@synapsor/runner 0.1.0-alpha.3 → 0.1.0-alpha.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (44) hide show
  1. package/README.md +284 -13
  2. package/dist/cli.d.ts.map +1 -1
  3. package/dist/cli.js +5 -0
  4. package/dist/runner.mjs +2982 -127
  5. package/docs/README.md +32 -54
  6. package/docs/getting-started-own-database.md +40 -8
  7. package/docs/http-mcp.md +200 -0
  8. package/docs/limitations.md +20 -0
  9. package/docs/local-mode.md +101 -2
  10. package/docs/mcp-audit.md +10 -4
  11. package/docs/mcp-client-setup.md +40 -1
  12. package/docs/security-boundary.md +17 -0
  13. package/examples/openai-agents-http/README.md +55 -0
  14. package/examples/openai-agents-http/agent.py +90 -0
  15. package/examples/openai-agents-http/requirements.txt +1 -0
  16. package/examples/openai-agents-stdio/README.md +62 -0
  17. package/examples/openai-agents-stdio/agent.py +70 -0
  18. package/examples/openai-agents-stdio/requirements.txt +1 -0
  19. package/examples/reference-support-billing-app/README.md +51 -0
  20. package/examples/reference-support-billing-app/schema.sql +14 -1
  21. package/examples/reference-support-billing-app/seed.sql +12 -5
  22. package/examples/reference-support-billing-app/synapsor.runner.json +105 -0
  23. package/package.json +3 -1
  24. package/docs/MCP_RUNNER_IMPLEMENTATION_PLAN.md +0 -187
  25. package/docs/architecture.md +0 -65
  26. package/docs/capability-config.md +0 -180
  27. package/docs/cloud-mode.md +0 -140
  28. package/docs/config-migrations.md +0 -67
  29. package/docs/demo-transcript.md +0 -73
  30. package/docs/dependency-license-inventory.md +0 -35
  31. package/docs/first-10-minutes.md +0 -147
  32. package/docs/licensing.md +0 -38
  33. package/docs/local-ui.md +0 -163
  34. package/docs/mcp-efficiency-benchmark.md +0 -84
  35. package/docs/operations.md +0 -38
  36. package/docs/own-db-20-minutes.md +0 -185
  37. package/docs/production-readiness.md +0 -39
  38. package/docs/protocol.md +0 -90
  39. package/docs/roadmap.md +0 -13
  40. package/docs/schema-inspection.md +0 -88
  41. package/docs/shadow-mode.md +0 -67
  42. package/docs/telemetry.md +0 -28
  43. package/docs/threat-model.md +0 -25
  44. package/docs/trusted-context.md +0 -70
package/README.md CHANGED
@@ -7,39 +7,199 @@ Runner lets an MCP agent inspect scoped data and request database-backed
7
7
  business actions without receiving raw SQL, write credentials, approval tools,
8
8
  or commit tools.
9
9
 
10
- ## Run The Alpha
10
+ ```text
11
+ AI agent or MCP client
12
+ (Claude, Cursor, OpenAI Agents SDK, LangGraph)
13
+ |
14
+ | calls reviewed MCP tool
15
+ v
16
+ +--------------------------------+
17
+ | Synapsor Runner MCP |
18
+ | semantic capabilities only |
19
+ | trusted tenant/principal ctx |
20
+ | evidence + query audit |
21
+ +--------------------------------+
22
+ |
23
+ | scoped read / guarded proposal
24
+ v
25
+ +--------------------------------+
26
+ | Your Postgres or MySQL |
27
+ | source of truth |
28
+ +--------------------------------+
29
+
30
+ Local Runner store:
31
+ evidence · query audit · proposals · receipts · replay
32
+ ```
33
+
34
+ Your database stays the source of truth. Synapsor Runner owns the
35
+ model-facing boundary: what the agent can read, what it can propose, what
36
+ evidence is saved, and what can later be reviewed or replayed.
37
+
38
+ ## What Runner Does
39
+
40
+ When an agent uses Runner:
41
+
42
+ - the model gets reviewed capabilities, not raw database authority;
43
+ - reads produce evidence handles and query audit;
44
+ - writes become proposals, not direct mutations;
45
+ - approval and writeback happen outside the model-facing MCP surface;
46
+ - replay shows what the agent saw, proposed, and what was applied or blocked.
47
+
48
+ ## Start Here
49
+
50
+ Run the guided quick demo first. It does not require Docker, a database, a
51
+ config file, an MCP client, or a Synapsor Cloud account.
11
52
 
12
53
  ```bash
13
- npx -y -p @synapsor/runner@alpha synapsor --help
14
54
  npx -y -p @synapsor/runner@alpha synapsor demo --quick
15
- npx -y -p @synapsor/runner@alpha synapsor audit --example dangerous-db-mcp
55
+ ```
56
+
57
+ In a terminal, it walks through the safety model step by step. In CI, piped
58
+ output, or other non-interactive mode, it prints a short summary and exits
59
+ without waiting for Enter.
60
+
61
+ That command creates a local ledger fixture at `./.synapsor/quick-demo.db`.
62
+ It does not prove database connectivity. It shows the proposal, evidence, and
63
+ replay flow without giving the runner a database URL.
64
+
65
+ ```bash
66
+ npx -y -p @synapsor/runner@alpha synapsor demo inspect
67
+ ```
68
+
69
+ Human output is concise by default. Use `--details` for reviewer metadata or
70
+ `--json` for complete machine-readable records.
71
+
72
+ Useful quick-demo modes:
73
+
74
+ ```bash
75
+ synapsor demo --quick --guided
76
+ synapsor demo --quick --no-interactive
77
+ synapsor demo --quick --details
78
+ synapsor demo inspect --npx
79
+ ```
80
+
81
+ Then choose one path:
82
+
83
+ ```text
84
+ Full disposable proof -> npx -y -p @synapsor/runner@alpha synapsor demo
85
+ Your own staging DB -> export DATABASE_URL=... then run the inspect command below
86
+ MCP risk review -> npx -y -p @synapsor/runner@alpha synapsor audit --example dangerous-db-mcp
16
87
  ```
17
88
 
18
89
  `synapsor` is the public command. `synapsor-runner` remains available as a
19
- backward-compatible alias for earlier alpha commands.
90
+ backward-compatible alias.
20
91
 
21
- `synapsor demo --quick` is fixture-only and does not require Docker. Use
22
- `synapsor demo` for the disposable local Postgres-backed demo.
92
+ ## Connect Your Own Staging Database
23
93
 
24
- Use it with a local or staging database:
94
+ Put a read-only connection string in the environment:
25
95
 
26
96
  ```bash
27
97
  export DATABASE_URL="postgresql://readonly_user:password@localhost:5432/app"
28
- synapsor inspect --engine auto --from-env DATABASE_URL --schema public
29
- synapsor init --wizard --engine auto --from-env DATABASE_URL --schema public
30
- synapsor tools preview
31
- synapsor mcp serve
32
98
  ```
33
99
 
100
+ For disposable dev RDS fixtures only, use `sslmode=no-verify` if your local
101
+ Node/Postgres TLS stack cannot verify the test certificate chain. For real
102
+ staging or production-like databases, keep certificate verification enabled.
103
+
104
+ Inspect metadata:
105
+
106
+ ```bash
107
+ npx -y -p @synapsor/runner@alpha synapsor inspect \
108
+ --engine auto \
109
+ --from-env DATABASE_URL \
110
+ --schema public
111
+ ```
112
+
113
+ Generate a reviewed read-only config first. The wizard creates this local
114
+ flow:
115
+
116
+ ```text
117
+ trusted context -> capability -> MCP tool
118
+ ```
119
+
120
+ It asks which table/view backs the context, which tenant/scope column and
121
+ backend session env vars are trusted, which fields are visible, and what
122
+ semantic capability name to expose.
123
+
124
+ ```bash
125
+ npx -y -p @synapsor/runner@alpha synapsor init \
126
+ --wizard \
127
+ --engine auto \
128
+ --from-env DATABASE_URL \
129
+ --schema public \
130
+ --mode read_only
131
+ ```
132
+
133
+ Preview and serve the semantic tools:
134
+
135
+ ```bash
136
+ npx -y -p @synapsor/runner@alpha synapsor tools preview \
137
+ --config ./synapsor.runner.json \
138
+ --store ./.synapsor/local.db
139
+
140
+ npx -y -p @synapsor/runner@alpha synapsor mcp serve \
141
+ --config ./synapsor.runner.json \
142
+ --store ./.synapsor/local.db
143
+ ```
144
+
145
+ ## Two Ways To Run MCP
146
+
147
+ Use stdio when the MCP client runs locally and can launch Synapsor Runner. Use
148
+ HTTP when your agent service runs as an app/server and connects to a
149
+ long-running Runner process.
150
+
151
+ Local MCP clients:
152
+
153
+ ```bash
154
+ synapsor mcp serve \
155
+ --config ./synapsor.runner.json \
156
+ --store ./.synapsor/local.db
157
+ ```
158
+
159
+ App/server deployments:
160
+
161
+ ```bash
162
+ export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
163
+
164
+ synapsor mcp serve-http \
165
+ --config ./synapsor.runner.json \
166
+ --store ./.synapsor/local.db \
167
+ --auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
168
+ ```
169
+
170
+ HTTP defaults to `127.0.0.1:8765`, requires bearer auth by default, and should
171
+ use private networking, TLS, and rate limits before being exposed beyond a
172
+ local machine.
173
+
174
+ OpenAI Agents SDK examples:
175
+
176
+ ```text
177
+ examples/openai-agents-stdio/
178
+ examples/openai-agents-http/
179
+ ```
180
+
181
+ Use `--mode review` only when you are ready to create proposal tools and test
182
+ guarded writeback with a separate trusted write credential.
183
+
184
+ The disposable reference app includes proposal-first write examples for:
185
+
186
+ - `billing.propose_late_fee_waiver`
187
+ - `support.propose_plan_credit`
188
+ - `orders.propose_status_change`
189
+
190
+ Each tool creates evidence, a before/after diff, and a proposal. The source
191
+ database remains unchanged until approval outside MCP and guarded writeback.
192
+
34
193
  For a longer local session, you can install the alpha package explicitly:
35
194
 
36
195
  ```bash
37
196
  npm install -g @synapsor/runner@alpha
38
197
  ```
39
198
 
40
- ## What It Does
199
+ ## Runtime Flow
41
200
 
42
- The local runner implements a small Synapsor-style trust loop:
201
+ The local runner keeps the model-facing tool call separate from approval and
202
+ writeback:
43
203
 
44
204
  ```text
45
205
  MCP tool call
@@ -55,6 +215,117 @@ MCP tool call
55
215
  Your Postgres/MySQL database remains the source of truth. The runner stores
56
216
  local proposals, evidence, receipts, and replay data in a local SQLite store.
57
217
 
218
+ ## Why Not Just Use A Read-Only Database User?
219
+
220
+ You should use one.
221
+
222
+ Synapsor Runner is not a replacement for least-privilege database permissions.
223
+ Start with a read-only user, restricted views, row-level security, and staging
224
+ data where appropriate.
225
+
226
+ The difference is that database permissions protect the connection. Synapsor
227
+ Runner shapes the model-facing interface.
228
+
229
+ Instead of exposing `execute_sql`, `query_database`, table names, or
230
+ model-controlled tenant filters, Synapsor exposes reviewed business
231
+ capabilities such as `billing.inspect_invoice` and
232
+ `billing.propose_late_fee_waiver`.
233
+
234
+ For read-only use cases, Runner provides scoped semantic tools, trusted context
235
+ binding, evidence handles, query audit, and local inspection. Proposal
236
+ workflows add full replay across evidence, approval, writeback receipts, and
237
+ events.
238
+
239
+ If all you need is restricted reads, database permissions are a good start.
240
+ Use Synapsor Runner when you also want the agent-facing layer: semantic tools,
241
+ trusted context, evidence handles, query audit, local inspection, and
242
+ proposal-first writes.
243
+
244
+ ## Fixture Benchmark
245
+
246
+ Run the included MCP efficiency fixture:
247
+
248
+ ```bash
249
+ synapsor benchmark mcp-efficiency
250
+ ```
251
+
252
+ Current fixture result for the late-fee-waiver workflow:
253
+
254
+ ```text
255
+ Generic database MCP reference:
256
+ exposed tools: 4
257
+ scripted tool calls: 5
258
+ raw SQL exposed: yes
259
+ approval separated: no
260
+ stale-row conflict checked: no
261
+
262
+ Synapsor Runner semantic path:
263
+ exposed tools: 2
264
+ scripted tool calls: 2
265
+ raw SQL exposed: no
266
+ approval separated: yes
267
+ stale-row conflict checked: yes
268
+ ```
269
+
270
+ The fixture tokenizer is deterministic and repeatable for this package. It is
271
+ not a model billing tokenizer and not a universal token-savings claim.
272
+
273
+ ## Find Evidence And Replay
274
+
275
+ The commands in this section require this checkout or an alpha package that
276
+ includes the local-ledger CLI surface.
277
+
278
+ The runner stores a local SQLite evidence/replay ledger. Search it without
279
+ relying on `latest`:
280
+
281
+ ```bash
282
+ synapsor activity search --tenant acme --object invoice:INV-3001
283
+ synapsor proposals list --tenant acme --object invoice:INV-3001 --status approved
284
+ synapsor evidence show ev_...
285
+ synapsor query-audit list --evidence ev_...
286
+ synapsor receipts list --proposal wrp_...
287
+ synapsor receipts show <receipt_id>
288
+ synapsor replay show --proposal wrp_...
289
+ synapsor replay show --replay replay_wrp_...
290
+ ```
291
+
292
+ Default inspection output is meant for first-run clarity. Add `--details` for
293
+ target URIs, primary keys, proposal hash/version, conflict guards, query
294
+ fingerprints, event timestamps, and receipt internals.
295
+
296
+ Export captured evidence or proposal replay:
297
+
298
+ ```bash
299
+ synapsor evidence export ev_... --format markdown --output evidence.md
300
+ synapsor replay export --proposal wrp_... --format json --output replay.json
301
+ synapsor replay export --proposal wrp_... --format markdown --output replay.md
302
+ ```
303
+
304
+ Create a redacted local diagnostic report:
305
+
306
+ ```bash
307
+ synapsor doctor --config synapsor.runner.json --report --redact --output synapsor-doctor.md
308
+ ```
309
+
310
+ Inspect or compact the local ledger:
311
+
312
+ ```bash
313
+ synapsor store stats --store ./.synapsor/local.db
314
+ synapsor store vacuum --store ./.synapsor/local.db
315
+ synapsor store prune --store ./.synapsor/local.db --older-than 30d --dry-run
316
+ ```
317
+
318
+ This is local indexed search for local/dev/staging usage. It is not external
319
+ database time travel, not cross-runner search, and not hosted compliance
320
+ retention.
321
+
322
+ ## App-Owned Writeback
323
+
324
+ Use direct guarded DB writeback for simple local/staging single-row updates. If
325
+ your application service already owns business writes, configure an
326
+ `http_handler` or `command_handler` executor. Approval still happens outside
327
+ MCP, and the handler returns an applied/conflict/failed receipt for replay.
328
+
58
329
  ## Command Name
59
330
 
60
331
  This package installs `synapsor` as the primary binary and `synapsor-runner` as
package/dist/cli.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAiBA,OAAO,EAOL,KAAK,gBAAgB,EAEtB,MAAM,mCAAmC,CAAC;AA0H3C,wBAAsB,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAqC1D;AA0DD,KAAK,SAAS,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;AAE9E,wBAAsB,aAAa,CACjC,IAAI,EAAE,MAAM,EAAE,EACd,OAAO,GAAE;IACP,GAAG,CAAC,EAAE,SAAS,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAC;IACxB,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAC9B,MAAM,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;CACvC,GACL,OAAO,CAAC,MAAM,CAAC,CA0KjB"}
1
+ {"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AA+BA,OAAO,EAOL,KAAK,gBAAgB,EAEtB,MAAM,mCAAmC,CAAC;AA4H3C,wBAAsB,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CA8C1D;AA0DD,KAAK,SAAS,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;AAE9E,wBAAsB,aAAa,CACjC,IAAI,EAAE,MAAM,EAAE,EACd,OAAO,GAAE;IACP,GAAG,CAAC,EAAE,SAAS,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAC;IACxB,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAC9B,MAAM,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;CACvC,GACL,OAAO,CAAC,MAAM,CAAC,CAiLjB"}
package/dist/cli.js CHANGED
@@ -6,6 +6,11 @@ import { fileURLToPath } from 'node:url';
6
6
  const __dirname = dirname(fileURLToPath(import.meta.url));
7
7
  const invoked = basename(process.argv[1] || 'synapsor');
8
8
  const commandName = invoked === 'synapsor-runner' ? 'synapsor-runner' : 'synapsor';
9
+ const [major, minor] = process.versions.node.split('.').map(Number);
10
+ if (!(major > 22 || (major === 22 && minor >= 5))) {
11
+ console.error(`Synapsor Runner requires Node >= 22.5.0 because the local ledger uses Node's node:sqlite runtime. Current Node: ${process.versions.node}. Upgrade Node or use the Docker demo from a source checkout.`);
12
+ process.exit(1);
13
+ }
9
14
  const result = spawnSync(process.execPath, ['--no-warnings', join(__dirname, 'runner.mjs'), ...process.argv.slice(2)], {
10
15
  stdio: 'inherit',
11
16
  env: { ...process.env, NODE_NO_WARNINGS: '1', SYNAPSOR_RUNNER_COMMAND_NAME: commandName },