feat: v0.29.0 — check MCP tool, proxy metrics, Mermaid export

- Add `check` as 8th MCP tool: pre-install CVE lookup via OSV.dev
  with name@version parsing, @latest resolution, scoped npm support
- Add ProxyMetrics: tool call counters, blocked call tracking,
  latency percentiles (p50/p95), JSONL summary on exit
- Add Mermaid diagram export (--format mermaid): CVE → package →
  server → agent → credentials flowchart with severity styling
- Wire mermaid into CLI as --format option with file output
- Update all deployment artifacts to 8 tools: toolhive server.json,
  Dockerfile.sse, README.md, server card
- Fix bump-version.py to not clobber SARIF "2.1.0" version strings
- Bump version 0.28.1 → 0.29.0 across 17 locations
- 801 tests passing, ruff clean

Author: agent-bom

Dockerfile.sse

@@ -1,6 +1,6 @@
 # MCP Server — Streamable HTTP transport for remote clients.
 #
-# Exposes agent-bom's 7 MCP tools over streamable HTTP so that Smithery, Claude
+# Exposes agent-bom's 8 MCP tools over streamable HTTP so that Smithery, Claude
 # Desktop (remote mode), and any other MCP client can connect via public URL.
 #
 # Build:   docker build -f Dockerfile.sse -t agent-bom-sse .
@@ -13,7 +13,7 @@
 
 FROM python:3.12-slim
 
-ARG VERSION=0.28.1
+ARG VERSION=0.29.0
 
 LABEL org.opencontainers.image.title="agent-bom MCP Server"
 LABEL org.opencontainers.image.description="AI supply chain security scanner — MCP server with streamable HTTP transport"

README.md

@@ -578,7 +578,7 @@ Unverified servers in your configs trigger a warning. Policy rules can block the
 |------|---------|----------|
 | Developer CLI | `agent-bom scan` | Local audit, pre-commit checks |
 | Pre-install check | `agent-bom check express@4.18.2 -e npm` | Before running any MCP server |
-| GitHub Action | `uses: msaad00/agent-bom@v0.28.1` | CI/CD gate + Security tab |
+| GitHub Action | `uses: msaad00/agent-bom@v0.29.0 | CI/CD gate + Security tab |
 | Docker | `docker run agentbom/agent-bom scan` | Isolated, reproducible scans |
 | REST API | `agent-bom api` | Dashboards, SIEM, scripting |
 | Dashboard | `agent-bom serve` | Team-visible security dashboard |
@@ -593,7 +593,7 @@ Use agent-bom directly in your CI/CD pipeline:
 
 ```yaml
 - name: AI supply chain scan
-  uses: msaad00/agent-bom@v0.28.1
+  uses: msaad00/agent-bom@v0.29.0
   with:
     severity-threshold: high
     upload-sarif: true
@@ -602,7 +602,7 @@ Use agent-bom directly in your CI/CD pipeline:
 Full options:
 
 ```yaml
-- uses: msaad00/agent-bom@v0.28.1
+- uses: msaad00/agent-bom@v0.29.0
   with:
     severity-threshold: high        # fail on high+ CVEs
     policy: policy.json             # policy-as-code gates
@@ -713,7 +713,7 @@ agent-bom mcp-server --transport sse    # SSE (remote clients)
 | **ToolHive** | `thv run agent-bom` | [ToolHive registry entry](integrations/toolhive/server.json) — runs in isolated container |
 | **OpenClaw** | `clawhub install agent-bom` | [OpenClaw skill](integrations/openclaw/SKILL.md) — teaches agents to run security scans |
 | **MCP Registry** | `uvx agent-bom mcp-server` | [Registry entry](integrations/mcp-registry/server.json) — official MCP Registry |
-| **GitHub Actions** | `uses: msaad00/agent-bom@v0.28.1` | SARIF upload to Security tab, policy gating |
+| **GitHub Actions** | `uses: msaad00/agent-bom@v0.29.0 | SARIF upload to Security tab, policy gating |
 
 ---
 
@@ -835,7 +835,7 @@ These tools solve different problems and are **complementary**.
 - [x] Model binary file detection — .gguf, .safetensors, .onnx, .pt, .pkl security flags, 13 formats
 - [x] API server hardening — API key authentication, per-IP rate limiting, CORS tightening, job cleanup
 - [x] CLI tree labels — explicit 🤖 Agent / 🔌 MCP Server / 📦 Package prefixes with summary stats
-- [x] MCP server — expose scan, blast_radius, policy_check, registry_lookup, generate_sbom as MCP tools
+- [x] MCP server — 8 tools: scan, check, blast_radius, policy_check, registry_lookup, generate_sbom, compliance, remediate
 - [x] ToolHive integration — registry entry + MCP container for enterprise deployment
 - [x] OpenClaw skill — ClawHub-compatible skill for AI agent security scanning
 - [x] GitHub Action enhancements — image, config-dir, sbom, remediate inputs

integrations/mcp-registry/server.json

@@ -3,7 +3,7 @@
   "name": "io.github.msaad00/agent-bom",
   "description": "AI supply chain security scanner — CVE scanning, blast radius analysis, policy enforcement, and SBOM generation for MCP servers and AI agents",
   "title": "agent-bom",
-  "version": "0.28.1",
+  "version": "0.29.0",
   "repository": {
     "url": "https://github.com/msaad00/agent-bom",
     "source": "github"
@@ -12,7 +12,7 @@
     {
       "registryType": "pypi",
       "identifier": "agent-bom",
-      "version": "0.28.1",
+      "version": "0.29.0",
       "transport": {
         "type": "stdio"
       },

integrations/openclaw/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-bom
 description: Scan AI agents and MCP servers for CVEs, generate SBOMs, map blast radius, enforce security policies
-version: 0.28.1
+version: 0.29.0
 metadata:
   openclaw:
     requires:

integrations/toolhive/Dockerfile.mcp

@@ -1,6 +1,6 @@
 FROM python:3.12-slim
 
-ARG VERSION=0.28.1
+ARG VERSION=0.29.0
 
 LABEL maintainer="agent-bom <261858605+agent-bom@users.noreply.github.com>"
 LABEL description="agent-bom MCP Server: AI supply chain security scanning via MCP protocol"

integrations/toolhive/server.json

@@ -3,15 +3,15 @@
   "name": "io.github.msaad00/agent-bom",
   "description": "AI supply chain security scanner — CVE scanning, blast radius analysis, policy enforcement, and SBOM generation for MCP servers and AI agents",
   "title": "agent-bom",
-  "version": "0.28.1",
+  "version": "0.29.0",
   "repository": {
     "url": "https://github.com/msaad00/agent-bom",
     "source": "github"
   },
   "packages": [
     {
       "registryType": "oci",
-      "identifier": "ghcr.io/msaad00/agent-bom:v0.28.1",
+      "identifier": "ghcr.io/msaad00/agent-bom:v0.29.0",
       "transport": {
         "type": "stdio"
       },
@@ -28,7 +28,7 @@
   "_meta": {
     "io.modelcontextprotocol.registry/publisher-provided": {
       "io.github.msaad00": {
-        "ghcr.io/msaad00/agent-bom:v0.28.1": {
+        "ghcr.io/msaad00/agent-bom:v0.29.0": {
           "tier": "Community",
           "status": "Active",
           "tags": [
@@ -41,6 +41,7 @@
           ],
           "tools": [
             "scan",
+            "check",
             "blast_radius",
             "policy_check",
             "registry_lookup",

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "agent-bom"
-version = "0.28.1"
+version = "0.29.0"
 description = "AI Bill of Materials (AI-BOM) generator — CVE scanning, blast radius, enterprise remediation plans, OWASP LLM Top 10 + MITRE ATLAS + NIST AI RMF threat mapping, LLM-powered enrichment, OpenClaw discovery, MCP runtime introspection, and MCP registry for AI agents."
 readme = "README.md"
 license = {text = "Apache-2.0"}

scripts/bump-version.py

@@ -39,7 +39,8 @@
     ("README.md", re.compile(r"(msaad00/agent-bom@v)[^\s\"]+"), r"\g<1>{v}"),
     # tests/test_core.py — version assertions
     ("tests/test_core.py", re.compile(r'(assert\s+__version__\s*==\s*")[^"]+(")', re.M), r"\g<1>{v}\g<2>"),
-    ("tests/test_core.py", re.compile(r'(assert\s+data\["version"\]\s*==\s*")[^"]+(")', re.M), r"\g<1>{v}\g<2>"),
+    # Only match version assertions that currently contain a semver pattern (avoids clobbering SARIF "2.1.0")
+    ("tests/test_core.py", re.compile(r'(assert\s+data\["version"\]\s*==\s*")0\.\d+\.\d+(")', re.M), r"\g<1>{v}\g<2>"),
 ]
 
 

src/agent_bom/__init__.py

@@ -5,4 +5,4 @@
 try:
     __version__ = version("agent-bom")
 except PackageNotFoundError:
-    __version__ = "0.28.1"
+    __version__ = "0.29.0"

src/agent_bom/cli.py

@@ -99,7 +99,7 @@ def main():
 @click.option("--output", "-o", type=str, help="Output file path (use '-' for stdout)")
 @click.option(
     "--format", "-f", "output_format",
-    type=click.Choice(["console", "json", "cyclonedx", "sarif", "spdx", "text", "html", "prometheus", "graph"]),
+    type=click.Choice(["console", "json", "cyclonedx", "sarif", "spdx", "text", "html", "prometheus", "graph", "mermaid"]),
     default="console",
     help="Output format",
 )
@@ -1051,6 +1051,9 @@ async def _verify_all():
             from agent_bom.output.graph import build_graph_elements
             elements = build_graph_elements(report, blast_radii)
             sys.stdout.write(json.dumps({"elements": elements, "format": "cytoscape"}, indent=2))
+        elif output_format == "mermaid":
+            from agent_bom.output.mermaid import to_mermaid
+            sys.stdout.write(to_mermaid(report, blast_radii))
         else:
             sys.stdout.write(json.dumps(to_json(report), indent=2))
         sys.stdout.write("\n")
@@ -1142,6 +1145,12 @@ async def _verify_all():
         Path(out_path).write_text(json.dumps({"elements": elements, "format": "cytoscape"}, indent=2))
         con.print(f"\n  [green]✓[/green] Graph JSON: {out_path}")
         con.print("  [dim]Cytoscape.js-compatible element list — open with Cytoscape desktop or any JS graph library[/dim]")
+    elif output_format == "mermaid":
+        from agent_bom.output.mermaid import to_mermaid
+        out_path = output or "agent-bom-blast-radius.mmd"
+        Path(out_path).write_text(to_mermaid(report, blast_radii))
+        con.print(f"\n  [green]✓[/green] Mermaid diagram: {out_path}")
+        con.print("  [dim]Render with: mermaid-cli, GitHub markdown, or mermaid.live[/dim]")
     elif output_format == "text" and output:
         Path(output).write_text(_format_text(report, blast_radii))
         con.print(f"\n  [green]✓[/green] Text report: {output}")