npm - @aliyun-rds/supabase-mcp-server - Versions diffs - 1.0.3 → 1.0.5 - Mend

@aliyun-rds/supabase-mcp-server 1.0.3 → 1.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -56,7 +56,8 @@ var SelfhostedSupabaseClient = class _SelfhostedSupabaseClient {
    */
   constructor(options) {
     this.options = options;
-    this.supabase = createClient(options.supabaseUrl, options.supabaseAnonKey, options.supabaseClientOptions);
+    const apiKey = options.supabaseServiceRoleKey || options.supabaseAnonKey;
+    this.supabase = createClient(options.supabaseUrl, apiKey, options.supabaseClientOptions);
     if (!options.supabaseUrl || !options.supabaseAnonKey) {
       throw new Error("Supabase URL and Anon Key are required.");
     }
@@ -246,61 +247,90 @@ var SelfhostedSupabaseClient = class _SelfhostedSupabaseClient {
     }
   }
   // --- Helper/Private Methods (to be implemented) ---
+  /**
+   * Executes SQL using postgres-meta API (/pg/query endpoint)
+   * This is available in Supabase instances and doesn't require direct database connection
+   */
+  async executeSqlViaPostgresMeta(query) {
+    const url = `${this.options.supabaseUrl}/pg/query`;
+    const apiKey = this.options.supabaseServiceRoleKey || this.options.supabaseAnonKey;
+    const response = await fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "apikey": apiKey
+      },
+      body: JSON.stringify({ query })
+    });
+    if (!response.ok) {
+      const errorText = await response.text();
+      throw new Error(`postgres-meta API error: ${response.status} ${errorText}`);
+    }
+    return await response.json();
+  }
   async checkAndCreateRpcFunction() {
     console.error("Checking for public.execute_sql RPC function...");
+    if (!this.options.supabaseServiceRoleKey) {
+      console.error("Cannot check/create 'public.execute_sql': supabaseServiceRoleKey not provided.");
+      this.rpcFunctionExists = false;
+      return;
+    }
     try {
-      const { error } = await this.supabase.rpc("execute_sql", { query: "SELECT 1" });
-      if (!error) {
+      console.error("Checking if execute_sql function exists using postgres-meta API...");
+      const checkQuery = `
+                SELECT EXISTS (
+                    SELECT 1
+                    FROM pg_proc p
+                    JOIN pg_namespace n ON p.pronamespace = n.oid
+                    WHERE n.nspname = 'public'
+                    AND p.proname = 'execute_sql'
+                ) as function_exists;
+            `;
+      const checkResult = await this.executeSqlViaPostgresMeta(checkQuery);
+      if (checkResult && checkResult.length > 0 && checkResult[0].function_exists) {
         console.error("'public.execute_sql' function found.");
         this.rpcFunctionExists = true;
         return;
       }
-      const UNDEFINED_FUNCTION_ERROR_CODE = "42883";
-      const POSTGREST_FUNCTION_NOT_FOUND_CODE = "PGRST202";
-      if (error.code === UNDEFINED_FUNCTION_ERROR_CODE || error.code === POSTGREST_FUNCTION_NOT_FOUND_CODE) {
-        console.error(
-          `'public.execute_sql' function not found (Code: ${error.code}). Attempting creation...`
-        );
-        if (!this.options.supabaseServiceRoleKey) {
-          console.error("Cannot create 'public.execute_sql': supabaseServiceRoleKey not provided.");
-          this.rpcFunctionExists = false;
-          return;
-        }
-        if (!this.options.databaseUrl) {
-          console.error("Cannot create 'public.execute_sql' reliably without databaseUrl for direct connection.");
-          this.rpcFunctionExists = false;
-          return;
-        }
-        try {
-          console.error("Creating 'public.execute_sql' function using direct DB connection...");
-          await this.executeSqlWithPg(_SelfhostedSupabaseClient.CREATE_EXECUTE_SQL_FUNCTION);
-          await this.executeSqlWithPg(_SelfhostedSupabaseClient.GRANT_EXECUTE_SQL_FUNCTION);
-          console.error("'public.execute_sql' function created and permissions granted successfully.");
-          console.error("Notifying PostgREST to reload schema cache...");
-          await this.executeSqlWithPg("NOTIFY pgrst, 'reload schema'");
-          console.error("PostgREST schema reload notification sent.");
-          this.rpcFunctionExists = true;
-        } catch (creationError) {
-          const errorMessage = creationError instanceof Error ? creationError.message : String(creationError);
-          console.error("Failed to create 'public.execute_sql' function or notify PostgREST:", creationError);
+      console.error("'public.execute_sql' function not found. Creating...");
+      try {
+        console.error("Creating 'public.execute_sql' function using postgres-meta API...");
+        await this.executeSqlViaPostgresMeta(_SelfhostedSupabaseClient.CREATE_EXECUTE_SQL_FUNCTION);
+        await this.executeSqlViaPostgresMeta(_SelfhostedSupabaseClient.GRANT_EXECUTE_SQL_FUNCTION);
+        console.error("'public.execute_sql' function created and permissions granted successfully.");
+        console.error("Notifying PostgREST to reload schema cache...");
+        await this.executeSqlViaPostgresMeta("NOTIFY pgrst, 'reload schema'");
+        console.error("PostgREST schema reload notification sent.");
+        this.rpcFunctionExists = true;
+      } catch (postgresMetaError) {
+        console.error("Failed to create function via postgres-meta API:", postgresMetaError);
+        if (this.options.databaseUrl) {
+          try {
+            console.error("Falling back to direct DB connection...");
+            await this.executeSqlWithPg(_SelfhostedSupabaseClient.CREATE_EXECUTE_SQL_FUNCTION);
+            await this.executeSqlWithPg(_SelfhostedSupabaseClient.GRANT_EXECUTE_SQL_FUNCTION);
+            await this.executeSqlWithPg("NOTIFY pgrst, 'reload schema'");
+            console.error("'public.execute_sql' function created via direct DB connection.");
+            this.rpcFunctionExists = true;
+          } catch (pgError) {
+            const errorMessage = pgError instanceof Error ? pgError.message : String(pgError);
+            console.error("Failed to create function via direct DB connection:", pgError);
+            this.rpcFunctionExists = false;
+            console.error("RPC function creation failed. You can manually install using the install_execute_sql_function tool.");
+          }
+        } else {
+          const errorMessage = postgresMetaError instanceof Error ? postgresMetaError.message : String(postgresMetaError);
+          console.error("No fallback available (databaseUrl not provided)");
+          console.error("RPC function creation failed. You can manually install using the install_execute_sql_function tool.");
           this.rpcFunctionExists = false;
-          throw new Error(`Failed to create execute_sql function/notify: ${errorMessage}`);
         }
-      } else {
-        console.error(
-          "Unexpected error checking for 'public.execute_sql' function:",
-          error
-        );
-        this.rpcFunctionExists = false;
-        throw new Error(
-          `Error checking for execute_sql function: ${error.message}`
-        );
       }
     } catch (err) {
       const errorMessage = err instanceof Error ? err.message : String(err);
       console.error("Exception during RPC function check/creation:", err);
+      console.error("RPC function check failed, but continuing initialization...");
+      console.error("You can manually install the execute_sql function using the install_execute_sql_function tool.");
       this.rpcFunctionExists = false;
-      throw new Error(`Exception during RPC function check/creation: ${errorMessage}`);
     }
   }
   // --- Getters ---
@@ -331,6 +361,12 @@ var SelfhostedSupabaseClient = class _SelfhostedSupabaseClient {
   isPgAvailable() {
     return !!this.options.databaseUrl;
   }
+  /**
+   * Checks if the execute_sql RPC function is available.
+   */
+  isRpcAvailable() {
+    return this.rpcFunctionExists;
+  }
 };
 // src/tools/list_tables.ts
@@ -405,32 +441,36 @@ var listTablesTool = {
   // Use explicit types for input and context
   execute: async (input, context) => {
     const client = context.selfhostedClient;
-    const listTablesSql = `
-            SELECT
-                n.nspname as schema,
-                c.relname as name,
-                pgd.description as comment
-            FROM
-                pg_catalog.pg_class c
-            JOIN
-                pg_catalog.pg_namespace n ON n.oid = c.relnamespace
-            LEFT JOIN
-                pg_catalog.pg_description pgd ON pgd.objoid = c.oid AND pgd.objsubid = 0
-            WHERE
-                c.relkind = 'r' -- r = ordinary table
-                AND n.nspname NOT IN ('pg_catalog', 'information_schema', 'pg_toast')
-                AND n.nspname NOT LIKE 'pg_temp_%'
-                AND n.nspname NOT LIKE 'pg_toast_temp_%'
-                 -- Exclude Supabase internal schemas
-                AND n.nspname NOT IN ('auth', 'storage', 'extensions', 'graphql', 'graphql_public', 'pgbouncer', 'realtime', 'supabase_functions', 'supabase_migrations', '_realtime')
-                AND has_schema_privilege(n.oid, 'USAGE')
-                AND has_table_privilege(c.oid, 'SELECT')
-            ORDER BY
-                n.nspname,
-                c.relname
-        `;
-    const result = await executeSqlWithFallback(client, listTablesSql, true);
-    return handleSqlResponse(result, ListTablesOutputSchema);
+    console.error("Listing tables using Supabase REST API introspection...");
+    try {
+      if (client.isPgAvailable() || client.isRpcAvailable()) {
+        const listTablesSql = `
+                    SELECT
+                        table_schema as schema,
+                        table_name as name,
+                        NULL as comment
+                    FROM
+                        information_schema.tables
+                    WHERE
+                        table_type = 'BASE TABLE'
+                        AND table_schema NOT IN ('pg_catalog', 'information_schema', 'pg_toast')
+                        AND table_schema NOT LIKE 'pg_temp_%'
+                        AND table_schema NOT LIKE 'pg_toast_temp_%'
+                        AND table_schema NOT IN ('auth', 'storage', 'extensions', 'graphql', 'graphql_public', 'pgbouncer', 'realtime', 'supabase_functions', 'supabase_migrations', '_realtime')
+                    ORDER BY
+                        table_schema,
+                        table_name
+                `;
+        const result = await executeSqlWithFallback(client, listTablesSql, true);
+        return handleSqlResponse(result, ListTablesOutputSchema);
+      }
+      context.log("Cannot list tables: requires either direct database access (DATABASE_URL) or execute_sql RPC function", "error");
+      throw new Error("Cannot list tables: requires either direct database access (DATABASE_URL) or execute_sql RPC function. Please provide DATABASE_URL or install the execute_sql RPC function in your Supabase instance.");
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      context.log(`Error listing tables: ${errorMessage}`, "error");
+      throw error;
+    }
   }
 };
@@ -538,7 +578,7 @@ var mcpInputSchema4 = {
 };
 var applyMigrationTool = {
   name: "apply_migration",
-  description: "Applies a SQL migration script and records it in the supabase_migrations.schema_migrations table within a transaction.",
+  description: "Applies a SQL migration script and records it in the supabase_migrations.schema_migrations table within a transaction. Requires direct database connection (DATABASE_URL).",
   inputSchema: ApplyMigrationInputSchema,
   mcpInputSchema: mcpInputSchema4,
   outputSchema: ApplyMigrationOutputSchema,
@@ -1105,32 +1145,37 @@ var listAuthUsersTool = {
   execute: async (input, context) => {
     const client = context.selfhostedClient;
     const { limit, offset } = input;
-    if (!client.isPgAvailable()) {
-      context.log("Direct database connection (DATABASE_URL) is required to list auth users.", "error");
-      throw new Error("Direct database connection (DATABASE_URL) is required to list auth users.");
+    console.error("Listing auth users using Supabase Admin API...");
+    try {
+      const { data, error } = await client.supabase.auth.admin.listUsers({
+        page: Math.floor(offset / limit) + 1,
+        perPage: limit
+      });
+      if (error) {
+        context.log(`Error listing users: ${error.message}`, "error");
+        throw new Error(`Failed to list users: ${error.message}`);
+      }
+      if (!data || !data.users) {
+        context.log("No users found or invalid response", "warning");
+        return [];
+      }
+      const users = data.users.map((user) => ({
+        id: user.id,
+        email: user.email || null,
+        role: user.role || null,
+        created_at: user.created_at || null,
+        last_sign_in_at: user.last_sign_in_at || null,
+        raw_app_meta_data: user.app_metadata || null,
+        raw_user_meta_data: user.user_metadata || null
+      }));
+      console.error(`Found ${users.length} users.`);
+      context.log(`Found ${users.length} users.`);
+      return ListAuthUsersOutputSchema.parse(users);
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      context.log(`Error listing users: ${errorMessage}`, "error");
+      throw error;
     }
-    const listUsersSql = `
-            SELECT
-                id,
-                email,
-                role,
-                raw_app_meta_data,
-                raw_user_meta_data,
-                created_at::text, -- Cast timestamp to text for JSON
-                last_sign_in_at::text -- Cast timestamp to text for JSON
-            FROM
-                auth.users
-            ORDER BY
-                created_at DESC
-            LIMIT ${limit}
-            OFFSET ${offset}
-        `;
-    console.error("Attempting to list auth users using direct DB connection...");
-    const result = await client.executeSqlWithPg(listUsersSql);
-    const validatedUsers = handleSqlResponse(result, ListAuthUsersOutputSchema);
-    console.error(`Found ${validatedUsers.length} users.`);
-    context.log(`Found ${validatedUsers.length} users.`);
-    return validatedUsers;
   }
 };
@@ -1171,43 +1216,33 @@ var getAuthUserTool = {
   execute: async (input, context) => {
     const client = context.selfhostedClient;
     const { user_id } = input;
-    if (!client.isPgAvailable()) {
-      context.log("Direct database connection (DATABASE_URL) is required to get auth user details.", "error");
-      throw new Error("Direct database connection (DATABASE_URL) is required to get auth user details.");
-    }
-    const sql = `
-            SELECT
-                id,
-                email,
-                role,
-                raw_app_meta_data,
-                raw_user_meta_data,
-                created_at::text,
-                last_sign_in_at::text
-            FROM auth.users
-            WHERE id = $1
-        `;
-    const params = [user_id];
-    console.error(`Attempting to get auth user ${user_id} using direct DB connection...`);
-    const user = await client.executeTransactionWithPg(async (pgClient) => {
-      const result = await pgClient.query(sql, params);
-      if (result.rows.length === 0) {
-        throw new Error(`User with ID ${user_id} not found.`);
+    console.error(`Getting auth user ${user_id} using Supabase Admin API...`);
+    try {
+      const { data, error } = await client.supabase.auth.admin.getUserById(user_id);
+      if (error) {
+        context.log(`Error getting user: ${error.message}`, "error");
+        throw new Error(`Failed to get user: ${error.message}`);
       }
-      try {
-        const singleUser = AuthUserZodSchema2.parse(result.rows[0]);
-        return singleUser;
-      } catch (validationError) {
-        if (validationError instanceof z16.ZodError) {
-          console.error("Zod validation failed:", validationError.errors);
-          throw new Error(`Output validation failed: ${validationError.errors.map((e) => `${e.path.join(".")}: ${e.message}`).join(", ")}`);
-        }
-        throw validationError;
+      if (!data || !data.user) {
+        throw new Error(`User with ID ${user_id} not found.`);
       }
-    });
-    console.error(`Found user ${user_id}.`);
-    context.log(`Found user ${user_id}.`);
-    return user;
+      const user = {
+        id: data.user.id,
+        email: data.user.email || null,
+        role: data.user.role || null,
+        created_at: data.user.created_at || null,
+        last_sign_in_at: data.user.last_sign_in_at || null,
+        raw_app_meta_data: data.user.app_metadata || null,
+        raw_user_meta_data: data.user.user_metadata || null
+      };
+      console.error(`Found user ${user_id}.`);
+      context.log(`Found user ${user_id}.`);
+      return AuthUserZodSchema2.parse(user);
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      context.log(`Error getting user: ${errorMessage}`, "error");
+      throw error;
+    }
   }
 };
@@ -1233,37 +1268,34 @@ var mcpInputSchema16 = {
 };
 var deleteAuthUserTool = {
   name: "delete_auth_user",
-  description: "Deletes a user from auth.users by their ID. Requires service_role key and direct DB connection.",
+  description: "Deletes a user using Supabase Admin API. Requires service role key.",
   inputSchema: DeleteAuthUserInputSchema,
   mcpInputSchema: mcpInputSchema16,
   outputSchema: DeleteAuthUserOutputSchema,
   execute: async (input, context) => {
     const client = context.selfhostedClient;
     const { user_id } = input;
-    if (!client.isPgAvailable()) {
-      throw new Error("Direct database connection (DATABASE_URL) is required for deleting users but is not configured or available.");
+    if (!client) {
+      throw new Error("Supabase client is not initialized.");
     }
+    context.log(`Deleting user ${user_id} using Supabase Admin API...`, "info");
     try {
-      const result = await client.executeTransactionWithPg(async (pgClient) => {
-        const deleteResult = await pgClient.query(
-          "DELETE FROM auth.users WHERE id = $1",
-          [user_id]
-        );
-        return deleteResult;
-      });
-      if (result.rowCount === 1) {
+      const { error } = await client.supabase.auth.admin.deleteUser(user_id);
+      if (error) {
+        context.log(`Error deleting user: ${error.message}`, "error");
         return {
-          success: true,
-          message: `Successfully deleted user with ID: ${user_id}`
+          success: false,
+          message: `Failed to delete user: ${error.message}`
         };
       }
+      context.log(`User ${user_id} deleted successfully`, "info");
       return {
-        success: false,
-        message: `User with ID ${user_id} not found or could not be deleted.`
+        success: true,
+        message: `Successfully deleted user with ID: ${user_id}`
       };
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : String(error);
-      console.error(`Error deleting user ${user_id}:`, errorMessage);
+      context.log(`Error deleting user ${user_id}: ${errorMessage}`, "error");
       throw new Error(`Failed to delete user ${user_id}: ${errorMessage}`);
     }
   }
@@ -1302,80 +1334,48 @@ var mcpInputSchema17 = {
 };
 var createAuthUserTool = {
   name: "create_auth_user",
-  description: "Creates a new user directly in auth.users. WARNING: Requires plain password, insecure. Use with extreme caution.",
+  description: "Creates a new user using Supabase Admin API. Requires service role key.",
   inputSchema: CreateAuthUserInputSchema,
   mcpInputSchema: mcpInputSchema17,
-  // Ensure defined above
   outputSchema: CreatedAuthUserZodSchema,
   execute: async (input, context) => {
     const client = context.selfhostedClient;
     const { email, password, role, app_metadata, user_metadata } = input;
-    if (!client.isPgAvailable()) {
-      context.log("Direct database connection (DATABASE_URL) is required to create an auth user directly.", "error");
-      throw new Error("Direct database connection (DATABASE_URL) is required to create an auth user directly.");
+    if (!client) {
+      throw new Error("Supabase client is not initialized.");
     }
-    console.warn(`SECURITY WARNING: Creating user ${email} with plain text password via direct DB insert.`);
-    context.log(`Attempting to create user ${email}...`, "warn");
-    const createdUser = await client.executeTransactionWithPg(async (pgClient) => {
-      try {
-        await pgClient.query("SELECT crypt('test', gen_salt('bf'))");
-      } catch (err) {
-        throw new Error("Failed to execute crypt function. Ensure pgcrypto extension is enabled in the database.");
-      }
-      const sql = `
-                INSERT INTO auth.users (
-                    instance_id, email, encrypted_password, role,
-                    raw_app_meta_data, raw_user_meta_data,
-                    aud, email_confirmed_at, confirmation_sent_at -- Set required defaults
-                )
-                VALUES (
-                    COALESCE(current_setting('app.instance_id', TRUE), '00000000-0000-0000-0000-000000000000')::uuid,
-                    $1, crypt($2, gen_salt('bf')),
-                    $3,
-                    $4::jsonb,
-                    $5::jsonb,
-                    'authenticated', now(), now()
-                )
-                RETURNING id, email, role, raw_app_meta_data, raw_user_meta_data, created_at::text, last_sign_in_at::text;
-            `;
-      const params = [
+    context.log(`Creating user ${email} using Supabase Admin API...`, "info");
+    try {
+      const { data, error } = await client.supabase.auth.admin.createUser({
         email,
         password,
-        role || "authenticated",
-        // Default role
-        JSON.stringify(app_metadata || {}),
-        JSON.stringify(user_metadata || {})
-      ];
-      try {
-        const result = await pgClient.query(sql, params);
-        if (result.rows.length === 0) {
-          throw new Error("User creation failed, no user returned after insert.");
-        }
-        return CreatedAuthUserZodSchema.parse(result.rows[0]);
-      } catch (dbError) {
-        let errorMessage = "Unknown database error during user creation";
-        let isUniqueViolation = false;
-        if (typeof dbError === "object" && dbError !== null && "code" in dbError) {
-          if (dbError.code === "23505") {
-            isUniqueViolation = true;
-            errorMessage = `User creation failed: Email '${email}' likely already exists.`;
-          } else if ("message" in dbError && typeof dbError.message === "string") {
-            errorMessage = `Database error (${dbError.code}): ${dbError.message}`;
-          } else {
-            errorMessage = `Database error code: ${dbError.code}`;
-          }
-        } else if (dbError instanceof Error) {
-          errorMessage = `Database error during user creation: ${dbError.message}`;
-        } else {
-          errorMessage = `Database error during user creation: ${String(dbError)}`;
-        }
-        console.error("Error creating user in DB:", dbError);
-        throw new Error(errorMessage);
+        email_confirm: true,
+        // Auto-confirm email
+        user_metadata: user_metadata || {},
+        app_metadata: app_metadata || {}
+      });
+      if (error) {
+        context.log(`Error creating user: ${error.message}`, "error");
+        throw new Error(`Failed to create user: ${error.message}`);
       }
-    });
-    console.error(`Successfully created user ${email} with ID ${createdUser.id}.`);
-    context.log(`Successfully created user ${email} with ID ${createdUser.id}.`);
-    return createdUser;
+      if (!data.user) {
+        throw new Error("User creation succeeded but no user data returned");
+      }
+      context.log(`User ${email} created successfully with ID: ${data.user.id}`, "info");
+      return {
+        id: data.user.id,
+        email: data.user.email || null,
+        role: data.user.role || role || "authenticated",
+        created_at: data.user.created_at || null,
+        last_sign_in_at: data.user.last_sign_in_at || null,
+        raw_app_meta_data: data.user.app_metadata || null,
+        raw_user_meta_data: data.user.user_metadata || null
+      };
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      context.log(`Error creating user: ${errorMessage}`, "error");
+      throw error;
+    }
   }
 };
@@ -1417,95 +1417,63 @@ var mcpInputSchema18 = {
 };
 var updateAuthUserTool = {
   name: "update_auth_user",
-  description: "Updates fields for a user in auth.users. WARNING: Password handling is insecure. Requires service_role key and direct DB connection.",
+  description: "Updates fields for a user using Supabase Admin API. Requires service role key.",
   inputSchema: UpdateAuthUserInputSchema,
   mcpInputSchema: mcpInputSchema18,
-  // Ensure defined
   outputSchema: UpdatedAuthUserZodSchema,
   execute: async (input, context) => {
     const client = context.selfhostedClient;
     const { user_id, email, password, role, app_metadata, user_metadata } = input;
-    if (!client.isPgAvailable()) {
-      context.log("Direct database connection (DATABASE_URL) is required to update auth user details.", "error");
-      throw new Error("Direct database connection (DATABASE_URL) is required to update auth user details.");
-    }
-    const updates = [];
-    const params = [];
-    let paramIndex = 1;
-    if (email !== void 0) {
-      updates.push(`email = $${paramIndex++}`);
-      params.push(email);
-    }
-    if (password !== void 0) {
-      updates.push(`encrypted_password = crypt($${paramIndex++}, gen_salt('bf'))`);
-      params.push(password);
-      console.warn(`SECURITY WARNING: Updating password for user ${user_id} with plain text password via direct DB update.`);
-    }
-    if (role !== void 0) {
-      updates.push(`role = $${paramIndex++}`);
-      params.push(role);
-    }
-    if (app_metadata !== void 0) {
-      updates.push(`raw_app_meta_data = $${paramIndex++}::jsonb`);
-      params.push(JSON.stringify(app_metadata));
-    }
-    if (user_metadata !== void 0) {
-      updates.push(`raw_user_meta_data = $${paramIndex++}::jsonb`);
-      params.push(JSON.stringify(user_metadata));
-    }
-    params.push(user_id);
-    const userIdParamIndex = paramIndex;
-    const sql = `
-            UPDATE auth.users
-            SET ${updates.join(", ")}, updated_at = NOW()
-            WHERE id = $${userIdParamIndex}
-            RETURNING id, email, role, raw_app_meta_data, raw_user_meta_data, created_at::text, updated_at::text, last_sign_in_at::text;
-        `;
-    console.error(`Attempting to update auth user ${user_id}...`);
-    context.log(`Attempting to update auth user ${user_id}...`);
-    const updatedUser = await client.executeTransactionWithPg(async (pgClient) => {
+    if (!client) {
+      throw new Error("Supabase client is not initialized.");
+    }
+    context.log(`Updating user ${user_id} using Supabase Admin API...`, "info");
+    try {
+      const updateAttributes = {};
+      if (email !== void 0) {
+        updateAttributes.email = email;
+      }
       if (password !== void 0) {
-        try {
-          await pgClient.query("SELECT crypt('test', gen_salt('bf'))");
-        } catch (err) {
-          throw new Error("Failed to execute crypt function for password update. Ensure pgcrypto extension is enabled.");
-        }
+        updateAttributes.password = password;
       }
-      try {
-        const result = await pgClient.query(sql, params);
-        if (result.rows.length === 0) {
-          throw new Error(`User update failed: User with ID ${user_id} not found or no rows affected.`);
-        }
-        return UpdatedAuthUserZodSchema.parse(result.rows[0]);
-      } catch (dbError) {
-        let errorMessage = "Unknown database error during user update";
-        let isUniqueViolation = false;
-        if (typeof dbError === "object" && dbError !== null && "code" in dbError) {
-          if (email !== void 0 && dbError.code === "23505") {
-            isUniqueViolation = true;
-            errorMessage = `User update failed: Email '${email}' likely already exists for another user.`;
-          } else if ("message" in dbError && typeof dbError.message === "string") {
-            errorMessage = `Database error (${dbError.code}): ${dbError.message}`;
-          } else {
-            errorMessage = `Database error code: ${dbError.code}`;
-          }
-        } else if (dbError instanceof Error) {
-          errorMessage = `Database error during user update: ${dbError.message}`;
-        } else {
-          errorMessage = `Database error during user update: ${String(dbError)}`;
-        }
-        console.error("Error updating user in DB:", dbError);
-        throw new Error(errorMessage);
+      if (user_metadata !== void 0) {
+        updateAttributes.user_metadata = user_metadata;
       }
-    });
-    console.error(`Successfully updated user ${user_id}.`);
-    context.log(`Successfully updated user ${user_id}.`);
-    return updatedUser;
+      if (app_metadata !== void 0) {
+        updateAttributes.app_metadata = app_metadata;
+      }
+      const { data, error } = await client.supabase.auth.admin.updateUserById(
+        user_id,
+        updateAttributes
+      );
+      if (error) {
+        context.log(`Error updating user: ${error.message}`, "error");
+        throw new Error(`Failed to update user: ${error.message}`);
+      }
+      if (!data.user) {
+        throw new Error("User update succeeded but no user data returned");
+      }
+      context.log(`User ${user_id} updated successfully`, "info");
+      return {
+        id: data.user.id,
+        email: data.user.email || null,
+        role: data.user.role || role || null,
+        created_at: data.user.created_at || null,
+        updated_at: data.user.updated_at || null,
+        last_sign_in_at: data.user.last_sign_in_at || null,
+        raw_app_meta_data: data.user.app_metadata || null,
+        raw_user_meta_data: data.user.user_metadata || null
+      };
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      context.log(`Error updating user ${user_id}: ${errorMessage}`, "error");
+      throw error;
+    }
   }
 };
 // src/index.ts
-import { z as z24 } from "zod";
+import { z as z30 } from "zod";
 // src/tools/list_storage_buckets.ts
 import { z as z20 } from "zod";
@@ -1537,10 +1505,6 @@ var listStorageBucketsTool = {
   execute: async (input, context) => {
     const client = context.selfhostedClient;
     console.error("Listing storage buckets...");
-    if (!client.isPgAvailable()) {
-      context.log("Direct database connection (DATABASE_URL) is required to list storage buckets.", "error");
-      throw new Error("Direct database connection (DATABASE_URL) is required to list storage buckets.");
-    }
     const sql = `
             SELECT
                 id,
@@ -1554,8 +1518,17 @@ var listStorageBucketsTool = {
                 updated_at::text  -- Cast to text
             FROM storage.buckets;
         `;
-    console.error("Attempting to list storage buckets using direct DB connection...");
-    const result = await client.executeSqlWithPg(sql);
+    let result;
+    if (client.isRpcAvailable()) {
+      console.error("Listing storage buckets using execute_sql RPC function...");
+      result = await client.executeSqlViaRpc(sql);
+    } else if (client.isPgAvailable()) {
+      console.error("Listing storage buckets using direct DB connection...");
+      result = await client.executeSqlWithPg(sql);
+    } else {
+      context.log("Cannot list storage buckets: requires either direct database access (DATABASE_URL) or execute_sql RPC function.", "error");
+      throw new Error("Cannot list storage buckets: requires either direct database access (DATABASE_URL) or execute_sql RPC function.");
+    }
     const validatedBuckets = handleSqlResponse(result, ListStorageBucketsOutputSchema);
     console.error(`Found ${validatedBuckets.length} buckets.`);
     context.log(`Found ${validatedBuckets.length} buckets.`);
@@ -1610,43 +1583,43 @@ var listStorageObjectsTool = {
     const client = context.selfhostedClient;
     const { bucket_id, limit, offset, prefix } = input;
     console.error(`Listing objects for bucket ${bucket_id} (Prefix: ${prefix || "N/A"})...`);
-    if (!client.isPgAvailable()) {
-      context.log("Direct database connection (DATABASE_URL) is required to list storage objects.", "error");
-      throw new Error("Direct database connection (DATABASE_URL) is required to list storage objects.");
-    }
-    const objects = await client.executeTransactionWithPg(async (pgClient) => {
-      let sql = `
-                SELECT
-                    id,
-                    name,
-                    bucket_id,
-                    owner,
-                    version,
-                    metadata ->> 'mimetype' AS mimetype,
-                    metadata ->> 'size' AS size, -- Extract size from metadata
-                    metadata,
-                    created_at::text,
-                    updated_at::text,
-                    last_accessed_at::text
-                FROM storage.objects
-                WHERE bucket_id = $1
-            `;
-      const params = [bucket_id];
-      let paramIndex = 2;
-      if (prefix) {
-        sql += ` AND name LIKE $${paramIndex++}`;
-        params.push(`${prefix}%`);
-      }
-      sql += " ORDER BY name ASC NULLS FIRST";
-      sql += ` LIMIT $${paramIndex++}`;
-      params.push(limit);
-      sql += ` OFFSET $${paramIndex++}`;
-      params.push(offset);
-      sql += ";";
-      console.error("Executing parameterized SQL to list storage objects within transaction...");
-      const result = await pgClient.query(sql, params);
-      return handleSqlResponse(result.rows, ListStorageObjectsOutputSchema);
-    });
+    const escapeSqlString = (str) => {
+      return str.replace(/'/g, "''");
+    };
+    let sql = `
+            SELECT
+                id,
+                name,
+                bucket_id,
+                owner,
+                version,
+                metadata ->> 'mimetype' AS mimetype,
+                metadata ->> 'size' AS size,
+                metadata,
+                created_at::text,
+                updated_at::text,
+                last_accessed_at::text
+            FROM storage.objects
+            WHERE bucket_id = '${escapeSqlString(bucket_id)}'
+        `;
+    if (prefix) {
+      sql += ` AND name LIKE '${escapeSqlString(prefix)}%'`;
+    }
+    sql += " ORDER BY name ASC NULLS FIRST";
+    sql += ` LIMIT ${limit}`;
+    sql += ` OFFSET ${offset};`;
+    let result;
+    if (client.isRpcAvailable()) {
+      console.error("Listing storage objects using execute_sql RPC function...");
+      result = await client.executeSqlViaRpc(sql);
+    } else if (client.isPgAvailable()) {
+      console.error("Listing storage objects using direct DB connection...");
+      result = await client.executeSqlWithPg(sql);
+    } else {
+      context.log("Cannot list storage objects: requires either direct database access (DATABASE_URL) or execute_sql RPC function.", "error");
+      throw new Error("Cannot list storage objects: requires either direct database access (DATABASE_URL) or execute_sql RPC function.");
+    }
+    const objects = handleSqlResponse(result, ListStorageObjectsOutputSchema);
     console.error(`Found ${objects.length} objects.`);
     context.log(`Found ${objects.length} objects.`);
     return objects;
@@ -1685,10 +1658,6 @@ var listRealtimePublicationsTool = {
   execute: async (input, context) => {
     const client = context.selfhostedClient;
     console.error("Listing Realtime publications...");
-    if (!client.isPgAvailable()) {
-      context.log("Direct database connection (DATABASE_URL) is required to list publications.", "error");
-      throw new Error("Direct database connection (DATABASE_URL) is required to list publications.");
-    }
     const sql = `
             SELECT
                 oid,
@@ -1702,8 +1671,17 @@ var listRealtimePublicationsTool = {
                 pubviaroot
             FROM pg_catalog.pg_publication;
         `;
-    console.error("Attempting to list publications using direct DB connection...");
-    const result = await client.executeSqlWithPg(sql);
+    let result;
+    if (client.isRpcAvailable()) {
+      console.error("Listing publications using execute_sql RPC function...");
+      result = await client.executeSqlViaRpc(sql);
+    } else if (client.isPgAvailable()) {
+      console.error("Listing publications using direct DB connection...");
+      result = await client.executeSqlWithPg(sql);
+    } else {
+      context.log("Cannot list publications: requires either direct database access (DATABASE_URL) or execute_sql RPC function.", "error");
+      throw new Error("Cannot list publications: requires either direct database access (DATABASE_URL) or execute_sql RPC function.");
+    }
     const validatedPublications = handleSqlResponse(result, ListRealtimePublicationsOutputSchema);
     console.error(`Found ${validatedPublications.length} publications.`);
     context.log(`Found ${validatedPublications.length} publications.`);
@@ -1712,6 +1690,256 @@ var listRealtimePublicationsTool = {
 };
 var list_realtime_publications_default = listRealtimePublicationsTool;
+// src/tools/install_execute_sql_function.ts
+import { z as z23 } from "zod";
+import { zodToJsonSchema } from "zod-to-json-schema";
+var InstallExecuteSqlFunctionInputZodSchema = z23.object({});
+var InstallExecuteSqlFunctionOutputZodSchema = z23.object({
+  success: z23.boolean(),
+  message: z23.string()
+});
+var CREATE_EXECUTE_SQL_FUNCTION = `
+CREATE OR REPLACE FUNCTION public.execute_sql(query text, read_only boolean DEFAULT true)
+RETURNS jsonb
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = public
+AS $$
+DECLARE
+    result jsonb;
+BEGIN
+    -- Execute query and convert result to JSON
+    IF read_only THEN
+        -- Read-only query
+        EXECUTE 'SELECT COALESCE(jsonb_agg(row_to_json(t)), ''[]''::jsonb) FROM (' || query || ') t' INTO result;
+    ELSE
+        -- Write query (INSERT/UPDATE/DELETE)
+        EXECUTE query;
+        result := '[]'::jsonb;
+    END IF;
+    RETURN COALESCE(result, '[]'::jsonb);
+EXCEPTION
+    WHEN OTHERS THEN
+        -- Return error information
+        RETURN jsonb_build_object(
+            'error', SQLERRM,
+            'code', SQLSTATE
+        );
+END;
+$$;
+`;
+var GRANT_EXECUTE_SQL_FUNCTION = `
+GRANT EXECUTE ON FUNCTION public.execute_sql(text, boolean) TO anon, authenticated, service_role;
+`;
+var NOTIFY_POSTGREST = `NOTIFY pgrst, 'reload schema';`;
+async function execute(input, context) {
+  const client = context.selfhostedClient;
+  context.log("Installing execute_sql RPC function...", "info");
+  try {
+    const supabaseUrl = client.getSupabaseUrl();
+    const serviceKey = client.getServiceRoleKey();
+    if (!serviceKey) {
+      throw new Error("Service role key is required to install the execute_sql function");
+    }
+    const postgresMetaUrl = `${supabaseUrl}/pg/query`;
+    context.log("Creating execute_sql function...", "info");
+    const createResponse = await fetch(postgresMetaUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "apikey": serviceKey
+      },
+      body: JSON.stringify({ query: CREATE_EXECUTE_SQL_FUNCTION })
+    });
+    if (!createResponse.ok) {
+      const errorText = await createResponse.text();
+      throw new Error(`Failed to create function: ${createResponse.status} ${errorText}`);
+    }
+    context.log("Granting permissions...", "info");
+    const grantResponse = await fetch(postgresMetaUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "apikey": serviceKey
+      },
+      body: JSON.stringify({ query: GRANT_EXECUTE_SQL_FUNCTION })
+    });
+    if (!grantResponse.ok) {
+      const errorText = await grantResponse.text();
+      throw new Error(`Failed to grant permissions: ${grantResponse.status} ${errorText}`);
+    }
+    context.log("Notifying PostgREST to reload schema...", "info");
+    const notifyResponse = await fetch(postgresMetaUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "apikey": serviceKey
+      },
+      body: JSON.stringify({ query: NOTIFY_POSTGREST })
+    });
+    if (!notifyResponse.ok) {
+      const errorText = await notifyResponse.text();
+      console.error(`Warning: Failed to notify PostgREST: ${notifyResponse.status} ${errorText}`);
+    }
+    context.log("execute_sql function installed successfully!", "info");
+    context.log("You may need to wait a few seconds for PostgREST to reload the schema.", "info");
+    return {
+      success: true,
+      message: "execute_sql function installed successfully. You can now use tools that require SQL execution (list_tables, execute_sql, etc.)."
+    };
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    context.log(`Error installing execute_sql function: ${errorMessage}`, "error");
+    throw new Error(`Failed to install execute_sql function: ${errorMessage}`);
+  }
+}
+var installExecuteSqlFunctionTool = {
+  name: "install_execute_sql_function",
+  description: "Install the execute_sql RPC function in the connected Supabase instance. This function is required for tools that need to execute SQL queries (list_tables, list_extensions, execute_sql, etc.). This tool uses the postgres-meta API and does not require direct database access.",
+  inputSchema: InstallExecuteSqlFunctionInputZodSchema,
+  mcpInputSchema: zodToJsonSchema(InstallExecuteSqlFunctionInputZodSchema),
+  outputSchema: InstallExecuteSqlFunctionOutputZodSchema,
+  execute
+};
+var install_execute_sql_function_default = installExecuteSqlFunctionTool;
+// src/tools/search_docs.ts
+import { z as z24 } from "zod";
+// src/integrations/content-api-client.ts
+var SupabaseDocsApiClient = class {
+  schemaCache = null;
+  graphqlEndpoint;
+  constructor(baseUrl = "https://supabase.com/docs/api/graphql") {
+    this.graphqlEndpoint = baseUrl;
+  }
+  /**
+   * Load the GraphQL schema for Supabase documentation
+   * Results are cached to avoid repeated requests
+   */
+  async loadSchema() {
+    if (this.schemaCache) {
+      console.error("Using cached GraphQL schema");
+      return this.schemaCache;
+    }
+    console.error(`Fetching GraphQL schema from ${this.graphqlEndpoint}...`);
+    try {
+      const response = await fetch(this.graphqlEndpoint, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Accept": "application/json"
+        },
+        body: JSON.stringify({
+          query: "{ schema }"
+        })
+      });
+      if (!response.ok) {
+        throw new Error(`Failed to fetch schema: ${response.status} ${response.statusText}`);
+      }
+      const result = await response.json();
+      if (result.errors) {
+        throw new Error(
+          `GraphQL errors: ${result.errors.map((e) => e.message).join(", ")}`
+        );
+      }
+      if (!result.data || !result.data.schema) {
+        throw new Error("Schema not found in GraphQL response");
+      }
+      this.schemaCache = result.data.schema;
+      console.error("GraphQL schema loaded and cached successfully");
+      return this.schemaCache;
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      console.error(`Error loading GraphQL schema: ${errorMessage}`);
+      throw new Error(`Failed to load Supabase documentation schema: ${errorMessage}`);
+    }
+  }
+  /**
+   * Execute a GraphQL query against Supabase documentation
+   */
+  async query(params) {
+    console.error(`Executing GraphQL query against Supabase docs...`);
+    console.error(`Query string: ${params.query}`);
+    const requestBody = {
+      query: params.query
+    };
+    console.error(`Request body: ${JSON.stringify(requestBody)}`);
+    try {
+      const response = await fetch(this.graphqlEndpoint, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Accept": "application/json"
+        },
+        body: JSON.stringify(requestBody)
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`GraphQL query failed: ${response.status} ${response.statusText} - ${errorText}`);
+      }
+      const result = await response.json();
+      if (result.errors && Array.isArray(result.errors) && result.errors.length > 0) {
+        const errorMessages = result.errors.map((err) => err.message).join(", ");
+        throw new Error(`GraphQL errors: ${errorMessages}`);
+      }
+      console.error("GraphQL query executed successfully");
+      return result;
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      console.error(`Error executing GraphQL query: ${errorMessage}`);
+      throw new Error(`Failed to query Supabase documentation: ${errorMessage}`);
+    }
+  }
+};
+function createContentApiClient(baseUrl) {
+  return new SupabaseDocsApiClient(baseUrl);
+}
+// src/tools/search_docs.ts
+var SearchDocsInputSchema = z24.object({
+  graphql_query: z24.string().describe("GraphQL query string to search Supabase documentation")
+});
+var SearchDocsOutputSchema = z24.any().describe("GraphQL query results from Supabase documentation");
+var mcpInputSchema22 = {
+  type: "object",
+  properties: {
+    graphql_query: {
+      type: "string",
+      description: "GraphQL query string to search Supabase documentation. Must be a valid GraphQL query."
+    }
+  },
+  required: ["graphql_query"]
+};
+var searchDocsTool = {
+  name: "search_docs",
+  description: `Search the Supabase official documentation using GraphQL. Must be a valid GraphQL query.
+You should default to calling this even if you think you already know the answer, since the documentation is always being updated.
+This tool queries the official Supabase documentation to help users understand Supabase features, APIs, and best practices.`,
+  inputSchema: SearchDocsInputSchema,
+  mcpInputSchema: mcpInputSchema22,
+  outputSchema: SearchDocsOutputSchema,
+  execute: async (input, context) => {
+    context.log(`Raw input type: ${typeof input}`, "info");
+    context.log(`Raw input: ${JSON.stringify(input)}`, "info");
+    const { graphql_query } = input;
+    context.log("Searching Supabase documentation...", "info");
+    context.log(`GraphQL query type: ${typeof graphql_query}`, "info");
+    context.log(`GraphQL query: ${graphql_query.substring(0, 100)}...`, "info");
+    try {
+      const contentApiClient = createContentApiClient();
+      const result = await contentApiClient.query({ query: graphql_query });
+      context.log("Documentation search completed successfully", "info");
+      return result;
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      context.log(`Error searching documentation: ${errorMessage}`, "error");
+      throw new Error(`Failed to search Supabase documentation: ${errorMessage}`);
+    }
+  }
+};
 // src/index.ts
 import * as fs from "node:fs";
 import * as path from "node:path";
@@ -1829,16 +2057,16 @@ async function createRagAgentClient(config) {
 }
 // src/integrations/rag-agent-tools.ts
-import { z as z23 } from "zod";
+import { z as z25 } from "zod";
 function wrapRagAgentTool(ragTool, ragClient) {
-  const inputSchema2 = z23.any();
+  const inputSchema2 = z25.any();
   return {
     name: `rag_${ragTool.name}`,
     // Prefix with 'rag_' to avoid naming conflicts
     description: ragTool.description || `RAG Agent tool: ${ragTool.name}`,
     inputSchema: inputSchema2,
     mcpInputSchema: ragTool.inputSchema,
-    outputSchema: z23.any(),
+    outputSchema: z25.any(),
     execute: async (input, context) => {
       context.log(`Calling RAG Agent tool: ${ragTool.name}`, "info");
       try {
@@ -1862,48 +2090,464 @@ function wrapAllRagAgentTools(ragClient) {
   return wrappedTools;
 }
+// src/aliyun/client.ts
+import RdsAiPkg from "@alicloud/rdsai20250507/dist/client.js";
+import * as $RdsAi from "@alicloud/rdsai20250507";
+var RdsAiClient = RdsAiPkg.default || RdsAiPkg;
+var AliyunRdsAiClient = class {
+  client;
+  // RdsAi Client instance
+  config;
+  constructor(config) {
+    this.config = config;
+    const openApiConfig = {
+      accessKeyId: config.accessKeyId,
+      accessKeySecret: config.accessKeySecret,
+      endpoint: config.endpoint || "rdsai.aliyuncs.com"
+    };
+    this.client = new RdsAiClient(openApiConfig);
+  }
+  /**
+   * List all Supabase instances
+   */
+  async listSupabaseInstances(options) {
+    const request = new $RdsAi.DescribeAppInstancesRequest({
+      appType: "supabase",
+      regionId: options?.regionId || this.config.regionId,
+      DBInstanceName: options?.dbInstanceName,
+      pageSize: options?.pageSize || 50,
+      pageNumber: options?.pageNumber || 1
+    });
+    try {
+      const response = await this.client.describeAppInstances(request);
+      if (!response.body) {
+        throw new Error("Empty response from DescribeAppInstances API");
+      }
+      const instances = (response.body.instances || []).map((inst) => ({
+        instanceName: inst.instanceName || inst.instance_name || "",
+        appType: inst.appType || inst.app_type || "supabase",
+        instanceMinorVersion: inst.instanceMinorVersion || inst.instance_minor_version || 0,
+        vSwitchId: inst.VSwitchId || inst.v_switch_id || "",
+        instanceClass: inst.instanceClass || inst.instance_class || "",
+        status: inst.status || "",
+        dbInstanceName: inst.DBInstanceName || inst.db_instance_name || "",
+        regionId: inst.regionId || inst.region_id || "",
+        appName: inst.appName || inst.app_name || "",
+        publicConnectionString: inst.publicConnectionString || inst.public_connection_string || inst.publicUrl || inst.public_url || "",
+        vpcConnectionString: inst.vpcConnectionString || inst.vpc_connection_string || inst.vpcUrl || inst.vpc_url || ""
+      }));
+      return {
+        requestId: response.body.requestId || "",
+        totalCount: response.body.totalCount || 0,
+        maxResults: response.body.maxResults || 0,
+        pageNumber: response.body.pageNumber || 1,
+        pageSize: response.body.pageSize || 0,
+        instances
+      };
+    } catch (error) {
+      console.error("Error calling DescribeAppInstances:", error);
+      throw new Error(`Failed to list Supabase instances: ${error instanceof Error ? error.message : String(error)}`);
+    }
+  }
+  /**
+   * Get authentication information for a specific instance
+   */
+  async getInstanceAuthInfo(instanceName) {
+    const request = new $RdsAi.DescribeInstanceAuthInfoRequest({
+      instanceName
+    });
+    try {
+      const response = await this.client.describeInstanceAuthInfo(request);
+      if (!response.body) {
+        throw new Error("Empty response from DescribeInstanceAuthInfo API");
+      }
+      return {
+        requestId: response.body.requestId || "",
+        instanceName: response.body.instanceName || "",
+        jwtSecret: response.body.jwtSecret || "",
+        apiKeys: {
+          anonKey: response.body.apiKeys?.anonKey || "",
+          serviceKey: response.body.apiKeys?.serviceKey || ""
+        },
+        configList: (response.body.configList || []).map((item) => ({
+          name: item.name || "",
+          value: item.value || ""
+        }))
+      };
+    } catch (error) {
+      console.error("Error calling DescribeInstanceAuthInfo:", error);
+      throw new Error(`Failed to get instance auth info: ${error instanceof Error ? error.message : String(error)}`);
+    }
+  }
+  /**
+   * Get complete credentials for a Supabase instance
+   */
+  async getSupabaseCredentials(instanceName, useVpc = false, regionId) {
+    const queryRegion = regionId || this.config.regionId;
+    const instancesResponse = await this.listSupabaseInstances({
+      regionId: queryRegion
+    });
+    const instance = instancesResponse.instances.find((inst) => inst.instanceName === instanceName);
+    if (!instance) {
+      throw new Error(`Instance ${instanceName} not found. Available instances: ${instancesResponse.instances.map((i) => i.instanceName).join(", ")}`);
+    }
+    const authInfo = await this.getInstanceAuthInfo(instanceName);
+    const connectionString = useVpc ? instance.vpcConnectionString : instance.publicConnectionString;
+    const supabaseUrl = connectionString.startsWith("http") ? connectionString : `http://${connectionString}`;
+    return {
+      instanceName,
+      supabaseUrl,
+      anonKey: authInfo.apiKeys.anonKey,
+      serviceKey: authInfo.apiKeys.serviceKey,
+      jwtSecret: authInfo.jwtSecret,
+      useVpc
+    };
+  }
+};
+function createAliyunClient(config) {
+  return new AliyunRdsAiClient(config);
+}
+// src/tools/aliyun/list_instances.ts
+import { z as z26 } from "zod";
+import { zodToJsonSchema as zodToJsonSchema2 } from "zod-to-json-schema";
+var ListInstancesInputZodSchema = z26.object({
+  region_id: z26.string().optional().describe("Region ID to filter instances (e.g., cn-beijing)"),
+  db_instance_name: z26.string().optional().describe("RDS PostgreSQL database instance ID to filter"),
+  page_size: z26.number().int().min(1).max(50).optional().default(50).describe("Number of results per page (1-50)"),
+  page_number: z26.number().int().min(1).optional().default(1).describe("Page number")
+});
+var InstanceInfoZodSchema = z26.object({
+  instance_name: z26.string(),
+  app_name: z26.string(),
+  status: z26.string(),
+  instance_class: z26.string(),
+  region_id: z26.string(),
+  public_url: z26.string(),
+  vpc_url: z26.string(),
+  db_instance_name: z26.string()
+});
+var ListInstancesOutputZodSchema = z26.object({
+  success: z26.boolean(),
+  total_count: z26.number(),
+  page_number: z26.number(),
+  page_size: z26.number(),
+  instances: z26.array(InstanceInfoZodSchema)
+});
+async function execute2(input, aliyunClient, log) {
+  if (!aliyunClient) {
+    throw new Error("Alibaba Cloud client is not initialized. Please provide --aliyun-ak and --aliyun-sk parameters.");
+  }
+  log("Fetching Supabase instances from Alibaba Cloud...", "info");
+  try {
+    const response = await aliyunClient.listSupabaseInstances({
+      regionId: input.region_id,
+      dbInstanceName: input.db_instance_name,
+      pageSize: input.page_size,
+      pageNumber: input.page_number
+    });
+    const instances = response.instances.map((inst) => ({
+      instance_name: inst.instanceName,
+      app_name: inst.appName,
+      status: inst.status,
+      instance_class: inst.instanceClass,
+      region_id: inst.regionId,
+      public_url: inst.publicConnectionString.startsWith("http") ? inst.publicConnectionString : `http://${inst.publicConnectionString}`,
+      vpc_url: inst.vpcConnectionString.startsWith("http") ? inst.vpcConnectionString : `http://${inst.vpcConnectionString}`,
+      db_instance_name: inst.dbInstanceName
+    }));
+    log(`Found ${instances.length} Supabase instance(s)`, "info");
+    return {
+      success: true,
+      total_count: response.totalCount,
+      page_number: response.pageNumber,
+      page_size: response.pageSize,
+      instances
+    };
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    log(`Error listing instances: ${errorMessage}`, "error");
+    throw error;
+  }
+}
+var listAliyunSupabaseInstancesTool = {
+  name: "list_aliyun_supabase_instances",
+  description: "List all Supabase instances from Alibaba Cloud RDS AI. Returns instance names, status, connection URLs, and other metadata. Use this tool to discover available Supabase instances before connecting.",
+  inputSchema: ListInstancesInputZodSchema,
+  mcpInputSchema: zodToJsonSchema2(ListInstancesInputZodSchema),
+  outputSchema: ListInstancesOutputZodSchema,
+  execute: execute2
+};
+var list_instances_default = listAliyunSupabaseInstancesTool;
+// src/tools/aliyun/connect_instance.ts
+import { z as z27 } from "zod";
+import { zodToJsonSchema as zodToJsonSchema3 } from "zod-to-json-schema";
+var ConnectInstanceInputZodSchema = z27.object({
+  instance_name: z27.string().describe("The instance name (e.g., ra-supabase-8moov5lxba****)"),
+  use_vpc: z27.boolean().optional().default(false).describe("Whether to use VPC connection instead of public connection")
+});
+var ConnectInstanceOutputZodSchema = z27.object({
+  success: z27.boolean(),
+  message: z27.string(),
+  instance_name: z27.string(),
+  supabase_url: z27.string(),
+  connection_type: z27.string()
+});
+async function execute3(input, aliyunClient, createSupabaseClient, setCurrentInstance, log) {
+  if (!aliyunClient) {
+    throw new Error("Alibaba Cloud client is not initialized. Please provide --aliyun-ak and --aliyun-sk parameters.");
+  }
+  log(`Connecting to Supabase instance: ${input.instance_name}...`, "info");
+  try {
+    const credentials = await aliyunClient.getSupabaseCredentials(input.instance_name, input.use_vpc);
+    log(`Retrieved credentials for instance ${input.instance_name}`, "info");
+    log(`Supabase URL: ${credentials.supabaseUrl}`, "info");
+    const supabaseClient = await createSupabaseClient(
+      credentials.supabaseUrl,
+      credentials.anonKey,
+      credentials.serviceKey,
+      credentials.jwtSecret
+    );
+    setCurrentInstance(input.instance_name, supabaseClient);
+    log(`Successfully connected to instance ${input.instance_name}`, "info");
+    return {
+      success: true,
+      message: `Successfully connected to Supabase instance ${input.instance_name}`,
+      instance_name: input.instance_name,
+      supabase_url: credentials.supabaseUrl,
+      connection_type: input.use_vpc ? "VPC" : "Public"
+    };
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    log(`Error connecting to instance: ${errorMessage}`, "error");
+    throw new Error(`Failed to connect to instance ${input.instance_name}: ${errorMessage}`);
+  }
+}
+var connectToSupabaseInstanceTool = {
+  name: "connect_to_supabase_instance",
+  description: "Connect to a specific Supabase instance by instance name. This tool fetches credentials from Alibaba Cloud and establishes a connection. After connecting, you can use all Supabase tools (list_tables, execute_sql, etc.).",
+  inputSchema: ConnectInstanceInputZodSchema,
+  mcpInputSchema: zodToJsonSchema3(ConnectInstanceInputZodSchema),
+  outputSchema: ConnectInstanceOutputZodSchema,
+  execute: execute3
+};
+var connect_instance_default = connectToSupabaseInstanceTool;
+// src/tools/aliyun/get_current_instance.ts
+import { z as z28 } from "zod";
+import { zodToJsonSchema as zodToJsonSchema4 } from "zod-to-json-schema";
+var GetCurrentInstanceInputZodSchema = z28.object({});
+var GetCurrentInstanceOutputZodSchema = z28.object({
+  connected: z28.boolean(),
+  instance_name: z28.string().optional(),
+  message: z28.string()
+});
+async function execute4(input, getCurrentInstanceName, log) {
+  const currentInstance = getCurrentInstanceName();
+  if (currentInstance) {
+    log(`Currently connected to instance: ${currentInstance}`, "info");
+    return {
+      connected: true,
+      instance_name: currentInstance,
+      message: `Connected to Supabase instance: ${currentInstance}`
+    };
+  } else {
+    log("Not connected to any Supabase instance", "info");
+    return {
+      connected: false,
+      message: "Not connected to any Supabase instance. Use connect_to_supabase_instance to connect."
+    };
+  }
+}
+var getCurrentSupabaseInstanceTool = {
+  name: "get_current_supabase_instance",
+  description: "Get information about the currently connected Supabase instance. Returns the instance name if connected, or a message indicating no connection.",
+  inputSchema: GetCurrentInstanceInputZodSchema,
+  mcpInputSchema: zodToJsonSchema4(GetCurrentInstanceInputZodSchema),
+  outputSchema: GetCurrentInstanceOutputZodSchema,
+  execute: execute4
+};
+var get_current_instance_default = getCurrentSupabaseInstanceTool;
+// src/tools/aliyun/disconnect_instance.ts
+import { z as z29 } from "zod";
+import { zodToJsonSchema as zodToJsonSchema5 } from "zod-to-json-schema";
+var DisconnectInstanceInputZodSchema = z29.object({});
+var DisconnectInstanceOutputZodSchema = z29.object({
+  success: z29.boolean(),
+  message: z29.string(),
+  previous_instance: z29.string().optional()
+});
+async function execute5(input, getCurrentInstanceName, clearCurrentInstance, log) {
+  const currentInstance = getCurrentInstanceName();
+  if (!currentInstance) {
+    log("No active connection to disconnect", "info");
+    return {
+      success: false,
+      message: "Not connected to any Supabase instance"
+    };
+  }
+  log(`Disconnecting from instance: ${currentInstance}`, "info");
+  clearCurrentInstance();
+  log("Disconnected successfully", "info");
+  return {
+    success: true,
+    message: `Successfully disconnected from instance ${currentInstance}`,
+    previous_instance: currentInstance
+  };
+}
+var disconnectSupabaseInstanceTool = {
+  name: "disconnect_supabase_instance",
+  description: "Disconnect from the currently connected Supabase instance. After disconnecting, you need to connect to an instance again before using Supabase tools.",
+  inputSchema: DisconnectInstanceInputZodSchema,
+  mcpInputSchema: zodToJsonSchema5(DisconnectInstanceInputZodSchema),
+  outputSchema: DisconnectInstanceOutputZodSchema,
+  execute: execute5
+};
+var disconnect_instance_default = disconnectSupabaseInstanceTool;
 // src/index.ts
 async function main() {
   const program = new Command();
-  program.name("self-hosted-supabase-mcp").description("MCP Server for self-hosted Supabase instances").option("--url <url>", "Supabase project URL", process.env.SUPABASE_URL).option("--anon-key <key>", "Supabase anonymous key", process.env.SUPABASE_ANON_KEY).option("--service-key <key>", "Supabase service role key (optional)", process.env.SUPABASE_SERVICE_ROLE_KEY).option("--db-url <url>", "Direct database connection string (optional, for pg fallback)", process.env.DATABASE_URL).option("--jwt-secret <secret>", "Supabase JWT secret (optional, needed for some tools)", process.env.SUPABASE_AUTH_JWT_SECRET).option("--workspace-path <path>", "Workspace root path (for file operations)", process.cwd()).option("--tools-config <path>", 'Path to a JSON file specifying which tools to enable (e.g., { "enabledTools": ["tool1", "tool2"] }). If omitted, all tools are enabled.').option("--enable-rag-agent", "Enable RAG Agent MCP integration (uses --url host:port and --anon-key as API key)", process.env.ENABLE_RAG_AGENT === "true").parse(process.argv);
+  program.name("self-hosted-supabase-mcp").description("MCP Server for self-hosted Supabase instances").option("--url <url>", "Supabase project URL (legacy mode)", process.env.SUPABASE_URL).option("--anon-key <key>", "Supabase anonymous key (legacy mode)", process.env.SUPABASE_ANON_KEY).option("--service-key <key>", "Supabase service role key (legacy mode, optional)", process.env.SUPABASE_SERVICE_ROLE_KEY).option("--db-url <url>", "Direct database connection string (optional, for pg fallback)", process.env.DATABASE_URL).option("--jwt-secret <secret>", "Supabase JWT secret (legacy mode, optional)", process.env.SUPABASE_AUTH_JWT_SECRET).option("--aliyun-ak <key>", "Alibaba Cloud Access Key ID", process.env.ALIYUN_ACCESS_KEY_ID).option("--aliyun-sk <secret>", "Alibaba Cloud Access Key Secret", process.env.ALIYUN_ACCESS_KEY_SECRET).option("--aliyun-region <region>", "Alibaba Cloud region (optional)", process.env.ALIYUN_REGION).option("--workspace-path <path>", "Workspace root path (for file operations)", process.cwd()).option("--tools-config <path>", 'Path to a JSON file specifying which tools to enable (e.g., { "enabledTools": ["tool1", "tool2"] }). If omitted, all tools are enabled.').option("--enable-rag-agent", "Enable RAG Agent MCP integration (uses --url host:port and --anon-key as API key)", process.env.ENABLE_RAG_AGENT === "true").parse(process.argv);
   const options = program.opts();
-  if (!options.url) {
-    console.error("Error: Supabase URL is required. Use --url or SUPABASE_URL.");
-    throw new Error("Supabase URL is required.");
+  const isAliyunMode = !!(options.aliyunAk && options.aliyunSk);
+  const isLegacyMode = !!(options.url && options.anonKey);
+  if (!isAliyunMode && !isLegacyMode) {
+    console.error("Error: Either Alibaba Cloud credentials (--aliyun-ak, --aliyun-sk) or legacy Supabase credentials (--url, --anon-key) are required.");
+    throw new Error("Missing required credentials.");
   }
-  if (!options.anonKey) {
-    console.error("Error: Supabase Anon Key is required. Use --anon-key or SUPABASE_ANON_KEY.");
-    throw new Error("Supabase Anon Key is required.");
+  if (isAliyunMode && isLegacyMode) {
+    console.error("Warning: Both Alibaba Cloud and legacy credentials provided. Using Alibaba Cloud mode.");
   }
   console.error("Initializing Self-Hosted Supabase MCP Server...");
   try {
-    const selfhostedClient = await SelfhostedSupabaseClient.create({
-      supabaseUrl: options.url,
-      supabaseAnonKey: options.anonKey,
-      supabaseServiceRoleKey: options.serviceKey,
-      databaseUrl: options.dbUrl,
-      jwtSecret: options.jwtSecret
-    });
-    console.error("Supabase client initialized successfully.");
+    let aliyunClient = null;
+    if (isAliyunMode) {
+      console.error("Alibaba Cloud mode enabled, initializing client...");
+      aliyunClient = createAliyunClient({
+        accessKeyId: options.aliyunAk,
+        accessKeySecret: options.aliyunSk,
+        regionId: options.aliyunRegion
+      });
+      console.error("Alibaba Cloud client initialized successfully.");
+    }
+    let selfhostedClient = null;
+    if (isLegacyMode && !isAliyunMode) {
+      selfhostedClient = await SelfhostedSupabaseClient.create({
+        supabaseUrl: options.url,
+        supabaseAnonKey: options.anonKey,
+        supabaseServiceRoleKey: options.serviceKey,
+        databaseUrl: options.dbUrl,
+        jwtSecret: options.jwtSecret
+      });
+      console.error("Supabase client initialized successfully (legacy mode).");
+    }
+    let currentInstanceName = null;
+    let currentSupabaseClient = selfhostedClient;
+    const getCurrentInstanceName = () => currentInstanceName;
+    const setCurrentInstance = (instanceName, client) => {
+      currentInstanceName = instanceName;
+      currentSupabaseClient = client;
+    };
+    const clearCurrentInstance = () => {
+      currentInstanceName = null;
+      currentSupabaseClient = null;
+    };
+    const createSupabaseClientDynamic = async (url, anonKey, serviceKey, jwtSecret) => {
+      return await SelfhostedSupabaseClient.create({
+        supabaseUrl: url,
+        supabaseAnonKey: anonKey,
+        supabaseServiceRoleKey: serviceKey,
+        databaseUrl: options.dbUrl,
+        jwtSecret
+      });
+    };
     let ragAgentClient = null;
-    if (options.enableRagAgent) {
+    const initializeRagAgent = async (supabaseClient) => {
+      if (!options.enableRagAgent) {
+        return null;
+      }
       try {
-        console.error("RAG Agent integration enabled, initializing...");
-        const urlObj = new URL(options.url);
+        console.error("Initializing RAG Agent client...");
+        const urlToUse = supabaseClient.getSupabaseUrl();
+        const anonKeyToUse = supabaseClient.getAnonKey();
+        const urlObj = new URL(urlToUse);
         const host = urlObj.hostname;
         const port = urlObj.port ? parseInt(urlObj.port, 10) : urlObj.protocol === "https:" ? 443 : 80;
-        ragAgentClient = await createRagAgentClient({
+        const client = await createRagAgentClient({
           host,
           port,
-          apiKey: options.anonKey
+          apiKey: anonKeyToUse
         });
         console.error("RAG Agent client initialized successfully.");
+        return client;
       } catch (error) {
         console.error("Failed to initialize RAG Agent client:", error);
         console.error("Continuing without RAG Agent integration...");
+        return null;
       }
+    };
+    if (options.enableRagAgent && isLegacyMode && selfhostedClient) {
+      ragAgentClient = await initializeRagAgent(selfhostedClient);
+    } else if (options.enableRagAgent && isAliyunMode) {
+      console.error("RAG Agent integration enabled.");
+      console.error("RAG Agent tools will be available after connecting to a Supabase instance.");
+    }
+    const wrappedAliyunTools = {};
+    if (isAliyunMode) {
+      wrappedAliyunTools[list_instances_default.name] = {
+        ...list_instances_default,
+        execute: async (input, context) => {
+          return await list_instances_default.execute(
+            input,
+            aliyunClient,
+            context.log
+          );
+        }
+      };
+      wrappedAliyunTools[connect_instance_default.name] = {
+        ...connect_instance_default,
+        execute: async (input, context) => {
+          const result = await connect_instance_default.execute(
+            input,
+            aliyunClient,
+            createSupabaseClientDynamic,
+            setCurrentInstance,
+            context.log
+          );
+          if (result.success && currentSupabaseClient && options.enableRagAgent && !ragAgentClient) {
+            ragAgentClient = await initializeRagAgent(currentSupabaseClient);
+          }
+          return result;
+        }
+      };
+      wrappedAliyunTools[get_current_instance_default.name] = {
+        ...get_current_instance_default,
+        execute: async (input, context) => {
+          return await get_current_instance_default.execute(
+            input,
+            getCurrentInstanceName,
+            context.log
+          );
+        }
+      };
+      wrappedAliyunTools[disconnect_instance_default.name] = {
+        ...disconnect_instance_default,
+        execute: async (input, context) => {
+          return await disconnect_instance_default.execute(
+            input,
+            getCurrentInstanceName,
+            clearCurrentInstance,
+            context.log
+          );
+        }
+      };
     }
     const availableTools = {
+      // Alibaba Cloud tools (if in Aliyun mode)
+      ...wrappedAliyunTools,
       // Cast here assumes tools will implement AppTool structure
       [listTablesTool.name]: listTablesTool,
       [listExtensionsTool.name]: listExtensionsTool,
@@ -1925,12 +2569,45 @@ async function main() {
       [updateAuthUserTool.name]: updateAuthUserTool,
       [list_storage_buckets_default.name]: list_storage_buckets_default,
       [list_storage_objects_default.name]: list_storage_objects_default,
-      [list_realtime_publications_default.name]: list_realtime_publications_default
+      [list_realtime_publications_default.name]: list_realtime_publications_default,
+      [install_execute_sql_function_default.name]: install_execute_sql_function_default,
+      [searchDocsTool.name]: searchDocsTool
     };
-    if (ragAgentClient) {
-      const ragTools = wrapAllRagAgentTools(ragAgentClient);
-      Object.assign(availableTools, ragTools);
-      console.error(`Added ${Object.keys(ragTools).length} RAG Agent tools to available tools.`);
+    if (options.enableRagAgent) {
+      if (ragAgentClient) {
+        const ragTools = wrapAllRagAgentTools(ragAgentClient);
+        Object.assign(availableTools, ragTools);
+        console.error(`Added ${Object.keys(ragTools).length} RAG Agent tools to available tools.`);
+      } else if (isAliyunMode) {
+        const dummyRagTools = await (async () => {
+          try {
+            const tempClient = await createRagAgentClient({
+              host: "localhost",
+              port: 80,
+              apiKey: "dummy"
+            });
+            const tools = wrapAllRagAgentTools(tempClient);
+            await tempClient.close();
+            return tools;
+          } catch (error) {
+            console.error("Warning: Could not create RAG Agent tool schemas:", error);
+            return {};
+          }
+        })();
+        for (const [toolName, tool] of Object.entries(dummyRagTools)) {
+          availableTools[toolName] = {
+            ...tool,
+            execute: async (input, context) => {
+              if (!ragAgentClient) {
+                throw new Error("RAG Agent is not initialized. Please connect to a Supabase instance first using connect_to_supabase_instance tool.");
+              }
+              const ragTools = wrapAllRagAgentTools(ragAgentClient);
+              return await ragTools[toolName].execute(input, context);
+            }
+          };
+        }
+        console.error(`Added ${Object.keys(dummyRagTools).length} RAG Agent tools (will be initialized after connection).`);
+      }
     }
     let registeredTools = { ...availableTools };
     const toolsConfigPath = options.toolsConfig;
@@ -2015,12 +2692,31 @@ async function main() {
         if (typeof tool.execute !== "function") {
           throw new Error(`Tool ${toolName} does not have an execute method.`);
         }
+        if (toolName === "search_docs") {
+          console.error(`[DEBUG] request.params.arguments type: ${typeof request.params.arguments}`);
+          console.error(`[DEBUG] request.params.arguments: ${JSON.stringify(request.params.arguments)}`);
+        }
         let parsedArgs = request.params.arguments;
         if (tool.inputSchema && typeof tool.inputSchema.parse === "function") {
           parsedArgs = tool.inputSchema.parse(request.params.arguments);
+          if (toolName === "search_docs") {
+            console.error(`[DEBUG] parsedArgs after Zod: ${JSON.stringify(parsedArgs)}`);
+          }
+        }
+        const isAliyunManagementTool = [
+          "list_aliyun_supabase_instances",
+          "connect_to_supabase_instance",
+          "get_current_supabase_instance",
+          "disconnect_supabase_instance"
+        ].includes(toolName);
+        if (isAliyunMode && !isAliyunManagementTool && !currentSupabaseClient) {
+          throw new McpError(
+            ErrorCode.InvalidRequest,
+            "Not connected to any Supabase instance. Please use connect_to_supabase_instance tool first."
+          );
         }
         const context = {
-          selfhostedClient,
+          selfhostedClient: currentSupabaseClient,
           workspacePath: options.workspacePath,
           log: (message, level = "info") => {
             console.error(`[${level.toUpperCase()}] ${message}`);
@@ -2038,7 +2734,7 @@ async function main() {
       } catch (error) {
         console.error(`Error executing tool ${toolName}:`, error);
         let errorMessage = `Error executing tool ${toolName}: `;
-        if (error instanceof z24.ZodError) {
+        if (error instanceof z30.ZodError) {
           errorMessage += `Input validation failed: ${error.errors.map((e) => `${e.path.join(".")}: ${e.message}`).join(", ")}`;
         } else if (error instanceof Error) {
           errorMessage += error.message;