All docs
Docs
API Reference

Synapsor Cloud CLI

Install @synapsor/cli to manage Cloud contracts, credentials, Runner connections, proposal decisions, and audit records without giving Cloud database credentials.

Overview

Use synapsor from @synapsor/cli for Cloud administration, shared human review, and audit. Use synapsor-runner from @synapsor/runner for the local MCP and database enforcement boundary. @synapsor/client remains the application SDK; it is not the Cloud administration package.

The Cloud CLI calls the same versioned control-plane APIs as the web UI. The server remains authoritative for identity, project roles, API-key scopes, paid feature entitlement, immutable contract versions, human approval policy, and audit records.

Cloud never receives your source database URL or write credential through this CLI. A separately scoped Runner token connects a customer-operated Runner, while a human session or scoped service API key authorizes Cloud administration.

Cloud-linked mode is optional. Local-only Runner mode needs no Synapsor account. In cloud-linked mode, Cloud is authoritative for contract activation, human decisions, job leasing, and terminal governance state; the local Runner store remains the durable operational spool and local evidence/replay ledger. The SQLite file is never uploaded.

Credential boundaries

Each credential has one purpose. Authentication never substitutes for role/scope authorization or current product entitlement.

1
Human session

Interactive Cloud administration and proposal decisions, subject to role, recent-auth, quorum, and policy.

2
Service API key

Project-scoped CI automation with explicit scopes; human approval is denied by default.

3
Runner token

Runner machine protocol only: sync, leases, heartbeat, and terminal results. It is rejected by Cloud CLI admin routes.

4
Local DB credential

Read and write URLs stay with the customer-operated Runner and are never sent to Cloud or stored in a contract.

Developer notes

  • Use a human browser/device login for proposal decisions and role-sensitive administration.
  • Use SYNAPSOR_API_KEY or a mode-0600 secret-file reference for CI; never place a secret in a command-line flag.
  • Create Runner tokens separately and never use them as Cloud CLI credentials.
  • A valid credential can still receive payment_required, feature_not_entitled, or project_inactive because auth, authorization, and entitlement are independent.
  • Use --json and --no-interactive for automation, and use caller-supplied idempotency keys for retryable mutations.
  • Cloud V2 is a controlled design-partner beta and does not claim multi-region durability, managed Runner fleet, SSO/SCIM completeness, or enterprise GA.