 'no_result_observed',
+      input: pending.input,
+      output: { mcp_server: pending.mcpServer ?? undefined },
+    };
+  }
+  pendingToolUse.clear();
 }
 
 // ────────────────────────────────────────────────────────────────────────

package/src/version.js

@@ -0,0 +1,52 @@
+// ────────────────────────────────────────────────────────────────────────
+// version — shared --version flag handler for the wma-* CLI binaries
+// ────────────────────────────────────────────────────────────────────────
+//
+// v1.1.1 F-13: every CLI binary (wma-fetch, wma-shield, wma-signals,
+// wma-upload-fortress, wma-inspect, wma-agents, wma-service) gets a
+// --version / -v flag that prints the installed version and exits.
+// Operators previously had to grep package.json under npm root to know
+// what was deployed; this is now a one-liner.
+//
+// We resolve the version from the package.json next to the SDK source
+// (../package.json relative to this file) so it stays in sync with the
+// release that's actually executing.
+
+import { readFileSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const HERE = dirname(fileURLToPath(import.meta.url));
+const PKG_PATH = join(HERE, '..', 'package.json');
+
+let cachedVersion = null;
+
+/** Returns the installed watchmyagents version, parsed from package.json. */
+export function getVersion() {
+  if (cachedVersion) return cachedVersion;
+  try {
+    const pkg = JSON.parse(readFileSync(PKG_PATH, 'utf8'));
+    cachedVersion = pkg.version || 'unknown';
+  } catch {
+    cachedVersion = 'unknown';
+  }
+  return cachedVersion;
+}
+
+/**
+ * If argv contains --version or -v, print the version and exit(0).
+ * Call this BEFORE any other parsing so it short-circuits on bad input
+ * (e.g., the user types `wma-fetch --version` with no env vars set).
+ *
+ * Usage at the top of every wma-* script:
+ *   import { maybePrintVersionAndExit } from '../src/version.js';
+ *   maybePrintVersionAndExit(process.argv);
+ */
+export function maybePrintVersionAndExit(argv) {
+  for (const a of argv) {
+    if (a === '--version' || a === '-v') {
+      process.stdout.write(`watchmyagents ${getVersion()}\n`);
+      process.exit(0);
+    }
+  }
+}