@synapsor/runner 0.1.0-alpha.3 → 0.1.0-alpha.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +284 -13
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +5 -0
- package/dist/runner.mjs +2982 -127
- package/docs/README.md +32 -54
- package/docs/getting-started-own-database.md +40 -8
- package/docs/http-mcp.md +200 -0
- package/docs/limitations.md +20 -0
- package/docs/local-mode.md +101 -2
- package/docs/mcp-audit.md +10 -4
- package/docs/mcp-client-setup.md +40 -1
- package/docs/security-boundary.md +17 -0
- package/examples/openai-agents-http/README.md +55 -0
- package/examples/openai-agents-http/agent.py +90 -0
- package/examples/openai-agents-http/requirements.txt +1 -0
- package/examples/openai-agents-stdio/README.md +62 -0
- package/examples/openai-agents-stdio/agent.py +70 -0
- package/examples/openai-agents-stdio/requirements.txt +1 -0
- package/examples/reference-support-billing-app/README.md +51 -0
- package/examples/reference-support-billing-app/schema.sql +14 -1
- package/examples/reference-support-billing-app/seed.sql +12 -5
- package/examples/reference-support-billing-app/synapsor.runner.json +105 -0
- package/package.json +3 -1
- package/docs/MCP_RUNNER_IMPLEMENTATION_PLAN.md +0 -187
- package/docs/architecture.md +0 -65
- package/docs/capability-config.md +0 -180
- package/docs/cloud-mode.md +0 -140
- package/docs/config-migrations.md +0 -67
- package/docs/demo-transcript.md +0 -73
- package/docs/dependency-license-inventory.md +0 -35
- package/docs/first-10-minutes.md +0 -147
- package/docs/licensing.md +0 -38
- package/docs/local-ui.md +0 -163
- package/docs/mcp-efficiency-benchmark.md +0 -84
- package/docs/operations.md +0 -38
- package/docs/own-db-20-minutes.md +0 -185
- package/docs/production-readiness.md +0 -39
- package/docs/protocol.md +0 -90
- package/docs/roadmap.md +0 -13
- package/docs/schema-inspection.md +0 -88
- package/docs/shadow-mode.md +0 -67
- package/docs/telemetry.md +0 -28
- package/docs/threat-model.md +0 -25
- package/docs/trusted-context.md +0 -70
package/README.md
CHANGED
|
@@ -7,39 +7,199 @@ Runner lets an MCP agent inspect scoped data and request database-backed
|
|
|
7
7
|
business actions without receiving raw SQL, write credentials, approval tools,
|
|
8
8
|
or commit tools.
|
|
9
9
|
|
|
10
|
-
|
|
10
|
+
```text
|
|
11
|
+
AI agent or MCP client
|
|
12
|
+
(Claude, Cursor, OpenAI Agents SDK, LangGraph)
|
|
13
|
+
|
|
|
14
|
+
| calls reviewed MCP tool
|
|
15
|
+
v
|
|
16
|
+
+--------------------------------+
|
|
17
|
+
| Synapsor Runner MCP |
|
|
18
|
+
| semantic capabilities only |
|
|
19
|
+
| trusted tenant/principal ctx |
|
|
20
|
+
| evidence + query audit |
|
|
21
|
+
+--------------------------------+
|
|
22
|
+
|
|
|
23
|
+
| scoped read / guarded proposal
|
|
24
|
+
v
|
|
25
|
+
+--------------------------------+
|
|
26
|
+
| Your Postgres or MySQL |
|
|
27
|
+
| source of truth |
|
|
28
|
+
+--------------------------------+
|
|
29
|
+
|
|
30
|
+
Local Runner store:
|
|
31
|
+
evidence · query audit · proposals · receipts · replay
|
|
32
|
+
```
|
|
33
|
+
|
|
34
|
+
Your database stays the source of truth. Synapsor Runner owns the
|
|
35
|
+
model-facing boundary: what the agent can read, what it can propose, what
|
|
36
|
+
evidence is saved, and what can later be reviewed or replayed.
|
|
37
|
+
|
|
38
|
+
## What Runner Does
|
|
39
|
+
|
|
40
|
+
When an agent uses Runner:
|
|
41
|
+
|
|
42
|
+
- the model gets reviewed capabilities, not raw database authority;
|
|
43
|
+
- reads produce evidence handles and query audit;
|
|
44
|
+
- writes become proposals, not direct mutations;
|
|
45
|
+
- approval and writeback happen outside the model-facing MCP surface;
|
|
46
|
+
- replay shows what the agent saw, proposed, and what was applied or blocked.
|
|
47
|
+
|
|
48
|
+
## Start Here
|
|
49
|
+
|
|
50
|
+
Run the guided quick demo first. It does not require Docker, a database, a
|
|
51
|
+
config file, an MCP client, or a Synapsor Cloud account.
|
|
11
52
|
|
|
12
53
|
```bash
|
|
13
|
-
npx -y -p @synapsor/runner@alpha synapsor --help
|
|
14
54
|
npx -y -p @synapsor/runner@alpha synapsor demo --quick
|
|
15
|
-
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
In a terminal, it walks through the safety model step by step. In CI, piped
|
|
58
|
+
output, or other non-interactive mode, it prints a short summary and exits
|
|
59
|
+
without waiting for Enter.
|
|
60
|
+
|
|
61
|
+
That command creates a local ledger fixture at `./.synapsor/quick-demo.db`.
|
|
62
|
+
It does not prove database connectivity. It shows the proposal, evidence, and
|
|
63
|
+
replay flow without giving the runner a database URL.
|
|
64
|
+
|
|
65
|
+
```bash
|
|
66
|
+
npx -y -p @synapsor/runner@alpha synapsor demo inspect
|
|
67
|
+
```
|
|
68
|
+
|
|
69
|
+
Human output is concise by default. Use `--details` for reviewer metadata or
|
|
70
|
+
`--json` for complete machine-readable records.
|
|
71
|
+
|
|
72
|
+
Useful quick-demo modes:
|
|
73
|
+
|
|
74
|
+
```bash
|
|
75
|
+
synapsor demo --quick --guided
|
|
76
|
+
synapsor demo --quick --no-interactive
|
|
77
|
+
synapsor demo --quick --details
|
|
78
|
+
synapsor demo inspect --npx
|
|
79
|
+
```
|
|
80
|
+
|
|
81
|
+
Then choose one path:
|
|
82
|
+
|
|
83
|
+
```text
|
|
84
|
+
Full disposable proof -> npx -y -p @synapsor/runner@alpha synapsor demo
|
|
85
|
+
Your own staging DB -> export DATABASE_URL=... then run the inspect command below
|
|
86
|
+
MCP risk review -> npx -y -p @synapsor/runner@alpha synapsor audit --example dangerous-db-mcp
|
|
16
87
|
```
|
|
17
88
|
|
|
18
89
|
`synapsor` is the public command. `synapsor-runner` remains available as a
|
|
19
|
-
backward-compatible alias
|
|
90
|
+
backward-compatible alias.
|
|
20
91
|
|
|
21
|
-
|
|
22
|
-
`synapsor demo` for the disposable local Postgres-backed demo.
|
|
92
|
+
## Connect Your Own Staging Database
|
|
23
93
|
|
|
24
|
-
|
|
94
|
+
Put a read-only connection string in the environment:
|
|
25
95
|
|
|
26
96
|
```bash
|
|
27
97
|
export DATABASE_URL="postgresql://readonly_user:password@localhost:5432/app"
|
|
28
|
-
synapsor inspect --engine auto --from-env DATABASE_URL --schema public
|
|
29
|
-
synapsor init --wizard --engine auto --from-env DATABASE_URL --schema public
|
|
30
|
-
synapsor tools preview
|
|
31
|
-
synapsor mcp serve
|
|
32
98
|
```
|
|
33
99
|
|
|
100
|
+
For disposable dev RDS fixtures only, use `sslmode=no-verify` if your local
|
|
101
|
+
Node/Postgres TLS stack cannot verify the test certificate chain. For real
|
|
102
|
+
staging or production-like databases, keep certificate verification enabled.
|
|
103
|
+
|
|
104
|
+
Inspect metadata:
|
|
105
|
+
|
|
106
|
+
```bash
|
|
107
|
+
npx -y -p @synapsor/runner@alpha synapsor inspect \
|
|
108
|
+
--engine auto \
|
|
109
|
+
--from-env DATABASE_URL \
|
|
110
|
+
--schema public
|
|
111
|
+
```
|
|
112
|
+
|
|
113
|
+
Generate a reviewed read-only config first. The wizard creates this local
|
|
114
|
+
flow:
|
|
115
|
+
|
|
116
|
+
```text
|
|
117
|
+
trusted context -> capability -> MCP tool
|
|
118
|
+
```
|
|
119
|
+
|
|
120
|
+
It asks which table/view backs the context, which tenant/scope column and
|
|
121
|
+
backend session env vars are trusted, which fields are visible, and what
|
|
122
|
+
semantic capability name to expose.
|
|
123
|
+
|
|
124
|
+
```bash
|
|
125
|
+
npx -y -p @synapsor/runner@alpha synapsor init \
|
|
126
|
+
--wizard \
|
|
127
|
+
--engine auto \
|
|
128
|
+
--from-env DATABASE_URL \
|
|
129
|
+
--schema public \
|
|
130
|
+
--mode read_only
|
|
131
|
+
```
|
|
132
|
+
|
|
133
|
+
Preview and serve the semantic tools:
|
|
134
|
+
|
|
135
|
+
```bash
|
|
136
|
+
npx -y -p @synapsor/runner@alpha synapsor tools preview \
|
|
137
|
+
--config ./synapsor.runner.json \
|
|
138
|
+
--store ./.synapsor/local.db
|
|
139
|
+
|
|
140
|
+
npx -y -p @synapsor/runner@alpha synapsor mcp serve \
|
|
141
|
+
--config ./synapsor.runner.json \
|
|
142
|
+
--store ./.synapsor/local.db
|
|
143
|
+
```
|
|
144
|
+
|
|
145
|
+
## Two Ways To Run MCP
|
|
146
|
+
|
|
147
|
+
Use stdio when the MCP client runs locally and can launch Synapsor Runner. Use
|
|
148
|
+
HTTP when your agent service runs as an app/server and connects to a
|
|
149
|
+
long-running Runner process.
|
|
150
|
+
|
|
151
|
+
Local MCP clients:
|
|
152
|
+
|
|
153
|
+
```bash
|
|
154
|
+
synapsor mcp serve \
|
|
155
|
+
--config ./synapsor.runner.json \
|
|
156
|
+
--store ./.synapsor/local.db
|
|
157
|
+
```
|
|
158
|
+
|
|
159
|
+
App/server deployments:
|
|
160
|
+
|
|
161
|
+
```bash
|
|
162
|
+
export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
|
|
163
|
+
|
|
164
|
+
synapsor mcp serve-http \
|
|
165
|
+
--config ./synapsor.runner.json \
|
|
166
|
+
--store ./.synapsor/local.db \
|
|
167
|
+
--auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
|
|
168
|
+
```
|
|
169
|
+
|
|
170
|
+
HTTP defaults to `127.0.0.1:8765`, requires bearer auth by default, and should
|
|
171
|
+
use private networking, TLS, and rate limits before being exposed beyond a
|
|
172
|
+
local machine.
|
|
173
|
+
|
|
174
|
+
OpenAI Agents SDK examples:
|
|
175
|
+
|
|
176
|
+
```text
|
|
177
|
+
examples/openai-agents-stdio/
|
|
178
|
+
examples/openai-agents-http/
|
|
179
|
+
```
|
|
180
|
+
|
|
181
|
+
Use `--mode review` only when you are ready to create proposal tools and test
|
|
182
|
+
guarded writeback with a separate trusted write credential.
|
|
183
|
+
|
|
184
|
+
The disposable reference app includes proposal-first write examples for:
|
|
185
|
+
|
|
186
|
+
- `billing.propose_late_fee_waiver`
|
|
187
|
+
- `support.propose_plan_credit`
|
|
188
|
+
- `orders.propose_status_change`
|
|
189
|
+
|
|
190
|
+
Each tool creates evidence, a before/after diff, and a proposal. The source
|
|
191
|
+
database remains unchanged until approval outside MCP and guarded writeback.
|
|
192
|
+
|
|
34
193
|
For a longer local session, you can install the alpha package explicitly:
|
|
35
194
|
|
|
36
195
|
```bash
|
|
37
196
|
npm install -g @synapsor/runner@alpha
|
|
38
197
|
```
|
|
39
198
|
|
|
40
|
-
##
|
|
199
|
+
## Runtime Flow
|
|
41
200
|
|
|
42
|
-
The local runner
|
|
201
|
+
The local runner keeps the model-facing tool call separate from approval and
|
|
202
|
+
writeback:
|
|
43
203
|
|
|
44
204
|
```text
|
|
45
205
|
MCP tool call
|
|
@@ -55,6 +215,117 @@ MCP tool call
|
|
|
55
215
|
Your Postgres/MySQL database remains the source of truth. The runner stores
|
|
56
216
|
local proposals, evidence, receipts, and replay data in a local SQLite store.
|
|
57
217
|
|
|
218
|
+
## Why Not Just Use A Read-Only Database User?
|
|
219
|
+
|
|
220
|
+
You should use one.
|
|
221
|
+
|
|
222
|
+
Synapsor Runner is not a replacement for least-privilege database permissions.
|
|
223
|
+
Start with a read-only user, restricted views, row-level security, and staging
|
|
224
|
+
data where appropriate.
|
|
225
|
+
|
|
226
|
+
The difference is that database permissions protect the connection. Synapsor
|
|
227
|
+
Runner shapes the model-facing interface.
|
|
228
|
+
|
|
229
|
+
Instead of exposing `execute_sql`, `query_database`, table names, or
|
|
230
|
+
model-controlled tenant filters, Synapsor exposes reviewed business
|
|
231
|
+
capabilities such as `billing.inspect_invoice` and
|
|
232
|
+
`billing.propose_late_fee_waiver`.
|
|
233
|
+
|
|
234
|
+
For read-only use cases, Runner provides scoped semantic tools, trusted context
|
|
235
|
+
binding, evidence handles, query audit, and local inspection. Proposal
|
|
236
|
+
workflows add full replay across evidence, approval, writeback receipts, and
|
|
237
|
+
events.
|
|
238
|
+
|
|
239
|
+
If all you need is restricted reads, database permissions are a good start.
|
|
240
|
+
Use Synapsor Runner when you also want the agent-facing layer: semantic tools,
|
|
241
|
+
trusted context, evidence handles, query audit, local inspection, and
|
|
242
|
+
proposal-first writes.
|
|
243
|
+
|
|
244
|
+
## Fixture Benchmark
|
|
245
|
+
|
|
246
|
+
Run the included MCP efficiency fixture:
|
|
247
|
+
|
|
248
|
+
```bash
|
|
249
|
+
synapsor benchmark mcp-efficiency
|
|
250
|
+
```
|
|
251
|
+
|
|
252
|
+
Current fixture result for the late-fee-waiver workflow:
|
|
253
|
+
|
|
254
|
+
```text
|
|
255
|
+
Generic database MCP reference:
|
|
256
|
+
exposed tools: 4
|
|
257
|
+
scripted tool calls: 5
|
|
258
|
+
raw SQL exposed: yes
|
|
259
|
+
approval separated: no
|
|
260
|
+
stale-row conflict checked: no
|
|
261
|
+
|
|
262
|
+
Synapsor Runner semantic path:
|
|
263
|
+
exposed tools: 2
|
|
264
|
+
scripted tool calls: 2
|
|
265
|
+
raw SQL exposed: no
|
|
266
|
+
approval separated: yes
|
|
267
|
+
stale-row conflict checked: yes
|
|
268
|
+
```
|
|
269
|
+
|
|
270
|
+
The fixture tokenizer is deterministic and repeatable for this package. It is
|
|
271
|
+
not a model billing tokenizer and not a universal token-savings claim.
|
|
272
|
+
|
|
273
|
+
## Find Evidence And Replay
|
|
274
|
+
|
|
275
|
+
The commands in this section require this checkout or an alpha package that
|
|
276
|
+
includes the local-ledger CLI surface.
|
|
277
|
+
|
|
278
|
+
The runner stores a local SQLite evidence/replay ledger. Search it without
|
|
279
|
+
relying on `latest`:
|
|
280
|
+
|
|
281
|
+
```bash
|
|
282
|
+
synapsor activity search --tenant acme --object invoice:INV-3001
|
|
283
|
+
synapsor proposals list --tenant acme --object invoice:INV-3001 --status approved
|
|
284
|
+
synapsor evidence show ev_...
|
|
285
|
+
synapsor query-audit list --evidence ev_...
|
|
286
|
+
synapsor receipts list --proposal wrp_...
|
|
287
|
+
synapsor receipts show <receipt_id>
|
|
288
|
+
synapsor replay show --proposal wrp_...
|
|
289
|
+
synapsor replay show --replay replay_wrp_...
|
|
290
|
+
```
|
|
291
|
+
|
|
292
|
+
Default inspection output is meant for first-run clarity. Add `--details` for
|
|
293
|
+
target URIs, primary keys, proposal hash/version, conflict guards, query
|
|
294
|
+
fingerprints, event timestamps, and receipt internals.
|
|
295
|
+
|
|
296
|
+
Export captured evidence or proposal replay:
|
|
297
|
+
|
|
298
|
+
```bash
|
|
299
|
+
synapsor evidence export ev_... --format markdown --output evidence.md
|
|
300
|
+
synapsor replay export --proposal wrp_... --format json --output replay.json
|
|
301
|
+
synapsor replay export --proposal wrp_... --format markdown --output replay.md
|
|
302
|
+
```
|
|
303
|
+
|
|
304
|
+
Create a redacted local diagnostic report:
|
|
305
|
+
|
|
306
|
+
```bash
|
|
307
|
+
synapsor doctor --config synapsor.runner.json --report --redact --output synapsor-doctor.md
|
|
308
|
+
```
|
|
309
|
+
|
|
310
|
+
Inspect or compact the local ledger:
|
|
311
|
+
|
|
312
|
+
```bash
|
|
313
|
+
synapsor store stats --store ./.synapsor/local.db
|
|
314
|
+
synapsor store vacuum --store ./.synapsor/local.db
|
|
315
|
+
synapsor store prune --store ./.synapsor/local.db --older-than 30d --dry-run
|
|
316
|
+
```
|
|
317
|
+
|
|
318
|
+
This is local indexed search for local/dev/staging usage. It is not external
|
|
319
|
+
database time travel, not cross-runner search, and not hosted compliance
|
|
320
|
+
retention.
|
|
321
|
+
|
|
322
|
+
## App-Owned Writeback
|
|
323
|
+
|
|
324
|
+
Use direct guarded DB writeback for simple local/staging single-row updates. If
|
|
325
|
+
your application service already owns business writes, configure an
|
|
326
|
+
`http_handler` or `command_handler` executor. Approval still happens outside
|
|
327
|
+
MCP, and the handler returns an applied/conflict/failed receipt for replay.
|
|
328
|
+
|
|
58
329
|
## Command Name
|
|
59
330
|
|
|
60
331
|
This package installs `synapsor` as the primary binary and `synapsor-runner` as
|
package/dist/cli.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";
|
|
1
|
+
{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AA+BA,OAAO,EAOL,KAAK,gBAAgB,EAEtB,MAAM,mCAAmC,CAAC;AA4H3C,wBAAsB,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CA8C1D;AA0DD,KAAK,SAAS,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;AAE9E,wBAAsB,aAAa,CACjC,IAAI,EAAE,MAAM,EAAE,EACd,OAAO,GAAE;IACP,GAAG,CAAC,EAAE,SAAS,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAC;IACxB,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAC9B,MAAM,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;CACvC,GACL,OAAO,CAAC,MAAM,CAAC,CAiLjB"}
|
package/dist/cli.js
CHANGED
|
@@ -6,6 +6,11 @@ import { fileURLToPath } from 'node:url';
|
|
|
6
6
|
const __dirname = dirname(fileURLToPath(import.meta.url));
|
|
7
7
|
const invoked = basename(process.argv[1] || 'synapsor');
|
|
8
8
|
const commandName = invoked === 'synapsor-runner' ? 'synapsor-runner' : 'synapsor';
|
|
9
|
+
const [major, minor] = process.versions.node.split('.').map(Number);
|
|
10
|
+
if (!(major > 22 || (major === 22 && minor >= 5))) {
|
|
11
|
+
console.error(`Synapsor Runner requires Node >= 22.5.0 because the local ledger uses Node's node:sqlite runtime. Current Node: ${process.versions.node}. Upgrade Node or use the Docker demo from a source checkout.`);
|
|
12
|
+
process.exit(1);
|
|
13
|
+
}
|
|
9
14
|
const result = spawnSync(process.execPath, ['--no-warnings', join(__dirname, 'runner.mjs'), ...process.argv.slice(2)], {
|
|
10
15
|
stdio: 'inherit',
|
|
11
16
|
env: { ...process.env, NODE_NO_WARNINGS: '1', SYNAPSOR_RUNNER_COMMAND_NAME: commandName },
|