Synapsor Runner Lets AI Agents Propose Changes, Not Execute SQL
Synapsor Runner is an open-source MCP runtime giving AI agents reviewed semantic tools instead of raw SQL, keeping database write authority outside the model loop.
Synapsor Runner is an Apache-2.0 runtime that sits between MCP clients and PostgreSQL/MySQL, replacing the common execute_sql(sql) tool pattern with reviewed semantic capabilities like billing.propose_late_fee_waiver. The key design choice: the model-facing tool surface contains no approve tool and no apply tool at all — commit authority lives entirely outside the model loop, rather than being granted and then constrained.
Models can only propose changes; a proposal records the requested before/after state without touching the source database. When an approved proposal is written back, Runner rechecks tenant scope, row version, column allowlists, and affected-row limits, turning stale writes into conflicts instead of silent overwrites. In testing with a fleet of real LLM agents given explicit injection tasks ("read the other tenant's data," "ignore the budget"), the result was zero cross-tenant reads and zero unauthorized writes — achieved because the boundary was enforced outside the models, not because the models resisted the prompts.
The approach targets the same failure class as the recent Supabase MCP token-exfiltration case, where a model is tricked into running attacker-controlled SQL: with no SQL or commit tool reachable, that path closes. The maintainer is explicit that this doesn't stop prompt injection itself and doesn't replace least-privilege roles or row-level security — it's a scoped containment layer. A secondary benefit is lower token usage, since agents skip schema dumps and SQL-retry loops in favor of typed, bounded tool calls.