@synapsor/runner 0.1.0-alpha.4 → 0.1.0-alpha.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +193 -25
- package/dist/cli.d.ts.map +1 -1
- package/dist/runner.mjs +903 -80
- package/docs/README.md +32 -54
- package/docs/getting-started-own-database.md +40 -8
- package/docs/http-mcp.md +200 -0
- package/docs/local-mode.md +40 -4
- package/docs/mcp-audit.md +0 -4
- package/docs/mcp-client-setup.md +40 -1
- package/examples/openai-agents-http/README.md +55 -0
- package/examples/openai-agents-http/agent.py +90 -0
- package/examples/openai-agents-http/requirements.txt +1 -0
- package/examples/openai-agents-stdio/README.md +62 -0
- package/examples/openai-agents-stdio/agent.py +70 -0
- package/examples/openai-agents-stdio/requirements.txt +1 -0
- package/package.json +3 -1
- package/docs/MCP_RUNNER_IMPLEMENTATION_PLAN.md +0 -187
- package/docs/architecture.md +0 -65
- package/docs/capability-config.md +0 -180
- package/docs/cloud-mode.md +0 -140
- package/docs/config-migrations.md +0 -67
- package/docs/demo-transcript.md +0 -161
- package/docs/dependency-license-inventory.md +0 -35
- package/docs/first-10-minutes.md +0 -172
- package/docs/licensing.md +0 -38
- package/docs/local-ui.md +0 -163
- package/docs/mcp-efficiency-benchmark.md +0 -84
- package/docs/open-source-feature-inventory.md +0 -254
- package/docs/operations.md +0 -38
- package/docs/own-db-20-minutes.md +0 -185
- package/docs/production-readiness.md +0 -39
- package/docs/protocol.md +0 -90
- package/docs/roadmap.md +0 -13
- package/docs/schema-inspection.md +0 -88
- package/docs/shadow-mode.md +0 -67
- package/docs/telemetry.md +0 -28
- package/docs/threat-model.md +0 -25
- package/docs/trusted-context.md +0 -70
|
@@ -1,185 +0,0 @@
|
|
|
1
|
-
# Own Database In 10 Minutes
|
|
2
|
-
|
|
3
|
-
This path is for a developer who already understands the local demo and wants
|
|
4
|
-
to try one staging Postgres/MySQL table without writing `synapsor.runner.json`
|
|
5
|
-
by hand.
|
|
6
|
-
|
|
7
|
-
Do not start with your most sensitive production database. Start with staging,
|
|
8
|
-
a disposable database, or a least-privilege view.
|
|
9
|
-
|
|
10
|
-
## 1. Create A Read-Only Credential
|
|
11
|
-
|
|
12
|
-
Use a database user that can inspect metadata and read only the tables/views
|
|
13
|
-
needed for the experiment.
|
|
14
|
-
|
|
15
|
-
Set the connection string in an environment variable:
|
|
16
|
-
|
|
17
|
-
```bash
|
|
18
|
-
export DATABASE_URL="<postgres-or-mysql-read-url>"
|
|
19
|
-
```
|
|
20
|
-
|
|
21
|
-
Do not paste database URLs into MCP client configs or committed JSON files.
|
|
22
|
-
|
|
23
|
-
## 2. Inspect The Database
|
|
24
|
-
|
|
25
|
-
Fast path:
|
|
26
|
-
|
|
27
|
-
```bash
|
|
28
|
-
./scripts/use-your-db.sh
|
|
29
|
-
```
|
|
30
|
-
|
|
31
|
-
That command runs inspection, guided config generation, and tool preview. The
|
|
32
|
-
rest of this page shows the same steps explicitly.
|
|
33
|
-
|
|
34
|
-
```bash
|
|
35
|
-
npx -y -p @synapsor/runner@alpha synapsor inspect --from-env DATABASE_URL --engine auto
|
|
36
|
-
```
|
|
37
|
-
|
|
38
|
-
This prints discovered tables/views, primary keys, possible tenant/scope
|
|
39
|
-
columns, possible conflict/version columns, and fields suggested for review.
|
|
40
|
-
Inspection reads metadata and table shape. It does not expose raw SQL tools or
|
|
41
|
-
write credentials to the model.
|
|
42
|
-
|
|
43
|
-
For disposable staging databases, this shorter form also works:
|
|
44
|
-
|
|
45
|
-
```bash
|
|
46
|
-
npx -y -p @synapsor/runner@alpha synapsor inspect "$DATABASE_URL" --engine auto
|
|
47
|
-
```
|
|
48
|
-
|
|
49
|
-
Prefer `--from-env` on shared machines so URLs do not land in shell history.
|
|
50
|
-
|
|
51
|
-
## 3. Run The Guided Wizard
|
|
52
|
-
|
|
53
|
-
```bash
|
|
54
|
-
npx -y -p @synapsor/runner@alpha synapsor init --from-env DATABASE_URL --mode review --wizard
|
|
55
|
-
```
|
|
56
|
-
|
|
57
|
-
The wizard asks for:
|
|
58
|
-
|
|
59
|
-
- database engine;
|
|
60
|
-
- read URL environment-variable name;
|
|
61
|
-
- schema/database;
|
|
62
|
-
- table or view;
|
|
63
|
-
- primary key;
|
|
64
|
-
- tenant/scope column;
|
|
65
|
-
- conflict/version column;
|
|
66
|
-
- read-visible fields;
|
|
67
|
-
- mode: `read_only`, `shadow`, or `review`;
|
|
68
|
-
- business object name and namespace;
|
|
69
|
-
- proposal patch mapping if you choose `shadow` or `review`;
|
|
70
|
-
- trusted tenant/principal env vars;
|
|
71
|
-
- approval role;
|
|
72
|
-
- final confirmation before files are written.
|
|
73
|
-
|
|
74
|
-
The default mode for unknown schemas should be treated as a cautious staging
|
|
75
|
-
path. Do not enable real writeback until the read/proposal path is reviewed.
|
|
76
|
-
|
|
77
|
-
You can still run the complete wrapper:
|
|
78
|
-
|
|
79
|
-
```bash
|
|
80
|
-
./scripts/use-your-db.sh
|
|
81
|
-
```
|
|
82
|
-
|
|
83
|
-
It runs inspection, guided init, tool preview, and next-step printing in one
|
|
84
|
-
flow. For the lower-level CLI path, `synapsor onboard db --from-env
|
|
85
|
-
DATABASE_URL` runs the same own-database onboarding from the runner command.
|
|
86
|
-
|
|
87
|
-
## 4. What Gets Generated
|
|
88
|
-
|
|
89
|
-
The wizard creates:
|
|
90
|
-
|
|
91
|
-
- `synapsor.runner.json`;
|
|
92
|
-
- `.env.example`;
|
|
93
|
-
- `.synapsor/mcp/generic-stdio.json`;
|
|
94
|
-
- `.synapsor/mcp/claude-desktop.json`;
|
|
95
|
-
- `.synapsor/mcp/cursor.json`;
|
|
96
|
-
- `.synapsor/mcp/vscode.json`.
|
|
97
|
-
|
|
98
|
-
The generated config stores environment-variable names, not database secrets.
|
|
99
|
-
|
|
100
|
-
## 5. Preview What The Model Sees
|
|
101
|
-
|
|
102
|
-
```bash
|
|
103
|
-
npx -y -p @synapsor/runner@alpha synapsor config validate --config synapsor.runner.json
|
|
104
|
-
npx -y -p @synapsor/runner@alpha synapsor doctor --config synapsor.runner.json
|
|
105
|
-
npx -y -p @synapsor/runner@alpha synapsor tools preview --config synapsor.runner.json --store ./.synapsor/local.db
|
|
106
|
-
```
|
|
107
|
-
|
|
108
|
-
`doctor` checks config shape, trusted context env vars, source env vars,
|
|
109
|
-
read/write credential separation, source metadata when reachable, handler env
|
|
110
|
-
vars, and the semantic MCP tool boundary.
|
|
111
|
-
|
|
112
|
-
`tools preview` lists what the model would see and confirms:
|
|
113
|
-
|
|
114
|
-
- semantic tools present;
|
|
115
|
-
- `execute_sql` absent;
|
|
116
|
-
- approval tools absent;
|
|
117
|
-
- commit tools absent;
|
|
118
|
-
- database URLs absent;
|
|
119
|
-
- write credentials absent.
|
|
120
|
-
|
|
121
|
-
## 6. Serve MCP
|
|
122
|
-
|
|
123
|
-
```bash
|
|
124
|
-
export SYNAPSOR_TENANT_ID="acme"
|
|
125
|
-
export SYNAPSOR_PRINCIPAL="local_operator"
|
|
126
|
-
|
|
127
|
-
npx -y -p @synapsor/runner@alpha synapsor mcp serve \
|
|
128
|
-
--config ./synapsor.runner.json \
|
|
129
|
-
--store ./.synapsor/local.db
|
|
130
|
-
```
|
|
131
|
-
|
|
132
|
-
The MCP server exposes only the configured semantic tools. It does not expose
|
|
133
|
-
raw SQL, approval tools, commit tools, database URLs, write credentials, or
|
|
134
|
-
model-controlled tenant authority.
|
|
135
|
-
|
|
136
|
-
## 7. Review Proposals
|
|
137
|
-
|
|
138
|
-
If a proposal is created:
|
|
139
|
-
|
|
140
|
-
```bash
|
|
141
|
-
npx -y -p @synapsor/runner@alpha synapsor proposals list --store ./.synapsor/local.db
|
|
142
|
-
npx -y -p @synapsor/runner@alpha synapsor proposals show <proposal_id> --store ./.synapsor/local.db
|
|
143
|
-
npx -y -p @synapsor/runner@alpha synapsor replay show <proposal_id> --store ./.synapsor/local.db
|
|
144
|
-
```
|
|
145
|
-
|
|
146
|
-
Open the UI:
|
|
147
|
-
|
|
148
|
-
```bash
|
|
149
|
-
npx -y -p @synapsor/runner@alpha synapsor ui --tour --config ./synapsor.runner.json --store ./.synapsor/local.db
|
|
150
|
-
```
|
|
151
|
-
|
|
152
|
-
## 8. Apply Only After Review
|
|
153
|
-
|
|
154
|
-
For direct SQL writeback, set a separate writer credential only when ready:
|
|
155
|
-
|
|
156
|
-
```bash
|
|
157
|
-
export SYNAPSOR_DATABASE_WRITE_URL="<postgres-or-mysql-writer-url>"
|
|
158
|
-
```
|
|
159
|
-
|
|
160
|
-
Then:
|
|
161
|
-
|
|
162
|
-
```bash
|
|
163
|
-
npx -y -p @synapsor/runner@alpha synapsor proposals approve <proposal_id> --store ./.synapsor/local.db --actor local_reviewer --yes
|
|
164
|
-
npx -y -p @synapsor/runner@alpha synapsor proposals writeback-job <proposal_id> --store ./.synapsor/local.db --output job.json
|
|
165
|
-
|
|
166
|
-
SYNAPSOR_ENGINE=postgres \
|
|
167
|
-
SYNAPSOR_DATABASE_URL="$SYNAPSOR_DATABASE_WRITE_URL" \
|
|
168
|
-
npx -y -p @synapsor/runner@alpha synapsor apply --job job.json --config synapsor.runner.json --store ./.synapsor/local.db
|
|
169
|
-
```
|
|
170
|
-
|
|
171
|
-
If your application should own the business write, configure an `http_handler`
|
|
172
|
-
or `command_handler` executor instead of direct SQL writeback. See
|
|
173
|
-
[writeback-executors.md](writeback-executors.md).
|
|
174
|
-
|
|
175
|
-
## Safety Rules
|
|
176
|
-
|
|
177
|
-
- Never infer write authority silently.
|
|
178
|
-
- Every allowed write column must be explicitly reviewed.
|
|
179
|
-
- Every patch mapping must be explicitly reviewed.
|
|
180
|
-
- If no tenant column exists, use a safe view or explicitly acknowledge
|
|
181
|
-
single-tenant dev mode.
|
|
182
|
-
- If no conflict column exists, stay in `read_only` or `shadow` unless you
|
|
183
|
-
intentionally accept a weak guard for local testing.
|
|
184
|
-
- Never write during onboarding.
|
|
185
|
-
- Never put secrets in generated config.
|
|
@@ -1,39 +0,0 @@
|
|
|
1
|
-
# Production Readiness
|
|
2
|
-
|
|
3
|
-
Synapsor Runner is a local, open-source MCP data-plane/runtime for reviewed
|
|
4
|
-
Postgres/MySQL business actions. It is not Synapsor Cloud and it is not the
|
|
5
|
-
Synapsor C++ DBMS.
|
|
6
|
-
|
|
7
|
-
Use a staging or disposable database first.
|
|
8
|
-
|
|
9
|
-
Allowed current claims:
|
|
10
|
-
|
|
11
|
-
- semantic MCP tools instead of raw SQL;
|
|
12
|
-
- source database remains unchanged during proposal creation;
|
|
13
|
-
- separate read and write credentials;
|
|
14
|
-
- exact row diff;
|
|
15
|
-
- local approval outside MCP;
|
|
16
|
-
- tenant, column, version, affected-row, and idempotency checks;
|
|
17
|
-
- approved app/API handler writeback with handler secrets kept in environment
|
|
18
|
-
variables;
|
|
19
|
-
- shadow-mode comparison between agent proposals and human actions;
|
|
20
|
-
- stale-row conflict detection in included fixtures;
|
|
21
|
-
- local replay for proposal/evidence/approval/writeback receipts.
|
|
22
|
-
|
|
23
|
-
Do not claim from this repository alone:
|
|
24
|
-
|
|
25
|
-
- high availability;
|
|
26
|
-
- compliance certification;
|
|
27
|
-
- mission-critical SLA;
|
|
28
|
-
- exactly-once across networks;
|
|
29
|
-
- general MCP security;
|
|
30
|
-
- prompt-injection immunity;
|
|
31
|
-
- physical branches for Postgres/MySQL;
|
|
32
|
-
- arbitrary business invariants are automatically understood.
|
|
33
|
-
|
|
34
|
-
Synapsor Cloud is the production/team control plane for shared approvals, RBAC,
|
|
35
|
-
hosted evidence/replay search, runner fleet status, leases, retention, audit
|
|
36
|
-
visibility, and support.
|
|
37
|
-
|
|
38
|
-
Before a public production-data claim, complete the release checklist, counsel
|
|
39
|
-
review, security review, and operational validation.
|
package/docs/protocol.md
DELETED
|
@@ -1,90 +0,0 @@
|
|
|
1
|
-
# Protocol
|
|
2
|
-
|
|
3
|
-
The public protocol has four versioned identifiers:
|
|
4
|
-
|
|
5
|
-
```text
|
|
6
|
-
synapsor.change-set.v1
|
|
7
|
-
synapsor.writeback-job.v1
|
|
8
|
-
synapsor.execution-receipt.v1
|
|
9
|
-
synapsor.runner-registration.v1
|
|
10
|
-
```
|
|
11
|
-
|
|
12
|
-
The schemas live in `schemas/`. Golden fixtures live in `fixtures/protocol/` and are copied into the main Synapsor repository so Cloud/C++/SDK work can validate the same contract.
|
|
13
|
-
|
|
14
|
-
`fixtures/protocol/MANIFEST.json` is the shared checksum note for the public protocol set. The same logical manifest is copied to the main Synapsor repository as `protocol/MANIFEST.json`. Tests in both repositories verify the SHA-256 digest for every schema and fixture.
|
|
15
|
-
|
|
16
|
-
The current alpha write path supports one operation:
|
|
17
|
-
|
|
18
|
-
```text
|
|
19
|
-
single_row_update
|
|
20
|
-
```
|
|
21
|
-
|
|
22
|
-
It does not support arbitrary SQL, DDL, INSERT, DELETE, UPSERT, stored procedures, dynamic table/column names from model input, or multi-row writes.
|
|
23
|
-
Schema, table, primary-key, tenant, conflict-guard, allowed-column, and patch
|
|
24
|
-
column identifiers must be fixed safe identifiers. Path-traversal strings and
|
|
25
|
-
SQL-fragment-like identifiers are rejected by protocol validation before the
|
|
26
|
-
Postgres/MySQL adapter can run.
|
|
27
|
-
|
|
28
|
-
## Change set
|
|
29
|
-
|
|
30
|
-
`synapsor.change-set.v1` describes the proposal created after a semantic capability reads the current row and derives an exact diff. It includes:
|
|
31
|
-
|
|
32
|
-
- proposal id and version;
|
|
33
|
-
- action name;
|
|
34
|
-
- trusted principal provenance;
|
|
35
|
-
- tenant/business-object scope;
|
|
36
|
-
- source table and primary key;
|
|
37
|
-
- before/patch/after maps;
|
|
38
|
-
- allowed columns;
|
|
39
|
-
- expected version guard;
|
|
40
|
-
- evidence bundle/query fingerprint;
|
|
41
|
-
- approval state;
|
|
42
|
-
- writeback state;
|
|
43
|
-
- `source_database_mutated: false`;
|
|
44
|
-
- proposal hash.
|
|
45
|
-
|
|
46
|
-
## Writeback job
|
|
47
|
-
|
|
48
|
-
`synapsor.writeback-job.v1` is the only object a runner may use to mutate the external database. Required fields include:
|
|
49
|
-
|
|
50
|
-
- `writeback_job_id`;
|
|
51
|
-
- `proposal_id`;
|
|
52
|
-
- `proposal_version`;
|
|
53
|
-
- `proposal_hash`;
|
|
54
|
-
- `runner_scope.project_id`;
|
|
55
|
-
- `runner_scope.source_id`;
|
|
56
|
-
- `engine`;
|
|
57
|
-
- `operation: single_row_update`;
|
|
58
|
-
- `target.schema`;
|
|
59
|
-
- `target.table`;
|
|
60
|
-
- `target.primary_key`;
|
|
61
|
-
- `tenant_guard`;
|
|
62
|
-
- `allowed_columns`;
|
|
63
|
-
- `patch`;
|
|
64
|
-
- `conflict_guard`;
|
|
65
|
-
- `idempotency_key`;
|
|
66
|
-
- `lease`.
|
|
67
|
-
|
|
68
|
-
The protocol package normalizes this public shape into the existing internal `protocol_version: "1.0"` worker shape so current Postgres/MySQL adapters remain stable while the public contract evolves.
|
|
69
|
-
|
|
70
|
-
## Execution receipt
|
|
71
|
-
|
|
72
|
-
`synapsor.execution-receipt.v1` records the terminal result:
|
|
73
|
-
|
|
74
|
-
```text
|
|
75
|
-
applied
|
|
76
|
-
conflict
|
|
77
|
-
failed
|
|
78
|
-
canceled
|
|
79
|
-
already_applied
|
|
80
|
-
```
|
|
81
|
-
|
|
82
|
-
Receipts include the writeback job id, proposal id, runner id, rows affected, idempotency key, version fields when available, source mutation state, safe error code, execution timestamp, and receipt hash.
|
|
83
|
-
|
|
84
|
-
## Runner registration
|
|
85
|
-
|
|
86
|
-
`synapsor.runner-registration.v1` describes a runner's id, version, supported engines, capabilities, project/source scope, and registration timestamp.
|
|
87
|
-
|
|
88
|
-
## Compatibility
|
|
89
|
-
|
|
90
|
-
Existing Cloud endpoints may still return the legacy `protocol_version: "1.0"` job/result envelope during migration. The runner validates both formats. New public examples and MCP work should use the `synapsor.*.v1` schema ids.
|
package/docs/roadmap.md
DELETED
|
@@ -1,13 +0,0 @@
|
|
|
1
|
-
# Roadmap
|
|
2
|
-
|
|
3
|
-
Future packages can live in this same monorepo:
|
|
4
|
-
|
|
5
|
-
- MCP adapter
|
|
6
|
-
- LangGraph adapter
|
|
7
|
-
- OpenAI Agents SDK adapter
|
|
8
|
-
- CrewAI adapter
|
|
9
|
-
- ORM helpers for Prisma, Drizzle, Django, Rails, and SQLAlchemy
|
|
10
|
-
- Local read runner when product requirements and security review are complete
|
|
11
|
-
|
|
12
|
-
Do not add package stubs until the implementation is ready.
|
|
13
|
-
|
|
@@ -1,88 +0,0 @@
|
|
|
1
|
-
# Schema Inspection
|
|
2
|
-
|
|
3
|
-
`synapsor inspect` reads database metadata so you can choose a
|
|
4
|
-
narrow reviewed capability without writing an entire runner config by hand.
|
|
5
|
-
|
|
6
|
-
Use the public `synapsor ...` runner CLI. From a source checkout, use
|
|
7
|
-
`./bin/synapsor ...` if the global binary is not linked yet.
|
|
8
|
-
|
|
9
|
-
```bash
|
|
10
|
-
npx -y -p @synapsor/runner@alpha synapsor inspect \
|
|
11
|
-
--engine auto \
|
|
12
|
-
--from-env SYNAPSOR_DATABASE_READ_URL \
|
|
13
|
-
--schema public
|
|
14
|
-
```
|
|
15
|
-
|
|
16
|
-
JSON output:
|
|
17
|
-
|
|
18
|
-
```bash
|
|
19
|
-
npx -y -p @synapsor/runner@alpha synapsor inspect \
|
|
20
|
-
--engine mysql \
|
|
21
|
-
--from-env SYNAPSOR_DATABASE_READ_URL \
|
|
22
|
-
--schema app \
|
|
23
|
-
--json
|
|
24
|
-
```
|
|
25
|
-
|
|
26
|
-
## What It Reads
|
|
27
|
-
|
|
28
|
-
The inspector collects metadata only:
|
|
29
|
-
|
|
30
|
-
- engine and server version;
|
|
31
|
-
- current database user;
|
|
32
|
-
- schemas/databases visible to the credential;
|
|
33
|
-
- tables and views;
|
|
34
|
-
- columns, types, nullability, defaults, and generated status;
|
|
35
|
-
- primary keys;
|
|
36
|
-
- unique constraints;
|
|
37
|
-
- foreign keys;
|
|
38
|
-
- index summaries;
|
|
39
|
-
- best-effort table writability from object type;
|
|
40
|
-
- suggested tenant columns;
|
|
41
|
-
- suggested conflict/version columns;
|
|
42
|
-
- suggested sensitive or large/binary fields.
|
|
43
|
-
|
|
44
|
-
It does not sample normal business rows by default.
|
|
45
|
-
|
|
46
|
-
## Suggestions Are Not Authority
|
|
47
|
-
|
|
48
|
-
Tenant, conflict, sensitive-field, and default-visible-column suggestions are
|
|
49
|
-
heuristics. You must review them before generating or serving a capability.
|
|
50
|
-
|
|
51
|
-
Suggested tenant column names include:
|
|
52
|
-
|
|
53
|
-
```text
|
|
54
|
-
tenant_id, account_id, organization_id, org_id, workspace_id, customer_id
|
|
55
|
-
```
|
|
56
|
-
|
|
57
|
-
Suggested conflict/version columns include:
|
|
58
|
-
|
|
59
|
-
```text
|
|
60
|
-
updated_at, modified_at, row_version, version, lock_version, etag
|
|
61
|
-
```
|
|
62
|
-
|
|
63
|
-
Likely sensitive fields include names containing:
|
|
64
|
-
|
|
65
|
-
```text
|
|
66
|
-
password, secret, token, api_key, private_key, session, cookie, ssn,
|
|
67
|
-
credit_card, card_number, cvv, refresh_token, oauth
|
|
68
|
-
```
|
|
69
|
-
|
|
70
|
-
Binary/blob/vector columns are excluded from generated default visible columns.
|
|
71
|
-
|
|
72
|
-
## Safety Behavior
|
|
73
|
-
|
|
74
|
-
- Use a read-only database credential.
|
|
75
|
-
- Pass the connection through an environment variable name, not a command-line
|
|
76
|
-
URL.
|
|
77
|
-
- Inspection opens read-only transactions where supported.
|
|
78
|
-
- Inspection applies statement timeouts.
|
|
79
|
-
- Inspection does not issue DDL or DML.
|
|
80
|
-
- Errors are sanitized to avoid printing connection strings.
|
|
81
|
-
|
|
82
|
-
## Next Step
|
|
83
|
-
|
|
84
|
-
Use the inspection result to create `onboarding-selection.json`, then run:
|
|
85
|
-
|
|
86
|
-
```bash
|
|
87
|
-
npx -y -p @synapsor/runner@alpha synapsor init --spec onboarding-selection.json --non-interactive
|
|
88
|
-
```
|
package/docs/shadow-mode.md
DELETED
|
@@ -1,67 +0,0 @@
|
|
|
1
|
-
# Shadow Mode
|
|
2
|
-
|
|
3
|
-
Shadow mode lets you evaluate autonomy before allowing writes.
|
|
4
|
-
|
|
5
|
-
The model can create proposals and evidence, but the source database is never
|
|
6
|
-
mutated. A human continues doing the real work in the application. You can then
|
|
7
|
-
record what the human actually did and compare it to the agent proposal.
|
|
8
|
-
|
|
9
|
-
Run a shadow config:
|
|
10
|
-
|
|
11
|
-
```json
|
|
12
|
-
{
|
|
13
|
-
"mode": "shadow"
|
|
14
|
-
}
|
|
15
|
-
```
|
|
16
|
-
|
|
17
|
-
List shadow proposals:
|
|
18
|
-
|
|
19
|
-
```bash
|
|
20
|
-
npx -y -p @synapsor/runner@alpha synapsor shadow list --store ./.synapsor/local.db
|
|
21
|
-
```
|
|
22
|
-
|
|
23
|
-
Record the human action:
|
|
24
|
-
|
|
25
|
-
```bash
|
|
26
|
-
cat > human-action.json <<'JSON'
|
|
27
|
-
{
|
|
28
|
-
"late_fee_cents": 0,
|
|
29
|
-
"waiver_reason": "customer requested review"
|
|
30
|
-
}
|
|
31
|
-
JSON
|
|
32
|
-
|
|
33
|
-
npx -y -p @synapsor/runner@alpha synapsor shadow record-human-action wrp_123 \
|
|
34
|
-
--store ./.synapsor/local.db \
|
|
35
|
-
--patch human-action.json \
|
|
36
|
-
--actor human_operator \
|
|
37
|
-
--notes "matched support lead decision"
|
|
38
|
-
```
|
|
39
|
-
|
|
40
|
-
Compare:
|
|
41
|
-
|
|
42
|
-
```bash
|
|
43
|
-
npx -y -p @synapsor/runner@alpha synapsor shadow compare wrp_123 --store ./.synapsor/local.db
|
|
44
|
-
```
|
|
45
|
-
|
|
46
|
-
Report:
|
|
47
|
-
|
|
48
|
-
```bash
|
|
49
|
-
npx -y -p @synapsor/runner@alpha synapsor shadow report --store ./.synapsor/local.db
|
|
50
|
-
```
|
|
51
|
-
|
|
52
|
-
The report counts:
|
|
53
|
-
|
|
54
|
-
- total shadow proposals;
|
|
55
|
-
- proposals with human actions;
|
|
56
|
-
- exact matches;
|
|
57
|
-
- partial matches;
|
|
58
|
-
- mismatches;
|
|
59
|
-
- proposals with no human action yet.
|
|
60
|
-
|
|
61
|
-
Use this path to move gradually:
|
|
62
|
-
|
|
63
|
-
```text
|
|
64
|
-
read-only -> shadow proposals -> human-reviewed commits -> policy-approved commits later
|
|
65
|
-
```
|
|
66
|
-
|
|
67
|
-
This goal does not add policy auto-approval.
|
package/docs/telemetry.md
DELETED
|
@@ -1,28 +0,0 @@
|
|
|
1
|
-
# Telemetry
|
|
2
|
-
|
|
3
|
-
Local mode does not send telemetry to Synapsor Cloud.
|
|
4
|
-
|
|
5
|
-
By default, Synapsor Runner local commands do not upload:
|
|
6
|
-
|
|
7
|
-
- schema metadata;
|
|
8
|
-
- table names;
|
|
9
|
-
- database rows;
|
|
10
|
-
- prompts;
|
|
11
|
-
- proposal contents;
|
|
12
|
-
- credentials or database URLs;
|
|
13
|
-
- usage data.
|
|
14
|
-
|
|
15
|
-
Cloud communication occurs only after an explicit Cloud action, such as
|
|
16
|
-
`synapsor cloud connect`, or when a config uses `mode: "cloud"`.
|
|
17
|
-
|
|
18
|
-
The local MCP server keeps database credentials in the local environment. MCP
|
|
19
|
-
client snippets reference the local command and store path; they must not
|
|
20
|
-
include database URLs or passwords.
|
|
21
|
-
|
|
22
|
-
Cloud mode may exchange documented control-plane metadata for runner
|
|
23
|
-
registration, heartbeats, tool catalogs, proposal/job leases, result reporting,
|
|
24
|
-
and replay/audit workflows. Cloud mode must remain testable and must not upload
|
|
25
|
-
database credentials.
|
|
26
|
-
|
|
27
|
-
If a future feature adds opt-in telemetry, it must be documented, disabled by
|
|
28
|
-
default for local mode, and must not include secrets or row payloads.
|
package/docs/threat-model.md
DELETED
|
@@ -1,25 +0,0 @@
|
|
|
1
|
-
# Threat Model
|
|
2
|
-
|
|
3
|
-
## Boundary
|
|
4
|
-
|
|
5
|
-
Synapsor Runner is the local trusted writeback boundary. The write credential stays in the customer environment. Synapsor Cloud sends approved structured jobs, not database URLs, passwords, raw SQL, prompts, or model confidence.
|
|
6
|
-
|
|
7
|
-
## Threats covered
|
|
8
|
-
|
|
9
|
-
- Compromised or prompt-injected model: runner ignores prompts and accepts only structured approved jobs.
|
|
10
|
-
- Malicious model arguments: target, tenant, allowed columns, conflict guard, and idempotency key come from Synapsor proposal state.
|
|
11
|
-
- Over-broad proposal target: runner requires primary key and tenant guard.
|
|
12
|
-
- Compromised runner token: token is scoped to one source and limited to configured runner permissions such as adapter read/invoke, runner heartbeat, job claim, and result reporting; it does not grant approval or arbitrary SQL authority.
|
|
13
|
-
- Replayed job: receipt table makes applied retries idempotent.
|
|
14
|
-
- Concurrent runners: receipt row and target row are locked inside a transaction.
|
|
15
|
-
- Stale row/version conflict: version-column mismatch returns `conflict`.
|
|
16
|
-
- Tenant mismatch: missing target row under tenant guard returns conflict and does not write.
|
|
17
|
-
- Multi-row impact: affected rows must equal one.
|
|
18
|
-
- Database outage mid-transaction: transaction rolls back and reports failed.
|
|
19
|
-
- Control-plane outage after commit: receipt table allows safe idempotent result retry.
|
|
20
|
-
- Log leakage: default logs redact tokens and database URLs.
|
|
21
|
-
- Dependency compromise: CI, lockfile review, and dependency audit are release gates.
|
|
22
|
-
|
|
23
|
-
## Limitations
|
|
24
|
-
|
|
25
|
-
The current alpha does not support arbitrary SQL, inserts, deletes, DDL, stored procedures, multi-row updates, cross-database transactions, automatic schema changes, or a self-hosted Synapsor control plane.
|
package/docs/trusted-context.md
DELETED
|
@@ -1,70 +0,0 @@
|
|
|
1
|
-
# Trusted Context
|
|
2
|
-
|
|
3
|
-
Trusted context is the data Synapsor Runner uses as authority but does not allow
|
|
4
|
-
the model to choose freely.
|
|
5
|
-
|
|
6
|
-
Examples:
|
|
7
|
-
|
|
8
|
-
- tenant ID;
|
|
9
|
-
- principal/user ID;
|
|
10
|
-
- role;
|
|
11
|
-
- environment or workspace scope.
|
|
12
|
-
|
|
13
|
-
In local mode, the supported provider is environment binding:
|
|
14
|
-
|
|
15
|
-
```json
|
|
16
|
-
{
|
|
17
|
-
"trusted_context": {
|
|
18
|
-
"provider": "environment",
|
|
19
|
-
"values": {
|
|
20
|
-
"tenant_id_env": "SYNAPSOR_TENANT_ID",
|
|
21
|
-
"principal_env": "SYNAPSOR_PRINCIPAL"
|
|
22
|
-
}
|
|
23
|
-
}
|
|
24
|
-
}
|
|
25
|
-
```
|
|
26
|
-
|
|
27
|
-
For larger configs, use named contexts so each capability says which trusted
|
|
28
|
-
binding it uses:
|
|
29
|
-
|
|
30
|
-
```json
|
|
31
|
-
{
|
|
32
|
-
"contexts": {
|
|
33
|
-
"local_support_operator": {
|
|
34
|
-
"provider": "environment",
|
|
35
|
-
"values": {
|
|
36
|
-
"tenant_id_env": "SYNAPSOR_TENANT_ID",
|
|
37
|
-
"principal_env": "SYNAPSOR_PRINCIPAL"
|
|
38
|
-
}
|
|
39
|
-
}
|
|
40
|
-
},
|
|
41
|
-
"capabilities": [
|
|
42
|
-
{
|
|
43
|
-
"name": "support.inspect_ticket",
|
|
44
|
-
"context": "local_support_operator"
|
|
45
|
-
}
|
|
46
|
-
]
|
|
47
|
-
}
|
|
48
|
-
```
|
|
49
|
-
|
|
50
|
-
Backward compatibility: `trusted_context` still works as the global fallback.
|
|
51
|
-
If a capability names `context`, that named context is used for that capability.
|
|
52
|
-
If a capability does not name `context`, the global `trusted_context` is used.
|
|
53
|
-
Config validation fails when a capability references a missing named context.
|
|
54
|
-
|
|
55
|
-
At runtime:
|
|
56
|
-
|
|
57
|
-
```bash
|
|
58
|
-
export SYNAPSOR_TENANT_ID="acme"
|
|
59
|
-
export SYNAPSOR_PRINCIPAL="local_operator"
|
|
60
|
-
```
|
|
61
|
-
|
|
62
|
-
The model may pass business identifiers such as `invoice_id` or `ticket_id`.
|
|
63
|
-
Those identifiers are validated inside the trusted tenant scope.
|
|
64
|
-
|
|
65
|
-
The model must not pass `tenant_id`, principal, role, or authorization scope as
|
|
66
|
-
ordinary authority arguments. If a tool schema appears to require those fields
|
|
67
|
-
from the model, treat it as a bug.
|
|
68
|
-
|
|
69
|
-
Cloud mode may bind trusted context from Cloud runner/session context, but
|
|
70
|
-
database credentials still stay local.
|