@synapsor/runner 0.1.0-alpha.1 → 0.1.0-alpha.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (66) hide show
  1. package/README.md +426 -19
  2. package/TRADEMARKS.md +23 -0
  3. package/dist/cli.d.ts +4 -0
  4. package/dist/cli.d.ts.map +1 -1
  5. package/dist/cli.js +20 -8723
  6. package/dist/runner.mjs +12958 -0
  7. package/docs/README.md +53 -0
  8. package/docs/app-owned-executors.md +21 -0
  9. package/docs/cloud-mode.md +24 -0
  10. package/docs/current-scope.md +24 -0
  11. package/docs/dependency-license-inventory.md +35 -0
  12. package/docs/getting-started-own-database.md +460 -0
  13. package/docs/http-mcp.md +276 -0
  14. package/docs/licensing.md +36 -0
  15. package/docs/limitations.md +95 -0
  16. package/docs/local-mode.md +351 -0
  17. package/docs/mcp-audit.md +152 -0
  18. package/docs/mcp-client-setup.md +270 -0
  19. package/docs/openai-agents-sdk.md +57 -0
  20. package/docs/recipes.md +61 -0
  21. package/docs/release-notes.md +158 -0
  22. package/docs/security-boundary.md +94 -0
  23. package/docs/troubleshooting-first-run.md +248 -0
  24. package/docs/use-your-own-database.md +18 -0
  25. package/docs/writeback-executors.md +220 -0
  26. package/examples/app-owned-writeback/README.md +120 -0
  27. package/examples/app-owned-writeback/business-actions.md +221 -0
  28. package/examples/app-owned-writeback/command-handler.mjs +46 -0
  29. package/examples/app-owned-writeback/node-fastify-handler.mjs +55 -0
  30. package/examples/app-owned-writeback/python-fastapi-handler.py +57 -0
  31. package/examples/dangerous-mcp-tools.json +88 -0
  32. package/examples/mcp-postgres-billing-app-handler/README.md +82 -0
  33. package/examples/mcp-postgres-billing-app-handler/app-handler.mjs +197 -0
  34. package/examples/mcp-postgres-billing-app-handler/docker-compose.yml +13 -0
  35. package/examples/mcp-postgres-billing-app-handler/schema.sql +59 -0
  36. package/examples/mcp-postgres-billing-app-handler/scripts/run-demo.sh +99 -0
  37. package/examples/mcp-postgres-billing-app-handler/seed.sql +39 -0
  38. package/examples/mcp-postgres-billing-app-handler/synapsor.runner.json +157 -0
  39. package/examples/openai-agents-http/README.md +64 -0
  40. package/examples/openai-agents-http/agent.py +54 -0
  41. package/examples/openai-agents-http/requirements.txt +1 -0
  42. package/examples/openai-agents-stdio/README.md +66 -0
  43. package/examples/openai-agents-stdio/agent.py +72 -0
  44. package/examples/openai-agents-stdio/requirements.txt +1 -0
  45. package/examples/reference-support-billing-app/README.md +137 -0
  46. package/examples/reference-support-billing-app/docker-compose.yml +13 -0
  47. package/examples/reference-support-billing-app/mcp-client.generic.json +11 -0
  48. package/examples/reference-support-billing-app/schema.sql +68 -0
  49. package/examples/reference-support-billing-app/scripts/run-demo.sh +7 -0
  50. package/examples/reference-support-billing-app/seed.sql +33 -0
  51. package/examples/reference-support-billing-app/synapsor.runner.json +241 -0
  52. package/fixtures/benchmark/mcp-efficiency.json +53 -0
  53. package/fixtures/benchmark/mcp-efficiency.txt +25 -0
  54. package/fixtures/protocol/MANIFEST.json +54 -0
  55. package/fixtures/protocol/change-set.late-fee-waiver.v1.json +72 -0
  56. package/fixtures/protocol/execution-receipt.applied.v1.json +14 -0
  57. package/fixtures/protocol/execution-receipt.conflict.v1.json +15 -0
  58. package/fixtures/protocol/runner-registration.v1.json +22 -0
  59. package/fixtures/protocol/writeback-job.late-fee-waiver.v1.json +44 -0
  60. package/package.json +14 -4
  61. package/recipes/accounts.trial_extension.json +42 -0
  62. package/recipes/billing.late_fee_waiver.json +46 -0
  63. package/recipes/credits.account_credit.json +45 -0
  64. package/recipes/orders.refund_review.json +57 -0
  65. package/recipes/support.ticket_resolution.json +51 -0
  66. package/dist/bin.cjs +0 -13
@@ -0,0 +1,270 @@
1
+ # MCP Client Setup
2
+
3
+ The primary local proof path is still the one-command Docker demo:
4
+
5
+ ```bash
6
+ ./scripts/demo-docker.sh
7
+ ```
8
+
9
+ Use this page after that demo passes and you want to attach a local MCP client
10
+ or SDK. The simplest local-client contract is stdio. Standard HTTP MCP is
11
+ available through Streamable HTTP when your agent connects to a long-running
12
+ Runner service.
13
+
14
+ Command examples use the published alpha package through `npx`. From a source
15
+ checkout, use `./bin/synapsor-runner ...` only when you intentionally want the local
16
+ source wrapper.
17
+
18
+ Checked examples live in:
19
+
20
+ ```text
21
+ examples/mcp-client-configs/
22
+ ```
23
+
24
+ Validate them with:
25
+
26
+ ```bash
27
+ corepack pnpm test:mcp-client-configs
28
+ ```
29
+
30
+ ## Stdio Vs HTTP MCP
31
+
32
+ | Mode | Use when | Command |
33
+ | --- | --- | --- |
34
+ | stdio | Claude Desktop, Cursor, VS Code, or another local MCP client can launch Synapsor Runner | `synapsor-runner mcp serve` |
35
+ | Streamable HTTP MCP | Your app/server, Python agent, Node service, or container uses a standard HTTP MCP client | `synapsor-runner mcp serve-streamable-http` |
36
+ | JSON-RPC bridge | Your app wants a small explicit wrapper around `tools/list`, `tools/call`, and `resources/read` | `synapsor-runner mcp serve-http` |
37
+
38
+ Stdio keeps the MCP protocol on process stdin/stdout and is the simplest local
39
+ developer path. Streamable HTTP implements MCP initialize/session behavior over
40
+ an authenticated `/mcp` endpoint. The JSON-RPC bridge is intentionally smaller
41
+ and does not implement MCP initialize/session behavior.
42
+
43
+ HTTP requires bearer auth by default:
44
+
45
+ ```bash
46
+ export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
47
+
48
+ npx -y -p @synapsor/runner@alpha synapsor-runner mcp serve-streamable-http \
49
+ --config ./synapsor.runner.json \
50
+ --store ./.synapsor/local.db \
51
+ --auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
52
+ ```
53
+
54
+ OpenAI Agents SDK rejects dotted function/tool names such as
55
+ `billing.inspect_invoice`. For OpenAI-facing transports, ask Runner to expose
56
+ OpenAI-safe aliases while keeping canonical Synapsor capability names in MCP
57
+ metadata:
58
+
59
+ ```bash
60
+ npx -y -p @synapsor/runner@alpha synapsor-runner mcp serve-streamable-http \
61
+ --config ./synapsor.runner.json \
62
+ --store ./.synapsor/local.db \
63
+ --auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN \
64
+ --alias-mode openai
65
+ ```
66
+
67
+ The model sees names such as `billing__inspect_invoice`; `_meta` includes
68
+ `synapsor.canonical_tool_name = billing.inspect_invoice`, and Runner routes the
69
+ alias back to the canonical capability. Use `--alias-mode both` only when a
70
+ migration needs canonical dotted names and OpenAI-safe aliases exposed at the
71
+ same time.
72
+
73
+ Preview the exact alias mapping before wiring a client:
74
+
75
+ ```bash
76
+ npx -y -p @synapsor/runner@alpha synapsor-runner tools preview \
77
+ --config ./synapsor.runner.json \
78
+ --store ./.synapsor/local.db \
79
+ --alias-mode openai
80
+ ```
81
+
82
+ Use private networking/TLS before exposing HTTP MCP beyond localhost. Details:
83
+ [HTTP MCP](http-mcp.md).
84
+
85
+ ## Generate A Client Snippet
86
+
87
+ Print a snippet without modifying any client files:
88
+
89
+ ```bash
90
+ npx -y -p @synapsor/runner@alpha synapsor-runner mcp config claude-desktop \
91
+ --config ./synapsor.runner.json \
92
+ --store ./.synapsor/local.db
93
+ ```
94
+
95
+ Supported client names:
96
+
97
+ ```text
98
+ generic-stdio
99
+ generic
100
+ claude-desktop
101
+ cursor
102
+ vscode
103
+ openai-agents
104
+ ```
105
+
106
+ For OpenAI Agents SDK, generate the Streamable HTTP start command and Python
107
+ snippet:
108
+
109
+ ```bash
110
+ npx -y -p @synapsor/runner@alpha synapsor-runner mcp client-config \
111
+ --client openai-agents \
112
+ --config ./synapsor.runner.json \
113
+ --store ./.synapsor/local.db
114
+ ```
115
+
116
+ The older form is still supported:
117
+
118
+ ```bash
119
+ npx -y -p @synapsor/runner@alpha synapsor-runner mcp configure --client claude-desktop --config ./synapsor.runner.json --store ./.synapsor/local.db
120
+ ```
121
+
122
+ Write is opt-in and requires an explicit destination:
123
+
124
+ ```bash
125
+ npx -y -p @synapsor/runner@alpha synapsor-runner mcp configure \
126
+ --client cursor \
127
+ --config ./synapsor.runner.json \
128
+ --store ./.synapsor/local.db \
129
+ --write \
130
+ --destination ./cursor-mcp.json
131
+ ```
132
+
133
+ When the destination already exists, Synapsor Runner creates a timestamped
134
+ backup before writing. Noninteractive scripts must add `--yes`.
135
+
136
+ The command writes only the local stdio MCP command and args. It does not write
137
+ database URLs or passwords into the client config.
138
+
139
+ ## Start Command
140
+
141
+ From the runner repository:
142
+
143
+ ```bash
144
+ npx -y -p @synapsor/runner@alpha synapsor-runner mcp serve --config ./examples/mcp-postgres-billing/synapsor.runner.json --store ./.synapsor/local.db
145
+ ```
146
+
147
+ For the alpha package, keep the package tag explicit in client configuration.
148
+
149
+ For standard app/server HTTP MCP mode:
150
+
151
+ ```bash
152
+ export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
153
+
154
+ npx -y -p @synapsor/runner@alpha synapsor-runner mcp serve-streamable-http \
155
+ --config ./examples/mcp-postgres-billing/synapsor.runner.json \
156
+ --store ./.synapsor/local.db \
157
+ --auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
158
+ ```
159
+
160
+ For the smaller JSON-RPC bridge, use `synapsor-runner mcp serve-http` instead.
161
+
162
+ ## Generic stdio Client
163
+
164
+ ```json
165
+ {
166
+ "mcpServers": {
167
+ "synapsor-runner": {
168
+ "command": "npx",
169
+ "args": [
170
+ "-y",
171
+ "-p",
172
+ "@synapsor/runner@alpha",
173
+ "synapsor-runner",
174
+ "mcp",
175
+ "serve",
176
+ "--config",
177
+ "./examples/mcp-postgres-billing/synapsor.runner.json",
178
+ "--store",
179
+ "./.synapsor/local.db"
180
+ ],
181
+ "env": {
182
+ "BILLING_POSTGRES_READ_URL": "postgresql://synapsor_reader:...@localhost:55433/synapsor_runner_mcp_billing",
183
+ "SYNAPSOR_TENANT_ID": "acme",
184
+ "SYNAPSOR_PRINCIPAL": "local_billing_agent"
185
+ }
186
+ }
187
+ }
188
+ }
189
+ ```
190
+
191
+ The MCP server should list semantic tools such as:
192
+
193
+ ```text
194
+ billing.inspect_invoice
195
+ billing.propose_late_fee_waiver
196
+ ```
197
+
198
+ It should not list:
199
+
200
+ ```text
201
+ execute_sql
202
+ run_query
203
+ approve_proposal
204
+ commit_proposal
205
+ ```
206
+
207
+ ## Sanity Check The Agent Connection
208
+
209
+ After installing the MCP client snippet, restart the client and run a deliberately
210
+ small tool-call test.
211
+
212
+ First confirm what Runner exposes:
213
+
214
+ ```bash
215
+ npx -y -p @synapsor/runner@alpha synapsor-runner tools preview \
216
+ --config ./synapsor.runner.json \
217
+ --store ./.synapsor/local.db
218
+ ```
219
+
220
+ Then ask the MCP client:
221
+
222
+ ```text
223
+ Use the Synapsor Runner MCP tool to inspect invoice INV-3001.
224
+ Do not answer from memory.
225
+ Return the tool name called, the evidence handle, and whether raw SQL was available.
226
+ ```
227
+
228
+ Expected result:
229
+
230
+ - the client calls a tool such as `billing.inspect_invoice`;
231
+ - the response includes an evidence handle or local ledger reference;
232
+ - the model reports that raw SQL, write credentials, approval tools, and commit
233
+ tools were not available.
234
+
235
+ If the answer is generic prose or unrelated task planning with no tool call and
236
+ no evidence handle, Synapsor Runner is not connected to that agent session yet.
237
+ Check the MCP config path, restart the client, set trusted context env vars, and
238
+ run `tools/list` or `synapsor-runner tools preview` again.
239
+
240
+ ## Claude Desktop / Cursor / VS Code
241
+
242
+ Use the matching checked-in example as the starting point:
243
+
244
+ ```text
245
+ examples/mcp-client-configs/claude-desktop.json
246
+ examples/mcp-client-configs/cursor.json
247
+ examples/mcp-client-configs/vscode.json
248
+ ```
249
+
250
+ Each example uses the same stdio command/args/env structure. Replace the placeholder environment variables in your client settings or shell environment.
251
+
252
+ Do not add a write database URL to the MCP server environment unless you are intentionally running a local review/writeback demo. For normal read/proposal tool calls, use the read URL and trusted context values only.
253
+
254
+ Before documenting a client UI as officially tested, verify:
255
+
256
+ 1. the server starts;
257
+ 2. `tools/list` returns semantic tools;
258
+ 3. read tools return evidence handles;
259
+ 4. proposal tools return exact diffs and `source_database_changed: false`;
260
+ 5. no approval or commit tool is model-callable;
261
+ 6. resource reads work for proposal/evidence/replay handles.
262
+
263
+ ## Troubleshooting
264
+
265
+ - Server not listed: check the command path, working directory, and config path.
266
+ - Tool schema mismatch: run `synapsor-runner audit <exported-tools.json>`.
267
+ - Missing trusted context: set `SYNAPSOR_TENANT_ID` and `SYNAPSOR_PRINCIPAL`, or use the environment variables configured in `trusted_context.values`.
268
+ - Database unavailable: verify the read credential and host access.
269
+ - Proposal waiting review: approve outside the model with `synapsor-runner proposals approve`.
270
+ - Stale-row conflict: inspect replay; the source row changed after the proposal was created, so the guarded worker refused to commit.
@@ -0,0 +1,57 @@
1
+ # OpenAI Agents SDK
2
+
3
+ Use Synapsor Runner with the OpenAI Agents SDK through standard MCP Streamable
4
+ HTTP. Runner exposes semantic database tools to the model and keeps approval,
5
+ writeback, database URLs, and write credentials outside the model-facing tool
6
+ surface.
7
+
8
+ ## Start Runner
9
+
10
+ ```bash
11
+ export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
12
+
13
+ npx -y -p @synapsor/runner@alpha synapsor-runner mcp serve-streamable-http \
14
+ --config ./synapsor.runner.json \
15
+ --store ./.synapsor/local.db \
16
+ --auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN \
17
+ --alias-mode openai
18
+ ```
19
+
20
+ `--alias-mode openai` is important because OpenAI function/tool names cannot
21
+ contain dots. Runner exposes names such as `billing__inspect_invoice` to the
22
+ model and maps calls back to canonical Synapsor capability names such as
23
+ `billing.inspect_invoice`.
24
+
25
+ ## Generate The Snippet
26
+
27
+ ```bash
28
+ npx -y -p @synapsor/runner@alpha synapsor-runner mcp client-config \
29
+ --client openai-agents \
30
+ --config ./synapsor.runner.json \
31
+ --store ./.synapsor/local.db
32
+ ```
33
+
34
+ The generated output includes:
35
+
36
+ - the Streamable HTTP server command;
37
+ - the `/mcp` URL;
38
+ - a Python `MCPServerStreamableHttp` snippet;
39
+ - the OpenAI alias note.
40
+
41
+ It does not include database URLs, passwords, write credentials, API keys, or
42
+ bearer token values.
43
+
44
+ ## Sanity Check
45
+
46
+ Before giving the agent a real task, ask it to inspect one known object and
47
+ return the tool name it called plus the evidence handle. A healthy setup calls a
48
+ semantic tool such as `billing__inspect_invoice`. It should not expose
49
+ `execute_sql`, approval tools, commit/apply tools, database URLs, or write
50
+ credentials.
51
+
52
+ ## Examples
53
+
54
+ ```text
55
+ examples/openai-agents-http/
56
+ examples/openai-agents-stdio/
57
+ ```
@@ -0,0 +1,61 @@
1
+ # Capability Recipes
2
+
3
+ Recipes are reviewed starter contracts for common database-backed agent actions.
4
+
5
+ They do not introspect and silently guess write authority. They generate a
6
+ starter config that you must map to your actual staging table names, columns,
7
+ tenant key, conflict column, and business limits.
8
+
9
+ List recipes:
10
+
11
+ ```bash
12
+ npx -y -p @synapsor/runner@alpha synapsor-runner recipes list
13
+ ```
14
+
15
+ Inspect one:
16
+
17
+ ```bash
18
+ npx -y -p @synapsor/runner@alpha synapsor-runner recipes show billing.late_fee_waiver
19
+ ```
20
+
21
+ Initialize a starter config:
22
+
23
+ ```bash
24
+ npx -y -p @synapsor/runner@alpha synapsor-runner recipes init billing.late_fee_waiver --output synapsor.runner.json
25
+ npx -y -p @synapsor/runner@alpha synapsor-runner config validate --config synapsor.runner.json
26
+ ```
27
+
28
+ Built-in recipes are JSON files under `recipes/`. They are starter data, not
29
+ runtime hardcoding. You can copy one, edit table/column/tool names for your
30
+ domain, and initialize from your file:
31
+
32
+ ```bash
33
+ cp recipes/billing.late_fee_waiver.json my-recipe.json
34
+ npx -y -p @synapsor/runner@alpha synapsor-runner recipes show ./my-recipe.json
35
+ npx -y -p @synapsor/runner@alpha synapsor-runner recipes init ./my-recipe.json --output synapsor.runner.json
36
+ ```
37
+
38
+ Available recipes:
39
+
40
+ - `billing.late_fee_waiver`
41
+ - `support.ticket_resolution`
42
+ - `orders.refund_review`
43
+ - `accounts.trial_extension`
44
+ - `credits.account_credit`
45
+
46
+ Each recipe includes:
47
+
48
+ - expected table type;
49
+ - required columns;
50
+ - recommended primary key;
51
+ - recommended tenant key;
52
+ - recommended conflict/version column;
53
+ - visible columns;
54
+ - allowed write columns;
55
+ - patch mapping;
56
+ - numeric/status bounds where relevant;
57
+ - semantic MCP tool names;
58
+ - staging-first notes.
59
+
60
+ Start with staging or a disposable database. Keep production write credentials
61
+ out of the MCP client.
@@ -0,0 +1,158 @@
1
+ # Release Notes
2
+
3
+ These notes track public Synapsor Runner alpha behavior. While the runner is in
4
+ alpha, install with the explicit alpha tag or an exact version. Do not rely on
5
+ the untagged `latest` dist-tag until a stable release is published.
6
+
7
+ ```bash
8
+ npx -y -p @synapsor/runner@alpha synapsor-runner demo --quick
9
+ ```
10
+
11
+ The OSS runner command is `synapsor-runner`. The `synapsor` command is reserved
12
+ for the Synapsor Cloud CLI.
13
+
14
+ ## 0.1.0-alpha.11
15
+
16
+ ### OpenAI MCP Aliases
17
+
18
+ - `synapsor-runner mcp serve` and `synapsor-runner mcp serve-streamable-http`
19
+ now accept `--alias-mode openai` and `--openai-tool-aliases`.
20
+ - `synapsor-runner mcp serve --transport streamable-http` is available as a
21
+ unified command form for the standard HTTP MCP server.
22
+ - `synapsor-runner mcp client-config --client openai-agents` prints a
23
+ Streamable HTTP start command and OpenAI Agents SDK snippet.
24
+ - `synapsor-runner tools preview --alias-mode openai` shows model-visible alias
25
+ names and the canonical Synapsor capability each alias maps to.
26
+ - `examples/mcp-postgres-billing-app-handler/` adds a disposable Postgres proof
27
+ for the app-owned executor path: proposal first, approval outside MCP,
28
+ account-credit row inserted by the app handler, idempotent retry, and replay.
29
+ - `--alias-mode both` exposes canonical dotted names and OpenAI-safe aliases
30
+ together for migration/debugging.
31
+ - OpenAI alias mode exposes MCP tool names such as
32
+ `billing__inspect_invoice` instead of canonical dotted names such as
33
+ `billing.inspect_invoice`.
34
+ - Tool metadata includes `synapsor.canonical_tool_name`,
35
+ `synapsor.exposed_tool_name`, and `synapsor.tool_name_style`, so reviewers
36
+ can still see the canonical Synapsor capability.
37
+ - Runner routes alias calls back to the canonical capability. This removes the
38
+ need for user-written OpenAI wrapper code whose only job is replacing dots in
39
+ tool names.
40
+ - The OpenAI Agents SDK stdio and Streamable HTTP examples now document the
41
+ built-in alias mode.
42
+
43
+ ## 0.1.0-alpha.10
44
+
45
+ ### First-Run Flow
46
+
47
+ - `synapsor-runner start --from-env DATABASE_URL` is the shortest own-database
48
+ onboarding command. It is an alias for the guided `onboard db --from-env`
49
+ flow, not the legacy cloud worker.
50
+ - The wizard inspects database metadata, creates trusted context bindings,
51
+ generates semantic capabilities, writes `.env.example`, previews MCP tools,
52
+ and prints exact smoke-call, MCP, and UI commands.
53
+ - If you provide a real object id and the required environment variables are
54
+ set, onboarding attempts the first smoke tool call and stores local evidence
55
+ and query audit. If not, it prints the exact `smoke call` command to run
56
+ after setting the values.
57
+ - `synapsor-runner ui --open` opens the local review UI and is the preferred
58
+ way to inspect proposals, evidence, receipts, and replay after a demo or
59
+ smoke call.
60
+
61
+ ### MCP Transport
62
+
63
+ - `synapsor-runner mcp serve` is standard stdio MCP for local MCP clients that
64
+ can launch Runner, such as Claude Desktop, Cursor, and similar clients.
65
+ - `synapsor-runner mcp serve-streamable-http` is the standard Streamable HTTP
66
+ MCP path for app/server agents and SDK clients. It implements MCP
67
+ initialize/session behavior on the `/mcp` endpoint.
68
+ - `synapsor-runner mcp serve-http` is an authenticated JSON-RPC bridge for
69
+ simple `tools/list`, `tools/call`, and `resources/read` wrappers. It is not
70
+ the standard Streamable HTTP MCP transport.
71
+ - The OpenAI Agents SDK HTTP example uses the Streamable HTTP MCP path. Use the
72
+ JSON-RPC bridge only when you intentionally want a thin app-owned wrapper.
73
+
74
+ ### Writeback
75
+
76
+ - Direct SQL writeback is intentionally narrow: guarded single-row `UPDATE`
77
+ only. It does not support arbitrary SQL, DDL, `INSERT`, `DELETE`, `UPSERT`,
78
+ stored procedures, or multi-row writes.
79
+ - Direct SQL writeback reads the trusted writer connection from the source
80
+ `write_url_env` in `synapsor.runner.json`, such as
81
+ `SYNAPSOR_DATABASE_WRITE_URL`.
82
+ - `SYNAPSOR_DATABASE_URL` is accepted only as a legacy fallback for older
83
+ direct worker/apply flows without a local config.
84
+ - Direct SQL writeback creates or writes `synapsor_writeback_receipts` for
85
+ idempotency and replay. The trusted writer needs permission for that receipt
86
+ table, or an administrator must pre-create the table and grant access.
87
+ - Use `synapsor-runner writeback doctor`, `writeback migration`, and
88
+ `writeback grants` to inspect and prepare the direct writeback path.
89
+ - Use app-owned `http_handler` or `command_handler` executors for rich writes
90
+ such as inserting credit rows, opening tickets, deleting records through app
91
+ policy, or updating multiple related rows.
92
+ - `synapsor-runner handler template` writes starter Node/Fastify,
93
+ Python/FastAPI, or command-handler files so rich writes can start from an
94
+ app-owned transaction boundary instead of hand-writing a handler from
95
+ scratch.
96
+
97
+ ### Evidence And Replay
98
+
99
+ - Read-only capabilities produce scoped semantic tools, trusted context
100
+ binding, evidence handles, query audit, and local inspection records.
101
+ - Proposal workflows add full local replay across evidence, approval,
102
+ writeback jobs, execution receipts, and events.
103
+ - External Postgres/MySQL databases are not physically branched by Runner.
104
+ Replay covers records captured by Runner; it is not external database
105
+ time travel.
106
+
107
+ ### Known Limitations
108
+
109
+ - This is an alpha local runner, not Synapsor Cloud, not the Synapsor DBMS, and
110
+ not a generic MCP security platform.
111
+ - Runner does not expose model-callable approval, commit, apply, or raw SQL
112
+ tools.
113
+ - Runner does not implement Synapsor Cloud workflow DAGs, native branches,
114
+ auto-merge, settlement policies, hosted RBAC/SSO, hosted evidence retention,
115
+ CDC, managed runner fleets, compliance exports, production SLA, or C++ DBMS
116
+ internals.
117
+ - The local store is single-node SQLite for local/dev/staging usage.
118
+ - Node >= 22.5.0 is required because the local ledger uses Node's
119
+ `node:sqlite` runtime. Use a supported Node runtime or the Docker-backed
120
+ source demo path.
121
+
122
+ ### Upgrade Notes From Earlier Alphas
123
+
124
+ - Public command examples now use `synapsor-runner`, not `synapsor`.
125
+ - Standard HTTP MCP examples now use `mcp serve-streamable-http`; `mcp
126
+ serve-http` is documented as the JSON-RPC bridge.
127
+ - Direct SQL writeback docs now use `write_url_env` for writer credentials and
128
+ document `SYNAPSOR_DATABASE_URL` only as a legacy fallback.
129
+ - Receipt-table permissions are now a documented writeback requirement.
130
+ - The quick demo is guided in interactive terminals, concise in noninteractive
131
+ mode, and keeps the longer explanation behind `--details`.
132
+
133
+ ## Stable Release Policy
134
+
135
+ Stay on `@synapsor/runner@alpha` or an exact alpha version while first-run
136
+ onboarding, MCP transport behavior, and writeback documentation are still
137
+ changing. A stable `0.1.0` release should only be tagged after:
138
+
139
+ - the README's npm commands match the published package;
140
+ - a clean temporary directory can run the quick demo, own-database onboarding,
141
+ MCP config generation, smoke call, UI, and replay commands;
142
+ - stdio MCP and Streamable HTTP MCP are covered by tests and examples;
143
+ - direct and app-owned writeback requirements are documented and verified; and
144
+ - known limitations are still accurate.
145
+
146
+ For the local tarball before publish, run:
147
+
148
+ ```bash
149
+ ./scripts/verify-packed-runner.sh
150
+ ./scripts/verify-packed-own-db.sh
151
+ ```
152
+
153
+ After publishing an alpha, verify the public package from a clean temporary
154
+ directory:
155
+
156
+ ```bash
157
+ ./scripts/verify-published-alpha.sh 0.1.0-alpha.11
158
+ ```
@@ -0,0 +1,94 @@
1
+ # Security Boundary
2
+
3
+ Synapsor Runner controls a narrow database path for MCP agents. It does not make
4
+ MCP generally secure and it does not solve prompt injection.
5
+
6
+ ## Least-privilege database access
7
+
8
+ Use a read-only database user, restricted views, row-level security, and staging
9
+ data where appropriate. Synapsor Runner is not a replacement for database
10
+ permissions.
11
+
12
+ Database permissions protect the connection. Synapsor Runner shapes the
13
+ model-facing interface: reviewed semantic capabilities, trusted context
14
+ binding, evidence handles, query audit, local inspection, and proposal-first
15
+ writes instead of model-facing commit authority.
16
+
17
+ If all you need is restricted reads, database permissions are a good start.
18
+ Use Synapsor Runner when you also want the agent-facing layer: semantic tools,
19
+ trusted context, evidence handles, query audit, local inspection, and
20
+ proposal-first writes. Proposal workflows add full replay across evidence,
21
+ approval, writeback receipts, and events.
22
+
23
+ The model-facing MCP server exposes reviewed semantic tools such as
24
+ `billing.inspect_invoice` and `billing.propose_late_fee_waiver`.
25
+
26
+ The model does not receive:
27
+
28
+ - raw SQL;
29
+ - a generic `execute_sql` tool;
30
+ - arbitrary table, schema, or column names;
31
+ - database URLs or credentials;
32
+ - approval tools;
33
+ - commit/writeback tools;
34
+ - trusted tenant or principal authority as ordinary model arguments.
35
+
36
+ Trusted context comes from local configuration, environment bindings, or Cloud
37
+ session context in Cloud mode. Tenant, principal, and authorization scope must
38
+ not be accepted from the model as authority.
39
+
40
+ Proposal tools read the current row through the read credential, store evidence
41
+ and an exact before/after diff, and leave the source database unchanged.
42
+
43
+ The local proposal store rejects obvious credential material before persistence:
44
+ database URLs, bearer tokens, Synapsor runner tokens, private-key blocks, and
45
+ secret-like fields such as password, token, API key, private key, cookie,
46
+ credential, connection string, read URL, or write URL. If a selected table
47
+ contains one of those fields, remove it from the reviewed visible/evidence
48
+ projection before creating proposals.
49
+
50
+ Writeback is separate. A trusted local runner/apply path uses a write credential
51
+ outside the model-facing MCP server and verifies:
52
+
53
+ - local reviewed config;
54
+ - source and capability identity;
55
+ - fixed safe schema, table, and column identifiers;
56
+ - local approval state;
57
+ - proposal and job digests;
58
+ - target schema/table;
59
+ - primary-key and tenant guards;
60
+ - allowed mutable columns;
61
+ - conflict/version guard;
62
+ - idempotency key;
63
+ - job expiry;
64
+ - exactly one affected row.
65
+
66
+ If any authority check cannot be verified, the write fails closed.
67
+
68
+ For direct SQL writeback, the writer connection is the env var named by the
69
+ source `write_url_env` in `synapsor.runner.json`. Direct SQL writeback also
70
+ creates or writes `synapsor_writeback_receipts` for idempotency and replay, so
71
+ the writer needs permission for that receipt table or an administrator must
72
+ pre-create and grant it. If your database policy forbids Runner-managed receipt
73
+ tables, use an app-owned `http_handler` or `command_handler` executor instead.
74
+
75
+ When a capability uses an `http_handler` or `command_handler` executor, the
76
+ same approval boundary applies. The runner sends a structured proposal/job
77
+ payload to the configured handler after approval. Handler URLs, commands, bearer
78
+ tokens, database URLs, and write credentials come from environment variables and
79
+ are not exposed to MCP tools.
80
+
81
+ Writeback jobs and change sets also reject path-traversal or SQL-fragment-like
82
+ database identifiers such as `../private`, `id/../../tenant_id`, or
83
+ `status; DROP TABLE tickets` before adapter execution. Local CLI file paths
84
+ remain explicit user-provided paths; they are not model-facing authority.
85
+
86
+ Local review can happen through the CLI or `synapsor-runner ui`. The UI is a localhost
87
+ review surface with a per-run session token and CSRF protection for
88
+ approve/reject actions. It does not expose raw SQL, database URLs, write
89
+ credentials, approval tools, commit tools, or controls that widen reviewed
90
+ tables/columns.
91
+
92
+ Synapsor Runner supports reviewed single-row business actions only in the
93
+ current alpha. It does not support arbitrary SQL, DDL, `INSERT`, `DELETE`,
94
+ `UPSERT`, or multi-row updates.