@synapsor/runner 0.1.0-alpha.1 → 0.1.0-alpha.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +387 -19
- package/TRADEMARKS.md +23 -0
- package/dist/cli.d.ts +4 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +20 -8723
- package/dist/runner.mjs +12759 -0
- package/docs/README.md +36 -0
- package/docs/getting-started-own-database.md +460 -0
- package/docs/http-mcp.md +242 -0
- package/docs/limitations.md +95 -0
- package/docs/local-mode.md +351 -0
- package/docs/mcp-audit.md +152 -0
- package/docs/mcp-client-setup.md +231 -0
- package/docs/recipes.md +61 -0
- package/docs/release-notes.md +129 -0
- package/docs/security-boundary.md +94 -0
- package/docs/troubleshooting-first-run.md +248 -0
- package/docs/writeback-executors.md +209 -0
- package/examples/app-owned-writeback/README.md +120 -0
- package/examples/app-owned-writeback/business-actions.md +221 -0
- package/examples/app-owned-writeback/command-handler.mjs +46 -0
- package/examples/app-owned-writeback/node-fastify-handler.mjs +55 -0
- package/examples/app-owned-writeback/python-fastapi-handler.py +57 -0
- package/examples/dangerous-mcp-tools.json +88 -0
- package/examples/openai-agents-http/README.md +56 -0
- package/examples/openai-agents-http/agent.py +54 -0
- package/examples/openai-agents-http/requirements.txt +1 -0
- package/examples/openai-agents-stdio/README.md +62 -0
- package/examples/openai-agents-stdio/agent.py +70 -0
- package/examples/openai-agents-stdio/requirements.txt +1 -0
- package/examples/reference-support-billing-app/README.md +137 -0
- package/examples/reference-support-billing-app/docker-compose.yml +13 -0
- package/examples/reference-support-billing-app/mcp-client.generic.json +11 -0
- package/examples/reference-support-billing-app/schema.sql +68 -0
- package/examples/reference-support-billing-app/scripts/run-demo.sh +7 -0
- package/examples/reference-support-billing-app/seed.sql +33 -0
- package/examples/reference-support-billing-app/synapsor.runner.json +241 -0
- package/package.json +12 -4
- package/recipes/accounts.trial_extension.json +42 -0
- package/recipes/billing.late_fee_waiver.json +46 -0
- package/recipes/credits.account_credit.json +45 -0
- package/recipes/orders.refund_review.json +57 -0
- package/recipes/support.ticket_resolution.json +51 -0
- package/dist/bin.cjs +0 -13
|
@@ -0,0 +1,152 @@
|
|
|
1
|
+
# MCP database risk review
|
|
2
|
+
|
|
3
|
+
`npx -y -p @synapsor/runner@alpha synapsor-runner audit <target>` performs a
|
|
4
|
+
static MCP database risk review over an exported tool manifest, a remote MCP
|
|
5
|
+
`tools/list` endpoint, or a stdio MCP server. The `mcp audit` subcommand is also
|
|
6
|
+
available for users who look for the command under the MCP namespace.
|
|
7
|
+
|
|
8
|
+
From a source checkout, use `./bin/synapsor-runner ...` if the global binary is not
|
|
9
|
+
linked yet.
|
|
10
|
+
|
|
11
|
+
It does not call business tools. It only inspects names, descriptions, input schemas, output schemas, annotations, and examples when those are present.
|
|
12
|
+
|
|
13
|
+
Every report includes this disclaimer:
|
|
14
|
+
|
|
15
|
+
```text
|
|
16
|
+
This is a static risk review, not proof that an MCP server is secure.
|
|
17
|
+
```
|
|
18
|
+
|
|
19
|
+
MCP annotations are treated as hints, not enforcement.
|
|
20
|
+
|
|
21
|
+
## Usage
|
|
22
|
+
|
|
23
|
+
Built-in database MCP risk example:
|
|
24
|
+
|
|
25
|
+
```bash
|
|
26
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner audit --example dangerous-db-mcp
|
|
27
|
+
```
|
|
28
|
+
|
|
29
|
+
This bundled example does not require a source checkout or local examples file.
|
|
30
|
+
It audits a deliberately risky database MCP shape with `execute_sql`,
|
|
31
|
+
`run_query`, model-callable approval/update/delete tools, arbitrary
|
|
32
|
+
table/column inputs, and model-controlled tenant/principal fields.
|
|
33
|
+
|
|
34
|
+
Human-readable output:
|
|
35
|
+
|
|
36
|
+
```bash
|
|
37
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner audit ./tools-list.json
|
|
38
|
+
```
|
|
39
|
+
|
|
40
|
+
Remote `tools/list` endpoint with a bearer token kept in the environment:
|
|
41
|
+
|
|
42
|
+
```bash
|
|
43
|
+
SYNAPSOR_MCP_AUDIT_BEARER="..." \
|
|
44
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner audit https://mcp.example.com --format json
|
|
45
|
+
```
|
|
46
|
+
|
|
47
|
+
Remote endpoint with a custom bearer-token environment variable:
|
|
48
|
+
|
|
49
|
+
```bash
|
|
50
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner audit https://mcp.example.com --bearer-env MCP_AUDIT_TOKEN --format json
|
|
51
|
+
```
|
|
52
|
+
|
|
53
|
+
Stdio MCP server:
|
|
54
|
+
|
|
55
|
+
```bash
|
|
56
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner audit 'stdio:node ./server.mjs' --timeout-ms 5000
|
|
57
|
+
```
|
|
58
|
+
|
|
59
|
+
JSON output:
|
|
60
|
+
|
|
61
|
+
```bash
|
|
62
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner audit ./tools-list.json --format json
|
|
63
|
+
```
|
|
64
|
+
|
|
65
|
+
Markdown output for issues, PRs, or security review notes:
|
|
66
|
+
|
|
67
|
+
```bash
|
|
68
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner audit --example dangerous-db-mcp --format markdown
|
|
69
|
+
```
|
|
70
|
+
|
|
71
|
+
During local development, the repo-local wrapper can run the same command:
|
|
72
|
+
|
|
73
|
+
```bash
|
|
74
|
+
./bin/synapsor-runner audit ./tools-list.json
|
|
75
|
+
./bin/synapsor-runner audit ./tools-list.json --format json
|
|
76
|
+
```
|
|
77
|
+
|
|
78
|
+
## Supported inputs
|
|
79
|
+
|
|
80
|
+
The audit accepts common exported shapes:
|
|
81
|
+
|
|
82
|
+
```json
|
|
83
|
+
{ "tools": [] }
|
|
84
|
+
```
|
|
85
|
+
|
|
86
|
+
```json
|
|
87
|
+
{ "result": { "tools": [] } }
|
|
88
|
+
```
|
|
89
|
+
|
|
90
|
+
```json
|
|
91
|
+
{ "data": { "tools": [] } }
|
|
92
|
+
```
|
|
93
|
+
|
|
94
|
+
It also scans nested `adapter`, `mcpServers`, and `servers` blocks when they include tool metadata.
|
|
95
|
+
|
|
96
|
+
For live targets, the audit calls only JSON-RPC `tools/list`. It does not call business tools, approval tools, commit tools, or writeback tools.
|
|
97
|
+
|
|
98
|
+
## Findings
|
|
99
|
+
|
|
100
|
+
The audit flags database-commit risks such as:
|
|
101
|
+
|
|
102
|
+
- generic `execute_sql`, `run_query`, or raw SQL tools;
|
|
103
|
+
- tools accepting arbitrary SQL, schema, table, or column identifiers;
|
|
104
|
+
- tools accepting `tenant_id`, `principal`, source ids, allowed columns, row versions, or approval identity as model input;
|
|
105
|
+
- model-callable approval, commit, apply, settle, merge, or writeback tools;
|
|
106
|
+
- write-like tools with no visible proposal, approval, or guarded-writeback boundary;
|
|
107
|
+
- missing structured output schemas;
|
|
108
|
+
- missing idempotency/request-key metadata for direct write-like tools;
|
|
109
|
+
- missing row-version/conflict-guard metadata for direct write-like tools;
|
|
110
|
+
- ambiguous read/write tool boundaries;
|
|
111
|
+
- missing business descriptions, annotations, or fixture examples.
|
|
112
|
+
|
|
113
|
+
## Recommended target shape
|
|
114
|
+
|
|
115
|
+
A safer model-facing database MCP tool should look like a reviewed semantic proposal capability:
|
|
116
|
+
|
|
117
|
+
```json
|
|
118
|
+
{
|
|
119
|
+
"name": "billing.propose_late_fee_waiver",
|
|
120
|
+
"description": "Create an evidence-backed proposal for support lead approval before trusted writeback.",
|
|
121
|
+
"inputSchema": {
|
|
122
|
+
"type": "object",
|
|
123
|
+
"properties": {
|
|
124
|
+
"invoice_id": { "type": "string" },
|
|
125
|
+
"reason": { "type": "string" }
|
|
126
|
+
},
|
|
127
|
+
"required": ["invoice_id", "reason"]
|
|
128
|
+
},
|
|
129
|
+
"outputSchema": {
|
|
130
|
+
"type": "object",
|
|
131
|
+
"properties": {
|
|
132
|
+
"status": { "type": "string" },
|
|
133
|
+
"proposal_id": { "type": "string" },
|
|
134
|
+
"evidence_bundle_id": { "type": "string" },
|
|
135
|
+
"source_database_changed": { "type": "boolean" }
|
|
136
|
+
},
|
|
137
|
+
"required": ["status", "proposal_id", "source_database_changed"]
|
|
138
|
+
},
|
|
139
|
+
"annotations": {
|
|
140
|
+
"readOnlyHint": false,
|
|
141
|
+
"destructiveHint": false
|
|
142
|
+
},
|
|
143
|
+
"examples": [
|
|
144
|
+
{
|
|
145
|
+
"invoice_id": "INV-3001",
|
|
146
|
+
"reason": "customer requested review"
|
|
147
|
+
}
|
|
148
|
+
]
|
|
149
|
+
}
|
|
150
|
+
```
|
|
151
|
+
|
|
152
|
+
Trusted values such as tenant, principal, source, allowed columns, approval identity, row-version guard, and database credentials must come from Synapsor/runner context, not from model-facing arguments.
|
|
@@ -0,0 +1,231 @@
|
|
|
1
|
+
# MCP Client Setup
|
|
2
|
+
|
|
3
|
+
The primary local proof path is still the one-command Docker demo:
|
|
4
|
+
|
|
5
|
+
```bash
|
|
6
|
+
./scripts/demo-docker.sh
|
|
7
|
+
```
|
|
8
|
+
|
|
9
|
+
Use this page after that demo passes and you want to attach a local MCP client
|
|
10
|
+
or SDK. The simplest local-client contract is stdio. Standard HTTP MCP is
|
|
11
|
+
available through Streamable HTTP when your agent connects to a long-running
|
|
12
|
+
Runner service.
|
|
13
|
+
|
|
14
|
+
Command examples use the published alpha package through `npx`. From a source
|
|
15
|
+
checkout, use `./bin/synapsor-runner ...` only when you intentionally want the local
|
|
16
|
+
source wrapper.
|
|
17
|
+
|
|
18
|
+
Checked examples live in:
|
|
19
|
+
|
|
20
|
+
```text
|
|
21
|
+
examples/mcp-client-configs/
|
|
22
|
+
```
|
|
23
|
+
|
|
24
|
+
Validate them with:
|
|
25
|
+
|
|
26
|
+
```bash
|
|
27
|
+
corepack pnpm test:mcp-client-configs
|
|
28
|
+
```
|
|
29
|
+
|
|
30
|
+
## Stdio Vs HTTP MCP
|
|
31
|
+
|
|
32
|
+
| Mode | Use when | Command |
|
|
33
|
+
| --- | --- | --- |
|
|
34
|
+
| stdio | Claude Desktop, Cursor, VS Code, or another local MCP client can launch Synapsor Runner | `synapsor-runner mcp serve` |
|
|
35
|
+
| Streamable HTTP MCP | Your app/server, Python agent, Node service, or container uses a standard HTTP MCP client | `synapsor-runner mcp serve-streamable-http` |
|
|
36
|
+
| JSON-RPC bridge | Your app wants a small explicit wrapper around `tools/list`, `tools/call`, and `resources/read` | `synapsor-runner mcp serve-http` |
|
|
37
|
+
|
|
38
|
+
Stdio keeps the MCP protocol on process stdin/stdout and is the simplest local
|
|
39
|
+
developer path. Streamable HTTP implements MCP initialize/session behavior over
|
|
40
|
+
an authenticated `/mcp` endpoint. The JSON-RPC bridge is intentionally smaller
|
|
41
|
+
and does not implement MCP initialize/session behavior.
|
|
42
|
+
|
|
43
|
+
HTTP requires bearer auth by default:
|
|
44
|
+
|
|
45
|
+
```bash
|
|
46
|
+
export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
|
|
47
|
+
|
|
48
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner mcp serve-streamable-http \
|
|
49
|
+
--config ./synapsor.runner.json \
|
|
50
|
+
--store ./.synapsor/local.db \
|
|
51
|
+
--auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
|
|
52
|
+
```
|
|
53
|
+
|
|
54
|
+
Use private networking/TLS before exposing HTTP MCP beyond localhost. Details:
|
|
55
|
+
[HTTP MCP](http-mcp.md).
|
|
56
|
+
|
|
57
|
+
## Generate A Client Snippet
|
|
58
|
+
|
|
59
|
+
Print a snippet without modifying any client files:
|
|
60
|
+
|
|
61
|
+
```bash
|
|
62
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner mcp config claude-desktop \
|
|
63
|
+
--config ./synapsor.runner.json \
|
|
64
|
+
--store ./.synapsor/local.db
|
|
65
|
+
```
|
|
66
|
+
|
|
67
|
+
Supported client names:
|
|
68
|
+
|
|
69
|
+
```text
|
|
70
|
+
generic-stdio
|
|
71
|
+
generic
|
|
72
|
+
claude-desktop
|
|
73
|
+
cursor
|
|
74
|
+
vscode
|
|
75
|
+
```
|
|
76
|
+
|
|
77
|
+
The older form is still supported:
|
|
78
|
+
|
|
79
|
+
```bash
|
|
80
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner mcp configure --client claude-desktop --config ./synapsor.runner.json --store ./.synapsor/local.db
|
|
81
|
+
```
|
|
82
|
+
|
|
83
|
+
Write is opt-in and requires an explicit destination:
|
|
84
|
+
|
|
85
|
+
```bash
|
|
86
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner mcp configure \
|
|
87
|
+
--client cursor \
|
|
88
|
+
--config ./synapsor.runner.json \
|
|
89
|
+
--store ./.synapsor/local.db \
|
|
90
|
+
--write \
|
|
91
|
+
--destination ./cursor-mcp.json
|
|
92
|
+
```
|
|
93
|
+
|
|
94
|
+
When the destination already exists, Synapsor Runner creates a timestamped
|
|
95
|
+
backup before writing. Noninteractive scripts must add `--yes`.
|
|
96
|
+
|
|
97
|
+
The command writes only the local stdio MCP command and args. It does not write
|
|
98
|
+
database URLs or passwords into the client config.
|
|
99
|
+
|
|
100
|
+
## Start Command
|
|
101
|
+
|
|
102
|
+
From the runner repository:
|
|
103
|
+
|
|
104
|
+
```bash
|
|
105
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner mcp serve --config ./examples/mcp-postgres-billing/synapsor.runner.json --store ./.synapsor/local.db
|
|
106
|
+
```
|
|
107
|
+
|
|
108
|
+
For the alpha package, keep the package tag explicit in client configuration.
|
|
109
|
+
|
|
110
|
+
For standard app/server HTTP MCP mode:
|
|
111
|
+
|
|
112
|
+
```bash
|
|
113
|
+
export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
|
|
114
|
+
|
|
115
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner mcp serve-streamable-http \
|
|
116
|
+
--config ./examples/mcp-postgres-billing/synapsor.runner.json \
|
|
117
|
+
--store ./.synapsor/local.db \
|
|
118
|
+
--auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
|
|
119
|
+
```
|
|
120
|
+
|
|
121
|
+
For the smaller JSON-RPC bridge, use `synapsor-runner mcp serve-http` instead.
|
|
122
|
+
|
|
123
|
+
## Generic stdio Client
|
|
124
|
+
|
|
125
|
+
```json
|
|
126
|
+
{
|
|
127
|
+
"mcpServers": {
|
|
128
|
+
"synapsor-runner": {
|
|
129
|
+
"command": "npx",
|
|
130
|
+
"args": [
|
|
131
|
+
"-y",
|
|
132
|
+
"-p",
|
|
133
|
+
"@synapsor/runner@alpha",
|
|
134
|
+
"synapsor-runner",
|
|
135
|
+
"mcp",
|
|
136
|
+
"serve",
|
|
137
|
+
"--config",
|
|
138
|
+
"./examples/mcp-postgres-billing/synapsor.runner.json",
|
|
139
|
+
"--store",
|
|
140
|
+
"./.synapsor/local.db"
|
|
141
|
+
],
|
|
142
|
+
"env": {
|
|
143
|
+
"BILLING_POSTGRES_READ_URL": "postgresql://synapsor_reader:...@localhost:55433/synapsor_runner_mcp_billing",
|
|
144
|
+
"SYNAPSOR_TENANT_ID": "acme",
|
|
145
|
+
"SYNAPSOR_PRINCIPAL": "local_billing_agent"
|
|
146
|
+
}
|
|
147
|
+
}
|
|
148
|
+
}
|
|
149
|
+
}
|
|
150
|
+
```
|
|
151
|
+
|
|
152
|
+
The MCP server should list semantic tools such as:
|
|
153
|
+
|
|
154
|
+
```text
|
|
155
|
+
billing.inspect_invoice
|
|
156
|
+
billing.propose_late_fee_waiver
|
|
157
|
+
```
|
|
158
|
+
|
|
159
|
+
It should not list:
|
|
160
|
+
|
|
161
|
+
```text
|
|
162
|
+
execute_sql
|
|
163
|
+
run_query
|
|
164
|
+
approve_proposal
|
|
165
|
+
commit_proposal
|
|
166
|
+
```
|
|
167
|
+
|
|
168
|
+
## Sanity Check The Agent Connection
|
|
169
|
+
|
|
170
|
+
After installing the MCP client snippet, restart the client and run a deliberately
|
|
171
|
+
small tool-call test.
|
|
172
|
+
|
|
173
|
+
First confirm what Runner exposes:
|
|
174
|
+
|
|
175
|
+
```bash
|
|
176
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner tools preview \
|
|
177
|
+
--config ./synapsor.runner.json \
|
|
178
|
+
--store ./.synapsor/local.db
|
|
179
|
+
```
|
|
180
|
+
|
|
181
|
+
Then ask the MCP client:
|
|
182
|
+
|
|
183
|
+
```text
|
|
184
|
+
Use the Synapsor Runner MCP tool to inspect invoice INV-3001.
|
|
185
|
+
Do not answer from memory.
|
|
186
|
+
Return the tool name called, the evidence handle, and whether raw SQL was available.
|
|
187
|
+
```
|
|
188
|
+
|
|
189
|
+
Expected result:
|
|
190
|
+
|
|
191
|
+
- the client calls a tool such as `billing.inspect_invoice`;
|
|
192
|
+
- the response includes an evidence handle or local ledger reference;
|
|
193
|
+
- the model reports that raw SQL, write credentials, approval tools, and commit
|
|
194
|
+
tools were not available.
|
|
195
|
+
|
|
196
|
+
If the answer is generic prose or unrelated task planning with no tool call and
|
|
197
|
+
no evidence handle, Synapsor Runner is not connected to that agent session yet.
|
|
198
|
+
Check the MCP config path, restart the client, set trusted context env vars, and
|
|
199
|
+
run `tools/list` or `synapsor-runner tools preview` again.
|
|
200
|
+
|
|
201
|
+
## Claude Desktop / Cursor / VS Code
|
|
202
|
+
|
|
203
|
+
Use the matching checked-in example as the starting point:
|
|
204
|
+
|
|
205
|
+
```text
|
|
206
|
+
examples/mcp-client-configs/claude-desktop.json
|
|
207
|
+
examples/mcp-client-configs/cursor.json
|
|
208
|
+
examples/mcp-client-configs/vscode.json
|
|
209
|
+
```
|
|
210
|
+
|
|
211
|
+
Each example uses the same stdio command/args/env structure. Replace the placeholder environment variables in your client settings or shell environment.
|
|
212
|
+
|
|
213
|
+
Do not add a write database URL to the MCP server environment unless you are intentionally running a local review/writeback demo. For normal read/proposal tool calls, use the read URL and trusted context values only.
|
|
214
|
+
|
|
215
|
+
Before documenting a client UI as officially tested, verify:
|
|
216
|
+
|
|
217
|
+
1. the server starts;
|
|
218
|
+
2. `tools/list` returns semantic tools;
|
|
219
|
+
3. read tools return evidence handles;
|
|
220
|
+
4. proposal tools return exact diffs and `source_database_changed: false`;
|
|
221
|
+
5. no approval or commit tool is model-callable;
|
|
222
|
+
6. resource reads work for proposal/evidence/replay handles.
|
|
223
|
+
|
|
224
|
+
## Troubleshooting
|
|
225
|
+
|
|
226
|
+
- Server not listed: check the command path, working directory, and config path.
|
|
227
|
+
- Tool schema mismatch: run `synapsor-runner audit <exported-tools.json>`.
|
|
228
|
+
- Missing trusted context: set `SYNAPSOR_TENANT_ID` and `SYNAPSOR_PRINCIPAL`, or use the environment variables configured in `trusted_context.values`.
|
|
229
|
+
- Database unavailable: verify the read credential and host access.
|
|
230
|
+
- Proposal waiting review: approve outside the model with `synapsor-runner proposals approve`.
|
|
231
|
+
- Stale-row conflict: inspect replay; the source row changed after the proposal was created, so the guarded worker refused to commit.
|
package/docs/recipes.md
ADDED
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
# Capability Recipes
|
|
2
|
+
|
|
3
|
+
Recipes are reviewed starter contracts for common database-backed agent actions.
|
|
4
|
+
|
|
5
|
+
They do not introspect and silently guess write authority. They generate a
|
|
6
|
+
starter config that you must map to your actual staging table names, columns,
|
|
7
|
+
tenant key, conflict column, and business limits.
|
|
8
|
+
|
|
9
|
+
List recipes:
|
|
10
|
+
|
|
11
|
+
```bash
|
|
12
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner recipes list
|
|
13
|
+
```
|
|
14
|
+
|
|
15
|
+
Inspect one:
|
|
16
|
+
|
|
17
|
+
```bash
|
|
18
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner recipes show billing.late_fee_waiver
|
|
19
|
+
```
|
|
20
|
+
|
|
21
|
+
Initialize a starter config:
|
|
22
|
+
|
|
23
|
+
```bash
|
|
24
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner recipes init billing.late_fee_waiver --output synapsor.runner.json
|
|
25
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner config validate --config synapsor.runner.json
|
|
26
|
+
```
|
|
27
|
+
|
|
28
|
+
Built-in recipes are JSON files under `recipes/`. They are starter data, not
|
|
29
|
+
runtime hardcoding. You can copy one, edit table/column/tool names for your
|
|
30
|
+
domain, and initialize from your file:
|
|
31
|
+
|
|
32
|
+
```bash
|
|
33
|
+
cp recipes/billing.late_fee_waiver.json my-recipe.json
|
|
34
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner recipes show ./my-recipe.json
|
|
35
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner recipes init ./my-recipe.json --output synapsor.runner.json
|
|
36
|
+
```
|
|
37
|
+
|
|
38
|
+
Available recipes:
|
|
39
|
+
|
|
40
|
+
- `billing.late_fee_waiver`
|
|
41
|
+
- `support.ticket_resolution`
|
|
42
|
+
- `orders.refund_review`
|
|
43
|
+
- `accounts.trial_extension`
|
|
44
|
+
- `credits.account_credit`
|
|
45
|
+
|
|
46
|
+
Each recipe includes:
|
|
47
|
+
|
|
48
|
+
- expected table type;
|
|
49
|
+
- required columns;
|
|
50
|
+
- recommended primary key;
|
|
51
|
+
- recommended tenant key;
|
|
52
|
+
- recommended conflict/version column;
|
|
53
|
+
- visible columns;
|
|
54
|
+
- allowed write columns;
|
|
55
|
+
- patch mapping;
|
|
56
|
+
- numeric/status bounds where relevant;
|
|
57
|
+
- semantic MCP tool names;
|
|
58
|
+
- staging-first notes.
|
|
59
|
+
|
|
60
|
+
Start with staging or a disposable database. Keep production write credentials
|
|
61
|
+
out of the MCP client.
|
|
@@ -0,0 +1,129 @@
|
|
|
1
|
+
# Release Notes
|
|
2
|
+
|
|
3
|
+
These notes track public Synapsor Runner alpha behavior. While the runner is in
|
|
4
|
+
alpha, install with the explicit alpha tag or an exact version. Do not rely on
|
|
5
|
+
the untagged `latest` dist-tag until a stable release is published.
|
|
6
|
+
|
|
7
|
+
```bash
|
|
8
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner demo --quick
|
|
9
|
+
```
|
|
10
|
+
|
|
11
|
+
The OSS runner command is `synapsor-runner`. The `synapsor` command is reserved
|
|
12
|
+
for the Synapsor Cloud CLI.
|
|
13
|
+
|
|
14
|
+
## 0.1.0-alpha.10
|
|
15
|
+
|
|
16
|
+
### First-Run Flow
|
|
17
|
+
|
|
18
|
+
- `synapsor-runner start --from-env DATABASE_URL` is the shortest own-database
|
|
19
|
+
onboarding command. It is an alias for the guided `onboard db --from-env`
|
|
20
|
+
flow, not the legacy cloud worker.
|
|
21
|
+
- The wizard inspects database metadata, creates trusted context bindings,
|
|
22
|
+
generates semantic capabilities, writes `.env.example`, previews MCP tools,
|
|
23
|
+
and prints exact smoke-call, MCP, and UI commands.
|
|
24
|
+
- If you provide a real object id and the required environment variables are
|
|
25
|
+
set, onboarding attempts the first smoke tool call and stores local evidence
|
|
26
|
+
and query audit. If not, it prints the exact `smoke call` command to run
|
|
27
|
+
after setting the values.
|
|
28
|
+
- `synapsor-runner ui --open` opens the local review UI and is the preferred
|
|
29
|
+
way to inspect proposals, evidence, receipts, and replay after a demo or
|
|
30
|
+
smoke call.
|
|
31
|
+
|
|
32
|
+
### MCP Transport
|
|
33
|
+
|
|
34
|
+
- `synapsor-runner mcp serve` is standard stdio MCP for local MCP clients that
|
|
35
|
+
can launch Runner, such as Claude Desktop, Cursor, and similar clients.
|
|
36
|
+
- `synapsor-runner mcp serve-streamable-http` is the standard Streamable HTTP
|
|
37
|
+
MCP path for app/server agents and SDK clients. It implements MCP
|
|
38
|
+
initialize/session behavior on the `/mcp` endpoint.
|
|
39
|
+
- `synapsor-runner mcp serve-http` is an authenticated JSON-RPC bridge for
|
|
40
|
+
simple `tools/list`, `tools/call`, and `resources/read` wrappers. It is not
|
|
41
|
+
the standard Streamable HTTP MCP transport.
|
|
42
|
+
- The OpenAI Agents SDK HTTP example uses the Streamable HTTP MCP path. Use the
|
|
43
|
+
JSON-RPC bridge only when you intentionally want a thin app-owned wrapper.
|
|
44
|
+
|
|
45
|
+
### Writeback
|
|
46
|
+
|
|
47
|
+
- Direct SQL writeback is intentionally narrow: guarded single-row `UPDATE`
|
|
48
|
+
only. It does not support arbitrary SQL, DDL, `INSERT`, `DELETE`, `UPSERT`,
|
|
49
|
+
stored procedures, or multi-row writes.
|
|
50
|
+
- Direct SQL writeback reads the trusted writer connection from the source
|
|
51
|
+
`write_url_env` in `synapsor.runner.json`, such as
|
|
52
|
+
`SYNAPSOR_DATABASE_WRITE_URL`.
|
|
53
|
+
- `SYNAPSOR_DATABASE_URL` is accepted only as a legacy fallback for older
|
|
54
|
+
direct worker/apply flows without a local config.
|
|
55
|
+
- Direct SQL writeback creates or writes `synapsor_writeback_receipts` for
|
|
56
|
+
idempotency and replay. The trusted writer needs permission for that receipt
|
|
57
|
+
table, or an administrator must pre-create the table and grant access.
|
|
58
|
+
- Use `synapsor-runner writeback doctor`, `writeback migration`, and
|
|
59
|
+
`writeback grants` to inspect and prepare the direct writeback path.
|
|
60
|
+
- Use app-owned `http_handler` or `command_handler` executors for rich writes
|
|
61
|
+
such as inserting credit rows, opening tickets, deleting records through app
|
|
62
|
+
policy, or updating multiple related rows.
|
|
63
|
+
- `synapsor-runner handler template` writes starter Node/Fastify,
|
|
64
|
+
Python/FastAPI, or command-handler files so rich writes can start from an
|
|
65
|
+
app-owned transaction boundary instead of hand-writing a handler from
|
|
66
|
+
scratch.
|
|
67
|
+
|
|
68
|
+
### Evidence And Replay
|
|
69
|
+
|
|
70
|
+
- Read-only capabilities produce scoped semantic tools, trusted context
|
|
71
|
+
binding, evidence handles, query audit, and local inspection records.
|
|
72
|
+
- Proposal workflows add full local replay across evidence, approval,
|
|
73
|
+
writeback jobs, execution receipts, and events.
|
|
74
|
+
- External Postgres/MySQL databases are not physically branched by Runner.
|
|
75
|
+
Replay covers records captured by Runner; it is not external database
|
|
76
|
+
time travel.
|
|
77
|
+
|
|
78
|
+
### Known Limitations
|
|
79
|
+
|
|
80
|
+
- This is an alpha local runner, not Synapsor Cloud, not the Synapsor DBMS, and
|
|
81
|
+
not a generic MCP security platform.
|
|
82
|
+
- Runner does not expose model-callable approval, commit, apply, or raw SQL
|
|
83
|
+
tools.
|
|
84
|
+
- Runner does not implement Synapsor Cloud workflow DAGs, native branches,
|
|
85
|
+
auto-merge, settlement policies, hosted RBAC/SSO, hosted evidence retention,
|
|
86
|
+
CDC, managed runner fleets, compliance exports, production SLA, or C++ DBMS
|
|
87
|
+
internals.
|
|
88
|
+
- The local store is single-node SQLite for local/dev/staging usage.
|
|
89
|
+
- Node >= 22.5.0 is required because the local ledger uses Node's
|
|
90
|
+
`node:sqlite` runtime. Use a supported Node runtime or the Docker-backed
|
|
91
|
+
source demo path.
|
|
92
|
+
|
|
93
|
+
### Upgrade Notes From Earlier Alphas
|
|
94
|
+
|
|
95
|
+
- Public command examples now use `synapsor-runner`, not `synapsor`.
|
|
96
|
+
- Standard HTTP MCP examples now use `mcp serve-streamable-http`; `mcp
|
|
97
|
+
serve-http` is documented as the JSON-RPC bridge.
|
|
98
|
+
- Direct SQL writeback docs now use `write_url_env` for writer credentials and
|
|
99
|
+
document `SYNAPSOR_DATABASE_URL` only as a legacy fallback.
|
|
100
|
+
- Receipt-table permissions are now a documented writeback requirement.
|
|
101
|
+
- The quick demo is guided in interactive terminals, concise in noninteractive
|
|
102
|
+
mode, and keeps the longer explanation behind `--details`.
|
|
103
|
+
|
|
104
|
+
## Stable Release Policy
|
|
105
|
+
|
|
106
|
+
Stay on `@synapsor/runner@alpha` or an exact alpha version while first-run
|
|
107
|
+
onboarding, MCP transport behavior, and writeback documentation are still
|
|
108
|
+
changing. A stable `0.1.0` release should only be tagged after:
|
|
109
|
+
|
|
110
|
+
- the README's npm commands match the published package;
|
|
111
|
+
- a clean temporary directory can run the quick demo, own-database onboarding,
|
|
112
|
+
MCP config generation, smoke call, UI, and replay commands;
|
|
113
|
+
- stdio MCP and Streamable HTTP MCP are covered by tests and examples;
|
|
114
|
+
- direct and app-owned writeback requirements are documented and verified; and
|
|
115
|
+
- known limitations are still accurate.
|
|
116
|
+
|
|
117
|
+
For the local tarball before publish, run:
|
|
118
|
+
|
|
119
|
+
```bash
|
|
120
|
+
./scripts/verify-packed-runner.sh
|
|
121
|
+
./scripts/verify-packed-own-db.sh
|
|
122
|
+
```
|
|
123
|
+
|
|
124
|
+
After publishing an alpha, verify the public package from a clean temporary
|
|
125
|
+
directory:
|
|
126
|
+
|
|
127
|
+
```bash
|
|
128
|
+
./scripts/verify-published-alpha.sh 0.1.0-alpha.10
|
|
129
|
+
```
|
|
@@ -0,0 +1,94 @@
|
|
|
1
|
+
# Security Boundary
|
|
2
|
+
|
|
3
|
+
Synapsor Runner controls a narrow database path for MCP agents. It does not make
|
|
4
|
+
MCP generally secure and it does not solve prompt injection.
|
|
5
|
+
|
|
6
|
+
## Least-privilege database access
|
|
7
|
+
|
|
8
|
+
Use a read-only database user, restricted views, row-level security, and staging
|
|
9
|
+
data where appropriate. Synapsor Runner is not a replacement for database
|
|
10
|
+
permissions.
|
|
11
|
+
|
|
12
|
+
Database permissions protect the connection. Synapsor Runner shapes the
|
|
13
|
+
model-facing interface: reviewed semantic capabilities, trusted context
|
|
14
|
+
binding, evidence handles, query audit, local inspection, and proposal-first
|
|
15
|
+
writes instead of model-facing commit authority.
|
|
16
|
+
|
|
17
|
+
If all you need is restricted reads, database permissions are a good start.
|
|
18
|
+
Use Synapsor Runner when you also want the agent-facing layer: semantic tools,
|
|
19
|
+
trusted context, evidence handles, query audit, local inspection, and
|
|
20
|
+
proposal-first writes. Proposal workflows add full replay across evidence,
|
|
21
|
+
approval, writeback receipts, and events.
|
|
22
|
+
|
|
23
|
+
The model-facing MCP server exposes reviewed semantic tools such as
|
|
24
|
+
`billing.inspect_invoice` and `billing.propose_late_fee_waiver`.
|
|
25
|
+
|
|
26
|
+
The model does not receive:
|
|
27
|
+
|
|
28
|
+
- raw SQL;
|
|
29
|
+
- a generic `execute_sql` tool;
|
|
30
|
+
- arbitrary table, schema, or column names;
|
|
31
|
+
- database URLs or credentials;
|
|
32
|
+
- approval tools;
|
|
33
|
+
- commit/writeback tools;
|
|
34
|
+
- trusted tenant or principal authority as ordinary model arguments.
|
|
35
|
+
|
|
36
|
+
Trusted context comes from local configuration, environment bindings, or Cloud
|
|
37
|
+
session context in Cloud mode. Tenant, principal, and authorization scope must
|
|
38
|
+
not be accepted from the model as authority.
|
|
39
|
+
|
|
40
|
+
Proposal tools read the current row through the read credential, store evidence
|
|
41
|
+
and an exact before/after diff, and leave the source database unchanged.
|
|
42
|
+
|
|
43
|
+
The local proposal store rejects obvious credential material before persistence:
|
|
44
|
+
database URLs, bearer tokens, Synapsor runner tokens, private-key blocks, and
|
|
45
|
+
secret-like fields such as password, token, API key, private key, cookie,
|
|
46
|
+
credential, connection string, read URL, or write URL. If a selected table
|
|
47
|
+
contains one of those fields, remove it from the reviewed visible/evidence
|
|
48
|
+
projection before creating proposals.
|
|
49
|
+
|
|
50
|
+
Writeback is separate. A trusted local runner/apply path uses a write credential
|
|
51
|
+
outside the model-facing MCP server and verifies:
|
|
52
|
+
|
|
53
|
+
- local reviewed config;
|
|
54
|
+
- source and capability identity;
|
|
55
|
+
- fixed safe schema, table, and column identifiers;
|
|
56
|
+
- local approval state;
|
|
57
|
+
- proposal and job digests;
|
|
58
|
+
- target schema/table;
|
|
59
|
+
- primary-key and tenant guards;
|
|
60
|
+
- allowed mutable columns;
|
|
61
|
+
- conflict/version guard;
|
|
62
|
+
- idempotency key;
|
|
63
|
+
- job expiry;
|
|
64
|
+
- exactly one affected row.
|
|
65
|
+
|
|
66
|
+
If any authority check cannot be verified, the write fails closed.
|
|
67
|
+
|
|
68
|
+
For direct SQL writeback, the writer connection is the env var named by the
|
|
69
|
+
source `write_url_env` in `synapsor.runner.json`. Direct SQL writeback also
|
|
70
|
+
creates or writes `synapsor_writeback_receipts` for idempotency and replay, so
|
|
71
|
+
the writer needs permission for that receipt table or an administrator must
|
|
72
|
+
pre-create and grant it. If your database policy forbids Runner-managed receipt
|
|
73
|
+
tables, use an app-owned `http_handler` or `command_handler` executor instead.
|
|
74
|
+
|
|
75
|
+
When a capability uses an `http_handler` or `command_handler` executor, the
|
|
76
|
+
same approval boundary applies. The runner sends a structured proposal/job
|
|
77
|
+
payload to the configured handler after approval. Handler URLs, commands, bearer
|
|
78
|
+
tokens, database URLs, and write credentials come from environment variables and
|
|
79
|
+
are not exposed to MCP tools.
|
|
80
|
+
|
|
81
|
+
Writeback jobs and change sets also reject path-traversal or SQL-fragment-like
|
|
82
|
+
database identifiers such as `../private`, `id/../../tenant_id`, or
|
|
83
|
+
`status; DROP TABLE tickets` before adapter execution. Local CLI file paths
|
|
84
|
+
remain explicit user-provided paths; they are not model-facing authority.
|
|
85
|
+
|
|
86
|
+
Local review can happen through the CLI or `synapsor-runner ui`. The UI is a localhost
|
|
87
|
+
review surface with a per-run session token and CSRF protection for
|
|
88
|
+
approve/reject actions. It does not expose raw SQL, database URLs, write
|
|
89
|
+
credentials, approval tools, commit tools, or controls that widen reviewed
|
|
90
|
+
tables/columns.
|
|
91
|
+
|
|
92
|
+
Synapsor Runner supports reviewed single-row business actions only in the
|
|
93
|
+
current alpha. It does not support arbitrary SQL, DDL, `INSERT`, `DELETE`,
|
|
94
|
+
`UPSERT`, or multi-row updates.
|