feat: cost confirmation tools

Author: gregnr

packages/mcp-server-supabase/src/pricing.ts

@@ -0,0 +1,72 @@
+import {
+  assertSuccess,
+  type ManagementApiClient,
+} from './management-api/index.js';
+
+const PROJECT_COST_MONTHLY = 10;
+const BRANCH_COST_HOURLY = 0.01344;
+
+export type ProjectCost = {
+  type: 'project';
+  recurrence: 'monthly';
+  amount: number;
+};
+
+export type BranchCost = {
+  type: 'branch';
+  recurrence: 'hourly';
+  amount: number;
+};
+
+export type Cost = ProjectCost | BranchCost;
+
+/**
+ * Gets the cost of the next project in an organization.
+ */
+export async function getNextProjectCost(
+  managementApiClient: ManagementApiClient,
+  orgId: string
+): Promise<Cost> {
+  const orgResponse = await managementApiClient.GET(
+    '/v1/organizations/{slug}',
+    {
+      params: {
+        path: {
+          slug: orgId,
+        },
+      },
+    }
+  );
+
+  assertSuccess(orgResponse, 'Failed to fetch organization');
+
+  const projectsResponse = await managementApiClient.GET('/v1/projects');
+
+  assertSuccess(projectsResponse, 'Failed to fetch projects');
+
+  const org = orgResponse.data;
+  const activeProjects = projectsResponse.data.filter(
+    (project) =>
+      project.organization_id === orgId && project.status === 'ACTIVE_HEALTHY'
+  );
+
+  let amount = 0;
+
+  if (org.plan !== 'free') {
+    // If the organization is on a paid plan, the first project is included
+    if (activeProjects.length === 0) {
+      amount = 0;
+    } else {
+      amount = PROJECT_COST_MONTHLY;
+    }
+  }
+
+  return { type: 'project', recurrence: 'monthly', amount };
+}
+
+/**
+ * Gets the cost for a database branch.
+ */
+export function getBranchCost(): Cost {
+  return { type: 'branch', recurrence: 'hourly', amount: BRANCH_COST_HOURLY };
+}

packages/mcp-server-supabase/src/server.ts

@@ -13,12 +13,14 @@ import {
   type ManagementApiClient,
 } from './management-api/index.js';
 import { generatePassword } from './password.js';
+import { getBranchCost, getNextProjectCost, type Cost } from './pricing.js';
 import {
   AWS_REGION_CODES,
   getClosestAwsRegion,
   getCountryCode,
   getCountryCoordinates,
 } from './regions.js';
+import { hashObject } from './util.js';
 
 export type SupabasePlatformOptions = {
   apiUrl?: string;
@@ -120,9 +122,51 @@ export function createSupabaseMcpServer(options: SupabaseMcpServerOptions) {
           return response.data;
         },
       }),
+      get_cost: tool({
+        description:
+          'Gets the cost of creating a new project or branch. Never assume organization as costs can be different for each.',
+        parameters: z.object({
+          type: z.enum(['project', 'branch']),
+          organization_id: z
+            .string()
+            .describe('The organization ID. Always ask the user.'),
+        }),
+        execute: async ({ type, organization_id }) => {
+          function generateResponse(cost: Cost) {
+            return `The new ${type} will cost $${cost.amount} ${cost.recurrence}. You must repeat this to the user and confirm their understanding.`;
+          }
+          switch (type) {
+            case 'project': {
+              const cost = await getNextProjectCost(
+                managementApiClient,
+                organization_id
+              );
+              return generateResponse(cost);
+            }
+            case 'branch': {
+              const cost = getBranchCost();
+              return generateResponse(cost);
+            }
+            default:
+              throw new Error(`Unknown cost type: ${type}`);
+          }
+        },
+      }),
+      confirm_cost: tool({
+        description:
+          'Ask the user to confirm their understanding of the cost of creating a new project or branch. Call `get_cost` first. Returns a unique ID for this confirmation which should be passed to `create_project` or `create_branch`.',
+        parameters: z.object({
+          type: z.enum(['project', 'branch']),
+          recurrence: z.enum(['hourly', 'monthly']),
+          amount: z.number(),
+        }),
+        execute: async (cost) => {
+          return await hashObject(cost);
+        },
+      }),
       create_project: tool({
         description:
-          'Creates a new Supabase project. Always ask the user which organization to create the project in. Each new project can incur additional costs: If on a free org, the user gets 2 projects for free. On a paid org, the user should reference https://supabase.com/pricing. Confirm that the user understands this before creating new projects. The project can take a few minutes to initialize - use `getProject` to check the status.',
+          'Creates a new Supabase project. Always ask the user which organization to create the project in. The project can take a few minutes to initialize - use `get_project` to check the status.',
         parameters: z.object({
           name: z.string().describe('The name of the project'),
           region: z.optional(
@@ -133,8 +177,28 @@ export function createSupabaseMcpServer(options: SupabaseMcpServerOptions) {
               )
           ),
           organization_id: z.string(),
+          confirm_cost_id: z
+            .string()
+            .describe('The cost confirmation ID. Call `confirm_cost` first.'),
         }),
-        execute: async ({ name, region, organization_id }) => {
+        execute: async ({ name, region, organization_id, confirm_cost_id }) => {
+          if (!confirm_cost_id) {
+            throw new Error(
+              'User must confirm understanding of costs before creating a project.'
+            );
+          }
+
+          const cost = await getNextProjectCost(
+            managementApiClient,
+            organization_id
+          );
+          const costHash = await hashObject(cost);
+          if (costHash !== confirm_cost_id) {
+            throw new Error(
+              'Cost confirmation ID does not match the expected cost of creating a project.'
+            );
+          }
+
           const response = await managementApiClient.POST('/v1/projects', {
             body: {
               name,
@@ -320,7 +384,7 @@ export function createSupabaseMcpServer(options: SupabaseMcpServerOptions) {
       }),
       execute_sql: tool({
         description:
-          'Executes raw SQL in the Postgres database. Use `applyMigration` instead for DDL operations.',
+          'Executes raw SQL in the Postgres database. Use `apply_migration` instead for DDL operations.',
         parameters: z.object({
           project_id: z.string(),
           query: z.string().describe('The SQL query to execute'),
@@ -441,15 +505,29 @@ export function createSupabaseMcpServer(options: SupabaseMcpServerOptions) {
       // Experimental features
       create_branch: tool({
         description:
-          'Creates a development branch on a Supabase project. This will apply all migrations from the main project to a fresh branch database. Note that production data will not carry over. The branch will get its own project_id via the resulting project_ref. Use this ID to execute queries and migrations on the branch. Branching is only available on a paid org and each branch will incur additional costs. You must confirm that the user understands these costs before calling this function. Details here: https://supabase.com/docs/guides/deployment/branching#pricing',
+          'Creates a development branch on a Supabase project. This will apply all migrations from the main project to a fresh branch database. Note that production data will not carry over. The branch will get its own project_id via the resulting project_ref. Use this ID to execute queries and migrations on the branch.',
         parameters: z.object({
           project_id: z.string(),
-          name: z
+          name: z.string().describe('Name of the branch to create'),
+          confirm_cost_id: z
             .string()
-            .default('develop')
-            .describe('Name of the branch to create'),
+            .describe('The cost confirmation ID. Call `confirm_cost` first.'),
         }),
-        execute: async ({ project_id, name }) => {
+        execute: async ({ project_id, name, confirm_cost_id }) => {
+          if (!confirm_cost_id) {
+            throw new Error(
+              'User must confirm understanding of costs before creating a branch.'
+            );
+          }
+
+          const cost = getBranchCost();
+          const costHash = await hashObject(cost);
+          if (costHash !== confirm_cost_id) {
+            throw new Error(
+              'Cost confirmation ID does not match the expected cost of creating a branch.'
+            );
+          }
+
           const createBranchResponse = await managementApiClient.POST(
             '/v1/projects/{ref}/branches',
             {
@@ -477,6 +555,7 @@ export function createSupabaseMcpServer(options: SupabaseMcpServerOptions) {
               },
               body: {
                 branch_name: 'main',
+                git_branch: 'main',
               },
             });
 

packages/mcp-server-supabase/src/util.test.ts

@@ -1,5 +1,5 @@
 import { describe, expect, it } from 'vitest';
-import { parseKeyValueList } from './util.js';
+import { hashObject, parseKeyValueList } from './util.js';
 
 describe('parseKeyValueList', () => {
   it('should parse a simple key-value string', () => {
@@ -45,3 +45,56 @@ describe('parseKeyValueList', () => {
     });
   });
 });
+
+describe('hashObject', () => {
+  it('should consistently hash the same object', async () => {
+    const obj = { a: 1, b: 2, c: 3 };
+
+    const hash1 = await hashObject(obj);
+    const hash2 = await hashObject(obj);
+
+    expect(hash1).toBe(hash2);
+  });
+
+  it('should produce the same hash regardless of property order', async () => {
+    const obj1 = { a: 1, b: 2, c: 3 };
+    const obj2 = { c: 3, a: 1, b: 2 };
+
+    const hash1 = await hashObject(obj1);
+    const hash2 = await hashObject(obj2);
+
+    expect(hash1).toBe(hash2);
+  });
+
+  it('should produce different hashes for different objects', async () => {
+    const obj1 = { a: 1, b: 2 };
+    const obj2 = { a: 1, b: 3 };
+
+    const hash1 = await hashObject(obj1);
+    const hash2 = await hashObject(obj2);
+
+    expect(hash1).not.toBe(hash2);
+  });
+
+  it('should handle nested objects', async () => {
+    const obj1 = { a: 1, b: { c: 2 } };
+    const obj2 = { a: 1, b: { c: 3 } };
+
+    const hash1 = await hashObject(obj1);
+    const hash2 = await hashObject(obj2);
+
+    expect(hash1).not.toBe(hash2);
+  });
+
+  it('should handle arrays', async () => {
+    const obj1 = { a: [1, 2, 3] };
+    const obj2 = { a: [1, 2, 4] };
+
+    const hash1 = await hashObject(obj1);
+    const hash2 = await hashObject(obj2);
+
+    console.log('obj1', obj1, hash1);
+
+    expect(hash1).not.toBe(hash2);
+  });
+});

packages/mcp-server-supabase/src/util.ts

@@ -38,3 +38,35 @@ export function parseKeyValueList(data: string): { [key: string]: string } {
       .map(([key, value]) => [key, value ?? '']) // ensure value is not undefined
   );
 }
+
+/**
+ * Creates a unique hash from a JavaScript object.
+ * @param obj - The object to hash
+ * @param length - Optional length to truncate the hash (default: full length)
+ */
+export async function hashObject(
+  obj: Record<string, any>,
+  length?: number
+): Promise<string> {
+  // Sort object keys to ensure consistent output regardless of original key order
+  const str = JSON.stringify(obj, (_, value) => {
+    if (value && typeof value === 'object' && !Array.isArray(value)) {
+      return Object.keys(value)
+        .sort()
+        .reduce<Record<string, any>>((result, key) => {
+          result[key] = value[key];
+          return result;
+        }, {});
+    }
+    return value;
+  });
+
+  const buffer = await crypto.subtle.digest(
+    'SHA-256',
+    new TextEncoder().encode(str)
+  );
+
+  // Convert to base64
+  const base64Hash = btoa(String.fromCharCode(...new Uint8Array(buffer)));
+  return base64Hash.slice(0, length);
+}