feat: Add MCP elicitation for create project and branch tools

packages/mcp-server-supabase/src/platform/types.ts

@@ -234,10 +234,7 @@ export type DevelopmentOperations = {
 
 export type StorageOperations = {
   getStorageConfig(projectId: string): Promise<StorageConfig>;
-  updateStorageConfig(
-    projectId: string,
-    config: StorageConfig
-  ): Promise<void>;
+  updateStorageConfig(projectId: string, config: StorageConfig): Promise<void>;
   listAllBuckets(projectId: string): Promise<StorageBucket[]>;
 };
 
@@ -249,10 +246,7 @@ export type BranchingOperations = {
   ): Promise<Branch>;
   deleteBranch(branchId: string): Promise<void>;
   mergeBranch(branchId: string): Promise<void>;
-  resetBranch(
-    branchId: string,
-    options: ResetBranchOptions
-  ): Promise<void>;
+  resetBranch(branchId: string, options: ResetBranchOptions): Promise<void>;
   rebaseBranch(branchId: string): Promise<void>;
 };
 

packages/mcp-server-supabase/src/server.ts

@@ -134,7 +134,7 @@ export function createSupabaseMcpServer(options: SupabaseMcpServerOptions) {
       }
 
       if (!projectId && account && enabledFeatures.has('account')) {
-        Object.assign(tools, getAccountTools({ account, readOnly }));
+        Object.assign(tools, getAccountTools({ account, readOnly, server }));
       }
 
       if (database && enabledFeatures.has('database')) {
@@ -144,6 +144,7 @@ export function createSupabaseMcpServer(options: SupabaseMcpServerOptions) {
             database,
             projectId,
             readOnly,
+            server,
           })
         );
       }

packages/mcp-server-supabase/src/tools/account-tools.ts

@@ -1,4 +1,5 @@
-import { tool } from '@supabase/mcp-utils';
+import { tool, type ToolExecuteContext } from '@supabase/mcp-utils';
+import type { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { z } from 'zod';
 import type { AccountOperations } from '../platform/types.js';
 import { type Cost, getBranchCost, getNextProjectCost } from '../pricing.js';
@@ -10,9 +11,14 @@ const SUCCESS_RESPONSE = { success: true };
 export type AccountToolsOptions = {
   account: AccountOperations;
   readOnly?: boolean;
+  server?: Server;
 };
 
-export function getAccountTools({ account, readOnly }: AccountToolsOptions) {
+export function getAccountTools({
+  account,
+  readOnly,
+  server,
+}: AccountToolsOptions) {
   return {
     list_organizations: tool({
       description: 'Lists all organizations that the user is a member of.',
@@ -120,6 +126,7 @@ export function getAccountTools({ account, readOnly }: AccountToolsOptions) {
         idempotentHint: true,
         openWorldHint: false,
       },
+      isSupported: (clientCapabilities) => !clientCapabilities?.elicitation,
       parameters: z.object({
         type: z.enum(['project', 'branch']),
         recurrence: z.enum(['hourly', 'monthly']),
@@ -131,7 +138,7 @@ export function getAccountTools({ account, readOnly }: AccountToolsOptions) {
     }),
     create_project: tool({
       description:
-        'Creates a new Supabase project. Always ask the user which organization to create the project in. The project can take a few minutes to initialize - use `get_project` to check the status.',
+        'Creates a new Supabase project. Always ask the user which organization to create the project in. If there is a cost involved, the user will be asked to confirm before creation. The project can take a few minutes to initialize - use `get_project` to check the status.',
       annotations: {
         title: 'Create project',
         readOnlyHint: false,
@@ -145,31 +152,63 @@ export function getAccountTools({ account, readOnly }: AccountToolsOptions) {
           .enum(AWS_REGION_CODES)
           .describe('The region to create the project in.'),
         organization_id: z.string(),
-        confirm_cost_id: z
-          .string({
-            required_error:
-              'User must confirm understanding of costs before creating a project.',
-          })
-          .describe('The cost confirmation ID. Call `confirm_cost` first.'),
       }),
-      execute: async ({ name, region, organization_id, confirm_cost_id }) => {
+      execute: async ({ name, region, organization_id }, context) => {
         if (readOnly) {
           throw new Error('Cannot create a project in read-only mode.');
         }
 
+        // Calculate cost inline
         const cost = await getNextProjectCost(account, organization_id);
-        const costHash = await hashObject(cost);
-        if (costHash !== confirm_cost_id) {
-          throw new Error(
-            'Cost confirmation ID does not match the expected cost of creating a project.'
-          );
+
+        // Only request confirmation if there's a cost AND server supports elicitation
+        if (cost.amount > 0 && context?.server?.elicitInput) {
+          const costMessage = `$${cost.amount} per ${cost.recurrence}`;
+
+          const result = await context.server.elicitInput({
+            message: `You are about to create project "${name}" in region ${region}.\n\n💰 Cost: ${costMessage}\n\nDo you want to proceed with this billable project?`,
+            requestedSchema: {
+              type: 'object',
+              properties: {
+                confirm: {
+                  type: 'boolean',
+                  title: 'Confirm billable project creation',
+                  description: `I understand this will cost ${costMessage} and want to proceed`,
+                },
+              },
+              required: ['confirm'],
+            },
+          });
+
+          // Handle user response
+          if (result.action === 'decline' || result.action === 'cancel') {
+            throw new Error('Project creation cancelled by user.');
+          }
+
+          if (result.action === 'accept' && !result.content?.confirm) {
+            throw new Error(
+              'You must confirm understanding of the cost to create a billable project.'
+            );
+          }
         }
 
-        return await account.createProject({
+        // Create the project (either free or confirmed)
+        const project = await account.createProject({
           name,
           region,
           organization_id,
         });
+
+        // Return appropriate message based on cost
+        const costInfo =
+          cost.amount > 0
+            ? `Cost: $${cost.amount}/${cost.recurrence}`
+            : 'Cost: Free';
+
+        return {
+          ...project,
+          message: `Project "${name}" created successfully. ${costInfo}`,
+        };
       },
     }),
     pause_project: tool({

packages/mcp-server-supabase/src/tools/branching-tools.ts

@@ -37,25 +37,73 @@ export function getBranchingTools({
           .string()
           .default('develop')
           .describe('Name of the branch to create'),
+        // When the client supports elicitation, we will ask the user to confirm the
+        // branch cost interactively and this parameter is not required. For clients
+        // without elicitation support, this confirmation ID is required.
         confirm_cost_id: z
-          .string({
-            required_error:
-              'User must confirm understanding of costs before creating a branch.',
-          })
-          .describe('The cost confirmation ID. Call `confirm_cost` first.'),
+          .string()
+          .optional()
+          .describe(
+            'The cost confirmation ID. Call `confirm_cost` first if elicitation is not supported.'
+          ),
       }),
       inject: { project_id },
-      execute: async ({ project_id, name, confirm_cost_id }) => {
+      execute: async ({ project_id, name, confirm_cost_id }, context) => {
         if (readOnly) {
           throw new Error('Cannot create a branch in read-only mode.');
         }
 
         const cost = getBranchCost();
-        const costHash = await hashObject(cost);
-        if (costHash !== confirm_cost_id) {
-          throw new Error(
-            'Cost confirmation ID does not match the expected cost of creating a branch.'
-          );
+
+        // If the server and client support elicitation, request explicit confirmation
+        const caps = context?.server?.getClientCapabilities?.();
+        const supportsElicitation = Boolean(caps && (caps as any).elicitation);
+
+        if (
+          cost.amount > 0 &&
+          supportsElicitation &&
+          context?.server?.elicitInput
+        ) {
+          const costMessage = `$${cost.amount} per ${cost.recurrence}`;
+
+          const result = await context.server.elicitInput({
+            message: `You are about to create branch "${name}" on project ${project_id}.\n\n💰 Cost: ${costMessage}\n\nDo you want to proceed with this billable branch?`,
+            requestedSchema: {
+              type: 'object',
+              properties: {
+                confirm: {
+                  type: 'boolean',
+                  title: 'Confirm billable branch creation',
+                  description: `I understand this will cost ${costMessage} and want to proceed`,
+                },
+              },
+              required: ['confirm'],
+            },
+          });
+
+          if (result.action === 'decline' || result.action === 'cancel') {
+            throw new Error('Branch creation cancelled by user.');
+          }
+
+          if (result.action === 'accept' && !result.content?.confirm) {
+            throw new Error(
+              'You must confirm understanding of the cost to create a billable branch.'
+            );
+          }
+        } else {
+          // Fallback path (no elicitation support): require confirm_cost_id
+          if (!confirm_cost_id) {
+            throw new Error(
+              'User must confirm understanding of costs before creating a branch.'
+            );
+          }
+
+          const costHash = await hashObject(cost);
+          if (costHash !== confirm_cost_id) {
+            throw new Error(
+              'Cost confirmation ID does not match the expected cost of creating a branch.'
+            );
+          }
         }
         return await branching.createBranch(project_id, { name });
       },

packages/mcp-server-supabase/src/tools/database-operation-tools.ts

@@ -1,4 +1,5 @@
 import { source } from 'common-tags';
+import type { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { z } from 'zod';
 import { listExtensionsSql, listTablesSql } from '../pg-meta/index.js';
 import {
@@ -14,12 +15,14 @@ export type DatabaseOperationToolsOptions = {
   database: DatabaseOperations;
   projectId?: string;
   readOnly?: boolean;
+  server?: Server;
 };
 
 export function getDatabaseTools({
   database,
   projectId,
   readOnly,
+  server,
 }: DatabaseOperationToolsOptions) {
   const project_id = projectId;
 
@@ -215,6 +218,48 @@ export function getDatabaseTools({
           throw new Error('Cannot apply migration in read-only mode.');
         }
 
+        // Try to request user confirmation via elicitation
+        if (server) {
+          try {
+            const result = (await server.request(
+              {
+                method: 'elicitation/create',
+                params: {
+                  message: `You are about to apply migration "${name}" to project ${project_id}. This will modify your database schema.\n\nPlease review the SQL:\n\n${query}\n\nDo you want to proceed?`,
+                  requestedSchema: {
+                    type: 'object',
+                    properties: {
+                      confirm: {
+                        type: 'boolean',
+                        title: 'Confirm Migration',
+                        description:
+                          'I have reviewed the SQL and approve this migration',
+                      },
+                    },
+                    required: ['confirm'],
+                  },
+                },
+              },
+              // @ts-ignore - elicitation types might not be available
+              { elicitation: true }
+            )) as {
+              action: 'accept' | 'decline' | 'cancel';
+              content?: { confirm?: boolean };
+            };
+
+            // User declined or cancelled
+            if (result.action !== 'accept' || !result.content?.confirm) {
+              throw new Error('Migration cancelled by user');
+            }
+          } catch (error) {
+            // If elicitation fails (client doesn't support it), proceed without confirmation
+            // This maintains backwards compatibility
+            console.warn(
+              'Elicitation not supported by client, proceeding with migration without confirmation'
+            );
+          }
+        }
+
         await database.applyMigration(project_id, {
           name,
           query,

packages/mcp-server-supabase/src/tools/util.ts

@@ -64,6 +64,6 @@ export function injectableTool<
     description,
     annotations,
     parameters: parameters.omit(mask),
-    execute: (args) => execute({ ...args, ...inject }),
+    execute: (args, context) => execute({ ...args, ...inject }, context),
   }) as Tool<z.ZodObject<any, any, any, CleanParams>, Result>;
 }