@synapsor/runner 0.1.0-alpha.1 → 0.1.0-alpha.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +426 -19
- package/TRADEMARKS.md +23 -0
- package/dist/cli.d.ts +4 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +20 -8723
- package/dist/runner.mjs +12958 -0
- package/docs/README.md +53 -0
- package/docs/app-owned-executors.md +21 -0
- package/docs/cloud-mode.md +24 -0
- package/docs/current-scope.md +24 -0
- package/docs/dependency-license-inventory.md +35 -0
- package/docs/getting-started-own-database.md +460 -0
- package/docs/http-mcp.md +276 -0
- package/docs/licensing.md +36 -0
- package/docs/limitations.md +95 -0
- package/docs/local-mode.md +351 -0
- package/docs/mcp-audit.md +152 -0
- package/docs/mcp-client-setup.md +270 -0
- package/docs/openai-agents-sdk.md +57 -0
- package/docs/recipes.md +61 -0
- package/docs/release-notes.md +158 -0
- package/docs/security-boundary.md +94 -0
- package/docs/troubleshooting-first-run.md +248 -0
- package/docs/use-your-own-database.md +18 -0
- package/docs/writeback-executors.md +220 -0
- package/examples/app-owned-writeback/README.md +120 -0
- package/examples/app-owned-writeback/business-actions.md +221 -0
- package/examples/app-owned-writeback/command-handler.mjs +46 -0
- package/examples/app-owned-writeback/node-fastify-handler.mjs +55 -0
- package/examples/app-owned-writeback/python-fastapi-handler.py +57 -0
- package/examples/dangerous-mcp-tools.json +88 -0
- package/examples/mcp-postgres-billing-app-handler/README.md +82 -0
- package/examples/mcp-postgres-billing-app-handler/app-handler.mjs +197 -0
- package/examples/mcp-postgres-billing-app-handler/docker-compose.yml +13 -0
- package/examples/mcp-postgres-billing-app-handler/schema.sql +59 -0
- package/examples/mcp-postgres-billing-app-handler/scripts/run-demo.sh +99 -0
- package/examples/mcp-postgres-billing-app-handler/seed.sql +39 -0
- package/examples/mcp-postgres-billing-app-handler/synapsor.runner.json +157 -0
- package/examples/openai-agents-http/README.md +64 -0
- package/examples/openai-agents-http/agent.py +54 -0
- package/examples/openai-agents-http/requirements.txt +1 -0
- package/examples/openai-agents-stdio/README.md +66 -0
- package/examples/openai-agents-stdio/agent.py +72 -0
- package/examples/openai-agents-stdio/requirements.txt +1 -0
- package/examples/reference-support-billing-app/README.md +137 -0
- package/examples/reference-support-billing-app/docker-compose.yml +13 -0
- package/examples/reference-support-billing-app/mcp-client.generic.json +11 -0
- package/examples/reference-support-billing-app/schema.sql +68 -0
- package/examples/reference-support-billing-app/scripts/run-demo.sh +7 -0
- package/examples/reference-support-billing-app/seed.sql +33 -0
- package/examples/reference-support-billing-app/synapsor.runner.json +241 -0
- package/fixtures/benchmark/mcp-efficiency.json +53 -0
- package/fixtures/benchmark/mcp-efficiency.txt +25 -0
- package/fixtures/protocol/MANIFEST.json +54 -0
- package/fixtures/protocol/change-set.late-fee-waiver.v1.json +72 -0
- package/fixtures/protocol/execution-receipt.applied.v1.json +14 -0
- package/fixtures/protocol/execution-receipt.conflict.v1.json +15 -0
- package/fixtures/protocol/runner-registration.v1.json +22 -0
- package/fixtures/protocol/writeback-job.late-fee-waiver.v1.json +44 -0
- package/package.json +14 -4
- package/recipes/accounts.trial_extension.json +42 -0
- package/recipes/billing.late_fee_waiver.json +46 -0
- package/recipes/credits.account_credit.json +45 -0
- package/recipes/orders.refund_review.json +57 -0
- package/recipes/support.ticket_resolution.json +51 -0
- package/dist/bin.cjs +0 -13
|
@@ -0,0 +1,270 @@
|
|
|
1
|
+
# MCP Client Setup
|
|
2
|
+
|
|
3
|
+
The primary local proof path is still the one-command Docker demo:
|
|
4
|
+
|
|
5
|
+
```bash
|
|
6
|
+
./scripts/demo-docker.sh
|
|
7
|
+
```
|
|
8
|
+
|
|
9
|
+
Use this page after that demo passes and you want to attach a local MCP client
|
|
10
|
+
or SDK. The simplest local-client contract is stdio. Standard HTTP MCP is
|
|
11
|
+
available through Streamable HTTP when your agent connects to a long-running
|
|
12
|
+
Runner service.
|
|
13
|
+
|
|
14
|
+
Command examples use the published alpha package through `npx`. From a source
|
|
15
|
+
checkout, use `./bin/synapsor-runner ...` only when you intentionally want the local
|
|
16
|
+
source wrapper.
|
|
17
|
+
|
|
18
|
+
Checked examples live in:
|
|
19
|
+
|
|
20
|
+
```text
|
|
21
|
+
examples/mcp-client-configs/
|
|
22
|
+
```
|
|
23
|
+
|
|
24
|
+
Validate them with:
|
|
25
|
+
|
|
26
|
+
```bash
|
|
27
|
+
corepack pnpm test:mcp-client-configs
|
|
28
|
+
```
|
|
29
|
+
|
|
30
|
+
## Stdio Vs HTTP MCP
|
|
31
|
+
|
|
32
|
+
| Mode | Use when | Command |
|
|
33
|
+
| --- | --- | --- |
|
|
34
|
+
| stdio | Claude Desktop, Cursor, VS Code, or another local MCP client can launch Synapsor Runner | `synapsor-runner mcp serve` |
|
|
35
|
+
| Streamable HTTP MCP | Your app/server, Python agent, Node service, or container uses a standard HTTP MCP client | `synapsor-runner mcp serve-streamable-http` |
|
|
36
|
+
| JSON-RPC bridge | Your app wants a small explicit wrapper around `tools/list`, `tools/call`, and `resources/read` | `synapsor-runner mcp serve-http` |
|
|
37
|
+
|
|
38
|
+
Stdio keeps the MCP protocol on process stdin/stdout and is the simplest local
|
|
39
|
+
developer path. Streamable HTTP implements MCP initialize/session behavior over
|
|
40
|
+
an authenticated `/mcp` endpoint. The JSON-RPC bridge is intentionally smaller
|
|
41
|
+
and does not implement MCP initialize/session behavior.
|
|
42
|
+
|
|
43
|
+
HTTP requires bearer auth by default:
|
|
44
|
+
|
|
45
|
+
```bash
|
|
46
|
+
export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
|
|
47
|
+
|
|
48
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner mcp serve-streamable-http \
|
|
49
|
+
--config ./synapsor.runner.json \
|
|
50
|
+
--store ./.synapsor/local.db \
|
|
51
|
+
--auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
|
|
52
|
+
```
|
|
53
|
+
|
|
54
|
+
OpenAI Agents SDK rejects dotted function/tool names such as
|
|
55
|
+
`billing.inspect_invoice`. For OpenAI-facing transports, ask Runner to expose
|
|
56
|
+
OpenAI-safe aliases while keeping canonical Synapsor capability names in MCP
|
|
57
|
+
metadata:
|
|
58
|
+
|
|
59
|
+
```bash
|
|
60
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner mcp serve-streamable-http \
|
|
61
|
+
--config ./synapsor.runner.json \
|
|
62
|
+
--store ./.synapsor/local.db \
|
|
63
|
+
--auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN \
|
|
64
|
+
--alias-mode openai
|
|
65
|
+
```
|
|
66
|
+
|
|
67
|
+
The model sees names such as `billing__inspect_invoice`; `_meta` includes
|
|
68
|
+
`synapsor.canonical_tool_name = billing.inspect_invoice`, and Runner routes the
|
|
69
|
+
alias back to the canonical capability. Use `--alias-mode both` only when a
|
|
70
|
+
migration needs canonical dotted names and OpenAI-safe aliases exposed at the
|
|
71
|
+
same time.
|
|
72
|
+
|
|
73
|
+
Preview the exact alias mapping before wiring a client:
|
|
74
|
+
|
|
75
|
+
```bash
|
|
76
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner tools preview \
|
|
77
|
+
--config ./synapsor.runner.json \
|
|
78
|
+
--store ./.synapsor/local.db \
|
|
79
|
+
--alias-mode openai
|
|
80
|
+
```
|
|
81
|
+
|
|
82
|
+
Use private networking/TLS before exposing HTTP MCP beyond localhost. Details:
|
|
83
|
+
[HTTP MCP](http-mcp.md).
|
|
84
|
+
|
|
85
|
+
## Generate A Client Snippet
|
|
86
|
+
|
|
87
|
+
Print a snippet without modifying any client files:
|
|
88
|
+
|
|
89
|
+
```bash
|
|
90
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner mcp config claude-desktop \
|
|
91
|
+
--config ./synapsor.runner.json \
|
|
92
|
+
--store ./.synapsor/local.db
|
|
93
|
+
```
|
|
94
|
+
|
|
95
|
+
Supported client names:
|
|
96
|
+
|
|
97
|
+
```text
|
|
98
|
+
generic-stdio
|
|
99
|
+
generic
|
|
100
|
+
claude-desktop
|
|
101
|
+
cursor
|
|
102
|
+
vscode
|
|
103
|
+
openai-agents
|
|
104
|
+
```
|
|
105
|
+
|
|
106
|
+
For OpenAI Agents SDK, generate the Streamable HTTP start command and Python
|
|
107
|
+
snippet:
|
|
108
|
+
|
|
109
|
+
```bash
|
|
110
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner mcp client-config \
|
|
111
|
+
--client openai-agents \
|
|
112
|
+
--config ./synapsor.runner.json \
|
|
113
|
+
--store ./.synapsor/local.db
|
|
114
|
+
```
|
|
115
|
+
|
|
116
|
+
The older form is still supported:
|
|
117
|
+
|
|
118
|
+
```bash
|
|
119
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner mcp configure --client claude-desktop --config ./synapsor.runner.json --store ./.synapsor/local.db
|
|
120
|
+
```
|
|
121
|
+
|
|
122
|
+
Write is opt-in and requires an explicit destination:
|
|
123
|
+
|
|
124
|
+
```bash
|
|
125
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner mcp configure \
|
|
126
|
+
--client cursor \
|
|
127
|
+
--config ./synapsor.runner.json \
|
|
128
|
+
--store ./.synapsor/local.db \
|
|
129
|
+
--write \
|
|
130
|
+
--destination ./cursor-mcp.json
|
|
131
|
+
```
|
|
132
|
+
|
|
133
|
+
When the destination already exists, Synapsor Runner creates a timestamped
|
|
134
|
+
backup before writing. Noninteractive scripts must add `--yes`.
|
|
135
|
+
|
|
136
|
+
The command writes only the local stdio MCP command and args. It does not write
|
|
137
|
+
database URLs or passwords into the client config.
|
|
138
|
+
|
|
139
|
+
## Start Command
|
|
140
|
+
|
|
141
|
+
From the runner repository:
|
|
142
|
+
|
|
143
|
+
```bash
|
|
144
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner mcp serve --config ./examples/mcp-postgres-billing/synapsor.runner.json --store ./.synapsor/local.db
|
|
145
|
+
```
|
|
146
|
+
|
|
147
|
+
For the alpha package, keep the package tag explicit in client configuration.
|
|
148
|
+
|
|
149
|
+
For standard app/server HTTP MCP mode:
|
|
150
|
+
|
|
151
|
+
```bash
|
|
152
|
+
export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
|
|
153
|
+
|
|
154
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner mcp serve-streamable-http \
|
|
155
|
+
--config ./examples/mcp-postgres-billing/synapsor.runner.json \
|
|
156
|
+
--store ./.synapsor/local.db \
|
|
157
|
+
--auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
|
|
158
|
+
```
|
|
159
|
+
|
|
160
|
+
For the smaller JSON-RPC bridge, use `synapsor-runner mcp serve-http` instead.
|
|
161
|
+
|
|
162
|
+
## Generic stdio Client
|
|
163
|
+
|
|
164
|
+
```json
|
|
165
|
+
{
|
|
166
|
+
"mcpServers": {
|
|
167
|
+
"synapsor-runner": {
|
|
168
|
+
"command": "npx",
|
|
169
|
+
"args": [
|
|
170
|
+
"-y",
|
|
171
|
+
"-p",
|
|
172
|
+
"@synapsor/runner@alpha",
|
|
173
|
+
"synapsor-runner",
|
|
174
|
+
"mcp",
|
|
175
|
+
"serve",
|
|
176
|
+
"--config",
|
|
177
|
+
"./examples/mcp-postgres-billing/synapsor.runner.json",
|
|
178
|
+
"--store",
|
|
179
|
+
"./.synapsor/local.db"
|
|
180
|
+
],
|
|
181
|
+
"env": {
|
|
182
|
+
"BILLING_POSTGRES_READ_URL": "postgresql://synapsor_reader:...@localhost:55433/synapsor_runner_mcp_billing",
|
|
183
|
+
"SYNAPSOR_TENANT_ID": "acme",
|
|
184
|
+
"SYNAPSOR_PRINCIPAL": "local_billing_agent"
|
|
185
|
+
}
|
|
186
|
+
}
|
|
187
|
+
}
|
|
188
|
+
}
|
|
189
|
+
```
|
|
190
|
+
|
|
191
|
+
The MCP server should list semantic tools such as:
|
|
192
|
+
|
|
193
|
+
```text
|
|
194
|
+
billing.inspect_invoice
|
|
195
|
+
billing.propose_late_fee_waiver
|
|
196
|
+
```
|
|
197
|
+
|
|
198
|
+
It should not list:
|
|
199
|
+
|
|
200
|
+
```text
|
|
201
|
+
execute_sql
|
|
202
|
+
run_query
|
|
203
|
+
approve_proposal
|
|
204
|
+
commit_proposal
|
|
205
|
+
```
|
|
206
|
+
|
|
207
|
+
## Sanity Check The Agent Connection
|
|
208
|
+
|
|
209
|
+
After installing the MCP client snippet, restart the client and run a deliberately
|
|
210
|
+
small tool-call test.
|
|
211
|
+
|
|
212
|
+
First confirm what Runner exposes:
|
|
213
|
+
|
|
214
|
+
```bash
|
|
215
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner tools preview \
|
|
216
|
+
--config ./synapsor.runner.json \
|
|
217
|
+
--store ./.synapsor/local.db
|
|
218
|
+
```
|
|
219
|
+
|
|
220
|
+
Then ask the MCP client:
|
|
221
|
+
|
|
222
|
+
```text
|
|
223
|
+
Use the Synapsor Runner MCP tool to inspect invoice INV-3001.
|
|
224
|
+
Do not answer from memory.
|
|
225
|
+
Return the tool name called, the evidence handle, and whether raw SQL was available.
|
|
226
|
+
```
|
|
227
|
+
|
|
228
|
+
Expected result:
|
|
229
|
+
|
|
230
|
+
- the client calls a tool such as `billing.inspect_invoice`;
|
|
231
|
+
- the response includes an evidence handle or local ledger reference;
|
|
232
|
+
- the model reports that raw SQL, write credentials, approval tools, and commit
|
|
233
|
+
tools were not available.
|
|
234
|
+
|
|
235
|
+
If the answer is generic prose or unrelated task planning with no tool call and
|
|
236
|
+
no evidence handle, Synapsor Runner is not connected to that agent session yet.
|
|
237
|
+
Check the MCP config path, restart the client, set trusted context env vars, and
|
|
238
|
+
run `tools/list` or `synapsor-runner tools preview` again.
|
|
239
|
+
|
|
240
|
+
## Claude Desktop / Cursor / VS Code
|
|
241
|
+
|
|
242
|
+
Use the matching checked-in example as the starting point:
|
|
243
|
+
|
|
244
|
+
```text
|
|
245
|
+
examples/mcp-client-configs/claude-desktop.json
|
|
246
|
+
examples/mcp-client-configs/cursor.json
|
|
247
|
+
examples/mcp-client-configs/vscode.json
|
|
248
|
+
```
|
|
249
|
+
|
|
250
|
+
Each example uses the same stdio command/args/env structure. Replace the placeholder environment variables in your client settings or shell environment.
|
|
251
|
+
|
|
252
|
+
Do not add a write database URL to the MCP server environment unless you are intentionally running a local review/writeback demo. For normal read/proposal tool calls, use the read URL and trusted context values only.
|
|
253
|
+
|
|
254
|
+
Before documenting a client UI as officially tested, verify:
|
|
255
|
+
|
|
256
|
+
1. the server starts;
|
|
257
|
+
2. `tools/list` returns semantic tools;
|
|
258
|
+
3. read tools return evidence handles;
|
|
259
|
+
4. proposal tools return exact diffs and `source_database_changed: false`;
|
|
260
|
+
5. no approval or commit tool is model-callable;
|
|
261
|
+
6. resource reads work for proposal/evidence/replay handles.
|
|
262
|
+
|
|
263
|
+
## Troubleshooting
|
|
264
|
+
|
|
265
|
+
- Server not listed: check the command path, working directory, and config path.
|
|
266
|
+
- Tool schema mismatch: run `synapsor-runner audit <exported-tools.json>`.
|
|
267
|
+
- Missing trusted context: set `SYNAPSOR_TENANT_ID` and `SYNAPSOR_PRINCIPAL`, or use the environment variables configured in `trusted_context.values`.
|
|
268
|
+
- Database unavailable: verify the read credential and host access.
|
|
269
|
+
- Proposal waiting review: approve outside the model with `synapsor-runner proposals approve`.
|
|
270
|
+
- Stale-row conflict: inspect replay; the source row changed after the proposal was created, so the guarded worker refused to commit.
|
|
@@ -0,0 +1,57 @@
|
|
|
1
|
+
# OpenAI Agents SDK
|
|
2
|
+
|
|
3
|
+
Use Synapsor Runner with the OpenAI Agents SDK through standard MCP Streamable
|
|
4
|
+
HTTP. Runner exposes semantic database tools to the model and keeps approval,
|
|
5
|
+
writeback, database URLs, and write credentials outside the model-facing tool
|
|
6
|
+
surface.
|
|
7
|
+
|
|
8
|
+
## Start Runner
|
|
9
|
+
|
|
10
|
+
```bash
|
|
11
|
+
export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
|
|
12
|
+
|
|
13
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner mcp serve-streamable-http \
|
|
14
|
+
--config ./synapsor.runner.json \
|
|
15
|
+
--store ./.synapsor/local.db \
|
|
16
|
+
--auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN \
|
|
17
|
+
--alias-mode openai
|
|
18
|
+
```
|
|
19
|
+
|
|
20
|
+
`--alias-mode openai` is important because OpenAI function/tool names cannot
|
|
21
|
+
contain dots. Runner exposes names such as `billing__inspect_invoice` to the
|
|
22
|
+
model and maps calls back to canonical Synapsor capability names such as
|
|
23
|
+
`billing.inspect_invoice`.
|
|
24
|
+
|
|
25
|
+
## Generate The Snippet
|
|
26
|
+
|
|
27
|
+
```bash
|
|
28
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner mcp client-config \
|
|
29
|
+
--client openai-agents \
|
|
30
|
+
--config ./synapsor.runner.json \
|
|
31
|
+
--store ./.synapsor/local.db
|
|
32
|
+
```
|
|
33
|
+
|
|
34
|
+
The generated output includes:
|
|
35
|
+
|
|
36
|
+
- the Streamable HTTP server command;
|
|
37
|
+
- the `/mcp` URL;
|
|
38
|
+
- a Python `MCPServerStreamableHttp` snippet;
|
|
39
|
+
- the OpenAI alias note.
|
|
40
|
+
|
|
41
|
+
It does not include database URLs, passwords, write credentials, API keys, or
|
|
42
|
+
bearer token values.
|
|
43
|
+
|
|
44
|
+
## Sanity Check
|
|
45
|
+
|
|
46
|
+
Before giving the agent a real task, ask it to inspect one known object and
|
|
47
|
+
return the tool name it called plus the evidence handle. A healthy setup calls a
|
|
48
|
+
semantic tool such as `billing__inspect_invoice`. It should not expose
|
|
49
|
+
`execute_sql`, approval tools, commit/apply tools, database URLs, or write
|
|
50
|
+
credentials.
|
|
51
|
+
|
|
52
|
+
## Examples
|
|
53
|
+
|
|
54
|
+
```text
|
|
55
|
+
examples/openai-agents-http/
|
|
56
|
+
examples/openai-agents-stdio/
|
|
57
|
+
```
|
package/docs/recipes.md
ADDED
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
# Capability Recipes
|
|
2
|
+
|
|
3
|
+
Recipes are reviewed starter contracts for common database-backed agent actions.
|
|
4
|
+
|
|
5
|
+
They do not introspect and silently guess write authority. They generate a
|
|
6
|
+
starter config that you must map to your actual staging table names, columns,
|
|
7
|
+
tenant key, conflict column, and business limits.
|
|
8
|
+
|
|
9
|
+
List recipes:
|
|
10
|
+
|
|
11
|
+
```bash
|
|
12
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner recipes list
|
|
13
|
+
```
|
|
14
|
+
|
|
15
|
+
Inspect one:
|
|
16
|
+
|
|
17
|
+
```bash
|
|
18
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner recipes show billing.late_fee_waiver
|
|
19
|
+
```
|
|
20
|
+
|
|
21
|
+
Initialize a starter config:
|
|
22
|
+
|
|
23
|
+
```bash
|
|
24
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner recipes init billing.late_fee_waiver --output synapsor.runner.json
|
|
25
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner config validate --config synapsor.runner.json
|
|
26
|
+
```
|
|
27
|
+
|
|
28
|
+
Built-in recipes are JSON files under `recipes/`. They are starter data, not
|
|
29
|
+
runtime hardcoding. You can copy one, edit table/column/tool names for your
|
|
30
|
+
domain, and initialize from your file:
|
|
31
|
+
|
|
32
|
+
```bash
|
|
33
|
+
cp recipes/billing.late_fee_waiver.json my-recipe.json
|
|
34
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner recipes show ./my-recipe.json
|
|
35
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner recipes init ./my-recipe.json --output synapsor.runner.json
|
|
36
|
+
```
|
|
37
|
+
|
|
38
|
+
Available recipes:
|
|
39
|
+
|
|
40
|
+
- `billing.late_fee_waiver`
|
|
41
|
+
- `support.ticket_resolution`
|
|
42
|
+
- `orders.refund_review`
|
|
43
|
+
- `accounts.trial_extension`
|
|
44
|
+
- `credits.account_credit`
|
|
45
|
+
|
|
46
|
+
Each recipe includes:
|
|
47
|
+
|
|
48
|
+
- expected table type;
|
|
49
|
+
- required columns;
|
|
50
|
+
- recommended primary key;
|
|
51
|
+
- recommended tenant key;
|
|
52
|
+
- recommended conflict/version column;
|
|
53
|
+
- visible columns;
|
|
54
|
+
- allowed write columns;
|
|
55
|
+
- patch mapping;
|
|
56
|
+
- numeric/status bounds where relevant;
|
|
57
|
+
- semantic MCP tool names;
|
|
58
|
+
- staging-first notes.
|
|
59
|
+
|
|
60
|
+
Start with staging or a disposable database. Keep production write credentials
|
|
61
|
+
out of the MCP client.
|
|
@@ -0,0 +1,158 @@
|
|
|
1
|
+
# Release Notes
|
|
2
|
+
|
|
3
|
+
These notes track public Synapsor Runner alpha behavior. While the runner is in
|
|
4
|
+
alpha, install with the explicit alpha tag or an exact version. Do not rely on
|
|
5
|
+
the untagged `latest` dist-tag until a stable release is published.
|
|
6
|
+
|
|
7
|
+
```bash
|
|
8
|
+
npx -y -p @synapsor/runner@alpha synapsor-runner demo --quick
|
|
9
|
+
```
|
|
10
|
+
|
|
11
|
+
The OSS runner command is `synapsor-runner`. The `synapsor` command is reserved
|
|
12
|
+
for the Synapsor Cloud CLI.
|
|
13
|
+
|
|
14
|
+
## 0.1.0-alpha.11
|
|
15
|
+
|
|
16
|
+
### OpenAI MCP Aliases
|
|
17
|
+
|
|
18
|
+
- `synapsor-runner mcp serve` and `synapsor-runner mcp serve-streamable-http`
|
|
19
|
+
now accept `--alias-mode openai` and `--openai-tool-aliases`.
|
|
20
|
+
- `synapsor-runner mcp serve --transport streamable-http` is available as a
|
|
21
|
+
unified command form for the standard HTTP MCP server.
|
|
22
|
+
- `synapsor-runner mcp client-config --client openai-agents` prints a
|
|
23
|
+
Streamable HTTP start command and OpenAI Agents SDK snippet.
|
|
24
|
+
- `synapsor-runner tools preview --alias-mode openai` shows model-visible alias
|
|
25
|
+
names and the canonical Synapsor capability each alias maps to.
|
|
26
|
+
- `examples/mcp-postgres-billing-app-handler/` adds a disposable Postgres proof
|
|
27
|
+
for the app-owned executor path: proposal first, approval outside MCP,
|
|
28
|
+
account-credit row inserted by the app handler, idempotent retry, and replay.
|
|
29
|
+
- `--alias-mode both` exposes canonical dotted names and OpenAI-safe aliases
|
|
30
|
+
together for migration/debugging.
|
|
31
|
+
- OpenAI alias mode exposes MCP tool names such as
|
|
32
|
+
`billing__inspect_invoice` instead of canonical dotted names such as
|
|
33
|
+
`billing.inspect_invoice`.
|
|
34
|
+
- Tool metadata includes `synapsor.canonical_tool_name`,
|
|
35
|
+
`synapsor.exposed_tool_name`, and `synapsor.tool_name_style`, so reviewers
|
|
36
|
+
can still see the canonical Synapsor capability.
|
|
37
|
+
- Runner routes alias calls back to the canonical capability. This removes the
|
|
38
|
+
need for user-written OpenAI wrapper code whose only job is replacing dots in
|
|
39
|
+
tool names.
|
|
40
|
+
- The OpenAI Agents SDK stdio and Streamable HTTP examples now document the
|
|
41
|
+
built-in alias mode.
|
|
42
|
+
|
|
43
|
+
## 0.1.0-alpha.10
|
|
44
|
+
|
|
45
|
+
### First-Run Flow
|
|
46
|
+
|
|
47
|
+
- `synapsor-runner start --from-env DATABASE_URL` is the shortest own-database
|
|
48
|
+
onboarding command. It is an alias for the guided `onboard db --from-env`
|
|
49
|
+
flow, not the legacy cloud worker.
|
|
50
|
+
- The wizard inspects database metadata, creates trusted context bindings,
|
|
51
|
+
generates semantic capabilities, writes `.env.example`, previews MCP tools,
|
|
52
|
+
and prints exact smoke-call, MCP, and UI commands.
|
|
53
|
+
- If you provide a real object id and the required environment variables are
|
|
54
|
+
set, onboarding attempts the first smoke tool call and stores local evidence
|
|
55
|
+
and query audit. If not, it prints the exact `smoke call` command to run
|
|
56
|
+
after setting the values.
|
|
57
|
+
- `synapsor-runner ui --open` opens the local review UI and is the preferred
|
|
58
|
+
way to inspect proposals, evidence, receipts, and replay after a demo or
|
|
59
|
+
smoke call.
|
|
60
|
+
|
|
61
|
+
### MCP Transport
|
|
62
|
+
|
|
63
|
+
- `synapsor-runner mcp serve` is standard stdio MCP for local MCP clients that
|
|
64
|
+
can launch Runner, such as Claude Desktop, Cursor, and similar clients.
|
|
65
|
+
- `synapsor-runner mcp serve-streamable-http` is the standard Streamable HTTP
|
|
66
|
+
MCP path for app/server agents and SDK clients. It implements MCP
|
|
67
|
+
initialize/session behavior on the `/mcp` endpoint.
|
|
68
|
+
- `synapsor-runner mcp serve-http` is an authenticated JSON-RPC bridge for
|
|
69
|
+
simple `tools/list`, `tools/call`, and `resources/read` wrappers. It is not
|
|
70
|
+
the standard Streamable HTTP MCP transport.
|
|
71
|
+
- The OpenAI Agents SDK HTTP example uses the Streamable HTTP MCP path. Use the
|
|
72
|
+
JSON-RPC bridge only when you intentionally want a thin app-owned wrapper.
|
|
73
|
+
|
|
74
|
+
### Writeback
|
|
75
|
+
|
|
76
|
+
- Direct SQL writeback is intentionally narrow: guarded single-row `UPDATE`
|
|
77
|
+
only. It does not support arbitrary SQL, DDL, `INSERT`, `DELETE`, `UPSERT`,
|
|
78
|
+
stored procedures, or multi-row writes.
|
|
79
|
+
- Direct SQL writeback reads the trusted writer connection from the source
|
|
80
|
+
`write_url_env` in `synapsor.runner.json`, such as
|
|
81
|
+
`SYNAPSOR_DATABASE_WRITE_URL`.
|
|
82
|
+
- `SYNAPSOR_DATABASE_URL` is accepted only as a legacy fallback for older
|
|
83
|
+
direct worker/apply flows without a local config.
|
|
84
|
+
- Direct SQL writeback creates or writes `synapsor_writeback_receipts` for
|
|
85
|
+
idempotency and replay. The trusted writer needs permission for that receipt
|
|
86
|
+
table, or an administrator must pre-create the table and grant access.
|
|
87
|
+
- Use `synapsor-runner writeback doctor`, `writeback migration`, and
|
|
88
|
+
`writeback grants` to inspect and prepare the direct writeback path.
|
|
89
|
+
- Use app-owned `http_handler` or `command_handler` executors for rich writes
|
|
90
|
+
such as inserting credit rows, opening tickets, deleting records through app
|
|
91
|
+
policy, or updating multiple related rows.
|
|
92
|
+
- `synapsor-runner handler template` writes starter Node/Fastify,
|
|
93
|
+
Python/FastAPI, or command-handler files so rich writes can start from an
|
|
94
|
+
app-owned transaction boundary instead of hand-writing a handler from
|
|
95
|
+
scratch.
|
|
96
|
+
|
|
97
|
+
### Evidence And Replay
|
|
98
|
+
|
|
99
|
+
- Read-only capabilities produce scoped semantic tools, trusted context
|
|
100
|
+
binding, evidence handles, query audit, and local inspection records.
|
|
101
|
+
- Proposal workflows add full local replay across evidence, approval,
|
|
102
|
+
writeback jobs, execution receipts, and events.
|
|
103
|
+
- External Postgres/MySQL databases are not physically branched by Runner.
|
|
104
|
+
Replay covers records captured by Runner; it is not external database
|
|
105
|
+
time travel.
|
|
106
|
+
|
|
107
|
+
### Known Limitations
|
|
108
|
+
|
|
109
|
+
- This is an alpha local runner, not Synapsor Cloud, not the Synapsor DBMS, and
|
|
110
|
+
not a generic MCP security platform.
|
|
111
|
+
- Runner does not expose model-callable approval, commit, apply, or raw SQL
|
|
112
|
+
tools.
|
|
113
|
+
- Runner does not implement Synapsor Cloud workflow DAGs, native branches,
|
|
114
|
+
auto-merge, settlement policies, hosted RBAC/SSO, hosted evidence retention,
|
|
115
|
+
CDC, managed runner fleets, compliance exports, production SLA, or C++ DBMS
|
|
116
|
+
internals.
|
|
117
|
+
- The local store is single-node SQLite for local/dev/staging usage.
|
|
118
|
+
- Node >= 22.5.0 is required because the local ledger uses Node's
|
|
119
|
+
`node:sqlite` runtime. Use a supported Node runtime or the Docker-backed
|
|
120
|
+
source demo path.
|
|
121
|
+
|
|
122
|
+
### Upgrade Notes From Earlier Alphas
|
|
123
|
+
|
|
124
|
+
- Public command examples now use `synapsor-runner`, not `synapsor`.
|
|
125
|
+
- Standard HTTP MCP examples now use `mcp serve-streamable-http`; `mcp
|
|
126
|
+
serve-http` is documented as the JSON-RPC bridge.
|
|
127
|
+
- Direct SQL writeback docs now use `write_url_env` for writer credentials and
|
|
128
|
+
document `SYNAPSOR_DATABASE_URL` only as a legacy fallback.
|
|
129
|
+
- Receipt-table permissions are now a documented writeback requirement.
|
|
130
|
+
- The quick demo is guided in interactive terminals, concise in noninteractive
|
|
131
|
+
mode, and keeps the longer explanation behind `--details`.
|
|
132
|
+
|
|
133
|
+
## Stable Release Policy
|
|
134
|
+
|
|
135
|
+
Stay on `@synapsor/runner@alpha` or an exact alpha version while first-run
|
|
136
|
+
onboarding, MCP transport behavior, and writeback documentation are still
|
|
137
|
+
changing. A stable `0.1.0` release should only be tagged after:
|
|
138
|
+
|
|
139
|
+
- the README's npm commands match the published package;
|
|
140
|
+
- a clean temporary directory can run the quick demo, own-database onboarding,
|
|
141
|
+
MCP config generation, smoke call, UI, and replay commands;
|
|
142
|
+
- stdio MCP and Streamable HTTP MCP are covered by tests and examples;
|
|
143
|
+
- direct and app-owned writeback requirements are documented and verified; and
|
|
144
|
+
- known limitations are still accurate.
|
|
145
|
+
|
|
146
|
+
For the local tarball before publish, run:
|
|
147
|
+
|
|
148
|
+
```bash
|
|
149
|
+
./scripts/verify-packed-runner.sh
|
|
150
|
+
./scripts/verify-packed-own-db.sh
|
|
151
|
+
```
|
|
152
|
+
|
|
153
|
+
After publishing an alpha, verify the public package from a clean temporary
|
|
154
|
+
directory:
|
|
155
|
+
|
|
156
|
+
```bash
|
|
157
|
+
./scripts/verify-published-alpha.sh 0.1.0-alpha.11
|
|
158
|
+
```
|
|
@@ -0,0 +1,94 @@
|
|
|
1
|
+
# Security Boundary
|
|
2
|
+
|
|
3
|
+
Synapsor Runner controls a narrow database path for MCP agents. It does not make
|
|
4
|
+
MCP generally secure and it does not solve prompt injection.
|
|
5
|
+
|
|
6
|
+
## Least-privilege database access
|
|
7
|
+
|
|
8
|
+
Use a read-only database user, restricted views, row-level security, and staging
|
|
9
|
+
data where appropriate. Synapsor Runner is not a replacement for database
|
|
10
|
+
permissions.
|
|
11
|
+
|
|
12
|
+
Database permissions protect the connection. Synapsor Runner shapes the
|
|
13
|
+
model-facing interface: reviewed semantic capabilities, trusted context
|
|
14
|
+
binding, evidence handles, query audit, local inspection, and proposal-first
|
|
15
|
+
writes instead of model-facing commit authority.
|
|
16
|
+
|
|
17
|
+
If all you need is restricted reads, database permissions are a good start.
|
|
18
|
+
Use Synapsor Runner when you also want the agent-facing layer: semantic tools,
|
|
19
|
+
trusted context, evidence handles, query audit, local inspection, and
|
|
20
|
+
proposal-first writes. Proposal workflows add full replay across evidence,
|
|
21
|
+
approval, writeback receipts, and events.
|
|
22
|
+
|
|
23
|
+
The model-facing MCP server exposes reviewed semantic tools such as
|
|
24
|
+
`billing.inspect_invoice` and `billing.propose_late_fee_waiver`.
|
|
25
|
+
|
|
26
|
+
The model does not receive:
|
|
27
|
+
|
|
28
|
+
- raw SQL;
|
|
29
|
+
- a generic `execute_sql` tool;
|
|
30
|
+
- arbitrary table, schema, or column names;
|
|
31
|
+
- database URLs or credentials;
|
|
32
|
+
- approval tools;
|
|
33
|
+
- commit/writeback tools;
|
|
34
|
+
- trusted tenant or principal authority as ordinary model arguments.
|
|
35
|
+
|
|
36
|
+
Trusted context comes from local configuration, environment bindings, or Cloud
|
|
37
|
+
session context in Cloud mode. Tenant, principal, and authorization scope must
|
|
38
|
+
not be accepted from the model as authority.
|
|
39
|
+
|
|
40
|
+
Proposal tools read the current row through the read credential, store evidence
|
|
41
|
+
and an exact before/after diff, and leave the source database unchanged.
|
|
42
|
+
|
|
43
|
+
The local proposal store rejects obvious credential material before persistence:
|
|
44
|
+
database URLs, bearer tokens, Synapsor runner tokens, private-key blocks, and
|
|
45
|
+
secret-like fields such as password, token, API key, private key, cookie,
|
|
46
|
+
credential, connection string, read URL, or write URL. If a selected table
|
|
47
|
+
contains one of those fields, remove it from the reviewed visible/evidence
|
|
48
|
+
projection before creating proposals.
|
|
49
|
+
|
|
50
|
+
Writeback is separate. A trusted local runner/apply path uses a write credential
|
|
51
|
+
outside the model-facing MCP server and verifies:
|
|
52
|
+
|
|
53
|
+
- local reviewed config;
|
|
54
|
+
- source and capability identity;
|
|
55
|
+
- fixed safe schema, table, and column identifiers;
|
|
56
|
+
- local approval state;
|
|
57
|
+
- proposal and job digests;
|
|
58
|
+
- target schema/table;
|
|
59
|
+
- primary-key and tenant guards;
|
|
60
|
+
- allowed mutable columns;
|
|
61
|
+
- conflict/version guard;
|
|
62
|
+
- idempotency key;
|
|
63
|
+
- job expiry;
|
|
64
|
+
- exactly one affected row.
|
|
65
|
+
|
|
66
|
+
If any authority check cannot be verified, the write fails closed.
|
|
67
|
+
|
|
68
|
+
For direct SQL writeback, the writer connection is the env var named by the
|
|
69
|
+
source `write_url_env` in `synapsor.runner.json`. Direct SQL writeback also
|
|
70
|
+
creates or writes `synapsor_writeback_receipts` for idempotency and replay, so
|
|
71
|
+
the writer needs permission for that receipt table or an administrator must
|
|
72
|
+
pre-create and grant it. If your database policy forbids Runner-managed receipt
|
|
73
|
+
tables, use an app-owned `http_handler` or `command_handler` executor instead.
|
|
74
|
+
|
|
75
|
+
When a capability uses an `http_handler` or `command_handler` executor, the
|
|
76
|
+
same approval boundary applies. The runner sends a structured proposal/job
|
|
77
|
+
payload to the configured handler after approval. Handler URLs, commands, bearer
|
|
78
|
+
tokens, database URLs, and write credentials come from environment variables and
|
|
79
|
+
are not exposed to MCP tools.
|
|
80
|
+
|
|
81
|
+
Writeback jobs and change sets also reject path-traversal or SQL-fragment-like
|
|
82
|
+
database identifiers such as `../private`, `id/../../tenant_id`, or
|
|
83
|
+
`status; DROP TABLE tickets` before adapter execution. Local CLI file paths
|
|
84
|
+
remain explicit user-provided paths; they are not model-facing authority.
|
|
85
|
+
|
|
86
|
+
Local review can happen through the CLI or `synapsor-runner ui`. The UI is a localhost
|
|
87
|
+
review surface with a per-run session token and CSRF protection for
|
|
88
|
+
approve/reject actions. It does not expose raw SQL, database URLs, write
|
|
89
|
+
credentials, approval tools, commit tools, or controls that widen reviewed
|
|
90
|
+
tables/columns.
|
|
91
|
+
|
|
92
|
+
Synapsor Runner supports reviewed single-row business actions only in the
|
|
93
|
+
current alpha. It does not support arbitrary SQL, DDL, `INSERT`, `DELETE`,
|
|
94
|
+
`UPSERT`, or multi-row updates.
|