MCP database commit safety

MCP connects the agent. Synapsor controls the commit.

MCP standardizes how an AI application discovers and calls tools. Synapsor adds the database-specific commit boundary: reviewed semantic capabilities, trusted tenant and object scope, evidence-backed proposals, approval or deterministic policy, conflict-checked writeback, receipts, and replay.

Without Synapsor

Connect agent to database. Give it a tool. Hope it behaves.

text
Normal MCP database tool
  -> execute_sql or broad update tool
  -> database changes immediately
  • Model-selected SQL or broad parameters
  • Model-controlled tenant or row identifiers
  • Weak approval context
  • Retries without idempotency
  • Audit reconstructed after the fact

With Synapsor

MCP calls a reviewed capability. Synapsor binds trusted context. Reads become evidence. Writes become exact proposals.

text
Synapsor database MCP path
  -> billing.propose_late_fee_waiver
  -> tenant and principal bound by backend
  -> evidence-backed proposal
  -> trusted runner commits only after approval
  • No raw SQL tool in the Synapsor path
  • Tenant and principal bound outside model args
  • Before/after diff and evidence
  • Approval separated from execution
  • Applied/conflict/failed receipt for replay
Commit-safe behavior

MCP tool call equals request authority. Trusted runner equals execution authority.

The model can ask for a database change through a semantic tool. It does not receive write credentials, approval authority, arbitrary table names, or final commit authority.

text
MCP tool call
  -> reviewed semantic capability
  -> trusted context
  -> scoped read
  -> evidence
  -> exact proposed diff
  -> approval or deterministic policy
  -> guarded writeback
  -> applied/conflict/failed receipt
  -> replay
The proof moment

If the row changed after the agent saw it, Synapsor refuses to commit.

Proposal created

The agent proposes waiving an invoice late fee. Synapsor records current row version, evidence, and exact diff.

Row changes out of band

The source database changes before approval. The original proposal is now stale.

Conflict receipt

The trusted runner checks the expected version and returns conflict. No write is applied.

The business state changed after the agent saw it, so Synapsor refused to commit.
Local and Cloud

Start locally. Add Cloud when teams need shared control.

Open-source local runner

  • Local stdio MCP server
  • Semantic Postgres/MySQL capability config
  • Local SQLite proposals, evidence, and replay
  • CLI approval/rejection
  • Guarded writeback in your environment

Synapsor Cloud

  • Team approvals and RBAC
  • Hosted evidence and replay search
  • Managed policies and runner health
  • Multi-project/source governance
  • Controlled-beta support and audit visibility
What Synapsor protects

Database state transitions, not every MCP risk.

  • Model-facing raw SQL exposure in the Synapsor path
  • Trusted tenant, principal, and object scope
  • Proposal-before-write
  • Exact diff, allowed columns, conflict guard, idempotency
  • Terminal receipt and replay
What it does not claim

MCP remains broader than database commit safety.

  • Malicious or compromised MCP host
  • Credential theft outside the runner
  • Unsafe non-Synapsor tools
  • Prompt injection itself
  • Business invariants not represented in the capability or app handler
Next step

Run the local database MCP demo, then connect Cloud when you need team approvals.