improvement(supabase): add Edge Functions tool; correct storage output shapes + harden tools (#5112)

* improvement(supabase): add Edge Functions tool; correct storage output shapes + harden tools

- Add supabase_invoke_function tool (POST/GET/PUT/PATCH/DELETE /functions/v1/{name})
- upsert: support on_conflict; storage upload: support cache-control
- Fix storage copy/move/upload/delete-bucket output properties to match live API
- get_public_url: build URL via directExecution (no spurious network call)
- text_search: validate column identifier
- Strip non-TSDoc section-label comments

* fix(supabase): harden rpc/text_search identifiers; drop unused get_public_url apiKey

- rpc: validate + encode functionName (SSRF/injection parity with vector_search)
- text_search: validate language config interpolated into the PostgREST operator
- get_public_url: remove unused apiKey param + dead auth headers (public endpoint needs no auth)
- create_bucket: tighten output description to match the {name}-only response

* improvement(tavily): mark optional params advanced; fix empty content output

- Mark 29 optional search/extract/crawl/map subBlocks as mode: advanced (keep query/urls/url/apiKey basic)
- Fix search transformResponse: populate content from result.content (was result.snippet, always empty)
- Guard data.results with ?? []; correct country placeholder to a lowercase name
- Rewrite stale TavilySearch/Extract response interfaces; drop dead duplicate interfaces

* fix(supabase): valid Cache-Control directive on upload; clarify functionName description

- storage upload: expand a bare numeric cache-control to `max-age=<n>` (a raw number is not a valid Cache-Control header)
- block: functionName input description now covers RPC, vector search, and Edge Function invoke

* fix(supabase): edge-function error handling + reject array headers

- invoke_function: drop unreachable !response.ok branch (executor throws on non-OK before transformResponse runs and surfaces the error body); document the success-only contract
- invoke_function: ignore non-object (array) headers so JSON arrays can't produce numeric-index header names
- block: reject array/non-object Edge Function headers with a clear error in config.params

* fix(supabase): scope Edge Function method/body/headers to invoke_function

Prevents a stale `method` value (e.g. from the Edge Function field) from leaking
into other operations' params. The tool executor lets `params.method` override a
tool's static verb (tools/utils.ts), so an unscoped value could turn a read into
DELETE/POST against PostgREST. Now method/body/headers are only passed for the
invoke_function operation. Adds a block-level regression test.

* fix(supabase): only parse Edge Function body/headers for invoke_function

Stale or invalid functionBody/functionHeaders left in the block (common when
switching operations) were parsed and validated for every operation, so they
could throw before unrelated tools ran even while hidden. Moved parsing and
validation inside the invoke_function guard; added a regression test.

* fix(supabase): include last_accessed_at as a storage list sort option

The Storage list API accepts last_accessed_at for sortBy; add it to the tool
description and the block dropdown so the surfaced options match the API.

Author: waleedlatif1

apps/sim/app/api/tools/supabase/storage-upload/route.ts

@@ -174,6 +174,13 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       'Content-Type': uploadContentType,
     }
 
+    if (validatedData.cacheControl) {
+      const cacheControl = validatedData.cacheControl.trim()
+      headers['cache-control'] = /^\d+$/.test(cacheControl)
+        ? `max-age=${cacheControl}`
+        : cacheControl
+    }
+
     if (validatedData.upsert) {
       headers['x-upsert'] = 'true'
     }

apps/sim/blocks/blocks/supabase.test.ts

@@ -0,0 +1,75 @@
+/**
+ * @vitest-environment node
+ */
+import { describe, expect, it } from 'vitest'
+import { SupabaseBlock } from '@/blocks/blocks/supabase'
+
+describe('SupabaseBlock', () => {
+  const buildParams = SupabaseBlock.tools.config.params!
+  const selectTool = SupabaseBlock.tools.config.tool!
+
+  it('maps each operation to its tool id', () => {
+    expect(selectTool({ operation: 'query' })).toBe('supabase_query')
+    expect(selectTool({ operation: 'invoke_function' })).toBe('supabase_invoke_function')
+    expect(selectTool({ operation: 'delete' })).toBe('supabase_delete')
+  })
+
+  it('does not leak the Edge Function method onto other operations', () => {
+    // A stale `method` from the Edge Function field must never reach a tool with a
+    // static verb — otherwise the executor would let it override e.g. GET with DELETE.
+    const params = buildParams({
+      operation: 'query',
+      projectId: 'proj',
+      apiKey: 'key',
+      table: 'users',
+      method: 'DELETE',
+    })
+
+    expect(params).not.toHaveProperty('method')
+    expect(params).not.toHaveProperty('body')
+    expect(params).not.toHaveProperty('headers')
+  })
+
+  it('ignores stale invalid Edge Function fields on other operations', () => {
+    // Hidden Edge Function inputs left over from a prior selection must not be
+    // parsed/validated (and must never throw) for unrelated operations.
+    expect(() =>
+      buildParams({
+        operation: 'query',
+        projectId: 'proj',
+        apiKey: 'key',
+        table: 'users',
+        functionBody: '{not valid json',
+        functionHeaders: '["a","b"]',
+      })
+    ).not.toThrow()
+  })
+
+  it('passes method, body, and headers through for invoke_function', () => {
+    const params = buildParams({
+      operation: 'invoke_function',
+      projectId: 'proj',
+      apiKey: 'key',
+      functionName: 'hello-world',
+      method: 'POST',
+      functionBody: '{"name":"world"}',
+      functionHeaders: '{"x-trace":"1"}',
+    })
+
+    expect(params.method).toBe('POST')
+    expect(params.body).toEqual({ name: 'world' })
+    expect(params.headers).toEqual({ 'x-trace': '1' })
+  })
+
+  it('rejects non-object Edge Function headers', () => {
+    expect(() =>
+      buildParams({
+        operation: 'invoke_function',
+        projectId: 'proj',
+        apiKey: 'key',
+        functionName: 'hello-world',
+        functionHeaders: '["a","b"]',
+      })
+    ).toThrow('Edge Function headers must be a JSON object')
+  })
+})