@synapsor/runner 0.1.0-alpha.3 → 0.1.0-alpha.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +284 -13
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +5 -0
- package/dist/runner.mjs +2982 -127
- package/docs/README.md +32 -54
- package/docs/getting-started-own-database.md +40 -8
- package/docs/http-mcp.md +200 -0
- package/docs/limitations.md +20 -0
- package/docs/local-mode.md +101 -2
- package/docs/mcp-audit.md +10 -4
- package/docs/mcp-client-setup.md +40 -1
- package/docs/security-boundary.md +17 -0
- package/examples/openai-agents-http/README.md +55 -0
- package/examples/openai-agents-http/agent.py +90 -0
- package/examples/openai-agents-http/requirements.txt +1 -0
- package/examples/openai-agents-stdio/README.md +62 -0
- package/examples/openai-agents-stdio/agent.py +70 -0
- package/examples/openai-agents-stdio/requirements.txt +1 -0
- package/examples/reference-support-billing-app/README.md +51 -0
- package/examples/reference-support-billing-app/schema.sql +14 -1
- package/examples/reference-support-billing-app/seed.sql +12 -5
- package/examples/reference-support-billing-app/synapsor.runner.json +105 -0
- package/package.json +3 -1
- package/docs/MCP_RUNNER_IMPLEMENTATION_PLAN.md +0 -187
- package/docs/architecture.md +0 -65
- package/docs/capability-config.md +0 -180
- package/docs/cloud-mode.md +0 -140
- package/docs/config-migrations.md +0 -67
- package/docs/demo-transcript.md +0 -73
- package/docs/dependency-license-inventory.md +0 -35
- package/docs/first-10-minutes.md +0 -147
- package/docs/licensing.md +0 -38
- package/docs/local-ui.md +0 -163
- package/docs/mcp-efficiency-benchmark.md +0 -84
- package/docs/operations.md +0 -38
- package/docs/own-db-20-minutes.md +0 -185
- package/docs/production-readiness.md +0 -39
- package/docs/protocol.md +0 -90
- package/docs/roadmap.md +0 -13
- package/docs/schema-inspection.md +0 -88
- package/docs/shadow-mode.md +0 -67
- package/docs/telemetry.md +0 -28
- package/docs/threat-model.md +0 -25
- package/docs/trusted-context.md +0 -70
package/docs/README.md
CHANGED
|
@@ -1,56 +1,34 @@
|
|
|
1
1
|
# Synapsor Runner Docs
|
|
2
2
|
|
|
3
|
-
Start with the
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
`mcp serve` and local UI commands.
|
|
36
|
-
|
|
37
|
-
For disposable dev RDS databases with local CA issues:
|
|
38
|
-
|
|
39
|
-
```bash
|
|
40
|
-
./scripts/use-your-db.sh --allow-insecure-ssl
|
|
41
|
-
```
|
|
42
|
-
|
|
43
|
-
Use certificate verification with the database CA bundle for real staging or
|
|
44
|
-
production-like databases.
|
|
45
|
-
|
|
46
|
-
Read: [Connect Your Own Database](getting-started-own-database.md).
|
|
47
|
-
|
|
48
|
-
## Important References
|
|
49
|
-
|
|
50
|
-
- [Schema Inspection](schema-inspection.md)
|
|
51
|
-
- [MCP Client Setup](mcp-client-setup.md)
|
|
52
|
-
- [Capability Config](capability-config.md)
|
|
53
|
-
- [Local UI](local-ui.md)
|
|
54
|
-
- [Writeback Executors](writeback-executors.md)
|
|
55
|
-
- [Security Boundary](security-boundary.md)
|
|
56
|
-
- [Current Scope And Limitations](limitations.md)
|
|
3
|
+
Start with the README. Use these docs only when you need the next level of
|
|
4
|
+
detail.
|
|
5
|
+
|
|
6
|
+
## First Setup
|
|
7
|
+
|
|
8
|
+
- [Connect Your Own Database](getting-started-own-database.md): inspect a
|
|
9
|
+
staging Postgres/MySQL database, generate `synapsor.runner.json`, preview
|
|
10
|
+
semantic tools, and serve them over MCP.
|
|
11
|
+
- [MCP Client Setup](mcp-client-setup.md): connect Claude, Cursor, VS Code, or
|
|
12
|
+
another stdio MCP client.
|
|
13
|
+
- [HTTP MCP](http-mcp.md): run Synapsor Runner as an authenticated HTTP MCP
|
|
14
|
+
service for app/server agents.
|
|
15
|
+
|
|
16
|
+
## Safety And Operations
|
|
17
|
+
|
|
18
|
+
- [Security Boundary](security-boundary.md): what the model can and cannot see.
|
|
19
|
+
- [Current Limitations](limitations.md): current alpha scope.
|
|
20
|
+
- [Troubleshooting First Run](troubleshooting-first-run.md): common setup
|
|
21
|
+
failures and fixes.
|
|
22
|
+
- [Local Mode](local-mode.md): local store, proposals, approval, replay, and
|
|
23
|
+
writeback flow.
|
|
24
|
+
|
|
25
|
+
## Features
|
|
26
|
+
|
|
27
|
+
- [MCP Audit](mcp-audit.md): static risk review for database MCP tools.
|
|
28
|
+
- [Recipes](recipes.md): starter business-capability templates.
|
|
29
|
+
- [Writeback Executors](writeback-executors.md): app-owned writeback handlers
|
|
30
|
+
for approved proposals.
|
|
31
|
+
|
|
32
|
+
The public docs intentionally stay small. Historical implementation reports,
|
|
33
|
+
release checklists, and internal planning notes are not part of the public
|
|
34
|
+
getting-started path.
|
|
@@ -7,6 +7,11 @@ Do not start with your most sensitive production database. The current alpha
|
|
|
7
7
|
runner is a local commit-safety runtime for reviewed single-row business
|
|
8
8
|
actions, not a production certification.
|
|
9
9
|
|
|
10
|
+
If you only ran `synapsor demo --quick`, you have tested the fixture-only
|
|
11
|
+
teaching path and local ledger commands. This page is the real own-database
|
|
12
|
+
path: it inspects your Postgres/MySQL metadata and generates reviewed semantic
|
|
13
|
+
tools from your selections.
|
|
14
|
+
|
|
10
15
|
## Fast path
|
|
11
16
|
|
|
12
17
|
Set one read-only database URL and run the wrapper from this repo:
|
|
@@ -128,10 +133,17 @@ In an interactive terminal, run the guided wizard:
|
|
|
128
133
|
npx -y -p @synapsor/runner@alpha synapsor init --from-env DATABASE_URL --mode read_only --wizard
|
|
129
134
|
```
|
|
130
135
|
|
|
131
|
-
The generated capabilities are based on your selections. Synapsor
|
|
132
|
-
not force billing, support, order, or any other built-in domain.
|
|
133
|
-
|
|
134
|
-
|
|
136
|
+
The generated context and capabilities are based on your selections. Synapsor
|
|
137
|
+
Runner does not force billing, support, order, or any other built-in domain.
|
|
138
|
+
The local shape is:
|
|
139
|
+
|
|
140
|
+
```text
|
|
141
|
+
trusted context -> capability -> MCP tool
|
|
142
|
+
```
|
|
143
|
+
|
|
144
|
+
You choose the source object, trusted tenant/principal bindings, namespace,
|
|
145
|
+
object name, lookup argument, visible fields, proposal fields, guards, and
|
|
146
|
+
approval role.
|
|
135
147
|
|
|
136
148
|
Start with `read_only` to prove safe database reads first. Use `--mode review`
|
|
137
149
|
when you are ready to create proposal tools and guarded writeback setup.
|
|
@@ -141,9 +153,10 @@ The wizard:
|
|
|
141
153
|
- asks for the engine and read URL environment-variable name;
|
|
142
154
|
- tests read connectivity through schema inspection;
|
|
143
155
|
- lists discovered schemas and tables/views;
|
|
144
|
-
- asks
|
|
145
|
-
|
|
146
|
-
|
|
156
|
+
- asks which source object backs the local context;
|
|
157
|
+
- asks which tenant/scope column and backend session env vars are trusted;
|
|
158
|
+
- asks you to confirm primary key, conflict/version column, visible columns,
|
|
159
|
+
mode, semantic capability names, and proposal patch mappings;
|
|
147
160
|
- previews the MCP tools and what is not exposed;
|
|
148
161
|
- writes the generated config, `.env.example`, and MCP client snippets only
|
|
149
162
|
after final confirmation.
|
|
@@ -302,12 +315,31 @@ npx -y -p @synapsor/runner@alpha synapsor doctor --config synapsor.runner.json -
|
|
|
302
315
|
|
|
303
316
|
## 8. Serve semantic MCP tools
|
|
304
317
|
|
|
318
|
+
Use stdio when a local MCP client can launch Synapsor Runner:
|
|
319
|
+
|
|
305
320
|
```bash
|
|
306
321
|
export SYNAPSOR_TENANT_ID="acme"
|
|
307
322
|
export SYNAPSOR_PRINCIPAL="local_operator"
|
|
308
323
|
npx -y -p @synapsor/runner@alpha synapsor mcp serve --config ./synapsor.runner.json --store ./.synapsor/local.db
|
|
309
324
|
```
|
|
310
325
|
|
|
326
|
+
Use HTTP when an app/server agent connects to a long-running Runner process:
|
|
327
|
+
|
|
328
|
+
```bash
|
|
329
|
+
export SYNAPSOR_TENANT_ID="acme"
|
|
330
|
+
export SYNAPSOR_PRINCIPAL="local_operator"
|
|
331
|
+
export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
|
|
332
|
+
|
|
333
|
+
npx -y -p @synapsor/runner@alpha synapsor mcp serve-http \
|
|
334
|
+
--config ./synapsor.runner.json \
|
|
335
|
+
--store ./.synapsor/local.db \
|
|
336
|
+
--auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
|
|
337
|
+
```
|
|
338
|
+
|
|
339
|
+
HTTP defaults to `127.0.0.1:8765` and requires bearer auth by default. Use
|
|
340
|
+
private networking/TLS before exposing it beyond localhost. See
|
|
341
|
+
[HTTP MCP](http-mcp.md).
|
|
342
|
+
|
|
311
343
|
The model-facing MCP server exposes semantic tools such as:
|
|
312
344
|
|
|
313
345
|
```text
|
|
@@ -349,7 +381,7 @@ payload, not arbitrary model SQL:
|
|
|
349
381
|
npx -y -p @synapsor/runner@alpha synapsor apply --proposal wrp_123 --config synapsor.runner.json --store ./.synapsor/local.db
|
|
350
382
|
```
|
|
351
383
|
|
|
352
|
-
See
|
|
384
|
+
See [Writeback Executors](writeback-executors.md).
|
|
353
385
|
|
|
354
386
|
Replay afterward:
|
|
355
387
|
|
package/docs/http-mcp.md
ADDED
|
@@ -0,0 +1,200 @@
|
|
|
1
|
+
# HTTP MCP
|
|
2
|
+
|
|
3
|
+
Use HTTP MCP when an app, server-side agent, container, or Python/Node process
|
|
4
|
+
needs to connect to a long-running Synapsor Runner service.
|
|
5
|
+
|
|
6
|
+
Use stdio MCP when a local MCP client such as Claude Desktop, Cursor, or a
|
|
7
|
+
local agent tool can launch Synapsor Runner directly.
|
|
8
|
+
|
|
9
|
+
## Start The HTTP Server
|
|
10
|
+
|
|
11
|
+
```bash
|
|
12
|
+
export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
|
|
13
|
+
|
|
14
|
+
synapsor mcp serve-http \
|
|
15
|
+
--host 127.0.0.1 \
|
|
16
|
+
--port 8765 \
|
|
17
|
+
--config ./synapsor.runner.json \
|
|
18
|
+
--store ./.synapsor/local.db \
|
|
19
|
+
--auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
|
|
20
|
+
```
|
|
21
|
+
|
|
22
|
+
Defaults:
|
|
23
|
+
|
|
24
|
+
```text
|
|
25
|
+
host: 127.0.0.1
|
|
26
|
+
port: 8765
|
|
27
|
+
auth: bearer token required
|
|
28
|
+
cors: disabled
|
|
29
|
+
```
|
|
30
|
+
|
|
31
|
+
Startup output prints the URL, config path, store path, and token environment
|
|
32
|
+
variable name. It does not print token values or database URLs.
|
|
33
|
+
|
|
34
|
+
## Health Check
|
|
35
|
+
|
|
36
|
+
```bash
|
|
37
|
+
curl -i http://127.0.0.1:8765/healthz
|
|
38
|
+
```
|
|
39
|
+
|
|
40
|
+
The health endpoint is secret-free:
|
|
41
|
+
|
|
42
|
+
```json
|
|
43
|
+
{
|
|
44
|
+
"ok": true,
|
|
45
|
+
"transport": "http",
|
|
46
|
+
"tools": 1,
|
|
47
|
+
"mode": "read_only"
|
|
48
|
+
}
|
|
49
|
+
```
|
|
50
|
+
|
|
51
|
+
## List Tools
|
|
52
|
+
|
|
53
|
+
Unauthorized requests fail:
|
|
54
|
+
|
|
55
|
+
```bash
|
|
56
|
+
curl -i \
|
|
57
|
+
-H "Content-Type: application/json" \
|
|
58
|
+
-d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' \
|
|
59
|
+
http://127.0.0.1:8765/mcp
|
|
60
|
+
```
|
|
61
|
+
|
|
62
|
+
Authorized requests include the bearer token:
|
|
63
|
+
|
|
64
|
+
```bash
|
|
65
|
+
curl -i \
|
|
66
|
+
-H "Authorization: Bearer dev-local-token" \
|
|
67
|
+
-H "Content-Type: application/json" \
|
|
68
|
+
-d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' \
|
|
69
|
+
http://127.0.0.1:8765/mcp
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
The tool catalog should contain semantic tools such as:
|
|
73
|
+
|
|
74
|
+
```text
|
|
75
|
+
billing.inspect_invoice
|
|
76
|
+
billing.propose_late_fee_waiver
|
|
77
|
+
```
|
|
78
|
+
|
|
79
|
+
It should not contain:
|
|
80
|
+
|
|
81
|
+
```text
|
|
82
|
+
execute_sql
|
|
83
|
+
raw_sql
|
|
84
|
+
approval tools
|
|
85
|
+
commit/apply tools
|
|
86
|
+
database URLs
|
|
87
|
+
write credentials
|
|
88
|
+
model-controlled tenant authority
|
|
89
|
+
arbitrary table or column names
|
|
90
|
+
```
|
|
91
|
+
|
|
92
|
+
## Call A Tool
|
|
93
|
+
|
|
94
|
+
```bash
|
|
95
|
+
curl -i \
|
|
96
|
+
-H "Authorization: Bearer dev-local-token" \
|
|
97
|
+
-H "Content-Type: application/json" \
|
|
98
|
+
-d '{
|
|
99
|
+
"jsonrpc": "2.0",
|
|
100
|
+
"id": 2,
|
|
101
|
+
"method": "tools/call",
|
|
102
|
+
"params": {
|
|
103
|
+
"name": "billing.inspect_invoice",
|
|
104
|
+
"arguments": { "invoice_id": "INV-3001" }
|
|
105
|
+
}
|
|
106
|
+
}' \
|
|
107
|
+
http://127.0.0.1:8765/mcp
|
|
108
|
+
```
|
|
109
|
+
|
|
110
|
+
The response includes scoped data, trusted context, evidence handles, and
|
|
111
|
+
`source_database_mutated: false`. The agent still does not receive SQL,
|
|
112
|
+
database credentials, or approval/commit authority.
|
|
113
|
+
|
|
114
|
+
## Read Evidence Or Replay Resources
|
|
115
|
+
|
|
116
|
+
Use `resources/read` with a `synapsor://...` handle returned by a tool call:
|
|
117
|
+
|
|
118
|
+
```bash
|
|
119
|
+
curl -i \
|
|
120
|
+
-H "Authorization: Bearer dev-local-token" \
|
|
121
|
+
-H "Content-Type: application/json" \
|
|
122
|
+
-d '{
|
|
123
|
+
"jsonrpc": "2.0",
|
|
124
|
+
"id": 3,
|
|
125
|
+
"method": "resources/read",
|
|
126
|
+
"params": { "uri": "synapsor://evidence/ev_..." }
|
|
127
|
+
}' \
|
|
128
|
+
http://127.0.0.1:8765/mcp
|
|
129
|
+
```
|
|
130
|
+
|
|
131
|
+
## CORS
|
|
132
|
+
|
|
133
|
+
CORS is disabled by default. If a local browser app needs access during
|
|
134
|
+
development, allow one explicit origin:
|
|
135
|
+
|
|
136
|
+
```bash
|
|
137
|
+
synapsor mcp serve-http \
|
|
138
|
+
--config ./synapsor.runner.json \
|
|
139
|
+
--store ./.synapsor/local.db \
|
|
140
|
+
--cors-origin http://localhost:3000
|
|
141
|
+
```
|
|
142
|
+
|
|
143
|
+
Do not use wildcard CORS for a model-facing database tool service.
|
|
144
|
+
|
|
145
|
+
## Network Exposure
|
|
146
|
+
|
|
147
|
+
Synapsor Runner binds to `127.0.0.1` by default.
|
|
148
|
+
|
|
149
|
+
If you explicitly bind to all interfaces:
|
|
150
|
+
|
|
151
|
+
```bash
|
|
152
|
+
synapsor mcp serve-http --host 0.0.0.0
|
|
153
|
+
```
|
|
154
|
+
|
|
155
|
+
the CLI prints a warning. Treat this as a production-like service:
|
|
156
|
+
|
|
157
|
+
- keep bearer auth enabled;
|
|
158
|
+
- use TLS or a trusted reverse proxy;
|
|
159
|
+
- prefer private networking;
|
|
160
|
+
- add rate limits and request-size limits at the edge;
|
|
161
|
+
- do not log request bodies by default;
|
|
162
|
+
- rotate the bearer token if it is exposed.
|
|
163
|
+
|
|
164
|
+
`--dev-no-auth` is accepted only on `localhost` or `127.0.0.1`. It fails closed
|
|
165
|
+
with `--host 0.0.0.0`.
|
|
166
|
+
|
|
167
|
+
## Trusted Context
|
|
168
|
+
|
|
169
|
+
Tenant and principal values must come from trusted configuration such as
|
|
170
|
+
environment variables or a server-side session. HTTP request arguments cannot
|
|
171
|
+
override trusted fields such as:
|
|
172
|
+
|
|
173
|
+
```text
|
|
174
|
+
tenant_id
|
|
175
|
+
principal
|
|
176
|
+
principal_id
|
|
177
|
+
project_id
|
|
178
|
+
source_id
|
|
179
|
+
allowed_columns
|
|
180
|
+
approval_identity
|
|
181
|
+
```
|
|
182
|
+
|
|
183
|
+
Use `read_only` mode first. Proposal/review mode should use a separate trusted
|
|
184
|
+
write path and a separate write credential. The model-facing HTTP MCP endpoint
|
|
185
|
+
must not receive write credentials.
|
|
186
|
+
|
|
187
|
+
## OpenAI Agents SDK
|
|
188
|
+
|
|
189
|
+
See:
|
|
190
|
+
|
|
191
|
+
```text
|
|
192
|
+
examples/openai-agents-http/
|
|
193
|
+
examples/openai-agents-stdio/
|
|
194
|
+
```
|
|
195
|
+
|
|
196
|
+
The stdio example uses the MCP client integration from the OpenAI Agents SDK
|
|
197
|
+
when available. The HTTP example uses a minimal JSON-RPC client wrapped as an
|
|
198
|
+
OpenAI function tool because native HTTP MCP client support can vary by SDK
|
|
199
|
+
version. The boundary is the same: the agent calls a semantic Synapsor tool,
|
|
200
|
+
not raw SQL.
|
package/docs/limitations.md
CHANGED
|
@@ -25,6 +25,8 @@ Synapsor Runner is intentionally narrow in the current alpha.
|
|
|
25
25
|
- Capability recipes that generate reviewed starter configs.
|
|
26
26
|
- Shadow-mode proposal-vs-human-action comparison.
|
|
27
27
|
- Static MCP database risk review.
|
|
28
|
+
- Local indexed search for proposals, evidence bundles, query audit, writeback
|
|
29
|
+
receipts, and proposal replay.
|
|
28
30
|
|
|
29
31
|
## Runtime Contract
|
|
30
32
|
|
|
@@ -61,6 +63,24 @@ External Postgres/MySQL databases are not branched or merged by Synapsor Runner.
|
|
|
61
63
|
|
|
62
64
|
The proposal, evidence, replay, and approval state live in Synapsor Runner locally or in Synapsor Cloud. The external source database changes only when a trusted runner applies an approved writeback job.
|
|
63
65
|
|
|
66
|
+
Local replay means replay of records captured by the runner:
|
|
67
|
+
|
|
68
|
+
- trusted context values used by the capability;
|
|
69
|
+
- captured/projected source-row excerpts;
|
|
70
|
+
- query audit fingerprints and redacted parameter metadata;
|
|
71
|
+
- proposal before/proposed diffs;
|
|
72
|
+
- approval/rejection events;
|
|
73
|
+
- guarded writeback jobs;
|
|
74
|
+
- applied/conflict/failed receipts.
|
|
75
|
+
|
|
76
|
+
It does not mean external Postgres/MySQL time travel. Runner cannot reconstruct
|
|
77
|
+
arbitrary historical rows that were never captured as evidence, and it does not
|
|
78
|
+
provide `AS OF` queries over an external source.
|
|
79
|
+
|
|
80
|
+
Local search is single-node SQLite search over the local runner store. It is
|
|
81
|
+
useful for local/dev/staging usage. It is not a hosted central evidence ledger,
|
|
82
|
+
not cross-runner aggregation, not RBAC/SSO, and not compliance retention.
|
|
83
|
+
|
|
64
84
|
Use this wording:
|
|
65
85
|
|
|
66
86
|
```text
|
package/docs/local-mode.md
CHANGED
|
@@ -9,6 +9,14 @@ Command model:
|
|
|
9
9
|
- From a source checkout, use `./bin/synapsor <command>` if the global binary is
|
|
10
10
|
not linked yet.
|
|
11
11
|
|
|
12
|
+
`synapsor demo --quick` creates a fixture ledger for learning and CLI
|
|
13
|
+
verification. In a terminal it walks through the safety model step by step; in
|
|
14
|
+
CI or piped output it prints a short summary and exits without waiting for
|
|
15
|
+
Enter. It does not read or write external Postgres/MySQL. Local mode with
|
|
16
|
+
`synapsor mcp serve`, `synapsor demo`, or an own generated config is the real
|
|
17
|
+
Postgres/MySQL path. Use `synapsor demo inspect` to print the follow-up
|
|
18
|
+
commands for the quick-demo fixture.
|
|
19
|
+
|
|
12
20
|
Current local-mode foundation:
|
|
13
21
|
|
|
14
22
|
- strict JSON capability config validation in `packages/config`;
|
|
@@ -17,13 +25,18 @@ Current local-mode foundation:
|
|
|
17
25
|
- local localhost proposal review UI through `synapsor ui`;
|
|
18
26
|
- static MCP database risk review with `synapsor audit`;
|
|
19
27
|
- local stdio MCP server with semantic read/proposal tools;
|
|
28
|
+
- authenticated HTTP MCP server for app/server agents;
|
|
20
29
|
- MCP resource reads for `synapsor://proposals/*`, `synapsor://evidence/*`, and `synapsor://replay/*`;
|
|
21
30
|
- local approved proposal to `synapsor.writeback-job.v1` job generation;
|
|
22
31
|
- guarded Postgres/MySQL writeback adapters for approved structured jobs.
|
|
23
32
|
|
|
24
33
|
Still pending:
|
|
25
34
|
|
|
26
|
-
|
|
35
|
+
The alpha package requires Node >= 22.5.0 because the local evidence/replay
|
|
36
|
+
ledger uses Node's `node:sqlite` runtime. The published package declares that
|
|
37
|
+
engine requirement and the CLI exits early with a clear message on older Node
|
|
38
|
+
versions. The Docker-backed demo remains the recommended path when you do not
|
|
39
|
+
want to change your host Node version.
|
|
27
40
|
|
|
28
41
|
## Initialize a config
|
|
29
42
|
|
|
@@ -57,6 +70,31 @@ npx -y -p @synapsor/runner@alpha synapsor doctor --config synapsor.runner.json
|
|
|
57
70
|
read/write credential separation, metadata visibility for configured targets,
|
|
58
71
|
and the semantic MCP tool boundary without printing credential values.
|
|
59
72
|
|
|
73
|
+
## Stdio Vs HTTP MCP
|
|
74
|
+
|
|
75
|
+
Use stdio for local MCP clients that launch Synapsor Runner:
|
|
76
|
+
|
|
77
|
+
```bash
|
|
78
|
+
npx -y -p @synapsor/runner@alpha synapsor mcp serve \
|
|
79
|
+
--config ./synapsor.runner.json \
|
|
80
|
+
--store ./.synapsor/local.db
|
|
81
|
+
```
|
|
82
|
+
|
|
83
|
+
Use HTTP when your app/server agent connects to a long-running Runner process:
|
|
84
|
+
|
|
85
|
+
```bash
|
|
86
|
+
export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
|
|
87
|
+
|
|
88
|
+
npx -y -p @synapsor/runner@alpha synapsor mcp serve-http \
|
|
89
|
+
--config ./synapsor.runner.json \
|
|
90
|
+
--store ./.synapsor/local.db \
|
|
91
|
+
--auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
|
|
92
|
+
```
|
|
93
|
+
|
|
94
|
+
HTTP defaults to `127.0.0.1:8765`, requires bearer auth by default, and should
|
|
95
|
+
run behind private networking/TLS before production-like exposure. Details:
|
|
96
|
+
[HTTP MCP](http-mcp.md).
|
|
97
|
+
|
|
60
98
|
## Local safety modes
|
|
61
99
|
|
|
62
100
|
The local runner modes are intentionally narrow:
|
|
@@ -164,6 +202,9 @@ Show replay:
|
|
|
164
202
|
|
|
165
203
|
```bash
|
|
166
204
|
npx -y -p @synapsor/runner@alpha synapsor replay show wrp_123 --store ./.synapsor/local.db
|
|
205
|
+
npx -y -p @synapsor/runner@alpha synapsor replay show --proposal wrp_123 --store ./.synapsor/local.db
|
|
206
|
+
npx -y -p @synapsor/runner@alpha synapsor replay show --replay replay_wrp_123 --store ./.synapsor/local.db
|
|
207
|
+
npx -y -p @synapsor/runner@alpha synapsor replay show --evidence ev_123 --store ./.synapsor/local.db
|
|
167
208
|
```
|
|
168
209
|
|
|
169
210
|
Export replay:
|
|
@@ -172,9 +213,67 @@ Export replay:
|
|
|
172
213
|
npx -y -p @synapsor/runner@alpha synapsor replay export wrp_123 \
|
|
173
214
|
--store ./.synapsor/local.db \
|
|
174
215
|
--output replay.json
|
|
216
|
+
|
|
217
|
+
npx -y -p @synapsor/runner@alpha synapsor replay export --proposal wrp_123 \
|
|
218
|
+
--format markdown \
|
|
219
|
+
--store ./.synapsor/local.db \
|
|
220
|
+
--output replay.md
|
|
175
221
|
```
|
|
176
222
|
|
|
177
223
|
Replay records include proposal metadata, before/after diff, events, writeback receipts, evidence summaries, and query audit rows currently stored for the proposal.
|
|
224
|
+
Human output is concise by default. Use `--details` for reviewer metadata or
|
|
225
|
+
`--json` for complete machine-readable records.
|
|
226
|
+
|
|
227
|
+
## Local evidence, query audit, and receipts
|
|
228
|
+
|
|
229
|
+
The local SQLite store is also searchable without relying on `latest`:
|
|
230
|
+
|
|
231
|
+
```bash
|
|
232
|
+
synapsor activity search \
|
|
233
|
+
--tenant acme \
|
|
234
|
+
--object invoice:INV-3001 \
|
|
235
|
+
--store ./.synapsor/local.db
|
|
236
|
+
|
|
237
|
+
synapsor evidence list \
|
|
238
|
+
--tenant acme \
|
|
239
|
+
--capability billing.inspect_invoice \
|
|
240
|
+
--source app_postgres \
|
|
241
|
+
--table invoices \
|
|
242
|
+
--store ./.synapsor/local.db
|
|
243
|
+
|
|
244
|
+
synapsor evidence show ev_123 --store ./.synapsor/local.db
|
|
245
|
+
synapsor query-audit list --evidence ev_123 --store ./.synapsor/local.db
|
|
246
|
+
synapsor receipts list --proposal wrp_123 --store ./.synapsor/local.db
|
|
247
|
+
synapsor receipts show <receipt_id> --store ./.synapsor/local.db
|
|
248
|
+
```
|
|
249
|
+
|
|
250
|
+
Default inspection output is intentionally short. Add `--details` when you need
|
|
251
|
+
target URIs, primary keys, proposal hash/version, conflict guards, query
|
|
252
|
+
fingerprints, event timestamps, or receipt internals.
|
|
253
|
+
|
|
254
|
+
Read-only MCP tools record evidence bundles and query-audit rows and return an
|
|
255
|
+
evidence handle. Use `evidence show`, `evidence list`, and `query-audit list`
|
|
256
|
+
to inspect those captured rows and fingerprints later without rerunning the
|
|
257
|
+
external database read.
|
|
258
|
+
|
|
259
|
+
This is local indexed search over the runner's SQLite ledger. It is not
|
|
260
|
+
external Postgres/MySQL time travel, not native branching, and not a hosted
|
|
261
|
+
cross-runner audit ledger.
|
|
262
|
+
|
|
263
|
+
## Local store maintenance
|
|
264
|
+
|
|
265
|
+
The local ledger is a developer/staging SQLite file. You can inspect, compact,
|
|
266
|
+
or prune it without touching your source Postgres/MySQL database:
|
|
267
|
+
|
|
268
|
+
```bash
|
|
269
|
+
synapsor store stats --store ./.synapsor/local.db
|
|
270
|
+
synapsor store vacuum --store ./.synapsor/local.db
|
|
271
|
+
synapsor store prune --store ./.synapsor/local.db --older-than 30d --dry-run
|
|
272
|
+
synapsor store prune --store ./.synapsor/local.db --older-than 30d --yes
|
|
273
|
+
```
|
|
274
|
+
|
|
275
|
+
`store prune` defaults to dry-run. Use `--yes` only after reviewing the row
|
|
276
|
+
counts it will remove.
|
|
178
277
|
|
|
179
278
|
## Boundary
|
|
180
279
|
|
|
@@ -184,7 +283,7 @@ Local mode does not expose `approve_proposal` or `commit_proposal` as model-call
|
|
|
184
283
|
MCP tool call
|
|
185
284
|
-> reviewed semantic proposal
|
|
186
285
|
-> local store
|
|
187
|
-
-> human/
|
|
286
|
+
-> human/operator approval outside the model
|
|
188
287
|
-> guarded worker writeback
|
|
189
288
|
-> terminal receipt
|
|
190
289
|
-> replay
|
package/docs/mcp-audit.md
CHANGED
|
@@ -41,13 +41,13 @@ Remote `tools/list` endpoint with a bearer token kept in the environment:
|
|
|
41
41
|
|
|
42
42
|
```bash
|
|
43
43
|
SYNAPSOR_MCP_AUDIT_BEARER="..." \
|
|
44
|
-
npx -y -p @synapsor/runner@alpha synapsor audit https://mcp.example.com --json
|
|
44
|
+
npx -y -p @synapsor/runner@alpha synapsor audit https://mcp.example.com --format json
|
|
45
45
|
```
|
|
46
46
|
|
|
47
47
|
Remote endpoint with a custom bearer-token environment variable:
|
|
48
48
|
|
|
49
49
|
```bash
|
|
50
|
-
npx -y -p @synapsor/runner@alpha synapsor audit https://mcp.example.com --bearer-env MCP_AUDIT_TOKEN --json
|
|
50
|
+
npx -y -p @synapsor/runner@alpha synapsor audit https://mcp.example.com --bearer-env MCP_AUDIT_TOKEN --format json
|
|
51
51
|
```
|
|
52
52
|
|
|
53
53
|
Stdio MCP server:
|
|
@@ -59,14 +59,20 @@ npx -y -p @synapsor/runner@alpha synapsor audit 'stdio:node ./server.mjs' --time
|
|
|
59
59
|
JSON output:
|
|
60
60
|
|
|
61
61
|
```bash
|
|
62
|
-
npx -y -p @synapsor/runner@alpha synapsor audit ./tools-list.json --json
|
|
62
|
+
npx -y -p @synapsor/runner@alpha synapsor audit ./tools-list.json --format json
|
|
63
|
+
```
|
|
64
|
+
|
|
65
|
+
Markdown output for issues, PRs, or security review notes:
|
|
66
|
+
|
|
67
|
+
```bash
|
|
68
|
+
npx -y -p @synapsor/runner@alpha synapsor audit --example dangerous-db-mcp --format markdown
|
|
63
69
|
```
|
|
64
70
|
|
|
65
71
|
During local development, the repo-local wrapper can run the same command:
|
|
66
72
|
|
|
67
73
|
```bash
|
|
68
74
|
./bin/synapsor audit ./tools-list.json
|
|
69
|
-
./bin/synapsor audit ./tools-list.json --json
|
|
75
|
+
./bin/synapsor audit ./tools-list.json --format json
|
|
70
76
|
```
|
|
71
77
|
|
|
72
78
|
## Supported inputs
|
package/docs/mcp-client-setup.md
CHANGED
|
@@ -6,7 +6,10 @@ The primary local proof path is still the one-command Docker demo:
|
|
|
6
6
|
./scripts/demo-docker.sh
|
|
7
7
|
```
|
|
8
8
|
|
|
9
|
-
Use this page after that demo passes and you want to attach a local MCP client.
|
|
9
|
+
Use this page after that demo passes and you want to attach a local MCP client.
|
|
10
|
+
The tested local-client contract here is stdio. HTTP MCP is available for
|
|
11
|
+
app/server deployments where your agent connects to a long-running Runner
|
|
12
|
+
service.
|
|
10
13
|
|
|
11
14
|
Command examples use the published alpha package through `npx`. From a source
|
|
12
15
|
checkout, use `./bin/synapsor ...` only when you intentionally want the local
|
|
@@ -24,6 +27,31 @@ Validate them with:
|
|
|
24
27
|
corepack pnpm test:mcp-client-configs
|
|
25
28
|
```
|
|
26
29
|
|
|
30
|
+
## Stdio Vs HTTP MCP
|
|
31
|
+
|
|
32
|
+
| Mode | Use when | Command |
|
|
33
|
+
| --- | --- | --- |
|
|
34
|
+
| stdio | Claude Desktop, Cursor, VS Code, or another local MCP client can launch Synapsor Runner | `synapsor mcp serve` |
|
|
35
|
+
| HTTP | Your app/server, Python agent, Node service, or container connects to a long-running Runner service | `synapsor mcp serve-http` |
|
|
36
|
+
|
|
37
|
+
Stdio keeps the MCP protocol on process stdin/stdout and is the simplest local
|
|
38
|
+
developer path. HTTP uses JSON-RPC over an authenticated `/mcp` endpoint and is
|
|
39
|
+
better for app/server deployments.
|
|
40
|
+
|
|
41
|
+
HTTP requires bearer auth by default:
|
|
42
|
+
|
|
43
|
+
```bash
|
|
44
|
+
export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
|
|
45
|
+
|
|
46
|
+
npx -y -p @synapsor/runner@alpha synapsor mcp serve-http \
|
|
47
|
+
--config ./synapsor.runner.json \
|
|
48
|
+
--store ./.synapsor/local.db \
|
|
49
|
+
--auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
|
|
50
|
+
```
|
|
51
|
+
|
|
52
|
+
Use private networking/TLS before exposing HTTP MCP beyond localhost. Details:
|
|
53
|
+
[HTTP MCP](http-mcp.md).
|
|
54
|
+
|
|
27
55
|
## Generate A Client Snippet
|
|
28
56
|
|
|
29
57
|
Print a snippet without modifying any client files:
|
|
@@ -77,6 +105,17 @@ npx -y -p @synapsor/runner@alpha synapsor mcp serve --config ./examples/mcp-post
|
|
|
77
105
|
|
|
78
106
|
For the alpha package, keep the package tag explicit in client configuration.
|
|
79
107
|
|
|
108
|
+
For app/server HTTP mode:
|
|
109
|
+
|
|
110
|
+
```bash
|
|
111
|
+
export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
|
|
112
|
+
|
|
113
|
+
npx -y -p @synapsor/runner@alpha synapsor mcp serve-http \
|
|
114
|
+
--config ./examples/mcp-postgres-billing/synapsor.runner.json \
|
|
115
|
+
--store ./.synapsor/local.db \
|
|
116
|
+
--auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
|
|
117
|
+
```
|
|
118
|
+
|
|
80
119
|
## Generic stdio Client
|
|
81
120
|
|
|
82
121
|
```json
|
|
@@ -3,6 +3,23 @@
|
|
|
3
3
|
Synapsor Runner controls a narrow database path for MCP agents. It does not make
|
|
4
4
|
MCP generally secure and it does not solve prompt injection.
|
|
5
5
|
|
|
6
|
+
## Least-privilege database access
|
|
7
|
+
|
|
8
|
+
Use a read-only database user, restricted views, row-level security, and staging
|
|
9
|
+
data where appropriate. Synapsor Runner is not a replacement for database
|
|
10
|
+
permissions.
|
|
11
|
+
|
|
12
|
+
Database permissions protect the connection. Synapsor Runner shapes the
|
|
13
|
+
model-facing interface: reviewed semantic capabilities, trusted context
|
|
14
|
+
binding, evidence handles, query audit, local inspection, and proposal-first
|
|
15
|
+
writes instead of model-facing commit authority.
|
|
16
|
+
|
|
17
|
+
If all you need is restricted reads, database permissions are a good start.
|
|
18
|
+
Use Synapsor Runner when you also want the agent-facing layer: semantic tools,
|
|
19
|
+
trusted context, evidence handles, query audit, local inspection, and
|
|
20
|
+
proposal-first writes. Proposal workflows add full replay across evidence,
|
|
21
|
+
approval, writeback receipts, and events.
|
|
22
|
+
|
|
6
23
|
The model-facing MCP server exposes reviewed semantic tools such as
|
|
7
24
|
`billing.inspect_invoice` and `billing.propose_late_fee_waiver`.
|
|
8
25
|
|