@synapsor/runner 0.1.0-alpha.3 → 0.1.0-alpha.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (44) hide show
  1. package/README.md +284 -13
  2. package/dist/cli.d.ts.map +1 -1
  3. package/dist/cli.js +5 -0
  4. package/dist/runner.mjs +2982 -127
  5. package/docs/README.md +32 -54
  6. package/docs/getting-started-own-database.md +40 -8
  7. package/docs/http-mcp.md +200 -0
  8. package/docs/limitations.md +20 -0
  9. package/docs/local-mode.md +101 -2
  10. package/docs/mcp-audit.md +10 -4
  11. package/docs/mcp-client-setup.md +40 -1
  12. package/docs/security-boundary.md +17 -0
  13. package/examples/openai-agents-http/README.md +55 -0
  14. package/examples/openai-agents-http/agent.py +90 -0
  15. package/examples/openai-agents-http/requirements.txt +1 -0
  16. package/examples/openai-agents-stdio/README.md +62 -0
  17. package/examples/openai-agents-stdio/agent.py +70 -0
  18. package/examples/openai-agents-stdio/requirements.txt +1 -0
  19. package/examples/reference-support-billing-app/README.md +51 -0
  20. package/examples/reference-support-billing-app/schema.sql +14 -1
  21. package/examples/reference-support-billing-app/seed.sql +12 -5
  22. package/examples/reference-support-billing-app/synapsor.runner.json +105 -0
  23. package/package.json +3 -1
  24. package/docs/MCP_RUNNER_IMPLEMENTATION_PLAN.md +0 -187
  25. package/docs/architecture.md +0 -65
  26. package/docs/capability-config.md +0 -180
  27. package/docs/cloud-mode.md +0 -140
  28. package/docs/config-migrations.md +0 -67
  29. package/docs/demo-transcript.md +0 -73
  30. package/docs/dependency-license-inventory.md +0 -35
  31. package/docs/first-10-minutes.md +0 -147
  32. package/docs/licensing.md +0 -38
  33. package/docs/local-ui.md +0 -163
  34. package/docs/mcp-efficiency-benchmark.md +0 -84
  35. package/docs/operations.md +0 -38
  36. package/docs/own-db-20-minutes.md +0 -185
  37. package/docs/production-readiness.md +0 -39
  38. package/docs/protocol.md +0 -90
  39. package/docs/roadmap.md +0 -13
  40. package/docs/schema-inspection.md +0 -88
  41. package/docs/shadow-mode.md +0 -67
  42. package/docs/telemetry.md +0 -28
  43. package/docs/threat-model.md +0 -25
  44. package/docs/trusted-context.md +0 -70
@@ -1,185 +0,0 @@
1
- # Own Database In 10 Minutes
2
-
3
- This path is for a developer who already understands the local demo and wants
4
- to try one staging Postgres/MySQL table without writing `synapsor.runner.json`
5
- by hand.
6
-
7
- Do not start with your most sensitive production database. Start with staging,
8
- a disposable database, or a least-privilege view.
9
-
10
- ## 1. Create A Read-Only Credential
11
-
12
- Use a database user that can inspect metadata and read only the tables/views
13
- needed for the experiment.
14
-
15
- Set the connection string in an environment variable:
16
-
17
- ```bash
18
- export DATABASE_URL="<postgres-or-mysql-read-url>"
19
- ```
20
-
21
- Do not paste database URLs into MCP client configs or committed JSON files.
22
-
23
- ## 2. Inspect The Database
24
-
25
- Fast path:
26
-
27
- ```bash
28
- ./scripts/use-your-db.sh
29
- ```
30
-
31
- That command runs inspection, guided config generation, and tool preview. The
32
- rest of this page shows the same steps explicitly.
33
-
34
- ```bash
35
- npx -y -p @synapsor/runner@alpha synapsor inspect --from-env DATABASE_URL --engine auto
36
- ```
37
-
38
- This prints discovered tables/views, primary keys, possible tenant/scope
39
- columns, possible conflict/version columns, and fields suggested for review.
40
- Inspection reads metadata and table shape. It does not expose raw SQL tools or
41
- write credentials to the model.
42
-
43
- For disposable staging databases, this shorter form also works:
44
-
45
- ```bash
46
- npx -y -p @synapsor/runner@alpha synapsor inspect "$DATABASE_URL" --engine auto
47
- ```
48
-
49
- Prefer `--from-env` on shared machines so URLs do not land in shell history.
50
-
51
- ## 3. Run The Guided Wizard
52
-
53
- ```bash
54
- npx -y -p @synapsor/runner@alpha synapsor init --from-env DATABASE_URL --mode review --wizard
55
- ```
56
-
57
- The wizard asks for:
58
-
59
- - database engine;
60
- - read URL environment-variable name;
61
- - schema/database;
62
- - table or view;
63
- - primary key;
64
- - tenant/scope column;
65
- - conflict/version column;
66
- - read-visible fields;
67
- - mode: `read_only`, `shadow`, or `review`;
68
- - business object name and namespace;
69
- - proposal patch mapping if you choose `shadow` or `review`;
70
- - trusted tenant/principal env vars;
71
- - approval role;
72
- - final confirmation before files are written.
73
-
74
- The default mode for unknown schemas should be treated as a cautious staging
75
- path. Do not enable real writeback until the read/proposal path is reviewed.
76
-
77
- You can still run the complete wrapper:
78
-
79
- ```bash
80
- ./scripts/use-your-db.sh
81
- ```
82
-
83
- It runs inspection, guided init, tool preview, and next-step printing in one
84
- flow. For the lower-level CLI path, `synapsor onboard db --from-env
85
- DATABASE_URL` runs the same own-database onboarding from the runner command.
86
-
87
- ## 4. What Gets Generated
88
-
89
- The wizard creates:
90
-
91
- - `synapsor.runner.json`;
92
- - `.env.example`;
93
- - `.synapsor/mcp/generic-stdio.json`;
94
- - `.synapsor/mcp/claude-desktop.json`;
95
- - `.synapsor/mcp/cursor.json`;
96
- - `.synapsor/mcp/vscode.json`.
97
-
98
- The generated config stores environment-variable names, not database secrets.
99
-
100
- ## 5. Preview What The Model Sees
101
-
102
- ```bash
103
- npx -y -p @synapsor/runner@alpha synapsor config validate --config synapsor.runner.json
104
- npx -y -p @synapsor/runner@alpha synapsor doctor --config synapsor.runner.json
105
- npx -y -p @synapsor/runner@alpha synapsor tools preview --config synapsor.runner.json --store ./.synapsor/local.db
106
- ```
107
-
108
- `doctor` checks config shape, trusted context env vars, source env vars,
109
- read/write credential separation, source metadata when reachable, handler env
110
- vars, and the semantic MCP tool boundary.
111
-
112
- `tools preview` lists what the model would see and confirms:
113
-
114
- - semantic tools present;
115
- - `execute_sql` absent;
116
- - approval tools absent;
117
- - commit tools absent;
118
- - database URLs absent;
119
- - write credentials absent.
120
-
121
- ## 6. Serve MCP
122
-
123
- ```bash
124
- export SYNAPSOR_TENANT_ID="acme"
125
- export SYNAPSOR_PRINCIPAL="local_operator"
126
-
127
- npx -y -p @synapsor/runner@alpha synapsor mcp serve \
128
- --config ./synapsor.runner.json \
129
- --store ./.synapsor/local.db
130
- ```
131
-
132
- The MCP server exposes only the configured semantic tools. It does not expose
133
- raw SQL, approval tools, commit tools, database URLs, write credentials, or
134
- model-controlled tenant authority.
135
-
136
- ## 7. Review Proposals
137
-
138
- If a proposal is created:
139
-
140
- ```bash
141
- npx -y -p @synapsor/runner@alpha synapsor proposals list --store ./.synapsor/local.db
142
- npx -y -p @synapsor/runner@alpha synapsor proposals show <proposal_id> --store ./.synapsor/local.db
143
- npx -y -p @synapsor/runner@alpha synapsor replay show <proposal_id> --store ./.synapsor/local.db
144
- ```
145
-
146
- Open the UI:
147
-
148
- ```bash
149
- npx -y -p @synapsor/runner@alpha synapsor ui --tour --config ./synapsor.runner.json --store ./.synapsor/local.db
150
- ```
151
-
152
- ## 8. Apply Only After Review
153
-
154
- For direct SQL writeback, set a separate writer credential only when ready:
155
-
156
- ```bash
157
- export SYNAPSOR_DATABASE_WRITE_URL="<postgres-or-mysql-writer-url>"
158
- ```
159
-
160
- Then:
161
-
162
- ```bash
163
- npx -y -p @synapsor/runner@alpha synapsor proposals approve <proposal_id> --store ./.synapsor/local.db --actor local_reviewer --yes
164
- npx -y -p @synapsor/runner@alpha synapsor proposals writeback-job <proposal_id> --store ./.synapsor/local.db --output job.json
165
-
166
- SYNAPSOR_ENGINE=postgres \
167
- SYNAPSOR_DATABASE_URL="$SYNAPSOR_DATABASE_WRITE_URL" \
168
- npx -y -p @synapsor/runner@alpha synapsor apply --job job.json --config synapsor.runner.json --store ./.synapsor/local.db
169
- ```
170
-
171
- If your application should own the business write, configure an `http_handler`
172
- or `command_handler` executor instead of direct SQL writeback. See
173
- [writeback-executors.md](writeback-executors.md).
174
-
175
- ## Safety Rules
176
-
177
- - Never infer write authority silently.
178
- - Every allowed write column must be explicitly reviewed.
179
- - Every patch mapping must be explicitly reviewed.
180
- - If no tenant column exists, use a safe view or explicitly acknowledge
181
- single-tenant dev mode.
182
- - If no conflict column exists, stay in `read_only` or `shadow` unless you
183
- intentionally accept a weak guard for local testing.
184
- - Never write during onboarding.
185
- - Never put secrets in generated config.
@@ -1,39 +0,0 @@
1
- # Production Readiness
2
-
3
- Synapsor Runner is a local, open-source MCP data-plane/runtime for reviewed
4
- Postgres/MySQL business actions. It is not Synapsor Cloud and it is not the
5
- Synapsor C++ DBMS.
6
-
7
- Use a staging or disposable database first.
8
-
9
- Allowed current claims:
10
-
11
- - semantic MCP tools instead of raw SQL;
12
- - source database remains unchanged during proposal creation;
13
- - separate read and write credentials;
14
- - exact row diff;
15
- - local approval outside MCP;
16
- - tenant, column, version, affected-row, and idempotency checks;
17
- - approved app/API handler writeback with handler secrets kept in environment
18
- variables;
19
- - shadow-mode comparison between agent proposals and human actions;
20
- - stale-row conflict detection in included fixtures;
21
- - local replay for proposal/evidence/approval/writeback receipts.
22
-
23
- Do not claim from this repository alone:
24
-
25
- - high availability;
26
- - compliance certification;
27
- - mission-critical SLA;
28
- - exactly-once across networks;
29
- - general MCP security;
30
- - prompt-injection immunity;
31
- - physical branches for Postgres/MySQL;
32
- - arbitrary business invariants are automatically understood.
33
-
34
- Synapsor Cloud is the production/team control plane for shared approvals, RBAC,
35
- hosted evidence/replay search, runner fleet status, leases, retention, audit
36
- visibility, and support.
37
-
38
- Before a public production-data claim, complete the release checklist, counsel
39
- review, security review, and operational validation.
package/docs/protocol.md DELETED
@@ -1,90 +0,0 @@
1
- # Protocol
2
-
3
- The public protocol has four versioned identifiers:
4
-
5
- ```text
6
- synapsor.change-set.v1
7
- synapsor.writeback-job.v1
8
- synapsor.execution-receipt.v1
9
- synapsor.runner-registration.v1
10
- ```
11
-
12
- The schemas live in `schemas/`. Golden fixtures live in `fixtures/protocol/` and are copied into the main Synapsor repository so Cloud/C++/SDK work can validate the same contract.
13
-
14
- `fixtures/protocol/MANIFEST.json` is the shared checksum note for the public protocol set. The same logical manifest is copied to the main Synapsor repository as `protocol/MANIFEST.json`. Tests in both repositories verify the SHA-256 digest for every schema and fixture.
15
-
16
- The current alpha write path supports one operation:
17
-
18
- ```text
19
- single_row_update
20
- ```
21
-
22
- It does not support arbitrary SQL, DDL, INSERT, DELETE, UPSERT, stored procedures, dynamic table/column names from model input, or multi-row writes.
23
- Schema, table, primary-key, tenant, conflict-guard, allowed-column, and patch
24
- column identifiers must be fixed safe identifiers. Path-traversal strings and
25
- SQL-fragment-like identifiers are rejected by protocol validation before the
26
- Postgres/MySQL adapter can run.
27
-
28
- ## Change set
29
-
30
- `synapsor.change-set.v1` describes the proposal created after a semantic capability reads the current row and derives an exact diff. It includes:
31
-
32
- - proposal id and version;
33
- - action name;
34
- - trusted principal provenance;
35
- - tenant/business-object scope;
36
- - source table and primary key;
37
- - before/patch/after maps;
38
- - allowed columns;
39
- - expected version guard;
40
- - evidence bundle/query fingerprint;
41
- - approval state;
42
- - writeback state;
43
- - `source_database_mutated: false`;
44
- - proposal hash.
45
-
46
- ## Writeback job
47
-
48
- `synapsor.writeback-job.v1` is the only object a runner may use to mutate the external database. Required fields include:
49
-
50
- - `writeback_job_id`;
51
- - `proposal_id`;
52
- - `proposal_version`;
53
- - `proposal_hash`;
54
- - `runner_scope.project_id`;
55
- - `runner_scope.source_id`;
56
- - `engine`;
57
- - `operation: single_row_update`;
58
- - `target.schema`;
59
- - `target.table`;
60
- - `target.primary_key`;
61
- - `tenant_guard`;
62
- - `allowed_columns`;
63
- - `patch`;
64
- - `conflict_guard`;
65
- - `idempotency_key`;
66
- - `lease`.
67
-
68
- The protocol package normalizes this public shape into the existing internal `protocol_version: "1.0"` worker shape so current Postgres/MySQL adapters remain stable while the public contract evolves.
69
-
70
- ## Execution receipt
71
-
72
- `synapsor.execution-receipt.v1` records the terminal result:
73
-
74
- ```text
75
- applied
76
- conflict
77
- failed
78
- canceled
79
- already_applied
80
- ```
81
-
82
- Receipts include the writeback job id, proposal id, runner id, rows affected, idempotency key, version fields when available, source mutation state, safe error code, execution timestamp, and receipt hash.
83
-
84
- ## Runner registration
85
-
86
- `synapsor.runner-registration.v1` describes a runner's id, version, supported engines, capabilities, project/source scope, and registration timestamp.
87
-
88
- ## Compatibility
89
-
90
- Existing Cloud endpoints may still return the legacy `protocol_version: "1.0"` job/result envelope during migration. The runner validates both formats. New public examples and MCP work should use the `synapsor.*.v1` schema ids.
package/docs/roadmap.md DELETED
@@ -1,13 +0,0 @@
1
- # Roadmap
2
-
3
- Future packages can live in this same monorepo:
4
-
5
- - MCP adapter
6
- - LangGraph adapter
7
- - OpenAI Agents SDK adapter
8
- - CrewAI adapter
9
- - ORM helpers for Prisma, Drizzle, Django, Rails, and SQLAlchemy
10
- - Local read runner when product requirements and security review are complete
11
-
12
- Do not add package stubs until the implementation is ready.
13
-
@@ -1,88 +0,0 @@
1
- # Schema Inspection
2
-
3
- `synapsor inspect` reads database metadata so you can choose a
4
- narrow reviewed capability without writing an entire runner config by hand.
5
-
6
- Use the public `synapsor ...` runner CLI. From a source checkout, use
7
- `./bin/synapsor ...` if the global binary is not linked yet.
8
-
9
- ```bash
10
- npx -y -p @synapsor/runner@alpha synapsor inspect \
11
- --engine auto \
12
- --from-env SYNAPSOR_DATABASE_READ_URL \
13
- --schema public
14
- ```
15
-
16
- JSON output:
17
-
18
- ```bash
19
- npx -y -p @synapsor/runner@alpha synapsor inspect \
20
- --engine mysql \
21
- --from-env SYNAPSOR_DATABASE_READ_URL \
22
- --schema app \
23
- --json
24
- ```
25
-
26
- ## What It Reads
27
-
28
- The inspector collects metadata only:
29
-
30
- - engine and server version;
31
- - current database user;
32
- - schemas/databases visible to the credential;
33
- - tables and views;
34
- - columns, types, nullability, defaults, and generated status;
35
- - primary keys;
36
- - unique constraints;
37
- - foreign keys;
38
- - index summaries;
39
- - best-effort table writability from object type;
40
- - suggested tenant columns;
41
- - suggested conflict/version columns;
42
- - suggested sensitive or large/binary fields.
43
-
44
- It does not sample normal business rows by default.
45
-
46
- ## Suggestions Are Not Authority
47
-
48
- Tenant, conflict, sensitive-field, and default-visible-column suggestions are
49
- heuristics. You must review them before generating or serving a capability.
50
-
51
- Suggested tenant column names include:
52
-
53
- ```text
54
- tenant_id, account_id, organization_id, org_id, workspace_id, customer_id
55
- ```
56
-
57
- Suggested conflict/version columns include:
58
-
59
- ```text
60
- updated_at, modified_at, row_version, version, lock_version, etag
61
- ```
62
-
63
- Likely sensitive fields include names containing:
64
-
65
- ```text
66
- password, secret, token, api_key, private_key, session, cookie, ssn,
67
- credit_card, card_number, cvv, refresh_token, oauth
68
- ```
69
-
70
- Binary/blob/vector columns are excluded from generated default visible columns.
71
-
72
- ## Safety Behavior
73
-
74
- - Use a read-only database credential.
75
- - Pass the connection through an environment variable name, not a command-line
76
- URL.
77
- - Inspection opens read-only transactions where supported.
78
- - Inspection applies statement timeouts.
79
- - Inspection does not issue DDL or DML.
80
- - Errors are sanitized to avoid printing connection strings.
81
-
82
- ## Next Step
83
-
84
- Use the inspection result to create `onboarding-selection.json`, then run:
85
-
86
- ```bash
87
- npx -y -p @synapsor/runner@alpha synapsor init --spec onboarding-selection.json --non-interactive
88
- ```
@@ -1,67 +0,0 @@
1
- # Shadow Mode
2
-
3
- Shadow mode lets you evaluate autonomy before allowing writes.
4
-
5
- The model can create proposals and evidence, but the source database is never
6
- mutated. A human continues doing the real work in the application. You can then
7
- record what the human actually did and compare it to the agent proposal.
8
-
9
- Run a shadow config:
10
-
11
- ```json
12
- {
13
- "mode": "shadow"
14
- }
15
- ```
16
-
17
- List shadow proposals:
18
-
19
- ```bash
20
- npx -y -p @synapsor/runner@alpha synapsor shadow list --store ./.synapsor/local.db
21
- ```
22
-
23
- Record the human action:
24
-
25
- ```bash
26
- cat > human-action.json <<'JSON'
27
- {
28
- "late_fee_cents": 0,
29
- "waiver_reason": "customer requested review"
30
- }
31
- JSON
32
-
33
- npx -y -p @synapsor/runner@alpha synapsor shadow record-human-action wrp_123 \
34
- --store ./.synapsor/local.db \
35
- --patch human-action.json \
36
- --actor human_operator \
37
- --notes "matched support lead decision"
38
- ```
39
-
40
- Compare:
41
-
42
- ```bash
43
- npx -y -p @synapsor/runner@alpha synapsor shadow compare wrp_123 --store ./.synapsor/local.db
44
- ```
45
-
46
- Report:
47
-
48
- ```bash
49
- npx -y -p @synapsor/runner@alpha synapsor shadow report --store ./.synapsor/local.db
50
- ```
51
-
52
- The report counts:
53
-
54
- - total shadow proposals;
55
- - proposals with human actions;
56
- - exact matches;
57
- - partial matches;
58
- - mismatches;
59
- - proposals with no human action yet.
60
-
61
- Use this path to move gradually:
62
-
63
- ```text
64
- read-only -> shadow proposals -> human-reviewed commits -> policy-approved commits later
65
- ```
66
-
67
- This goal does not add policy auto-approval.
package/docs/telemetry.md DELETED
@@ -1,28 +0,0 @@
1
- # Telemetry
2
-
3
- Local mode does not send telemetry to Synapsor Cloud.
4
-
5
- By default, Synapsor Runner local commands do not upload:
6
-
7
- - schema metadata;
8
- - table names;
9
- - database rows;
10
- - prompts;
11
- - proposal contents;
12
- - credentials or database URLs;
13
- - usage data.
14
-
15
- Cloud communication occurs only after an explicit Cloud action, such as
16
- `synapsor cloud connect`, or when a config uses `mode: "cloud"`.
17
-
18
- The local MCP server keeps database credentials in the local environment. MCP
19
- client snippets reference the local command and store path; they must not
20
- include database URLs or passwords.
21
-
22
- Cloud mode may exchange documented control-plane metadata for runner
23
- registration, heartbeats, tool catalogs, proposal/job leases, result reporting,
24
- and replay/audit workflows. Cloud mode must remain testable and must not upload
25
- database credentials.
26
-
27
- If a future feature adds opt-in telemetry, it must be documented, disabled by
28
- default for local mode, and must not include secrets or row payloads.
@@ -1,25 +0,0 @@
1
- # Threat Model
2
-
3
- ## Boundary
4
-
5
- Synapsor Runner is the local trusted writeback boundary. The write credential stays in the customer environment. Synapsor Cloud sends approved structured jobs, not database URLs, passwords, raw SQL, prompts, or model confidence.
6
-
7
- ## Threats covered
8
-
9
- - Compromised or prompt-injected model: runner ignores prompts and accepts only structured approved jobs.
10
- - Malicious model arguments: target, tenant, allowed columns, conflict guard, and idempotency key come from Synapsor proposal state.
11
- - Over-broad proposal target: runner requires primary key and tenant guard.
12
- - Compromised runner token: token is scoped to one source and limited to configured runner permissions such as adapter read/invoke, runner heartbeat, job claim, and result reporting; it does not grant approval or arbitrary SQL authority.
13
- - Replayed job: receipt table makes applied retries idempotent.
14
- - Concurrent runners: receipt row and target row are locked inside a transaction.
15
- - Stale row/version conflict: version-column mismatch returns `conflict`.
16
- - Tenant mismatch: missing target row under tenant guard returns conflict and does not write.
17
- - Multi-row impact: affected rows must equal one.
18
- - Database outage mid-transaction: transaction rolls back and reports failed.
19
- - Control-plane outage after commit: receipt table allows safe idempotent result retry.
20
- - Log leakage: default logs redact tokens and database URLs.
21
- - Dependency compromise: CI, lockfile review, and dependency audit are release gates.
22
-
23
- ## Limitations
24
-
25
- The current alpha does not support arbitrary SQL, inserts, deletes, DDL, stored procedures, multi-row updates, cross-database transactions, automatic schema changes, or a self-hosted Synapsor control plane.
@@ -1,70 +0,0 @@
1
- # Trusted Context
2
-
3
- Trusted context is the data Synapsor Runner uses as authority but does not allow
4
- the model to choose freely.
5
-
6
- Examples:
7
-
8
- - tenant ID;
9
- - principal/user ID;
10
- - role;
11
- - environment or workspace scope.
12
-
13
- In local mode, the supported provider is environment binding:
14
-
15
- ```json
16
- {
17
- "trusted_context": {
18
- "provider": "environment",
19
- "values": {
20
- "tenant_id_env": "SYNAPSOR_TENANT_ID",
21
- "principal_env": "SYNAPSOR_PRINCIPAL"
22
- }
23
- }
24
- }
25
- ```
26
-
27
- For larger configs, use named contexts so each capability says which trusted
28
- binding it uses:
29
-
30
- ```json
31
- {
32
- "contexts": {
33
- "local_support_operator": {
34
- "provider": "environment",
35
- "values": {
36
- "tenant_id_env": "SYNAPSOR_TENANT_ID",
37
- "principal_env": "SYNAPSOR_PRINCIPAL"
38
- }
39
- }
40
- },
41
- "capabilities": [
42
- {
43
- "name": "support.inspect_ticket",
44
- "context": "local_support_operator"
45
- }
46
- ]
47
- }
48
- ```
49
-
50
- Backward compatibility: `trusted_context` still works as the global fallback.
51
- If a capability names `context`, that named context is used for that capability.
52
- If a capability does not name `context`, the global `trusted_context` is used.
53
- Config validation fails when a capability references a missing named context.
54
-
55
- At runtime:
56
-
57
- ```bash
58
- export SYNAPSOR_TENANT_ID="acme"
59
- export SYNAPSOR_PRINCIPAL="local_operator"
60
- ```
61
-
62
- The model may pass business identifiers such as `invoice_id` or `ticket_id`.
63
- Those identifiers are validated inside the trusted tenant scope.
64
-
65
- The model must not pass `tenant_id`, principal, role, or authorization scope as
66
- ordinary authority arguments. If a tool schema appears to require those fields
67
- from the model, treat it as a bug.
68
-
69
- Cloud mode may bind trusted context from Cloud runner/session context, but
70
- database credentials still stay local.