@synapsor/runner 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -1,11 +1,32 @@
1
1
  # Synapsor Runner
2
2
 
3
- Safe database tools for AI agents.
3
+ [![npm version](https://img.shields.io/npm/v/@synapsor/runner.svg)](https://www.npmjs.com/package/@synapsor/runner)
4
+ [![license: Apache-2.0](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](LICENSE)
5
+ [![ci](https://github.com/synapsor-ai/synapsor-runner/actions/workflows/ci.yml/badge.svg)](https://github.com/synapsor-ai/synapsor-runner/actions/workflows/ci.yml)
4
6
 
5
- Turn Postgres/MySQL into reviewed MCP capabilities, not raw SQL. Synapsor
6
- Runner lets an MCP agent inspect scoped data and request database-backed
7
- business actions without receiving raw SQL, write credentials, approval tools,
8
- or commit tools.
7
+ Stop giving AI agents `execute_sql()`. Give them reviewed business actions.
8
+
9
+ Synapsor Runner is an Open-source MCP safety layer for Postgres and MySQL. It
10
+ sits between Claude, Cursor, OpenAI Agents SDK, or another MCP client and your
11
+ database so the model can inspect scoped data and propose changes without
12
+ receiving raw SQL, write credentials, approval tools, or commit authority.
13
+
14
+ ```text
15
+ Without Synapsor:
16
+ agent -> execute_sql("UPDATE invoices SET late_fee_cents = 0 ...")
17
+ # raw write path, model-controlled scope, easy tenant mistake
18
+
19
+ With Synapsor Runner:
20
+ agent -> billing.propose_late_fee_waiver(invoice_id, reason)
21
+ # proposal only
22
+ human approves -> guarded writeback applies exactly one change
23
+ ```
24
+
25
+ Try the no-database quick demo:
26
+
27
+ ```bash
28
+ npx @synapsor/runner demo --quick
29
+ ```
9
30
 
10
31
  ## The Five-Line Model
11
32
 
@@ -15,60 +36,6 @@ It can suggest: saved proposals with evidence and exact diffs.
15
36
  It cannot commit: approval and writeback happen outside the model-facing tool.
16
37
  After writeback, Runner keeps receipts and replay so you can inspect what happened.
17
38
 
18
- ## Four Terms
19
-
20
- - Capability: a tool you define in config, such as `billing.inspect_invoice`
21
- or `billing.propose_late_fee_waiver`. The agent only sees capabilities.
22
- - Proposal: the agent's suggested database-backed change. It is saved, not
23
- applied.
24
- - Writeback: the moment an approved proposal actually changes the database.
25
- - Executor: your app's writeback handler for anything richer than a guarded
26
- one-row update.
27
-
28
- You install only `@synapsor/runner`. There is no separate handler package to
29
- install. A handler is your app's endpoint or script for rich approved writes;
30
- Runner includes templates and examples to help you build one.
31
-
32
- ## Who Does What
33
-
34
- You write the config: sources, trusted context, capabilities, visible fields,
35
- proposal fields, and guards. For rich writes, you also write a small handler.
36
-
37
- Synapsor Runner serves the MCP tools, stores evidence/proposals/receipts,
38
- enforces tenant, column, version, and idempotency guards, routes writeback, and
39
- keeps the replay log. You do not rebuild the safety loop yourself.
40
-
41
- ## The Writeback Rule
42
-
43
- One-row update to an existing row: Runner can do guarded direct writeback.
44
- Anything else, such as inserting a row, touching two tables, or emitting an
45
- event: your app-owned executor does it after approval.
46
-
47
- ## How An External Handler Works
48
-
49
- Some changes are too rich for Runner's one-row writeback: insert a credit row,
50
- touch two tables, or emit an event. For those, you run a small endpoint. The
51
- flow is:
52
-
53
- ```text
54
- agent proposes
55
- -> human approves outside MCP
56
- -> Runner POSTs the approved change to your endpoint
57
- -> your code writes it in its own transaction and returns a receipt
58
- ```
59
-
60
- The model never touches this code. You are the last line of defense: Runner
61
- hands you the tenant, expected row version, and idempotency key, and your
62
- handler must re-check all three. Skipping those checks reintroduces
63
- cross-tenant writes, lost updates, or duplicate writes. Start from
64
- `synapsor-runner handler template ...` instead of hand-rolling the safety checks.
65
-
66
- ## Deliberate Limits
67
-
68
- Runner does not expose raw SQL, write credentials, approval tools, or commit
69
- tools to the model. Direct Runner writeback does not do generic `INSERT`,
70
- `DELETE`, `UPSERT`, DDL, or multi-row SQL. Those are app-owned executor jobs.
71
-
72
39
  ```text
73
40
  AI agent or MCP client
74
41
  (Claude, Cursor, OpenAI Agents SDK, LangGraph)
@@ -97,23 +64,13 @@ Your database stays the source of truth. Synapsor Runner owns the
97
64
  model-facing boundary: what the agent can read, what it can propose, what
98
65
  evidence is saved, and what can later be reviewed or replayed.
99
66
 
100
- ## What Runner Does
101
-
102
- When an agent uses Runner:
103
-
104
- - the model gets reviewed capabilities, not raw database authority;
105
- - reads produce evidence handles and query audit;
106
- - writes become proposals, not direct mutations;
107
- - approval and writeback happen outside the model-facing MCP surface;
108
- - replay shows what the agent saw, proposed, and what was applied or blocked.
109
-
110
67
  ## Start Here
111
68
 
112
69
  Run the guided quick demo first. It does not require Docker, a database, a
113
70
  config file, an MCP client, or a Synapsor Cloud account.
114
71
 
115
72
  ```bash
116
- npx -y -p @synapsor/runner synapsor-runner demo --quick
73
+ npx @synapsor/runner demo --quick
117
74
  ```
118
75
 
119
76
  In a terminal, it walks through the safety model step by step. In CI, piped
@@ -125,41 +82,122 @@ It does not prove database connectivity. It shows the proposal, evidence, and
125
82
  replay flow without giving the runner a database URL.
126
83
 
127
84
  ```bash
128
- npx -y -p @synapsor/runner synapsor-runner demo inspect
85
+ npx @synapsor/runner demo inspect
129
86
  ```
130
87
 
131
- Human output is concise by default. Use `--details` for reviewer metadata or
132
- `--json` for complete machine-readable records.
88
+ Then choose one path:
133
89
 
134
- Useful quick-demo modes:
90
+ ```text
91
+ Full disposable proof -> npx -y -p @synapsor/runner synapsor-runner demo
92
+ Inspect MCP risk -> npx -y -p @synapsor/runner synapsor-runner audit --example dangerous-db-mcp
93
+ ```
94
+
95
+ ## Connect Your Postgres Or MySQL
96
+
97
+ Use a staging or disposable database first:
135
98
 
136
99
  ```bash
137
- synapsor-runner demo --quick --guided
138
- synapsor-runner demo --quick --no-interactive
139
- synapsor-runner demo --quick --details
140
- synapsor-runner demo inspect --npx
100
+ export DATABASE_URL="postgres://readonly:...@localhost:5432/app"
101
+ npx -y -p @synapsor/runner synapsor-runner start --from-env DATABASE_URL
141
102
  ```
142
103
 
143
- Then choose one path:
104
+ The first-run path is:
144
105
 
145
106
  ```text
146
- Full disposable proof -> npx -y -p @synapsor/runner synapsor-runner demo
147
- Your own staging DB -> export DATABASE_URL=... then run the inspect command below
148
- MCP risk review -> npx -y -p @synapsor/runner synapsor-runner audit --example dangerous-db-mcp
107
+ 1. Inspect schema and generate a reviewed config with start/init/onboard.
108
+ 2. Run tools preview to confirm no raw SQL or write credentials are exposed.
109
+ 3. Run smoke call against one generated inspect tool.
110
+ 4. Start review mode with up --serve or mcp serve.
111
+ 5. Inspect, propose, approve, apply, and replay from the local ledger.
112
+ ```
113
+
114
+ Useful commands after setup:
115
+
116
+ ```bash
117
+ synapsor-runner tools preview --config ./synapsor.runner.json --store ./.synapsor/local.db
118
+ synapsor-runner smoke call --config ./synapsor.runner.json --store ./.synapsor/local.db
119
+ synapsor-runner up --serve --config ./synapsor.runner.json --store ./.synapsor/local.db
149
120
  ```
150
121
 
151
- For your own database, do this before wiring Claude, Cursor, OpenAI Agents SDK,
152
- or another MCP client:
122
+ ## What Runner Does
123
+
124
+ When an agent uses Runner:
125
+
126
+ - the model gets reviewed capabilities, not raw database authority;
127
+ - reads produce evidence handles and query audit;
128
+ - writes become proposals, not direct mutations;
129
+ - approval and writeback happen outside the model-facing MCP surface;
130
+ - replay shows what the agent saw, proposed, and what was applied or blocked.
131
+
132
+ ## Four Terms
133
+
134
+ - Capability: a tool you define in config, such as `billing.inspect_invoice`
135
+ or `billing.propose_late_fee_waiver`. The agent only sees capabilities.
136
+ - Proposal: the agent's suggested database-backed change. It is saved, not
137
+ applied.
138
+ - Writeback: the moment an approved proposal actually changes the database.
139
+ - Executor: your app's writeback handler for anything richer than a guarded
140
+ one-row update.
141
+
142
+ You install only `@synapsor/runner`. There is no separate handler package to
143
+ install. A handler is your app's endpoint or script for rich approved writes;
144
+ Runner includes templates and examples to help you build one.
145
+
146
+ ## Who Does What
147
+
148
+ You write the config: sources, trusted context, capabilities, visible fields,
149
+ proposal fields, and guards. For rich writes, you also write a small handler.
150
+
151
+ Synapsor Runner serves the MCP tools, stores evidence/proposals/receipts,
152
+ enforces tenant, column, version, and idempotency guards, routes writeback, and
153
+ keeps the replay log. You do not rebuild the safety loop yourself.
154
+
155
+ ## The Writeback Rule
156
+
157
+ One-row update to an existing row: Runner can do guarded direct writeback.
158
+ Anything else, such as inserting a row, touching two tables, or emitting an
159
+ event: your app-owned executor does it after approval.
160
+
161
+ ## How An External Handler Works
162
+
163
+ Some changes are too rich for Runner's one-row writeback: insert a credit row,
164
+ touch two tables, or emit an event. For those, you run a small endpoint. The
165
+ flow is:
153
166
 
154
167
  ```text
155
- 1. Generate the config with start/init/onboard.
156
- 2. Run tools preview to confirm no raw SQL or write credentials are exposed.
157
- 3. Run smoke call against one generated inspect tool.
158
- 4. Only then run up --serve or mcp serve.
168
+ agent proposes
169
+ -> human approves outside MCP
170
+ -> Runner POSTs the approved change to your endpoint
171
+ -> your code writes it in its own transaction and returns a receipt
172
+ ```
173
+
174
+ The model never touches this code. You are the last line of defense: Runner
175
+ hands you the tenant, expected row version, and idempotency key, and your
176
+ handler must re-check all three. Skipping those checks reintroduces
177
+ cross-tenant writes, lost updates, or duplicate writes. Start from
178
+ `synapsor-runner handler template ...` instead of hand-rolling the safety checks.
179
+
180
+ ## Deliberate Limits
181
+
182
+ Runner does not expose raw SQL, write credentials, approval tools, or commit
183
+ tools to the model. Direct Runner writeback does not do generic `INSERT`,
184
+ `DELETE`, `UPSERT`, DDL, or multi-row SQL. Those are app-owned executor jobs.
185
+
186
+ ## Command Name
187
+
188
+ ```bash
189
+ npm install -g @synapsor/runner
190
+ synapsor-runner demo --quick
159
191
  ```
160
192
 
161
193
  `synapsor-runner` is the public command for this OSS runner. `synapsor` is
162
- reserved for the Synapsor Cloud CLI.
194
+ reserved for the Synapsor Cloud CLI. If you install the package globally, you
195
+ can drop the `npx -y -p @synapsor/runner` prefix.
196
+
197
+ Contributor note: during development, test local changes with
198
+ `./bin/synapsor-runner ...` or a packed tarball. `npx -p @synapsor/runner ...`
199
+ only tests the currently published package, not unpublished local source
200
+ changes.
163
201
 
164
202
  Authoring reference:
165
203
 
@@ -171,7 +209,7 @@ Authoring reference:
171
209
  - [JSON Schema](schemas/synapsor.runner.schema.json): editor validation for
172
210
  `synapsor.runner.json`.
173
211
 
174
- ## Current Alpha Details
212
+ ## Operational Details
175
213
 
176
214
  These are current alpha requirements, not hidden behavior:
177
215
 
@@ -206,12 +244,64 @@ These are current alpha requirements, not hidden behavior:
206
244
  `synapsor-runner doctor --config synapsor.runner.json --check-handlers` to
207
245
  check handler env vars and network reachability without applying a proposal.
208
246
 
247
+ ## Run The Full Disposable Demo
248
+
249
+ The full demo requires Docker. It starts a disposable local Postgres-backed app
250
+ and proves the proposal-first write path:
251
+
252
+ ```bash
253
+ npx -y -p @synapsor/runner synapsor-runner demo
254
+ ```
255
+
256
+ After the demo prints its generated config and store path, run the happy path it
257
+ prints. The shape is:
258
+
259
+ ```bash
260
+ synapsor-runner propose billing.propose_late_fee_waiver --sample
261
+ synapsor-runner proposals show latest
262
+ synapsor-runner proposals approve latest --yes
263
+ synapsor-runner apply latest
264
+ synapsor-runner replay show latest
265
+ synapsor-runner replay show latest --details
266
+ ```
267
+
268
+ What you should see:
269
+
270
+ ```text
271
+ Agent called:
272
+ billing.propose_late_fee_waiver
273
+
274
+ Proposal created:
275
+ invoice.late_fee_cents
276
+ 5500 -> 0
277
+
278
+ Source DB changed:
279
+ no
280
+
281
+ Approval:
282
+ required outside MCP
283
+
284
+ After approval:
285
+ guarded writeback applied
286
+
287
+ Replay:
288
+ saved
289
+ ```
290
+
291
+ That is the core point: the model can ask for a database-backed business
292
+ change, but durable state changes only after reviewed approval and guarded
293
+ writeback.
294
+
209
295
  ## Connect Your Own Staging Database
210
296
 
211
- Put a read-only connection string in the environment:
297
+ Use this after the quick demo makes sense. Start with staging, a disposable
298
+ database, or a least-privilege view. Do not start with your most sensitive
299
+ production database.
300
+
301
+ Put the read-only connection string in an environment variable:
212
302
 
213
303
  ```bash
214
- export DATABASE_URL="postgresql://readonly_user:password@localhost:5432/app"
304
+ export DATABASE_URL="postgresql://readonly_user:password@host:5432/app?sslmode=require"
215
305
  ```
216
306
 
217
307
  For disposable dev RDS fixtures only, use `sslmode=no-verify` if your local
@@ -238,20 +328,6 @@ call immediately and stores the evidence/query audit in the local ledger. If
238
328
  those env vars are missing, it prints the exact command to run after you set
239
329
  them from `.env.example`.
240
330
 
241
- The end-to-end shape is:
242
-
243
- ```text
244
- 1. Put your read-only DB URL in DATABASE_URL.
245
- 2. Run start --from-env DATABASE_URL.
246
- 3. Choose one table/view and the safe fields agents may see.
247
- 4. Preview the generated capabilities.
248
- 5. Serve them over MCP to Claude, Cursor, OpenAI Agents SDK, or your app.
249
- 6. For writes, approve a proposal outside MCP before writeback.
250
- ```
251
-
252
- The generated config is just the safety contract. A small reviewed version
253
- looks like this:
254
-
255
331
  Bring the generated review-mode workspace up with one command:
256
332
 
257
333
  ```bash
@@ -301,6 +377,20 @@ so `config validate` does not warn that direct SQL writeback is disabled.
301
377
  You can also pass `--answers ./answers.json --yes` for a fully declarative
302
378
  setup file.
303
379
 
380
+ The end-to-end shape is:
381
+
382
+ ```text
383
+ 1. Put your read-only DB URL in DATABASE_URL.
384
+ 2. Run start --from-env DATABASE_URL.
385
+ 3. Choose one table/view and the safe fields agents may see.
386
+ 4. Preview the generated capabilities.
387
+ 5. Serve them over MCP to Claude, Cursor, OpenAI Agents SDK, or your app.
388
+ 6. For writes, approve a proposal outside MCP before writeback.
389
+ ```
390
+
391
+ The generated config is just the safety contract. A small reviewed version
392
+ looks like this:
393
+
304
394
  ```json
305
395
  {
306
396
  "version": 1,
@@ -371,6 +461,17 @@ The agent sees `billing.inspect_invoice` and
371
461
  `billing.propose_late_fee_waiver`. It does not see the database URL, writer
372
462
  credential, raw SQL, approval command, or commit command.
373
463
 
464
+ Prefer the step-by-step commands if you want to inspect each stage manually:
465
+
466
+ ```bash
467
+ npx -y -p @synapsor/runner synapsor-runner inspect \
468
+ --engine auto \
469
+ --from-env DATABASE_URL \
470
+ --schema public
471
+
472
+ npx -y -p @synapsor/runner synapsor-runner init --wizard --from-env DATABASE_URL --mode read_only
473
+ ```
474
+
374
475
  The wizard creates this local flow:
375
476
 
376
477
  ```text
@@ -380,45 +481,55 @@ trusted context -> capability -> MCP tool
380
481
  It asks which table/view backs the context, which tenant/scope column and
381
482
  backend session env vars are trusted, which fields are visible, and what
382
483
  semantic capability name to expose. Before writing files, it shows a final
383
- preview and lets you revise visible fields or capability names.
484
+ preview and lets you revise visible fields or capability names. It writes
485
+ `synapsor.runner.json`, `.env.example`, and MCP client snippets. It does not put
486
+ your database URL in the MCP client config.
487
+
488
+ Preview the tools:
384
489
 
385
490
  ```bash
386
- npx -y -p @synapsor/runner synapsor-runner init \
387
- --wizard \
388
- --engine auto \
389
- --from-env DATABASE_URL \
390
- --schema public \
391
- --mode read_only
491
+ npx -y -p @synapsor/runner synapsor-runner tools preview \
492
+ --config ./synapsor.runner.json \
493
+ --store ./.synapsor/local.db
392
494
  ```
393
495
 
394
- Preview and serve the semantic tools:
496
+ Call one generated tool locally before wiring an MCP client:
395
497
 
396
498
  ```bash
397
- npx -y -p @synapsor/runner synapsor-runner tools preview \
499
+ npx -y -p @synapsor/runner synapsor-runner smoke call \
500
+ <generated.inspect_tool_name> \
501
+ --input ./.synapsor/smoke-input.json \
398
502
  --config ./synapsor.runner.json \
399
503
  --store ./.synapsor/local.db
504
+ ```
505
+
506
+ `smoke call` uses the same runtime as MCP, records evidence/query audit or a
507
+ proposal in the local store, and then prints the evidence/proposal/replay
508
+ commands to inspect what happened. If you skipped the optional smoke input in
509
+ the wizard, pass one real row id instead:
400
510
 
511
+ ```bash
401
512
  npx -y -p @synapsor/runner synapsor-runner smoke call \
402
513
  <generated.inspect_tool_name> \
403
- --input ./.synapsor/smoke-input.json \
514
+ --json '{"<lookup_arg>":"<real_id>"}' \
404
515
  --config ./synapsor.runner.json \
405
516
  --store ./.synapsor/local.db
517
+ ```
406
518
 
519
+ Serve the semantic MCP tools locally:
520
+
521
+ ```bash
407
522
  npx -y -p @synapsor/runner synapsor-runner mcp serve \
408
523
  --config ./synapsor.runner.json \
409
524
  --store ./.synapsor/local.db
410
525
  ```
411
526
 
412
- `smoke call` uses the same runtime as MCP, records evidence/query audit or a
413
- proposal in the local store, and prints the evidence/proposal/replay commands
414
- to inspect what happened. If you skipped the optional smoke input in the
415
- wizard, pass `--json '{"<lookup_arg>":"<real_id>"}'` instead.
416
-
417
- ## Two Ways To Run MCP
527
+ ## Three Ways To Run MCP
418
528
 
419
529
  Use stdio when the MCP client runs locally and can launch Synapsor Runner. Use
420
- HTTP when your agent service runs as an app/server and connects to a
421
- long-running Runner process.
530
+ Streamable HTTP when a standard HTTP MCP client connects to a long-running
531
+ Runner process. Use the JSON-RPC bridge only when you want simple POST calls
532
+ from your own app/server wrapper.
422
533
 
423
534
  Local MCP clients:
424
535
 
@@ -460,7 +571,8 @@ synapsor-runner up --serve \
460
571
  --alias-mode openai
461
572
  ```
462
573
 
463
- Equivalent unified command:
574
+ The same Streamable HTTP server can also be started through the unified serve
575
+ command:
464
576
 
465
577
  ```bash
466
578
  synapsor-runner mcp serve \
@@ -500,86 +612,61 @@ examples/openai-agents-stdio/
500
612
  examples/openai-agents-http/
501
613
  ```
502
614
 
503
- Use `--mode review` only when you are ready to create proposal tools and test
504
- guarded writeback with a separate trusted write credential.
505
-
506
- ## Sanity Check The Agent Connection
507
-
508
- Before asking an agent to solve a real task, confirm it can call a Runner tool:
509
-
510
- ```bash
511
- synapsor-runner tools preview --config ./synapsor.runner.json --store ./.synapsor/local.db
512
- ```
513
-
514
- For OpenAI-facing clients:
515
-
516
- ```bash
517
- synapsor-runner tools preview \
518
- --config ./synapsor.runner.json \
519
- --store ./.synapsor/local.db \
520
- --alias-mode openai
521
- ```
522
-
523
- Then ask the agent:
524
-
525
- ```text
526
- Use the Synapsor Runner MCP tool to inspect invoice INV-3001.
527
- Do not answer from memory.
528
- Return the tool name called, the evidence handle, and whether raw SQL was available.
529
- ```
530
-
531
- Expected result: the agent calls a semantic tool, returns an evidence handle or
532
- local ledger reference, and says raw SQL/write/approval tools were not
533
- available. If it gives generic advice or unrelated prose without a tool call,
534
- Runner is not connected yet.
535
-
536
- The disposable reference app includes proposal-first write examples for:
615
+ Detailed setup: [docs/openai-agents-sdk.md](docs/openai-agents-sdk.md).
537
616
 
538
- - `billing.propose_late_fee_waiver`
539
- - `support.propose_plan_credit`
540
- - `orders.propose_status_change`
617
+ Use `--mode review` only when you are ready to create proposal tools and test
618
+ guarded writeback. Review mode needs an approved write path and a separate
619
+ trusted write credential; the model-facing read URL should stay least
620
+ privilege.
541
621
 
542
- Each tool creates evidence, a before/after diff, and a proposal. The source
543
- database remains unchanged until approval outside MCP and guarded writeback.
622
+ ## Audit Your MCP Database Tools
544
623
 
545
- For a longer local session, you can install the package globally:
624
+ `synapsor-runner audit` is a static MCP/database risk review. It is useful even before
625
+ you adopt the full runner.
546
626
 
547
627
  ```bash
548
- npm install -g @synapsor/runner
628
+ synapsor-runner audit --example dangerous-db-mcp
629
+ synapsor-runner audit --example dangerous-db-mcp --format markdown
630
+ synapsor-runner audit ./synapsor.runner.json
631
+ synapsor-runner audit --mcp-config ./claude_desktop_config.json
632
+ synapsor-runner audit --stdio "node ./my-db-mcp-server.js"
549
633
  ```
550
634
 
551
- ## Stable Compatibility Promise
635
+ The built-in example runs without cloning this repository or downloading an
636
+ examples file. File-based audits still work when you have your own exported MCP
637
+ tool manifest.
552
638
 
553
- Starting with `0.1.0`, Synapsor Runner keeps the documented `synapsor-runner`
554
- binary, `synapsor.runner.json` schema version `1`, result envelope v2, stdio
555
- MCP, Streamable HTTP MCP, MCP client snippets, proposal/approval/writeback
556
- inspection commands, direct SQL writeback contract, and app-owned executor
557
- contract compatible through the `0.1.x` line unless a release note marks a
558
- deprecation first.
639
+ It looks for patterns such as:
559
640
 
560
- Stable does not mean production SLA, hosted Cloud features, compliance
561
- certification, physical Postgres/MySQL branching, generic SQL writeback, or
562
- support for undocumented local SQLite internals.
563
-
564
- ## Runtime Flow
641
+ - arbitrary SQL tools;
642
+ - broad database write tools;
643
+ - model-facing approval/commit tools;
644
+ - missing tenant/principal context;
645
+ - dangerous tool names;
646
+ - unclear parameter schemas;
647
+ - mutation tools without proposal/approval.
565
648
 
566
- The local runner keeps the model-facing tool call separate from approval and
567
- writeback:
649
+ Example finding:
568
650
 
569
651
  ```text
570
- MCP tool call
571
- -> trusted context
572
- -> scoped read
573
- -> evidence
574
- -> proposal diff
575
- -> approval outside the model
576
- -> guarded writeback
577
- -> receipt/replay
652
+ Risk: high
653
+
654
+ Found:
655
+ - execute_sql appears to expose arbitrary database access.
656
+ - approve_refund appears to let the model approve a durable write.
657
+ - update_customer appears to mutate state without a proposal boundary.
658
+ - No trusted tenant/principal context was detected.
659
+
660
+ Suggested safer shape:
661
+ - billing.inspect_invoice
662
+ - billing.propose_late_fee_waiver
663
+ - approval outside MCP
664
+ - guarded writeback after approval
665
+
666
+ Note:
667
+ This is a static risk review, not a security guarantee.
578
668
  ```
579
669
 
580
- Your Postgres/MySQL database remains the source of truth. The runner stores
581
- local proposals, evidence, receipts, and replay data in a local SQLite store.
582
-
583
670
  ## Why Not Just Use A Read-Only Database User?
584
671
 
585
672
  You should use one.
@@ -606,47 +693,30 @@ Use Synapsor Runner when you also want the agent-facing layer: semantic tools,
606
693
  trusted context, evidence handles, query audit, local inspection, and
607
694
  proposal-first writes.
608
695
 
609
- ## Fixture Benchmark
610
-
611
- Run the included MCP efficiency fixture:
696
+ ## Find Evidence And Replay
612
697
 
613
- ```bash
614
- synapsor-runner benchmark mcp-efficiency
615
- ```
698
+ The commands in this section require this checkout or an alpha package that
699
+ includes the local-ledger CLI surface.
616
700
 
617
- Current fixture result for the late-fee-waiver workflow:
701
+ Synapsor Runner writes a local evidence/replay ledger to SQLite. Use it to
702
+ answer questions such as:
618
703
 
619
704
  ```text
620
- Generic database MCP reference:
621
- exposed tools: 4
622
- scripted tool calls: 5
623
- raw SQL exposed: yes
624
- approval separated: no
625
- stale-row conflict checked: no
626
-
627
- Synapsor Runner semantic path:
628
- exposed tools: 2
629
- scripted tool calls: 2
630
- raw SQL exposed: no
631
- approval separated: yes
632
- stale-row conflict checked: yes
705
+ What did the agent see and do for invoice INV-3001?
633
706
  ```
634
707
 
635
- The fixture tokenizer is deterministic and repeatable for this package. It is
636
- not a model billing tokenizer and not a universal token-savings claim.
637
-
638
- ## Find Evidence And Replay
639
-
640
- The commands in this section require this checkout or an alpha package that
641
- includes the local-ledger CLI surface.
642
-
643
- The runner stores a local SQLite evidence/replay ledger. Search it without
644
- relying on `latest`:
708
+ Search the local activity ledger:
645
709
 
646
710
  ```bash
647
711
  synapsor-runner activity search --tenant acme --object invoice:INV-3001
712
+ synapsor-runner activity search --capability billing.propose_late_fee_waiver --from 2026-06-01 --to 2026-06-23
648
713
  synapsor-runner events tail --store ./.synapsor/local.db
649
714
  synapsor-runner events webhook --url http://127.0.0.1:8788/synapsor/events --kind proposal_created --store ./.synapsor/local.db
715
+ ```
716
+
717
+ Inspect the linked records:
718
+
719
+ ```bash
650
720
  synapsor-runner proposals list --tenant acme --object invoice:INV-3001 --status approved
651
721
  synapsor-runner evidence show ev_...
652
722
  synapsor-runner query-audit list --evidence ev_...
@@ -656,16 +726,17 @@ synapsor-runner replay show --proposal wrp_...
656
726
  synapsor-runner replay show --replay replay_wrp_...
657
727
  ```
658
728
 
659
- Default inspection output is meant for first-run clarity. Add `--details` for
729
+ The default views answer what happened, whether the source DB changed, the
730
+ current status, and the next command to run. Add `--details` when you need
660
731
  target URIs, primary keys, proposal hash/version, conflict guards, query
661
- fingerprints, event timestamps, and receipt internals.
732
+ fingerprints, event timestamps, or receipt internals.
662
733
 
663
- Export captured evidence or proposal replay:
734
+ Export replay or evidence for review:
664
735
 
665
736
  ```bash
666
- synapsor-runner evidence export ev_... --format markdown --output evidence.md
667
737
  synapsor-runner replay export --proposal wrp_... --format json --output replay.json
668
738
  synapsor-runner replay export --proposal wrp_... --format markdown --output replay.md
739
+ synapsor-runner evidence export ev_... --format markdown --output evidence.md
669
740
  ```
670
741
 
671
742
  Create a redacted local diagnostic report:
@@ -690,16 +761,171 @@ synapsor-runner store reset --store ./.synapsor/local.db --yes
690
761
  bridges, or app-local notifications. It POSTs one redacted local event envelope
691
762
  per lifecycle event; it is not a hosted central ledger.
692
763
 
693
- This is local indexed search for local/dev/staging usage. It is not external
694
- database time travel, not cross-runner search, and not hosted compliance
695
- retention.
764
+ This is local indexed search for local/dev/staging usage. It is not a hosted
765
+ central ledger, not RBAC/SSO, not cross-runner search, and not compliance
766
+ retention. Synapsor Cloud is the upgrade path for central searchable audit,
767
+ team governance, retention, and production operations.
768
+
769
+ ## Connect Claude, Cursor, Or Another MCP Client
770
+
771
+ Generate a local MCP client snippet:
772
+
773
+ ```bash
774
+ synapsor-runner mcp config --config ./synapsor.runner.json --store ./.synapsor/local.db
775
+ ```
776
+
777
+ Use a specific client shape when needed:
778
+
779
+ ```bash
780
+ synapsor-runner mcp config cursor --config ./synapsor.runner.json --store ./.synapsor/local.db
781
+ synapsor-runner mcp config vscode --config ./synapsor.runner.json --store ./.synapsor/local.db
782
+ synapsor-runner mcp config generic --config ./synapsor.runner.json --store ./.synapsor/local.db
783
+ synapsor-runner mcp client-config --client openai-agents --config ./synapsor.runner.json --store ./.synapsor/local.db
784
+ ```
785
+
786
+ The generated config references the local runner command. It does not include:
787
+
788
+ - database URL;
789
+ - database password;
790
+ - write credentials;
791
+ - approval tools;
792
+ - commit/apply tools.
793
+
794
+ ## Sanity Check The Agent Connection
795
+
796
+ After you connect Claude, Cursor, OpenAI Agents SDK, or another MCP client, run
797
+ one tiny tool-call test before asking the agent to solve a real task.
798
+
799
+ First preview the tools Runner will expose:
800
+
801
+ ```bash
802
+ synapsor-runner tools preview --config ./synapsor.runner.json --store ./.synapsor/local.db
803
+ ```
804
+
805
+ For OpenAI-facing clients, preview the model-visible aliases:
806
+
807
+ ```bash
808
+ synapsor-runner tools preview \
809
+ --config ./synapsor.runner.json \
810
+ --store ./.synapsor/local.db \
811
+ --alias-mode openai
812
+ ```
813
+
814
+ Example:
815
+
816
+ ```text
817
+ Exposed to MCP:
818
+ - billing__inspect_invoice -> billing.inspect_invoice
819
+ ```
820
+
821
+ Then ask the agent:
822
+
823
+ ```text
824
+ Use the Synapsor Runner MCP tool to inspect invoice INV-3001.
825
+ Do not answer from memory.
826
+ Return the tool name called, the evidence handle, and whether raw SQL was available.
827
+ ```
828
+
829
+ For your own database, replace `invoice INV-3001` with one real object ID and
830
+ the semantic tool name from `tools preview`.
831
+
832
+ Expected result:
833
+
834
+ - the agent calls a Synapsor Runner tool such as `billing.inspect_invoice`;
835
+ - the response includes an evidence handle or local ledger reference;
836
+ - the agent says raw SQL/write/approval tools were not available.
837
+
838
+ If the agent gives generic advice, a freeform summary, or unrelated planning
839
+ text without a tool call or evidence handle, Runner is not in the loop yet. Fix
840
+ the MCP client config, restart the client, confirm trusted context environment
841
+ variables are set, and rerun `synapsor-runner tools preview`.
842
+
843
+ ## What The Model Gets
844
+
845
+ The model gets reviewed semantic capabilities from `synapsor.runner.json`, for
846
+ example:
847
+
848
+ ```text
849
+ billing.inspect_invoice
850
+ billing.propose_late_fee_waiver
851
+ support.inspect_ticket
852
+ support.propose_plan_credit
853
+ orders.inspect_order
854
+ orders.propose_status_change
855
+ ```
856
+
857
+ These are business tools with trusted scope, visible fields, evidence rules,
858
+ proposal boundaries, and writeback guards.
859
+
860
+ ## Fixture Benchmark
861
+
862
+ Run the included MCP efficiency fixture:
863
+
864
+ ```bash
865
+ synapsor-runner benchmark mcp-efficiency
866
+ ```
867
+
868
+ Current fixture result for the late-fee-waiver workflow:
869
+
870
+ ```text
871
+ Generic database MCP reference:
872
+ exposed tools: 4
873
+ scripted tool calls: 5
874
+ raw SQL exposed: yes
875
+ approval separated: no
876
+ stale-row conflict checked: no
877
+
878
+ Synapsor Runner semantic path:
879
+ exposed tools: 2
880
+ scripted tool calls: 2
881
+ raw SQL exposed: no
882
+ approval separated: yes
883
+ stale-row conflict checked: yes
884
+ ```
885
+
886
+ The fixture tokenizer is deterministic and repeatable for this repo. It is not
887
+ a model billing tokenizer and not a universal token-savings claim.
888
+
889
+ ## Safe Write Examples
890
+
891
+ The disposable reference app includes three proposal-first write shapes:
892
+
893
+ - `billing.propose_late_fee_waiver`: waive a late fee after evidence and review.
894
+ - `support.propose_plan_credit`: propose a bounded customer credit for a support case.
895
+ - `orders.propose_status_change`: move an order through an allowlisted status transition.
896
+
897
+ Each tool creates evidence, a before/after diff, and a local proposal. The
898
+ source database is unchanged until approval outside MCP and guarded writeback.
899
+
900
+ ## What The Model Never Gets
901
+
902
+ Synapsor Runner does not expose:
903
+
904
+ ```text
905
+ execute_sql
906
+ raw_sql
907
+ query_database
908
+ database URLs
909
+ write credentials
910
+ approval tools
911
+ commit/apply tools
912
+ arbitrary table names
913
+ arbitrary column names
914
+ model-controlled tenant authority
915
+ direct write access
916
+ ```
917
+
918
+ Approval and writeback stay outside the model-facing MCP tool surface.
696
919
 
697
920
  ## App-Owned Writeback
698
921
 
699
- Use direct guarded DB writeback for simple local/staging single-row updates. If
700
- your application service already owns business writes, configure an
701
- `http_handler` or `command_handler` executor. Approval still happens outside
702
- MCP, and the handler returns an applied/conflict/failed receipt for replay.
922
+ Direct guarded DB writeback is useful for local/staging demos and simple
923
+ single-row updates. If your application service already owns business writes,
924
+ configure an `http_handler` or `command_handler` executor instead.
925
+
926
+ The flow stays the same: model-facing MCP creates a proposal, approval happens
927
+ outside MCP, Synapsor Runner sends an approved job to your app handler, and the
928
+ handler returns an applied/conflict/failed receipt for replay.
703
929
 
704
930
  > **Important:** your app handler owns the final business write. Runner creates
705
931
  > the proposal and calls your handler only after approval, but your handler must
@@ -708,10 +934,17 @@ MCP, and the handler returns an applied/conflict/failed receipt for replay.
708
934
  > error receipts. If you skip those checks, you can reintroduce cross-tenant
709
935
  > writes, lost updates, or duplicate writes. Keep handler credentials out of MCP.
710
936
 
711
- Starter handlers are included under `examples/app-owned-writeback`.
712
- The packaged app-owned billing example also includes a bundled
713
- `synapsor-handler.mjs` helper shim. There is no separate handler package to
714
- install.
937
+ Details: [docs/writeback-executors.md](docs/writeback-executors.md). Starter
938
+ handlers live in [examples/app-owned-writeback](examples/app-owned-writeback).
939
+ The runner npm package includes handler templates and the
940
+ `examples/mcp-postgres-billing-app-handler/synapsor-handler.mjs` bundled helper
941
+ shim. These show bearer/HMAC auth, tenant scope, expected-version guards,
942
+ idempotency, transaction rollback, and safe receipts around your business
943
+ effect. There is no separate handler package to install.
944
+ The full Postgres billing example in
945
+ [examples/mcp-postgres-billing-app-handler](examples/mcp-postgres-billing-app-handler)
946
+ shows `billing.propose_account_credit` creating a proposal first, then inserting
947
+ an `account_credits` row through an app-owned HTTP handler after approval.
715
948
  You can also generate a starter handler directly:
716
949
 
717
950
  ```bash
@@ -726,16 +959,221 @@ needs permission for that receipt table or an administrator must pre-create and
726
959
  grant it. Use app-owned handlers when you do not want Runner creating receipt
727
960
  tables in your application schema.
728
961
 
729
- ## Command Name
962
+ ## Safety Model
963
+
964
+ ```text
965
+ MCP client
966
+ -> Synapsor Runner
967
+ -> semantic capability
968
+ -> trusted tenant/principal context
969
+ -> scoped DB read
970
+ -> evidence-backed proposal
971
+ -> approval outside MCP
972
+ -> guarded writeback
973
+ -> receipt and replay
974
+ ```
975
+
976
+ Current boundaries:
977
+
978
+ - no generic SQL tools;
979
+ - no model-facing approval or apply tools;
980
+ - tenant/principal scoping is enforced;
981
+ - allowed columns are enforced;
982
+ - primary-key targeting is required;
983
+ - conflict/version guards are available;
984
+ - idempotency keys are used;
985
+ - affected row count is checked;
986
+ - direct DB writeback is limited to guarded single-row `UPDATE`.
987
+
988
+ ## Safety Checks It Catches
989
+
990
+ After the happy path, use the demo and tests to inspect failure cases:
991
+
992
+ - stale-row conflict;
993
+ - missing tenant context;
994
+ - disallowed write column;
995
+ - model-facing commit or approval tool;
996
+ - arbitrary SQL tool.
997
+
998
+ The important stale-row case:
999
+
1000
+ ```text
1001
+ The row changed after the agent saw it.
1002
+ Result: conflict
1003
+ Source DB changed by Synapsor: no
1004
+ ```
1005
+
1006
+ Conflict handling is a safety check, not the first demo payoff.
1007
+
1008
+ ## Local Features
1009
+
1010
+ | Feature | Runner version |
1011
+ | --- | --- |
1012
+ | Context bindings | Trusted tenant/principal from env, static dev config, HTTP claims, or cloud session |
1013
+ | Capabilities | Local semantic MCP tools from `synapsor.runner.json` |
1014
+ | Evidence | Local evidence bundles and query audit records |
1015
+ | Proposals | Local before/after change sets |
1016
+ | Approval | Local CLI/UI approval outside MCP |
1017
+ | Writeback | Guarded single-row `UPDATE` for Postgres/MySQL |
1018
+ | Replay | Local replay of proposal, evidence, events, receipts, and query audit |
1019
+ | MCP audit | Static risk review for MCP database tools |
1020
+
1021
+ The runner intentionally does not include full Synapsor Cloud/DBMS features such
1022
+ as workflow DAGs, native branches, time travel, settlement policies, governed
1023
+ memory, RBAC/SSO, hosted evidence ledger, managed runners, CDC, or C++ DBMS
1024
+ internals.
1025
+
1026
+ ## Local Runner Vs Synapsor Cloud
1027
+
1028
+ | Need | Synapsor Runner | Synapsor Cloud |
1029
+ | --- | --- | --- |
1030
+ | Local MCP server | Yes | Managed |
1031
+ | Local trusted context bindings | Yes | Org/session integrated |
1032
+ | Local semantic capabilities | Yes | Hosted registry + versioning |
1033
+ | Local evidence/proposal/replay | Yes | Central searchable ledger |
1034
+ | Local approval | CLI/UI | Multi-user approvals |
1035
+ | Writeback | Guarded single-row `UPDATE` | Managed production orchestration |
1036
+ | MCP risk audit | Static/local | Continuous/org-wide |
1037
+ | RBAC/SSO | No | Yes |
1038
+ | Policy packs | No/basic | Yes |
1039
+ | Workflow builder | No | Yes |
1040
+ | Native branches/time travel | No | Yes |
1041
+ | Settlement policies | No | Yes |
1042
+ | Compliance exports | No | Yes |
1043
+ | Production support/SLA | No | Yes |
1044
+
1045
+ The runner is useful by itself for local/staging safety. Synapsor Cloud is for
1046
+ teams, production governance, central audit, managed runners, enterprise
1047
+ controls, and proprietary Synapsor platform features.
1048
+
1049
+ ## Current Limitations
1050
+
1051
+ Supported in the current alpha:
1052
+
1053
+ - stdio MCP server;
1054
+ - authenticated HTTP MCP server for app/server deployments;
1055
+ - Postgres/MySQL inspection;
1056
+ - semantic read tools;
1057
+ - evidence-backed proposals;
1058
+ - local approval outside MCP;
1059
+ - guarded single-row `UPDATE`;
1060
+ - local SQLite evidence/proposal/replay store;
1061
+ - tenant, primary-key, allowed-column, idempotency, and conflict guards;
1062
+ - static MCP risk audit.
1063
+
1064
+ Not supported:
1065
+
1066
+ - raw `execute_sql`;
1067
+ - model-generated SQL;
1068
+ - DDL;
1069
+ - INSERT;
1070
+ - DELETE;
1071
+ - UPSERT;
1072
+ - multi-row writes;
1073
+ - stored procedures;
1074
+ - physical branching of external Postgres/MySQL;
1075
+ - full Synapsor workflow DAG execution;
1076
+ - `CREATE AGENT WORKFLOW`;
1077
+ - Synapsor SQL generation;
1078
+ - auto-merge or settlement-policy semantics;
1079
+ - model-callable approval or commit tools;
1080
+ - general prompt-injection prevention;
1081
+ - production SLA or compliance certification.
1082
+
1083
+ Complete limits: [docs/limitations.md](docs/limitations.md).
1084
+
1085
+ Security boundary: [docs/security-boundary.md](docs/security-boundary.md).
1086
+
1087
+ Release notes and stable-tag policy:
1088
+ [docs/release-notes.md](docs/release-notes.md).
1089
+
1090
+ ## Stable Compatibility Promise
1091
+
1092
+ Starting with `0.1.0`, Synapsor Runner keeps the following surfaces compatible
1093
+ through the `0.1.x` line unless a release note explicitly marks a deprecation
1094
+ first:
1095
+
1096
+ - the `synapsor-runner` binary name and README quickstart commands;
1097
+ - `synapsor.runner.json` schema version `1` for documented fields;
1098
+ - result envelope v2 for new configs, with the documented v1 opt-out;
1099
+ - stdio MCP and Streamable HTTP MCP command surfaces;
1100
+ - generated MCP client snippets for documented clients;
1101
+ - proposal, approval, guarded writeback, receipt, evidence, query-audit, and
1102
+ replay inspection commands;
1103
+ - direct SQL writeback and app-owned executor contracts documented in this
1104
+ README and `docs/writeback-executors.md`.
1105
+
1106
+ Stable does not mean production SLA, hosted Cloud features, compliance
1107
+ certification, physical Postgres/MySQL branching, generic SQL writeback, or
1108
+ support for undocumented local SQLite internals. Those limits remain explicit
1109
+ in [docs/limitations.md](docs/limitations.md).
1110
+
1111
+ ## License
1112
+
1113
+ Synapsor Runner is open source under the Apache License 2.0 (`Apache-2.0`).
1114
+
1115
+ Apache-2.0 applies to this runner repo. It does not grant rights to the
1116
+ Synapsor name, logo, hosted cloud service, or proprietary Synapsor platform
1117
+ features. See [docs/licensing.md](docs/licensing.md) and
1118
+ [TRADEMARKS.md](TRADEMARKS.md).
1119
+
1120
+ Synapsor Cloud, hosted governance, managed runners, advanced policy/workflow
1121
+ engines, enterprise controls, and native Synapsor DBMS/C++ internals remain
1122
+ proprietary.
1123
+
1124
+ ## Developer And Contributor Commands
1125
+
1126
+ Public docs use `synapsor-runner`. During source-checkout development, if the
1127
+ global binary is not linked yet, use `./bin/synapsor-runner ...` or
1128
+ `corepack pnpm runner ...`.
1129
+
1130
+ Helper scripts are wrappers and development conveniences, not the main product
1131
+ interface:
1132
+
1133
+ ```bash
1134
+ ./scripts/try-synapsor.sh
1135
+ ./scripts/demo-docker.sh
1136
+ ./scripts/open-demo-ui.sh
1137
+ ./scripts/use-your-db.sh
1138
+ ./scripts/mcp-config.sh
1139
+ ```
1140
+
1141
+ Contributor checks:
1142
+
1143
+ ```bash
1144
+ corepack pnpm install
1145
+ ./scripts/verify-release-gate.sh
1146
+ ```
1147
+
1148
+ After a manual alpha publish, verify the public npm package:
1149
+
1150
+ ```bash
1151
+ VERIFY_PUBLISHED_ALPHA=1 ./scripts/verify-release-gate.sh 0.1.0-alpha.17
1152
+ ```
1153
+
1154
+ After a manual stable publish/promotion, verify `latest`:
1155
+
1156
+ ```bash
1157
+ ./scripts/verify-published-stable.sh 0.1.0
1158
+ ```
1159
+
1160
+ ## Repository Map
730
1161
 
731
- This package installs `synapsor-runner` as the OSS runner binary. The `synapsor`
732
- command is reserved for the Synapsor Cloud CLI.
1162
+ - `apps/runner`: CLI entrypoint and local UI.
1163
+ - `packages/mcp-server`: stdio/HTTP MCP server and configured tool runtime.
1164
+ - `packages/schema-inspector`: Postgres/MySQL metadata inspection and config generation.
1165
+ - `packages/proposal-store`: local SQLite evidence/proposal/replay store.
1166
+ - `packages/postgres`, `packages/mysql`: guarded writeback adapters.
1167
+ - `packages/worker-core`: shared runner orchestration.
1168
+ - `recipes`: optional starter contracts.
1169
+ - `examples`: disposable local demos and reference app.
1170
+ - `docs`: focused setup, MCP, security, troubleshooting, and limitation docs.
733
1171
 
734
- ## Scope
1172
+ ## Community
735
1173
 
736
- This package is an alpha local runner. It is not Synapsor Cloud, not the
737
- Synapsor DBMS, not a physical branch engine for Postgres/MySQL, and not a
738
- general MCP security platform.
1174
+ Synapsor Runner is maintained by Synapsor.
739
1175
 
740
- See the full repository README and docs for Docker demos, MCP client setup,
741
- configuration recipes, security boundaries, and release notes.
1176
+ - Website: https://synapsor.ai
1177
+ - Docs: https://synapsor.ai/docs
1178
+ - License: Apache License 2.0 (`Apache-2.0`)
1179
+ - Issues: use GitHub Issues