fix(supabase): scope Edge Function method/body/headers to invoke_function

Prevents a stale `method` value (e.g. from the Edge Function field) from leaking
into other operations' params. The tool executor lets `params.method` override a
tool's static verb (tools/utils.ts), so an unscoped value could turn a read into
DELETE/POST against PostgREST. Now method/body/headers are only passed for the
invoke_function operation. Adds a block-level regression test.

Author: waleedlatif1

apps/sim/blocks/blocks/supabase.test.ts

@@ -0,0 +1,60 @@
+/**
+ * @vitest-environment node
+ */
+import { describe, expect, it } from 'vitest'
+import { SupabaseBlock } from '@/blocks/blocks/supabase'
+
+describe('SupabaseBlock', () => {
+  const buildParams = SupabaseBlock.tools.config.params!
+  const selectTool = SupabaseBlock.tools.config.tool!
+
+  it('maps each operation to its tool id', () => {
+    expect(selectTool({ operation: 'query' })).toBe('supabase_query')
+    expect(selectTool({ operation: 'invoke_function' })).toBe('supabase_invoke_function')
+    expect(selectTool({ operation: 'delete' })).toBe('supabase_delete')
+  })
+
+  it('does not leak the Edge Function method onto other operations', () => {
+    // A stale `method` from the Edge Function field must never reach a tool with a
+    // static verb — otherwise the executor would let it override e.g. GET with DELETE.
+    const params = buildParams({
+      operation: 'query',
+      projectId: 'proj',
+      apiKey: 'key',
+      table: 'users',
+      method: 'DELETE',
+    })
+
+    expect(params).not.toHaveProperty('method')
+    expect(params).not.toHaveProperty('body')
+    expect(params).not.toHaveProperty('headers')
+  })
+
+  it('passes method, body, and headers through for invoke_function', () => {
+    const params = buildParams({
+      operation: 'invoke_function',
+      projectId: 'proj',
+      apiKey: 'key',
+      functionName: 'hello-world',
+      method: 'POST',
+      functionBody: '{"name":"world"}',
+      functionHeaders: '{"x-trace":"1"}',
+    })
+
+    expect(params.method).toBe('POST')
+    expect(params.body).toEqual({ name: 'world' })
+    expect(params.headers).toEqual({ 'x-trace': '1' })
+  })
+
+  it('rejects non-object Edge Function headers', () => {
+    expect(() =>
+      buildParams({
+        operation: 'invoke_function',
+        projectId: 'proj',
+        apiKey: 'key',
+        functionName: 'hello-world',
+        functionHeaders: '["a","b"]',
+      })
+    ).toThrow('Edge Function headers must be a JSON object')
+  })
+})

apps/sim/blocks/blocks/supabase.ts

@@ -1026,6 +1026,7 @@ Return ONLY the PostgREST filter expression - no explanations, no markdown, no e
           fileData,
           functionBody,
           functionHeaders,
+          method,
           ...rest
         } = params
 
@@ -1169,12 +1170,16 @@ Return ONLY the PostgREST filter expression - no explanations, no markdown, no e
           result.params = parsedRpcParams
         }
 
-        if (parsedFunctionBody !== undefined) {
-          result.body = parsedFunctionBody
-        }
-
-        if (parsedFunctionHeaders !== undefined) {
-          result.headers = parsedFunctionHeaders
+        if (operation === 'invoke_function') {
+          if (method !== undefined) {
+            result.method = method
+          }
+          if (parsedFunctionBody !== undefined) {
+            result.body = parsedFunctionBody
+          }
+          if (parsedFunctionHeaders !== undefined) {
+            result.headers = parsedFunctionHeaders
+          }
         }
 
         if (parsedPaths !== undefined) {