feat: add minimum OAuth scope hint helpers #240
Open
ViVaLaDaniel wants to merge 1 commit into supabase-community:main from
Summary
createToolAccessHints() and createOAuthScopeHints() to derive minimum scope hints from features, readOnly, and projectScoped
Why this helps
Issue #239 asks for minimum OAuth scopes based on the active MCP configuration.
While working through this, I found that the hosted OAuth consent flow for https://mcp.supabase.com/mcp does not appear to live entirely inside this OSS repo. This PR therefore focuses on the part that is in-repo and can be made deterministic here: a shared source of truth for tool -> access requirements and helper functions that downstream auth / integration layers can consume.
That means this PR does not claim to fully fix the hosted consent screen by itself. Instead, it adds the groundwork needed to do that cleanly without duplicating scope logic elsewhere.
Notes
- createOAuthScopeHints() returns only scope families documented in the public Supabase OAuth scope guide by default
- includeInferred: true opt-in adds best-effort hints for Management API surfaces that are used by the MCP server but are not clearly listed in the public scope table yet
- execute_sql downgrades to database:read in readOnly mode to match the behavior discussed in list_tables requires database:write permission #152
Verification
npm exec --yes pnpm@10.7.0 -- --filter @supabase/mcp-utils build
npm exec --yes pnpm@10.7.0 -- --filter @supabase/mcp-server-supabase typecheck
CI=1 npm exec --yes pnpm@10.7.0 -- --filter @supabase/mcp-server-supabase exec vitest run src/tools/tool-access.test.ts --reporter=basic
npm exec --yes pnpm@10.7.0 -- --filter @supabase/mcp-server-supabase build
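An added sketch, not code from this PR or the repository, of how a single tool -> access table can yield least-privilege scope hints for a given configuration. The type and function names, the `list_tables` row, the `example_*` entries and the rule that account-level tools drop out when `projectScoped` is set are assumptions; only the `execute_sql` downgrade to `database:read` in `readOnly` mode is taken from the description above.

```typescript
// Hypothetical shapes for illustration; the PR's real types are not shown on this page.
type Access = "read" | "write";

interface ToolRequirement {
  tool: string;                  // MCP tool name
  feature: string;               // feature group that enables the tool
  family: string;                // OAuth scope family
  access: Access;                // access needed in normal mode
  readOnlyAccess: Access | null; // access in readOnly mode, null = tool unavailable
  accountLevel: boolean;         // assumed: unavailable when projectScoped
  inferred: boolean;             // family not in the public scope table
}

// Constructed table. Only the execute_sql row reflects behaviour stated in the PR.
const REQUIREMENTS: ToolRequirement[] = [
  { tool: "execute_sql", feature: "database", family: "database",
    access: "write", readOnlyAccess: "read", accountLevel: false, inferred: false },
  { tool: "list_tables", feature: "database", family: "database",
    access: "read", readOnlyAccess: "read", accountLevel: false, inferred: false },
  { tool: "example_account_tool", feature: "example", family: "example_account",
    access: "read", readOnlyAccess: "read", accountLevel: true, inferred: false },
  { tool: "example_inferred_tool", feature: "example", family: "example_family",
    access: "write", readOnlyAccess: null, accountLevel: false, inferred: true },
];

interface HintOptions {
  features: string[];
  readOnly: boolean;
  projectScoped: boolean;
  includeInferred?: boolean; // opt-in, off by default as in the PR notes
}

// Returns the sorted, de-duplicated set of scopes the active tools need.
function minimumScopeHints(opts: HintOptions): string[] {
  const scopes: string[] = [];
  for (const req of REQUIREMENTS) {
    if (opts.features.indexOf(req.feature) === -1) continue; // feature disabled
    if (req.accountLevel && opts.projectScoped) continue;    // tool not exposed
    if (req.inferred && !opts.includeInferred) continue;     // documented only
    const access = opts.readOnly ? req.readOnlyAccess : req.access;
    if (access === null) continue;                           // off in readOnly
    const scope = req.family + ":" + access;
    if (scopes.indexOf(scope) === -1) scopes.push(scope);
  }
  return scopes.sort();
}
```

Because the consent request is computed from the same table that gates the tools, a read-only deployment never asks for `database:write`.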