@synapsor/runner 0.1.0-alpha.3 → 0.1.0-alpha.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (44) hide show
  1. package/README.md +284 -13
  2. package/dist/cli.d.ts.map +1 -1
  3. package/dist/cli.js +5 -0
  4. package/dist/runner.mjs +2982 -127
  5. package/docs/README.md +32 -54
  6. package/docs/getting-started-own-database.md +40 -8
  7. package/docs/http-mcp.md +200 -0
  8. package/docs/limitations.md +20 -0
  9. package/docs/local-mode.md +101 -2
  10. package/docs/mcp-audit.md +10 -4
  11. package/docs/mcp-client-setup.md +40 -1
  12. package/docs/security-boundary.md +17 -0
  13. package/examples/openai-agents-http/README.md +55 -0
  14. package/examples/openai-agents-http/agent.py +90 -0
  15. package/examples/openai-agents-http/requirements.txt +1 -0
  16. package/examples/openai-agents-stdio/README.md +62 -0
  17. package/examples/openai-agents-stdio/agent.py +70 -0
  18. package/examples/openai-agents-stdio/requirements.txt +1 -0
  19. package/examples/reference-support-billing-app/README.md +51 -0
  20. package/examples/reference-support-billing-app/schema.sql +14 -1
  21. package/examples/reference-support-billing-app/seed.sql +12 -5
  22. package/examples/reference-support-billing-app/synapsor.runner.json +105 -0
  23. package/package.json +3 -1
  24. package/docs/MCP_RUNNER_IMPLEMENTATION_PLAN.md +0 -187
  25. package/docs/architecture.md +0 -65
  26. package/docs/capability-config.md +0 -180
  27. package/docs/cloud-mode.md +0 -140
  28. package/docs/config-migrations.md +0 -67
  29. package/docs/demo-transcript.md +0 -73
  30. package/docs/dependency-license-inventory.md +0 -35
  31. package/docs/first-10-minutes.md +0 -147
  32. package/docs/licensing.md +0 -38
  33. package/docs/local-ui.md +0 -163
  34. package/docs/mcp-efficiency-benchmark.md +0 -84
  35. package/docs/operations.md +0 -38
  36. package/docs/own-db-20-minutes.md +0 -185
  37. package/docs/production-readiness.md +0 -39
  38. package/docs/protocol.md +0 -90
  39. package/docs/roadmap.md +0 -13
  40. package/docs/schema-inspection.md +0 -88
  41. package/docs/shadow-mode.md +0 -67
  42. package/docs/telemetry.md +0 -28
  43. package/docs/threat-model.md +0 -25
  44. package/docs/trusted-context.md +0 -70
package/docs/README.md CHANGED
@@ -1,56 +1,34 @@
1
1
  # Synapsor Runner Docs
2
2
 
3
- Start with the practical paths, not the internals.
4
-
5
- ## Try The Local Trust Loop
6
-
7
- ```bash
8
- ./scripts/try-synapsor.sh
9
- ```
10
-
11
- This runs disposable Postgres/MySQL fixtures and proves the core loop:
12
-
13
- ```text
14
- MCP tool call
15
- -> trusted context
16
- -> scoped read
17
- -> evidence
18
- -> proposal diff
19
- -> approval outside MCP
20
- -> guarded commit or stale-row conflict
21
- -> receipt/replay
22
- ```
23
-
24
- Read: [First 10 Minutes](first-10-minutes.md).
25
-
26
- ## Use Your Own Staging Postgres/MySQL
27
-
28
- ```bash
29
- export DATABASE_URL="<postgres-or-mysql-read-url>"
30
- ./scripts/use-your-db.sh
31
- ```
32
-
33
- This inspects your schema, opens the guided setup, generates
34
- `synapsor.runner.json`, previews the semantic MCP tools, and prints the
35
- `mcp serve` and local UI commands.
36
-
37
- For disposable dev RDS databases with local CA issues:
38
-
39
- ```bash
40
- ./scripts/use-your-db.sh --allow-insecure-ssl
41
- ```
42
-
43
- Use certificate verification with the database CA bundle for real staging or
44
- production-like databases.
45
-
46
- Read: [Connect Your Own Database](getting-started-own-database.md).
47
-
48
- ## Important References
49
-
50
- - [Schema Inspection](schema-inspection.md)
51
- - [MCP Client Setup](mcp-client-setup.md)
52
- - [Capability Config](capability-config.md)
53
- - [Local UI](local-ui.md)
54
- - [Writeback Executors](writeback-executors.md)
55
- - [Security Boundary](security-boundary.md)
56
- - [Current Scope And Limitations](limitations.md)
3
+ Start with the README. Use these docs only when you need the next level of
4
+ detail.
5
+
6
+ ## First Setup
7
+
8
+ - [Connect Your Own Database](getting-started-own-database.md): inspect a
9
+ staging Postgres/MySQL database, generate `synapsor.runner.json`, preview
10
+ semantic tools, and serve them over MCP.
11
+ - [MCP Client Setup](mcp-client-setup.md): connect Claude, Cursor, VS Code, or
12
+ another stdio MCP client.
13
+ - [HTTP MCP](http-mcp.md): run Synapsor Runner as an authenticated HTTP MCP
14
+ service for app/server agents.
15
+
16
+ ## Safety And Operations
17
+
18
+ - [Security Boundary](security-boundary.md): what the model can and cannot see.
19
+ - [Current Limitations](limitations.md): current alpha scope.
20
+ - [Troubleshooting First Run](troubleshooting-first-run.md): common setup
21
+ failures and fixes.
22
+ - [Local Mode](local-mode.md): local store, proposals, approval, replay, and
23
+ writeback flow.
24
+
25
+ ## Features
26
+
27
+ - [MCP Audit](mcp-audit.md): static risk review for database MCP tools.
28
+ - [Recipes](recipes.md): starter business-capability templates.
29
+ - [Writeback Executors](writeback-executors.md): app-owned writeback handlers
30
+ for approved proposals.
31
+
32
+ The public docs intentionally stay small. Historical implementation reports,
33
+ release checklists, and internal planning notes are not part of the public
34
+ getting-started path.
@@ -7,6 +7,11 @@ Do not start with your most sensitive production database. The current alpha
7
7
  runner is a local commit-safety runtime for reviewed single-row business
8
8
  actions, not a production certification.
9
9
 
10
+ If you only ran `synapsor demo --quick`, you have tested the fixture-only
11
+ teaching path and local ledger commands. This page is the real own-database
12
+ path: it inspects your Postgres/MySQL metadata and generates reviewed semantic
13
+ tools from your selections.
14
+
10
15
  ## Fast path
11
16
 
12
17
  Set one read-only database URL and run the wrapper from this repo:
@@ -128,10 +133,17 @@ In an interactive terminal, run the guided wizard:
128
133
  npx -y -p @synapsor/runner@alpha synapsor init --from-env DATABASE_URL --mode read_only --wizard
129
134
  ```
130
135
 
131
- The generated capabilities are based on your selections. Synapsor Runner does
132
- not force billing, support, order, or any other built-in domain. You choose the
133
- namespace, object name, lookup argument, visible fields, proposal fields, guards,
134
- and approval role.
136
+ The generated context and capabilities are based on your selections. Synapsor
137
+ Runner does not force billing, support, order, or any other built-in domain.
138
+ The local shape is:
139
+
140
+ ```text
141
+ trusted context -> capability -> MCP tool
142
+ ```
143
+
144
+ You choose the source object, trusted tenant/principal bindings, namespace,
145
+ object name, lookup argument, visible fields, proposal fields, guards, and
146
+ approval role.
135
147
 
136
148
  Start with `read_only` to prove safe database reads first. Use `--mode review`
137
149
  when you are ready to create proposal tools and guarded writeback setup.
@@ -141,9 +153,10 @@ The wizard:
141
153
  - asks for the engine and read URL environment-variable name;
142
154
  - tests read connectivity through schema inspection;
143
155
  - lists discovered schemas and tables/views;
144
- - asks you to confirm primary key, tenant/scope column, conflict/version
145
- column, visible columns, mode, semantic names, trusted context env vars, and
146
- proposal patch mappings;
156
+ - asks which source object backs the local context;
157
+ - asks which tenant/scope column and backend session env vars are trusted;
158
+ - asks you to confirm primary key, conflict/version column, visible columns,
159
+ mode, semantic capability names, and proposal patch mappings;
147
160
  - previews the MCP tools and what is not exposed;
148
161
  - writes the generated config, `.env.example`, and MCP client snippets only
149
162
  after final confirmation.
@@ -302,12 +315,31 @@ npx -y -p @synapsor/runner@alpha synapsor doctor --config synapsor.runner.json -
302
315
 
303
316
  ## 8. Serve semantic MCP tools
304
317
 
318
+ Use stdio when a local MCP client can launch Synapsor Runner:
319
+
305
320
  ```bash
306
321
  export SYNAPSOR_TENANT_ID="acme"
307
322
  export SYNAPSOR_PRINCIPAL="local_operator"
308
323
  npx -y -p @synapsor/runner@alpha synapsor mcp serve --config ./synapsor.runner.json --store ./.synapsor/local.db
309
324
  ```
310
325
 
326
+ Use HTTP when an app/server agent connects to a long-running Runner process:
327
+
328
+ ```bash
329
+ export SYNAPSOR_TENANT_ID="acme"
330
+ export SYNAPSOR_PRINCIPAL="local_operator"
331
+ export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
332
+
333
+ npx -y -p @synapsor/runner@alpha synapsor mcp serve-http \
334
+ --config ./synapsor.runner.json \
335
+ --store ./.synapsor/local.db \
336
+ --auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
337
+ ```
338
+
339
+ HTTP defaults to `127.0.0.1:8765` and requires bearer auth by default. Use
340
+ private networking/TLS before exposing it beyond localhost. See
341
+ [HTTP MCP](http-mcp.md).
342
+
311
343
  The model-facing MCP server exposes semantic tools such as:
312
344
 
313
345
  ```text
@@ -349,7 +381,7 @@ payload, not arbitrary model SQL:
349
381
  npx -y -p @synapsor/runner@alpha synapsor apply --proposal wrp_123 --config synapsor.runner.json --store ./.synapsor/local.db
350
382
  ```
351
383
 
352
- See `docs/writeback-executors.md`.
384
+ See [Writeback Executors](writeback-executors.md).
353
385
 
354
386
  Replay afterward:
355
387
 
@@ -0,0 +1,200 @@
1
+ # HTTP MCP
2
+
3
+ Use HTTP MCP when an app, server-side agent, container, or Python/Node process
4
+ needs to connect to a long-running Synapsor Runner service.
5
+
6
+ Use stdio MCP when a local MCP client such as Claude Desktop, Cursor, or a
7
+ local agent tool can launch Synapsor Runner directly.
8
+
9
+ ## Start The HTTP Server
10
+
11
+ ```bash
12
+ export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
13
+
14
+ synapsor mcp serve-http \
15
+ --host 127.0.0.1 \
16
+ --port 8765 \
17
+ --config ./synapsor.runner.json \
18
+ --store ./.synapsor/local.db \
19
+ --auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
20
+ ```
21
+
22
+ Defaults:
23
+
24
+ ```text
25
+ host: 127.0.0.1
26
+ port: 8765
27
+ auth: bearer token required
28
+ cors: disabled
29
+ ```
30
+
31
+ Startup output prints the URL, config path, store path, and token environment
32
+ variable name. It does not print token values or database URLs.
33
+
34
+ ## Health Check
35
+
36
+ ```bash
37
+ curl -i http://127.0.0.1:8765/healthz
38
+ ```
39
+
40
+ The health endpoint is secret-free:
41
+
42
+ ```json
43
+ {
44
+ "ok": true,
45
+ "transport": "http",
46
+ "tools": 1,
47
+ "mode": "read_only"
48
+ }
49
+ ```
50
+
51
+ ## List Tools
52
+
53
+ Unauthorized requests fail:
54
+
55
+ ```bash
56
+ curl -i \
57
+ -H "Content-Type: application/json" \
58
+ -d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' \
59
+ http://127.0.0.1:8765/mcp
60
+ ```
61
+
62
+ Authorized requests include the bearer token:
63
+
64
+ ```bash
65
+ curl -i \
66
+ -H "Authorization: Bearer dev-local-token" \
67
+ -H "Content-Type: application/json" \
68
+ -d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' \
69
+ http://127.0.0.1:8765/mcp
70
+ ```
71
+
72
+ The tool catalog should contain semantic tools such as:
73
+
74
+ ```text
75
+ billing.inspect_invoice
76
+ billing.propose_late_fee_waiver
77
+ ```
78
+
79
+ It should not contain:
80
+
81
+ ```text
82
+ execute_sql
83
+ raw_sql
84
+ approval tools
85
+ commit/apply tools
86
+ database URLs
87
+ write credentials
88
+ model-controlled tenant authority
89
+ arbitrary table or column names
90
+ ```
91
+
92
+ ## Call A Tool
93
+
94
+ ```bash
95
+ curl -i \
96
+ -H "Authorization: Bearer dev-local-token" \
97
+ -H "Content-Type: application/json" \
98
+ -d '{
99
+ "jsonrpc": "2.0",
100
+ "id": 2,
101
+ "method": "tools/call",
102
+ "params": {
103
+ "name": "billing.inspect_invoice",
104
+ "arguments": { "invoice_id": "INV-3001" }
105
+ }
106
+ }' \
107
+ http://127.0.0.1:8765/mcp
108
+ ```
109
+
110
+ The response includes scoped data, trusted context, evidence handles, and
111
+ `source_database_mutated: false`. The agent still does not receive SQL,
112
+ database credentials, or approval/commit authority.
113
+
114
+ ## Read Evidence Or Replay Resources
115
+
116
+ Use `resources/read` with a `synapsor://...` handle returned by a tool call:
117
+
118
+ ```bash
119
+ curl -i \
120
+ -H "Authorization: Bearer dev-local-token" \
121
+ -H "Content-Type: application/json" \
122
+ -d '{
123
+ "jsonrpc": "2.0",
124
+ "id": 3,
125
+ "method": "resources/read",
126
+ "params": { "uri": "synapsor://evidence/ev_..." }
127
+ }' \
128
+ http://127.0.0.1:8765/mcp
129
+ ```
130
+
131
+ ## CORS
132
+
133
+ CORS is disabled by default. If a local browser app needs access during
134
+ development, allow one explicit origin:
135
+
136
+ ```bash
137
+ synapsor mcp serve-http \
138
+ --config ./synapsor.runner.json \
139
+ --store ./.synapsor/local.db \
140
+ --cors-origin http://localhost:3000
141
+ ```
142
+
143
+ Do not use wildcard CORS for a model-facing database tool service.
144
+
145
+ ## Network Exposure
146
+
147
+ Synapsor Runner binds to `127.0.0.1` by default.
148
+
149
+ If you explicitly bind to all interfaces:
150
+
151
+ ```bash
152
+ synapsor mcp serve-http --host 0.0.0.0
153
+ ```
154
+
155
+ the CLI prints a warning. Treat this as a production-like service:
156
+
157
+ - keep bearer auth enabled;
158
+ - use TLS or a trusted reverse proxy;
159
+ - prefer private networking;
160
+ - add rate limits and request-size limits at the edge;
161
+ - do not log request bodies by default;
162
+ - rotate the bearer token if it is exposed.
163
+
164
+ `--dev-no-auth` is accepted only on `localhost` or `127.0.0.1`. It fails closed
165
+ with `--host 0.0.0.0`.
166
+
167
+ ## Trusted Context
168
+
169
+ Tenant and principal values must come from trusted configuration such as
170
+ environment variables or a server-side session. HTTP request arguments cannot
171
+ override trusted fields such as:
172
+
173
+ ```text
174
+ tenant_id
175
+ principal
176
+ principal_id
177
+ project_id
178
+ source_id
179
+ allowed_columns
180
+ approval_identity
181
+ ```
182
+
183
+ Use `read_only` mode first. Proposal/review mode should use a separate trusted
184
+ write path and a separate write credential. The model-facing HTTP MCP endpoint
185
+ must not receive write credentials.
186
+
187
+ ## OpenAI Agents SDK
188
+
189
+ See:
190
+
191
+ ```text
192
+ examples/openai-agents-http/
193
+ examples/openai-agents-stdio/
194
+ ```
195
+
196
+ The stdio example uses the MCP client integration from the OpenAI Agents SDK
197
+ when available. The HTTP example uses a minimal JSON-RPC client wrapped as an
198
+ OpenAI function tool because native HTTP MCP client support can vary by SDK
199
+ version. The boundary is the same: the agent calls a semantic Synapsor tool,
200
+ not raw SQL.
@@ -25,6 +25,8 @@ Synapsor Runner is intentionally narrow in the current alpha.
25
25
  - Capability recipes that generate reviewed starter configs.
26
26
  - Shadow-mode proposal-vs-human-action comparison.
27
27
  - Static MCP database risk review.
28
+ - Local indexed search for proposals, evidence bundles, query audit, writeback
29
+ receipts, and proposal replay.
28
30
 
29
31
  ## Runtime Contract
30
32
 
@@ -61,6 +63,24 @@ External Postgres/MySQL databases are not branched or merged by Synapsor Runner.
61
63
 
62
64
  The proposal, evidence, replay, and approval state live in Synapsor Runner locally or in Synapsor Cloud. The external source database changes only when a trusted runner applies an approved writeback job.
63
65
 
66
+ Local replay means replay of records captured by the runner:
67
+
68
+ - trusted context values used by the capability;
69
+ - captured/projected source-row excerpts;
70
+ - query audit fingerprints and redacted parameter metadata;
71
+ - proposal before/proposed diffs;
72
+ - approval/rejection events;
73
+ - guarded writeback jobs;
74
+ - applied/conflict/failed receipts.
75
+
76
+ It does not mean external Postgres/MySQL time travel. Runner cannot reconstruct
77
+ arbitrary historical rows that were never captured as evidence, and it does not
78
+ provide `AS OF` queries over an external source.
79
+
80
+ Local search is single-node SQLite search over the local runner store. It is
81
+ useful for local/dev/staging usage. It is not a hosted central evidence ledger,
82
+ not cross-runner aggregation, not RBAC/SSO, and not compliance retention.
83
+
64
84
  Use this wording:
65
85
 
66
86
  ```text
@@ -9,6 +9,14 @@ Command model:
9
9
  - From a source checkout, use `./bin/synapsor <command>` if the global binary is
10
10
  not linked yet.
11
11
 
12
+ `synapsor demo --quick` creates a fixture ledger for learning and CLI
13
+ verification. In a terminal it walks through the safety model step by step; in
14
+ CI or piped output it prints a short summary and exits without waiting for
15
+ Enter. It does not read or write external Postgres/MySQL. Local mode with
16
+ `synapsor mcp serve`, `synapsor demo`, or an own generated config is the real
17
+ Postgres/MySQL path. Use `synapsor demo inspect` to print the follow-up
18
+ commands for the quick-demo fixture.
19
+
12
20
  Current local-mode foundation:
13
21
 
14
22
  - strict JSON capability config validation in `packages/config`;
@@ -17,13 +25,18 @@ Current local-mode foundation:
17
25
  - local localhost proposal review UI through `synapsor ui`;
18
26
  - static MCP database risk review with `synapsor audit`;
19
27
  - local stdio MCP server with semantic read/proposal tools;
28
+ - authenticated HTTP MCP server for app/server agents;
20
29
  - MCP resource reads for `synapsor://proposals/*`, `synapsor://evidence/*`, and `synapsor://replay/*`;
21
30
  - local approved proposal to `synapsor.writeback-job.v1` job generation;
22
31
  - guarded Postgres/MySQL writeback adapters for approved structured jobs.
23
32
 
24
33
  Still pending:
25
34
 
26
- - Public-release hardening around the experimental `node:sqlite` dependency.
35
+ The alpha package requires Node >= 22.5.0 because the local evidence/replay
36
+ ledger uses Node's `node:sqlite` runtime. The published package declares that
37
+ engine requirement and the CLI exits early with a clear message on older Node
38
+ versions. The Docker-backed demo remains the recommended path when you do not
39
+ want to change your host Node version.
27
40
 
28
41
  ## Initialize a config
29
42
 
@@ -57,6 +70,31 @@ npx -y -p @synapsor/runner@alpha synapsor doctor --config synapsor.runner.json
57
70
  read/write credential separation, metadata visibility for configured targets,
58
71
  and the semantic MCP tool boundary without printing credential values.
59
72
 
73
+ ## Stdio Vs HTTP MCP
74
+
75
+ Use stdio for local MCP clients that launch Synapsor Runner:
76
+
77
+ ```bash
78
+ npx -y -p @synapsor/runner@alpha synapsor mcp serve \
79
+ --config ./synapsor.runner.json \
80
+ --store ./.synapsor/local.db
81
+ ```
82
+
83
+ Use HTTP when your app/server agent connects to a long-running Runner process:
84
+
85
+ ```bash
86
+ export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
87
+
88
+ npx -y -p @synapsor/runner@alpha synapsor mcp serve-http \
89
+ --config ./synapsor.runner.json \
90
+ --store ./.synapsor/local.db \
91
+ --auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
92
+ ```
93
+
94
+ HTTP defaults to `127.0.0.1:8765`, requires bearer auth by default, and should
95
+ run behind private networking/TLS before production-like exposure. Details:
96
+ [HTTP MCP](http-mcp.md).
97
+
60
98
  ## Local safety modes
61
99
 
62
100
  The local runner modes are intentionally narrow:
@@ -164,6 +202,9 @@ Show replay:
164
202
 
165
203
  ```bash
166
204
  npx -y -p @synapsor/runner@alpha synapsor replay show wrp_123 --store ./.synapsor/local.db
205
+ npx -y -p @synapsor/runner@alpha synapsor replay show --proposal wrp_123 --store ./.synapsor/local.db
206
+ npx -y -p @synapsor/runner@alpha synapsor replay show --replay replay_wrp_123 --store ./.synapsor/local.db
207
+ npx -y -p @synapsor/runner@alpha synapsor replay show --evidence ev_123 --store ./.synapsor/local.db
167
208
  ```
168
209
 
169
210
  Export replay:
@@ -172,9 +213,67 @@ Export replay:
172
213
  npx -y -p @synapsor/runner@alpha synapsor replay export wrp_123 \
173
214
  --store ./.synapsor/local.db \
174
215
  --output replay.json
216
+
217
+ npx -y -p @synapsor/runner@alpha synapsor replay export --proposal wrp_123 \
218
+ --format markdown \
219
+ --store ./.synapsor/local.db \
220
+ --output replay.md
175
221
  ```
176
222
 
177
223
  Replay records include proposal metadata, before/after diff, events, writeback receipts, evidence summaries, and query audit rows currently stored for the proposal.
224
+ Human output is concise by default. Use `--details` for reviewer metadata or
225
+ `--json` for complete machine-readable records.
226
+
227
+ ## Local evidence, query audit, and receipts
228
+
229
+ The local SQLite store is also searchable without relying on `latest`:
230
+
231
+ ```bash
232
+ synapsor activity search \
233
+ --tenant acme \
234
+ --object invoice:INV-3001 \
235
+ --store ./.synapsor/local.db
236
+
237
+ synapsor evidence list \
238
+ --tenant acme \
239
+ --capability billing.inspect_invoice \
240
+ --source app_postgres \
241
+ --table invoices \
242
+ --store ./.synapsor/local.db
243
+
244
+ synapsor evidence show ev_123 --store ./.synapsor/local.db
245
+ synapsor query-audit list --evidence ev_123 --store ./.synapsor/local.db
246
+ synapsor receipts list --proposal wrp_123 --store ./.synapsor/local.db
247
+ synapsor receipts show <receipt_id> --store ./.synapsor/local.db
248
+ ```
249
+
250
+ Default inspection output is intentionally short. Add `--details` when you need
251
+ target URIs, primary keys, proposal hash/version, conflict guards, query
252
+ fingerprints, event timestamps, or receipt internals.
253
+
254
+ Read-only MCP tools record evidence bundles and query-audit rows and return an
255
+ evidence handle. Use `evidence show`, `evidence list`, and `query-audit list`
256
+ to inspect those captured rows and fingerprints later without rerunning the
257
+ external database read.
258
+
259
+ This is local indexed search over the runner's SQLite ledger. It is not
260
+ external Postgres/MySQL time travel, not native branching, and not a hosted
261
+ cross-runner audit ledger.
262
+
263
+ ## Local store maintenance
264
+
265
+ The local ledger is a developer/staging SQLite file. You can inspect, compact,
266
+ or prune it without touching your source Postgres/MySQL database:
267
+
268
+ ```bash
269
+ synapsor store stats --store ./.synapsor/local.db
270
+ synapsor store vacuum --store ./.synapsor/local.db
271
+ synapsor store prune --store ./.synapsor/local.db --older-than 30d --dry-run
272
+ synapsor store prune --store ./.synapsor/local.db --older-than 30d --yes
273
+ ```
274
+
275
+ `store prune` defaults to dry-run. Use `--yes` only after reviewing the row
276
+ counts it will remove.
178
277
 
179
278
  ## Boundary
180
279
 
@@ -184,7 +283,7 @@ Local mode does not expose `approve_proposal` or `commit_proposal` as model-call
184
283
  MCP tool call
185
284
  -> reviewed semantic proposal
186
285
  -> local store
187
- -> human/policy approval outside the model
286
+ -> human/operator approval outside the model
188
287
  -> guarded worker writeback
189
288
  -> terminal receipt
190
289
  -> replay
package/docs/mcp-audit.md CHANGED
@@ -41,13 +41,13 @@ Remote `tools/list` endpoint with a bearer token kept in the environment:
41
41
 
42
42
  ```bash
43
43
  SYNAPSOR_MCP_AUDIT_BEARER="..." \
44
- npx -y -p @synapsor/runner@alpha synapsor audit https://mcp.example.com --json
44
+ npx -y -p @synapsor/runner@alpha synapsor audit https://mcp.example.com --format json
45
45
  ```
46
46
 
47
47
  Remote endpoint with a custom bearer-token environment variable:
48
48
 
49
49
  ```bash
50
- npx -y -p @synapsor/runner@alpha synapsor audit https://mcp.example.com --bearer-env MCP_AUDIT_TOKEN --json
50
+ npx -y -p @synapsor/runner@alpha synapsor audit https://mcp.example.com --bearer-env MCP_AUDIT_TOKEN --format json
51
51
  ```
52
52
 
53
53
  Stdio MCP server:
@@ -59,14 +59,20 @@ npx -y -p @synapsor/runner@alpha synapsor audit 'stdio:node ./server.mjs' --time
59
59
  JSON output:
60
60
 
61
61
  ```bash
62
- npx -y -p @synapsor/runner@alpha synapsor audit ./tools-list.json --json
62
+ npx -y -p @synapsor/runner@alpha synapsor audit ./tools-list.json --format json
63
+ ```
64
+
65
+ Markdown output for issues, PRs, or security review notes:
66
+
67
+ ```bash
68
+ npx -y -p @synapsor/runner@alpha synapsor audit --example dangerous-db-mcp --format markdown
63
69
  ```
64
70
 
65
71
  During local development, the repo-local wrapper can run the same command:
66
72
 
67
73
  ```bash
68
74
  ./bin/synapsor audit ./tools-list.json
69
- ./bin/synapsor audit ./tools-list.json --json
75
+ ./bin/synapsor audit ./tools-list.json --format json
70
76
  ```
71
77
 
72
78
  ## Supported inputs
@@ -6,7 +6,10 @@ The primary local proof path is still the one-command Docker demo:
6
6
  ./scripts/demo-docker.sh
7
7
  ```
8
8
 
9
- Use this page after that demo passes and you want to attach a local MCP client. The tested integration contract here is stdio. Client-specific UIs change, so the checked-in examples verify config shape and `tools/list`, not every client screen.
9
+ Use this page after that demo passes and you want to attach a local MCP client.
10
+ The tested local-client contract here is stdio. HTTP MCP is available for
11
+ app/server deployments where your agent connects to a long-running Runner
12
+ service.
10
13
 
11
14
  Command examples use the published alpha package through `npx`. From a source
12
15
  checkout, use `./bin/synapsor ...` only when you intentionally want the local
@@ -24,6 +27,31 @@ Validate them with:
24
27
  corepack pnpm test:mcp-client-configs
25
28
  ```
26
29
 
30
+ ## Stdio Vs HTTP MCP
31
+
32
+ | Mode | Use when | Command |
33
+ | --- | --- | --- |
34
+ | stdio | Claude Desktop, Cursor, VS Code, or another local MCP client can launch Synapsor Runner | `synapsor mcp serve` |
35
+ | HTTP | Your app/server, Python agent, Node service, or container connects to a long-running Runner service | `synapsor mcp serve-http` |
36
+
37
+ Stdio keeps the MCP protocol on process stdin/stdout and is the simplest local
38
+ developer path. HTTP uses JSON-RPC over an authenticated `/mcp` endpoint and is
39
+ better for app/server deployments.
40
+
41
+ HTTP requires bearer auth by default:
42
+
43
+ ```bash
44
+ export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
45
+
46
+ npx -y -p @synapsor/runner@alpha synapsor mcp serve-http \
47
+ --config ./synapsor.runner.json \
48
+ --store ./.synapsor/local.db \
49
+ --auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
50
+ ```
51
+
52
+ Use private networking/TLS before exposing HTTP MCP beyond localhost. Details:
53
+ [HTTP MCP](http-mcp.md).
54
+
27
55
  ## Generate A Client Snippet
28
56
 
29
57
  Print a snippet without modifying any client files:
@@ -77,6 +105,17 @@ npx -y -p @synapsor/runner@alpha synapsor mcp serve --config ./examples/mcp-post
77
105
 
78
106
  For the alpha package, keep the package tag explicit in client configuration.
79
107
 
108
+ For app/server HTTP mode:
109
+
110
+ ```bash
111
+ export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
112
+
113
+ npx -y -p @synapsor/runner@alpha synapsor mcp serve-http \
114
+ --config ./examples/mcp-postgres-billing/synapsor.runner.json \
115
+ --store ./.synapsor/local.db \
116
+ --auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
117
+ ```
118
+
80
119
  ## Generic stdio Client
81
120
 
82
121
  ```json
@@ -3,6 +3,23 @@
3
3
  Synapsor Runner controls a narrow database path for MCP agents. It does not make
4
4
  MCP generally secure and it does not solve prompt injection.
5
5
 
6
+ ## Least-privilege database access
7
+
8
+ Use a read-only database user, restricted views, row-level security, and staging
9
+ data where appropriate. Synapsor Runner is not a replacement for database
10
+ permissions.
11
+
12
+ Database permissions protect the connection. Synapsor Runner shapes the
13
+ model-facing interface: reviewed semantic capabilities, trusted context
14
+ binding, evidence handles, query audit, local inspection, and proposal-first
15
+ writes instead of model-facing commit authority.
16
+
17
+ If all you need is restricted reads, database permissions are a good start.
18
+ Use Synapsor Runner when you also want the agent-facing layer: semantic tools,
19
+ trusted context, evidence handles, query audit, local inspection, and
20
+ proposal-first writes. Proposal workflows add full replay across evidence,
21
+ approval, writeback receipts, and events.
22
+
6
23
  The model-facing MCP server exposes reviewed semantic tools such as
7
24
  `billing.inspect_invoice` and `billing.propose_late_fee_waiver`.
8
25