@synapsor/runner 0.1.0-alpha.1 → 0.1.0-alpha.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (66) hide show
  1. package/README.md +426 -19
  2. package/TRADEMARKS.md +23 -0
  3. package/dist/cli.d.ts +4 -0
  4. package/dist/cli.d.ts.map +1 -1
  5. package/dist/cli.js +20 -8723
  6. package/dist/runner.mjs +12958 -0
  7. package/docs/README.md +53 -0
  8. package/docs/app-owned-executors.md +21 -0
  9. package/docs/cloud-mode.md +24 -0
  10. package/docs/current-scope.md +24 -0
  11. package/docs/dependency-license-inventory.md +35 -0
  12. package/docs/getting-started-own-database.md +460 -0
  13. package/docs/http-mcp.md +276 -0
  14. package/docs/licensing.md +36 -0
  15. package/docs/limitations.md +95 -0
  16. package/docs/local-mode.md +351 -0
  17. package/docs/mcp-audit.md +152 -0
  18. package/docs/mcp-client-setup.md +270 -0
  19. package/docs/openai-agents-sdk.md +57 -0
  20. package/docs/recipes.md +61 -0
  21. package/docs/release-notes.md +158 -0
  22. package/docs/security-boundary.md +94 -0
  23. package/docs/troubleshooting-first-run.md +248 -0
  24. package/docs/use-your-own-database.md +18 -0
  25. package/docs/writeback-executors.md +220 -0
  26. package/examples/app-owned-writeback/README.md +120 -0
  27. package/examples/app-owned-writeback/business-actions.md +221 -0
  28. package/examples/app-owned-writeback/command-handler.mjs +46 -0
  29. package/examples/app-owned-writeback/node-fastify-handler.mjs +55 -0
  30. package/examples/app-owned-writeback/python-fastapi-handler.py +57 -0
  31. package/examples/dangerous-mcp-tools.json +88 -0
  32. package/examples/mcp-postgres-billing-app-handler/README.md +82 -0
  33. package/examples/mcp-postgres-billing-app-handler/app-handler.mjs +197 -0
  34. package/examples/mcp-postgres-billing-app-handler/docker-compose.yml +13 -0
  35. package/examples/mcp-postgres-billing-app-handler/schema.sql +59 -0
  36. package/examples/mcp-postgres-billing-app-handler/scripts/run-demo.sh +99 -0
  37. package/examples/mcp-postgres-billing-app-handler/seed.sql +39 -0
  38. package/examples/mcp-postgres-billing-app-handler/synapsor.runner.json +157 -0
  39. package/examples/openai-agents-http/README.md +64 -0
  40. package/examples/openai-agents-http/agent.py +54 -0
  41. package/examples/openai-agents-http/requirements.txt +1 -0
  42. package/examples/openai-agents-stdio/README.md +66 -0
  43. package/examples/openai-agents-stdio/agent.py +72 -0
  44. package/examples/openai-agents-stdio/requirements.txt +1 -0
  45. package/examples/reference-support-billing-app/README.md +137 -0
  46. package/examples/reference-support-billing-app/docker-compose.yml +13 -0
  47. package/examples/reference-support-billing-app/mcp-client.generic.json +11 -0
  48. package/examples/reference-support-billing-app/schema.sql +68 -0
  49. package/examples/reference-support-billing-app/scripts/run-demo.sh +7 -0
  50. package/examples/reference-support-billing-app/seed.sql +33 -0
  51. package/examples/reference-support-billing-app/synapsor.runner.json +241 -0
  52. package/fixtures/benchmark/mcp-efficiency.json +53 -0
  53. package/fixtures/benchmark/mcp-efficiency.txt +25 -0
  54. package/fixtures/protocol/MANIFEST.json +54 -0
  55. package/fixtures/protocol/change-set.late-fee-waiver.v1.json +72 -0
  56. package/fixtures/protocol/execution-receipt.applied.v1.json +14 -0
  57. package/fixtures/protocol/execution-receipt.conflict.v1.json +15 -0
  58. package/fixtures/protocol/runner-registration.v1.json +22 -0
  59. package/fixtures/protocol/writeback-job.late-fee-waiver.v1.json +44 -0
  60. package/package.json +14 -4
  61. package/recipes/accounts.trial_extension.json +42 -0
  62. package/recipes/billing.late_fee_waiver.json +46 -0
  63. package/recipes/credits.account_credit.json +45 -0
  64. package/recipes/orders.refund_review.json +57 -0
  65. package/recipes/support.ticket_resolution.json +51 -0
  66. package/dist/bin.cjs +0 -13
@@ -0,0 +1,276 @@
1
+ # HTTP MCP
2
+
3
+ Use HTTP MCP when an app, server-side agent, container, or Python/Node process
4
+ needs to connect to a long-running Synapsor Runner service.
5
+
6
+ Use stdio MCP when a local MCP client such as Claude Desktop, Cursor, or a
7
+ local agent tool can launch Synapsor Runner directly.
8
+
9
+ Synapsor Runner has two HTTP modes:
10
+
11
+ - `mcp serve-streamable-http`: spec-compatible MCP Streamable HTTP. Use this
12
+ when an MCP SDK/client expects `initialize`, session IDs, POST/GET/DELETE, and
13
+ standard HTTP MCP behavior.
14
+ - `mcp serve-http`: a lightweight authenticated JSON-RPC bridge for
15
+ `tools/list`, `tools/call`, and `resources/read`. Use this when your app wants
16
+ simple POST calls or an explicit wrapper around Runner tools.
17
+
18
+ ## Start Standard Streamable HTTP MCP
19
+
20
+ ```bash
21
+ export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
22
+
23
+ synapsor-runner mcp serve-streamable-http \
24
+ --host 127.0.0.1 \
25
+ --port 8766 \
26
+ --config ./synapsor.runner.json \
27
+ --store ./.synapsor/local.db \
28
+ --auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
29
+ ```
30
+
31
+ For OpenAI Agents SDK, expose OpenAI-safe aliases because OpenAI function names
32
+ cannot contain dots:
33
+
34
+ ```bash
35
+ synapsor-runner mcp serve-streamable-http \
36
+ --host 127.0.0.1 \
37
+ --port 8766 \
38
+ --config ./synapsor.runner.json \
39
+ --store ./.synapsor/local.db \
40
+ --auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN \
41
+ --alias-mode openai
42
+ ```
43
+
44
+ Equivalent unified command:
45
+
46
+ ```bash
47
+ synapsor-runner mcp serve \
48
+ --transport streamable-http \
49
+ --host 127.0.0.1 \
50
+ --port 8766 \
51
+ --config ./synapsor.runner.json \
52
+ --store ./.synapsor/local.db \
53
+ --auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN \
54
+ --alias-mode openai
55
+ ```
56
+
57
+ The model sees aliases such as `billing__inspect_invoice`. MCP tool metadata
58
+ still includes `synapsor.canonical_tool_name`, and Runner maps calls back to
59
+ the canonical Synapsor capability such as `billing.inspect_invoice`. Use
60
+ `--alias-mode both` only during migrations where some clients still need
61
+ canonical dotted names.
62
+
63
+ Defaults:
64
+
65
+ ```text
66
+ host: 127.0.0.1
67
+ port: 8766
68
+ auth: bearer token required
69
+ cors: disabled
70
+ sessions: in-memory
71
+ ```
72
+
73
+ Use `/mcp` as the MCP endpoint. Health is available at `/healthz`.
74
+
75
+ ## Start The JSON-RPC Bridge
76
+
77
+ ```bash
78
+ export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
79
+
80
+ synapsor-runner mcp serve-http \
81
+ --host 127.0.0.1 \
82
+ --port 8765 \
83
+ --config ./synapsor.runner.json \
84
+ --store ./.synapsor/local.db \
85
+ --auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
86
+ ```
87
+
88
+ Defaults:
89
+
90
+ ```text
91
+ host: 127.0.0.1
92
+ port: 8765
93
+ auth: bearer token required
94
+ cors: disabled
95
+ ```
96
+
97
+ Bridge scope: `serve-http` does not implement MCP Streamable HTTP
98
+ `initialize`/session behavior. Standard SDK HTTP MCP clients should use
99
+ `serve-streamable-http` instead.
100
+
101
+ Startup output prints the URL, config path, store path, and token environment
102
+ variable name. It does not print token values or database URLs.
103
+
104
+ ## Health Check
105
+
106
+ ```bash
107
+ curl -i http://127.0.0.1:8766/healthz
108
+ curl -i http://127.0.0.1:8765/healthz
109
+ ```
110
+
111
+ The health endpoint is secret-free:
112
+
113
+ ```json
114
+ {
115
+ "ok": true,
116
+ "transport": "streamable-http",
117
+ "tools": 1,
118
+ "mode": "read_only"
119
+ }
120
+ ```
121
+
122
+ ## List Tools Through The JSON-RPC Bridge
123
+
124
+ Unauthorized requests fail:
125
+
126
+ ```bash
127
+ curl -i \
128
+ -H "Content-Type: application/json" \
129
+ -d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' \
130
+ http://127.0.0.1:8765/mcp
131
+ ```
132
+
133
+ Authorized requests include the bearer token:
134
+
135
+ ```bash
136
+ curl -i \
137
+ -H "Authorization: Bearer dev-local-token" \
138
+ -H "Content-Type: application/json" \
139
+ -d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' \
140
+ http://127.0.0.1:8765/mcp
141
+ ```
142
+
143
+ The tool catalog should contain semantic tools such as:
144
+
145
+ ```text
146
+ billing.inspect_invoice
147
+ billing.propose_late_fee_waiver
148
+ ```
149
+
150
+ It should not contain:
151
+
152
+ ```text
153
+ execute_sql
154
+ raw_sql
155
+ approval tools
156
+ commit/apply tools
157
+ database URLs
158
+ write credentials
159
+ model-controlled tenant authority
160
+ arbitrary table or column names
161
+ ```
162
+
163
+ ## Call A Tool Through The JSON-RPC Bridge
164
+
165
+ ```bash
166
+ curl -i \
167
+ -H "Authorization: Bearer dev-local-token" \
168
+ -H "Content-Type: application/json" \
169
+ -d '{
170
+ "jsonrpc": "2.0",
171
+ "id": 2,
172
+ "method": "tools/call",
173
+ "params": {
174
+ "name": "billing.inspect_invoice",
175
+ "arguments": { "invoice_id": "INV-3001" }
176
+ }
177
+ }' \
178
+ http://127.0.0.1:8765/mcp
179
+ ```
180
+
181
+ The response includes scoped data, trusted context, evidence handles, and
182
+ `source_database_mutated: false`. The agent still does not receive SQL,
183
+ database credentials, or approval/commit authority.
184
+
185
+ ## Read Evidence Or Replay Resources Through The JSON-RPC Bridge
186
+
187
+ Use `resources/read` with a `synapsor://...` handle returned by a tool call:
188
+
189
+ ```bash
190
+ curl -i \
191
+ -H "Authorization: Bearer dev-local-token" \
192
+ -H "Content-Type: application/json" \
193
+ -d '{
194
+ "jsonrpc": "2.0",
195
+ "id": 3,
196
+ "method": "resources/read",
197
+ "params": { "uri": "synapsor://evidence/ev_..." }
198
+ }' \
199
+ http://127.0.0.1:8765/mcp
200
+ ```
201
+
202
+ ## CORS
203
+
204
+ CORS is disabled by default. If a local browser app needs access during
205
+ development, allow one explicit origin:
206
+
207
+ ```bash
208
+ synapsor-runner mcp serve-http \
209
+ --config ./synapsor.runner.json \
210
+ --store ./.synapsor/local.db \
211
+ --cors-origin http://localhost:3000
212
+ ```
213
+
214
+ Do not use wildcard CORS for a model-facing database tool service.
215
+
216
+ ## Network Exposure
217
+
218
+ Synapsor Runner binds to `127.0.0.1` by default.
219
+
220
+ If you explicitly bind to all interfaces:
221
+
222
+ ```bash
223
+ synapsor-runner mcp serve-http --host 0.0.0.0
224
+ ```
225
+
226
+ the CLI prints a warning. Treat this as a production-like service:
227
+
228
+ - keep bearer auth enabled;
229
+ - use TLS or a trusted reverse proxy;
230
+ - prefer private networking;
231
+ - add rate limits and request-size limits at the edge;
232
+ - do not log request bodies by default;
233
+ - rotate the bearer token if it is exposed.
234
+
235
+ `--dev-no-auth` is accepted only on `localhost` or `127.0.0.1`. It fails closed
236
+ with `--host 0.0.0.0`.
237
+
238
+ ## Trusted Context
239
+
240
+ Tenant and principal values must come from trusted configuration such as
241
+ environment variables or a server-side session. HTTP request arguments cannot
242
+ override trusted fields such as:
243
+
244
+ ```text
245
+ tenant_id
246
+ principal
247
+ principal_id
248
+ project_id
249
+ source_id
250
+ allowed_columns
251
+ approval_identity
252
+ ```
253
+
254
+ Use `read_only` mode first. Proposal/review mode should use a separate trusted
255
+ write path and a separate write credential. The model-facing HTTP MCP endpoint
256
+ must not receive write credentials.
257
+
258
+ ## OpenAI Agents SDK
259
+
260
+ See:
261
+
262
+ ```text
263
+ examples/openai-agents-http/
264
+ examples/openai-agents-stdio/
265
+ ```
266
+
267
+ Both examples use the MCP client integration from the OpenAI Agents SDK when it
268
+ is available. The stdio example launches Runner as a child process. The HTTP
269
+ example connects to `synapsor-runner mcp serve-streamable-http` through
270
+ `MCPServerStreamableHttp`. Use the JSON-RPC bridge only when you intentionally
271
+ want a small app-owned wrapper instead of standard HTTP MCP.
272
+
273
+ The boundary is the same in both modes: the agent calls a semantic Synapsor
274
+ tool, not raw SQL. OpenAI-facing examples use `--alias-mode openai` so
275
+ the model sees OpenAI-valid aliases while Runner preserves canonical Synapsor
276
+ tool names in metadata.
@@ -0,0 +1,36 @@
1
+ # Licensing
2
+
3
+ Synapsor Runner is open source under the Apache License 2.0 (`Apache-2.0`).
4
+
5
+ This page is a plain-English summary, not legal advice. If this summary
6
+ conflicts with `../LICENSE`, the `LICENSE` file controls.
7
+
8
+ Apache-2.0 applies to the code in this runner repository. It grants copyright
9
+ and patent rights under the license terms.
10
+
11
+ Apache-2.0 does not grant trademark rights. The Synapsor name, Synapsor Runner
12
+ name, logos, hosted Cloud service, and proprietary Synapsor platform features
13
+ remain separate. See `../TRADEMARKS.md`.
14
+
15
+ This license applies only to `synapsor-runner`. It does not open source:
16
+
17
+ - Synapsor Cloud;
18
+ - the hosted control plane;
19
+ - hosted capability registry;
20
+ - advanced policy/capability compiler;
21
+ - team approvals, RBAC, or SSO;
22
+ - hosted audit/evidence ledger;
23
+ - managed runners;
24
+ - production writeback orchestration;
25
+ - workflow builder;
26
+ - native Synapsor engine;
27
+ - C++/DBMS internals;
28
+ - branching, time travel, or settlement;
29
+ - compliance exports or production support/SLA.
30
+
31
+ Synapsor Cloud is a separate hosted commercial service. Use Cloud when your team
32
+ needs shared approvals, RBAC, hosted evidence/replay search, runner fleet
33
+ status, leases, retention, audit visibility, enterprise controls, and support.
34
+
35
+ Before public release, license and trademark text should be reviewed by the
36
+ release owner or qualified counsel.
@@ -0,0 +1,95 @@
1
+ # Limitations
2
+
3
+ Synapsor Runner is intentionally narrow in the current alpha.
4
+
5
+ ## Supported
6
+
7
+ - Stdio MCP server for semantic database capabilities.
8
+ - Local read and proposal tools.
9
+ - Local SQLite evidence/proposal/query-audit/replay store.
10
+ - Human approval through CLI commands.
11
+ - Public protocol objects:
12
+ - `synapsor.change-set.v1`
13
+ - `synapsor.writeback-job.v1`
14
+ - `synapsor.execution-receipt.v1`
15
+ - `synapsor.runner-registration.v1`
16
+ - Guarded single-row `UPDATE` for Postgres and MySQL.
17
+ - App/API handler writeback through approved `http_handler` executors.
18
+ - Local script writeback through approved `command_handler` executors.
19
+ - Primary-key guard.
20
+ - Tenant guard.
21
+ - Allowed-column validation.
22
+ - Version-column or explicit weak row-hash conflict guard.
23
+ - Idempotency receipts.
24
+ - Named local trusted contexts for capability configs.
25
+ - Capability recipes that generate reviewed starter configs.
26
+ - Shadow-mode proposal-vs-human-action comparison.
27
+ - Static MCP database risk review.
28
+ - Local indexed search for proposals, evidence bundles, query audit, writeback
29
+ receipts, and proposal replay.
30
+
31
+ ## Runtime Contract
32
+
33
+ Local capabilities are config-defined, not built into the server. The runtime
34
+ does not special-case billing, support, orders, refunds, invoices, or tickets.
35
+ Those domains appear only in demos, smoke tests, and optional recipe JSON files.
36
+ When you connect your own database, `synapsor.runner.json` is the source of
37
+ truth for the model-facing tools.
38
+
39
+ ## Not Supported
40
+
41
+ - Arbitrary SQL.
42
+ - Model-generated SQL.
43
+ - DDL.
44
+ - INSERT.
45
+ - DELETE.
46
+ - UPSERT.
47
+ - Multi-row UPDATE.
48
+ - Stored procedures.
49
+ - Cross-database transactions.
50
+ - Physical branching of Postgres/MySQL.
51
+ - Full Synapsor workflow/DAG execution.
52
+ - `CREATE AGENT WORKFLOW` or hosted Synapsor SQL generation.
53
+ - Auto-merge or settlement policy semantics.
54
+ - Automatic rollback of external database writes.
55
+ - Model-callable approval or commit tools.
56
+ - Generic MCP firewall behavior.
57
+ - Prompt-injection prevention.
58
+ - High availability, SLA, compliance certification, or production support guarantee.
59
+
60
+ ## Important External Database Semantics
61
+
62
+ External Postgres/MySQL databases are not branched or merged by Synapsor Runner.
63
+
64
+ The proposal, evidence, replay, and approval state live in Synapsor Runner locally or in Synapsor Cloud. The external source database changes only when a trusted runner applies an approved writeback job.
65
+
66
+ Local replay means replay of records captured by the runner:
67
+
68
+ - trusted context values used by the capability;
69
+ - captured/projected source-row excerpts;
70
+ - query audit fingerprints and redacted parameter metadata;
71
+ - proposal before/proposed diffs;
72
+ - approval/rejection events;
73
+ - guarded writeback jobs;
74
+ - applied/conflict/failed receipts.
75
+
76
+ It does not mean external Postgres/MySQL time travel. Runner cannot reconstruct
77
+ arbitrary historical rows that were never captured as evidence, and it does not
78
+ provide `AS OF` queries over an external source.
79
+
80
+ Local search is single-node SQLite search over the local runner store. It is
81
+ useful for local/dev/staging usage. It is not a hosted central evidence ledger,
82
+ not cross-runner aggregation, not RBAC/SSO, and not compliance retention.
83
+
84
+ Use this wording:
85
+
86
+ ```text
87
+ External DB = Synapsor review state + trusted writeback
88
+ Synapsor-native = real branch + merge
89
+ ```
90
+
91
+ Do not describe external approval as merge.
92
+
93
+ ## Weak Conflict Guards
94
+
95
+ A version/timestamp column is the preferred conflict guard. A weak row-hash guard can be acknowledged for local/dev use, but it should not be presented as equivalent to a durable version column.