@synapsor/runner 0.1.0-alpha.4 → 0.1.0-alpha.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (43) hide show
  1. package/README.md +211 -43
  2. package/dist/cli.d.ts.map +1 -1
  3. package/dist/runner.mjs +912 -90
  4. package/docs/README.md +32 -54
  5. package/docs/getting-started-own-database.md +68 -36
  6. package/docs/http-mcp.md +200 -0
  7. package/docs/local-mode.md +71 -35
  8. package/docs/mcp-audit.md +11 -15
  9. package/docs/mcp-client-setup.md +48 -9
  10. package/docs/recipes.md +6 -6
  11. package/docs/security-boundary.md +1 -1
  12. package/docs/troubleshooting-first-run.md +6 -6
  13. package/docs/writeback-executors.md +1 -1
  14. package/examples/openai-agents-http/README.md +55 -0
  15. package/examples/openai-agents-http/agent.py +90 -0
  16. package/examples/openai-agents-http/requirements.txt +1 -0
  17. package/examples/openai-agents-stdio/README.md +62 -0
  18. package/examples/openai-agents-stdio/agent.py +70 -0
  19. package/examples/openai-agents-stdio/requirements.txt +1 -0
  20. package/examples/reference-support-billing-app/README.md +17 -17
  21. package/package.json +3 -2
  22. package/docs/MCP_RUNNER_IMPLEMENTATION_PLAN.md +0 -187
  23. package/docs/architecture.md +0 -65
  24. package/docs/capability-config.md +0 -180
  25. package/docs/cloud-mode.md +0 -140
  26. package/docs/config-migrations.md +0 -67
  27. package/docs/demo-transcript.md +0 -161
  28. package/docs/dependency-license-inventory.md +0 -35
  29. package/docs/first-10-minutes.md +0 -172
  30. package/docs/licensing.md +0 -38
  31. package/docs/local-ui.md +0 -163
  32. package/docs/mcp-efficiency-benchmark.md +0 -84
  33. package/docs/open-source-feature-inventory.md +0 -254
  34. package/docs/operations.md +0 -38
  35. package/docs/own-db-20-minutes.md +0 -185
  36. package/docs/production-readiness.md +0 -39
  37. package/docs/protocol.md +0 -90
  38. package/docs/roadmap.md +0 -13
  39. package/docs/schema-inspection.md +0 -88
  40. package/docs/shadow-mode.md +0 -67
  41. package/docs/telemetry.md +0 -28
  42. package/docs/threat-model.md +0 -25
  43. package/docs/trusted-context.md +0 -70
package/docs/README.md CHANGED
@@ -1,56 +1,34 @@
1
1
  # Synapsor Runner Docs
2
2
 
3
- Start with the practical paths, not the internals.
4
-
5
- ## Try The Local Trust Loop
6
-
7
- ```bash
8
- ./scripts/try-synapsor.sh
9
- ```
10
-
11
- This runs disposable Postgres/MySQL fixtures and proves the core loop:
12
-
13
- ```text
14
- MCP tool call
15
- -> trusted context
16
- -> scoped read
17
- -> evidence
18
- -> proposal diff
19
- -> approval outside MCP
20
- -> guarded commit or stale-row conflict
21
- -> receipt/replay
22
- ```
23
-
24
- Read: [First 10 Minutes](first-10-minutes.md).
25
-
26
- ## Use Your Own Staging Postgres/MySQL
27
-
28
- ```bash
29
- export DATABASE_URL="<postgres-or-mysql-read-url>"
30
- ./scripts/use-your-db.sh
31
- ```
32
-
33
- This inspects your schema, opens the guided setup, generates
34
- `synapsor.runner.json`, previews the semantic MCP tools, and prints the
35
- `mcp serve` and local UI commands.
36
-
37
- For disposable dev RDS databases with local CA issues:
38
-
39
- ```bash
40
- ./scripts/use-your-db.sh --allow-insecure-ssl
41
- ```
42
-
43
- Use certificate verification with the database CA bundle for real staging or
44
- production-like databases.
45
-
46
- Read: [Connect Your Own Database](getting-started-own-database.md).
47
-
48
- ## Important References
49
-
50
- - [Schema Inspection](schema-inspection.md)
51
- - [MCP Client Setup](mcp-client-setup.md)
52
- - [Capability Config](capability-config.md)
53
- - [Local UI](local-ui.md)
54
- - [Writeback Executors](writeback-executors.md)
55
- - [Security Boundary](security-boundary.md)
56
- - [Current Scope And Limitations](limitations.md)
3
+ Start with the README. Use these docs only when you need the next level of
4
+ detail.
5
+
6
+ ## First Setup
7
+
8
+ - [Connect Your Own Database](getting-started-own-database.md): inspect a
9
+ staging Postgres/MySQL database, generate `synapsor.runner.json`, preview
10
+ semantic tools, and serve them over MCP.
11
+ - [MCP Client Setup](mcp-client-setup.md): connect Claude, Cursor, VS Code, or
12
+ another stdio MCP client.
13
+ - [HTTP MCP](http-mcp.md): run Synapsor Runner as an authenticated HTTP MCP
14
+ service for app/server agents.
15
+
16
+ ## Safety And Operations
17
+
18
+ - [Security Boundary](security-boundary.md): what the model can and cannot see.
19
+ - [Current Limitations](limitations.md): current alpha scope.
20
+ - [Troubleshooting First Run](troubleshooting-first-run.md): common setup
21
+ failures and fixes.
22
+ - [Local Mode](local-mode.md): local store, proposals, approval, replay, and
23
+ writeback flow.
24
+
25
+ ## Features
26
+
27
+ - [MCP Audit](mcp-audit.md): static risk review for database MCP tools.
28
+ - [Recipes](recipes.md): starter business-capability templates.
29
+ - [Writeback Executors](writeback-executors.md): app-owned writeback handlers
30
+ for approved proposals.
31
+
32
+ The public docs intentionally stay small. Historical implementation reports,
33
+ release checklists, and internal planning notes are not part of the public
34
+ getting-started path.
@@ -7,6 +7,11 @@ Do not start with your most sensitive production database. The current alpha
7
7
  runner is a local commit-safety runtime for reviewed single-row business
8
8
  actions, not a production certification.
9
9
 
10
+ If you only ran `synapsor-runner demo --quick`, you have tested the fixture-only
11
+ teaching path and local ledger commands. This page is the real own-database
12
+ path: it inspects your Postgres/MySQL metadata and generates reviewed semantic
13
+ tools from your selections.
14
+
10
15
  ## Fast path
11
16
 
12
17
  Set one read-only database URL and run the wrapper from this repo:
@@ -33,7 +38,7 @@ It does not print your database URL, put the URL in MCP client config, expose
33
38
  credentials.
34
39
 
35
40
  The rest of this page shows the same flow step by step using the public
36
- `synapsor ...` CLI. From a source checkout, use `./bin/synapsor ...` if the
41
+ `synapsor-runner ...` CLI. From a source checkout, use `./bin/synapsor-runner ...` if the
37
42
  global binary is not linked yet.
38
43
 
39
44
  ## 1. Put the read URL in an environment variable
@@ -76,7 +81,7 @@ other trusted database TLS setup.
76
81
  ## 2. Inspect metadata
77
82
 
78
83
  ```bash
79
- npx -y -p @synapsor/runner@alpha synapsor inspect \
84
+ npx -y -p @synapsor/runner@alpha synapsor-runner inspect \
80
85
  --engine auto \
81
86
  --from-env DATABASE_URL \
82
87
  --schema public
@@ -85,13 +90,13 @@ npx -y -p @synapsor/runner@alpha synapsor inspect \
85
90
  For a disposable staging URL, this also works:
86
91
 
87
92
  ```bash
88
- npx -y -p @synapsor/runner@alpha synapsor inspect "$DATABASE_URL" --engine auto --schema public
93
+ npx -y -p @synapsor/runner@alpha synapsor-runner inspect "$DATABASE_URL" --engine auto --schema public
89
94
  ```
90
95
 
91
96
  For automation:
92
97
 
93
98
  ```bash
94
- npx -y -p @synapsor/runner@alpha synapsor inspect \
99
+ npx -y -p @synapsor/runner@alpha synapsor-runner inspect \
95
100
  --engine postgres \
96
101
  --from-env DATABASE_URL \
97
102
  --schema public \
@@ -108,9 +113,9 @@ to your staging table, primary key, tenant key, conflict column, visible fields,
108
113
  allowed write fields, and business limits.
109
114
 
110
115
  ```bash
111
- npx -y -p @synapsor/runner@alpha synapsor recipes list
112
- npx -y -p @synapsor/runner@alpha synapsor recipes show billing.late_fee_waiver
113
- npx -y -p @synapsor/runner@alpha synapsor recipes init billing.late_fee_waiver --output synapsor.runner.json
116
+ npx -y -p @synapsor/runner@alpha synapsor-runner recipes list
117
+ npx -y -p @synapsor/runner@alpha synapsor-runner recipes show billing.late_fee_waiver
118
+ npx -y -p @synapsor/runner@alpha synapsor-runner recipes init billing.late_fee_waiver --output synapsor.runner.json
114
119
  ```
115
120
 
116
121
  Use a recipe when the shape is close. Use the guided wizard or explicit flags
@@ -125,13 +130,20 @@ only the capabilities in your generated `synapsor.runner.json`.
125
130
  In an interactive terminal, run the guided wizard:
126
131
 
127
132
  ```bash
128
- npx -y -p @synapsor/runner@alpha synapsor init --from-env DATABASE_URL --mode read_only --wizard
133
+ npx -y -p @synapsor/runner@alpha synapsor-runner init --from-env DATABASE_URL --mode read_only --wizard
129
134
  ```
130
135
 
131
- The generated capabilities are based on your selections. Synapsor Runner does
132
- not force billing, support, order, or any other built-in domain. You choose the
133
- namespace, object name, lookup argument, visible fields, proposal fields, guards,
134
- and approval role.
136
+ The generated context and capabilities are based on your selections. Synapsor
137
+ Runner does not force billing, support, order, or any other built-in domain.
138
+ The local shape is:
139
+
140
+ ```text
141
+ trusted context -> capability -> MCP tool
142
+ ```
143
+
144
+ You choose the source object, trusted tenant/principal bindings, namespace,
145
+ object name, lookup argument, visible fields, proposal fields, guards, and
146
+ approval role.
135
147
 
136
148
  Start with `read_only` to prove safe database reads first. Use `--mode review`
137
149
  when you are ready to create proposal tools and guarded writeback setup.
@@ -141,9 +153,10 @@ The wizard:
141
153
  - asks for the engine and read URL environment-variable name;
142
154
  - tests read connectivity through schema inspection;
143
155
  - lists discovered schemas and tables/views;
144
- - asks you to confirm primary key, tenant/scope column, conflict/version
145
- column, visible columns, mode, semantic names, trusted context env vars, and
146
- proposal patch mappings;
156
+ - asks which source object backs the local context;
157
+ - asks which tenant/scope column and backend session env vars are trusted;
158
+ - asks you to confirm primary key, conflict/version column, visible columns,
159
+ mode, semantic capability names, and proposal patch mappings;
147
160
  - previews the MCP tools and what is not exposed;
148
161
  - writes the generated config, `.env.example`, and MCP client snippets only
149
162
  after final confirmation.
@@ -161,7 +174,7 @@ If you already know the reviewed table/action, generate config directly from
161
174
  metadata and explicit flags:
162
175
 
163
176
  ```bash
164
- npx -y -p @synapsor/runner@alpha synapsor init \
177
+ npx -y -p @synapsor/runner@alpha synapsor-runner init \
165
178
  --from-env DATABASE_URL \
166
179
  --engine postgres \
167
180
  --schema public \
@@ -180,7 +193,7 @@ npx -y -p @synapsor/runner@alpha synapsor init \
180
193
  Or generate from a saved inspection snapshot without reconnecting:
181
194
 
182
195
  ```bash
183
- npx -y -p @synapsor/runner@alpha synapsor init \
196
+ npx -y -p @synapsor/runner@alpha synapsor-runner init \
184
197
  --inspection-json schema-inspection.json \
185
198
  --table invoices \
186
199
  --namespace billing \
@@ -248,7 +261,7 @@ contain database URLs or passwords.
248
261
  ## 6. Generate runner files
249
262
 
250
263
  ```bash
251
- npx -y -p @synapsor/runner@alpha synapsor init \
264
+ npx -y -p @synapsor/runner@alpha synapsor-runner init \
252
265
  --spec onboarding-selection.json \
253
266
  --non-interactive
254
267
  ```
@@ -268,10 +281,10 @@ files.
268
281
  Generate or refresh MCP client snippets later with:
269
282
 
270
283
  ```bash
271
- npx -y -p @synapsor/runner@alpha synapsor mcp config generic --config ./synapsor.runner.json --store ./.synapsor/local.db
272
- npx -y -p @synapsor/runner@alpha synapsor mcp config claude-desktop --config ./synapsor.runner.json --store ./.synapsor/local.db
273
- npx -y -p @synapsor/runner@alpha synapsor mcp config cursor --config ./synapsor.runner.json --store ./.synapsor/local.db
274
- npx -y -p @synapsor/runner@alpha synapsor tools preview --config ./synapsor.runner.json --store ./.synapsor/local.db
284
+ npx -y -p @synapsor/runner@alpha synapsor-runner mcp config generic --config ./synapsor.runner.json --store ./.synapsor/local.db
285
+ npx -y -p @synapsor/runner@alpha synapsor-runner mcp config claude-desktop --config ./synapsor.runner.json --store ./.synapsor/local.db
286
+ npx -y -p @synapsor/runner@alpha synapsor-runner mcp config cursor --config ./synapsor.runner.json --store ./.synapsor/local.db
287
+ npx -y -p @synapsor/runner@alpha synapsor-runner tools preview --config ./synapsor.runner.json --store ./.synapsor/local.db
275
288
  ```
276
289
 
277
290
  The snippets contain the local command and args. They must not contain database
@@ -280,8 +293,8 @@ URLs, passwords, approval tools, commit tools, or write credentials.
280
293
  ## 7. Validate the config
281
294
 
282
295
  ```bash
283
- npx -y -p @synapsor/runner@alpha synapsor config validate --config synapsor.runner.json
284
- npx -y -p @synapsor/runner@alpha synapsor config show --config synapsor.runner.json --redacted
296
+ npx -y -p @synapsor/runner@alpha synapsor-runner config validate --config synapsor.runner.json
297
+ npx -y -p @synapsor/runner@alpha synapsor-runner config show --config synapsor.runner.json --redacted
285
298
  ```
286
299
 
287
300
  The config stores environment-variable names, not connection-string values.
@@ -289,7 +302,7 @@ The config stores environment-variable names, not connection-string values.
289
302
  Run doctor after setting the referenced environment variables:
290
303
 
291
304
  ```bash
292
- npx -y -p @synapsor/runner@alpha synapsor doctor --config synapsor.runner.json
305
+ npx -y -p @synapsor/runner@alpha synapsor-runner doctor --config synapsor.runner.json
293
306
  ```
294
307
 
295
308
  Doctor validates config shape, trusted context env vars, source env vars,
@@ -297,17 +310,36 @@ read/write credential separation, table/column metadata when the read URL is
297
310
  available, and the semantic MCP tool boundary. Use JSON for automation:
298
311
 
299
312
  ```bash
300
- npx -y -p @synapsor/runner@alpha synapsor doctor --config synapsor.runner.json --json
313
+ npx -y -p @synapsor/runner@alpha synapsor-runner doctor --config synapsor.runner.json --json
301
314
  ```
302
315
 
303
316
  ## 8. Serve semantic MCP tools
304
317
 
318
+ Use stdio when a local MCP client can launch Synapsor Runner:
319
+
320
+ ```bash
321
+ export SYNAPSOR_TENANT_ID="acme"
322
+ export SYNAPSOR_PRINCIPAL="local_operator"
323
+ npx -y -p @synapsor/runner@alpha synapsor-runner mcp serve --config ./synapsor.runner.json --store ./.synapsor/local.db
324
+ ```
325
+
326
+ Use HTTP when an app/server agent connects to a long-running Runner process:
327
+
305
328
  ```bash
306
329
  export SYNAPSOR_TENANT_ID="acme"
307
330
  export SYNAPSOR_PRINCIPAL="local_operator"
308
- npx -y -p @synapsor/runner@alpha synapsor mcp serve --config ./synapsor.runner.json --store ./.synapsor/local.db
331
+ export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
332
+
333
+ npx -y -p @synapsor/runner@alpha synapsor-runner mcp serve-http \
334
+ --config ./synapsor.runner.json \
335
+ --store ./.synapsor/local.db \
336
+ --auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
309
337
  ```
310
338
 
339
+ HTTP defaults to `127.0.0.1:8765` and requires bearer auth by default. Use
340
+ private networking/TLS before exposing it beyond localhost. See
341
+ [HTTP MCP](http-mcp.md).
342
+
311
343
  The model-facing MCP server exposes semantic tools such as:
312
344
 
313
345
  ```text
@@ -325,10 +357,10 @@ tools, commit tools, database URLs, write credentials, or tenant authority.
325
357
  Proposal tools leave the source database unchanged. Review locally:
326
358
 
327
359
  ```bash
328
- npx -y -p @synapsor/runner@alpha synapsor proposals list --store ./.synapsor/local.db
329
- npx -y -p @synapsor/runner@alpha synapsor proposals show wrp_123 --store ./.synapsor/local.db
330
- npx -y -p @synapsor/runner@alpha synapsor proposals approve wrp_123 --store ./.synapsor/local.db --actor local_reviewer --yes
331
- npx -y -p @synapsor/runner@alpha synapsor proposals writeback-job wrp_123 --store ./.synapsor/local.db --output job.json
360
+ npx -y -p @synapsor/runner@alpha synapsor-runner proposals list --store ./.synapsor/local.db
361
+ npx -y -p @synapsor/runner@alpha synapsor-runner proposals show wrp_123 --store ./.synapsor/local.db
362
+ npx -y -p @synapsor/runner@alpha synapsor-runner proposals approve wrp_123 --store ./.synapsor/local.db --actor local_reviewer --yes
363
+ npx -y -p @synapsor/runner@alpha synapsor-runner proposals writeback-job wrp_123 --store ./.synapsor/local.db --output job.json
332
364
  ```
333
365
 
334
366
  Apply through the trusted worker path with a separate writer credential:
@@ -337,7 +369,7 @@ Apply through the trusted worker path with a separate writer credential:
337
369
  export SYNAPSOR_DATABASE_WRITE_URL="<postgres-or-mysql-write-url>"
338
370
  SYNAPSOR_ENGINE=postgres \
339
371
  SYNAPSOR_DATABASE_URL="$SYNAPSOR_DATABASE_WRITE_URL" \
340
- npx -y -p @synapsor/runner@alpha synapsor apply --job job.json --config synapsor.runner.json --store ./.synapsor/local.db
372
+ npx -y -p @synapsor/runner@alpha synapsor-runner apply --job job.json --config synapsor.runner.json --store ./.synapsor/local.db
341
373
  ```
342
374
 
343
375
  If your application/API should own the business write, use an `http_handler`
@@ -346,16 +378,16 @@ from environment variables, and the handler receives a structured proposal/job
346
378
  payload, not arbitrary model SQL:
347
379
 
348
380
  ```bash
349
- npx -y -p @synapsor/runner@alpha synapsor apply --proposal wrp_123 --config synapsor.runner.json --store ./.synapsor/local.db
381
+ npx -y -p @synapsor/runner@alpha synapsor-runner apply --proposal wrp_123 --config synapsor.runner.json --store ./.synapsor/local.db
350
382
  ```
351
383
 
352
- See `docs/writeback-executors.md`.
384
+ See [Writeback Executors](writeback-executors.md).
353
385
 
354
386
  Replay afterward:
355
387
 
356
388
  ```bash
357
- npx -y -p @synapsor/runner@alpha synapsor replay show wrp_123 --store ./.synapsor/local.db
358
- npx -y -p @synapsor/runner@alpha synapsor replay export wrp_123 --store ./.synapsor/local.db --output replay.json
389
+ npx -y -p @synapsor/runner@alpha synapsor-runner replay show wrp_123 --store ./.synapsor/local.db
390
+ npx -y -p @synapsor/runner@alpha synapsor-runner replay export wrp_123 --store ./.synapsor/local.db --output replay.json
359
391
  ```
360
392
 
361
393
  ## Boundary
@@ -0,0 +1,200 @@
1
+ # HTTP MCP
2
+
3
+ Use HTTP MCP when an app, server-side agent, container, or Python/Node process
4
+ needs to connect to a long-running Synapsor Runner service.
5
+
6
+ Use stdio MCP when a local MCP client such as Claude Desktop, Cursor, or a
7
+ local agent tool can launch Synapsor Runner directly.
8
+
9
+ ## Start The HTTP Server
10
+
11
+ ```bash
12
+ export SYNAPSOR_RUNNER_HTTP_TOKEN="dev-local-token"
13
+
14
+ synapsor-runner mcp serve-http \
15
+ --host 127.0.0.1 \
16
+ --port 8765 \
17
+ --config ./synapsor.runner.json \
18
+ --store ./.synapsor/local.db \
19
+ --auth-token-env SYNAPSOR_RUNNER_HTTP_TOKEN
20
+ ```
21
+
22
+ Defaults:
23
+
24
+ ```text
25
+ host: 127.0.0.1
26
+ port: 8765
27
+ auth: bearer token required
28
+ cors: disabled
29
+ ```
30
+
31
+ Startup output prints the URL, config path, store path, and token environment
32
+ variable name. It does not print token values or database URLs.
33
+
34
+ ## Health Check
35
+
36
+ ```bash
37
+ curl -i http://127.0.0.1:8765/healthz
38
+ ```
39
+
40
+ The health endpoint is secret-free:
41
+
42
+ ```json
43
+ {
44
+ "ok": true,
45
+ "transport": "http",
46
+ "tools": 1,
47
+ "mode": "read_only"
48
+ }
49
+ ```
50
+
51
+ ## List Tools
52
+
53
+ Unauthorized requests fail:
54
+
55
+ ```bash
56
+ curl -i \
57
+ -H "Content-Type: application/json" \
58
+ -d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' \
59
+ http://127.0.0.1:8765/mcp
60
+ ```
61
+
62
+ Authorized requests include the bearer token:
63
+
64
+ ```bash
65
+ curl -i \
66
+ -H "Authorization: Bearer dev-local-token" \
67
+ -H "Content-Type: application/json" \
68
+ -d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' \
69
+ http://127.0.0.1:8765/mcp
70
+ ```
71
+
72
+ The tool catalog should contain semantic tools such as:
73
+
74
+ ```text
75
+ billing.inspect_invoice
76
+ billing.propose_late_fee_waiver
77
+ ```
78
+
79
+ It should not contain:
80
+
81
+ ```text
82
+ execute_sql
83
+ raw_sql
84
+ approval tools
85
+ commit/apply tools
86
+ database URLs
87
+ write credentials
88
+ model-controlled tenant authority
89
+ arbitrary table or column names
90
+ ```
91
+
92
+ ## Call A Tool
93
+
94
+ ```bash
95
+ curl -i \
96
+ -H "Authorization: Bearer dev-local-token" \
97
+ -H "Content-Type: application/json" \
98
+ -d '{
99
+ "jsonrpc": "2.0",
100
+ "id": 2,
101
+ "method": "tools/call",
102
+ "params": {
103
+ "name": "billing.inspect_invoice",
104
+ "arguments": { "invoice_id": "INV-3001" }
105
+ }
106
+ }' \
107
+ http://127.0.0.1:8765/mcp
108
+ ```
109
+
110
+ The response includes scoped data, trusted context, evidence handles, and
111
+ `source_database_mutated: false`. The agent still does not receive SQL,
112
+ database credentials, or approval/commit authority.
113
+
114
+ ## Read Evidence Or Replay Resources
115
+
116
+ Use `resources/read` with a `synapsor://...` handle returned by a tool call:
117
+
118
+ ```bash
119
+ curl -i \
120
+ -H "Authorization: Bearer dev-local-token" \
121
+ -H "Content-Type: application/json" \
122
+ -d '{
123
+ "jsonrpc": "2.0",
124
+ "id": 3,
125
+ "method": "resources/read",
126
+ "params": { "uri": "synapsor://evidence/ev_..." }
127
+ }' \
128
+ http://127.0.0.1:8765/mcp
129
+ ```
130
+
131
+ ## CORS
132
+
133
+ CORS is disabled by default. If a local browser app needs access during
134
+ development, allow one explicit origin:
135
+
136
+ ```bash
137
+ synapsor-runner mcp serve-http \
138
+ --config ./synapsor.runner.json \
139
+ --store ./.synapsor/local.db \
140
+ --cors-origin http://localhost:3000
141
+ ```
142
+
143
+ Do not use wildcard CORS for a model-facing database tool service.
144
+
145
+ ## Network Exposure
146
+
147
+ Synapsor Runner binds to `127.0.0.1` by default.
148
+
149
+ If you explicitly bind to all interfaces:
150
+
151
+ ```bash
152
+ synapsor-runner mcp serve-http --host 0.0.0.0
153
+ ```
154
+
155
+ the CLI prints a warning. Treat this as a production-like service:
156
+
157
+ - keep bearer auth enabled;
158
+ - use TLS or a trusted reverse proxy;
159
+ - prefer private networking;
160
+ - add rate limits and request-size limits at the edge;
161
+ - do not log request bodies by default;
162
+ - rotate the bearer token if it is exposed.
163
+
164
+ `--dev-no-auth` is accepted only on `localhost` or `127.0.0.1`. It fails closed
165
+ with `--host 0.0.0.0`.
166
+
167
+ ## Trusted Context
168
+
169
+ Tenant and principal values must come from trusted configuration such as
170
+ environment variables or a server-side session. HTTP request arguments cannot
171
+ override trusted fields such as:
172
+
173
+ ```text
174
+ tenant_id
175
+ principal
176
+ principal_id
177
+ project_id
178
+ source_id
179
+ allowed_columns
180
+ approval_identity
181
+ ```
182
+
183
+ Use `read_only` mode first. Proposal/review mode should use a separate trusted
184
+ write path and a separate write credential. The model-facing HTTP MCP endpoint
185
+ must not receive write credentials.
186
+
187
+ ## OpenAI Agents SDK
188
+
189
+ See:
190
+
191
+ ```text
192
+ examples/openai-agents-http/
193
+ examples/openai-agents-stdio/
194
+ ```
195
+
196
+ The stdio example uses the MCP client integration from the OpenAI Agents SDK
197
+ when available. The HTTP example uses a minimal JSON-RPC client wrapped as an
198
+ OpenAI function tool because native HTTP MCP client support can vary by SDK
199
+ version. The boundary is the same: the agent calls a semantic Synapsor tool,
200
+ not raw SQL.