refactor: modernize demos for SDK v2.5+ PoP-default #17
Closed
beonde wants to merge 20 commits into
- Rename directory demo-one/ to enforcement-demo/
- Update all internal references (logger names, docstrings, banners)
- Update Makefile targets, README.md, run_video.py, scripts/setup.sh
- No functional changes

- Rewrite enforcement-demo/README.md: quick start first, expected output, troubleshooting table, all 5 scenarios documented
- Root README: single copy-paste setup block, numbered prerequisites, de-emphasize demo-two, link to full docs instead of duplicating
- .env.example: default SERVER_ID to 'auto' for zero-friction setup

- Add --auto / --no-pause flag to skip interactive pauses
- Replace prose summary with visual results table (pass/fail per scenario)
- Suppress gRPC C-core noise (GRPC_VERBOSITY=NONE)
- Reorder setup.sh: scaffold .env before venv/deps (credentials first)
- Add binary download context (what it is, why ~15 MB)
- Document --auto flag in README with expected summary output

- Remove CAPISCIO_REGISTRY_ENDPOINT (orphaned — no demo code reads it)
- Remove CAPISCIO_TRUSTED/UNTRUSTED_AGENT_NAME (auto-generated, clutters example)
- Comment out CAPISCIO_SERVER_URL (has sensible default, rarely overridden)
- Clarify CAPISCIO_SERVER_ID: document 'auto' behavior, mark as optional
- Only one required env var: CAPISCIO_API_KEY
- Update README env table with Required/Default columns
- Simplify setup.sh credential messaging

The Go binary (capiscio-core) reads CAPISCIO_REGISTRY_ENDPOINT to build the JWKS URL for badge signature verification. Without it, BadgeVerifier is nil and all badge checks return ErrBadgeInvalid — breaking scenarios 1 and 2 (trusted agent with valid badge → should ALLOW, would DENY). CAPISCIO_SERVER_URL (Python SDK) and CAPISCIO_REGISTRY_ENDPOINT (Go binary) look like duplicates but serve different components. Both must point to the same registry. Added inline comments explaining this. TODO: capiscio-mcp-python should auto-forward SERVER_URL → REGISTRY_ENDPOINT before spawning the binary, eliminating the duplication.
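
The auto-forwarding proposed in the TODO above, sketched as an added example; it is not code from this PR or from capiscio-mcp-python. The `core_env` helper is hypothetical, the default URL is taken from the README's `.env` block, and two things are assumptions of this sketch: that both variables hold the same registry base URL, and the https-only rule.

```python
import os
from urllib.parse import urlsplit

SERVER_URL = "CAPISCIO_SERVER_URL"                # read by the Python SDK
REGISTRY_ENDPOINT = "CAPISCIO_REGISTRY_ENDPOINT"  # read by the Go binary
DEFAULT_REGISTRY = "https://registry.capisc.io"   # assumed default (README value)


class RegistryConfigError(ValueError):
    """The two registry settings cannot be reconciled."""


def _normalize(url: str) -> str:
    """Canonical form so equivalent URLs compare equal."""
    parts = urlsplit(url.strip())
    # Assumption of this example: the JWKS used to verify badges must come
    # over TLS, otherwise a network attacker could substitute signing keys.
    if parts.scheme != "https" or not parts.hostname:
        raise RegistryConfigError(f"registry must be an https:// URL: {url!r}")
    port = f":{parts.port}" if parts.port else ""
    return f"https://{parts.hostname}{port}{parts.path.rstrip('/')}"


def core_env(parent_env: dict) -> dict:
    """Build the environment for the capiscio-core subprocess.

    SERVER_URL is forwarded to REGISTRY_ENDPOINT when only the former is set.
    If both are set but name different registries, refuse to start: badges
    issued by one registry would be verified against the other's JWKS and
    every check would fail.
    """
    env = dict(parent_env)  # never mutate the caller's environment
    server = _normalize(env.get(SERVER_URL) or DEFAULT_REGISTRY)
    explicit = env.get(REGISTRY_ENDPOINT)
    if explicit and _normalize(explicit) != server:
        raise RegistryConfigError(
            f"{REGISTRY_ENDPOINT}={explicit!r} does not match {SERVER_URL}={server!r}"
        )
    env[REGISTRY_ENDPOINT] = server
    return env


if __name__ == "__main__":
    # The result would be passed as env= to the call that spawns the binary.
    print(core_env(dict(os.environ))[REGISTRY_ENDPOINT])
```
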
Consistent naming with enforcement-demo and mcp-demo. Updated all internal references (docstrings, loggers, banners, comments).

- Server subprocess: logging level INFO → WARNING (eliminates all the capiscio_mcp, mcp.server, policy-demo.server INFO lines)
- Add gRPC noise suppression to both run_demo.py and server/main.py
- Add show_policy_yaml() — renders the active policy YAML inline with box-drawing characters so you can read/copy it from the terminal
- Shown before each phase's scenarios run

Each phase now flows: header → expected table → ACTION REQUIRED with the YAML to copy/paste → pause → run scenarios. Phase 1 (baseline) now also pauses so the user can set the initial policy first.

Each phase now ends with a clear verdict comparing actual vs expected outcomes. Mismatches show which scenario failed and what was expected.

- enforcement-demo: Updated agents to use CapiscIO.connect() with keys_dir (PoP-default). Simplified run_demo.py scenarios. Updated server/main.py to use current MCP patterns.
- policy-demo: Same SDK updates + updated policy YAML to match current policy engine format.
- Removed stale mcp-demo/ (replaced by policy-demo MCP integration).
- Updated CI, Makefile, README for new demo structure.

…ix key mismatch
- Pin capiscio-sdk and capiscio-mcp to >=2.7.1 (did:web fix)
- Add policy-demo install to Makefile install target
- Fix enforcement-demo Makefile runner (remove broken source cmd)
- Add policy-demo Makefile runner target
- Add --verbose flag to both demos
- Remove scenario 5 (fake revocation) from enforcement-demo
- Fix key mismatch between enforcement and policy demos
- Suppress PoP fallback warnings in demos
- Fix stale badge bug in policy-demo (fresh get_badge per scenario)

- Replace time.sleep(1) with await asyncio.sleep(1) in async context
- Remove scenario 5 (badge revocation) references from all READMEs
- Add policy-demo to Makefile .PHONY targets
- Update scenario counts from 5 to 4 in docs
Pull request overview
Modernizes and reorganizes the CapiscIO A2A demo suite for SDK v2.5+ / PoP-default behavior, simplifying the developer walkthroughs while updating CI, Make targets, and demo scripts to the new folder structure.
Changes:
- Renames/restructures demos into `enforcement-demo/`, `policy-demo/`, and `multi-agent-demo/`, and removes stale demo/video-plan assets.
- Updates demo runners/scripts to match new SDK behavior (policy hot-swap flow, verbose payload display, phase verdict output).
- Introduces a shared `capiscio-events` package under `multi-agent-demo/shared/`, updates Makefile + CI paths accordingly.
Reviewed changes
Copilot reviewed 56 out of 68 changed files in this pull request and generated 13 comments.
| File | Description |
|---|---|
| run_video.py | Removes deprecated video runner helper. |
| README.md | Rewrites top-level README for new demo structure and commands. |
| PYCON_EXECUTION_PLAN.md | Removes stale execution plan doc. |
| Makefile | Updates targets and install flows for new demo layout. |
| .gitignore | Adds .envrc ignore. |
| .github/workflows/ci.yml | Updates CI to use new shared/agent paths and pins actions by SHA. |
| .github/copilot-instructions.md | Updates repo layout guidance for the new structure. |
| enforcement-demo/setup.sh | Adds/adjusts env scaffolding + setup messaging for enforcement demo. |
| enforcement-demo/server/main.py | New guarded MCP server for enforcement demo. |
| enforcement-demo/run_demo.py | New orchestrator: server verification + 4 scenarios + verbose mode. |
| enforcement-demo/requirements.txt | Bumps CapiscIO deps and updates demo requirements. |
| enforcement-demo/README.md | New enforcement demo walkthrough and expected output. |
| enforcement-demo/agents/trusted_agent.py | New badged agent wrapper for enforcement demo. |
| enforcement-demo/agents/untrusted_agent.py | New unbadged agent wrapper for enforcement demo. |
| enforcement-demo/.env.example | New env template for enforcement demo. |
| policy-demo/setup.sh | Renames/demo branding updates for policy demo setup. |
| policy-demo/server/main.py | New guarded MCP server for policy demo. |
| policy-demo/run_demo.py | New 3-phase policy demo runner (single warm server, verdicts, verbose). |
| policy-demo/scripts/setup_policies.py | Policy proposal creation script (renamed/updated output). |
| policy-demo/requirements.txt | Bumps CapiscIO deps and ensures YAML support. |
| policy-demo/README.md | Updates policy demo README title/branding. |
| policy-demo/.env.example | Updates env template for policy demo. |
| policy-demo/policies/baseline.yaml | Adds baseline policy definition. |
| policy-demo/policies/lockdown.yaml | Adds lockdown policy definition. |
| policy-demo/policies/selective.yaml | Updates selective policy to new trust-level semantics. |
| policy-demo/agents/trusted_agent.py | New badged agent wrapper for policy demo. |
| policy-demo/agents/untrusted_agent.py | New unbadged agent wrapper for policy demo. |
| multi-agent-demo/README.md | New multi-agent demo README and CLI docs. |
| multi-agent-demo/setup.sh | Updates setup script paths and env scaffolding for new location. |
| multi-agent-demo/run-agents.sh | Updates run script to new location and driver command. |
| multi-agent-demo/run_demo.py | Minor import cleanup in demo driver. |
| multi-agent-demo/.env.example | Adds consolidated env template for multi-agent demo. |
| multi-agent-demo/shared/pyproject.toml | Introduces capiscio-events shared package metadata. |
| multi-agent-demo/shared/README.md | Documents shared event emitter usage. |
| multi-agent-demo/shared/capiscio_events/__init__.py | Exposes shared emitter/types. |
| multi-agent-demo/shared/capiscio_events/types.py | Adds event type/severity enums. |
| multi-agent-demo/shared/capiscio_events/emitter.py | Implements HTTP event emitter (sync/async). |
| multi-agent-demo/agents/langchain-agent/main.py | New LangChain agent server with A2A endpoints, tools, events, badge endpoint. |
| multi-agent-demo/agents/langchain-agent/README.md | Adds LangChain agent docs. |
| multi-agent-demo/agents/langchain-agent/requirements.txt | Updates LangChain agent dependency pins. |
| multi-agent-demo/agents/crewai-agent/main.py | New CrewAI agent server with A2A endpoints, events, badge endpoint. |
| multi-agent-demo/agents/crewai-agent/README.md | Adds CrewAI agent docs. |
| multi-agent-demo/agents/crewai-agent/requirements.txt | Updates CrewAI agent dependency pins. |
| multi-agent-demo/agents/langgraph-agent/main.py | Formatting/lint fixes in LangGraph agent server. |
| multi-agent-demo/agents/langgraph-agent/README.md | Adds LangGraph agent docs. |
| multi-agent-demo/agents/langgraph-agent/requirements.txt | Updates LangGraph agent dependency pins. |
| mcp-demo/* | Removes the MCP demo (server/client/docker/docs) as stale/replaced. |
| demo-one/* | Removes old demo-one implementation after rename to enforcement-demo. |
| demo-two/* | Removes old demo-two implementation after rename to policy-demo. |
Comments suppressed due to low confidence (6)
policy-demo/.env.example:24
- scripts/setup_policies.py requires CAPISCIO_ADMIN_JWT (and CAPISCIO_ORG_ID), but the .env.example no longer includes CAPISCIO_ADMIN_JWT or guidance for generating it. Add CAPISCIO_ADMIN_JWT back to the template (with a clear 'do not commit' warning) or update the setup script to not require it.

README.md:159
- The example .env block uses key-like placeholders (OPENAI_API_KEY=sk-..., CAPISCIO_API_KEY=sk_live_...). These often trigger secret scanning and conflict with the repo’s own "grep for sk_live/sk_proj" guidance. Switch to placeholders that don’t resemble real keys.

Edit `multi-agent-demo/.env` with your credentials:
```env
OPENAI_API_KEY=sk-your-openai-key
OPENAI_MODEL=gpt-4o-mini
CAPISCIO_SERVER_URL=https://registry.capisc.io
CAPISCIO_API_KEY=sk_live_your_api_key_here
SECURITY_MODE=ca
```

multi-agent-demo/agents/langchain-agent/requirements.txt:18
- PR description says dependencies are pinned to >=2.7.1, but this file uses capiscio-sdk>=2.7.0. Either bump to >=2.7.1 here (and in the other agent requirements) or adjust the PR description to match the actual minimum.

multi-agent-demo/agents/crewai-agent/requirements.txt:19
- PR description claims deps are pinned to >=2.7.1, but this file has capiscio-sdk>=2.7.0. Please align the minimum version across demos/agents or update the PR description.

multi-agent-demo/agents/langgraph-agent/requirements.txt:12
- PR description says pinned deps are >=2.7.1, but this agent requirement is capiscio-sdk>=2.7.0. Align version minimums across the repo (or update the PR description).

multi-agent-demo/agents/langchain-agent/requirements.txt:17
- PR description says dependencies are pinned to >=2.7.1, but this agent uses capiscio-sdk>=2.7.0. Either bump to >=2.7.1 (to match the other demos) or update the PR description to reflect the actual minimum.

Comment on lines +65 to +70
| capture_output=True, | ||
| ) | ||
| if result.returncode == 0: | ||
| print(" [cleanup] Terminated stale capiscio-core processes.") | ||
| except FileNotFoundError: | ||
| pass # pkill not available on this platform |
Comment on lines +52 to +58
| def _cleanup_core_processes() -> None: | ||
| """Kill any lingering capiscio-core (rpc) subprocesses.""" | ||
| try: | ||
| result = subprocess.run( | ||
| ["pkill", "-f", "capiscio rpc"], | ||
| capture_output=True, | ||
| ) |
Comment on lines +232 to +235
| Returns (outcome, detail, elapsed_ms). | ||
| """ | ||
| _verbose_log(tool_name, args, client._credential.badge_jws) | ||
| t0 = time.monotonic() |
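Review bot: `_verbose_log(tool_name, args, client._credential.badge_jws)` hands the complete badge JWS to the verbose logger and reads it through the private `_credential` attribute. If `--verbose` output is pasted into an issue or captured by CI, the signed badge goes with it; log the decoded claims or a truncated form instead, and read the badge through a public accessor so an SDK change does not break the demo.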
Comment on lines +271 to +276
| """Call a tool, catching exceptions as DENY/ERROR outcomes. | ||
|
|
||
| Returns (outcome, detail, elapsed_ms). | ||
| """ | ||
| _verbose_log(tool_name, args, client._credential.badge_jws) | ||
| t0 = time.monotonic() |
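Review bot: The docstring promises that exceptions are caught as DENY/ERROR outcomes, but `client._credential.badge_jws` is dereferenced on the first statement after it, before `t0` is taken. If that line sits outside the `try`, a client with no credential (the unbadged agent) raises `AttributeError` instead of returning an outcome; move the verbose call inside the guarded block or fetch the badge with a `None`-safe lookup.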
Comment on lines +9 to +11
| # These two vars look redundant but serve different components: | ||
| # SERVER_URL → Python SDK (badge issuance, agent registration) | ||
| # Both must point to the same registry. |
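Review bot: The comment block announces "these two vars" and ends with "Both must point to the same registry", but only `SERVER_URL` is described in between. Add the matching line for `CAPISCIO_REGISTRY_ENDPOINT` (Go binary, JWKS URL for badge verification) and make sure the variable itself is present in the template, since the commit message says badge checks fail without it.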
| **Agent** — one line to connect: | ||
| ```python | ||
| identity = CapiscIO.connect(api_key=..., auto_badge=True) | ||
| identity = CapiscIO.connect(api_key="sk_live_...", auto_badge=True) |
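Review bot: The replacement line `CapiscIO.connect(api_key="sk_live_...", auto_badge=True)` puts a string with a live-key prefix into the README, which secret scanners tend to flag and which invites pasting a real key into source. Show the key being read from the environment (`CAPISCIO_API_KEY`) or use a placeholder that does not resemble a real key.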
| # Demo Two | ||
| cd demo-two && $(PYTHON) -m pip install -r requirements.txt --no-deps -q 2>/dev/null || true | ||
| # Enforcement Demo | ||
| cd enforcement-demo && $(PYTHON) -m pip install -r requirements.txt --no-deps -q 2>/dev/null || true |
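Review bot: `2>/dev/null || true` at the end of the `pip install` line discards both the error output and the exit status, so the install target reports success even when nothing was installed, and with `--no-deps` a silently skipped pin is easy to miss. Let the failure propagate (drop `|| true` and keep stderr), or at least print a warning naming the demo whose install failed.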
| @echo "║ make demo-two Run Demo Two (Policy as Code) ║" | ||
| @echo "║ make agents Setup agent environments ║" | ||
| @echo "║ make enforcement-demo Run Enforcement Demo ║" | ||
| @echo "║ make multi-agent-demo Run Multi-Agent Demo ║" |
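Review bot: The help banner drops the `make demo-two` line and adds `make enforcement-demo` and `make multi-agent-demo`, but no `make policy-demo` entry replaces it in these lines. Add the policy-demo line so the renamed target stays discoverable from the help output.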
|
|
||
| **Agent** — one line to connect: | ||
| ```python | ||
| identity = CapiscIO.connect(api_key="sk_live_...", auto_badge=True) |
| python run_demo.py --agent langchain | ||
|
|
||
| # Start single agent server | ||
| cd agents/langchain-agent && source .venv/bin/activate && python main.py --serve |
…nt, Makefile
- Add timeout=5 to subprocess.run pkill calls (enforcement + policy demos)
- Replace sk_live_ API key placeholders with generic 'your-api-key-here'
- Add CAPISCIO_REGISTRY_ENDPOINT to .env.example
- Fix lockdown.yaml comment (allowlist has placeholder, not empty)
- Add policy-demo to Makefile help and dev targets
- Fix copilot-instructions.md agent path
Closing: duplicate of already-merged #16. Branch was erroneously re-pushed.
Demo Modernization
Major refactor of the A2A demo suite to align with SDK v2.5+ PoP-default behavior and improve developer experience.
Renames
- `demo-one/` → `enforcement-demo/` — clearer purpose
- `demo-two/` → `policy-demo/` — clearer purpose
- `shared/` → `multi-agent-demo/shared/` — co-located with its consumer
Removed
- `mcp-demo/` — stale, replaced by `capiscio-mcp-python` repo
- `run_video.py` — replaced by `--auto` flag on each demo
- `PYCON_EXECUTION_PLAN.md` — executed and archived
Improvements
- `>=2.7.1`
- `--verbose` flag
- `.github/copilot-instructions.md`
68 files changed, +1795/-2503