@synapsor/runner 0.1.0-alpha.0 → 0.1.0-alpha.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (44) hide show
  1. package/README.md +389 -21
  2. package/TRADEMARKS.md +23 -0
  3. package/dist/cli.d.ts +4 -0
  4. package/dist/cli.d.ts.map +1 -1
  5. package/dist/cli.js +20 -8723
  6. package/dist/runner.mjs +12759 -0
  7. package/docs/README.md +36 -0
  8. package/docs/getting-started-own-database.md +460 -0
  9. package/docs/http-mcp.md +242 -0
  10. package/docs/limitations.md +95 -0
  11. package/docs/local-mode.md +351 -0
  12. package/docs/mcp-audit.md +152 -0
  13. package/docs/mcp-client-setup.md +231 -0
  14. package/docs/recipes.md +61 -0
  15. package/docs/release-notes.md +129 -0
  16. package/docs/security-boundary.md +94 -0
  17. package/docs/troubleshooting-first-run.md +248 -0
  18. package/docs/writeback-executors.md +209 -0
  19. package/examples/app-owned-writeback/README.md +120 -0
  20. package/examples/app-owned-writeback/business-actions.md +221 -0
  21. package/examples/app-owned-writeback/command-handler.mjs +46 -0
  22. package/examples/app-owned-writeback/node-fastify-handler.mjs +55 -0
  23. package/examples/app-owned-writeback/python-fastapi-handler.py +57 -0
  24. package/examples/dangerous-mcp-tools.json +88 -0
  25. package/examples/openai-agents-http/README.md +56 -0
  26. package/examples/openai-agents-http/agent.py +54 -0
  27. package/examples/openai-agents-http/requirements.txt +1 -0
  28. package/examples/openai-agents-stdio/README.md +62 -0
  29. package/examples/openai-agents-stdio/agent.py +70 -0
  30. package/examples/openai-agents-stdio/requirements.txt +1 -0
  31. package/examples/reference-support-billing-app/README.md +137 -0
  32. package/examples/reference-support-billing-app/docker-compose.yml +13 -0
  33. package/examples/reference-support-billing-app/mcp-client.generic.json +11 -0
  34. package/examples/reference-support-billing-app/schema.sql +68 -0
  35. package/examples/reference-support-billing-app/scripts/run-demo.sh +7 -0
  36. package/examples/reference-support-billing-app/seed.sql +33 -0
  37. package/examples/reference-support-billing-app/synapsor.runner.json +241 -0
  38. package/package.json +12 -4
  39. package/recipes/accounts.trial_extension.json +42 -0
  40. package/recipes/billing.late_fee_waiver.json +46 -0
  41. package/recipes/credits.account_credit.json +45 -0
  42. package/recipes/orders.refund_review.json +57 -0
  43. package/recipes/support.ticket_resolution.json +51 -0
  44. package/dist/bin.cjs +0 -13
@@ -0,0 +1,152 @@
1
+ # MCP database risk review
2
+
3
+ `npx -y -p @synapsor/runner@alpha synapsor-runner audit <target>` performs a
4
+ static MCP database risk review over an exported tool manifest, a remote MCP
5
+ `tools/list` endpoint, or a stdio MCP server. The `mcp audit` subcommand is also
6
+ available for users who look for the command under the MCP namespace.
7
+
8
+ From a source checkout, use `./bin/synapsor-runner ...` if the global binary is not
9
+ linked yet.
10
+
11
+ It does not call business tools. It only inspects names, descriptions, input schemas, output schemas, annotations, and examples when those are present.
12
+
13
+ Every report includes this disclaimer:
14
+
15
+ ```text
16
+ This is a static risk review, not proof that an MCP server is secure.
17
+ ```
18
+
19
+ MCP annotations are treated as hints, not enforcement.
20
+
21
+ ## Usage
22
+
23
+ Built-in database MCP risk example:
24
+
25
+ ```bash
26
+ npx -y -p @synapsor/runner@alpha synapsor-runner audit --example dangerous-db-mcp
27
+ ```
28
+
29
+ This bundled example does not require a source checkout or local examples file.
30
+ It audits a deliberately risky database MCP shape with `execute_sql`,
31
+ `run_query`, model-callable approval/update/delete tools, arbitrary
32
+ table/column inputs, and model-controlled tenant/principal fields.
33
+
34
+ Human-readable output:
35
+
36
+ ```bash
37
+ npx -y -p @synapsor/runner@alpha synapsor-runner audit ./tools-list.json
38
+ ```
39
+
40
+ Remote `tools/list` endpoint with a bearer token kept in the environment:
41
+
42
+ ```bash
43
+ SYNAPSOR_MCP_AUDIT_BEARER="..." \
44
+ npx -y -p @synapsor/runner@alpha synapsor-runner audit https://mcp.example.com --format json
45
+ ```
46
+
47
+ Remote endpoint with a custom bearer-token environment variable:
48
+
49
+ ```bash
50
+ npx -y -p @synapsor/runner@alpha synapsor-runner audit https://mcp.example.com --bearer-env MCP_AUDIT_TOKEN --format json
51
+ ```
52
+
53
+ Stdio MCP server:
54
+
55
+ ```bash
56
+ npx -y -p @synapsor/runner@alpha synapsor-runner audit 'stdio:node ./server.mjs' --timeout-ms 5000
57
+ ```
58
+
59
+ JSON output:
60
+
61
+ ```bash
62
+ npx -y -p @synapsor/runner@alpha synapsor-runner audit ./tools-list.json --format json
63
+ ```
64
+
65
+ Markdown output for issues, PRs, or security review notes:
66
+
67
+ ```bash
68
+ npx -y -p @synapsor/runner@alpha synapsor-runner audit --example dangerous-db-mcp --format markdown
69
+ ```
70
+
71
+ During local development, the repo-local wrapper can run the same command:
72
+
73
+ ```bash
74
+ ./bin/synapsor-runner audit ./tools-list.json
75
+ ./bin/synapsor-runner audit ./tools-list.json --format json
76
+ ```
77
+
78
+ ## Supported inputs
79
+
80
+ The audit accepts common exported shapes:
81
+
82
+ ```json
83
+ { "tools": [] }
84
+ ```
85
+
86
+ ```json
87
+ { "result": { "tools": [] } }
88
+ ```
89
+
90
+ ```json
91
+ { "data": { "tools": [] } }
92
+ ```
93
+
94
+ It also scans nested `adapter`, `mcpServers`, and `servers` blocks when they include tool metadata.
95
+
96
+ For live targets, the audit calls only JSON-RPC `tools/list`. It does not call business tools, approval tools, commit tools, or writeback tools.
97
+
98
+ ## Findings
99
+
100
+ The audit flags database-commit risks such as:
101
+
102
+ - generic `execute_sql`, `run_query`, or raw SQL tools;
103
+ - tools accepting arbitrary SQL, schema, table, or column identifiers;
104
+ - tools accepting `tenant_id`, `principal`, source ids, allowed columns, row versions, or approval identity as model input;
105
+ - model-callable approval, commit, apply, settle, merge, or writeback tools;
106
+ - write-like tools with no visible proposal, approval, or guarded-writeback boundary;
107
+ - missing structured output schemas;
108
+ - missing idempotency/request-key metadata for direct write-like tools;
109
+ - missing row-version/conflict-guard metadata for direct write-like tools;
110
+ - ambiguous read/write tool boundaries;
111
+ - missing business descriptions, annotations, or fixture examples.
112
+
113
+ ## Recommended target shape
114
+
115
+ A safer model-facing database MCP tool should look like a reviewed semantic proposal capability:
116
+
117
+ ```json
118
+ {
119
+ "name": "billing.propose_late_fee_waiver",
120
+ "description": "Create an evidence-backed proposal for support lead approval before trusted writeback.",
121
+ "inputSchema": {
122
+ "type": "object",
123
+ "properties": {
124
+ "invoice_id": { "type": "string" },
125
+ "reason": { "type": "string" }
126
+ },
127
+ "required": ["invoice_id", "reason"]
128
+ },
129
+ "outputSchema": {
130
+ "type": "object",
131
+ "properties": {
132
+ "status": { "type": "string" },
133
+ "proposal_id": { "type": "string" },
134
+ "evidence_bundle_id": { "type": "string" },
135
+ "source_database_changed": { "type": "boolean" }
136
+ },
137
+ "required": ["status", "proposal_id", "source_database_changed"]
138
+ },
139
+ "annotations": {
140
+ "readOnlyHint": false,
141
+ "destructiveHint": false
142
+ },
143
+ "examples": [
144
+ {
145
+ "invoice_id": "INV-3001",
146
+ "reason": "customer requested review"
147
+ }
148
+ ]
149
+ }
150
+ ```
151
+
152
+ Trusted values such as tenant, principal, source, allowed columns, approval identity, row-version guard, and database credentials must come from Synapsor/runner context, not from model-facing arguments.
@@ -0,0 +1,231 @@
1
+ # MCP Client Setup
2
+
3
+ The primary local proof path is still the one-command Docker demo:
4
+
5
+ ```bash
6
+ ./scripts/demo-docker.sh
7
+ ```
8
+
9
+ Use this page after that demo passes and you want to attach a local MCP client
10
+ or SDK. The simplest local-client contract is stdio. Standard HTTP MCP is
11
+ available through Streamable HTTP when your agent connects to a long-running
12
+ Runner service.
13
+
14
+ Command examples use the published alpha package through `npx`. From a source
15
+ checkout, use `./bin/synapsor-runner ...` only when you intentionally want the local
16
+ source wrapper.
17
+
18
+ Checked examples live in:
19
+
20
+ ```text
21
+ examples/mcp-client-configs/
22
+ ```
23
+
24
+ Validate them with:
25
+
26
+ ```bash
27
+ corepack pnpm test:mcp-client-configs
28
+ ```
29
+
30
+ ## Stdio Vs HTTP MCP
31
+
32
+ | Mode | Use when | Command |
33
+ | --- | --- | --- |
34
+ | stdio | Claude Desktop, Cursor, VS Code, or another local MCP client can launch Synapsor Runner | `synapsor-runner mcp serve` |
35
+ | Streamable HTTP MCP | Your app/server, Python agent, Node service, or container uses a standard HTTP MCP client | `synapsor-runner mcp serve-streamable-http` |
36
+ | JSON-RPC bridge | Your app wants a small explicit wrapper around `tools/list`, `tools/call`, and `resources/read` | `synapsor-runner mcp serve-http` |
37
+
38
+ Stdio keeps the MCP protocol on process stdin/stdout and is the simplest local
39
+ developer path. Streamable HTTP implements MCP initialize/session behavior over
40
+ an authenticated `/mcp` endpoint. The JSON-RPC bridge is intentionally smaller
41
+ and does not implement MCP initialize/session behavior.
42
+
43
+ HTTP requires bearer auth by default:
44
+
45
+ ```bash
46
+ export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
47
+
48
+ npx -y -p @synapsor/runner@alpha synapsor-runner mcp serve-streamable-http \
49
+ --config ./synapsor.runner.json \
50
+ --store ./.synapsor/local.db \
51
+ --auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
52
+ ```
53
+
54
+ Use private networking/TLS before exposing HTTP MCP beyond localhost. Details:
55
+ [HTTP MCP](http-mcp.md).
56
+
57
+ ## Generate A Client Snippet
58
+
59
+ Print a snippet without modifying any client files:
60
+
61
+ ```bash
62
+ npx -y -p @synapsor/runner@alpha synapsor-runner mcp config claude-desktop \
63
+ --config ./synapsor.runner.json \
64
+ --store ./.synapsor/local.db
65
+ ```
66
+
67
+ Supported client names:
68
+
69
+ ```text
70
+ generic-stdio
71
+ generic
72
+ claude-desktop
73
+ cursor
74
+ vscode
75
+ ```
76
+
77
+ The older form is still supported:
78
+
79
+ ```bash
80
+ npx -y -p @synapsor/runner@alpha synapsor-runner mcp configure --client claude-desktop --config ./synapsor.runner.json --store ./.synapsor/local.db
81
+ ```
82
+
83
+ Write is opt-in and requires an explicit destination:
84
+
85
+ ```bash
86
+ npx -y -p @synapsor/runner@alpha synapsor-runner mcp configure \
87
+ --client cursor \
88
+ --config ./synapsor.runner.json \
89
+ --store ./.synapsor/local.db \
90
+ --write \
91
+ --destination ./cursor-mcp.json
92
+ ```
93
+
94
+ When the destination already exists, Synapsor Runner creates a timestamped
95
+ backup before writing. Noninteractive scripts must add `--yes`.
96
+
97
+ The command writes only the local stdio MCP command and args. It does not write
98
+ database URLs or passwords into the client config.
99
+
100
+ ## Start Command
101
+
102
+ From the runner repository:
103
+
104
+ ```bash
105
+ npx -y -p @synapsor/runner@alpha synapsor-runner mcp serve --config ./examples/mcp-postgres-billing/synapsor.runner.json --store ./.synapsor/local.db
106
+ ```
107
+
108
+ For the alpha package, keep the package tag explicit in client configuration.
109
+
110
+ For standard app/server HTTP MCP mode:
111
+
112
+ ```bash
113
+ export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
114
+
115
+ npx -y -p @synapsor/runner@alpha synapsor-runner mcp serve-streamable-http \
116
+ --config ./examples/mcp-postgres-billing/synapsor.runner.json \
117
+ --store ./.synapsor/local.db \
118
+ --auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
119
+ ```
120
+
121
+ For the smaller JSON-RPC bridge, use `synapsor-runner mcp serve-http` instead.
122
+
123
+ ## Generic stdio Client
124
+
125
+ ```json
126
+ {
127
+ "mcpServers": {
128
+ "synapsor-runner": {
129
+ "command": "npx",
130
+ "args": [
131
+ "-y",
132
+ "-p",
133
+ "@synapsor/runner@alpha",
134
+ "synapsor-runner",
135
+ "mcp",
136
+ "serve",
137
+ "--config",
138
+ "./examples/mcp-postgres-billing/synapsor.runner.json",
139
+ "--store",
140
+ "./.synapsor/local.db"
141
+ ],
142
+ "env": {
143
+ "BILLING_POSTGRES_READ_URL": "postgresql://synapsor_reader:...@localhost:55433/synapsor_runner_mcp_billing",
144
+ "SYNAPSOR_TENANT_ID": "acme",
145
+ "SYNAPSOR_PRINCIPAL": "local_billing_agent"
146
+ }
147
+ }
148
+ }
149
+ }
150
+ ```
151
+
152
+ The MCP server should list semantic tools such as:
153
+
154
+ ```text
155
+ billing.inspect_invoice
156
+ billing.propose_late_fee_waiver
157
+ ```
158
+
159
+ It should not list:
160
+
161
+ ```text
162
+ execute_sql
163
+ run_query
164
+ approve_proposal
165
+ commit_proposal
166
+ ```
167
+
168
+ ## Sanity Check The Agent Connection
169
+
170
+ After installing the MCP client snippet, restart the client and run a deliberately
171
+ small tool-call test.
172
+
173
+ First confirm what Runner exposes:
174
+
175
+ ```bash
176
+ npx -y -p @synapsor/runner@alpha synapsor-runner tools preview \
177
+ --config ./synapsor.runner.json \
178
+ --store ./.synapsor/local.db
179
+ ```
180
+
181
+ Then ask the MCP client:
182
+
183
+ ```text
184
+ Use the Synapsor Runner MCP tool to inspect invoice INV-3001.
185
+ Do not answer from memory.
186
+ Return the tool name called, the evidence handle, and whether raw SQL was available.
187
+ ```
188
+
189
+ Expected result:
190
+
191
+ - the client calls a tool such as `billing.inspect_invoice`;
192
+ - the response includes an evidence handle or local ledger reference;
193
+ - the model reports that raw SQL, write credentials, approval tools, and commit
194
+ tools were not available.
195
+
196
+ If the answer is generic prose or unrelated task planning with no tool call and
197
+ no evidence handle, Synapsor Runner is not connected to that agent session yet.
198
+ Check the MCP config path, restart the client, set trusted context env vars, and
199
+ run `tools/list` or `synapsor-runner tools preview` again.
200
+
201
+ ## Claude Desktop / Cursor / VS Code
202
+
203
+ Use the matching checked-in example as the starting point:
204
+
205
+ ```text
206
+ examples/mcp-client-configs/claude-desktop.json
207
+ examples/mcp-client-configs/cursor.json
208
+ examples/mcp-client-configs/vscode.json
209
+ ```
210
+
211
+ Each example uses the same stdio command/args/env structure. Replace the placeholder environment variables in your client settings or shell environment.
212
+
213
+ Do not add a write database URL to the MCP server environment unless you are intentionally running a local review/writeback demo. For normal read/proposal tool calls, use the read URL and trusted context values only.
214
+
215
+ Before documenting a client UI as officially tested, verify:
216
+
217
+ 1. the server starts;
218
+ 2. `tools/list` returns semantic tools;
219
+ 3. read tools return evidence handles;
220
+ 4. proposal tools return exact diffs and `source_database_changed: false`;
221
+ 5. no approval or commit tool is model-callable;
222
+ 6. resource reads work for proposal/evidence/replay handles.
223
+
224
+ ## Troubleshooting
225
+
226
+ - Server not listed: check the command path, working directory, and config path.
227
+ - Tool schema mismatch: run `synapsor-runner audit <exported-tools.json>`.
228
+ - Missing trusted context: set `SYNAPSOR_TENANT_ID` and `SYNAPSOR_PRINCIPAL`, or use the environment variables configured in `trusted_context.values`.
229
+ - Database unavailable: verify the read credential and host access.
230
+ - Proposal waiting review: approve outside the model with `synapsor-runner proposals approve`.
231
+ - Stale-row conflict: inspect replay; the source row changed after the proposal was created, so the guarded worker refused to commit.
@@ -0,0 +1,61 @@
1
+ # Capability Recipes
2
+
3
+ Recipes are reviewed starter contracts for common database-backed agent actions.
4
+
5
+ They do not introspect and silently guess write authority. They generate a
6
+ starter config that you must map to your actual staging table names, columns,
7
+ tenant key, conflict column, and business limits.
8
+
9
+ List recipes:
10
+
11
+ ```bash
12
+ npx -y -p @synapsor/runner@alpha synapsor-runner recipes list
13
+ ```
14
+
15
+ Inspect one:
16
+
17
+ ```bash
18
+ npx -y -p @synapsor/runner@alpha synapsor-runner recipes show billing.late_fee_waiver
19
+ ```
20
+
21
+ Initialize a starter config:
22
+
23
+ ```bash
24
+ npx -y -p @synapsor/runner@alpha synapsor-runner recipes init billing.late_fee_waiver --output synapsor.runner.json
25
+ npx -y -p @synapsor/runner@alpha synapsor-runner config validate --config synapsor.runner.json
26
+ ```
27
+
28
+ Built-in recipes are JSON files under `recipes/`. They are starter data, not
29
+ runtime hardcoding. You can copy one, edit table/column/tool names for your
30
+ domain, and initialize from your file:
31
+
32
+ ```bash
33
+ cp recipes/billing.late_fee_waiver.json my-recipe.json
34
+ npx -y -p @synapsor/runner@alpha synapsor-runner recipes show ./my-recipe.json
35
+ npx -y -p @synapsor/runner@alpha synapsor-runner recipes init ./my-recipe.json --output synapsor.runner.json
36
+ ```
37
+
38
+ Available recipes:
39
+
40
+ - `billing.late_fee_waiver`
41
+ - `support.ticket_resolution`
42
+ - `orders.refund_review`
43
+ - `accounts.trial_extension`
44
+ - `credits.account_credit`
45
+
46
+ Each recipe includes:
47
+
48
+ - expected table type;
49
+ - required columns;
50
+ - recommended primary key;
51
+ - recommended tenant key;
52
+ - recommended conflict/version column;
53
+ - visible columns;
54
+ - allowed write columns;
55
+ - patch mapping;
56
+ - numeric/status bounds where relevant;
57
+ - semantic MCP tool names;
58
+ - staging-first notes.
59
+
60
+ Start with staging or a disposable database. Keep production write credentials
61
+ out of the MCP client.
@@ -0,0 +1,129 @@
1
+ # Release Notes
2
+
3
+ These notes track public Synapsor Runner alpha behavior. While the runner is in
4
+ alpha, install with the explicit alpha tag or an exact version. Do not rely on
5
+ the untagged `latest` dist-tag until a stable release is published.
6
+
7
+ ```bash
8
+ npx -y -p @synapsor/runner@alpha synapsor-runner demo --quick
9
+ ```
10
+
11
+ The OSS runner command is `synapsor-runner`. The `synapsor` command is reserved
12
+ for the Synapsor Cloud CLI.
13
+
14
+ ## 0.1.0-alpha.10
15
+
16
+ ### First-Run Flow
17
+
18
+ - `synapsor-runner start --from-env DATABASE_URL` is the shortest own-database
19
+ onboarding command. It is an alias for the guided `onboard db --from-env`
20
+ flow, not the legacy cloud worker.
21
+ - The wizard inspects database metadata, creates trusted context bindings,
22
+ generates semantic capabilities, writes `.env.example`, previews MCP tools,
23
+ and prints exact smoke-call, MCP, and UI commands.
24
+ - If you provide a real object id and the required environment variables are
25
+ set, onboarding attempts the first smoke tool call and stores local evidence
26
+ and query audit. If not, it prints the exact `smoke call` command to run
27
+ after setting the values.
28
+ - `synapsor-runner ui --open` opens the local review UI and is the preferred
29
+ way to inspect proposals, evidence, receipts, and replay after a demo or
30
+ smoke call.
31
+
32
+ ### MCP Transport
33
+
34
+ - `synapsor-runner mcp serve` is standard stdio MCP for local MCP clients that
35
+ can launch Runner, such as Claude Desktop, Cursor, and similar clients.
36
+ - `synapsor-runner mcp serve-streamable-http` is the standard Streamable HTTP
37
+ MCP path for app/server agents and SDK clients. It implements MCP
38
+ initialize/session behavior on the `/mcp` endpoint.
39
+ - `synapsor-runner mcp serve-http` is an authenticated JSON-RPC bridge for
40
+ simple `tools/list`, `tools/call`, and `resources/read` wrappers. It is not
41
+ the standard Streamable HTTP MCP transport.
42
+ - The OpenAI Agents SDK HTTP example uses the Streamable HTTP MCP path. Use the
43
+ JSON-RPC bridge only when you intentionally want a thin app-owned wrapper.
44
+
45
+ ### Writeback
46
+
47
+ - Direct SQL writeback is intentionally narrow: guarded single-row `UPDATE`
48
+ only. It does not support arbitrary SQL, DDL, `INSERT`, `DELETE`, `UPSERT`,
49
+ stored procedures, or multi-row writes.
50
+ - Direct SQL writeback reads the trusted writer connection from the source
51
+ `write_url_env` in `synapsor.runner.json`, such as
52
+ `SYNAPSOR_DATABASE_WRITE_URL`.
53
+ - `SYNAPSOR_DATABASE_URL` is accepted only as a legacy fallback for older
54
+ direct worker/apply flows without a local config.
55
+ - Direct SQL writeback creates or writes `synapsor_writeback_receipts` for
56
+ idempotency and replay. The trusted writer needs permission for that receipt
57
+ table, or an administrator must pre-create the table and grant access.
58
+ - Use `synapsor-runner writeback doctor`, `writeback migration`, and
59
+ `writeback grants` to inspect and prepare the direct writeback path.
60
+ - Use app-owned `http_handler` or `command_handler` executors for rich writes
61
+ such as inserting credit rows, opening tickets, deleting records through app
62
+ policy, or updating multiple related rows.
63
+ - `synapsor-runner handler template` writes starter Node/Fastify,
64
+ Python/FastAPI, or command-handler files so rich writes can start from an
65
+ app-owned transaction boundary instead of hand-writing a handler from
66
+ scratch.
67
+
68
+ ### Evidence And Replay
69
+
70
+ - Read-only capabilities produce scoped semantic tools, trusted context
71
+ binding, evidence handles, query audit, and local inspection records.
72
+ - Proposal workflows add full local replay across evidence, approval,
73
+ writeback jobs, execution receipts, and events.
74
+ - External Postgres/MySQL databases are not physically branched by Runner.
75
+ Replay covers records captured by Runner; it is not external database
76
+ time travel.
77
+
78
+ ### Known Limitations
79
+
80
+ - This is an alpha local runner, not Synapsor Cloud, not the Synapsor DBMS, and
81
+ not a generic MCP security platform.
82
+ - Runner does not expose model-callable approval, commit, apply, or raw SQL
83
+ tools.
84
+ - Runner does not implement Synapsor Cloud workflow DAGs, native branches,
85
+ auto-merge, settlement policies, hosted RBAC/SSO, hosted evidence retention,
86
+ CDC, managed runner fleets, compliance exports, production SLA, or C++ DBMS
87
+ internals.
88
+ - The local store is single-node SQLite for local/dev/staging usage.
89
+ - Node >= 22.5.0 is required because the local ledger uses Node's
90
+ `node:sqlite` runtime. Use a supported Node runtime or the Docker-backed
91
+ source demo path.
92
+
93
+ ### Upgrade Notes From Earlier Alphas
94
+
95
+ - Public command examples now use `synapsor-runner`, not `synapsor`.
96
+ - Standard HTTP MCP examples now use `mcp serve-streamable-http`; `mcp
97
+ serve-http` is documented as the JSON-RPC bridge.
98
+ - Direct SQL writeback docs now use `write_url_env` for writer credentials and
99
+ document `SYNAPSOR_DATABASE_URL` only as a legacy fallback.
100
+ - Receipt-table permissions are now a documented writeback requirement.
101
+ - The quick demo is guided in interactive terminals, concise in noninteractive
102
+ mode, and keeps the longer explanation behind `--details`.
103
+
104
+ ## Stable Release Policy
105
+
106
+ Stay on `@synapsor/runner@alpha` or an exact alpha version while first-run
107
+ onboarding, MCP transport behavior, and writeback documentation are still
108
+ changing. A stable `0.1.0` release should only be tagged after:
109
+
110
+ - the README's npm commands match the published package;
111
+ - a clean temporary directory can run the quick demo, own-database onboarding,
112
+ MCP config generation, smoke call, UI, and replay commands;
113
+ - stdio MCP and Streamable HTTP MCP are covered by tests and examples;
114
+ - direct and app-owned writeback requirements are documented and verified; and
115
+ - known limitations are still accurate.
116
+
117
+ For the local tarball before publish, run:
118
+
119
+ ```bash
120
+ ./scripts/verify-packed-runner.sh
121
+ ./scripts/verify-packed-own-db.sh
122
+ ```
123
+
124
+ After publishing an alpha, verify the public package from a clean temporary
125
+ directory:
126
+
127
+ ```bash
128
+ ./scripts/verify-published-alpha.sh 0.1.0-alpha.10
129
+ ```
@@ -0,0 +1,94 @@
1
+ # Security Boundary
2
+
3
+ Synapsor Runner controls a narrow database path for MCP agents. It does not make
4
+ MCP generally secure and it does not solve prompt injection.
5
+
6
+ ## Least-privilege database access
7
+
8
+ Use a read-only database user, restricted views, row-level security, and staging
9
+ data where appropriate. Synapsor Runner is not a replacement for database
10
+ permissions.
11
+
12
+ Database permissions protect the connection. Synapsor Runner shapes the
13
+ model-facing interface: reviewed semantic capabilities, trusted context
14
+ binding, evidence handles, query audit, local inspection, and proposal-first
15
+ writes instead of model-facing commit authority.
16
+
17
+ If all you need is restricted reads, database permissions are a good start.
18
+ Use Synapsor Runner when you also want the agent-facing layer: semantic tools,
19
+ trusted context, evidence handles, query audit, local inspection, and
20
+ proposal-first writes. Proposal workflows add full replay across evidence,
21
+ approval, writeback receipts, and events.
22
+
23
+ The model-facing MCP server exposes reviewed semantic tools such as
24
+ `billing.inspect_invoice` and `billing.propose_late_fee_waiver`.
25
+
26
+ The model does not receive:
27
+
28
+ - raw SQL;
29
+ - a generic `execute_sql` tool;
30
+ - arbitrary table, schema, or column names;
31
+ - database URLs or credentials;
32
+ - approval tools;
33
+ - commit/writeback tools;
34
+ - trusted tenant or principal authority as ordinary model arguments.
35
+
36
+ Trusted context comes from local configuration, environment bindings, or Cloud
37
+ session context in Cloud mode. Tenant, principal, and authorization scope must
38
+ not be accepted from the model as authority.
39
+
40
+ Proposal tools read the current row through the read credential, store evidence
41
+ and an exact before/after diff, and leave the source database unchanged.
42
+
43
+ The local proposal store rejects obvious credential material before persistence:
44
+ database URLs, bearer tokens, Synapsor runner tokens, private-key blocks, and
45
+ secret-like fields such as password, token, API key, private key, cookie,
46
+ credential, connection string, read URL, or write URL. If a selected table
47
+ contains one of those fields, remove it from the reviewed visible/evidence
48
+ projection before creating proposals.
49
+
50
+ Writeback is separate. A trusted local runner/apply path uses a write credential
51
+ outside the model-facing MCP server and verifies:
52
+
53
+ - local reviewed config;
54
+ - source and capability identity;
55
+ - fixed safe schema, table, and column identifiers;
56
+ - local approval state;
57
+ - proposal and job digests;
58
+ - target schema/table;
59
+ - primary-key and tenant guards;
60
+ - allowed mutable columns;
61
+ - conflict/version guard;
62
+ - idempotency key;
63
+ - job expiry;
64
+ - exactly one affected row.
65
+
66
+ If any authority check cannot be verified, the write fails closed.
67
+
68
+ For direct SQL writeback, the writer connection is the env var named by the
69
+ source `write_url_env` in `synapsor.runner.json`. Direct SQL writeback also
70
+ creates or writes `synapsor_writeback_receipts` for idempotency and replay, so
71
+ the writer needs permission for that receipt table or an administrator must
72
+ pre-create and grant it. If your database policy forbids Runner-managed receipt
73
+ tables, use an app-owned `http_handler` or `command_handler` executor instead.
74
+
75
+ When a capability uses an `http_handler` or `command_handler` executor, the
76
+ same approval boundary applies. The runner sends a structured proposal/job
77
+ payload to the configured handler after approval. Handler URLs, commands, bearer
78
+ tokens, database URLs, and write credentials come from environment variables and
79
+ are not exposed to MCP tools.
80
+
81
+ Writeback jobs and change sets also reject path-traversal or SQL-fragment-like
82
+ database identifiers such as `../private`, `id/../../tenant_id`, or
83
+ `status; DROP TABLE tickets` before adapter execution. Local CLI file paths
84
+ remain explicit user-provided paths; they are not model-facing authority.
85
+
86
+ Local review can happen through the CLI or `synapsor-runner ui`. The UI is a localhost
87
+ review surface with a per-run session token and CSRF protection for
88
+ approve/reject actions. It does not expose raw SQL, database URLs, write
89
+ credentials, approval tools, commit tools, or controls that widen reviewed
90
+ tables/columns.
91
+
92
+ Synapsor Runner supports reviewed single-row business actions only in the
93
+ current alpha. It does not support arbitrary SQL, DDL, `INSERT`, `DELETE`,
94
+ `UPSERT`, or multi-row updates.