@synapsor/runner 0.1.0-alpha.4 → 0.1.0-alpha.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (38) hide show
  1. package/README.md +193 -25
  2. package/dist/cli.d.ts.map +1 -1
  3. package/dist/runner.mjs +903 -80
  4. package/docs/README.md +32 -54
  5. package/docs/getting-started-own-database.md +40 -8
  6. package/docs/http-mcp.md +200 -0
  7. package/docs/local-mode.md +40 -4
  8. package/docs/mcp-audit.md +0 -4
  9. package/docs/mcp-client-setup.md +40 -1
  10. package/examples/openai-agents-http/README.md +55 -0
  11. package/examples/openai-agents-http/agent.py +90 -0
  12. package/examples/openai-agents-http/requirements.txt +1 -0
  13. package/examples/openai-agents-stdio/README.md +62 -0
  14. package/examples/openai-agents-stdio/agent.py +70 -0
  15. package/examples/openai-agents-stdio/requirements.txt +1 -0
  16. package/package.json +3 -1
  17. package/docs/MCP_RUNNER_IMPLEMENTATION_PLAN.md +0 -187
  18. package/docs/architecture.md +0 -65
  19. package/docs/capability-config.md +0 -180
  20. package/docs/cloud-mode.md +0 -140
  21. package/docs/config-migrations.md +0 -67
  22. package/docs/demo-transcript.md +0 -161
  23. package/docs/dependency-license-inventory.md +0 -35
  24. package/docs/first-10-minutes.md +0 -172
  25. package/docs/licensing.md +0 -38
  26. package/docs/local-ui.md +0 -163
  27. package/docs/mcp-efficiency-benchmark.md +0 -84
  28. package/docs/open-source-feature-inventory.md +0 -254
  29. package/docs/operations.md +0 -38
  30. package/docs/own-db-20-minutes.md +0 -185
  31. package/docs/production-readiness.md +0 -39
  32. package/docs/protocol.md +0 -90
  33. package/docs/roadmap.md +0 -13
  34. package/docs/schema-inspection.md +0 -88
  35. package/docs/shadow-mode.md +0 -67
  36. package/docs/telemetry.md +0 -28
  37. package/docs/threat-model.md +0 -25
  38. package/docs/trusted-context.md +0 -70
package/docs/local-ui.md DELETED
@@ -1,163 +0,0 @@
1
- # Local UI
2
-
3
- `synapsor ui` starts a lightweight browser review surface for a local Runner
4
- store.
5
-
6
- From a source checkout, use `./bin/synapsor ui ...` if the global binary is not
7
- linked yet.
8
-
9
- ```bash
10
- npx -y -p @synapsor/runner@alpha synapsor ui --config ./synapsor.runner.json --store ./.synapsor/local.db
11
- ```
12
-
13
- By default it binds to localhost only and prints a per-run URL:
14
-
15
- ```text
16
- Synapsor Runner local UI: http://127.0.0.1:51234/?token=...
17
- ```
18
-
19
- Use the UI after `synapsor mcp serve` has created local proposals. The UI is a
20
- review surface; it is not a raw SQL console and it does not serve MCP tools.
21
-
22
- ## The Review Console
23
-
24
- Selecting a proposal opens a **Review** tab that tells the story of what
25
- happened, step by step, instead of leading with raw JSON:
26
-
27
- 1. **Agent requested a change** — the semantic tool that was called and the
28
- object it targeted (for example `billing.propose_late_fee_waiver for
29
- INV-3001`). The model could request, but had no SQL, approve, or commit
30
- tools.
31
- 2. **Synapsor Runner created a proposal** — proposal id, tenant, and principal.
32
- 3. **The proposed change** — an exact before/proposed field diff.
33
- 4. **Safety result** — `Source database changed: No/Yes`.
34
- 5. **Approval boundary** — “Approval happened outside MCP. The model did not get
35
- approve or commit tools,” plus the current approval status.
36
- 6. **Commit result** — the terminal outcome in plain language, e.g. “Conflict:
37
- the row changed after the proposal. No write applied,” with an expandable
38
- guard checklist.
39
- 7. **Replay** — a timeline of evidence, proposal, approval, writeback receipt,
40
- and conflict events.
41
-
42
- A second **View raw JSON** tab exposes the full proposal, events, receipts, and
43
- evidence payloads for developers who want the underlying records. Each
44
- configuration card also keeps its raw JSON behind a per-card drawer.
45
-
46
- ## What It Shows
47
-
48
- The setup summary shows:
49
-
50
- - config path and local store path;
51
- - Runner mode;
52
- - source engine and environment-variable names;
53
- - trusted context binding;
54
- - selected table/view targets;
55
- - semantic capabilities;
56
- - config validation status;
57
- - whether forbidden model-facing tools such as raw SQL or approval/commit tools
58
- are present.
59
-
60
- The tools view shows:
61
-
62
- - semantic tool names;
63
- - read/proposal labels;
64
- - target table/view;
65
- - input schema;
66
- - hidden trusted bindings;
67
- - visible columns;
68
- - allowed patch columns;
69
- - conflict guard;
70
- - clear “No raw SQL” status.
71
-
72
- The proposals view shows:
73
-
74
- - pending, approved, rejected, applied, conflict, and failed states;
75
- - tenant/object/principal;
76
- - source database changed: yes/no;
77
- - source row before approval/writeback;
78
- - proposed patch values;
79
- - expected version guard;
80
- - exact before/proposed field diff;
81
- - evidence handle and summary;
82
- - receipts when present.
83
-
84
- The review panel lets a local reviewer:
85
-
86
- - approve outside the model-facing MCP tool surface;
87
- - reject with a reason;
88
- - see the message “The model can propose this change. It cannot approve or
89
- commit it.” before execution;
90
- - see “Commit executed by trusted runner” after terminal writeback;
91
- - see “Conflict: source row changed after proposal” for stale-row cases;
92
- - inspect the guard checklist for tenant scope, allowed columns, primary key,
93
- conflict/version column, idempotency key, and affected-row count;
94
- - inspect writeback mode and executor status;
95
- - inspect replay for the selected proposal.
96
-
97
- Approval and rejection record the reviewer identity against the exact proposal
98
- hash/version in the local SQLite proposal store.
99
-
100
- ## Security Boundary
101
-
102
- The local UI keeps the same authority split as the CLI:
103
-
104
- ```text
105
- MCP tool call = request/proposal authority
106
- Trusted local UI/CLI reviewer = approval authority
107
- Trusted runner apply path = execution authority
108
- ```
109
-
110
- Security behavior:
111
-
112
- - binds to `127.0.0.1` by default;
113
- - refuses non-localhost binding unless `--allow-remote-bind` is explicitly
114
- passed;
115
- - requires a per-run local session token;
116
- - sets the local session token in an HttpOnly SameSite cookie after the first
117
- token URL load;
118
- - requires a CSRF token for approve/reject actions;
119
- - does not expose database URLs, passwords, bearer tokens, runner tokens, or
120
- obvious secret strings in JSON API responses;
121
- - does not expose a raw SQL editor;
122
- - does not expose approval, commit, or writeback tools through MCP;
123
- - does not allow widening configured tables, columns, or mutable fields from the
124
- browser.
125
-
126
- The UI displays proposal business data from the local store, so use reviewed
127
- visible columns and denied-column rules before creating proposals. Obvious
128
- secret-looking fields and connection strings are redacted defensively, but the
129
- UI is not a replacement for selecting safe capability projections.
130
-
131
- ## Remote Binding
132
-
133
- For normal use, do not bind the UI to anything except localhost.
134
-
135
- For a deliberate trusted local-network demo:
136
-
137
- ```bash
138
- npx -y -p @synapsor/runner@alpha synapsor ui --host 0.0.0.0 --allow-remote-bind
139
- ```
140
-
141
- Do this only in an isolated environment. The local UI is not a hosted
142
- multi-user approval product; use Synapsor Cloud when a team needs shared RBAC,
143
- approval queues, audit retention, and hosted replay search.
144
-
145
- ## Current Limits
146
-
147
- The UI is intentionally small in the current alpha:
148
-
149
- - proposal review and replay only;
150
- - no graphical capability builder;
151
- - no raw SQL editor;
152
- - no direct writeback apply button;
153
- - no hosted/team auth;
154
- - no Cloud approval queue replacement.
155
-
156
- Use the CLI apply path after approval:
157
-
158
- ```bash
159
- npx -y -p @synapsor/runner@alpha synapsor proposals writeback-job wrp_123 --store ./.synapsor/local.db --output job.json
160
- SYNAPSOR_ENGINE=postgres \
161
- SYNAPSOR_DATABASE_URL="$SYNAPSOR_DATABASE_WRITE_URL" \
162
- npx -y -p @synapsor/runner@alpha synapsor apply --job job.json --config synapsor.runner.json --store ./.synapsor/local.db
163
- ```
@@ -1,84 +0,0 @@
1
- # MCP Efficiency Benchmark
2
-
3
- Run:
4
-
5
- From a source checkout, use `corepack pnpm runner benchmark mcp-efficiency`.
6
- The global `synapsor` command is only needed after installing or linking the
7
- CLI.
8
-
9
- ```bash
10
- npx -y -p @synapsor/runner@alpha synapsor benchmark mcp-efficiency
11
- ```
12
-
13
- For machine-readable output:
14
-
15
- ```bash
16
- npx -y -p @synapsor/runner@alpha synapsor benchmark mcp-efficiency --json
17
- ```
18
-
19
- The benchmark compares an included fixture, not universal model behavior.
20
-
21
- Current fixture:
22
-
23
- ```text
24
- late-fee-waiver
25
- ```
26
-
27
- Checked-in snapshots:
28
-
29
- ```text
30
- fixtures/benchmark/mcp-efficiency.txt
31
- fixtures/benchmark/mcp-efficiency.json
32
- ```
33
-
34
- The CLI tests compare both human-readable and machine-readable output against
35
- those snapshots, so changes to the fixture, tokenizer, measurements, or wording
36
- are reviewable.
37
-
38
- Reference path:
39
-
40
- ```text
41
- list_tables
42
- describe_table invoices
43
- query_database SELECT invoice
44
- formulate raw UPDATE
45
- execute_sql UPDATE invoice
46
- ```
47
-
48
- Synapsor Runner semantic path:
49
-
50
- ```text
51
- billing.inspect_invoice
52
- billing.propose_late_fee_waiver
53
- ```
54
-
55
- It measures:
56
-
57
- - number of exposed tools;
58
- - serialized `tools/list` bytes;
59
- - token count with a pinned deterministic fixture tokenizer;
60
- - scripted tool-call count;
61
- - schema/context bytes and tokens exposed;
62
- - business result bytes and tokens;
63
- - whether raw SQL is exposed;
64
- - whether write credentials are exposed;
65
- - whether approval is separated;
66
- - whether stale-row conflict is checked.
67
-
68
- Tokenizer:
69
-
70
- ```text
71
- synapsor-fixture-tokenizer-v1
72
- ```
73
-
74
- This tokenizer is a deterministic regex tokenizer used only for repeatable
75
- fixture comparison. It is not a model billing tokenizer.
76
-
77
- Allowed README phrasing after implementation:
78
-
79
- > In the included fixture, semantic capabilities replace generic schema
80
- > exploration and raw SQL with two compact business tools. Run the benchmark to
81
- > inspect tool definitions, reference tool-call count, and tokenized context
82
- > size.
83
-
84
- Do not claim guaranteed percentage savings across workloads.
@@ -1,254 +0,0 @@
1
- # Synapsor Runner Open-Source Feature Inventory
2
-
3
- Date: 2026-06-23
4
-
5
- Branch inspected: `runner-segment-scale-adoption`
6
-
7
- This inventory tracks the open-source runner boundary. It is not a list of
8
- Synapsor Cloud or Synapsor DBMS features.
9
-
10
- ## Summary
11
-
12
- Synapsor Runner now has a local evidence/replay ledger for real
13
- Postgres/MySQL-backed MCP interactions:
14
-
15
- - config-defined semantic MCP tools instead of raw SQL;
16
- - trusted tenant/principal context binding;
17
- - scoped source reads;
18
- - local evidence bundles and query audit;
19
- - proposal-first writes with before/proposed diffs;
20
- - local approval/rejection outside MCP;
21
- - guarded single-row writeback;
22
- - writeback receipts;
23
- - proposal replay;
24
- - local indexed search over proposals, evidence, query audit, receipts, and
25
- replay links.
26
- - npm/package trust checks for the public `synapsor` bin and legacy
27
- `synapsor-runner` alias;
28
- - a fixture-only `demo --quick` that seeds an inspectable local ledger without
29
- Docker;
30
- - shareable MCP audit JSON/Markdown output;
31
- - redacted doctor Markdown report output.
32
-
33
- The local store is SQLite and intended for local/dev/staging usage. It is not a
34
- hosted central audit ledger, not RBAC/SSO, not cross-runner search, not
35
- enterprise retention, and not compliance export.
36
-
37
- ## Implemented Local Concepts
38
-
39
- | Synapsor concept | Runner implementation | Status |
40
- | --- | --- | --- |
41
- | Context bindings | Trusted tenant/principal from env/static dev/HTTP/cloud session config | Implemented |
42
- | Capabilities | Reviewed semantic MCP tools from `synapsor.runner.json` | Implemented |
43
- | Evidence bundles | Captured/projected rows and metadata persisted locally | Implemented |
44
- | Query audit | Source/table/fingerprint/row-count/redacted-parameter records | Implemented |
45
- | Proposals | Immutable before/proposed change sets | Implemented |
46
- | Approval | Local CLI/UI approval/rejection outside MCP | Implemented |
47
- | Guarded writeback | Single-row Postgres/MySQL `UPDATE` with primary-key, tenant, allowed-column, conflict, idempotency, and affected-row checks | Implemented |
48
- | Receipts | Applied/conflict/failed writeback receipts | Implemented |
49
- | Replay | Proposal replay from local captured records | Implemented |
50
- | MCP audit | Static risk review for database MCP tool shapes | Implemented |
51
- | Local indexed search | CLI filters for activity, proposals, evidence, query audit, and receipts | Implemented |
52
-
53
- ## New Local Ledger Commands
54
-
55
- ```bash
56
- synapsor activity search --tenant acme --object invoice:INV-3001
57
- synapsor proposals list --tenant acme --capability billing.propose_late_fee_waiver --object invoice:INV-3001 --status approved
58
- synapsor evidence list --tenant acme --capability billing.inspect_invoice --source app_postgres --table invoices
59
- synapsor evidence show ev_...
60
- synapsor evidence export ev_... --format json --output evidence.json
61
- synapsor evidence export ev_... --format markdown --output evidence.md
62
- synapsor query-audit list --evidence ev_... --source app_postgres --table invoices
63
- synapsor query-audit show <audit_id>
64
- synapsor query-audit export <audit_id> --format json --output audit.json
65
- synapsor receipts list --proposal wrp_...
66
- synapsor receipts show <receipt_id>
67
- synapsor replay show --proposal wrp_...
68
- synapsor replay show --replay replay_wrp_...
69
- synapsor replay show --evidence ev_...
70
- synapsor replay export --proposal wrp_... --format json --output replay.json
71
- synapsor replay export --proposal wrp_... --format markdown --output replay.md
72
- synapsor doctor --config synapsor.runner.json --report --redact --output synapsor-doctor.md
73
- synapsor store stats --store ./.synapsor/local.db
74
- synapsor store vacuum --store ./.synapsor/local.db
75
- synapsor store prune --store ./.synapsor/local.db --older-than 30d --dry-run
76
- ```
77
-
78
- Unknown top-level commands now return a nonzero error instead of generic help.
79
- Unsupported flags on the new search/list commands fail clearly rather than
80
- being silently ignored.
81
-
82
- ## Local Store Schema And Search
83
-
84
- The store remains backward-compatible with existing local SQLite files. New
85
- metadata columns are nullable and are backfilled from existing JSON where safe.
86
-
87
- New/important searchable metadata:
88
-
89
- - proposal tenant, principal, capability/action, business object, object id,
90
- state, source, table, created time;
91
- - evidence tenant, principal, capability, proposal id, business object, object
92
- id, source, table, query fingerprint, created time;
93
- - query audit tenant, proposal id, evidence id, source, table, primary-key
94
- value, query fingerprint, created time;
95
- - writeback receipt proposal id, writeback job id, idempotency key, status,
96
- created time.
97
-
98
- Indexes are created idempotently on the local store for:
99
-
100
- - proposals by tenant/time, action/time, capability/time, principal/time,
101
- object/time, state/time, source/table/time;
102
- - evidence bundles by tenant/time, proposal id, created time, capability/time,
103
- principal/time, object/time, source/table/time, query fingerprint/time;
104
- - evidence items by evidence bundle id;
105
- - query audit by evidence id, proposal id, source/table/time,
106
- query fingerprint/time, tenant/time, object/time, primary-key/time;
107
- - writeback receipts by proposal id, writeback job id, idempotency key,
108
- status/time;
109
- - replay records by proposal id and created time;
110
- - approvals by proposal id and status/time;
111
- - proposal events by proposal id and kind/time.
112
-
113
- These are local metadata indexes. Runner does not index customer Postgres/MySQL
114
- tables.
115
-
116
- ## Read-Only Evidence
117
-
118
- Read-only MCP tools can record evidence bundles and query-audit rows. The MCP
119
- tool response returns an evidence handle. The user can now inspect that handle
120
- later:
121
-
122
- ```bash
123
- synapsor evidence show ev_...
124
- synapsor evidence list --tenant acme --capability billing.inspect_invoice
125
- synapsor query-audit list --evidence ev_...
126
- synapsor activity search --tenant acme --source app_postgres --table invoices
127
- ```
128
-
129
- Read-only evidence inspection does not rerun the external database read. It
130
- shows captured/projected evidence that was already persisted locally.
131
-
132
- Proposal replay remains proposal-centric. `replay show --evidence ev_...`
133
- works only when the evidence bundle is linked to a replayable proposal.
134
-
135
- ## Replay Versus Time Travel
136
-
137
- Runner replay is local captured interaction replay:
138
-
139
- ```text
140
- trusted context
141
- -> captured source-row excerpt
142
- -> query audit/fingerprint
143
- -> proposal before/proposed diff
144
- -> approval/rejection events
145
- -> writeback job
146
- -> terminal receipt
147
- ```
148
-
149
- It is not:
150
-
151
- - external DB time travel;
152
- - `AS OF` query support over Postgres/MySQL;
153
- - native branch creation;
154
- - external DB merge;
155
- - auto-merge;
156
- - settlement-policy execution.
157
-
158
- Synapsor-native branching, time travel, settlement, and workflow DAG execution
159
- remain proprietary Synapsor Cloud/DBMS features.
160
-
161
- ## MCP Resource Boundary
162
-
163
- MCP resources remain read-only:
164
-
165
- - `synapsor://proposals/{proposal_id}`;
166
- - `synapsor://evidence/{evidence_bundle_id}`;
167
- - `synapsor://replay/{replay_id}`.
168
-
169
- They inspect local store records and do not mutate source databases. They also
170
- do not list/search all local records through MCP; local search is a CLI/local UI
171
- concern.
172
-
173
- ## Not Included In OSS Runner
174
-
175
- - C++ DBMS internals;
176
- - native Synapsor branches;
177
- - external DB time travel;
178
- - `AS OF` external DB queries;
179
- - external DB merge;
180
- - auto-merge;
181
- - settlement policies;
182
- - workflow DAG engine;
183
- - `CREATE AGENT WORKFLOW`;
184
- - hosted workflow graph builder;
185
- - governed memory;
186
- - RBAC/SSO;
187
- - hosted evidence ledger;
188
- - central org-wide activity search;
189
- - managed runner fleet;
190
- - compliance exports;
191
- - enterprise retention controls;
192
- - production CDC machinery.
193
-
194
- ## Safety Boundary Verification
195
-
196
- The runner keeps these out of the model-facing MCP tool surface:
197
-
198
- - `execute_sql`;
199
- - `raw_sql`;
200
- - `query_database`;
201
- - approval tools;
202
- - reject tools;
203
- - apply/commit/writeback tools;
204
- - database URLs;
205
- - write credentials;
206
- - model-controlled tenant authority.
207
-
208
- Approval, rejection, and writeback stay in CLI/UI/app-handler/runner paths
209
- outside the MCP tool surface.
210
-
211
- ## Current Rough Edges
212
-
213
- - The local UI is still proposal-review oriented. The CLI now has first-class
214
- local evidence/search commands, but UI search/export for evidence/query-audit
215
- is not yet a full dedicated workflow.
216
- - Read-only evidence has CLI inspection and activity search, but read-only
217
- replay is not a standalone replay object unless linked to a proposal.
218
- - The current direct DB writeback adapter intentionally supports guarded
219
- single-row `UPDATE` only. App-owned HTTP/command handlers are the path for
220
- richer business writes.
221
- - The alpha package requires Node >= 22.5.0 because the local ledger uses
222
- Node's `node:sqlite` runtime. The package declares this and the bin wrapper
223
- exits early with a clear message on older Node versions.
224
-
225
- ## Tests Covering This Inventory
226
-
227
- Relevant local tests:
228
-
229
- ```bash
230
- corepack pnpm exec vitest run packages/proposal-store/src/index.test.ts
231
- corepack pnpm exec vitest run apps/runner/src/cli.test.ts
232
- corepack pnpm exec vitest run packages/mcp-server/src/index.test.ts
233
- corepack pnpm test:first-run
234
- corepack pnpm test:mcp-client-configs
235
- ./scripts/verify-public-commands.sh
236
- ./scripts/verify-packed-runner.sh
237
- ```
238
-
239
- The current implementation pass specifically added coverage for:
240
-
241
- - unknown command nonzero behavior;
242
- - unsupported search flags failing clearly;
243
- - proposal filters by tenant/capability/object/status;
244
- - evidence show/list/export JSON/Markdown;
245
- - query-audit list/show/export;
246
- - receipts list/show;
247
- - replay by proposal id, replay id, and linked evidence id;
248
- - replay JSON and Markdown export;
249
- - activity search by tenant/object;
250
- - local metadata indexes and idempotent migration/reopen.
251
- - `demo --quick` creating an inspectable local fixture store;
252
- - built-in audit example JSON/Markdown output;
253
- - clean packed-tarball command execution.
254
- - local store stats, vacuum, and dry-run/apply prune.
@@ -1,38 +0,0 @@
1
- # Operations
2
-
3
- ## Required configuration
4
-
5
- - `SYNAPSOR_CONTROL_PLANE_URL`
6
- - `SYNAPSOR_RUNNER_TOKEN`
7
- - `SYNAPSOR_RUNNER_ID`
8
- - `SYNAPSOR_SOURCE_ID`
9
- - `SYNAPSOR_DATABASE_URL`
10
- - `SYNAPSOR_ENGINE=postgres|mysql`
11
-
12
- ## Routine checks
13
-
14
- ```bash
15
- npx -y -p @synapsor/runner@alpha synapsor doctor
16
- npx -y -p @synapsor/runner@alpha synapsor validate --job examples/postgres-support/job.approved.json
17
- npx -y -p @synapsor/runner@alpha synapsor validate --job examples/mysql-orders/job.approved.json
18
- ```
19
-
20
- `doctor` validates local configuration, calls Synapsor's runner-token doctor endpoint, confirms the token is authenticated for the configured source, checks database reachability and engine version, creates/verifies `synapsor_writeback_receipts`, and performs a rollback-only receipt insert to prove the configured credential can write runner receipts. It does not mutate business tables.
21
-
22
- ## Local fixture smoke
23
-
24
- Run this before cutting a release or changing the adapters:
25
-
26
- ```bash
27
- corepack pnpm test:docker
28
- ```
29
-
30
- The smoke starts the local Postgres and MySQL fixtures, validates approved jobs, applies one guarded single-row update, retries the same idempotency key, verifies stale-version conflict, verifies tenant mismatch rejection, verifies disallowed-column validation, and tears down the containers with volumes.
31
-
32
- ## Shutdown
33
-
34
- The runner handles `SIGINT` and `SIGTERM` by stopping the poll loop. In-flight database transactions complete or roll back through the adapter.
35
-
36
- ## Logs
37
-
38
- Default logs include runner id, job id, proposal id, source id, engine, schema/table names, patch column names, status/error code, and durations. Logs must not include database URL/password, runner token, full patch values, full source rows, or customer data.