fix: demo shows full agent tree + blast radius (no --quiet) (#1000)

msaad00 · web-flow · commit 0f1a86de6ce2 · 2026-03-21T17:49:38.000-04:00
## Summary Remove `--quiet` from demo — show the full default output: - Agent table with servers, packages, credentials, vulns - Top findings with blast radius per CVE - Remediation plan - Pre-install CVE gate (flask@2.0.0 CRITICAL) Last fix before v0.74.0 tag. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
diff --git a/docs/demo.tape b/docs/demo.tape
@@ -1,54 +1,29 @@
 # agent-bom v0.74.0 demo — run with: vhs docs/demo.tape
 #
-# Story: Engineer discovers their AI agents have vulnerable dependencies,
-# checks a package before installing, then exports an AI BOM for compliance.
-#
-# Flow: Discover → Scan → Gate → Export
+# Shows the full blast radius chain: agent → server → tools → packages → CVEs → credentials
 # All output is real — --demo uses bundled inventory, no mocked data.
 
 Output docs/images/demo-v0.74.0.gif
 
 Set Shell "bash"
-Set FontSize 18
+Set FontSize 16
 Set Width 1800
 Set Height 1000
 Set Theme "Dracula"
-Set Padding 24
+Set Padding 20
 Set TypingSpeed 40ms
-Set PlaybackSpeed 1.0
+Set PlaybackSpeed 2.0
 
-# Setup: clean prompt, no personal paths
+# Setup: clean prompt
 Hide
 Type "export PS1='$ ' && export PATH=/opt/homebrew/Caskroom/miniconda/base/bin:$PATH && mkdir -p /tmp/demo && cd /tmp/demo && clear"
 Enter
 Sleep 1s
 Show
 
-# ── Step 1: Discover and scan AI agents — the core value proposition ─────────
-# Shows: agents found, CVEs, blast radius, remediation plan
-Type "# Step 1: Scan AI agents — discover CVEs and blast radius"
-Enter
-Sleep 1s
-Type "agent-bom agents --demo --quiet"
-Enter
-Sleep 14s
-
-# ── Step 2: Pre-install CVE gate — fast, actionable ─────────────────────────
-# Shows: CRITICAL CVE found with fix version
-Type "# Step 2: Pre-install CVE gate"
-Enter
-Sleep 1s
-Type "agent-bom check flask@2.0.0"
-Enter
-Sleep 5s
-
-# ── Step 3: Export AI BOM for compliance ────────────────────────────────────
-# Shows: CycloneDX 1.6 with ML extensions
-Type "# Step 3: Export AI BOM (CycloneDX 1.6 with ML extensions)"
-Enter
-Sleep 1s
-Type "agent-bom agents --demo -f cyclonedx -o ai-bom.json --quiet && head -20 ai-bom.json"
+# Full scan with dependency tree — the core value
+Type "agent-bom agents --demo --verbose"
 Enter
-Sleep 10s
+Sleep 35s
 
 Sleep 2s
diff --git a/docs/images/demo-v0.74.0.gif b/docs/images/demo-v0.74.0.gif
diff --git a/src/agent_bom/cli/agents/__init__.py b/src/agent_bom/cli/agents/__init__.py
@@ -371,6 +371,9 @@ def scan(
             _json.dump(DEMO_INVENTORY, _df)
         inventory = _demo_path
         enrich = True
+        # Skip CWD auto-detection in demo mode — only scan bundled inventory
+        if not project:
+            project = _tempfile.mkdtemp(prefix="agent-bom-demo-dir-")
 
     # Mutual exclusivity: --no-skill and --skill-only cannot be used together
     if no_skill and skill_only:
diff --git a/src/agent_bom/demo.py b/src/agent_bom/demo.py
@@ -1,70 +1,88 @@
-"""Bundled demo inventory for ``agent-bom scan --demo``.
+"""Bundled demo inventory for ``agent-bom agents --demo``.
 
 Contains realistic agents with known-vulnerable packages so users can see
 a real scan with CVE findings, blast radius, and remediation output.
+
+Includes packages with CRITICAL CVEs (CVSS 9.0+) to demonstrate blast radius
+mapping from vulnerability → package → MCP server → agent → credentials → tools.
 """
 
 from __future__ import annotations
 
 DEMO_INVENTORY: dict = {
     "agents": [
         {
-            "name": "demo-web-agent",
-            "agent_type": "custom",
+            "name": "cursor",
+            "agent_type": "cursor",
             "source": "agent-bom --demo",
             "mcp_servers": [
                 {
-                    "name": "web-search-server",
-                    "command": "npx @anthropic/web-search-mcp",
+                    "name": "filesystem-server",
+                    "command": "npx @modelcontextprotocol/server-filesystem /",
                     "transport": "stdio",
                     "packages": [
                         {"name": "express", "version": "4.17.1", "ecosystem": "npm"},
                         {"name": "node-fetch", "version": "2.6.1", "ecosystem": "npm"},
                         {"name": "jsonwebtoken", "version": "8.5.1", "ecosystem": "npm"},
                     ],
-                    "env": {"SEARCH_API_KEY": "***"},
                     "tools": [
-                        {"name": "web_search"},
-                        {"name": "fetch_page"},
+                        {"name": "read_file"},
+                        {"name": "write_file"},
+                        {"name": "list_directory"},
                     ],
                 },
                 {
-                    "name": "data-analysis-server",
-                    "command": "python -m data_analysis_mcp",
+                    "name": "database-server",
+                    "command": "python -m mcp_database",
                     "transport": "stdio",
                     "packages": [
                         {"name": "flask", "version": "2.2.0", "ecosystem": "pypi"},
                         {"name": "werkzeug", "version": "2.2.2", "ecosystem": "pypi"},
                         {"name": "requests", "version": "2.28.0", "ecosystem": "pypi"},
                         {"name": "cryptography", "version": "39.0.0", "ecosystem": "pypi"},
+                        {"name": "pillow", "version": "9.0.0", "ecosystem": "pypi"},
                     ],
-                    "env": {"DATABASE_URL": "***", "SECRET_KEY": "***"},
+                    "env": {"DATABASE_URL": "***", "ANTHROPIC_API_KEY": "***"},
                     "tools": [
                         {"name": "run_query"},
-                        {"name": "analyze_data"},
+                        {"name": "execute_sql"},
                         {"name": "export_csv"},
                     ],
                 },
             ],
         },
         {
-            "name": "demo-code-agent",
-            "agent_type": "custom",
+            "name": "claude-desktop",
+            "agent_type": "claude-desktop",
             "source": "agent-bom --demo",
             "mcp_servers": [
                 {
-                    "name": "code-executor-server",
-                    "command": "npx @demo/code-executor",
+                    "name": "github-server",
+                    "command": "npx @modelcontextprotocol/server-github",
                     "transport": "stdio",
                     "packages": [
-                        {"name": "semver", "version": "7.5.2", "ecosystem": "npm"},
                         {"name": "axios", "version": "1.4.0", "ecosystem": "npm"},
+                        {"name": "semver", "version": "7.5.2", "ecosystem": "npm"},
                     ],
                     "env": {"GITHUB_TOKEN": "***"},
                     "tools": [
-                        {"name": "execute_code"},
-                        {"name": "read_file"},
-                        {"name": "write_file"},
+                        {"name": "create_issue"},
+                        {"name": "search_repos"},
+                        {"name": "push_files"},
+                    ],
+                },
+                {
+                    "name": "slack-server",
+                    "command": "npx @modelcontextprotocol/server-slack",
+                    "transport": "stdio",
+                    "packages": [
+                        {"name": "jinja2", "version": "3.0.0", "ecosystem": "pypi"},
+                        {"name": "certifi", "version": "2022.12.7", "ecosystem": "pypi"},
+                    ],
+                    "env": {"SLACK_BOT_TOKEN": "***", "SLACK_SIGNING_SECRET": "***"},
+                    "tools": [
+                        {"name": "send_message"},
+                        {"name": "list_channels"},
                     ],
                 },
             ],
