Each of the four probes is now a natural-language prompt to claude
instead of a bash escape via `!`. The agent uses its Bash tool, runs
the literal curl/git command, and narrates what pipelock or git-gate
returned. More authentic to actual product use, at the cost of a
longer recording (59s vs 26s) and a non-deterministic narration.
To keep claude on-task, the demo agent now ships a system prompt
that frames the bottle as a security-testing sandbox: synthetic
credentials, intentional probes, and an instruction to invoke curl
with `--proxy "$HTTPS_PROXY"` since curl ignores the uppercase
HTTP_PROXY env var (an upstream curl quirk — the env var is set, but
only the explicit flag actually routes through pipelock).
Theme moves to BirdsOfParadise (warmer palette against Claude TUI's
red accents). README copy updated to describe the prompt flow.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Two changes:
- VHS theme moves from Catppuccin Mocha to Brogrammer (slightly higher
contrast against the Claude TUI's red accents).
- First probe is now a plain `hello there` prompt to claude instead of
a curl to an allowlisted host. The reply proves api.anthropic.com is
reachable through pipelock end-to-end (bumped TLS, DLP scan,
forward) -- a stronger baseline than a static curl, and a more
honest "the agent works" beat before the three block scenarios.
README copy updated to match. GIF re-recorded and re-encoded
(960px / 10fps / 64-color palette, 2.2 MB).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The previous demo harness called the backend Python API directly,
which didn't match what a user typing `./cli.py start <agent>` would
actually see. The recording now goes through the real CLI surface:
- claude-bottle.demo.json + scripts/demo-setup.sh stage a demo
manifest (one bottle, FAKE_TOKEN env, one unreachable git upstream)
alongside a dummy SSH identity at ~/.cache/claude-bottle-demo/.
- docs/demo.tape types `./cli.py start demo`, answers the y/N
preflight, and runs four bash probes via claude's `!` prefix
(curl x3 + git push), so the recording shows real preflight output
and real probe results.
- scripts/demo.sh wraps setup -> cli.py -> teardown for human use;
scripts/demo-record.sh does the same around `vhs docs/demo.tape`.
- .gitignore picks up claude-bottle.json so a user's local manifest
doesn't get tracked alongside .example / .demo siblings.
scripts/demo_harness.py is removed -- its behavior is fully replaced
by the cli.py + `!` flow.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
scripts/demo.sh + scripts/demo_harness.py drive a real bottle through
four probes (pipelock allow, host-allowlist block, DLP body-scan
block, git-gate gitleaks rejection). docs/demo.tape is the VHS source
that renders docs/demo.gif, embedded at the top of the README as a
working proof of the security model the prose describes.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
didericis