@synapsor/runner 0.1.0-alpha.4 → 0.1.0-alpha.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +211 -43
- package/dist/cli.d.ts.map +1 -1
- package/dist/runner.mjs +912 -90
- package/docs/README.md +32 -54
- package/docs/getting-started-own-database.md +68 -36
- package/docs/http-mcp.md +200 -0
- package/docs/local-mode.md +71 -35
- package/docs/mcp-audit.md +11 -15
- package/docs/mcp-client-setup.md +48 -9
- package/docs/recipes.md +6 -6
- package/docs/security-boundary.md +1 -1
- package/docs/troubleshooting-first-run.md +6 -6
- package/docs/writeback-executors.md +1 -1
- package/examples/openai-agents-http/README.md +55 -0
- package/examples/openai-agents-http/agent.py +90 -0
- package/examples/openai-agents-http/requirements.txt +1 -0
- package/examples/openai-agents-stdio/README.md +62 -0
- package/examples/openai-agents-stdio/agent.py +70 -0
- package/examples/openai-agents-stdio/requirements.txt +1 -0
- package/examples/reference-support-billing-app/README.md +17 -17
- package/package.json +3 -2
- package/docs/MCP_RUNNER_IMPLEMENTATION_PLAN.md +0 -187
- package/docs/architecture.md +0 -65
- package/docs/capability-config.md +0 -180
- package/docs/cloud-mode.md +0 -140
- package/docs/config-migrations.md +0 -67
- package/docs/demo-transcript.md +0 -161
- package/docs/dependency-license-inventory.md +0 -35
- package/docs/first-10-minutes.md +0 -172
- package/docs/licensing.md +0 -38
- package/docs/local-ui.md +0 -163
- package/docs/mcp-efficiency-benchmark.md +0 -84
- package/docs/open-source-feature-inventory.md +0 -254
- package/docs/operations.md +0 -38
- package/docs/own-db-20-minutes.md +0 -185
- package/docs/production-readiness.md +0 -39
- package/docs/protocol.md +0 -90
- package/docs/roadmap.md +0 -13
- package/docs/schema-inspection.md +0 -88
- package/docs/shadow-mode.md +0 -67
- package/docs/telemetry.md +0 -28
- package/docs/threat-model.md +0 -25
- package/docs/trusted-context.md +0 -70
|
@@ -1,88 +0,0 @@
|
|
|
1
|
-
# Schema Inspection
|
|
2
|
-
|
|
3
|
-
`synapsor inspect` reads database metadata so you can choose a
|
|
4
|
-
narrow reviewed capability without writing an entire runner config by hand.
|
|
5
|
-
|
|
6
|
-
Use the public `synapsor ...` runner CLI. From a source checkout, use
|
|
7
|
-
`./bin/synapsor ...` if the global binary is not linked yet.
|
|
8
|
-
|
|
9
|
-
```bash
|
|
10
|
-
npx -y -p @synapsor/runner@alpha synapsor inspect \
|
|
11
|
-
--engine auto \
|
|
12
|
-
--from-env SYNAPSOR_DATABASE_READ_URL \
|
|
13
|
-
--schema public
|
|
14
|
-
```
|
|
15
|
-
|
|
16
|
-
JSON output:
|
|
17
|
-
|
|
18
|
-
```bash
|
|
19
|
-
npx -y -p @synapsor/runner@alpha synapsor inspect \
|
|
20
|
-
--engine mysql \
|
|
21
|
-
--from-env SYNAPSOR_DATABASE_READ_URL \
|
|
22
|
-
--schema app \
|
|
23
|
-
--json
|
|
24
|
-
```
|
|
25
|
-
|
|
26
|
-
## What It Reads
|
|
27
|
-
|
|
28
|
-
The inspector collects metadata only:
|
|
29
|
-
|
|
30
|
-
- engine and server version;
|
|
31
|
-
- current database user;
|
|
32
|
-
- schemas/databases visible to the credential;
|
|
33
|
-
- tables and views;
|
|
34
|
-
- columns, types, nullability, defaults, and generated status;
|
|
35
|
-
- primary keys;
|
|
36
|
-
- unique constraints;
|
|
37
|
-
- foreign keys;
|
|
38
|
-
- index summaries;
|
|
39
|
-
- best-effort table writability from object type;
|
|
40
|
-
- suggested tenant columns;
|
|
41
|
-
- suggested conflict/version columns;
|
|
42
|
-
- suggested sensitive or large/binary fields.
|
|
43
|
-
|
|
44
|
-
It does not sample normal business rows by default.
|
|
45
|
-
|
|
46
|
-
## Suggestions Are Not Authority
|
|
47
|
-
|
|
48
|
-
Tenant, conflict, sensitive-field, and default-visible-column suggestions are
|
|
49
|
-
heuristics. You must review them before generating or serving a capability.
|
|
50
|
-
|
|
51
|
-
Suggested tenant column names include:
|
|
52
|
-
|
|
53
|
-
```text
|
|
54
|
-
tenant_id, account_id, organization_id, org_id, workspace_id, customer_id
|
|
55
|
-
```
|
|
56
|
-
|
|
57
|
-
Suggested conflict/version columns include:
|
|
58
|
-
|
|
59
|
-
```text
|
|
60
|
-
updated_at, modified_at, row_version, version, lock_version, etag
|
|
61
|
-
```
|
|
62
|
-
|
|
63
|
-
Likely sensitive fields include names containing:
|
|
64
|
-
|
|
65
|
-
```text
|
|
66
|
-
password, secret, token, api_key, private_key, session, cookie, ssn,
|
|
67
|
-
credit_card, card_number, cvv, refresh_token, oauth
|
|
68
|
-
```
|
|
69
|
-
|
|
70
|
-
Binary/blob/vector columns are excluded from generated default visible columns.
|
|
71
|
-
|
|
72
|
-
## Safety Behavior
|
|
73
|
-
|
|
74
|
-
- Use a read-only database credential.
|
|
75
|
-
- Pass the connection through an environment variable name, not a command-line
|
|
76
|
-
URL.
|
|
77
|
-
- Inspection opens read-only transactions where supported.
|
|
78
|
-
- Inspection applies statement timeouts.
|
|
79
|
-
- Inspection does not issue DDL or DML.
|
|
80
|
-
- Errors are sanitized to avoid printing connection strings.
|
|
81
|
-
|
|
82
|
-
## Next Step
|
|
83
|
-
|
|
84
|
-
Use the inspection result to create `onboarding-selection.json`, then run:
|
|
85
|
-
|
|
86
|
-
```bash
|
|
87
|
-
npx -y -p @synapsor/runner@alpha synapsor init --spec onboarding-selection.json --non-interactive
|
|
88
|
-
```
|
package/docs/shadow-mode.md
DELETED
|
@@ -1,67 +0,0 @@
|
|
|
1
|
-
# Shadow Mode
|
|
2
|
-
|
|
3
|
-
Shadow mode lets you evaluate autonomy before allowing writes.
|
|
4
|
-
|
|
5
|
-
The model can create proposals and evidence, but the source database is never
|
|
6
|
-
mutated. A human continues doing the real work in the application. You can then
|
|
7
|
-
record what the human actually did and compare it to the agent proposal.
|
|
8
|
-
|
|
9
|
-
Run a shadow config:
|
|
10
|
-
|
|
11
|
-
```json
|
|
12
|
-
{
|
|
13
|
-
"mode": "shadow"
|
|
14
|
-
}
|
|
15
|
-
```
|
|
16
|
-
|
|
17
|
-
List shadow proposals:
|
|
18
|
-
|
|
19
|
-
```bash
|
|
20
|
-
npx -y -p @synapsor/runner@alpha synapsor shadow list --store ./.synapsor/local.db
|
|
21
|
-
```
|
|
22
|
-
|
|
23
|
-
Record the human action:
|
|
24
|
-
|
|
25
|
-
```bash
|
|
26
|
-
cat > human-action.json <<'JSON'
|
|
27
|
-
{
|
|
28
|
-
"late_fee_cents": 0,
|
|
29
|
-
"waiver_reason": "customer requested review"
|
|
30
|
-
}
|
|
31
|
-
JSON
|
|
32
|
-
|
|
33
|
-
npx -y -p @synapsor/runner@alpha synapsor shadow record-human-action wrp_123 \
|
|
34
|
-
--store ./.synapsor/local.db \
|
|
35
|
-
--patch human-action.json \
|
|
36
|
-
--actor human_operator \
|
|
37
|
-
--notes "matched support lead decision"
|
|
38
|
-
```
|
|
39
|
-
|
|
40
|
-
Compare:
|
|
41
|
-
|
|
42
|
-
```bash
|
|
43
|
-
npx -y -p @synapsor/runner@alpha synapsor shadow compare wrp_123 --store ./.synapsor/local.db
|
|
44
|
-
```
|
|
45
|
-
|
|
46
|
-
Report:
|
|
47
|
-
|
|
48
|
-
```bash
|
|
49
|
-
npx -y -p @synapsor/runner@alpha synapsor shadow report --store ./.synapsor/local.db
|
|
50
|
-
```
|
|
51
|
-
|
|
52
|
-
The report counts:
|
|
53
|
-
|
|
54
|
-
- total shadow proposals;
|
|
55
|
-
- proposals with human actions;
|
|
56
|
-
- exact matches;
|
|
57
|
-
- partial matches;
|
|
58
|
-
- mismatches;
|
|
59
|
-
- proposals with no human action yet.
|
|
60
|
-
|
|
61
|
-
Use this path to move gradually:
|
|
62
|
-
|
|
63
|
-
```text
|
|
64
|
-
read-only -> shadow proposals -> human-reviewed commits -> policy-approved commits later
|
|
65
|
-
```
|
|
66
|
-
|
|
67
|
-
This goal does not add policy auto-approval.
|
package/docs/telemetry.md
DELETED
|
@@ -1,28 +0,0 @@
|
|
|
1
|
-
# Telemetry
|
|
2
|
-
|
|
3
|
-
Local mode does not send telemetry to Synapsor Cloud.
|
|
4
|
-
|
|
5
|
-
By default, Synapsor Runner local commands do not upload:
|
|
6
|
-
|
|
7
|
-
- schema metadata;
|
|
8
|
-
- table names;
|
|
9
|
-
- database rows;
|
|
10
|
-
- prompts;
|
|
11
|
-
- proposal contents;
|
|
12
|
-
- credentials or database URLs;
|
|
13
|
-
- usage data.
|
|
14
|
-
|
|
15
|
-
Cloud communication occurs only after an explicit Cloud action, such as
|
|
16
|
-
`synapsor cloud connect`, or when a config uses `mode: "cloud"`.
|
|
17
|
-
|
|
18
|
-
The local MCP server keeps database credentials in the local environment. MCP
|
|
19
|
-
client snippets reference the local command and store path; they must not
|
|
20
|
-
include database URLs or passwords.
|
|
21
|
-
|
|
22
|
-
Cloud mode may exchange documented control-plane metadata for runner
|
|
23
|
-
registration, heartbeats, tool catalogs, proposal/job leases, result reporting,
|
|
24
|
-
and replay/audit workflows. Cloud mode must remain testable and must not upload
|
|
25
|
-
database credentials.
|
|
26
|
-
|
|
27
|
-
If a future feature adds opt-in telemetry, it must be documented, disabled by
|
|
28
|
-
default for local mode, and must not include secrets or row payloads.
|
package/docs/threat-model.md
DELETED
|
@@ -1,25 +0,0 @@
|
|
|
1
|
-
# Threat Model
|
|
2
|
-
|
|
3
|
-
## Boundary
|
|
4
|
-
|
|
5
|
-
Synapsor Runner is the local trusted writeback boundary. The write credential stays in the customer environment. Synapsor Cloud sends approved structured jobs, not database URLs, passwords, raw SQL, prompts, or model confidence.
|
|
6
|
-
|
|
7
|
-
## Threats covered
|
|
8
|
-
|
|
9
|
-
- Compromised or prompt-injected model: runner ignores prompts and accepts only structured approved jobs.
|
|
10
|
-
- Malicious model arguments: target, tenant, allowed columns, conflict guard, and idempotency key come from Synapsor proposal state.
|
|
11
|
-
- Over-broad proposal target: runner requires primary key and tenant guard.
|
|
12
|
-
- Compromised runner token: token is scoped to one source and limited to configured runner permissions such as adapter read/invoke, runner heartbeat, job claim, and result reporting; it does not grant approval or arbitrary SQL authority.
|
|
13
|
-
- Replayed job: receipt table makes applied retries idempotent.
|
|
14
|
-
- Concurrent runners: receipt row and target row are locked inside a transaction.
|
|
15
|
-
- Stale row/version conflict: version-column mismatch returns `conflict`.
|
|
16
|
-
- Tenant mismatch: missing target row under tenant guard returns conflict and does not write.
|
|
17
|
-
- Multi-row impact: affected rows must equal one.
|
|
18
|
-
- Database outage mid-transaction: transaction rolls back and reports failed.
|
|
19
|
-
- Control-plane outage after commit: receipt table allows safe idempotent result retry.
|
|
20
|
-
- Log leakage: default logs redact tokens and database URLs.
|
|
21
|
-
- Dependency compromise: CI, lockfile review, and dependency audit are release gates.
|
|
22
|
-
|
|
23
|
-
## Limitations
|
|
24
|
-
|
|
25
|
-
The current alpha does not support arbitrary SQL, inserts, deletes, DDL, stored procedures, multi-row updates, cross-database transactions, automatic schema changes, or a self-hosted Synapsor control plane.
|
package/docs/trusted-context.md
DELETED
|
@@ -1,70 +0,0 @@
|
|
|
1
|
-
# Trusted Context
|
|
2
|
-
|
|
3
|
-
Trusted context is the data Synapsor Runner uses as authority but does not allow
|
|
4
|
-
the model to choose freely.
|
|
5
|
-
|
|
6
|
-
Examples:
|
|
7
|
-
|
|
8
|
-
- tenant ID;
|
|
9
|
-
- principal/user ID;
|
|
10
|
-
- role;
|
|
11
|
-
- environment or workspace scope.
|
|
12
|
-
|
|
13
|
-
In local mode, the supported provider is environment binding:
|
|
14
|
-
|
|
15
|
-
```json
|
|
16
|
-
{
|
|
17
|
-
"trusted_context": {
|
|
18
|
-
"provider": "environment",
|
|
19
|
-
"values": {
|
|
20
|
-
"tenant_id_env": "SYNAPSOR_TENANT_ID",
|
|
21
|
-
"principal_env": "SYNAPSOR_PRINCIPAL"
|
|
22
|
-
}
|
|
23
|
-
}
|
|
24
|
-
}
|
|
25
|
-
```
|
|
26
|
-
|
|
27
|
-
For larger configs, use named contexts so each capability says which trusted
|
|
28
|
-
binding it uses:
|
|
29
|
-
|
|
30
|
-
```json
|
|
31
|
-
{
|
|
32
|
-
"contexts": {
|
|
33
|
-
"local_support_operator": {
|
|
34
|
-
"provider": "environment",
|
|
35
|
-
"values": {
|
|
36
|
-
"tenant_id_env": "SYNAPSOR_TENANT_ID",
|
|
37
|
-
"principal_env": "SYNAPSOR_PRINCIPAL"
|
|
38
|
-
}
|
|
39
|
-
}
|
|
40
|
-
},
|
|
41
|
-
"capabilities": [
|
|
42
|
-
{
|
|
43
|
-
"name": "support.inspect_ticket",
|
|
44
|
-
"context": "local_support_operator"
|
|
45
|
-
}
|
|
46
|
-
]
|
|
47
|
-
}
|
|
48
|
-
```
|
|
49
|
-
|
|
50
|
-
Backward compatibility: `trusted_context` still works as the global fallback.
|
|
51
|
-
If a capability names `context`, that named context is used for that capability.
|
|
52
|
-
If a capability does not name `context`, the global `trusted_context` is used.
|
|
53
|
-
Config validation fails when a capability references a missing named context.
|
|
54
|
-
|
|
55
|
-
At runtime:
|
|
56
|
-
|
|
57
|
-
```bash
|
|
58
|
-
export SYNAPSOR_TENANT_ID="acme"
|
|
59
|
-
export SYNAPSOR_PRINCIPAL="local_operator"
|
|
60
|
-
```
|
|
61
|
-
|
|
62
|
-
The model may pass business identifiers such as `invoice_id` or `ticket_id`.
|
|
63
|
-
Those identifiers are validated inside the trusted tenant scope.
|
|
64
|
-
|
|
65
|
-
The model must not pass `tenant_id`, principal, role, or authorization scope as
|
|
66
|
-
ordinary authority arguments. If a tool schema appears to require those fields
|
|
67
|
-
from the model, treat it as a bug.
|
|
68
|
-
|
|
69
|
-
Cloud mode may bind trusted context from Cloud runner/session context, but
|
|
70
|
-
database credentials still stay local.
|