@JonasJesus42 (Contributor) commented Dec 31, 2025

Summary by cubic

Switch the registry to a Supabase-backed implementation so the app reads servers from a local mcp_servers table instead of the MCP Registry API. This improves performance and makes pagination predictable.

  • New Features

    • Supabase client for list/get/versions, with row-to-API conversion and sanitized search input.
    • mcp_servers DDL (indexes, trigger for updated_at, RLS policies to hide unlisted rows).
    • Sync script to import all servers from the official Registry and upsert to Supabase; computes flags and applies verified overrides; supports FORCE_UPDATE.
    • Metadata enrichment script to generate friendly_name, mesh_description, tags, and categories; includes force/limit helpers.
    • package.json: adds @supabase/supabase-js and scripts (sync:supabase, enrich:ai variants).
    • Tools now query Supabase and use IDs like name@version; GET returns the latest version.
  • Migration

    • Set SUPABASE_URL and SUPABASE_ANON_KEY for runtime.
    • Set SUPABASE_SERVICE_ROLE_KEY for the sync script and OPENROUTER_API_KEY for the enrichment script.
    • Populate data: bun run sync:supabase (or sync:supabase:force).
    • If the table is missing, run registry/scripts/create-table.sql in Supabase’s SQL editor.

Written for commit 715d3bb. Summary will update on new commits.

github-actions bot commented Dec 31, 2025

🚀 Preview Deployments Ready!

Your changes have been deployed to preview environments:

📦 registry

These previews will be automatically updated with new commits to this PR.

Deployed from commit: 6195c12

@cubic-dev-ai bot left a comment
5 issues found across 6 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="registry/server/tools/registry-binding.ts">

<violation number="1" location="registry/server/tools/registry-binding.ts:226">
P2: The `version` parameter defined in `ListInputSchema` is not being used. The destructuring omits `version` entirely, making the documented API parameter non-functional. Either remove `version` from the schema or implement the filtering logic.</violation>

<violation number="2" location="registry/server/tools/registry-binding.ts:296">
P1: The `version` extracted from the server ID is ignored. When users request a specific version (e.g., `'ai.exa/exa@3.1.1'`), they will always receive the latest version instead because `getServerFromSupabase` only queries `is_latest: true`. Either pass the version to the query function or update the API description to clarify that version-specific lookups are not supported.</violation>
</file>

<file name="registry/server/lib/supabase-client.ts">

<violation number="1" location="registry/server/lib/supabase-client.ts:222">
P2: Search parameter is directly interpolated without sanitization. Special characters (commas, periods, parentheses) in the search string could break PostgREST query parsing or cause unintended filter behavior. Consider sanitizing the search input to escape special characters.</violation>

<violation number="2" location="registry/server/lib/supabase-client.ts:356">
P2: Missing `is_latest: true` filter in stats fallback queries. Other functions (`listServers`, `getServer`) consistently filter by `is_latest` to get only the latest version, but these stats queries will count all versions of servers, leading to inflated/inconsistent counts.</violation>
</file>

<file name="registry/scripts/create-table.sql">

<violation number="1" location="registry/scripts/create-table.sql:122">
P1: RLS policy allows public read of unlisted (hidden) items. The `unlisted` column is meant to hide rows when `TRUE`, but `USING (true)` exposes all rows. Consider restricting to visible items only.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

@cubic-dev-ai bot left a comment

3 issues found across 6 files (changes from recent commits).

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="registry/server/lib/supabase-client.ts">

<violation number="1" location="registry/server/lib/supabase-client.ts:184">
P2: The `sanitizeSearchInput` function is missing the escape for the underscore (`_`) character. In SQL LIKE/ILIKE patterns, `_` is a single-character wildcard (similar to how `%` is a multi-character wildcard). Without escaping it, users can inject single-character wildcards into search queries.</violation>
</file>

<file name="registry/scripts/enrich-with-ai.ts">

<violation number="1" location="registry/scripts/enrich-with-ai.ts:32">
P0: **CRITICAL SECURITY ISSUE**: API key is hardcoded in source code. This key is now exposed in the repository and should be immediately revoked. The key should be read from `process.env.OPENROUTER_API_KEY` as documented in the script header (line 20).</violation>
</file>

<file name="registry/server/tools/registry-binding.ts">

<violation number="1" location="registry/server/tools/registry-binding.ts:72">
P2: Documentation is inaccurate: `COLLECTION_REGISTRY_APP_GET` does NOT support getting specific versions. The `getServer` function always filters by `is_latest: true`, and the parsed version from the ID is ignored. Consider either updating this documentation to reflect actual behavior, or updating the GET implementation to support version queries.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Restores the Supabase integration files that had been lost:
- registry/server/lib/supabase-client.ts - Supabase client with CRUD
- registry/scripts/create-table.sql - DDL script for the mcp_servers table
- registry/scripts/populate-supabase.ts - Sync script for the Registry API

These files are required for the registry's Supabase functionality.

Updates the whole registry with a Supabase-based implementation:

Changes:
- package.json: adds @supabase/supabase-js and sync scripts
- main.ts: removes registryUrl from StateSchema (uses env vars)
- registry-binding.ts: drastically simplified (-365/+159 lines)
  - Uses the Supabase client directly instead of the Registry API
  - Removes the complex fallback and cache logic
  - Keeps only the allowlist and blacklist

Complete migration from API fetch → Supabase queries for better performance.

Code review fixes:
- Remove unused 'version' parameter from ListInputSchema
- Add is_latest filter to stats fallback queries
- Add sanitization for search input to prevent PostgREST injection
- Fix RLS policy to hide unlisted items from public access

Translations:
- Translate all comments and strings from PT-BR to English
- Update scripts: enrich-with-ai.ts, populate-supabase.ts
- Update server files: supabase-client.ts, registry-binding.ts
- Keep code consistent and professional in English

- Add escape for underscore (_) character in sanitizeSearchInput
- Underscore is a single-char wildcard in SQL LIKE/ILIKE
- Without escaping, users could inject wildcard patterns
- Example: 'ai_exa' would match 'ai.exa', 'ai-exa', 'ai exa', etc.

🚨 CRITICAL SECURITY FIX 🚨

- Remove hardcoded OPENROUTER_API_KEY from source code
- Use process.env.OPENROUTER_API_KEY instead
- Add validation to check for missing API key at startup
- Pass API key as parameter through function calls

⚠️ ACTION REQUIRED:
The exposed API key (sk-or-v1-[redacted on this page])
must be IMMEDIATELY REVOKED at the OpenRouter dashboard and a new key generated.

The old key is now exposed in git history and should be considered compromised.

- Add .env to .gitignore to prevent accidental commits
- Create ENV_SETUP.md with instructions for environment setup
- Create .env template file (not tracked by git)

- Update COLLECTION_REGISTRY_APP_GET docs to reflect actual behavior
- GET always returns LATEST version (is_latest: true)
- Version suffix in 'name@version' is accepted but IGNORED
- Remove misleading reference to GET supporting specific versions
- Clarify that COLLECTION_REGISTRY_APP_VERSIONS should be used for version queries

The implementation was correct, only the documentation was inaccurate.
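The search-input escaping raised in both review rounds (PostgREST filter syntax, then the `_` wildcard) and fixed in the commits above, shown as an added example; this is not the project's `sanitizeSearchInput`, and it assumes the search is sent as an `.or("name.ilike.*X*,description.ilike.*X*")` filter, which makes commas, parentheses and `*` PostgREST syntax and `%`, `_`, `\` the SQL LIKE metacharacters. The small ILIKE matcher at the end only exists to make the wildcard effect observable offline.

```typescript
// Added example (not the project's code): escape user search text before it is
// embedded in a Supabase/PostgREST `ilike` filter. Assumptions: the search goes
// out as an `.or("name.ilike.*X*,description.ilike.*X*")` filter string, so commas
// and parentheses are PostgREST syntax and `*` is PostgREST's alias for `%`;
// `%`, `_` and `\` are the SQL LIKE metacharacters (Postgres' default escape is `\`).

const LIKE_ESCAPE = "\\";

// Step 1: drop characters that PostgREST parses as filter syntax (they cannot be
// escaped inside the filter string). Step 2: escape LIKE metacharacters so they
// match literally; without this, `ai_exa` is the pattern "ai<any one char>exa".
function sanitizeSearchInput(raw: string): string {
  const withoutFilterSyntax = raw.replace(/[,()*]/g, " ").trim();
  return withoutFilterSyntax.replace(/[\\%_]/g, (c) => LIKE_ESCAPE + c);
}

// Builds the value handed to `.or()`; `*` becomes `%` on the PostgREST side.
function buildSearchFilter(raw: string): string {
  const term = sanitizeSearchInput(raw);
  return `name.ilike.*${term}*,description.ilike.*${term}*`;
}

// Escapes one character for use inside a JavaScript RegExp.
function regexEscape(c: string): string {
  return c.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Minimal SQL ILIKE matcher (escape char `\`) modelling Postgres semantics, so the
// effect of escaping can be checked locally; it is not a PostgREST component.
function ilikeMatch(pattern: string, text: string): boolean {
  let re = "^";
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === LIKE_ESCAPE && i + 1 < pattern.length) re += regexEscape(pattern[++i]);
    else if (c === "%") re += ".*";
    else if (c === "_") re += ".";
    else re += regexEscape(c);
  }
  return new RegExp(re + "$", "i").test(text);
}

// On a server name such as "ai.exa/exa" the unescaped underscore matches the dot,
// while the escaped pattern only matches a literal underscore.
function underscoreDemo(): { naive: boolean; hardened: boolean } {
  const target = "ai.exa/exa";
  return {
    naive: ilikeMatch("%ai_exa%", target), // true
    hardened: ilikeMatch(`%${sanitizeSearchInput("ai_exa")}%`, target), // false
  };
}
```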
@JonasJesus42 JonasJesus42 force-pushed the feat/registry-updates-from-main branch from ff3c404 to 715d3bb Compare January 2, 2026 16:21
@JonasJesus42 JonasJesus42 merged commit 36ed2b5 into main Jan 2, 2026
5 of 8 checks passed