@synapsor/runner 0.1.0 → 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +27 -0
- package/README.md +683 -245
- package/docs/README.md +82 -47
- package/docs/release-notes.md +21 -0
- package/examples/claude-desktop-postgres/Makefile +6 -0
- package/examples/claude-desktop-postgres/README.md +40 -0
- package/examples/cursor-postgres/Makefile +6 -0
- package/examples/cursor-postgres/README.md +30 -0
- package/examples/mysql-refund-agent/Makefile +4 -0
- package/examples/mysql-refund-agent/README.md +36 -0
- package/examples/openai-agents-http/Makefile +6 -0
- package/examples/openai-agents-http/README.md +14 -0
- package/examples/openai-agents-stdio/Makefile +6 -0
- package/examples/openai-agents-stdio/README.md +14 -0
- package/examples/raw-sql-vs-synapsor/Makefile +11 -0
- package/examples/raw-sql-vs-synapsor/README.md +41 -0
- package/examples/support-billing-agent/Makefile +19 -0
- package/examples/support-billing-agent/README.md +89 -0
- package/examples/support-billing-agent/app/README.md +13 -0
- package/examples/support-billing-agent/db/schema.sql +91 -0
- package/examples/support-billing-agent/db/seed.sql +43 -0
- package/examples/support-billing-agent/docker-compose.yml +13 -0
- package/examples/support-billing-agent/scripts/run-demo.sh +15 -0
- package/examples/support-billing-agent/synapsor.runner.json +233 -0
- package/package.json +22 -4
package/README.md
CHANGED
|
@@ -1,11 +1,32 @@
|
|
|
1
1
|
# Synapsor Runner
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
[](https://www.npmjs.com/package/@synapsor/runner)
|
|
4
|
+
[](LICENSE)
|
|
5
|
+
[](https://github.com/synapsor-ai/synapsor-runner/actions/workflows/ci.yml)
|
|
4
6
|
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
or
|
|
7
|
+
Stop giving AI agents `execute_sql()`. Give them reviewed business actions.
|
|
8
|
+
|
|
9
|
+
Synapsor Runner is an Open-source MCP safety layer for Postgres and MySQL. It
|
|
10
|
+
sits between Claude, Cursor, OpenAI Agents SDK, or another MCP client and your
|
|
11
|
+
database so the model can inspect scoped data and propose changes without
|
|
12
|
+
receiving raw SQL, write credentials, approval tools, or commit authority.
|
|
13
|
+
|
|
14
|
+
```text
|
|
15
|
+
Without Synapsor:
|
|
16
|
+
agent -> execute_sql("UPDATE invoices SET late_fee_cents = 0 ...")
|
|
17
|
+
# raw write path, model-controlled scope, easy tenant mistake
|
|
18
|
+
|
|
19
|
+
With Synapsor Runner:
|
|
20
|
+
agent -> billing.propose_late_fee_waiver(invoice_id, reason)
|
|
21
|
+
# proposal only
|
|
22
|
+
human approves -> guarded writeback applies exactly one change
|
|
23
|
+
```
|
|
24
|
+
|
|
25
|
+
Try the no-database quick demo:
|
|
26
|
+
|
|
27
|
+
```bash
|
|
28
|
+
npx @synapsor/runner demo --quick
|
|
29
|
+
```
|
|
9
30
|
|
|
10
31
|
## The Five-Line Model
|
|
11
32
|
|
|
@@ -15,60 +36,6 @@ It can suggest: saved proposals with evidence and exact diffs.
|
|
|
15
36
|
It cannot commit: approval and writeback happen outside the model-facing tool.
|
|
16
37
|
After writeback, Runner keeps receipts and replay so you can inspect what happened.
|
|
17
38
|
|
|
18
|
-
## Four Terms
|
|
19
|
-
|
|
20
|
-
- Capability: a tool you define in config, such as `billing.inspect_invoice`
|
|
21
|
-
or `billing.propose_late_fee_waiver`. The agent only sees capabilities.
|
|
22
|
-
- Proposal: the agent's suggested database-backed change. It is saved, not
|
|
23
|
-
applied.
|
|
24
|
-
- Writeback: the moment an approved proposal actually changes the database.
|
|
25
|
-
- Executor: your app's writeback handler for anything richer than a guarded
|
|
26
|
-
one-row update.
|
|
27
|
-
|
|
28
|
-
You install only `@synapsor/runner`. There is no separate handler package to
|
|
29
|
-
install. A handler is your app's endpoint or script for rich approved writes;
|
|
30
|
-
Runner includes templates and examples to help you build one.
|
|
31
|
-
|
|
32
|
-
## Who Does What
|
|
33
|
-
|
|
34
|
-
You write the config: sources, trusted context, capabilities, visible fields,
|
|
35
|
-
proposal fields, and guards. For rich writes, you also write a small handler.
|
|
36
|
-
|
|
37
|
-
Synapsor Runner serves the MCP tools, stores evidence/proposals/receipts,
|
|
38
|
-
enforces tenant, column, version, and idempotency guards, routes writeback, and
|
|
39
|
-
keeps the replay log. You do not rebuild the safety loop yourself.
|
|
40
|
-
|
|
41
|
-
## The Writeback Rule
|
|
42
|
-
|
|
43
|
-
One-row update to an existing row: Runner can do guarded direct writeback.
|
|
44
|
-
Anything else, such as inserting a row, touching two tables, or emitting an
|
|
45
|
-
event: your app-owned executor does it after approval.
|
|
46
|
-
|
|
47
|
-
## How An External Handler Works
|
|
48
|
-
|
|
49
|
-
Some changes are too rich for Runner's one-row writeback: insert a credit row,
|
|
50
|
-
touch two tables, or emit an event. For those, you run a small endpoint. The
|
|
51
|
-
flow is:
|
|
52
|
-
|
|
53
|
-
```text
|
|
54
|
-
agent proposes
|
|
55
|
-
-> human approves outside MCP
|
|
56
|
-
-> Runner POSTs the approved change to your endpoint
|
|
57
|
-
-> your code writes it in its own transaction and returns a receipt
|
|
58
|
-
```
|
|
59
|
-
|
|
60
|
-
The model never touches this code. You are the last line of defense: Runner
|
|
61
|
-
hands you the tenant, expected row version, and idempotency key, and your
|
|
62
|
-
handler must re-check all three. Skipping those checks reintroduces
|
|
63
|
-
cross-tenant writes, lost updates, or duplicate writes. Start from
|
|
64
|
-
`synapsor-runner handler template ...` instead of hand-rolling the safety checks.
|
|
65
|
-
|
|
66
|
-
## Deliberate Limits
|
|
67
|
-
|
|
68
|
-
Runner does not expose raw SQL, write credentials, approval tools, or commit
|
|
69
|
-
tools to the model. Direct Runner writeback does not do generic `INSERT`,
|
|
70
|
-
`DELETE`, `UPSERT`, DDL, or multi-row SQL. Those are app-owned executor jobs.
|
|
71
|
-
|
|
72
39
|
```text
|
|
73
40
|
AI agent or MCP client
|
|
74
41
|
(Claude, Cursor, OpenAI Agents SDK, LangGraph)
|
|
@@ -97,23 +64,13 @@ Your database stays the source of truth. Synapsor Runner owns the
|
|
|
97
64
|
model-facing boundary: what the agent can read, what it can propose, what
|
|
98
65
|
evidence is saved, and what can later be reviewed or replayed.
|
|
99
66
|
|
|
100
|
-
## What Runner Does
|
|
101
|
-
|
|
102
|
-
When an agent uses Runner:
|
|
103
|
-
|
|
104
|
-
- the model gets reviewed capabilities, not raw database authority;
|
|
105
|
-
- reads produce evidence handles and query audit;
|
|
106
|
-
- writes become proposals, not direct mutations;
|
|
107
|
-
- approval and writeback happen outside the model-facing MCP surface;
|
|
108
|
-
- replay shows what the agent saw, proposed, and what was applied or blocked.
|
|
109
|
-
|
|
110
67
|
## Start Here
|
|
111
68
|
|
|
112
69
|
Run the guided quick demo first. It does not require Docker, a database, a
|
|
113
70
|
config file, an MCP client, or a Synapsor Cloud account.
|
|
114
71
|
|
|
115
72
|
```bash
|
|
116
|
-
npx
|
|
73
|
+
npx @synapsor/runner demo --quick
|
|
117
74
|
```
|
|
118
75
|
|
|
119
76
|
In a terminal, it walks through the safety model step by step. In CI, piped
|
|
@@ -125,41 +82,122 @@ It does not prove database connectivity. It shows the proposal, evidence, and
|
|
|
125
82
|
replay flow without giving the runner a database URL.
|
|
126
83
|
|
|
127
84
|
```bash
|
|
128
|
-
npx
|
|
85
|
+
npx @synapsor/runner demo inspect
|
|
129
86
|
```
|
|
130
87
|
|
|
131
|
-
|
|
132
|
-
`--json` for complete machine-readable records.
|
|
88
|
+
Then choose one path:
|
|
133
89
|
|
|
134
|
-
|
|
90
|
+
```text
|
|
91
|
+
Full disposable proof -> npx -y -p @synapsor/runner synapsor-runner demo
|
|
92
|
+
Inspect MCP risk -> npx -y -p @synapsor/runner synapsor-runner audit --example dangerous-db-mcp
|
|
93
|
+
```
|
|
94
|
+
|
|
95
|
+
## Connect Your Postgres Or MySQL
|
|
96
|
+
|
|
97
|
+
Use a staging or disposable database first:
|
|
135
98
|
|
|
136
99
|
```bash
|
|
137
|
-
|
|
138
|
-
synapsor-runner
|
|
139
|
-
synapsor-runner demo --quick --details
|
|
140
|
-
synapsor-runner demo inspect --npx
|
|
100
|
+
export DATABASE_URL="postgres://readonly:...@localhost:5432/app"
|
|
101
|
+
npx -y -p @synapsor/runner synapsor-runner start --from-env DATABASE_URL
|
|
141
102
|
```
|
|
142
103
|
|
|
143
|
-
|
|
104
|
+
The first-run path is:
|
|
144
105
|
|
|
145
106
|
```text
|
|
146
|
-
|
|
147
|
-
|
|
148
|
-
|
|
107
|
+
1. Inspect schema and generate a reviewed config with start/init/onboard.
|
|
108
|
+
2. Run tools preview to confirm no raw SQL or write credentials are exposed.
|
|
109
|
+
3. Run smoke call against one generated inspect tool.
|
|
110
|
+
4. Start review mode with up --serve or mcp serve.
|
|
111
|
+
5. Inspect, propose, approve, apply, and replay from the local ledger.
|
|
112
|
+
```
|
|
113
|
+
|
|
114
|
+
Useful commands after setup:
|
|
115
|
+
|
|
116
|
+
```bash
|
|
117
|
+
synapsor-runner tools preview --config ./synapsor.runner.json --store ./.synapsor/local.db
|
|
118
|
+
synapsor-runner smoke call --config ./synapsor.runner.json --store ./.synapsor/local.db
|
|
119
|
+
synapsor-runner up --serve --config ./synapsor.runner.json --store ./.synapsor/local.db
|
|
149
120
|
```
|
|
150
121
|
|
|
151
|
-
|
|
152
|
-
|
|
122
|
+
## What Runner Does
|
|
123
|
+
|
|
124
|
+
When an agent uses Runner:
|
|
125
|
+
|
|
126
|
+
- the model gets reviewed capabilities, not raw database authority;
|
|
127
|
+
- reads produce evidence handles and query audit;
|
|
128
|
+
- writes become proposals, not direct mutations;
|
|
129
|
+
- approval and writeback happen outside the model-facing MCP surface;
|
|
130
|
+
- replay shows what the agent saw, proposed, and what was applied or blocked.
|
|
131
|
+
|
|
132
|
+
## Four Terms
|
|
133
|
+
|
|
134
|
+
- Capability: a tool you define in config, such as `billing.inspect_invoice`
|
|
135
|
+
or `billing.propose_late_fee_waiver`. The agent only sees capabilities.
|
|
136
|
+
- Proposal: the agent's suggested database-backed change. It is saved, not
|
|
137
|
+
applied.
|
|
138
|
+
- Writeback: the moment an approved proposal actually changes the database.
|
|
139
|
+
- Executor: your app's writeback handler for anything richer than a guarded
|
|
140
|
+
one-row update.
|
|
141
|
+
|
|
142
|
+
You install only `@synapsor/runner`. There is no separate handler package to
|
|
143
|
+
install. A handler is your app's endpoint or script for rich approved writes;
|
|
144
|
+
Runner includes templates and examples to help you build one.
|
|
145
|
+
|
|
146
|
+
## Who Does What
|
|
147
|
+
|
|
148
|
+
You write the config: sources, trusted context, capabilities, visible fields,
|
|
149
|
+
proposal fields, and guards. For rich writes, you also write a small handler.
|
|
150
|
+
|
|
151
|
+
Synapsor Runner serves the MCP tools, stores evidence/proposals/receipts,
|
|
152
|
+
enforces tenant, column, version, and idempotency guards, routes writeback, and
|
|
153
|
+
keeps the replay log. You do not rebuild the safety loop yourself.
|
|
154
|
+
|
|
155
|
+
## The Writeback Rule
|
|
156
|
+
|
|
157
|
+
One-row update to an existing row: Runner can do guarded direct writeback.
|
|
158
|
+
Anything else, such as inserting a row, touching two tables, or emitting an
|
|
159
|
+
event: your app-owned executor does it after approval.
|
|
160
|
+
|
|
161
|
+
## How An External Handler Works
|
|
162
|
+
|
|
163
|
+
Some changes are too rich for Runner's one-row writeback: insert a credit row,
|
|
164
|
+
touch two tables, or emit an event. For those, you run a small endpoint. The
|
|
165
|
+
flow is:
|
|
153
166
|
|
|
154
167
|
```text
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
168
|
+
agent proposes
|
|
169
|
+
-> human approves outside MCP
|
|
170
|
+
-> Runner POSTs the approved change to your endpoint
|
|
171
|
+
-> your code writes it in its own transaction and returns a receipt
|
|
172
|
+
```
|
|
173
|
+
|
|
174
|
+
The model never touches this code. You are the last line of defense: Runner
|
|
175
|
+
hands you the tenant, expected row version, and idempotency key, and your
|
|
176
|
+
handler must re-check all three. Skipping those checks reintroduces
|
|
177
|
+
cross-tenant writes, lost updates, or duplicate writes. Start from
|
|
178
|
+
`synapsor-runner handler template ...` instead of hand-rolling the safety checks.
|
|
179
|
+
|
|
180
|
+
## Deliberate Limits
|
|
181
|
+
|
|
182
|
+
Runner does not expose raw SQL, write credentials, approval tools, or commit
|
|
183
|
+
tools to the model. Direct Runner writeback does not do generic `INSERT`,
|
|
184
|
+
`DELETE`, `UPSERT`, DDL, or multi-row SQL. Those are app-owned executor jobs.
|
|
185
|
+
|
|
186
|
+
## Command Name
|
|
187
|
+
|
|
188
|
+
```bash
|
|
189
|
+
npm install -g @synapsor/runner
|
|
190
|
+
synapsor-runner demo --quick
|
|
159
191
|
```
|
|
160
192
|
|
|
161
193
|
`synapsor-runner` is the public command for this OSS runner. `synapsor` is
|
|
162
|
-
reserved for the Synapsor Cloud CLI.
|
|
194
|
+
reserved for the Synapsor Cloud CLI. If you install the package globally, you
|
|
195
|
+
can drop the `npx -y -p @synapsor/runner` prefix.
|
|
196
|
+
|
|
197
|
+
Contributor note: during development, test local changes with
|
|
198
|
+
`./bin/synapsor-runner ...` or a packed tarball. `npx -p @synapsor/runner ...`
|
|
199
|
+
only tests the currently published package, not unpublished local source
|
|
200
|
+
changes.
|
|
163
201
|
|
|
164
202
|
Authoring reference:
|
|
165
203
|
|
|
@@ -171,7 +209,7 @@ Authoring reference:
|
|
|
171
209
|
- [JSON Schema](schemas/synapsor.runner.schema.json): editor validation for
|
|
172
210
|
`synapsor.runner.json`.
|
|
173
211
|
|
|
174
|
-
##
|
|
212
|
+
## Operational Details
|
|
175
213
|
|
|
176
214
|
These are current alpha requirements, not hidden behavior:
|
|
177
215
|
|
|
@@ -206,12 +244,64 @@ These are current alpha requirements, not hidden behavior:
|
|
|
206
244
|
`synapsor-runner doctor --config synapsor.runner.json --check-handlers` to
|
|
207
245
|
check handler env vars and network reachability without applying a proposal.
|
|
208
246
|
|
|
247
|
+
## Run The Full Disposable Demo
|
|
248
|
+
|
|
249
|
+
The full demo requires Docker. It starts a disposable local Postgres-backed app
|
|
250
|
+
and proves the proposal-first write path:
|
|
251
|
+
|
|
252
|
+
```bash
|
|
253
|
+
npx -y -p @synapsor/runner synapsor-runner demo
|
|
254
|
+
```
|
|
255
|
+
|
|
256
|
+
After the demo prints its generated config and store path, run the happy path it
|
|
257
|
+
prints. The shape is:
|
|
258
|
+
|
|
259
|
+
```bash
|
|
260
|
+
synapsor-runner propose billing.propose_late_fee_waiver --sample
|
|
261
|
+
synapsor-runner proposals show latest
|
|
262
|
+
synapsor-runner proposals approve latest --yes
|
|
263
|
+
synapsor-runner apply latest
|
|
264
|
+
synapsor-runner replay show latest
|
|
265
|
+
synapsor-runner replay show latest --details
|
|
266
|
+
```
|
|
267
|
+
|
|
268
|
+
What you should see:
|
|
269
|
+
|
|
270
|
+
```text
|
|
271
|
+
Agent called:
|
|
272
|
+
billing.propose_late_fee_waiver
|
|
273
|
+
|
|
274
|
+
Proposal created:
|
|
275
|
+
invoice.late_fee_cents
|
|
276
|
+
5500 -> 0
|
|
277
|
+
|
|
278
|
+
Source DB changed:
|
|
279
|
+
no
|
|
280
|
+
|
|
281
|
+
Approval:
|
|
282
|
+
required outside MCP
|
|
283
|
+
|
|
284
|
+
After approval:
|
|
285
|
+
guarded writeback applied
|
|
286
|
+
|
|
287
|
+
Replay:
|
|
288
|
+
saved
|
|
289
|
+
```
|
|
290
|
+
|
|
291
|
+
That is the core point: the model can ask for a database-backed business
|
|
292
|
+
change, but durable state changes only after reviewed approval and guarded
|
|
293
|
+
writeback.
|
|
294
|
+
|
|
209
295
|
## Connect Your Own Staging Database
|
|
210
296
|
|
|
211
|
-
|
|
297
|
+
Use this after the quick demo makes sense. Start with staging, a disposable
|
|
298
|
+
database, or a least-privilege view. Do not start with your most sensitive
|
|
299
|
+
production database.
|
|
300
|
+
|
|
301
|
+
Put the read-only connection string in an environment variable:
|
|
212
302
|
|
|
213
303
|
```bash
|
|
214
|
-
export DATABASE_URL="postgresql://readonly_user:password@
|
|
304
|
+
export DATABASE_URL="postgresql://readonly_user:password@host:5432/app?sslmode=require"
|
|
215
305
|
```
|
|
216
306
|
|
|
217
307
|
For disposable dev RDS fixtures only, use `sslmode=no-verify` if your local
|
|
@@ -238,20 +328,6 @@ call immediately and stores the evidence/query audit in the local ledger. If
|
|
|
238
328
|
those env vars are missing, it prints the exact command to run after you set
|
|
239
329
|
them from `.env.example`.
|
|
240
330
|
|
|
241
|
-
The end-to-end shape is:
|
|
242
|
-
|
|
243
|
-
```text
|
|
244
|
-
1. Put your read-only DB URL in DATABASE_URL.
|
|
245
|
-
2. Run start --from-env DATABASE_URL.
|
|
246
|
-
3. Choose one table/view and the safe fields agents may see.
|
|
247
|
-
4. Preview the generated capabilities.
|
|
248
|
-
5. Serve them over MCP to Claude, Cursor, OpenAI Agents SDK, or your app.
|
|
249
|
-
6. For writes, approve a proposal outside MCP before writeback.
|
|
250
|
-
```
|
|
251
|
-
|
|
252
|
-
The generated config is just the safety contract. A small reviewed version
|
|
253
|
-
looks like this:
|
|
254
|
-
|
|
255
331
|
Bring the generated review-mode workspace up with one command:
|
|
256
332
|
|
|
257
333
|
```bash
|
|
@@ -301,6 +377,20 @@ so `config validate` does not warn that direct SQL writeback is disabled.
|
|
|
301
377
|
You can also pass `--answers ./answers.json --yes` for a fully declarative
|
|
302
378
|
setup file.
|
|
303
379
|
|
|
380
|
+
The end-to-end shape is:
|
|
381
|
+
|
|
382
|
+
```text
|
|
383
|
+
1. Put your read-only DB URL in DATABASE_URL.
|
|
384
|
+
2. Run start --from-env DATABASE_URL.
|
|
385
|
+
3. Choose one table/view and the safe fields agents may see.
|
|
386
|
+
4. Preview the generated capabilities.
|
|
387
|
+
5. Serve them over MCP to Claude, Cursor, OpenAI Agents SDK, or your app.
|
|
388
|
+
6. For writes, approve a proposal outside MCP before writeback.
|
|
389
|
+
```
|
|
390
|
+
|
|
391
|
+
The generated config is just the safety contract. A small reviewed version
|
|
392
|
+
looks like this:
|
|
393
|
+
|
|
304
394
|
```json
|
|
305
395
|
{
|
|
306
396
|
"version": 1,
|
|
@@ -371,6 +461,17 @@ The agent sees `billing.inspect_invoice` and
|
|
|
371
461
|
`billing.propose_late_fee_waiver`. It does not see the database URL, writer
|
|
372
462
|
credential, raw SQL, approval command, or commit command.
|
|
373
463
|
|
|
464
|
+
Prefer the step-by-step commands if you want to inspect each stage manually:
|
|
465
|
+
|
|
466
|
+
```bash
|
|
467
|
+
npx -y -p @synapsor/runner synapsor-runner inspect \
|
|
468
|
+
--engine auto \
|
|
469
|
+
--from-env DATABASE_URL \
|
|
470
|
+
--schema public
|
|
471
|
+
|
|
472
|
+
npx -y -p @synapsor/runner synapsor-runner init --wizard --from-env DATABASE_URL --mode read_only
|
|
473
|
+
```
|
|
474
|
+
|
|
374
475
|
The wizard creates this local flow:
|
|
375
476
|
|
|
376
477
|
```text
|
|
@@ -380,45 +481,55 @@ trusted context -> capability -> MCP tool
|
|
|
380
481
|
It asks which table/view backs the context, which tenant/scope column and
|
|
381
482
|
backend session env vars are trusted, which fields are visible, and what
|
|
382
483
|
semantic capability name to expose. Before writing files, it shows a final
|
|
383
|
-
preview and lets you revise visible fields or capability names.
|
|
484
|
+
preview and lets you revise visible fields or capability names. It writes
|
|
485
|
+
`synapsor.runner.json`, `.env.example`, and MCP client snippets. It does not put
|
|
486
|
+
your database URL in the MCP client config.
|
|
487
|
+
|
|
488
|
+
Preview the tools:
|
|
384
489
|
|
|
385
490
|
```bash
|
|
386
|
-
npx -y -p @synapsor/runner synapsor-runner
|
|
387
|
-
--
|
|
388
|
-
--
|
|
389
|
-
--from-env DATABASE_URL \
|
|
390
|
-
--schema public \
|
|
391
|
-
--mode read_only
|
|
491
|
+
npx -y -p @synapsor/runner synapsor-runner tools preview \
|
|
492
|
+
--config ./synapsor.runner.json \
|
|
493
|
+
--store ./.synapsor/local.db
|
|
392
494
|
```
|
|
393
495
|
|
|
394
|
-
|
|
496
|
+
Call one generated tool locally before wiring an MCP client:
|
|
395
497
|
|
|
396
498
|
```bash
|
|
397
|
-
npx -y -p @synapsor/runner synapsor-runner
|
|
499
|
+
npx -y -p @synapsor/runner synapsor-runner smoke call \
|
|
500
|
+
<generated.inspect_tool_name> \
|
|
501
|
+
--input ./.synapsor/smoke-input.json \
|
|
398
502
|
--config ./synapsor.runner.json \
|
|
399
503
|
--store ./.synapsor/local.db
|
|
504
|
+
```
|
|
505
|
+
|
|
506
|
+
`smoke call` uses the same runtime as MCP, records evidence/query audit or a
|
|
507
|
+
proposal in the local store, and then prints the evidence/proposal/replay
|
|
508
|
+
commands to inspect what happened. If you skipped the optional smoke input in
|
|
509
|
+
the wizard, pass one real row id instead:
|
|
400
510
|
|
|
511
|
+
```bash
|
|
401
512
|
npx -y -p @synapsor/runner synapsor-runner smoke call \
|
|
402
513
|
<generated.inspect_tool_name> \
|
|
403
|
-
--
|
|
514
|
+
--json '{"<lookup_arg>":"<real_id>"}' \
|
|
404
515
|
--config ./synapsor.runner.json \
|
|
405
516
|
--store ./.synapsor/local.db
|
|
517
|
+
```
|
|
406
518
|
|
|
519
|
+
Serve the semantic MCP tools locally:
|
|
520
|
+
|
|
521
|
+
```bash
|
|
407
522
|
npx -y -p @synapsor/runner synapsor-runner mcp serve \
|
|
408
523
|
--config ./synapsor.runner.json \
|
|
409
524
|
--store ./.synapsor/local.db
|
|
410
525
|
```
|
|
411
526
|
|
|
412
|
-
|
|
413
|
-
proposal in the local store, and prints the evidence/proposal/replay commands
|
|
414
|
-
to inspect what happened. If you skipped the optional smoke input in the
|
|
415
|
-
wizard, pass `--json '{"<lookup_arg>":"<real_id>"}'` instead.
|
|
416
|
-
|
|
417
|
-
## Two Ways To Run MCP
|
|
527
|
+
## Three Ways To Run MCP
|
|
418
528
|
|
|
419
529
|
Use stdio when the MCP client runs locally and can launch Synapsor Runner. Use
|
|
420
|
-
HTTP when
|
|
421
|
-
|
|
530
|
+
Streamable HTTP when a standard HTTP MCP client connects to a long-running
|
|
531
|
+
Runner process. Use the JSON-RPC bridge only when you want simple POST calls
|
|
532
|
+
from your own app/server wrapper.
|
|
422
533
|
|
|
423
534
|
Local MCP clients:
|
|
424
535
|
|
|
@@ -460,7 +571,8 @@ synapsor-runner up --serve \
|
|
|
460
571
|
--alias-mode openai
|
|
461
572
|
```
|
|
462
573
|
|
|
463
|
-
|
|
574
|
+
The same Streamable HTTP server can also be started through the unified serve
|
|
575
|
+
command:
|
|
464
576
|
|
|
465
577
|
```bash
|
|
466
578
|
synapsor-runner mcp serve \
|
|
@@ -500,86 +612,61 @@ examples/openai-agents-stdio/
|
|
|
500
612
|
examples/openai-agents-http/
|
|
501
613
|
```
|
|
502
614
|
|
|
503
|
-
|
|
504
|
-
guarded writeback with a separate trusted write credential.
|
|
505
|
-
|
|
506
|
-
## Sanity Check The Agent Connection
|
|
507
|
-
|
|
508
|
-
Before asking an agent to solve a real task, confirm it can call a Runner tool:
|
|
509
|
-
|
|
510
|
-
```bash
|
|
511
|
-
synapsor-runner tools preview --config ./synapsor.runner.json --store ./.synapsor/local.db
|
|
512
|
-
```
|
|
513
|
-
|
|
514
|
-
For OpenAI-facing clients:
|
|
515
|
-
|
|
516
|
-
```bash
|
|
517
|
-
synapsor-runner tools preview \
|
|
518
|
-
--config ./synapsor.runner.json \
|
|
519
|
-
--store ./.synapsor/local.db \
|
|
520
|
-
--alias-mode openai
|
|
521
|
-
```
|
|
522
|
-
|
|
523
|
-
Then ask the agent:
|
|
524
|
-
|
|
525
|
-
```text
|
|
526
|
-
Use the Synapsor Runner MCP tool to inspect invoice INV-3001.
|
|
527
|
-
Do not answer from memory.
|
|
528
|
-
Return the tool name called, the evidence handle, and whether raw SQL was available.
|
|
529
|
-
```
|
|
530
|
-
|
|
531
|
-
Expected result: the agent calls a semantic tool, returns an evidence handle or
|
|
532
|
-
local ledger reference, and says raw SQL/write/approval tools were not
|
|
533
|
-
available. If it gives generic advice or unrelated prose without a tool call,
|
|
534
|
-
Runner is not connected yet.
|
|
535
|
-
|
|
536
|
-
The disposable reference app includes proposal-first write examples for:
|
|
615
|
+
Detailed setup: [docs/openai-agents-sdk.md](docs/openai-agents-sdk.md).
|
|
537
616
|
|
|
538
|
-
|
|
539
|
-
|
|
540
|
-
-
|
|
617
|
+
Use `--mode review` only when you are ready to create proposal tools and test
|
|
618
|
+
guarded writeback. Review mode needs an approved write path and a separate
|
|
619
|
+
trusted write credential; the model-facing read URL should stay least
|
|
620
|
+
privilege.
|
|
541
621
|
|
|
542
|
-
|
|
543
|
-
database remains unchanged until approval outside MCP and guarded writeback.
|
|
622
|
+
## Audit Your MCP Database Tools
|
|
544
623
|
|
|
545
|
-
|
|
624
|
+
`synapsor-runner audit` is a static MCP/database risk review. It is useful even before
|
|
625
|
+
you adopt the full runner.
|
|
546
626
|
|
|
547
627
|
```bash
|
|
548
|
-
|
|
628
|
+
synapsor-runner audit --example dangerous-db-mcp
|
|
629
|
+
synapsor-runner audit --example dangerous-db-mcp --format markdown
|
|
630
|
+
synapsor-runner audit ./synapsor.runner.json
|
|
631
|
+
synapsor-runner audit --mcp-config ./claude_desktop_config.json
|
|
632
|
+
synapsor-runner audit --stdio "node ./my-db-mcp-server.js"
|
|
549
633
|
```
|
|
550
634
|
|
|
551
|
-
|
|
635
|
+
The built-in example runs without cloning this repository or downloading an
|
|
636
|
+
examples file. File-based audits still work when you have your own exported MCP
|
|
637
|
+
tool manifest.
|
|
552
638
|
|
|
553
|
-
|
|
554
|
-
binary, `synapsor.runner.json` schema version `1`, result envelope v2, stdio
|
|
555
|
-
MCP, Streamable HTTP MCP, MCP client snippets, proposal/approval/writeback
|
|
556
|
-
inspection commands, direct SQL writeback contract, and app-owned executor
|
|
557
|
-
contract compatible through the `0.1.x` line unless a release note marks a
|
|
558
|
-
deprecation first.
|
|
639
|
+
It looks for patterns such as:
|
|
559
640
|
|
|
560
|
-
|
|
561
|
-
|
|
562
|
-
|
|
563
|
-
|
|
564
|
-
|
|
641
|
+
- arbitrary SQL tools;
|
|
642
|
+
- broad database write tools;
|
|
643
|
+
- model-facing approval/commit tools;
|
|
644
|
+
- missing tenant/principal context;
|
|
645
|
+
- dangerous tool names;
|
|
646
|
+
- unclear parameter schemas;
|
|
647
|
+
- mutation tools without proposal/approval.
|
|
565
648
|
|
|
566
|
-
|
|
567
|
-
writeback:
|
|
649
|
+
Example finding:
|
|
568
650
|
|
|
569
651
|
```text
|
|
570
|
-
|
|
571
|
-
|
|
572
|
-
|
|
573
|
-
|
|
574
|
-
|
|
575
|
-
|
|
576
|
-
|
|
577
|
-
|
|
652
|
+
Risk: high
|
|
653
|
+
|
|
654
|
+
Found:
|
|
655
|
+
- execute_sql appears to expose arbitrary database access.
|
|
656
|
+
- approve_refund appears to let the model approve a durable write.
|
|
657
|
+
- update_customer appears to mutate state without a proposal boundary.
|
|
658
|
+
- No trusted tenant/principal context was detected.
|
|
659
|
+
|
|
660
|
+
Suggested safer shape:
|
|
661
|
+
- billing.inspect_invoice
|
|
662
|
+
- billing.propose_late_fee_waiver
|
|
663
|
+
- approval outside MCP
|
|
664
|
+
- guarded writeback after approval
|
|
665
|
+
|
|
666
|
+
Note:
|
|
667
|
+
This is a static risk review, not a security guarantee.
|
|
578
668
|
```
|
|
579
669
|
|
|
580
|
-
Your Postgres/MySQL database remains the source of truth. The runner stores
|
|
581
|
-
local proposals, evidence, receipts, and replay data in a local SQLite store.
|
|
582
|
-
|
|
583
670
|
## Why Not Just Use A Read-Only Database User?
|
|
584
671
|
|
|
585
672
|
You should use one.
|
|
@@ -606,47 +693,30 @@ Use Synapsor Runner when you also want the agent-facing layer: semantic tools,
|
|
|
606
693
|
trusted context, evidence handles, query audit, local inspection, and
|
|
607
694
|
proposal-first writes.
|
|
608
695
|
|
|
609
|
-
##
|
|
610
|
-
|
|
611
|
-
Run the included MCP efficiency fixture:
|
|
696
|
+
## Find Evidence And Replay
|
|
612
697
|
|
|
613
|
-
|
|
614
|
-
|
|
615
|
-
```
|
|
698
|
+
The commands in this section require this checkout or an alpha package that
|
|
699
|
+
includes the local-ledger CLI surface.
|
|
616
700
|
|
|
617
|
-
|
|
701
|
+
Synapsor Runner writes a local evidence/replay ledger to SQLite. Use it to
|
|
702
|
+
answer questions such as:
|
|
618
703
|
|
|
619
704
|
```text
|
|
620
|
-
|
|
621
|
-
exposed tools: 4
|
|
622
|
-
scripted tool calls: 5
|
|
623
|
-
raw SQL exposed: yes
|
|
624
|
-
approval separated: no
|
|
625
|
-
stale-row conflict checked: no
|
|
626
|
-
|
|
627
|
-
Synapsor Runner semantic path:
|
|
628
|
-
exposed tools: 2
|
|
629
|
-
scripted tool calls: 2
|
|
630
|
-
raw SQL exposed: no
|
|
631
|
-
approval separated: yes
|
|
632
|
-
stale-row conflict checked: yes
|
|
705
|
+
What did the agent see and do for invoice INV-3001?
|
|
633
706
|
```
|
|
634
707
|
|
|
635
|
-
|
|
636
|
-
not a model billing tokenizer and not a universal token-savings claim.
|
|
637
|
-
|
|
638
|
-
## Find Evidence And Replay
|
|
639
|
-
|
|
640
|
-
The commands in this section require this checkout or an alpha package that
|
|
641
|
-
includes the local-ledger CLI surface.
|
|
642
|
-
|
|
643
|
-
The runner stores a local SQLite evidence/replay ledger. Search it without
|
|
644
|
-
relying on `latest`:
|
|
708
|
+
Search the local activity ledger:
|
|
645
709
|
|
|
646
710
|
```bash
|
|
647
711
|
synapsor-runner activity search --tenant acme --object invoice:INV-3001
|
|
712
|
+
synapsor-runner activity search --capability billing.propose_late_fee_waiver --from 2026-06-01 --to 2026-06-23
|
|
648
713
|
synapsor-runner events tail --store ./.synapsor/local.db
|
|
649
714
|
synapsor-runner events webhook --url http://127.0.0.1:8788/synapsor/events --kind proposal_created --store ./.synapsor/local.db
|
|
715
|
+
```
|
|
716
|
+
|
|
717
|
+
Inspect the linked records:
|
|
718
|
+
|
|
719
|
+
```bash
|
|
650
720
|
synapsor-runner proposals list --tenant acme --object invoice:INV-3001 --status approved
|
|
651
721
|
synapsor-runner evidence show ev_...
|
|
652
722
|
synapsor-runner query-audit list --evidence ev_...
|
|
@@ -656,16 +726,17 @@ synapsor-runner replay show --proposal wrp_...
|
|
|
656
726
|
synapsor-runner replay show --replay replay_wrp_...
|
|
657
727
|
```
|
|
658
728
|
|
|
659
|
-
|
|
729
|
+
The default views answer what happened, whether the source DB changed, the
|
|
730
|
+
current status, and the next command to run. Add `--details` when you need
|
|
660
731
|
target URIs, primary keys, proposal hash/version, conflict guards, query
|
|
661
|
-
fingerprints, event timestamps,
|
|
732
|
+
fingerprints, event timestamps, or receipt internals.
|
|
662
733
|
|
|
663
|
-
Export
|
|
734
|
+
Export replay or evidence for review:
|
|
664
735
|
|
|
665
736
|
```bash
|
|
666
|
-
synapsor-runner evidence export ev_... --format markdown --output evidence.md
|
|
667
737
|
synapsor-runner replay export --proposal wrp_... --format json --output replay.json
|
|
668
738
|
synapsor-runner replay export --proposal wrp_... --format markdown --output replay.md
|
|
739
|
+
synapsor-runner evidence export ev_... --format markdown --output evidence.md
|
|
669
740
|
```
|
|
670
741
|
|
|
671
742
|
Create a redacted local diagnostic report:
|
|
@@ -690,16 +761,171 @@ synapsor-runner store reset --store ./.synapsor/local.db --yes
|
|
|
690
761
|
bridges, or app-local notifications. It POSTs one redacted local event envelope
|
|
691
762
|
per lifecycle event; it is not a hosted central ledger.
|
|
692
763
|
|
|
693
|
-
This is local indexed search for local/dev/staging usage. It is not
|
|
694
|
-
|
|
695
|
-
retention.
|
|
764
|
+
This is local indexed search for local/dev/staging usage. It is not a hosted
|
|
765
|
+
central ledger, not RBAC/SSO, not cross-runner search, and not compliance
|
|
766
|
+
retention. Synapsor Cloud is the upgrade path for central searchable audit,
|
|
767
|
+
team governance, retention, and production operations.
|
|
768
|
+
|
|
769
|
+
## Connect Claude, Cursor, Or Another MCP Client
|
|
770
|
+
|
|
771
|
+
Generate a local MCP client snippet:
|
|
772
|
+
|
|
773
|
+
```bash
|
|
774
|
+
synapsor-runner mcp config --config ./synapsor.runner.json --store ./.synapsor/local.db
|
|
775
|
+
```
|
|
776
|
+
|
|
777
|
+
Use a specific client shape when needed:
|
|
778
|
+
|
|
779
|
+
```bash
|
|
780
|
+
synapsor-runner mcp config cursor --config ./synapsor.runner.json --store ./.synapsor/local.db
|
|
781
|
+
synapsor-runner mcp config vscode --config ./synapsor.runner.json --store ./.synapsor/local.db
|
|
782
|
+
synapsor-runner mcp config generic --config ./synapsor.runner.json --store ./.synapsor/local.db
|
|
783
|
+
synapsor-runner mcp client-config --client openai-agents --config ./synapsor.runner.json --store ./.synapsor/local.db
|
|
784
|
+
```
|
|
785
|
+
|
|
786
|
+
The generated config references the local runner command. It does not include:
|
|
787
|
+
|
|
788
|
+
- database URL;
|
|
789
|
+
- database password;
|
|
790
|
+
- write credentials;
|
|
791
|
+
- approval tools;
|
|
792
|
+
- commit/apply tools.
|
|
793
|
+
|
|
794
|
+
## Sanity Check The Agent Connection
|
|
795
|
+
|
|
796
|
+
After you connect Claude, Cursor, OpenAI Agents SDK, or another MCP client, run
|
|
797
|
+
one tiny tool-call test before asking the agent to solve a real task.
|
|
798
|
+
|
|
799
|
+
First preview the tools Runner will expose:
|
|
800
|
+
|
|
801
|
+
```bash
|
|
802
|
+
synapsor-runner tools preview --config ./synapsor.runner.json --store ./.synapsor/local.db
|
|
803
|
+
```
|
|
804
|
+
|
|
805
|
+
For OpenAI-facing clients, preview the model-visible aliases:
|
|
806
|
+
|
|
807
|
+
```bash
|
|
808
|
+
synapsor-runner tools preview \
|
|
809
|
+
--config ./synapsor.runner.json \
|
|
810
|
+
--store ./.synapsor/local.db \
|
|
811
|
+
--alias-mode openai
|
|
812
|
+
```
|
|
813
|
+
|
|
814
|
+
Example:
|
|
815
|
+
|
|
816
|
+
```text
|
|
817
|
+
Exposed to MCP:
|
|
818
|
+
- billing__inspect_invoice -> billing.inspect_invoice
|
|
819
|
+
```
|
|
820
|
+
|
|
821
|
+
Then ask the agent:
|
|
822
|
+
|
|
823
|
+
```text
|
|
824
|
+
Use the Synapsor Runner MCP tool to inspect invoice INV-3001.
|
|
825
|
+
Do not answer from memory.
|
|
826
|
+
Return the tool name called, the evidence handle, and whether raw SQL was available.
|
|
827
|
+
```
|
|
828
|
+
|
|
829
|
+
For your own database, replace `invoice INV-3001` with one real object ID and
|
|
830
|
+
the semantic tool name from `tools preview`.
|
|
831
|
+
|
|
832
|
+
Expected result:
|
|
833
|
+
|
|
834
|
+
- the agent calls a Synapsor Runner tool such as `billing.inspect_invoice`;
|
|
835
|
+
- the response includes an evidence handle or local ledger reference;
|
|
836
|
+
- the agent says raw SQL/write/approval tools were not available.
|
|
837
|
+
|
|
838
|
+
If the agent gives generic advice, a freeform summary, or unrelated planning
|
|
839
|
+
text without a tool call or evidence handle, Runner is not in the loop yet. Fix
|
|
840
|
+
the MCP client config, restart the client, confirm trusted context environment
|
|
841
|
+
variables are set, and rerun `synapsor-runner tools preview`.
|
|
842
|
+
|
|
843
|
+
## What The Model Gets
|
|
844
|
+
|
|
845
|
+
The model gets reviewed semantic capabilities from `synapsor.runner.json`, for
|
|
846
|
+
example:
|
|
847
|
+
|
|
848
|
+
```text
|
|
849
|
+
billing.inspect_invoice
|
|
850
|
+
billing.propose_late_fee_waiver
|
|
851
|
+
support.inspect_ticket
|
|
852
|
+
support.propose_plan_credit
|
|
853
|
+
orders.inspect_order
|
|
854
|
+
orders.propose_status_change
|
|
855
|
+
```
|
|
856
|
+
|
|
857
|
+
These are business tools with trusted scope, visible fields, evidence rules,
|
|
858
|
+
proposal boundaries, and writeback guards.
|
|
859
|
+
|
|
860
|
+
## Fixture Benchmark
|
|
861
|
+
|
|
862
|
+
Run the included MCP efficiency fixture:
|
|
863
|
+
|
|
864
|
+
```bash
|
|
865
|
+
synapsor-runner benchmark mcp-efficiency
|
|
866
|
+
```
|
|
867
|
+
|
|
868
|
+
Current fixture result for the late-fee-waiver workflow:
|
|
869
|
+
|
|
870
|
+
```text
|
|
871
|
+
Generic database MCP reference:
|
|
872
|
+
exposed tools: 4
|
|
873
|
+
scripted tool calls: 5
|
|
874
|
+
raw SQL exposed: yes
|
|
875
|
+
approval separated: no
|
|
876
|
+
stale-row conflict checked: no
|
|
877
|
+
|
|
878
|
+
Synapsor Runner semantic path:
|
|
879
|
+
exposed tools: 2
|
|
880
|
+
scripted tool calls: 2
|
|
881
|
+
raw SQL exposed: no
|
|
882
|
+
approval separated: yes
|
|
883
|
+
stale-row conflict checked: yes
|
|
884
|
+
```
|
|
885
|
+
|
|
886
|
+
The fixture tokenizer is deterministic and repeatable for this repo. It is not
|
|
887
|
+
a model billing tokenizer and not a universal token-savings claim.
|
|
888
|
+
|
|
889
|
+
## Safe Write Examples
|
|
890
|
+
|
|
891
|
+
The disposable reference app includes three proposal-first write shapes:
|
|
892
|
+
|
|
893
|
+
- `billing.propose_late_fee_waiver`: waive a late fee after evidence and review.
|
|
894
|
+
- `support.propose_plan_credit`: propose a bounded customer credit for a support case.
|
|
895
|
+
- `orders.propose_status_change`: move an order through an allowlisted status transition.
|
|
896
|
+
|
|
897
|
+
Each tool creates evidence, a before/after diff, and a local proposal. The
|
|
898
|
+
source database is unchanged until approval outside MCP and guarded writeback.
|
|
899
|
+
|
|
900
|
+
## What The Model Never Gets
|
|
901
|
+
|
|
902
|
+
Synapsor Runner does not expose:
|
|
903
|
+
|
|
904
|
+
```text
|
|
905
|
+
execute_sql
|
|
906
|
+
raw_sql
|
|
907
|
+
query_database
|
|
908
|
+
database URLs
|
|
909
|
+
write credentials
|
|
910
|
+
approval tools
|
|
911
|
+
commit/apply tools
|
|
912
|
+
arbitrary table names
|
|
913
|
+
arbitrary column names
|
|
914
|
+
model-controlled tenant authority
|
|
915
|
+
direct write access
|
|
916
|
+
```
|
|
917
|
+
|
|
918
|
+
Approval and writeback stay outside the model-facing MCP tool surface.
|
|
696
919
|
|
|
697
920
|
## App-Owned Writeback
|
|
698
921
|
|
|
699
|
-
|
|
700
|
-
your application service already owns business writes,
|
|
701
|
-
`http_handler` or `command_handler` executor.
|
|
702
|
-
|
|
922
|
+
Direct guarded DB writeback is useful for local/staging demos and simple
|
|
923
|
+
single-row updates. If your application service already owns business writes,
|
|
924
|
+
configure an `http_handler` or `command_handler` executor instead.
|
|
925
|
+
|
|
926
|
+
The flow stays the same: model-facing MCP creates a proposal, approval happens
|
|
927
|
+
outside MCP, Synapsor Runner sends an approved job to your app handler, and the
|
|
928
|
+
handler returns an applied/conflict/failed receipt for replay.
|
|
703
929
|
|
|
704
930
|
> **Important:** your app handler owns the final business write. Runner creates
|
|
705
931
|
> the proposal and calls your handler only after approval, but your handler must
|
|
@@ -708,10 +934,17 @@ MCP, and the handler returns an applied/conflict/failed receipt for replay.
|
|
|
708
934
|
> error receipts. If you skip those checks, you can reintroduce cross-tenant
|
|
709
935
|
> writes, lost updates, or duplicate writes. Keep handler credentials out of MCP.
|
|
710
936
|
|
|
711
|
-
|
|
712
|
-
|
|
713
|
-
|
|
714
|
-
|
|
937
|
+
Details: [docs/writeback-executors.md](docs/writeback-executors.md). Starter
|
|
938
|
+
handlers live in [examples/app-owned-writeback](examples/app-owned-writeback).
|
|
939
|
+
The runner npm package includes handler templates and the
|
|
940
|
+
`examples/mcp-postgres-billing-app-handler/synapsor-handler.mjs` bundled helper
|
|
941
|
+
shim. These show bearer/HMAC auth, tenant scope, expected-version guards,
|
|
942
|
+
idempotency, transaction rollback, and safe receipts around your business
|
|
943
|
+
effect. There is no separate handler package to install.
|
|
944
|
+
The full Postgres billing example in
|
|
945
|
+
[examples/mcp-postgres-billing-app-handler](examples/mcp-postgres-billing-app-handler)
|
|
946
|
+
shows `billing.propose_account_credit` creating a proposal first, then inserting
|
|
947
|
+
an `account_credits` row through an app-owned HTTP handler after approval.
|
|
715
948
|
You can also generate a starter handler directly:
|
|
716
949
|
|
|
717
950
|
```bash
|
|
@@ -726,16 +959,221 @@ needs permission for that receipt table or an administrator must pre-create and
|
|
|
726
959
|
grant it. Use app-owned handlers when you do not want Runner creating receipt
|
|
727
960
|
tables in your application schema.
|
|
728
961
|
|
|
729
|
-
##
|
|
962
|
+
## Safety Model
|
|
963
|
+
|
|
964
|
+
```text
|
|
965
|
+
MCP client
|
|
966
|
+
-> Synapsor Runner
|
|
967
|
+
-> semantic capability
|
|
968
|
+
-> trusted tenant/principal context
|
|
969
|
+
-> scoped DB read
|
|
970
|
+
-> evidence-backed proposal
|
|
971
|
+
-> approval outside MCP
|
|
972
|
+
-> guarded writeback
|
|
973
|
+
-> receipt and replay
|
|
974
|
+
```
|
|
975
|
+
|
|
976
|
+
Current boundaries:
|
|
977
|
+
|
|
978
|
+
- no generic SQL tools;
|
|
979
|
+
- no model-facing approval or apply tools;
|
|
980
|
+
- tenant/principal scoping is enforced;
|
|
981
|
+
- allowed columns are enforced;
|
|
982
|
+
- primary-key targeting is required;
|
|
983
|
+
- conflict/version guards are available;
|
|
984
|
+
- idempotency keys are used;
|
|
985
|
+
- affected row count is checked;
|
|
986
|
+
- direct DB writeback is limited to guarded single-row `UPDATE`.
|
|
987
|
+
|
|
988
|
+
## Safety Checks It Catches
|
|
989
|
+
|
|
990
|
+
After the happy path, use the demo and tests to inspect failure cases:
|
|
991
|
+
|
|
992
|
+
- stale-row conflict;
|
|
993
|
+
- missing tenant context;
|
|
994
|
+
- disallowed write column;
|
|
995
|
+
- model-facing commit or approval tool;
|
|
996
|
+
- arbitrary SQL tool.
|
|
997
|
+
|
|
998
|
+
The important stale-row case:
|
|
999
|
+
|
|
1000
|
+
```text
|
|
1001
|
+
The row changed after the agent saw it.
|
|
1002
|
+
Result: conflict
|
|
1003
|
+
Source DB changed by Synapsor: no
|
|
1004
|
+
```
|
|
1005
|
+
|
|
1006
|
+
Conflict handling is a safety check, not the first demo payoff.
|
|
1007
|
+
|
|
1008
|
+
## Local Features
|
|
1009
|
+
|
|
1010
|
+
| Feature | Runner version |
|
|
1011
|
+
| --- | --- |
|
|
1012
|
+
| Context bindings | Trusted tenant/principal from env, static dev config, HTTP claims, or cloud session |
|
|
1013
|
+
| Capabilities | Local semantic MCP tools from `synapsor.runner.json` |
|
|
1014
|
+
| Evidence | Local evidence bundles and query audit records |
|
|
1015
|
+
| Proposals | Local before/after change sets |
|
|
1016
|
+
| Approval | Local CLI/UI approval outside MCP |
|
|
1017
|
+
| Writeback | Guarded single-row `UPDATE` for Postgres/MySQL |
|
|
1018
|
+
| Replay | Local replay of proposal, evidence, events, receipts, and query audit |
|
|
1019
|
+
| MCP audit | Static risk review for MCP database tools |
|
|
1020
|
+
|
|
1021
|
+
The runner intentionally does not include full Synapsor Cloud/DBMS features such
|
|
1022
|
+
as workflow DAGs, native branches, time travel, settlement policies, governed
|
|
1023
|
+
memory, RBAC/SSO, hosted evidence ledger, managed runners, CDC, or C++ DBMS
|
|
1024
|
+
internals.
|
|
1025
|
+
|
|
1026
|
+
## Local Runner Vs Synapsor Cloud
|
|
1027
|
+
|
|
1028
|
+
| Need | Synapsor Runner | Synapsor Cloud |
|
|
1029
|
+
| --- | --- | --- |
|
|
1030
|
+
| Local MCP server | Yes | Managed |
|
|
1031
|
+
| Local trusted context bindings | Yes | Org/session integrated |
|
|
1032
|
+
| Local semantic capabilities | Yes | Hosted registry + versioning |
|
|
1033
|
+
| Local evidence/proposal/replay | Yes | Central searchable ledger |
|
|
1034
|
+
| Local approval | CLI/UI | Multi-user approvals |
|
|
1035
|
+
| Writeback | Guarded single-row `UPDATE` | Managed production orchestration |
|
|
1036
|
+
| MCP risk audit | Static/local | Continuous/org-wide |
|
|
1037
|
+
| RBAC/SSO | No | Yes |
|
|
1038
|
+
| Policy packs | No/basic | Yes |
|
|
1039
|
+
| Workflow builder | No | Yes |
|
|
1040
|
+
| Native branches/time travel | No | Yes |
|
|
1041
|
+
| Settlement policies | No | Yes |
|
|
1042
|
+
| Compliance exports | No | Yes |
|
|
1043
|
+
| Production support/SLA | No | Yes |
|
|
1044
|
+
|
|
1045
|
+
The runner is useful by itself for local/staging safety. Synapsor Cloud is for
|
|
1046
|
+
teams, production governance, central audit, managed runners, enterprise
|
|
1047
|
+
controls, and proprietary Synapsor platform features.
|
|
1048
|
+
|
|
1049
|
+
## Current Limitations
|
|
1050
|
+
|
|
1051
|
+
Supported in the current alpha:
|
|
1052
|
+
|
|
1053
|
+
- stdio MCP server;
|
|
1054
|
+
- authenticated HTTP MCP server for app/server deployments;
|
|
1055
|
+
- Postgres/MySQL inspection;
|
|
1056
|
+
- semantic read tools;
|
|
1057
|
+
- evidence-backed proposals;
|
|
1058
|
+
- local approval outside MCP;
|
|
1059
|
+
- guarded single-row `UPDATE`;
|
|
1060
|
+
- local SQLite evidence/proposal/replay store;
|
|
1061
|
+
- tenant, primary-key, allowed-column, idempotency, and conflict guards;
|
|
1062
|
+
- static MCP risk audit.
|
|
1063
|
+
|
|
1064
|
+
Not supported:
|
|
1065
|
+
|
|
1066
|
+
- raw `execute_sql`;
|
|
1067
|
+
- model-generated SQL;
|
|
1068
|
+
- DDL;
|
|
1069
|
+
- INSERT;
|
|
1070
|
+
- DELETE;
|
|
1071
|
+
- UPSERT;
|
|
1072
|
+
- multi-row writes;
|
|
1073
|
+
- stored procedures;
|
|
1074
|
+
- physical branching of external Postgres/MySQL;
|
|
1075
|
+
- full Synapsor workflow DAG execution;
|
|
1076
|
+
- `CREATE AGENT WORKFLOW`;
|
|
1077
|
+
- Synapsor SQL generation;
|
|
1078
|
+
- auto-merge or settlement-policy semantics;
|
|
1079
|
+
- model-callable approval or commit tools;
|
|
1080
|
+
- general prompt-injection prevention;
|
|
1081
|
+
- production SLA or compliance certification.
|
|
1082
|
+
|
|
1083
|
+
Complete limits: [docs/limitations.md](docs/limitations.md).
|
|
1084
|
+
|
|
1085
|
+
Security boundary: [docs/security-boundary.md](docs/security-boundary.md).
|
|
1086
|
+
|
|
1087
|
+
Release notes and stable-tag policy:
|
|
1088
|
+
[docs/release-notes.md](docs/release-notes.md).
|
|
1089
|
+
|
|
1090
|
+
## Stable Compatibility Promise
|
|
1091
|
+
|
|
1092
|
+
Starting with `0.1.0`, Synapsor Runner keeps the following surfaces compatible
|
|
1093
|
+
through the `0.1.x` line unless a release note explicitly marks a deprecation
|
|
1094
|
+
first:
|
|
1095
|
+
|
|
1096
|
+
- the `synapsor-runner` binary name and README quickstart commands;
|
|
1097
|
+
- `synapsor.runner.json` schema version `1` for documented fields;
|
|
1098
|
+
- result envelope v2 for new configs, with the documented v1 opt-out;
|
|
1099
|
+
- stdio MCP and Streamable HTTP MCP command surfaces;
|
|
1100
|
+
- generated MCP client snippets for documented clients;
|
|
1101
|
+
- proposal, approval, guarded writeback, receipt, evidence, query-audit, and
|
|
1102
|
+
replay inspection commands;
|
|
1103
|
+
- direct SQL writeback and app-owned executor contracts documented in this
|
|
1104
|
+
README and `docs/writeback-executors.md`.
|
|
1105
|
+
|
|
1106
|
+
Stable does not mean production SLA, hosted Cloud features, compliance
|
|
1107
|
+
certification, physical Postgres/MySQL branching, generic SQL writeback, or
|
|
1108
|
+
support for undocumented local SQLite internals. Those limits remain explicit
|
|
1109
|
+
in [docs/limitations.md](docs/limitations.md).
|
|
1110
|
+
|
|
1111
|
+
## License
|
|
1112
|
+
|
|
1113
|
+
Synapsor Runner is open source under the Apache License 2.0 (`Apache-2.0`).
|
|
1114
|
+
|
|
1115
|
+
Apache-2.0 applies to this runner repo. It does not grant rights to the
|
|
1116
|
+
Synapsor name, logo, hosted cloud service, or proprietary Synapsor platform
|
|
1117
|
+
features. See [docs/licensing.md](docs/licensing.md) and
|
|
1118
|
+
[TRADEMARKS.md](TRADEMARKS.md).
|
|
1119
|
+
|
|
1120
|
+
Synapsor Cloud, hosted governance, managed runners, advanced policy/workflow
|
|
1121
|
+
engines, enterprise controls, and native Synapsor DBMS/C++ internals remain
|
|
1122
|
+
proprietary.
|
|
1123
|
+
|
|
1124
|
+
## Developer And Contributor Commands
|
|
1125
|
+
|
|
1126
|
+
Public docs use `synapsor-runner`. During source-checkout development, if the
|
|
1127
|
+
global binary is not linked yet, use `./bin/synapsor-runner ...` or
|
|
1128
|
+
`corepack pnpm runner ...`.
|
|
1129
|
+
|
|
1130
|
+
Helper scripts are wrappers and development conveniences, not the main product
|
|
1131
|
+
interface:
|
|
1132
|
+
|
|
1133
|
+
```bash
|
|
1134
|
+
./scripts/try-synapsor.sh
|
|
1135
|
+
./scripts/demo-docker.sh
|
|
1136
|
+
./scripts/open-demo-ui.sh
|
|
1137
|
+
./scripts/use-your-db.sh
|
|
1138
|
+
./scripts/mcp-config.sh
|
|
1139
|
+
```
|
|
1140
|
+
|
|
1141
|
+
Contributor checks:
|
|
1142
|
+
|
|
1143
|
+
```bash
|
|
1144
|
+
corepack pnpm install
|
|
1145
|
+
./scripts/verify-release-gate.sh
|
|
1146
|
+
```
|
|
1147
|
+
|
|
1148
|
+
After a manual alpha publish, verify the public npm package:
|
|
1149
|
+
|
|
1150
|
+
```bash
|
|
1151
|
+
VERIFY_PUBLISHED_ALPHA=1 ./scripts/verify-release-gate.sh 0.1.0-alpha.17
|
|
1152
|
+
```
|
|
1153
|
+
|
|
1154
|
+
After a manual stable publish/promotion, verify `latest`:
|
|
1155
|
+
|
|
1156
|
+
```bash
|
|
1157
|
+
./scripts/verify-published-stable.sh 0.1.0
|
|
1158
|
+
```
|
|
1159
|
+
|
|
1160
|
+
## Repository Map
|
|
730
1161
|
|
|
731
|
-
|
|
732
|
-
|
|
1162
|
+
- `apps/runner`: CLI entrypoint and local UI.
|
|
1163
|
+
- `packages/mcp-server`: stdio/HTTP MCP server and configured tool runtime.
|
|
1164
|
+
- `packages/schema-inspector`: Postgres/MySQL metadata inspection and config generation.
|
|
1165
|
+
- `packages/proposal-store`: local SQLite evidence/proposal/replay store.
|
|
1166
|
+
- `packages/postgres`, `packages/mysql`: guarded writeback adapters.
|
|
1167
|
+
- `packages/worker-core`: shared runner orchestration.
|
|
1168
|
+
- `recipes`: optional starter contracts.
|
|
1169
|
+
- `examples`: disposable local demos and reference app.
|
|
1170
|
+
- `docs`: focused setup, MCP, security, troubleshooting, and limitation docs.
|
|
733
1171
|
|
|
734
|
-
##
|
|
1172
|
+
## Community
|
|
735
1173
|
|
|
736
|
-
|
|
737
|
-
Synapsor DBMS, not a physical branch engine for Postgres/MySQL, and not a
|
|
738
|
-
general MCP security platform.
|
|
1174
|
+
Synapsor Runner is maintained by Synapsor.
|
|
739
1175
|
|
|
740
|
-
|
|
741
|
-
|
|
1176
|
+
- Website: https://synapsor.ai
|
|
1177
|
+
- Docs: https://synapsor.ai/docs
|
|
1178
|
+
- License: Apache License 2.0 (`Apache-2.0`)
|
|
1179
|
+
- Issues: use GitHub Issues
|