
Connect MySQL

Connect selected MySQL tables/views to Synapsor in read-only live mode with least-privilege credentials and tenant-scoped generated capabilities.

Overview

Start with live-read for MySQL. The public connector path reads selected tables/views on demand through a least-privilege read-only user. It stores the connection as a secret reference, keeps only safe metadata/fingerprints in normal control-plane records, and records redacted query audit entries.

MySQL databases map to the schema/database selector in the connector. Use --database for inspect/import and prefer safe views when a raw table contains columns an agent should not see.

Add proposal writeback only after the read-only path works and evidence/query audit are reviewed. Treat CDC/mirrored subsets as private preview only, not customer-production supported.

SESSION values come from your backend. ARG values may come from user/model input. Do not let the model invent tenant_id, principal, customer_id, current_order_id, branch_id, proposal_id, run_id, or other trusted scope.

Create a read-only user

Create a dedicated MySQL user with SELECT and SHOW VIEW only on the database, tables, or views Synapsor should read.

Use a strong password and rotate it like any other database credential. Do not reuse your application writer account.

MySQL user
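-- '%' lets this account connect from any host. If you know the host or
-- address range the connector connects from, use it here and in the GRANT.
CREATE USER 'synapsor_reader'@'%' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';

-- Read-only: no INSERT, UPDATE, DELETE, DDL, or GRANT OPTION.
GRANT SELECT, SHOW VIEW
ON shopdb.*
TO 'synapsor_reader'@'%';

-- Not required after CREATE USER/GRANT, which take effect immediately; harmless.
FLUSH PRIVILEGES;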

Prefer safe views

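Views let you expose only the columns and rows the agent workflow needs before Synapsor reads the source. When you use this pattern, grant the reader account access to the view rather than to the whole database: a database-wide grant such as the one on shopdb.* also lets the account read the raw table behind the view.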

The connector still enforces imported table mappings, tenant filters, row limits, query timeouts, and column allowlists even when the source is a view.

Safe view pattern
CREATE VIEW shopdb.synapsor_order_context AS
SELECT
  id,
  tenant_id,
  customer_id,
  status,
  total_cents,
  created_at,
  updated_at
FROM shopdb.orders
WHERE status <> 'deleted';

GRANT SELECT, SHOW VIEW
ON shopdb.synapsor_order_context
TO 'synapsor_reader'@'%';
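
A check to run after creating the grants above, as an added example that is not part of the Synapsor documentation: it lists the reader account's grants and reports any privilege beyond SELECT and SHOW VIEW on shopdb. It assumes the account, database, and table names used on this page and an administrative session that can read all grants; the information_schema tables are standard MySQL.

```sql
-- Added example (not Synapsor tooling). Assumes the names used on this page:
-- account 'synapsor_reader'@'%', database shopdb, table shopdb.orders.
-- Run steps 1-4 as an administrative account that can see all grants.

-- 1. Summary of everything granted to the account, including any roles.
SHOW GRANTS FOR 'synapsor_reader'@'%';

-- 2. Global privileges. A correctly scoped reader holds only USAGE
--    (meaning "no privileges"), so this should return zero rows.
SELECT PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.USER_PRIVILEGES
WHERE GRANTEE = '''synapsor_reader''@''%'''
  AND (PRIVILEGE_TYPE <> 'USAGE' OR IS_GRANTABLE = 'YES');

-- 3. Database-level privileges. Any row is a problem: a privilege other than
--    SELECT / SHOW VIEW, a database other than shopdb, or WITH GRANT OPTION.
SELECT TABLE_SCHEMA, PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.SCHEMA_PRIVILEGES
WHERE GRANTEE = '''synapsor_reader''@''%'''
  AND (TABLE_SCHEMA <> 'shopdb'
       OR PRIVILEGE_TYPE NOT IN ('SELECT', 'SHOW VIEW')
       OR IS_GRANTABLE = 'YES');

-- 4. Table- and view-level privileges, same rule as step 3.
SELECT TABLE_SCHEMA, TABLE_NAME, PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.TABLE_PRIVILEGES
WHERE GRANTEE = '''synapsor_reader''@''%'''
  AND (TABLE_SCHEMA <> 'shopdb'
       OR PRIVILEGE_TYPE NOT IN ('SELECT', 'SHOW VIEW')
       OR IS_GRANTABLE = 'YES');

-- 5. In a separate session logged in AS synapsor_reader: a write attempt must
--    be rejected with a "command denied" error. The WHERE clause matches no
--    rows, so nothing changes even if the statement is wrongly permitted.
UPDATE shopdb.orders SET status = status WHERE 1 = 0;
```

Rows returned by steps 2 to 4 are grants to revoke before the source is connected.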

Developer notes

  • Use ssl=require or stronger for remote MySQL sources.
  • Reference the connection as env:APP_MYSQL_URL so the URL stays in your environment and is not typed on the command line, where it would be saved in shell history.
  • Inspect before import, and explicitly exclude the fields suggested for review, such as password_hash, api_token, email, phone, address, and payment fields, unless the workflow truly needs them.
  • Import requires a tenant column unless the table/source is explicitly single-tenant.
  • Blob, binary, and varbinary columns are denied by default unless explicitly reviewed later.
  • Add proposal writeback only after the read-only live-read path is working and reviewed.
  • Treat CDC/mirrored subsets as private preview only. Do not enable CDC for customer production data until signoff is approved.
  • Disable a source immediately if credentials are rotated unexpectedly or the source should no longer be readable.