feat(server/admin): add new admin api router

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
|
[cloud.google.com/go/cloudsqlconn](https://redirect.github.com/googlecloudplatform/cloud-sql-go-connector)
| `v1.18.0` -> `v1.18.1` |
[![age](https://developer.mend.io/api/mc/badges/age/go/cloud.google.com%2fgo%2fcloudsqlconn/v1.18.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/cloud.google.com%2fgo%2fcloudsqlconn/v1.18.0/v1.18.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Release Notes

<details>
<summary>googlecloudplatform/cloud-sql-go-connector
(cloud.google.com/go/cloudsqlconn)</summary>

###
[`v1.18.1`](https://redirect.github.com/GoogleCloudPlatform/cloud-sql-go-connector/releases/tag/v1.18.1)

[Compare
Source](https://redirect.github.com/googlecloudplatform/cloud-sql-go-connector/compare/v1.18.0...v1.18.1)

##### Bug Fixes

- Use a new context for the domain name check loop.
([#&#8203;1007](https://redirect.github.com/GoogleCloudPlatform/cloud-sql-go-connector/issues/1007))
([908d0cf](908d0cf6a6))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/googleapis/genai-toolbox).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS44Mi43IiwidXBkYXRlZEluVmVyIjoiNDEuODIuNyIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

.ci/integration.cloudbuild.yaml

@@ -152,25 +152,25 @@ steps:
           bigquery \
           bigquery
 
-  - id: "dataplex"
-    name: golang:1
-    waitFor: ["compile-test-binary"]
-    entrypoint: /bin/bash
-    env:
-      - "GOPATH=/gopath"
-      - "DATAPLEX_PROJECT=$PROJECT_ID"
-      - "SERVICE_ACCOUNT_EMAIL=$SERVICE_ACCOUNT_EMAIL"
-    secretEnv: ["CLIENT_ID"]
-    volumes:
-      - name: "go"
-        path: "/gopath"
-    args:
-      - -c
-      - |
-        .ci/test_with_coverage.sh \
-          "Dataplex" \
-          dataplex \
-          dataplex
+  # - id: "dataplex"
+  #   name: golang:1
+  #   waitFor: ["compile-test-binary"]
+  #   entrypoint: /bin/bash
+  #   env:
+  #     - "GOPATH=/gopath"
+  #     - "DATAPLEX_PROJECT=$PROJECT_ID"
+  #     - "SERVICE_ACCOUNT_EMAIL=$SERVICE_ACCOUNT_EMAIL"
+  #   secretEnv: ["CLIENT_ID"]
+  #   volumes:
+  #     - name: "go"
+  #       path: "/gopath"
+  #   args:
+  #     - -c
+  #     - |
+  #       .ci/test_with_coverage.sh \
+  #         "Dataplex" \
+  #         dataplex \
+  #         dataplex
 
   - id: "postgres"
     name: golang:1
@@ -553,6 +553,73 @@ steps:
           tidb \
           tidbsql tidbexecutesql
 
+  - id: "firebird"
+    name: golang:1
+    waitFor: ["compile-test-binary"]
+    entrypoint: /bin/bash
+    env:
+      - "GOPATH=/gopath"
+      - "FIREBIRD_DATABASE=$_FIREBIRD_DATABASE_NAME"
+      - "FIREBIRD_HOST=$_FIREBIRD_HOST"
+      - "FIREBIRD_PORT=$_FIREBIRD_PORT"
+      - "SERVICE_ACCOUNT_EMAIL=$SERVICE_ACCOUNT_EMAIL"
+    secretEnv: ["CLIENT_ID", "FIREBIRD_USER", "FIREBIRD_PASS"]
+    volumes:
+      - name: "go"
+        path: "/gopath"
+    args:
+      - -c
+      - |
+        .ci/test_with_coverage.sh \
+          "Firebird" \
+          firebird \
+          firebirdsql firebirdexecutesql
+
+  - id: "clickhouse"
+    name : golang:1
+    waitFor: ["compile-test-binary"]
+    entrypoint: /bin/bash
+    env:
+      - "GOPATH=/gopath"
+      - "CLICKHOUSE_DATABASE=$_CLICKHOUSE_DATABASE"
+      - "CLICKHOUSE_PORT=$_CLICKHOUSE_PORT"
+      - "CLICKHOUSE_PROTOCOL=$_CLICKHOUSE_PROTOCOL"
+      - "SERVICE_ACCOUNT_EMAIL=$SERVICE_ACCOUNT_EMAIL"
+    secretEnv: ["CLICKHOUSE_HOST", "CLICKHOUSE_USER", "CLIENT_ID"]
+    volumes:
+      - name: "go"
+        path: "/gopath"
+    args:
+      - -c
+      - |
+        .ci/test_with_coverage.sh \
+          "ClickHouse" \
+          clickhouse \
+          clickhouse
+
+  - id: "trino"
+    name: golang:1
+    waitFor: ["compile-test-binary"]
+    entrypoint: /bin/bash
+    env:
+      - "GOPATH=/gopath"
+      - "TRINO_HOST=$_TRINO_HOST"
+      - "TRINO_PORT=$_TRINO_PORT"
+      - "TRINO_CATALOG=$_TRINO_CATALOG"
+      - "TRINO_SCHEMA=$_TRINO_SCHEMA"
+      - "SERVICE_ACCOUNT_EMAIL=$SERVICE_ACCOUNT_EMAIL"
+    secretEnv: ["CLIENT_ID", "TRINO_USER"]
+    volumes:
+      - name: "go"
+        path: "/gopath"
+    args:
+      - -c
+      - |
+        .ci/test_with_coverage.sh \
+          "Trino" \
+          trino \
+          trinosql trinoexecutesql
+
 availableSecrets:
   secretManager:
     - versionName: projects/$PROJECT_ID/secrets/cloud_sql_pg_user/versions/latest
@@ -615,6 +682,16 @@ availableSecrets:
       env: TIDB_USER
     - versionName: projects/$PROJECT_ID/secrets/tidb_pass/versions/latest
       env: TIDB_PASS
+    - versionName: projects/$PROJECT_ID/secrets/clickhouse_host/versions/latest
+      env: CLICKHOUSE_HOST
+    - versionName: projects/$PROJECT_ID/secrets/clickhouse_user/versions/latest
+      env: CLICKHOUSE_USER
+    - versionName: projects/$PROJECT_ID/secrets/firebird_user/versions/latest
+      env: FIREBIRD_USER
+    - versionName: projects/$PROJECT_ID/secrets/firebird_pass/versions/latest
+      env: FIREBIRD_PASS
+    - versionName: projects/$PROJECT_ID/secrets/trino_user/versions/latest
+      env: TRINO_USER
     - versionName: projects/$PROJECT_ID/secrets/oceanbase_host/versions/latest
       env: OCEANBASE_HOST
     - versionName: projects/$PROJECT_ID/secrets/oceanbase_user/versions/latest
@@ -632,6 +709,7 @@ options:
 
 substitutions:
   _DATABASE_NAME: test_database
+  _FIREBIRD_DATABASE_NAME: /firebird/test_database.fdb
   _REGION: "us-central1"
   _CLOUD_SQL_POSTGRES_INSTANCE: "cloud-sql-pg-testing"
   _ALLOYDB_POSTGRES_CLUSTER: "alloydb-pg-testing"
@@ -655,5 +733,14 @@ substitutions:
   _LOOKER_VERIFY_SSL: "true"
   _TIDB_HOST: 127.0.0.1
   _TIDB_PORT: "4000"
+  _CLICKHOUSE_DATABASE: "default"
+  _CLICKHOUSE_PORT: "8123"
+  _CLICKHOUSE_PROTOCOL: "http"
+  _FIREBIRD_HOST: 127.0.0.1
+  _FIREBIRD_PORT: "3050"
+  _TRINO_HOST: 127.0.0.1
+  _TRINO_PORT: "8080"
+  _TRINO_CATALOG: "memory"
+  _TRINO_SCHEMA: "default"
   _OCEANBASE_PORT: "2883"
   _OCEANBASE_DATABASE: "oceanbase"

.github/blunderbuss.yml

@@ -9,6 +9,10 @@ assign_issues_by:
     - Genesis929
     - shobsi
     - jiaxunwu
+  - labels:
+    - 'product: looker'
+    to:
+    - drstrangelooker
 assign_prs:
   - Yuan325
   - duwenxin99

.github/labels.yaml

@@ -92,3 +92,7 @@
 - name: 'product: bigquery'
   color: 5065c7
   description: 'Product: Assigned to the BigQuery team.'
+# Product Labels
+- name: 'product: looker'
+  color: 5065c7
+  description: 'Product: Assigned to the Looker team.'

.github/workflows/tests.yaml

@@ -16,7 +16,7 @@ name: tests
 on:
   push:
     branches:
-    - 'main'
+      - "main"
   pull_request:
   pull_request_target:
     types: [labeled]
@@ -35,9 +35,9 @@ jobs:
         os: [macos-latest, windows-latest, ubuntu-latest]
       fail-fast: false
     permissions:
-      contents: 'read'
-      issues: 'write'
-      pull-requests: 'write'
+      contents: "read"
+      issues: "write"
+      pull-requests: "write"
     steps:
       - name: Remove PR label
         if: "${{ github.event.action == 'labeled' && github.event.label.name == 'tests: run' }}"
@@ -76,6 +76,8 @@ jobs:
 
       - name: Run tests with coverage
         if: ${{ runner.os == 'Linux' }}
+        env:
+          GOTOOLCHAIN: go1.25.0+auto
         run: |
           source_dir="./internal/sources/*"
           tool_dir="./internal/tools/*"

.gitignore

@@ -20,4 +20,4 @@ node_modules
 
 # executable
 genai-toolbox
-toolbox
+toolbox

.hugo/hugo.toml

@@ -8,6 +8,8 @@ defaultContentLanguageInSubdir = false
 enableGitInfo = true
 enableRobotsTXT = true
 
+ignoreFiles = ["quickstart/shared", "quickstart/python", "quickstart/js", "quickstart/go"]
+
 [languages]
   [languages.en]
     languageName ="English"

.hugo/layouts/shortcodes/ipynb.html

@@ -0,0 +1,47 @@
+{{ $notebookFile := .Get 0 }}
+{{ with .Page.Resources.Get $notebookFile }}
+
+  {{ $content := .Content | transform.Unmarshal }}
+  {{ range $content.cells }}
+
+    {{ if eq .cell_type "markdown" }}
+      <div class="notebook-markdown">
+        {{ $markdown := "" }}
+        {{ range .source }}{{ $markdown = print $markdown . }}{{ end }}
+        {{ $markdown | markdownify }}
+      </div>
+    {{ end }}
+
+    {{ if eq .cell_type "code" }}
+      <div class="notebook-code">
+        {{ $code := "" }}
+        {{ range .source }}{{ $code = print $code . }}{{ end }}
+        {{ highlight $code "python" "" }}
+
+        {{ range .outputs }}
+          <div class="notebook-output">
+            {{ with .text }}
+              <pre class="notebook-stream"><code>{{- range . }}{{ . }}{{ end -}}</code></pre>
+            {{ end }}
+
+            {{ with .data }}
+              {{ with index . "image/png" }}
+                <img src="data:image/png;base64,{{ . }}" alt="Notebook output image">
+              {{ end }}
+              {{ with index . "image/jpeg" }}
+                <img src="data:image/jpeg;base64,{{ . }}" alt="Notebook output image">
+              {{ end }}
+              {{ with index . "text/html" }}
+                {{ $html := "" }}
+                {{ range . }}{{ $html = print $html . }}{{ end }}
+                {{ $html | safeHTML }}
+              {{ end }}
+            {{ end }}
+          </div>
+        {{ end }}
+      </div>
+    {{ end }}
+  {{ end }}
+{{ else }}
+  <p style="color: red;">Error: Notebook '{{ $notebookFile }}' not found in page resources.</p>
+{{ end }}

.hugo/layouts/shortcodes/regionInclude.html

@@ -0,0 +1,49 @@
+{{/*
+  snippet.html
+  Usage:
+    {{< regionInclude "filename.md" "region_name" >}}
+    {{< regionInclude "filename.python" "region_name" "python" >}}
+*/}}
+
+{{ $file := .Get 0 }}
+{{ $region := .Get 1 }}
+{{ $lang := .Get 2 | default "text" }}
+{{ $path := printf "%s%s" .Page.File.Dir $file }}
+
+{{ if or (not $file) (eq $file "") }}
+  {{ errorf "The file parameter (first argument) is required and must be non-empty in %s" .Page.File.Path }}
+{{ end }}
+{{ if or (not $region) (eq $region "") }}
+  {{ errorf "The region parameter (second argument) is required and must be non-empty in %s" .Page.File.Path }}
+{{ end }}
+{{ if not (fileExists $path) }}
+  {{ errorf "File %q not found (referenced in %s)" $path .Page.File.Path }}
+{{ end }}
+
+{{ $content := readFile $path }}
+{{ $start_tag := printf "[START %s]" $region }}
+{{ $end_tag := printf "[END %s]" $region }}
+
+{{ $snippet := "" }}
+{{ $in_snippet := false }}
+{{ range split $content "\n" }}
+  {{ if $in_snippet }}
+    {{ if in . $end_tag }}
+      {{ $in_snippet = false }}
+    {{ else }}
+      {{ $snippet = printf "%s%s\n" $snippet . }}
+    {{ end }}
+  {{ else if in . $start_tag }}
+    {{ $in_snippet = true }}
+  {{ end }}
+{{ end }}
+
+{{ if eq (trim $snippet "") "" }}
+  {{ errorf "Region %q not found or empty in file %s (referenced in %s)" $region $file .Page.File.Path }}
+{{ end }}
+
+{{ if eq $lang "text" }}
+  {{ $snippet | markdownify }}
+{{ else }}
+  {{ highlight (trim $snippet "\n") $lang "" }}
+{{ end }}

CHANGELOG.md

@@ -1,5 +1,36 @@
 # Changelog
 
+## [0.13.0](https://github.com/googleapis/genai-toolbox/compare/v0.12.0...v0.13.0) (2025-08-27)
+
+### ⚠ BREAKING CHANGES
+
+* **prebuilt/alloydb:** Add bearer token support for alloydb-wait-for-operation ([#1183](https://github.com/googleapis/genai-toolbox/issues/1183))
+
+
+### Features
+
+* Add capability to set default for environment variable in config ([#1248](https://github.com/googleapis/genai-toolbox/issues/1248)) ([5bcd52e](https://github.com/googleapis/genai-toolbox/commit/5bcd52e7dcd0773ded723585f4abe29d044e1540))
+* **firebird:** Add Firebird SQL 2.5+ source and tool ([#1011](https://github.com/googleapis/genai-toolbox/issues/1011)) ([4f6b806](https://github.com/googleapis/genai-toolbox/commit/4f6b806de947efc4e12bdb50dff7781aedb7b966))
+* **oceanbase:** Add Oceanbase source and tool  ([#895](https://github.com/googleapis/genai-toolbox/issues/895)) ([6fc4982](https://github.com/googleapis/genai-toolbox/commit/6fc49826d43f46c84028e752ebebddf3d94b3d13))
+* **server/mcp:** Support `ping` mechanism ([#1178](https://github.com/googleapis/genai-toolbox/issues/1178)) ([5dcc66c](https://github.com/googleapis/genai-toolbox/commit/5dcc66c84fa72c75ec50a9ac5198018212ec2979))
+* **server:** Fail-fast on environment variable substitution ([#1177](https://github.com/googleapis/genai-toolbox/issues/1177)) ([212aaba](https://github.com/googleapis/genai-toolbox/commit/212aaba74c8b431de8a5f7b9822a0af4afcaaa0e))
+* **server:** Implement Tool call auth error propagation ([#1235](https://github.com/googleapis/genai-toolbox/issues/1235)) ([b94a021](https://github.com/googleapis/genai-toolbox/commit/b94a021ca11c6637cf8038449483b5e75f2012b3))
+* **sources/bigquery:** Add support for user-credential passthrough  ([#1067](https://github.com/googleapis/genai-toolbox/issues/1067)) ([650e2e2](https://github.com/googleapis/genai-toolbox/commit/650e2e26f51bff75ce66343f64944d0a89a58b69))
+* **tool/looker:** Add support for `description` field in looker tool ([#1199](https://github.com/googleapis/genai-toolbox/issues/1199)) ([97f0dd2](https://github.com/googleapis/genai-toolbox/commit/97f0dd2acf26caf28ecad65abea8779c196a27f1))
+* **tools/bigquery-ask-data-insights:** Add bigquery `ask-data-insights` tool ([#932](https://github.com/googleapis/genai-toolbox/issues/932)) ([7651357](https://github.com/googleapis/genai-toolbox/commit/7651357d424a2b6656d8b6818cebc5c8a86ed053))
+* **tools/bigquery-forecast:** Add bigqueryforecast tool ([#1148](https://github.com/googleapis/genai-toolbox/issues/1148)) ([2ad0ccf](https://github.com/googleapis/genai-toolbox/commit/2ad0ccf83df542340087742468d6762f81eedee6))
+* **tools/firestore-add-documents:** Add firestore-add-documents tool ([#1107](https://github.com/googleapis/genai-toolbox/issues/1107)) ([ee4a70a](https://github.com/googleapis/genai-toolbox/commit/ee4a70a0e82b346b07b5b4c60dfa060da2273f50))
+* **tools/firestore-update-document:** Add firestore-update-document tool ([#1191](https://github.com/googleapis/genai-toolbox/issues/1191)) ([0010123](https://github.com/googleapis/genai-toolbox/commit/00101232a39c70288aac5715649c184858d351e3))
+* **tools/looker:** Control over whether hidden objects are surfaced ([#1222](https://github.com/googleapis/genai-toolbox/issues/1222)) ([bc91559](https://github.com/googleapis/genai-toolbox/commit/bc91559cc4e5b20385b84cc562b624fabf7e47a8))
+* **trino:** Add Trino source and tools ([#948](https://github.com/googleapis/genai-toolbox/issues/948)) ([7dd123b](https://github.com/googleapis/genai-toolbox/commit/7dd123b3d76b8eb2b74b5d960959c1f90684b37e))
+
+
+### Bug Fixes
+
+* **tools/looker:** Lookergetdashboards uses proper Authorized helper func ([#1255](https://github.com/googleapis/genai-toolbox/issues/1255)) ([00866bc](https://github.com/googleapis/genai-toolbox/commit/00866bc7fc33115c547213e60316ae889735fdbb))
+* **tools/mongodb-find-one:** ProjectPayload unmarshaling ([#1167](https://github.com/googleapis/genai-toolbox/issues/1167)) ([8ea6a98](https://github.com/googleapis/genai-toolbox/commit/8ea6a98bd9096ba97722e5f807366887e864004f))
+* **tools/mysql:** Fix encoded text for mysql ([#1161](https://github.com/googleapis/genai-toolbox/issues/1161)) ([a37cfa8](https://github.com/googleapis/genai-toolbox/commit/a37cfa841d151b9995d4fab73cfc5e4d30d2cc57)), closes [#840](https://github.com/googleapis/genai-toolbox/issues/840)
+
 ## [0.12.0](https://github.com/googleapis/genai-toolbox/compare/v0.11.0...v0.12.0) (2025-08-14)
 
 

CONTRIBUTING.md

@@ -116,7 +116,9 @@ tools.
 * **Add a test file** under a new directory `tests/newdb`.
 * **Add pre-defined integration test suites** in the
   `/tests/newdb/newdb_test.go` that are **required** to be run as long as your
-  code contains related features:
+  code contains related features. Please check each test suites for the config
+  defaults, if your source require test suites config updates, please refer to
+  [config option](./tests/option.go):
 
      1. [RunToolGetTest][tool-get]: tests for the `GET` endpoint that returns the
             tool's manifest.
@@ -135,7 +137,7 @@ tools.
             parameters][temp-param-doc]. Only run this test if template
             parameters apply to your tool.
 
-* **Add the new database to the test config** in
+* **Add the new database to the integration test workflow** in
   [integration.cloudbuild.yaml](.ci/integration.cloudbuild.yaml).
 
 [tool-get]:

README.md

@@ -33,12 +33,15 @@ documentation](https://googleapis.github.io/genai-toolbox/).
 - [Getting Started](#getting-started)
   - [Installing the server](#installing-the-server)
   - [Running the server](#running-the-server)
+    - [Homebrew Users](#homebrew-users)
   - [Integrating your application](#integrating-your-application)
 - [Configuration](#configuration)
   - [Sources](#sources)
   - [Tools](#tools)
   - [Toolsets](#toolsets)
 - [Versioning](#versioning)
+  - [Pre-1.0.0 Versioning](#pre-100-versioning)
+  - [Post-1.0.0 Versioning](#post-100-versioning)
 - [Contributing](#contributing)
 - [Community](#community)
 
@@ -114,7 +117,7 @@ To install Toolbox as a binary:
 <!-- {x-release-please-start-version} -->
 ```sh
 # see releases page for other versions
-export VERSION=0.12.0
+export VERSION=0.13.0
 curl -O https://storage.googleapis.com/genai-toolbox/v$VERSION/linux/amd64/toolbox
 chmod +x toolbox
 ```
@@ -127,7 +130,7 @@ You can also install Toolbox as a container:
 
 ```sh
 # see releases page for other versions
-export VERSION=0.12.0
+export VERSION=0.13.0
 docker pull us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:$VERSION
 ```
 
@@ -151,7 +154,7 @@ To install from source, ensure you have the latest version of
 [Go installed](https://go.dev/doc/install), and then run the following command:
 
 ```sh
-go install github.com/googleapis/genai-toolbox@v0.12.0
+go install github.com/googleapis/genai-toolbox@v0.13.0
 ```
 <!-- {x-release-please-end} -->
 
@@ -724,12 +727,26 @@ my_second_toolset = client.load_toolset("my_second_toolset")
 
 ## Versioning
 
-This project uses [semantic versioning](https://semver.org/), including a
-`MAJOR.MINOR.PATCH` version number that increments with:
+This project uses [semantic versioning](https://semver.org/) (`MAJOR.MINOR.PATCH`).
+Since the project is in a pre-release stage (version `0.x.y`), we follow the
+standard conventions for initial  development:
 
-- MAJOR version when we make incompatible API changes
-- MINOR version when we add functionality in a backward compatible manner
-- PATCH version when we make backward compatible bug fixes
+### Pre-1.0.0 Versioning
+While the major version is `0`, the public API should be considered unstable.
+The version will be incremented  as follows:
+
+- **`0.MINOR.PATCH`**: The **MINOR** version is incremented when we add
+  new functionality or make breaking, incompatible API changes.
+- **`0.MINOR.PATCH`**: The **PATCH** version is incremented for
+  backward-compatible bug fixes.
+
+### Post-1.0.0 Versioning
+Once the project reaches a stable `1.0.0` release, the versioning will follow
+the more common convention:
+
+- **`MAJOR.MINOR.PATCH`**: Incremented for incompatible API changes.
+- **`MAJOR.MINOR.PATCH`**: Incremented for new, backward-compatible functionality.
+- **`MAJOR.MINOR.PATCH`**: Incremented for backward-compatible bug fixes.
 
 The public API that this applies to is the CLI associated with Toolbox, the
 interactions with official SDKs, and the definitions in the `tools.yaml` file.

cmd/root.go

@@ -43,6 +43,7 @@ import (
 
 	// Import tool packages for side effect of registration
 	_ "github.com/googleapis/genai-toolbox/internal/tools/alloydbainl"
+	_ "github.com/googleapis/genai-toolbox/internal/tools/bigquery/bigqueryconversationalanalytics"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/bigquery/bigqueryexecutesql"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/bigquery/bigqueryforecast"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/bigquery/bigquerygetdatasetinfo"
@@ -51,17 +52,22 @@ import (
 	_ "github.com/googleapis/genai-toolbox/internal/tools/bigquery/bigquerylisttableids"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/bigquery/bigquerysql"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/bigtable"
+	_ "github.com/googleapis/genai-toolbox/internal/tools/clickhouse/clickhouseexecutesql"
+	_ "github.com/googleapis/genai-toolbox/internal/tools/clickhouse/clickhousesql"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/couchbase"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/dataplex/dataplexlookupentry"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/dataplex/dataplexsearchaspecttypes"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/dataplex/dataplexsearchentries"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/dgraph"
+	_ "github.com/googleapis/genai-toolbox/internal/tools/firebird/firebirdexecutesql"
+	_ "github.com/googleapis/genai-toolbox/internal/tools/firebird/firebirdsql"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/firestore/firestoreadddocuments"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/firestore/firestoredeletedocuments"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/firestore/firestoregetdocuments"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/firestore/firestoregetrules"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/firestore/firestorelistcollections"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/firestore/firestorequerycollection"
+	_ "github.com/googleapis/genai-toolbox/internal/tools/firestore/firestoreupdatedocument"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/firestore/firestorevalidaterules"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/http"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/looker/lookeradddashboardelement"
@@ -105,6 +111,8 @@ import (
 	_ "github.com/googleapis/genai-toolbox/internal/tools/sqlitesql"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/tidb/tidbexecutesql"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/tidb/tidbsql"
+	_ "github.com/googleapis/genai-toolbox/internal/tools/trino/trinoexecutesql"
+	_ "github.com/googleapis/genai-toolbox/internal/tools/trino/trinosql"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/utility/alloydbwaitforoperation"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/utility/wait"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/valkey"
@@ -114,12 +122,14 @@ import (
 	_ "github.com/googleapis/genai-toolbox/internal/sources/alloydbpg"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/bigquery"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/bigtable"
+	_ "github.com/googleapis/genai-toolbox/internal/sources/clickhouse"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/cloudsqlmssql"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/cloudsqlmysql"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/cloudsqlpg"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/couchbase"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/dataplex"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/dgraph"
+	_ "github.com/googleapis/genai-toolbox/internal/sources/firebird"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/firestore"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/http"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/looker"
@@ -133,6 +143,7 @@ import (
 	_ "github.com/googleapis/genai-toolbox/internal/sources/spanner"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/sqlite"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/tidb"
+	_ "github.com/googleapis/genai-toolbox/internal/sources/trino"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/valkey"
 )
 
@@ -231,7 +242,13 @@ func NewCommand(opts ...Option) *Command {
 	flags.BoolVar(&cmd.cfg.TelemetryGCP, "telemetry-gcp", false, "Enable exporting directly to Google Cloud Monitoring.")
 	flags.StringVar(&cmd.cfg.TelemetryOTLP, "telemetry-otlp", "", "Enable exporting using OpenTelemetry Protocol (OTLP) to the specified endpoint (e.g. 'http://127.0.0.1:4318')")
 	flags.StringVar(&cmd.cfg.TelemetryServiceName, "telemetry-service-name", "toolbox", "Sets the value of the service.name resource attribute for telemetry data.")
-	flags.StringVar(&cmd.prebuiltConfig, "prebuilt", "", "Use a prebuilt tool configuration by source type. Cannot be used with --tools-file. Allowed: 'alloydb-postgres-admin', alloydb-postgres', 'bigquery', 'cloud-sql-mysql', 'cloud-sql-postgres', 'cloud-sql-mssql', 'dataplex', 'firestore', 'looker', 'mssql', 'mysql', 'oceanbase', 'postgres', 'spanner', 'spanner-postgres'.")
+
+	// Fetch prebuilt tools sources to customize the help description
+	prebuiltHelp := fmt.Sprintf(
+		"Use a prebuilt tool configuration by source type. Cannot be used with --tools-file. Allowed: '%s'.",
+		strings.Join(prebuiltconfigs.GetPrebuiltSources(), "', '"),
+	)
+	flags.StringVar(&cmd.prebuiltConfig, "prebuilt", "", prebuiltHelp)
 	flags.BoolVar(&cmd.cfg.Stdio, "stdio", false, "Listens via MCP STDIO instead of acting as a remote HTTP server.")
 	flags.BoolVar(&cmd.cfg.DisableReload, "disable-reload", false, "Disables dynamic reloading of tools file.")
 	flags.BoolVar(&cmd.cfg.UI, "ui", false, "Launches the Toolbox UI web server.")
@@ -251,32 +268,40 @@ type ToolsFile struct {
 }
 
 // parseEnv replaces environment variables ${ENV_NAME} with their values.
-func parseEnv(input string) string {
-	re := regexp.MustCompile(`\$\{(\w+)\}`)
+// also support ${ENV_NAME:default_value}.
+func parseEnv(input string) (string, error) {
+	re := regexp.MustCompile(`\$\{(\w+)(:(\w*))?\}`)
 
-	return re.ReplaceAllStringFunc(input, func(match string) string {
+	var err error
+	output := re.ReplaceAllStringFunc(input, func(match string) string {
 		parts := re.FindStringSubmatch(match)
-		if len(parts) < 2 {
-			// technically shouldn't happen
-			return match
-		}
 
 		// extract the variable name
 		variableName := parts[1]
 		if value, found := os.LookupEnv(variableName); found {
 			return value
 		}
-		return match
+		if parts[2] != "" {
+			return parts[3]
+		}
+		err = fmt.Errorf("environment variable not found: %q", variableName)
+		return ""
 	})
+	return output, err
 }
 
 // parseToolsFile parses the provided yaml into appropriate configs.
 func parseToolsFile(ctx context.Context, raw []byte) (ToolsFile, error) {
 	var toolsFile ToolsFile
 	// Replace environment variables if found
-	raw = []byte(parseEnv(string(raw)))
+	output, err := parseEnv(string(raw))
+	if err != nil {
+		return toolsFile, fmt.Errorf("error parsing environment variables: %s", err)
+	}
+	raw = []byte(output)
+
 	// Parse contents
-	err := yaml.UnmarshalContext(ctx, raw, &toolsFile, yaml.Strict())
+	err = yaml.UnmarshalContext(ctx, raw, &toolsFile, yaml.Strict())
 	if err != nil {
 		return toolsFile, err
 	}
@@ -812,7 +837,7 @@ func run(cmd *Command) error {
 		}
 		cmd.logger.InfoContext(ctx, "Server ready to serve!")
 		if cmd.cfg.UI {
-			cmd.logger.InfoContext(ctx, fmt.Sprintf("Toolbox UI is up and running at: http://localhost:%d/ui", cmd.cfg.Port))
+			cmd.logger.InfoContext(ctx, fmt.Sprintf("Toolbox UI is up and running at: http://%s:%d/ui", cmd.cfg.Address, cmd.cfg.Port))
 		}
 
 		go func() {

cmd/root_test.go

@@ -206,6 +206,72 @@ func TestServerConfigFlags(t *testing.T) {
 	}
 }
 
+func TestParseEnv(t *testing.T) {
+	tcs := []struct {
+		desc      string
+		env       map[string]string
+		in        string
+		want      string
+		err       bool
+		errString string
+	}{
+		{
+			desc:      "without default without env",
+			in:        "${FOO}",
+			want:      "",
+			err:       true,
+			errString: `environment variable not found: "FOO"`,
+		},
+		{
+			desc: "without default with env",
+			env: map[string]string{
+				"FOO": "bar",
+			},
+			in:   "${FOO}",
+			want: "bar",
+		},
+		{
+			desc: "with empty default",
+			in:   "${FOO:}",
+			want: "",
+		},
+		{
+			desc: "with default",
+			in:   "${FOO:bar}",
+			want: "bar",
+		},
+		{
+			desc: "with default with env",
+			env: map[string]string{
+				"FOO": "hello",
+			},
+			in:   "${FOO:bar}",
+			want: "hello",
+		},
+	}
+	for _, tc := range tcs {
+		t.Run(tc.desc, func(t *testing.T) {
+			if tc.env != nil {
+				for k, v := range tc.env {
+					t.Setenv(k, v)
+				}
+			}
+			got, err := parseEnv(tc.in)
+			if tc.err {
+				if err == nil {
+					t.Fatalf("expected error not found")
+				}
+				if tc.errString != err.Error() {
+					t.Fatalf("incorrect error string: got %s, want %s", err, tc.errString)
+				}
+			}
+			if tc.want != got {
+				t.Fatalf("unexpected want: got %s, want %s", got, tc.want)
+			}
+		})
+	}
+}
+
 func TestToolFileFlag(t *testing.T) {
 	tcs := []struct {
 		desc string
@@ -820,13 +886,14 @@ func TestParseToolFileWithAuth(t *testing.T) {
 
 func TestEnvVarReplacement(t *testing.T) {
 	ctx, err := testutils.ContextWithNewLogger()
-	os.Setenv("TestHeader", "ACTUAL_HEADER")
-	os.Setenv("API_KEY", "ACTUAL_API_KEY")
-	os.Setenv("clientId", "ACTUAL_CLIENT_ID")
-	os.Setenv("clientId2", "ACTUAL_CLIENT_ID_2")
-	os.Setenv("toolset_name", "ACTUAL_TOOLSET_NAME")
-	os.Setenv("cat_string", "cat")
-	os.Setenv("food_string", "food")
+	t.Setenv("TestHeader", "ACTUAL_HEADER")
+	t.Setenv("API_KEY", "ACTUAL_API_KEY")
+	t.Setenv("clientId", "ACTUAL_CLIENT_ID")
+	t.Setenv("clientId2", "ACTUAL_CLIENT_ID_2")
+	t.Setenv("toolset_name", "ACTUAL_TOOLSET_NAME")
+	t.Setenv("cat_string", "cat")
+	t.Setenv("food_string", "food")
+	t.Setenv("TestHeader", "ACTUAL_HEADER")
 
 	if err != nil {
 		t.Fatalf("unexpected error: %s", err)
@@ -1161,9 +1228,11 @@ func TestSingleEdit(t *testing.T) {
 }
 
 func TestPrebuiltTools(t *testing.T) {
+	// Get prebuilt configs
 	alloydb_admin_config, _ := prebuiltconfigs.Get("alloydb-postgres-admin")
 	alloydb_config, _ := prebuiltconfigs.Get("alloydb-postgres")
 	bigquery_config, _ := prebuiltconfigs.Get("bigquery")
+	clickhouse_config, _ := prebuiltconfigs.Get("clickhouse")
 	cloudsqlpg_config, _ := prebuiltconfigs.Get("cloud-sql-postgres")
 	cloudsqlmysql_config, _ := prebuiltconfigs.Get("cloud-sql-mysql")
 	cloudsqlmssql_config, _ := prebuiltconfigs.Get("cloud-sql-mssql")
@@ -1175,6 +1244,80 @@ func TestPrebuiltTools(t *testing.T) {
 	postgresconfig, _ := prebuiltconfigs.Get("postgres")
 	spanner_config, _ := prebuiltconfigs.Get("spanner")
 	spannerpg_config, _ := prebuiltconfigs.Get("spanner-postgres")
+
+	// Set environment variables
+	t.Setenv("API_KEY", "your_api_key")
+
+	t.Setenv("BIGQUERY_PROJECT", "your_gcp_project_id")
+	t.Setenv("DATAPLEX_PROJECT", "your_gcp_project_id")
+	t.Setenv("FIRESTORE_PROJECT", "your_gcp_project_id")
+	t.Setenv("FIRESTORE_DATABASE", "your_firestore_db_name")
+
+	t.Setenv("SPANNER_PROJECT", "your_gcp_project_id")
+	t.Setenv("SPANNER_INSTANCE", "your_spanner_instance")
+	t.Setenv("SPANNER_DATABASE", "your_spanner_db")
+
+	t.Setenv("ALLOYDB_POSTGRES_PROJECT", "your_gcp_project_id")
+	t.Setenv("ALLOYDB_POSTGRES_REGION", "your_gcp_region")
+	t.Setenv("ALLOYDB_POSTGRES_CLUSTER", "your_alloydb_cluster")
+	t.Setenv("ALLOYDB_POSTGRES_INSTANCE", "your_alloydb_instance")
+	t.Setenv("ALLOYDB_POSTGRES_DATABASE", "your_alloydb_db")
+	t.Setenv("ALLOYDB_POSTGRES_USER", "your_alloydb_user")
+	t.Setenv("ALLOYDB_POSTGRES_PASSWORD", "your_alloydb_password")
+
+	t.Setenv("CLICKHOUSE_PROTOCOL", "your_clickhouse_protocol")
+	t.Setenv("CLICKHOUSE_DATABASE", "your_clickhouse_database")
+	t.Setenv("CLICKHOUSE_PASSWORD", "your_clickhouse_password")
+	t.Setenv("CLICKHOUSE_USER", "your_clickhouse_user")
+	t.Setenv("CLICKHOUSE_HOST", "your_clickhosue_host")
+	t.Setenv("CLICKHOUSE_PORT", "8123")
+
+	t.Setenv("CLOUD_SQL_POSTGRES_PROJECT", "your_pg_project")
+	t.Setenv("CLOUD_SQL_POSTGRES_INSTANCE", "your_pg_instance")
+	t.Setenv("CLOUD_SQL_POSTGRES_DATABASE", "your_pg_db")
+	t.Setenv("CLOUD_SQL_POSTGRES_REGION", "your_pg_region")
+	t.Setenv("CLOUD_SQL_POSTGRES_USER", "your_pg_user")
+	t.Setenv("CLOUD_SQL_POSTGRES_PASS", "your_pg_pass")
+
+	t.Setenv("CLOUD_SQL_MYSQL_PROJECT", "your_gcp_project_id")
+	t.Setenv("CLOUD_SQL_MYSQL_REGION", "your_gcp_region")
+	t.Setenv("CLOUD_SQL_MYSQL_INSTANCE", "your_instance")
+	t.Setenv("CLOUD_SQL_MYSQL_DATABASE", "your_cloudsql_mysql_db")
+	t.Setenv("CLOUD_SQL_MYSQL_USER", "your_cloudsql_mysql_user")
+	t.Setenv("CLOUD_SQL_MYSQL_PASSWORD", "your_cloudsql_mysql_password")
+
+	t.Setenv("CLOUD_SQL_MSSQL_PROJECT", "your_gcp_project_id")
+	t.Setenv("CLOUD_SQL_MSSQL_REGION", "your_gcp_region")
+	t.Setenv("CLOUD_SQL_MSSQL_INSTANCE", "your_cloudsql_mssql_instance")
+	t.Setenv("CLOUD_SQL_MSSQL_DATABASE", "your_cloudsql_mssql_db")
+	t.Setenv("CLOUD_SQL_MSSQL_IP_ADDRESS", "127.0.0.1")
+	t.Setenv("CLOUD_SQL_MSSQL_USER", "your_cloudsql_mssql_user")
+	t.Setenv("CLOUD_SQL_MSSQL_PASSWORD", "your_cloudsql_mssql_password")
+	t.Setenv("CLOUD_SQL_POSTGRES_PASSWORD", "your_cloudsql_pg_password")
+
+	t.Setenv("POSTGRES_HOST", "localhost")
+	t.Setenv("POSTGRES_PORT", "5432")
+	t.Setenv("POSTGRES_DATABASE", "your_postgres_db")
+	t.Setenv("POSTGRES_USER", "your_postgres_user")
+	t.Setenv("POSTGRES_PASSWORD", "your_postgres_password")
+
+	t.Setenv("MYSQL_HOST", "localhost")
+	t.Setenv("MYSQL_PORT", "3306")
+	t.Setenv("MYSQL_DATABASE", "your_mysql_db")
+	t.Setenv("MYSQL_USER", "your_mysql_user")
+	t.Setenv("MYSQL_PASSWORD", "your_mysql_password")
+
+	t.Setenv("MSSQL_HOST", "localhost")
+	t.Setenv("MSSQL_PORT", "1433")
+	t.Setenv("MSSQL_DATABASE", "your_mssql_db")
+	t.Setenv("MSSQL_USER", "your_mssql_user")
+	t.Setenv("MSSQL_PASSWORD", "your_mssql_password")
+
+	t.Setenv("LOOKER_BASE_URL", "https://your_company.looker.com")
+	t.Setenv("LOOKER_CLIENT_ID", "your_looker_client_id")
+	t.Setenv("LOOKER_CLIENT_SECRET", "your_looker_client_secret")
+	t.Setenv("LOOKER_VERIFY_SSL", "true")
+
 	ctx, err := testutils.ContextWithNewLogger()
 	if err != nil {
 		t.Fatalf("unexpected error: %s", err)
@@ -1210,7 +1353,17 @@ func TestPrebuiltTools(t *testing.T) {
 			wantToolset: server.ToolsetConfigs{
 				"bigquery-database-tools": tools.ToolsetConfig{
 					Name:      "bigquery-database-tools",
-					ToolNames: []string{"execute_sql", "forecast", "get_dataset_info", "get_table_info", "list_dataset_ids", "list_table_ids"},
+					ToolNames: []string{"ask_data_insights", "execute_sql", "forecast", "get_dataset_info", "get_table_info", "list_dataset_ids", "list_table_ids"},
+				},
+			},
+		},
+		{
+			name: "clickhouse prebuilt tools",
+			in:   clickhouse_config,
+			wantToolset: server.ToolsetConfigs{
+				"clickhouse-database-tools": tools.ToolsetConfig{
+					Name:      "clickhouse-database-tools",
+					ToolNames: []string{"execute_sql"},
 				},
 			},
 		},
@@ -1260,7 +1413,7 @@ func TestPrebuiltTools(t *testing.T) {
 			wantToolset: server.ToolsetConfigs{
 				"firestore-database-tools": tools.ToolsetConfig{
 					Name:      "firestore-database-tools",
-					ToolNames: []string{"firestore-get-documents", "firestore-add-documents", "firestore-list-collections", "firestore-delete-documents", "firestore-query-collection", "firestore-get-rules", "firestore-validate-rules"},
+					ToolNames: []string{"firestore-get-documents", "firestore-add-documents", "firestore-update-document", "firestore-list-collections", "firestore-delete-documents", "firestore-query-collection", "firestore-get-rules", "firestore-validate-rules"},
 				},
 			},
 		},

cmd/version.txt

@@ -1 +1 @@
-0.12.0
+0.13.0

docs/en/getting-started/colab_quickstart.ipynb

@@ -234,7 +234,7 @@
       },
       "outputs": [],
       "source": [
-        "version = \"0.12.0\" # x-release-please-version\n",
+        "version = \"0.13.0\" # x-release-please-version\n",
         "! curl -O https://storage.googleapis.com/genai-toolbox/v{version}/linux/amd64/toolbox\n",
         "\n",
         "# Make the binary executable\n",

docs/en/getting-started/configure.md

@@ -22,6 +22,11 @@ etc., you could use environment variables instead with the format `${ENV_NAME}`.
   user: ${USER_NAME}
   password: ${PASSWORD}
 ```
+A default value can be specified like `${ENV_NAME:default}`.
+
+```yaml
+  port: ${DB_PORT:3306}
+```
 
 ### Sources
 

docs/en/getting-started/introduction/_index.md

@@ -86,7 +86,7 @@ To install Toolbox as a binary:
 
 ```sh
 # see releases page for other versions
-export VERSION=0.12.0
+export VERSION=0.13.0
 curl -O https://storage.googleapis.com/genai-toolbox/v$VERSION/linux/amd64/toolbox
 chmod +x toolbox
 ```
@@ -97,7 +97,7 @@ You can also install Toolbox as a container:
 
 ```sh
 # see releases page for other versions
-export VERSION=0.12.0
+export VERSION=0.13.0
 docker pull us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:$VERSION
 ```
 
@@ -115,7 +115,7 @@ To install from source, ensure you have the latest version of
 [Go installed](https://go.dev/doc/install), and then run the following command:
 
 ```sh
-go install github.com/googleapis/genai-toolbox@v0.12.0
+go install github.com/googleapis/genai-toolbox@v0.13.0
 ```
 
 {{% /tab %}}

docs/en/getting-started/local_quickstart.md

@@ -18,265 +18,13 @@ This guide assumes you have already done the following:
 1. Installed [PostgreSQL 16+ and the `psql` client][install-postgres].
 
 ### Cloud Setup (Optional)
-
-If you plan to use **Google Cloud’s Vertex AI** with your agent (e.g., using
-`vertexai=True` or a Google GenAI model), follow these one-time setup steps for
-local development:
-
-1. [Install the Google Cloud CLI](https://cloud.google.com/sdk/docs/install)
-1. [Set up Application Default Credentials (ADC)](https://cloud.google.com/docs/authentication/set-up-adc-local-dev-environment)
-1. Set your project and enable Vertex AI
-
-    ```bash
-    gcloud config set project YOUR_PROJECT_ID
-    gcloud services enable aiplatform.googleapis.com
-    ```
-
-[install-python]: https://wiki.python.org/moin/BeginnersGuide/Download
-[install-pip]: https://pip.pypa.io/en/stable/installation/
-[install-venv]: https://packaging.python.org/en/latest/tutorials/installing-packages/#creating-virtual-environments
-[install-postgres]: https://www.postgresql.org/download/
+{{< regionInclude "quickstart/shared/cloud_setup.md" "cloud_setup" >}}
 
 ## Step 1: Set up your database
-
-In this section, we will create a database, insert some data that needs to be
-accessed by our agent, and create a database user for Toolbox to connect with.
-
-1. Connect to postgres using the `psql` command:
-
-    ```bash
-    psql -h 127.0.0.1 -U postgres
-    ```
-
-    Here, `postgres` denotes the default postgres superuser.
-
-    {{< notice info >}}
-
-#### **Having trouble connecting?**
-
-* **Password Prompt:** If you are prompted for a password for the `postgres`
-  user and do not know it (or a blank password doesn't work), your PostgreSQL
-  installation might require a password or a different authentication method.
-* **`FATAL: role "postgres" does not exist`:** This error means the default
-  `postgres` superuser role isn't available under that name on your system.
-* **`Connection refused`:** Ensure your PostgreSQL server is actually running.
-  You can typically check with `sudo systemctl status postgresql` and start it
-  with `sudo systemctl start postgresql` on Linux systems.
-
-<br/>
-
-#### **Common Solution**
-
-For password issues or if the `postgres` role seems inaccessible directly, try
-switching to the `postgres` operating system user first. This user often has
-permission to connect without a password for local connections (this is called
-peer authentication).
-
-```bash
-sudo -i -u postgres
-psql -h 127.0.0.1
-```
-
-Once you are in the `psql` shell using this method, you can proceed with the
-database creation steps below. Afterwards, type `\q` to exit `psql`, and then
-`exit` to return to your normal user shell.
-
-If desired, once connected to `psql` as the `postgres` OS user, you can set a
-password for the `postgres` *database* user using: `ALTER USER postgres WITH
-PASSWORD 'your_chosen_password';`. This would allow direct connection with `-U
-postgres` and a password next time.
-    {{< /notice >}}
-
-1. Create a new database and a new user:
-
-    {{< notice tip >}}
-  For a real application, it's best to follow the principle of least permission
-  and only grant the privileges your application needs.
-    {{< /notice >}}
-
-    ```sql
-      CREATE USER toolbox_user WITH PASSWORD 'my-password';
-
-      CREATE DATABASE toolbox_db;
-      GRANT ALL PRIVILEGES ON DATABASE toolbox_db TO toolbox_user;
-
-      ALTER DATABASE toolbox_db OWNER TO toolbox_user;
-    ```
-
-1. End the database session:
-
-    ```bash
-    \q
-    ```
-
-    (If you used `sudo -i -u postgres` and then `psql`, remember you might also
-    need to type `exit` after `\q` to leave the `postgres` user's shell
-    session.)
-
-1. Connect to your database with your new user:
-
-    ```bash
-    psql -h 127.0.0.1 -U toolbox_user -d toolbox_db
-    ```
-
-1. Create a table using the following command:
-
-    ```sql
-    CREATE TABLE hotels(
-      id            INTEGER NOT NULL PRIMARY KEY,
-      name          VARCHAR NOT NULL,
-      location      VARCHAR NOT NULL,
-      price_tier    VARCHAR NOT NULL,
-      checkin_date  DATE    NOT NULL,
-      checkout_date DATE    NOT NULL,
-      booked        BIT     NOT NULL
-    );
-    ```
-
-1. Insert data into the table.
-
-    ```sql
-    INSERT INTO hotels(id, name, location, price_tier, checkin_date, checkout_date, booked)
-    VALUES
-      (1, 'Hilton Basel', 'Basel', 'Luxury', '2024-04-22', '2024-04-20', B'0'),
-      (2, 'Marriott Zurich', 'Zurich', 'Upscale', '2024-04-14', '2024-04-21', B'0'),
-      (3, 'Hyatt Regency Basel', 'Basel', 'Upper Upscale', '2024-04-02', '2024-04-20', B'0'),
-      (4, 'Radisson Blu Lucerne', 'Lucerne', 'Midscale', '2024-04-24', '2024-04-05', B'0'),
-      (5, 'Best Western Bern', 'Bern', 'Upper Midscale', '2024-04-23', '2024-04-01', B'0'),
-      (6, 'InterContinental Geneva', 'Geneva', 'Luxury', '2024-04-23', '2024-04-28', B'0'),
-      (7, 'Sheraton Zurich', 'Zurich', 'Upper Upscale', '2024-04-27', '2024-04-02', B'0'),
-      (8, 'Holiday Inn Basel', 'Basel', 'Upper Midscale', '2024-04-24', '2024-04-09', B'0'),
-      (9, 'Courtyard Zurich', 'Zurich', 'Upscale', '2024-04-03', '2024-04-13', B'0'),
-      (10, 'Comfort Inn Bern', 'Bern', 'Midscale', '2024-04-04', '2024-04-16', B'0');
-    ```
-
-1. End the database session:
-
-    ```bash
-    \q
-    ```
+{{< regionInclude "quickstart/shared/database_setup.md" "database_setup" >}}
 
 ## Step 2: Install and configure Toolbox
-
-In this section, we will download Toolbox, configure our tools in a
-`tools.yaml`, and then run the Toolbox server.
-
-1. Download the latest version of Toolbox as a binary:
-
-    {{< notice tip >}}
-  Select the
-  [correct binary](https://github.com/googleapis/genai-toolbox/releases)
-  corresponding to your OS and CPU architecture.
-    {{< /notice >}}
-    <!-- {x-release-please-start-version} -->
-    ```bash
-    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/$OS/toolbox
-    ```
-    <!-- {x-release-please-end} -->
-
-1. Make the binary executable:
-
-    ```bash
-    chmod +x toolbox
-    ```
-
-1. Write the following into a `tools.yaml` file. Be sure to update any fields
-   such as `user`, `password`, or `database` that you may have customized in the
-   previous step.
-
-    {{< notice tip >}}
-  In practice, use environment variable replacement with the format ${ENV_NAME}
-  instead of hardcoding your secrets into the configuration file.
-    {{< /notice >}}
-
-    ```yaml
-    sources:
-      my-pg-source:
-        kind: postgres
-        host: 127.0.0.1
-        port: 5432
-        database: toolbox_db
-        user: ${USER_NAME}
-        password: ${PASSWORD}
-    tools:
-      search-hotels-by-name:
-        kind: postgres-sql
-        source: my-pg-source
-        description: Search for hotels based on name.
-        parameters:
-          - name: name
-            type: string
-            description: The name of the hotel.
-        statement: SELECT * FROM hotels WHERE name ILIKE '%' || $1 || '%';
-      search-hotels-by-location:
-        kind: postgres-sql
-        source: my-pg-source
-        description: Search for hotels based on location.
-        parameters:
-          - name: location
-            type: string
-            description: The location of the hotel.
-        statement: SELECT * FROM hotels WHERE location ILIKE '%' || $1 || '%';
-      book-hotel:
-        kind: postgres-sql
-        source: my-pg-source
-        description: >-
-           Book a hotel by its ID. If the hotel is successfully booked, returns a NULL, raises an error if not.
-        parameters:
-          - name: hotel_id
-            type: string
-            description: The ID of the hotel to book.
-        statement: UPDATE hotels SET booked = B'1' WHERE id = $1;
-      update-hotel:
-        kind: postgres-sql
-        source: my-pg-source
-        description: >-
-          Update a hotel's check-in and check-out dates by its ID. Returns a message
-          indicating  whether the hotel was successfully updated or not.
-        parameters:
-          - name: hotel_id
-            type: string
-            description: The ID of the hotel to update.
-          - name: checkin_date
-            type: string
-            description: The new check-in date of the hotel.
-          - name: checkout_date
-            type: string
-            description: The new check-out date of the hotel.
-        statement: >-
-          UPDATE hotels SET checkin_date = CAST($2 as date), checkout_date = CAST($3
-          as date) WHERE id = $1;
-      cancel-hotel:
-        kind: postgres-sql
-        source: my-pg-source
-        description: Cancel a hotel by its ID.
-        parameters:
-          - name: hotel_id
-            type: string
-            description: The ID of the hotel to cancel.
-        statement: UPDATE hotels SET booked = B'0' WHERE id = $1;
-   toolsets:
-      my-toolset:
-        - search-hotels-by-name
-        - search-hotels-by-location
-        - book-hotel
-        - update-hotel
-        - cancel-hotel
-    ```
-
-    For more info on tools, check out the `Resources` section of the docs.
-
-1. Run the Toolbox server, pointing to the `tools.yaml` file created earlier:
-
-    ```bash
-    ./toolbox --tools-file "tools.yaml"
-    ```
-
-    {{< notice note >}}
-    Toolbox enables dynamic reloading by default. To disable, use the
-    `--disable-reload` flag.
-    {{< /notice >}}
+{{< regionInclude "quickstart/shared/configure_toolbox.md" "configure_toolbox" >}}
 
 ## Step 3: Connect your agent to Toolbox
 

docs/en/getting-started/local_quickstart_go.md

@@ -13,266 +13,17 @@ This guide assumes you have already done the following:
 1. Installed [Go (v1.24.2 or higher)].
 1. Installed [PostgreSQL 16+ and the `psql` client][install-postgres].
 
-### Cloud Setup (Optional)
-
-If you plan to use **Google Cloud’s Vertex AI** with your agent (e.g., using
-Gemini or PaLM models), follow these one-time setup steps:
-
-1. [Install the Google Cloud CLI]
-1. [Set up Application Default Credentials (ADC)]
-1. Set your project and enable Vertex AI
-
-    ```bash
-    gcloud config set project YOUR_PROJECT_ID
-    gcloud services enable aiplatform.googleapis.com
-    ```
-
 [Go (v1.24.2 or higher)]: https://go.dev/doc/install
 [install-postgres]: https://www.postgresql.org/download/
-[Install the Google Cloud CLI]: https://cloud.google.com/sdk/docs/install
-[Set up Application Default Credentials (ADC)]:
-    https://cloud.google.com/docs/authentication/set-up-adc-local-dev-environment
+
+### Cloud Setup (Optional)
+{{< regionInclude "quickstart/shared/cloud_setup.md" "cloud_setup" >}}
 
 ## Step 1: Set up your database
-
-In this section, we will create a database, insert some data that needs to be
-accessed by our agent, and create a database user for Toolbox to connect with.
-
-1. Connect to postgres using the `psql` command:
-
-    ```bash
-    psql -h 127.0.0.1 -U postgres
-    ```
-
-    Here, `postgres` denotes the default postgres superuser.
-
-    {{< notice info >}}
-
-#### **Having trouble connecting?**
-
-* **Password Prompt:** If you are prompted for a password for the `postgres`
-  user and do not know it (or a blank password doesn't work), your PostgreSQL
-  installation might require a password or a different authentication method.
-* **`FATAL: role "postgres" does not exist`:** This error means the default
-  `postgres` superuser role isn't available under that name on your system.
-* **`Connection refused`:** Ensure your PostgreSQL server is actually running.
-  You can typically check with `sudo systemctl status postgresql` and start it
-  with `sudo systemctl start postgresql` on Linux systems.
-
-<br/>
-
-#### **Common Solution**
-
-For password issues or if the `postgres` role seems inaccessible directly, try
-switching to the `postgres` operating system user first. This user often has
-permission to connect without a password for local connections (this is called
-peer authentication).
-
-```bash
-sudo -i -u postgres
-psql -h 127.0.0.1
-```
-
-Once you are in the `psql` shell using this method, you can proceed with the
-database creation steps below. Afterwards, type `\q` to exit `psql`, and then
-`exit` to return to your normal user shell.
-
-If desired, once connected to `psql` as the `postgres` OS user, you can set a
-password for the `postgres` *database* user using: `ALTER USER postgres WITH
-PASSWORD 'your_chosen_password';`. This would allow direct connection with `-U
-postgres` and a password next time.
-    {{< /notice >}}
-
-1. Create a new database and a new user:
-
-    {{< notice tip >}}
-  For a real application, it's best to follow the principle of least permission
-  and only grant the privileges your application needs.
-    {{< /notice >}}
-
-    ```sql
-      CREATE USER toolbox_user WITH PASSWORD 'my-password';
-
-      CREATE DATABASE toolbox_db;
-      GRANT ALL PRIVILEGES ON DATABASE toolbox_db TO toolbox_user;
-
-      ALTER DATABASE toolbox_db OWNER TO toolbox_user;
-    ```
-
-1. End the database session:
-
-    ```bash
-    \q
-    ```
-
-    (If you used `sudo -i -u postgres` and then `psql`, remember you might also
-    need to type `exit` after `\q` to leave the `postgres` user's shell
-    session.)
-
-1. Connect to your database with your new user:
-
-    ```bash
-    psql -h 127.0.0.1 -U toolbox_user -d toolbox_db
-    ```
-
-1. Create a table using the following command:
-
-    ```sql
-    CREATE TABLE hotels(
-      id            INTEGER NOT NULL PRIMARY KEY,
-      name          VARCHAR NOT NULL,
-      location      VARCHAR NOT NULL,
-      price_tier    VARCHAR NOT NULL,
-      checkin_date  DATE    NOT NULL,
-      checkout_date DATE    NOT NULL,
-      booked        BIT     NOT NULL
-    );
-    ```
-
-1. Insert data into the table.
-
-    ```sql
-    INSERT INTO hotels(id, name, location, price_tier, checkin_date, checkout_date, booked)
-    VALUES
-      (1, 'Hilton Basel', 'Basel', 'Luxury', '2024-04-22', '2024-04-20', B'0'),
-      (2, 'Marriott Zurich', 'Zurich', 'Upscale', '2024-04-14', '2024-04-21', B'0'),
-      (3, 'Hyatt Regency Basel', 'Basel', 'Upper Upscale', '2024-04-02', '2024-04-20', B'0'),
-      (4, 'Radisson Blu Lucerne', 'Lucerne', 'Midscale', '2024-04-24', '2024-04-05', B'0'),
-      (5, 'Best Western Bern', 'Bern', 'Upper Midscale', '2024-04-23', '2024-04-01', B'0'),
-      (6, 'InterContinental Geneva', 'Geneva', 'Luxury', '2024-04-23', '2024-04-28', B'0'),
-      (7, 'Sheraton Zurich', 'Zurich', 'Upper Upscale', '2024-04-27', '2024-04-02', B'0'),
-      (8, 'Holiday Inn Basel', 'Basel', 'Upper Midscale', '2024-04-24', '2024-04-09', B'0'),
-      (9, 'Courtyard Zurich', 'Zurich', 'Upscale', '2024-04-03', '2024-04-13', B'0'),
-      (10, 'Comfort Inn Bern', 'Bern', 'Midscale', '2024-04-04', '2024-04-16', B'0');
-    ```
-
-1. End the database session:
-
-    ```bash
-    \q
-    ```
+{{< regionInclude "quickstart/shared/database_setup.md" "database_setup" >}}
 
 ## Step 2: Install and configure Toolbox
-
-In this section, we will download Toolbox, configure our tools in a
-`tools.yaml`, and then run the Toolbox server.
-
-1. Download the latest version of Toolbox as a binary:
-
-    {{< notice tip >}}
-  Select the
-  [correct binary](https://github.com/googleapis/genai-toolbox/releases)
-  corresponding to your OS and CPU architecture.
-    {{< /notice >}}
-    <!-- {x-release-please-start-version} -->
-    ```bash
-    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/$OS/toolbox
-    ```
-    <!-- {x-release-please-end} -->
-
-1. Make the binary executable:
-
-    ```bash
-    chmod +x toolbox
-    ```
-
-1. Write the following into a `tools.yaml` file. Be sure to update any fields
-   such as `user`, `password`, or `database` that you may have customized in the
-   previous step.
-
-    {{< notice tip >}}
-  In practice, use environment variable replacement with the format ${ENV_NAME}
-  instead of hardcoding your secrets into the configuration file.
-    {{< /notice >}}
-
-    ```yaml
-    sources:
-      my-pg-source:
-        kind: postgres
-        host: 127.0.0.1
-        port: 5432
-        database: toolbox_db
-        user: ${USER_NAME}
-        password: ${PASSWORD}
-    tools:
-      search-hotels-by-name:
-        kind: postgres-sql
-        source: my-pg-source
-        description: Search for hotels based on name.
-        parameters:
-          - name: name
-            type: string
-            description: The name of the hotel.
-        statement: SELECT * FROM hotels WHERE name ILIKE '%' || $1 || '%';
-      search-hotels-by-location:
-        kind: postgres-sql
-        source: my-pg-source
-        description: Search for hotels based on location.
-        parameters:
-          - name: location
-            type: string
-            description: The location of the hotel.
-        statement: SELECT * FROM hotels WHERE location ILIKE '%' || $1 || '%';
-      book-hotel:
-        kind: postgres-sql
-        source: my-pg-source
-        description: >-
-           Book a hotel by its ID. If the hotel is successfully booked, returns a NULL, raises an error if not.
-        parameters:
-          - name: hotel_id
-            type: string
-            description: The ID of the hotel to book.
-        statement: UPDATE hotels SET booked = B'1' WHERE id = $1;
-      update-hotel:
-        kind: postgres-sql
-        source: my-pg-source
-        description: >-
-          Update a hotel's check-in and check-out dates by its ID. Returns a message
-          indicating  whether the hotel was successfully updated or not.
-        parameters:
-          - name: hotel_id
-            type: string
-            description: The ID of the hotel to update.
-          - name: checkin_date
-            type: string
-            description: The new check-in date of the hotel.
-          - name: checkout_date
-            type: string
-            description: The new check-out date of the hotel.
-        statement: >-
-          UPDATE hotels SET checkin_date = CAST($2 as date), checkout_date = CAST($3
-          as date) WHERE id = $1;
-      cancel-hotel:
-        kind: postgres-sql
-        source: my-pg-source
-        description: Cancel a hotel by its ID.
-        parameters:
-          - name: hotel_id
-            type: string
-            description: The ID of the hotel to cancel.
-        statement: UPDATE hotels SET booked = B'0' WHERE id = $1;
-   toolsets:
-      my-toolset:
-        - search-hotels-by-name
-        - search-hotels-by-location
-        - book-hotel
-        - update-hotel
-        - cancel-hotel
-    ```
-
-    For more info on tools, check out the `Resources` section of the docs.
-
-1. Run the Toolbox server, pointing to the `tools.yaml` file created earlier:
-
-    ```bash
-    ./toolbox --tools-file "tools.yaml"
-    ```
-
-  {{< notice note >}}
-    Toolbox enables dynamic reloading by default. To disable, use the
-    `--disable-reload` flag.
-  {{< /notice >}}
+{{< regionInclude "quickstart/shared/configure_toolbox.md" "configure_toolbox" >}}
 
 ## Step 3: Connect your agent to Toolbox
 
@@ -771,6 +522,7 @@ import (
 	"context"
 	"encoding/json"
 	"log"
+	"fmt
 
 	"github.com/googleapis/mcp-toolbox-sdk-go/core"
 	openai "github.com/openai/openai-go"
@@ -900,7 +652,7 @@ func main() {
 
 		params.Messages = append(params.Messages, openai.AssistantMessage(query))
 
-		println("\n", completion.Choices[0].Message.Content)
+		fmt.println("\n", completion.Choices[0].Message.Content)
 
 	}
 

docs/en/getting-started/local_quickstart_js.md

@@ -3,7 +3,7 @@ title: "JS Quickstart (Local)"
 type: docs
 weight: 3
 description: >
-  How to get started running Toolbox locally with [JavaScript](https://github.com/googleapis/mcp-toolbox-sdk-js), PostgreSQL, and orchestration frameworks such as [LangChain](https://js.langchain.com/docs/introduction/), [GenkitJS](https://genkit.dev/docs/get-started/), and [LlamaIndex](https://ts.llamaindex.ai/).
+  How to get started running Toolbox locally with [JavaScript](https://github.com/googleapis/mcp-toolbox-sdk-js), PostgreSQL, and orchestration frameworks such as [LangChain](https://js.langchain.com/docs/introduction/), [GenkitJS](https://genkit.dev/docs/get-started/),  [LlamaIndex](https://ts.llamaindex.ai/) and [GoogleGenAI](https://github.com/googleapis/js-genai).
 ---
 
 ## Before you begin
@@ -13,265 +13,17 @@ This guide assumes you have already done the following:
 1. Installed [Node.js (v18 or higher)].
 1. Installed [PostgreSQL 16+ and the `psql` client][install-postgres].
 
-### Cloud Setup (Optional)
-
-If you plan to use **Google Cloud’s Vertex AI** with your agent (e.g., using
-Gemini or PaLM models), follow these one-time setup steps:
-
-1. [Install the Google Cloud CLI]
-1. [Set up Application Default Credentials (ADC)]
-1. Set your project and enable Vertex AI
-
-    ```bash
-    gcloud config set project YOUR_PROJECT_ID
-    gcloud services enable aiplatform.googleapis.com
-    ```
-
 [Node.js (v18 or higher)]: https://nodejs.org/
 [install-postgres]: https://www.postgresql.org/download/
-[Install the Google Cloud CLI]: https://cloud.google.com/sdk/docs/install
-[Set up Application Default Credentials (ADC)]:
-    https://cloud.google.com/docs/authentication/set-up-adc-local-dev-environment
+
+### Cloud Setup (Optional)
+{{< regionInclude "quickstart/shared/cloud_setup.md" "cloud_setup" >}}
 
 ## Step 1: Set up your database
-
-In this section, we will create a database, insert some data that needs to be
-accessed by our agent, and create a database user for Toolbox to connect with.
-
-1. Connect to postgres using the `psql` command:
-
-    ```bash
-    psql -h 127.0.0.1 -U postgres
-    ```
-
-    Here, `postgres` denotes the default postgres superuser.
-
-    {{< notice info >}}
-
-#### **Having trouble connecting?**
-
-* **Password Prompt:** If you are prompted for a password for the `postgres`
-  user and do not know it (or a blank password doesn't work), your PostgreSQL
-  installation might require a password or a different authentication method.
-* **`FATAL: role "postgres" does not exist`:** This error means the default
-  `postgres` superuser role isn't available under that name on your system.
-* **`Connection refused`:** Ensure your PostgreSQL server is actually running.
-  You can typically check with `sudo systemctl status postgresql` and start it
-  with `sudo systemctl start postgresql` on Linux systems.
-
-<br/>
-
-#### **Common Solution**
-
-For password issues or if the `postgres` role seems inaccessible directly, try
-switching to the `postgres` operating system user first. This user often has
-permission to connect without a password for local connections (this is called
-peer authentication).
-
-```bash
-sudo -i -u postgres
-psql -h 127.0.0.1
-```
-
-Once you are in the `psql` shell using this method, you can proceed with the
-database creation steps below. Afterwards, type `\q` to exit `psql`, and then
-`exit` to return to your normal user shell.
-
-If desired, once connected to `psql` as the `postgres` OS user, you can set a
-password for the `postgres` *database* user using: `ALTER USER postgres WITH
-PASSWORD 'your_chosen_password';`. This would allow direct connection with `-U
-postgres` and a password next time.
-    {{< /notice >}}
-
-1. Create a new database and a new user:
-
-    {{< notice tip >}}
-  For a real application, it's best to follow the principle of least permission
-  and only grant the privileges your application needs.
-    {{< /notice >}}
-
-    ```sql
-      CREATE USER toolbox_user WITH PASSWORD 'my-password';
-
-      CREATE DATABASE toolbox_db;
-      GRANT ALL PRIVILEGES ON DATABASE toolbox_db TO toolbox_user;
-
-      ALTER DATABASE toolbox_db OWNER TO toolbox_user;
-    ```
-
-1. End the database session:
-
-    ```bash
-    \q
-    ```
-
-    (If you used `sudo -i -u postgres` and then `psql`, remember you might also
-    need to type `exit` after `\q` to leave the `postgres` user's shell
-    session.)
-
-1. Connect to your database with your new user:
-
-    ```bash
-    psql -h 127.0.0.1 -U toolbox_user -d toolbox_db
-    ```
-
-1. Create a table using the following command:
-
-    ```sql
-    CREATE TABLE hotels(
-      id            INTEGER NOT NULL PRIMARY KEY,
-      name          VARCHAR NOT NULL,
-      location      VARCHAR NOT NULL,
-      price_tier    VARCHAR NOT NULL,
-      checkin_date  DATE    NOT NULL,
-      checkout_date DATE    NOT NULL,
-      booked        BIT     NOT NULL
-    );
-    ```
-
-1. Insert data into the table.
-
-    ```sql
-    INSERT INTO hotels(id, name, location, price_tier, checkin_date, checkout_date, booked)
-    VALUES
-      (1, 'Hilton Basel', 'Basel', 'Luxury', '2024-04-22', '2024-04-20', B'0'),
-      (2, 'Marriott Zurich', 'Zurich', 'Upscale', '2024-04-14', '2024-04-21', B'0'),
-      (3, 'Hyatt Regency Basel', 'Basel', 'Upper Upscale', '2024-04-02', '2024-04-20', B'0'),
-      (4, 'Radisson Blu Lucerne', 'Lucerne', 'Midscale', '2024-04-24', '2024-04-05', B'0'),
-      (5, 'Best Western Bern', 'Bern', 'Upper Midscale', '2024-04-23', '2024-04-01', B'0'),
-      (6, 'InterContinental Geneva', 'Geneva', 'Luxury', '2024-04-23', '2024-04-28', B'0'),
-      (7, 'Sheraton Zurich', 'Zurich', 'Upper Upscale', '2024-04-27', '2024-04-02', B'0'),
-      (8, 'Holiday Inn Basel', 'Basel', 'Upper Midscale', '2024-04-24', '2024-04-09', B'0'),
-      (9, 'Courtyard Zurich', 'Zurich', 'Upscale', '2024-04-03', '2024-04-13', B'0'),
-      (10, 'Comfort Inn Bern', 'Bern', 'Midscale', '2024-04-04', '2024-04-16', B'0');
-    ```
-
-1. End the database session:
-
-    ```bash
-    \q
-    ```
+{{< regionInclude "quickstart/shared/database_setup.md" "database_setup" >}}
 
 ## Step 2: Install and configure Toolbox
-
-In this section, we will download Toolbox, configure our tools in a
-`tools.yaml`, and then run the Toolbox server.
-
-1. Download the latest version of Toolbox as a binary:
-
-    {{< notice tip >}}
-  Select the
-  [correct binary](https://github.com/googleapis/genai-toolbox/releases)
-  corresponding to your OS and CPU architecture.
-    {{< /notice >}}
-    <!-- {x-release-please-start-version} -->
-    ```bash
-    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/$OS/toolbox
-    ```
-    <!-- {x-release-please-end} -->
-
-1. Make the binary executable:
-
-    ```bash
-    chmod +x toolbox
-    ```
-
-1. Write the following into a `tools.yaml` file. Be sure to update any fields
-   such as `user`, `password`, or `database` that you may have customized in the
-   previous step.
-
-    {{< notice tip >}}
-  In practice, use environment variable replacement with the format ${ENV_NAME}
-  instead of hardcoding your secrets into the configuration file.
-    {{< /notice >}}
-
-    ```yaml
-    sources:
-      my-pg-source:
-        kind: postgres
-        host: 127.0.0.1
-        port: 5432
-        database: toolbox_db
-        user: ${USER_NAME}
-        password: ${PASSWORD}
-    tools:
-      search-hotels-by-name:
-        kind: postgres-sql
-        source: my-pg-source
-        description: Search for hotels based on name.
-        parameters:
-          - name: name
-            type: string
-            description: The name of the hotel.
-        statement: SELECT * FROM hotels WHERE name ILIKE '%' || $1 || '%';
-      search-hotels-by-location:
-        kind: postgres-sql
-        source: my-pg-source
-        description: Search for hotels based on location.
-        parameters:
-          - name: location
-            type: string
-            description: The location of the hotel.
-        statement: SELECT * FROM hotels WHERE location ILIKE '%' || $1 || '%';
-      book-hotel:
-        kind: postgres-sql
-        source: my-pg-source
-        description: >-
-           Book a hotel by its ID. If the hotel is successfully booked, returns a NULL, raises an error if not.
-        parameters:
-          - name: hotel_id
-            type: string
-            description: The ID of the hotel to book.
-        statement: UPDATE hotels SET booked = B'1' WHERE id = $1;
-      update-hotel:
-        kind: postgres-sql
-        source: my-pg-source
-        description: >-
-          Update a hotel's check-in and check-out dates by its ID. Returns a message
-          indicating  whether the hotel was successfully updated or not.
-        parameters:
-          - name: hotel_id
-            type: string
-            description: The ID of the hotel to update.
-          - name: checkin_date
-            type: string
-            description: The new check-in date of the hotel.
-          - name: checkout_date
-            type: string
-            description: The new check-out date of the hotel.
-        statement: >-
-          UPDATE hotels SET checkin_date = CAST($2 as date), checkout_date = CAST($3
-          as date) WHERE id = $1;
-      cancel-hotel:
-        kind: postgres-sql
-        source: my-pg-source
-        description: Cancel a hotel by its ID.
-        parameters:
-          - name: hotel_id
-            type: string
-            description: The ID of the hotel to cancel.
-        statement: UPDATE hotels SET booked = B'0' WHERE id = $1;
-   toolsets:
-      my-toolset:
-        - search-hotels-by-name
-        - search-hotels-by-location
-        - book-hotel
-        - update-hotel
-        - cancel-hotel
-    ```
-
-    For more info on tools, check out the `Resources` section of the docs.
-
-1. Run the Toolbox server, pointing to the `tools.yaml` file created earlier:
-
-    ```bash
-    ./toolbox --tools-file "tools.yaml"
-    ```
-
-  {{< notice note >}}
-    Toolbox enables dynamic reloading by default. To disable, use the `--disable-reload` flag.
-  {{< /notice >}}
+{{< regionInclude "quickstart/shared/configure_toolbox.md" "configure_toolbox" >}}
 
 ## Step 3: Connect your agent to Toolbox
 
@@ -302,6 +54,9 @@ npm install genkit @genkit-ai/googleai
 {{< tab header="LlamaIndex" lang="bash" >}}
 npm install llamaindex @llamaindex/google @llamaindex/workflow
 {{< /tab >}}
+{{< tab header="GoogleGenAI" lang="bash" >}}
+npm install @google/genai 
+{{< /tab >}}
 {{< /tabpane >}}
 
 1. Create a new file named `hotelAgent.js` and copy the following code to create an agent:
@@ -565,6 +320,130 @@ main();
 
 {{< /tab >}}
 
+{{< tab header="GoogleGenAI" lang="js" >}}
+import { GoogleGenAI } from "@google/genai";
+import { ToolboxClient } from "@toolbox-sdk/core";
+
+
+const TOOLBOX_URL = "http://127.0.0.1:5000"; // Update if needed
+const GOOGLE_API_KEY = 'enter your api here'; // Replace it with your API key
+
+const prompt = `
+You're a helpful hotel assistant. You handle hotel searching, booking, and
+cancellations. When the user searches for a hotel, you MUST use the available tools to find information. Mention its name, id,
+location and price tier. Always mention hotel id while performing any
+searches. This is very important for any operations. For any bookings or
+cancellations, please provide the appropriate confirmation. Be sure to
+update checkin or checkout dates if mentioned by the user.
+Don't ask for confirmations from the user.
+`;
+
+const queries = [
+  "Find hotels in Basel with Basel in its name.",
+  "Can you book the Hilton Basel for me?",
+  "Oh wait, this is too expensive. Please cancel it and book the Hyatt Regency instead.",
+  "My check in dates would be from April 10, 2024 to April 19, 2024.",
+];
+
+function mapZodTypeToOpenAPIType(zodTypeName) {
+
+    console.log(zodTypeName)
+    const typeMap = {
+        'ZodString': 'string',
+        'ZodNumber': 'number',
+        'ZodBoolean': 'boolean',
+        'ZodArray': 'array',
+        'ZodObject': 'object',
+    };
+    return typeMap[zodTypeName] || 'string';
+}
+
+async function runApplication() {
+   
+    const toolboxClient = new ToolboxClient(TOOLBOX_URL); 
+    const toolboxTools = await toolboxClient.loadToolset("my-toolset");
+    
+    const geminiTools = [{
+        functionDeclarations: toolboxTools.map(tool => {
+            
+            const schema = tool.getParamSchema();
+            const properties = {};
+            const required = [];
+
+         
+            for (const [key, param] of Object.entries(schema.shape)) {
+                properties[key] = {
+                        type: mapZodTypeToOpenAPIType(param.constructor.name),
+                        description: param.description || '',
+                    };
+                required.push(key)
+                }
+            
+            return {
+                name: tool.getName(),
+                description: tool.getDescription(),
+                parameters: { type: 'object', properties, required },
+            };
+        })
+    }];
+
+
+    const genAI = new GoogleGenAI({ apiKey: GOOGLE_API_KEY });
+    
+    const chat = genAI.chats.create({
+        model: "gemini-2.5-flash",
+        config: {
+            systemInstruction: prompt,
+            tools: geminiTools,
+        }
+    });
+
+    for (const query of queries) {
+        
+        let currentResult = await chat.sendMessage({ message: query });
+        
+        let finalResponseGiven = false
+        while (!finalResponseGiven) {
+            
+            const response = currentResult;
+            const functionCalls = response.functionCalls || [];
+
+            if (functionCalls.length === 0) {
+                console.log(response.text)
+                finalResponseGiven = true;
+            } else {
+                const toolResponses = [];
+                for (const call of functionCalls) {
+                    const toolName = call.name
+                    const toolToExecute = toolboxTools.find(t => t.getName() === toolName);
+                    
+                    if (toolToExecute) {
+                        try {
+                            const functionResult = await toolToExecute(call.args);
+                            toolResponses.push({
+                                functionResponse: { name: call.name, response: { result: functionResult } }
+                            });
+                        } catch (e) {
+                            console.error(`Error executing tool '${toolName}':`, e);
+                            toolResponses.push({
+                                functionResponse: { name: call.name, response: { error: e.message } }
+                            });
+                        }
+                    }
+                }
+                
+                currentResult = await chat.sendMessage({ message: toolResponses });
+            }
+        }
+        
+    }
+}
+
+runApplication()
+  .catch(console.error)
+  .finally(() => console.log("\nApplication finished."));
+{{< /tab >}}
+
 {{< /tabpane >}}
 
 1. Run your agent, and observe the results:

docs/en/getting-started/mcp_quickstart/_index.md

@@ -105,7 +105,7 @@ In this section, we will download Toolbox, configure our tools in a
     <!-- {x-release-please-start-version} -->
     ```bash
     export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/$OS/toolbox
     ```
     <!-- {x-release-please-end} -->
 

docs/en/getting-started/quickstart/shared/cloud_setup.md

@@ -0,0 +1,20 @@
+<!-- This file has been used in local_quickstart.md, local_quickstart_go.md & local_quickstart_js.md -->
+<!-- [START cloud_setup] -->
+If you plan to use **Google Cloud’s Vertex AI** with your agent (e.g., using
+`vertexai=True` or a Google GenAI model), follow these one-time setup steps for
+local development:
+
+1. [Install the Google Cloud CLI](https://cloud.google.com/sdk/docs/install)
+1. [Set up Application Default Credentials (ADC)](https://cloud.google.com/docs/authentication/set-up-adc-local-dev-environment)
+1. Set your project and enable Vertex AI
+
+    ```bash
+    gcloud config set project YOUR_PROJECT_ID
+    gcloud services enable aiplatform.googleapis.com
+    ```
+
+[install-python]: https://wiki.python.org/moin/BeginnersGuide/Download
+[install-pip]: https://pip.pypa.io/en/stable/installation/
+[install-venv]: https://packaging.python.org/en/latest/tutorials/installing-packages/#creating-virtual-environments
+[install-postgres]: https://www.postgresql.org/download/
+<!-- [END cloud_setup] -->

docs/en/getting-started/quickstart/shared/configure_toolbox.md

@@ -0,0 +1,122 @@
+<!-- This file has been used in local_quickstart.md, local_quickstart_go.md & local_quickstart_js.md -->
+<!-- [START configure_toolbox] -->
+In this section, we will download Toolbox, configure our tools in a
+`tools.yaml`, and then run the Toolbox server.
+
+1. Download the latest version of Toolbox as a binary:
+
+    {{< notice tip >}}
+  Select the
+  [correct binary](https://github.com/googleapis/genai-toolbox/releases)
+  corresponding to your OS and CPU architecture.
+    {{< /notice >}}
+    <!-- {x-release-please-start-version} -->
+    ```bash
+    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/$OS/toolbox
+    ```
+    <!-- {x-release-please-end} -->
+
+1. Make the binary executable:
+
+    ```bash
+    chmod +x toolbox
+    ```
+
+1. Write the following into a `tools.yaml` file. Be sure to update any fields
+   such as `user`, `password`, or `database` that you may have customized in the
+   previous step.
+
+    {{< notice tip >}}
+  In practice, use environment variable replacement with the format ${ENV_NAME}
+  instead of hardcoding your secrets into the configuration file.
+    {{< /notice >}}
+
+    ```yaml
+    sources:
+      my-pg-source:
+        kind: postgres
+        host: 127.0.0.1
+        port: 5432
+        database: toolbox_db
+        user: ${USER_NAME}
+        password: ${PASSWORD}
+    tools:
+      search-hotels-by-name:
+        kind: postgres-sql
+        source: my-pg-source
+        description: Search for hotels based on name.
+        parameters:
+          - name: name
+            type: string
+            description: The name of the hotel.
+        statement: SELECT * FROM hotels WHERE name ILIKE '%' || $1 || '%';
+      search-hotels-by-location:
+        kind: postgres-sql
+        source: my-pg-source
+        description: Search for hotels based on location.
+        parameters:
+          - name: location
+            type: string
+            description: The location of the hotel.
+        statement: SELECT * FROM hotels WHERE location ILIKE '%' || $1 || '%';
+      book-hotel:
+        kind: postgres-sql
+        source: my-pg-source
+        description: >-
+           Book a hotel by its ID. If the hotel is successfully booked, returns a NULL, raises an error if not.
+        parameters:
+          - name: hotel_id
+            type: string
+            description: The ID of the hotel to book.
+        statement: UPDATE hotels SET booked = B'1' WHERE id = $1;
+      update-hotel:
+        kind: postgres-sql
+        source: my-pg-source
+        description: >-
+          Update a hotel's check-in and check-out dates by its ID. Returns a message
+          indicating  whether the hotel was successfully updated or not.
+        parameters:
+          - name: hotel_id
+            type: string
+            description: The ID of the hotel to update.
+          - name: checkin_date
+            type: string
+            description: The new check-in date of the hotel.
+          - name: checkout_date
+            type: string
+            description: The new check-out date of the hotel.
+        statement: >-
+          UPDATE hotels SET checkin_date = CAST($2 as date), checkout_date = CAST($3
+          as date) WHERE id = $1;
+      cancel-hotel:
+        kind: postgres-sql
+        source: my-pg-source
+        description: Cancel a hotel by its ID.
+        parameters:
+          - name: hotel_id
+            type: string
+            description: The ID of the hotel to cancel.
+        statement: UPDATE hotels SET booked = B'0' WHERE id = $1;
+   toolsets:
+      my-toolset:
+        - search-hotels-by-name
+        - search-hotels-by-location
+        - book-hotel
+        - update-hotel
+        - cancel-hotel
+    ```
+
+    For more info on tools, check out the `Resources` section of the docs.
+
+1. Run the Toolbox server, pointing to the `tools.yaml` file created earlier:
+
+    ```bash
+    ./toolbox --tools-file "tools.yaml"
+    ```
+
+    {{< notice note >}}
+    Toolbox enables dynamic reloading by default. To disable, use the
+    `--disable-reload` flag.
+    {{< /notice >}}
+<!-- [END configure_toolbox] -->

docs/en/getting-started/quickstart/shared/database_setup.md

@@ -0,0 +1,119 @@
+<!-- This file has been used in local_quickstart.md, local_quickstart_go.md & local_quickstart_js.md -->
+<!-- [START database_setup] -->
+In this section, we will create a database, insert some data that needs to be
+accessed by our agent, and create a database user for Toolbox to connect with.
+
+1. Connect to postgres using the `psql` command:
+
+    ```bash
+    psql -h 127.0.0.1 -U postgres
+    ```
+
+    Here, `postgres` denotes the default postgres superuser.
+
+    {{< notice info >}}
+
+#### **Having trouble connecting?**
+
+* **Password Prompt:** If you are prompted for a password for the `postgres`
+  user and do not know it (or a blank password doesn't work), your PostgreSQL
+  installation might require a password or a different authentication method.
+* **`FATAL: role "postgres" does not exist`:** This error means the default
+  `postgres` superuser role isn't available under that name on your system.
+* **`Connection refused`:** Ensure your PostgreSQL server is actually running.
+  You can typically check with `sudo systemctl status postgresql` and start it
+  with `sudo systemctl start postgresql` on Linux systems.
+
+<br/>
+
+#### **Common Solution**
+
+For password issues or if the `postgres` role seems inaccessible directly, try
+switching to the `postgres` operating system user first. This user often has
+permission to connect without a password for local connections (this is called
+peer authentication).
+
+```bash
+sudo -i -u postgres
+psql -h 127.0.0.1
+```
+
+Once you are in the `psql` shell using this method, you can proceed with the
+database creation steps below. Afterwards, type `\q` to exit `psql`, and then
+`exit` to return to your normal user shell.
+
+If desired, once connected to `psql` as the `postgres` OS user, you can set a
+password for the `postgres` *database* user using: `ALTER USER postgres WITH
+PASSWORD 'your_chosen_password';`. This would allow direct connection with `-U
+postgres` and a password next time.
+    {{< /notice >}}
+
+1. Create a new database and a new user:
+
+    {{< notice tip >}}
+  For a real application, it's best to follow the principle of least permission
+  and only grant the privileges your application needs.
+    {{< /notice >}}
+
+    ```sql
+      CREATE USER toolbox_user WITH PASSWORD 'my-password';
+
+      CREATE DATABASE toolbox_db;
+      GRANT ALL PRIVILEGES ON DATABASE toolbox_db TO toolbox_user;
+
+      ALTER DATABASE toolbox_db OWNER TO toolbox_user;
+    ```
+
+1. End the database session:
+
+    ```bash
+    \q
+    ```
+
+    (If you used `sudo -i -u postgres` and then `psql`, remember you might also
+    need to type `exit` after `\q` to leave the `postgres` user's shell
+    session.)
+
+1. Connect to your database with your new user:
+
+    ```bash
+    psql -h 127.0.0.1 -U toolbox_user -d toolbox_db
+    ```
+
+1. Create a table using the following command:
+
+    ```sql
+    CREATE TABLE hotels(
+      id            INTEGER NOT NULL PRIMARY KEY,
+      name          VARCHAR NOT NULL,
+      location      VARCHAR NOT NULL,
+      price_tier    VARCHAR NOT NULL,
+      checkin_date  DATE    NOT NULL,
+      checkout_date DATE    NOT NULL,
+      booked        BIT     NOT NULL
+    );
+    ```
+
+1. Insert data into the table.
+
+    ```sql
+    INSERT INTO hotels(id, name, location, price_tier, checkin_date, checkout_date, booked)
+    VALUES
+      (1, 'Hilton Basel', 'Basel', 'Luxury', '2024-04-22', '2024-04-20', B'0'),
+      (2, 'Marriott Zurich', 'Zurich', 'Upscale', '2024-04-14', '2024-04-21', B'0'),
+      (3, 'Hyatt Regency Basel', 'Basel', 'Upper Upscale', '2024-04-02', '2024-04-20', B'0'),
+      (4, 'Radisson Blu Lucerne', 'Lucerne', 'Midscale', '2024-04-24', '2024-04-05', B'0'),
+      (5, 'Best Western Bern', 'Bern', 'Upper Midscale', '2024-04-23', '2024-04-01', B'0'),
+      (6, 'InterContinental Geneva', 'Geneva', 'Luxury', '2024-04-23', '2024-04-28', B'0'),
+      (7, 'Sheraton Zurich', 'Zurich', 'Upper Upscale', '2024-04-27', '2024-04-02', B'0'),
+      (8, 'Holiday Inn Basel', 'Basel', 'Upper Midscale', '2024-04-24', '2024-04-09', B'0'),
+      (9, 'Courtyard Zurich', 'Zurich', 'Upscale', '2024-04-03', '2024-04-13', B'0'),
+      (10, 'Comfort Inn Bern', 'Bern', 'Midscale', '2024-04-04', '2024-04-16', B'0');
+    ```
+
+1. End the database session:
+
+    ```bash
+    \q
+    ```
+<!-- [END database_setup] -->

docs/en/how-to/connect-ide/firestore_mcp.md

@@ -62,19 +62,19 @@ to expose your developer assistant tools to a Firestore instance:
    <!-- {x-release-please-start-version} -->
    {{< tabpane persist=header >}}
 {{< tab header="linux/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/linux/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/linux/amd64/toolbox
 {{< /tab >}}
 
 {{< tab header="darwin/arm64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/darwin/arm64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/darwin/arm64/toolbox
 {{< /tab >}}
 
 {{< tab header="darwin/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/darwin/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/darwin/amd64/toolbox
 {{< /tab >}}
 
 {{< tab header="windows/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/windows/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/windows/amd64/toolbox
 {{< /tab >}}
 {{< /tabpane >}}
     <!-- {x-release-please-end} -->

docs/en/how-to/connect-ide/looker_mcp.md

@@ -11,6 +11,7 @@ an open protocol for connecting Large Language Models (LLMs) to data sources
 like Postgres. This guide covers how to use [MCP Toolbox for Databases][toolbox]
 to expose your developer assistant tools to a Looker instance:
 
+* [Gemini-CLI][gemini-cli]
 * [Cursor][cursor]
 * [Windsurf][windsurf] (Codium)
 * [Visual Studio Code][vscode] (Copilot)
@@ -19,6 +20,7 @@ to expose your developer assistant tools to a Looker instance:
 * [Claude code][claudecode]
 
 [toolbox]: https://github.com/googleapis/genai-toolbox
+[gemini-cli]: #configure-your-mcp-client
 [cursor]: #configure-your-mcp-client
 [windsurf]: #configure-your-mcp-client
 [vscode]: #configure-your-mcp-client
@@ -46,19 +48,19 @@ to expose your developer assistant tools to a Looker instance:
    <!-- {x-release-please-start-version} -->
 {{< tabpane persist=header >}}
 {{< tab header="linux/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/linux/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/linux/amd64/toolbox
 {{< /tab >}}
 
 {{< tab header="darwin/arm64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/darwin/arm64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/darwin/arm64/toolbox
 {{< /tab >}}
 
 {{< tab header="darwin/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/darwin/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/darwin/amd64/toolbox
 {{< /tab >}}
 
 {{< tab header="windows/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/windows/amd64/toolbox.exe
+curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/windows/amd64/toolbox.exe
 {{< /tab >}}
 {{< /tabpane >}}
     <!-- {x-release-please-end} -->
@@ -78,6 +80,36 @@ curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/windows/amd64/toolb
 ## Configure your MCP Client
 
 {{< tabpane text=true >}}
+{{% tab header="Gemini-CLI" lang="en" %}}
+
+1. Install [Gemini-CLI](https://github.com/google-gemini/gemini-cli#install-globally-with-npm).
+1. Create a directory `.gemini` in your home directory if it doesn't exist.
+1. Create the file `.gemini/settings.json` if it doesn't exist.
+1. Add the following configuration, or add the mcpServers stanza if you already
+   have a `settings.json` with content. Replace the path to the toolbox
+   executable and the environment variables with your values, and save:
+
+    ```json
+    {
+      "mcpServers": {
+        "looker-toolbox": {
+          "command": "./PATH/TO/toolbox",
+          "args": ["--stdio", "--prebuilt", "looker"],
+          "env": {
+            "LOOKER_BASE_URL": "https://looker.example.com",
+            "LOOKER_CLIENT_ID": "",
+            "LOOKER_CLIENT_SECRET": "",
+            "LOOKER_VERIFY_SSL": "true"
+          }
+        }
+      }
+    }
+    ```
+
+1. Start Gemini-CLI with the `gemini` command and use the command `/mcp` to see
+   the configured MCP tools.
+{{% /tab %}}
+
 {{% tab header="Claude code" lang="en" %}}
 
 1. Install [Claude
@@ -269,6 +301,9 @@ The following tools are available to the LLM:
 1. **get_looks**: Return the saved Looks that match a title or description
 1. **run_look**: Run a saved Look and return the data
 1. **make_look**: Create a saved Look in Looker and return the URL
+1. **get_dashboards**: Return the saved dashboards that match a title or description
+1. **make_dashboard**: Create a saved dashboard in Looker and return the URL
+1. **add_dashboard_element**: Add a tile to a dashboard
 
 {{< notice note >}}
 Prebuilt tools are pre-1.0, so expect some tool changes between versions. LLMs

docs/en/how-to/connect-ide/mssql_mcp.md

@@ -37,19 +37,19 @@ description: "Connect your IDE to SQL Server using Toolbox."
    <!-- {x-release-please-start-version} -->
    {{< tabpane persist=header >}}
 {{< tab header="linux/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/linux/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/linux/amd64/toolbox
 {{< /tab >}}
 
 {{< tab header="darwin/arm64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/darwin/arm64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/darwin/arm64/toolbox
 {{< /tab >}}
 
 {{< tab header="darwin/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/darwin/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/darwin/amd64/toolbox
 {{< /tab >}}
 
 {{< tab header="windows/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/windows/amd64/toolbox.exe
+curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/windows/amd64/toolbox.exe
 {{< /tab >}}
 {{< /tabpane >}}
     <!-- {x-release-please-end} -->

docs/en/how-to/connect-ide/mysql_mcp.md

@@ -37,19 +37,19 @@ description: "Connect your IDE to MySQL using Toolbox."
    <!-- {x-release-please-start-version} -->
    {{< tabpane persist=header >}}
 {{< tab header="linux/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/linux/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/linux/amd64/toolbox
 {{< /tab >}}
 
 {{< tab header="darwin/arm64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/darwin/arm64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/darwin/arm64/toolbox
 {{< /tab >}}
 
 {{< tab header="darwin/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/darwin/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/darwin/amd64/toolbox
 {{< /tab >}}
 
 {{< tab header="windows/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/windows/amd64/toolbox.exe
+curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/windows/amd64/toolbox.exe
 {{< /tab >}}
 {{< /tabpane >}}
     <!-- {x-release-please-end} -->

docs/en/how-to/connect-ide/postgres_mcp.md

@@ -17,6 +17,8 @@ to expose your developer assistant tools to a Postgres instance:
 * [Cline][cline]  (VS Code extension)
 * [Claude desktop][claudedesktop]
 * [Claude code][claudecode]
+* [Gemini CLI][geminicli]
+* [Gemini Code Assist][geminicodeassist]
 
 [toolbox]: https://github.com/googleapis/genai-toolbox
 [cursor]: #configure-your-mcp-client
@@ -25,6 +27,8 @@ to expose your developer assistant tools to a Postgres instance:
 [cline]: #configure-your-mcp-client
 [claudedesktop]: #configure-your-mcp-client
 [claudecode]: #configure-your-mcp-client
+[geminicli]: #configure-your-mcp-client
+[geminicodeassist]: #configure-your-mcp-client
 
 {{< notice tip >}}
 This guide can be used with [AlloyDB
@@ -52,19 +56,19 @@ Omni](https://cloud.google.com/alloydb/omni/current/docs/overview).
    <!-- {x-release-please-start-version} -->
    {{< tabpane persist=header >}}
 {{< tab header="linux/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/linux/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/linux/amd64/toolbox
 {{< /tab >}}
 
 {{< tab header="darwin/arm64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/darwin/arm64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/darwin/arm64/toolbox
 {{< /tab >}}
 
 {{< tab header="darwin/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/darwin/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/darwin/amd64/toolbox
 {{< /tab >}}
 
 {{< tab header="windows/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/windows/amd64/toolbox.exe
+curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/windows/amd64/toolbox.exe
 {{< /tab >}}
 {{< /tabpane >}}
     <!-- {x-release-please-end} -->
@@ -259,6 +263,57 @@ curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/windows/amd64/toolb
     ```
 
 {{% /tab %}}
+
+{{% tab header="Gemini CLI" lang="en" %}}
+
+1.  Install the [Gemini CLI](https://github.com/google-gemini/gemini-cli?tab=readme-ov-file#quickstart).
+1.  In your working directory, create a folder named `.gemini`. Within it, create a `settings.json` file.
+1.  Add the following configuration, replace the environment variables with your values, and then save:
+
+    ```json
+    {
+      "mcpServers": {
+        "postgres": {
+          "command": "./PATH/TO/toolbox",
+          "args": ["--prebuilt","postgres","--stdio"],
+          "env": {
+            "POSTGRES_HOST": "",
+            "POSTGRES_PORT": "",
+            "POSTGRES_DATABASE": "",
+            "POSTGRES_USER": "",
+            "POSTGRES_PASSWORD": ""
+          }
+        }
+      }
+    }
+    ```
+{{% /tab %}}
+
+{{% tab header="Gemini Code Assist" lang="en" %}}
+
+1.  Install the [Gemini Code Assist](https://marketplace.visualstudio.com/items?itemName=Google.geminicodeassist) extension in Visual Studio Code.
+1.  Enable Agent Mode in Gemini Code Assist chat.
+1.  In your working directory, create a folder named `.gemini`. Within it, create a `settings.json` file.
+1.  Add the following configuration, replace the environment variables with your values, and then save:
+
+    ```json
+    {
+      "mcpServers": {
+        "postgres": {
+          "command": "./PATH/TO/toolbox",
+          "args": ["--prebuilt","postgres","--stdio"],
+          "env": {
+            "POSTGRES_HOST": "",
+            "POSTGRES_PORT": "",
+            "POSTGRES_DATABASE": "",
+            "POSTGRES_USER": "",
+            "POSTGRES_PASSWORD": ""
+          }
+        }
+      }
+    }
+    ```
+{{% /tab %}}
 {{< /tabpane >}}
 
 ## Use Tools

docs/en/how-to/deploy_toolbox.md

@@ -103,6 +103,14 @@ section.
     ```bash
     export IMAGE=us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:latest
     ```
+{{< notice note >}}  
+**The `$PORT` Environment Variable**  
+Google Cloud Run dictates the port your application must listen on by setting the
+`$PORT` environment variable inside your container. This value defaults to
+**8080**. Your application's `--port` argument **must** be set to listen on this
+port. If there is a mismatch, the container will fail to start and the
+deployment will time out.  
+{{< /notice >}}
 
 1. Deploy Toolbox to Cloud Run using the following command:
 
@@ -197,3 +205,22 @@ func main() {
 
 
 Now, you can use this client to connect to the deployed Cloud Run instance!
+
+## Troubleshooting
+
+{{< notice note >}}  
+For any deployment or runtime error, the best first step is to check the logs for your service in the Google Cloud Console's Cloud Run section. They often contain the specific error message needed to diagnose the problem.  
+{{< /notice >}}
+
+* **Deployment Fails with "Container failed to start":** This is almost always
+    caused by a port mismatch. Ensure your container's `--port` argument is set to
+    `8080` to match the `$PORT` environment variable provided by Cloud Run.
+
+* **Client Receives Permission Denied Error (401 or 403):** If your client application (e.g., your local SDK) gets a `401 Unauthorized` or `403 Forbidden` error when trying to call your Cloud Run service, it means the client is not properly authenticated as an invoker.
+    * Ensure the user or service account calling the service has the **Cloud Run Invoker** (`roles/run.invoker`) IAM role.
+    * If running locally, make sure your Application Default Credentials are set up correctly by running `gcloud auth application-default login`.
+
+* **Service Fails to Access Secrets (in logs):** If your application starts but the logs show errors like "permission denied" when trying to access Secret Manager, it means the Toolbox service account is missing permissions.
+    * Ensure the `toolbox-identity` service account has the **Secret Manager Secret Accessor** (`roles/secretmanager.secretAccessor`) IAM role.
+
+

docs/en/reference/_index.md

@@ -0,0 +1,8 @@
+---
+title: "Reference"
+type: docs
+weight: 7
+description: >
+  This section contains reference documentation.
+---
+

docs/en/reference/cli.md

@@ -0,0 +1,75 @@
+---
+title: "CLI"
+type: docs
+weight: 1
+description: >
+  This page describes the `toolbox` command-line options.
+---
+
+## Reference
+
+| Flag (Short) | Flag (Long) | Description | Default |
+|---|---|---|---|
+| `-a` | `--address` | Address of the interface the server will listen on. | `127.0.0.1` |
+| | `--disable-reload` | Disables dynamic reloading of tools file. | |
+| `-h` | `--help` | help for toolbox | |
+| | `--log-level` | Specify the minimum level logged. Allowed: 'DEBUG', 'INFO', 'WARN', 'ERROR'. | `info` |
+| | `--logging-format` | Specify logging format to use. Allowed: 'standard' or 'JSON'. | `standard` |
+| `-p` | `--port` | Port the server will listen on. | `5000` |
+| | `--prebuilt` | Use a prebuilt tool configuration by source type. Cannot be used with --tools-file. See [Prebuilt Tools Reference](prebuilt-tools.md) for allowed values. | |
+| | `--stdio` | Listens via MCP STDIO instead of acting as a remote HTTP server. | |
+| | `--telemetry-gcp` | Enable exporting directly to Google Cloud Monitoring. | |
+| | `--telemetry-otlp` | Enable exporting using OpenTelemetry Protocol (OTLP) to the specified endpoint (e.g. 'http://127.0.0.1:4318') | |
+| | `--telemetry-service-name` | Sets the value of the service.name resource attribute for telemetry data. | `toolbox` |
+| | `--tools-file` | File path specifying the tool configuration. Cannot be used with --prebuilt, --tools-files, or --tools-folder. | |
+| | `--tools-files` | Multiple file paths specifying tool configurations. Files will be merged. Cannot be used with --prebuilt, --tools-file, or --tools-folder. | |
+| | `--tools-folder` | Directory path containing YAML tool configuration files. All .yaml and .yml files in the directory will be loaded and merged. Cannot be used with --prebuilt, --tools-file, or --tools-files. | |
+| | `--ui` | Launches the Toolbox UI web server. | |
+| `-v` | `--version` | version for toolbox | |
+
+## Examples
+
+### Transport Configuration
+
+**Server Settings:**
+- `--address`, `-a`: Server listening address (default: "127.0.0.1")
+- `--port`, `-p`: Server listening port (default: 5000)
+
+**STDIO:**
+- `--stdio`: Run in MCP STDIO mode instead of HTTP server
+
+#### Usage Examples
+
+```bash
+# Basic server with custom port configuration
+./toolbox --tools-file "tools.yaml" --port 8080
+```
+
+### Tool Configuration Sources
+
+The CLI supports multiple mutually exclusive ways to specify tool configurations:
+
+**Single File:** (default)
+- `--tools-file`: Path to a single YAML configuration file (default: `tools.yaml`)
+
+**Multiple Files:**
+- `--tools-files`: Comma-separated list of YAML files to merge
+
+**Directory:**
+- `--tools-folder`: Directory containing YAML files to load and merge
+
+**Prebuilt Configurations:**
+- `--prebuilt`: Use predefined configurations for specific database types (e.g., 'bigquery', 'postgres', 'spanner'). See [Prebuilt Tools Reference](prebuilt-tools.md) for allowed values.
+
+{{< notice tip >}}
+The CLI enforces mutual exclusivity between configuration source flags, preventing simultaneous use of `--prebuilt` with file-based options, and ensuring only one of `--tools-file`, `--tools-files`, or `--tools-folder` is used at a time.
+{{< /notice >}}
+
+### Hot Reload
+
+Toolbox enables dynamic reloading by default. To disable, use the
+`--disable-reload` flag.
+
+### Toolbox UI
+
+To launch Toolbox's interactive UI, use the `--ui` flag. This allows you to test tools and toolsets with features such as authorized parameters. To learn more, visit [Toolbox UI](../how-to/toolbox-ui/index.md).

docs/en/reference/prebuilt-tools.md

@@ -0,0 +1,263 @@
+---
+title: "Prebuilt Tools"
+type: docs
+weight: 1
+description: >
+    This page lists all the prebuilt tools available.
+---
+
+Prebuilt tools are reusable, pre-packaged toolsets that are designed to extend the capabilities of agents. These tools are built to be generic and adaptable, allowing developers to interact with and take action on databases.
+
+See guides, [Connect from your IDE](../how-to/connect-ide/_index.md), for details on how to connect your AI tools (IDEs) to databases via Toolbox and MCP.
+
+## AlloyDB Postgres
+
+*   `--prebuilt` value: `alloydb-postgres`
+*   **Environment Variables:**
+    *   `ALLOYDB_POSTGRES_PROJECT`: The GCP project ID.
+    *   `ALLOYDB_POSTGRES_REGION`: The region of your AlloyDB instance.
+    *   `ALLOYDB_POSTGRES_CLUSTER`: The ID of your AlloyDB cluster.
+    *   `ALLOYDB_POSTGRES_INSTANCE`: The ID of your AlloyDB instance.
+    *   `ALLOYDB_POSTGRES_DATABASE`: The name of the database to connect to.
+    *   `ALLOYDB_POSTGRES_USER`: The database username.
+    *   `ALLOYDB_POSTGRES_PASSWORD`: The password for the database user.
+*   **Permissions:**
+    *   **AlloyDB Client** (`roles/alloydb.client`) to connect to the instance.
+    *   Database-level permissions (e.g., `SELECT`, `INSERT`) are required to execute queries.
+*   **Tools:**
+    *   `execute_sql`: Executes a SQL query.
+    *   `list_tables`: Lists tables in the database.
+
+## AlloyDB Postgres Admin
+
+* `--prebuilt` value: `alloydb-postgres-admin`
+*   **Environment Variables:**
+    *   `API_KEY`: Your API key for the AlloyDB API.
+*   **Permissions:**
+    *   **AlloyDB Admin** (`roles/alloydb.admin`) IAM role is required on the project.
+*   **Tools:**
+    *   `alloydb-create-cluster`: Creates a new AlloyDB cluster.
+    *   `alloydb-operations-get`: Polls the operations API to track the status of long-running operations.
+    *   `alloydb-create-instance`: Creates a new AlloyDB instance within a cluster.
+    *   `alloydb-list-clusters`: Lists all AlloyDB clusters in a project.
+    *   `alloydb-list-instances`: Lists all instances within an AlloyDB cluster.
+    *   `alloydb-list-users`: Lists all database users within an AlloyDB cluster.
+    *   `alloydb-create-user`: Creates a new database user in an AlloyDB cluster.
+
+## BigQuery
+
+*   `--prebuilt` value: `bigquery`
+*   **Environment Variables:**
+    *   `BIGQUERY_PROJECT`: The GCP project ID.
+*   **Permissions:**
+    *   **BigQuery User** (`roles/bigquery.user`) to execute queries and view metadata.
+    *   **BigQuery Metadata Viewer** (`roles/bigquery.metadataViewer`) to view all datasets.
+    *   **BigQuery Data Editor** (`roles/bigquery.dataEditor`) to create or modify datasets and tables.
+    *   **Gemini for Google Cloud** (`roles/cloudaicompanion.user`) to use the conversational analytics API.
+*   **Tools:**
+    *   `ask_data_insights`: Use this tool to perform data analysis, get insights, or answer complex questions about the contents of specific BigQuery tables. For more information on required roles, API setup, and IAM configuration, see the setup and authentication section of the [Conversational Analytics API documentation](https://cloud.google.com/gemini/docs/conversational-analytics-api/overview).
+    *   `execute_sql`: Executes a SQL statement.
+    *   `forecast`: Use this tool to forecast time series data.
+    *   `get_dataset_info`: Gets dataset metadata.
+    *   `get_table_info`: Gets table metadata.
+    *   `list_dataset_ids`: Lists datasets.
+    *   `list_table_ids`: Lists tables.
+
+## Cloud SQL for MySQL
+
+*   `--prebuilt` value: `cloud-sql-mysql`
+*   **Environment Variables:**
+    *   `CLOUD_SQL_MYSQL_PROJECT`: The GCP project ID.
+    *   `CLOUD_SQL_MYSQL_REGION`: The region of your Cloud SQL instance.
+    *   `CLOUD_SQL_MYSQL_INSTANCE`: The ID of your Cloud SQL instance.
+    *   `CLOUD_SQL_MYSQL_DATABASE`: The name of the database to connect to.
+    *   `CLOUD_SQL_MYSQL_USER`: The database username.
+    *   `CLOUD_SQL_MYSQL_PASSWORD`: The password for the database user.
+*   **Permissions:**
+    *   **Cloud SQL Client** (`roles/cloudsql.client`) to connect to the instance.
+    *   Database-level permissions (e.g., `SELECT`, `INSERT`) are required to execute queries.
+*   **Tools:**
+    *   `execute_sql`: Executes a SQL query.
+    *   `list_tables`: Lists tables in the database.
+
+## Cloud SQL for PostgreSQL
+
+*   `--prebuilt` value: `cloud-sql-postgres`
+*   **Environment Variables:**
+    *   `CLOUD_SQL_POSTGRES_PROJECT`: The GCP project ID.
+    *   `CLOUD_SQL_POSTGRES_REGION`: The region of your Cloud SQL instance.
+    *   `CLOUD_SQL_POSTGRES_INSTANCE`: The ID of your Cloud SQL instance.
+    *   `CLOUD_SQL_POSTGRES_DATABASE`: The name of the database to connect to.
+    *   `CLOUD_SQL_POSTGRES_USER`: The database username.
+    *   `CLOUD_SQL_POSTGRES_PASSWORD`: The password for the database user.
+*   **Permissions:**
+    *   **Cloud SQL Client** (`roles/cloudsql.client`) to connect to the instance.
+    *   Database-level permissions (e.g., `SELECT`, `INSERT`) are required to execute queries.
+*   **Tools:**
+    *   `execute_sql`: Executes a SQL query.
+    *   `list_tables`: Lists tables in the database.
+
+## Cloud SQL for SQL Server
+
+*   `--prebuilt` value: `cloud-sql-mssql`
+*   **Environment Variables:**
+    *   `CLOUD_SQL_MSSQL_PROJECT`: The GCP project ID.
+    *   `CLOUD_SQL_MSSQL_REGION`: The region of your Cloud SQL instance.
+    *   `CLOUD_SQL_MSSQL_INSTANCE`: The ID of your Cloud SQL instance.
+    *   `CLOUD_SQL_MSSQL_DATABASE`: The name of the database to connect to.
+    *   `CLOUD_SQL_MSSQL_IP_ADDRESS`: The IP address of the Cloud SQL instance.
+    *   `CLOUD_SQL_MSSQL_USER`: The database username.
+    *   `CLOUD_SQL_MSSQL_PASSWORD`: The password for the database user.
+*   **Permissions:**
+    *   **Cloud SQL Client** (`roles/cloudsql.client`) to connect to the instance.
+    *   Database-level permissions (e.g., `SELECT`, `INSERT`) are required to execute queries.
+*   **Tools:**
+    *   `execute_sql`: Executes a SQL query.
+    *   `list_tables`: Lists tables in the database.
+
+## Dataplex
+
+*   `--prebuilt` value: `dataplex`
+*   **Environment Variables:**
+    *   `DATAPLEX_PROJECT`: The GCP project ID.
+*   **Permissions:**
+    *   **Dataplex Reader** (`roles/dataplex.viewer`) to search and look up entries.
+    *   **Dataplex Editor** (`roles/dataplex.editor`) to modify entries.
+*   **Tools:**
+    *   `dataplex_search_entries`: Searches for entries in Dataplex Catalog.
+    *   `dataplex_lookup_entry`: Retrieves a specific entry from Dataplex Catalog.
+    *   `dataplex_search_aspect_types`: Finds aspect types relevant to the query.
+
+## Firestore
+
+*   `--prebuilt` value: `firestore`
+*   **Environment Variables:**
+    *   `FIRESTORE_PROJECT`: The GCP project ID.
+    *   `FIRESTORE_DATABASE`: The Firestore database ID.
+*   **Permissions:**
+    *   **Cloud Datastore User** (`roles/datastore.user`) to get documents, list collections, and query collections.
+    *   **Firebase Rules Viewer** (`roles/firebaserules.viewer`) to get and validate Firestore rules.
+*   **Tools:**
+    *   `firestore-get-documents`: Gets multiple documents from Firestore by their paths.
+    *   `firestore-list-collections`: Lists Firestore collections for a given parent path.
+    *   `firestore-delete-documents`: Deletes multiple documents from Firestore.
+    *   `firestore-query-collection`: Retrieves one or more Firestore documents from a collection.
+    *   `firestore-get-rules`: Retrieves the active Firestore security rules.
+    *   `firestore-validate-rules`: Checks the provided Firestore Rules source for syntax and validation errors.
+
+## Looker
+
+*   `--prebuilt` value: `looker`
+*   **Environment Variables:**
+    *   `LOOKER_BASE_URL`: The URL of your Looker instance.
+    *   `LOOKER_CLIENT_ID`: The client ID for the Looker API.
+    *   `LOOKER_CLIENT_SECRET`: The client secret for the Looker API.
+    *   `LOOKER_VERIFY_SSL`: Whether to verify SSL certificates.
+*   **Permissions:**
+    *   A Looker account with permissions to access the desired models, explores, and data is required.
+*   **Tools:**
+    *   `get_models`: Retrieves the list of LookML models.
+    *   `get_explores`: Retrieves the list of explores in a model.
+    *   `get_dimensions`: Retrieves the list of dimensions in an explore.
+    *   `get_measures`: Retrieves the list of measures in an explore.
+    *   `get_filters`: Retrieves the list of filters in an explore.
+    *   `get_parameters`: Retrieves the list of parameters in an explore.
+    *   `query`: Runs a query against the LookML model.
+    *   `query_sql`: Generates the SQL for a query.
+    *   `query_url`: Generates a URL for a query in Looker.
+    *   `get_looks`: Searches for saved looks.
+    *   `run_look`: Runs the query associated with a look.
+    *   `make_look`: Creates a new look.
+    *   `get_dashboards`: Searches for saved dashboards.
+    *   `make_dashboard`: Creates a new dashboard.
+    *   `add_dashboard_element`: Adds a tile to a dashboard.
+
+## Microsoft SQL Server
+
+*   `--prebuilt` value: `mssql`
+*   **Environment Variables:**
+    *   `MSSQL_HOST`: The hostname or IP address of the SQL Server instance.
+    *   `MSSQL_PORT`: The port number for the SQL Server instance.
+    *   `MSSQL_DATABASE`: The name of the database to connect to.
+    *   `MSSQL_USER`: The database username.
+    *   `MSSQL_PASSWORD`: The password for the database user.
+*   **Permissions:**
+    *   Database-level permissions (e.g., `SELECT`, `INSERT`) are required to execute queries.
+*   **Tools:**
+    *   `execute_sql`: Executes a SQL query.
+    *   `list_tables`: Lists tables in the database.
+
+## MySQL
+
+*   `--prebuilt` value: `mysql`
+*   **Environment Variables:**
+    *   `MYSQL_HOST`: The hostname or IP address of the MySQL server.
+    *   `MYSQL_PORT`: The port number for the MySQL server.
+    *   `MYSQL_DATABASE`: The name of the database to connect to.
+    *   `MYSQL_USER`: The database username.
+    *   `MYSQL_PASSWORD`: The password for the database user.
+*   **Permissions:**
+    *   Database-level permissions (e.g., `SELECT`, `INSERT`) are required to execute queries.
+*   **Tools:**
+    *   `execute_sql`: Executes a SQL query.
+    *   `list_tables`: Lists tables in the database.
+
+## OceanBase
+
+*   `--prebuilt` value: `oceanbase`
+*   **Environment Variables:**
+    *   `OCEANBASE_HOST`: The hostname or IP address of the OceanBase server.
+    *   `OCEANBASE_PORT`: The port number for the OceanBase server.
+    *   `OCEANBASE_DATABASE`: The name of the database to connect to.
+    *   `OCEANBASE_USER`: The database username.
+    *   `OCEANBASE_PASSWORD`: The password for the database user.
+*   **Permissions:**
+    *   Database-level permissions (e.g., `SELECT`, `INSERT`) are required to execute queries.
+*   **Tools:**
+    *   `execute_sql`: Executes a SQL query.
+    *   `list_tables`: Lists tables in the database.
+
+## PostgreSQL
+
+*   `--prebuilt` value: `postgres`
+*   **Environment Variables:**
+    *   `POSTGRES_HOST`: The hostname or IP address of the PostgreSQL server.
+    *   `POSTGRES_PORT`: The port number for the PostgreSQL server.
+    *   `POSTGRES_DATABASE`: The name of the database to connect to.
+    *   `POSTGRES_USER`: The database username.
+    *   `POSTGRES_PASSWORD`: The password for the database user.
+*   **Permissions:**
+    *   Database-level permissions (e.g., `SELECT`, `INSERT`) are required to execute queries.
+*   **Tools:**
+    *   `execute_sql`: Executes a SQL query.
+    *   `list_tables`: Lists tables in the database.
+
+## Spanner (GoogleSQL dialect)
+
+*   `--prebuilt` value: `spanner`
+*   **Environment Variables:**
+    *   `SPANNER_PROJECT`: The GCP project ID.
+    *   `SPANNER_INSTANCE`: The Spanner instance ID.
+    *   `SPANNER_DATABASE`: The Spanner database ID.
+*   **Permissions:**
+    *   **Cloud Spanner Database Reader** (`roles/spanner.databaseReader`) to execute DQL queries and list tables.
+    *   **Cloud Spanner Database User** (`roles/spanner.databaseUser`) to execute DML queries.
+*   **Tools:**
+    *   `execute_sql`: Executes a DML SQL query.
+    *   `execute_sql_dql`: Executes a DQL SQL query.
+    *   `list_tables`: Lists tables in the database.
+
+## Spanner (PostgreSQL dialect)
+
+*   `--prebuilt` value: `spanner-postgres`
+*   **Environment Variables:**
+    *   `SPANNER_PROJECT`: The GCP project ID.
+    *   `SPANNER_INSTANCE`: The Spanner instance ID.
+    *   `SPANNER_DATABASE`: The Spanner database ID.
+*   **Permissions:**
+    *   **Cloud Spanner Database Reader** (`roles/spanner.databaseReader`) to execute DQL queries and list tables.
+    *   **Cloud Spanner Database User** (`roles/spanner.databaseUser`) to execute DML queries.
+*   **Tools:**
+    *   `execute_sql`: Executes a DML SQL query using the PostgreSQL interface for Spanner.
+    *   `execute_sql_dql`: Executes a DQL SQL query using the PostgreSQL interface for Spanner.
+    *   `list_tables`: Lists tables in the database.

docs/en/resources/sources/bigquery.md

@@ -65,23 +65,40 @@ Connect your IDE to BigQuery using Toolbox.
 
 BigQuery uses [Identity and Access Management (IAM)][iam-overview] to control
 user and group access to BigQuery resources like projects, datasets, and tables.
-Toolbox will use your [Application Default Credentials (ADC)][adc] to authorize
-and authenticate when interacting with [BigQuery][bigquery-docs].
 
-In addition to [setting the ADC for your server][set-adc], you need to ensure
-the IAM identity has been given the correct IAM permissions for the queries
-you intend to run. Common roles include `roles/bigquery.user` (which includes
-permissions to run jobs and read data) or `roles/bigquery.dataViewer`. See
-[Introduction to BigQuery IAM][grant-permissions] for more information on
-applying IAM permissions and roles to an identity.
+### Authentication via Application Default Credentials (ADC)
+
+By **default**, Toolbox will use your [Application Default Credentials (ADC)][adc] to authorize and authenticate when interacting with [BigQuery][bigquery-docs].
+
+When using this method, you need to ensure the IAM identity associated with your
+ADC (such as a service account) has the correct permissions for the queries you
+intend to run. Common roles include `roles/bigquery.user` (which includes
+permissions to run jobs and read data) or `roles/bigbigquery.dataViewer`.
+Follow this [guide][set-adc] to set up your ADC.
+
+### Authentication via User's OAuth Access Token
+
+If the `useClientOAuth` parameter is set to `true`, Toolbox will instead use the
+OAuth access token for authentication. This token is parsed from the
+`Authorization` header passed in with the tool invocation request. This method
+allows Toolbox to make queries to [BigQuery][bigquery-docs] on behalf of the
+client or the end-user.
+
+When using this on-behalf-of authentication, you must ensure that the
+identity used has been granted the correct IAM permissions. Currently,
+this option is only supported by the following BigQuery tools:
+
+- [`bigquery-sql`](../tools/bigquery/bigquery-sql.md)  
+  Run SQL queries directly against BigQuery datasets.
 
 [iam-overview]: https://cloud.google.com/bigquery/docs/access-control
 [adc]: https://cloud.google.com/docs/authentication#adc
 [set-adc]: https://cloud.google.com/docs/authentication/provide-credentials-adc
-[grant-permissions]: https://cloud.google.com/bigquery/docs/access-control
 
 ## Example
 
+Initialize a BigQuery source that uses ADC:
+
 ```yaml
 sources:
   my-bigquery-source:
@@ -89,10 +106,21 @@ sources:
     project: "my-project-id"
 ```
 
+Initialize a BigQuery source that uses the client's access token:
+
+```yaml
+sources:
+  my-bigquery-client-auth-source:
+    kind: "bigquery"
+    project: "my-project-id"
+    useClientOAuth: true
+```
+
 ## Reference
 
-| **field** | **type** | **required** | **description**                                                               |
-|-----------|:--------:|:------------:|-------------------------------------------------------------------------------|
-| kind      |  string  |     true     | Must be "bigquery".                                                           |
-| project   |  string  |     true     | Id of the GCP project that the cluster was created in (e.g. "my-project-id"). |
-| location  |  string  |    false     | Specifies the location (e.g., 'us', 'asia-northeast1') in which to run the query job. This location must match the location of any tables referenced in the query. The default behavior is for it to be executed in the US multi-region |
+| **field**      | **type** | **required** | **description**                                                                                                                                                                                                                         |
+|----------------|:--------:|:------------:|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| kind           |  string  |     true     | Must be "bigquery".                                                                                                                                                                                                                     |
+| project        |  string  |     true     | Id of the GCP project that the cluster was created in (e.g. "my-project-id").                                                                                                                                                           |
+| location       |  string  |    false     | Specifies the location (e.g., 'us', 'asia-northeast1') in which to run the query job. This location must match the location of any tables referenced in the query. The default behavior is for it to be executed in the US multi-region |
+| useClientOAuth |   bool   |    false     | If true, forwards the client's OAuth access token from the "Authorization" header to downstream queries.                                                                                                                                |

docs/en/resources/sources/clickhouse.md

@@ -0,0 +1,91 @@
+---
+title: "ClickHouse"
+type: docs
+weight: 1
+description: >
+  ClickHouse is an open-source, OLTP database.
+
+---
+
+## About
+
+[ClickHouse][clickhouse-docs] is a fast, open-source, column-oriented database 
+
+[clickhouse-docs]: https://clickhouse.com/docs
+
+## Available Tools
+
+- [`clickhouse-execute-sql`](../tools/clickhouse/clickhouse-execute-sql.md)  
+  Execute parameterized SQL queries in ClickHouse with query logging.
+
+- [`clickhouse-sql`](../tools/clickhouse/clickhouse-sql.md)  
+  Execute SQL queries as prepared statements in ClickHouse.
+
+
+## Requirements
+
+### Database User
+
+This source uses standard ClickHouse authentication. You will need to [create a
+ClickHouse user][clickhouse-users] (or with [ClickHouse Cloud][clickhouse-cloud]) to connect to the database with. The user
+should have appropriate permissions for the operations you plan to perform.
+
+[clickhouse-cloud]: https://clickhouse.com/docs/getting-started/quick-start/cloud#connect-with-your-app
+[clickhouse-users]: https://clickhouse.com/docs/en/sql-reference/statements/create/user
+
+### Network Access
+
+ClickHouse supports multiple protocols:
+
+- **HTTPS protocol** (default port 8443) - Secure HTTP access (default)
+- **HTTP protocol** (default port 8123) - Good for web-based access
+
+## Example
+
+### Secure Connection Example
+
+```yaml
+sources:
+    secure-clickhouse-source:
+        kind: clickhouse
+        host: clickhouse.example.com
+        port: "8443"
+        database: analytics
+        user: ${CLICKHOUSE_USER}
+        password: ${CLICKHOUSE_PASSWORD}
+        protocol: https
+        secure: true
+```
+
+### HTTP Protocol Example
+
+```yaml
+sources:
+    http-clickhouse-source:
+        kind: clickhouse
+        host: localhost
+        port: "8123"
+        database: logs
+        user: ${CLICKHOUSE_USER}
+        password: ${CLICKHOUSE_PASSWORD}
+        protocol: http
+        secure: false
+```
+
+{{< notice tip >}}
+Use environment variable replacement with the format ${ENV_NAME}
+instead of hardcoding your secrets into the configuration file.
+{{< /notice >}}
+
+## Reference
+
+| **field**   | **type** | **required** | **description**                                                                    |
+|-------------|:--------:|:------------:|------------------------------------------------------------------------------------|
+| kind        |  string  |     true     | Must be "clickhouse".                                                              |
+| host        |  string  |     true     | IP address or hostname to connect to (e.g. "127.0.0.1" or "clickhouse.example.com") |
+| port        |  string  |     true     | Port to connect to (e.g. "8443" for HTTPS, "8123" for HTTP)                     |
+| database    |  string  |     true     | Name of the ClickHouse database to connect to (e.g. "my_database").              |
+| user        |  string  |     true     | Name of the ClickHouse user to connect as (e.g. "analytics_user").               |
+| password    |  string  |    false     | Password of the ClickHouse user (e.g. "my-password").                             |
+| protocol    |  string  |    false     | Connection protocol: "https" (default) or "http".                      |
+| secure      |  boolean |    false     | Whether to use a secure connection (TLS). Default: false.                         |

docs/en/resources/sources/couchbase.md

@@ -22,13 +22,17 @@ allowing tools to execute SQL queries against it.
 sources:
     my-couchbase-instance:
         kind: couchbase
-        connectionString: couchbase://localhost:8091
+        connectionString: couchbase://localhost
         bucket: travel-sample
         scope: inventory
         username: Administrator
         password: password
 ```
 
+{{< notice note >}}
+For more details about alternate addresses and custom ports refer to [Managing Connections](https://docs.couchbase.com/java-sdk/current/howtos/managing-connections.html).
+{{< /notice >}}
+
 ## Reference
 
 | **field**            | **type** | **required** | **description**                                         |

docs/en/resources/sources/firebird.md

@@ -0,0 +1,59 @@
+---
+title: "Firebird"
+type: docs
+weight: 1
+description: >
+  Firebird is a powerful, cross-platform, and open-source relational database.
+
+---
+
+## About
+
+[Firebird][fb-docs] is a relational database management system offering many ANSI SQL standard features that runs on Linux, Windows, and a variety of Unix platforms. It is known for its small footprint, powerful features, and easy maintenance.
+
+[fb-docs]: https://firebirdsql.org/
+
+## Available Tools
+
+- [`firebird-sql`](../tools/firebird/firebird-sql.md)  
+  Execute SQL queries as prepared statements in Firebird.
+
+- [`firebird-execute-sql`](../tools/firebird/firebird-execute-sql.md)  
+  Run parameterized SQL statements in Firebird.
+
+## Requirements
+
+### Database User
+
+This source uses standard authentication. You will need to [create a Firebird user][fb-users] to login to the database with.
+
+[fb-users]: https://firebirdsql.org/refdocs/langrefupd25-sql-create-user.html
+
+## Example
+
+```yaml
+sources:
+    my_firebird_db:
+        kind: firebird
+        host: "localhost"
+        port: 3050
+        database: "/path/to/your/database.fdb"
+        user: ${FIREBIRD_USER}
+        password: ${FIREBIRD_PASS}
+```
+
+{{< notice tip >}}
+Use environment variable replacement with the format ${ENV_NAME}
+instead of hardcoding your secrets into the configuration file.
+{{< /notice >}}
+
+## Reference
+
+| **field** | **type** | **required** | **description**                                                        |
+|-----------|:--------:|:------------:|------------------------------------------------------------------------|
+| kind      |  string  |     true     | Must be "firebird".                                                    |
+| host      |  string  |     true     | IP address to connect to (e.g. "127.0.0.1")                            |
+| port      |  string  |     true     | Port to connect to (e.g. "3050")                                       |
+| database  |  string  |     true     | Path to the Firebird database file (e.g. "/var/lib/firebird/data/test.fdb"). |
+| user      |  string  |     true     | Name of the Firebird user to connect as (e.g. "SYSDBA").               |
+| password  |  string  |     true     | Password of the Firebird user (e.g. "masterkey").                      |

docs/en/resources/sources/looker.md

@@ -56,11 +56,14 @@ instead of hardcoding your secrets into the configuration file.
 
 ## Reference
 
-| **field**     | **type** | **required** | **description**                                                                           |
-| ------------- | :------: | :----------: | ----------------------------------------------------------------------------------------- |
-| kind          |  string  |     true     | Must be "looker".                                                                         |
-| base_url      |  string  |     true     | The URL of your Looker server with no trailing /).                                        |
-| client_id     |  string  |     true     | The client id assigned by Looker.                                                         |
-| client_secret |  string  |     true     | The client secret assigned by Looker.                                                     |
-| verify_ssl    |  string  |     true     | Whether to check the ssl certificate of the server.                                       |
-| timeout       |  string  |    false     | Maximum time to wait for query execution (e.g. "30s", "2m"). By default, 120s is applied. |
+| **field**            | **type** | **required** | **description**                                                                           |
+| -------------------- | :------: | :----------: | ----------------------------------------------------------------------------------------- |
+| kind                 |  string  |     true     | Must be "looker".                                                                         |
+| base_url             |  string  |     true     | The URL of your Looker server with no trailing /).                                        |
+| client_id            |  string  |     true     | The client id assigned by Looker.                                                         |
+| client_secret        |  string  |     true     | The client secret assigned by Looker.                                                     |
+| verify_ssl           |  string  |     true     | Whether to check the ssl certificate of the server.                                       |
+| timeout              |  string  |    false     | Maximum time to wait for query execution (e.g. "30s", "2m"). By default, 120s is applied. |
+| show_hidden_models   |  string  |    false     | Show or hide hidden models. (default: true)                                               |
+| show_hidden_explores |  string  |    false     | Show or hide hidden explores. (default: true)                                             |
+| show_hidden_fields   |  string  |    false     | Show or hide hidden fields. (default: true)                                               |

docs/en/resources/sources/mongodb.md

@@ -21,6 +21,7 @@ sources:
     my-mongodb:
         kind: mongodb
         uri: "mongodb+srv://username:password@host.mongodb.net"       
+
 ```
 
 ## Reference
@@ -29,4 +30,3 @@ sources:
 |-----------|:--------:|:------------:|-------------------------------------------------------------------|
 | kind      |  string  |     true     | Must be "mongodb".                                                |
 | uri       |  string  |     true     | connection string to connect to MongoDB                           |
-| database  |  string  |     true     | Name of the mongodb database to connect to (e.g. "sample_mflix"). |

docs/en/resources/sources/trino.md

@@ -0,0 +1,62 @@
+---
+title: "Trino"
+type: docs
+weight: 1
+description: >
+  Trino is a distributed SQL query engine for big data analytics.
+---
+
+## About
+
+[Trino][trino-docs] is a distributed SQL query engine designed for fast analytic queries against data of any size. It allows you to query data where it lives, including Hive, Cassandra, relational databases or even proprietary data stores.
+
+[trino-docs]: https://trino.io/docs/
+
+## Available Tools
+
+- [`trino-sql`](../tools/trino/trino-sql.md)  
+  Execute parameterized SQL queries against Trino.
+
+- [`trino-execute-sql`](../tools/trino/trino-execute-sql.md)  
+  Execute arbitrary SQL queries against Trino.
+
+## Requirements
+
+### Trino Cluster
+
+You need access to a running Trino cluster with appropriate user permissions for the catalogs and schemas you want to query.
+
+## Example
+
+```yaml
+sources:
+    my-trino-source:
+    kind: trino
+    host: trino.example.com
+    port: "8080"
+    user: ${TRINO_USER}  # Optional for anonymous access
+    password: ${TRINO_PASSWORD}  # Optional
+    catalog: hive
+    schema: default
+```
+
+{{< notice tip >}}
+Use environment variable replacement with the format ${ENV_NAME}
+instead of hardcoding your secrets into the configuration file.
+{{< /notice >}}
+
+## Reference
+
+|  **field**  |      **type**      | **required** | **description**                                                        |
+|-------------|:------------------:|:------------:|------------------------------------------------------------------------|
+| kind        |       string       |     true     | Must be "trino".                                                       |
+| host        |       string       |     true     | Trino coordinator hostname (e.g. "trino.example.com")                 |
+| port        |       string       |     true     | Trino coordinator port (e.g. "8080", "8443")                          |
+| user        |       string       |     false    | Username for authentication (e.g. "analyst"). Optional for anonymous access. |
+| password    |       string       |     false    | Password for basic authentication                                      |
+| catalog     |       string       |     true     | Default catalog to use for queries (e.g. "hive")                      |
+| schema      |       string       |     true     | Default schema to use for queries (e.g. "default")                    |
+| queryTimeout|       string       |     false    | Query timeout duration (e.g. "30m", "1h")                             |
+| accessToken |       string       |     false    | JWT access token for authentication                                    |
+| kerberosEnabled | boolean        |     false    | Enable Kerberos authentication (default: false)                       |
+| sslEnabled  |       boolean      |     false    | Enable SSL/TLS (default: false)                                       |

docs/en/resources/tools/bigquery/bigquery-conversational-analytics.md

@@ -0,0 +1,54 @@
+---
+title: "bigquery-conversational-analytics"
+type: docs
+weight: 1
+description: > 
+  A "bigquery-conversational-analytics" tool allows conversational interaction with a BigQuery source.
+aliases:
+- /resources/tools/bigquery-conversational-analytics
+---
+
+## About
+
+A `bigquery-conversational-analytics` tool allows you to ask questions about your data in natural language. 
+
+This function takes a user's question (which can include conversational history for context) 
+and references to specific BigQuery tables, and sends them to a stateless conversational API.
+
+The API uses a GenAI agent to understand the question, generate and execute SQL queries 
+and Python code, and formulate an answer. This function returns a detailed, sequential 
+log of this entire process, which includes any generated SQL or Python code, the data 
+retrieved, and the final text answer.
+
+**Note**: This tool requires additional setup in your project. Please refer to the 
+official [Conversational Analytics API documentation](https://cloud.google.com/gemini/docs/conversational-analytics-api/overview)
+for instructions.
+
+It's compatible with the following sources:
+
+- [bigquery](../sources/bigquery.md)
+
+The tool takes the following input parameters:
+
+*   `user_query_with_context`: The user's question, potentially including conversation history and system instructions for context.
+*   `table_references`: A JSON string of a list of BigQuery tables to use as context. Each object in the list must contain `projectId`, `datasetId`, and `tableId`. Example: `'[{"projectId": "my-gcp-project", "datasetId": "my_dataset", "tableId": "my_table"}]'`
+
+## Example
+
+```yaml
+tools:
+  ask_data_insights:
+    kind: bigquery-conversational-analytics
+    source: my-bigquery-source
+    description: |
+      Use this tool to perform data analysis, get insights, or answer complex 
+      questions about the contents of specific BigQuery tables.
+```
+
+## Reference
+| **field**   |                  **type**                  | **required** | **description**                                                                                  |
+|-------------|:------------------------------------------:|:------------:|--------------------------------------------------------------------------------------------------|
+| kind        |                   string                   |     true     | Must be "bigquery-conversational-analytics".                                                     |
+| source      |                   string                   |     true     | Name of the source for chat.                                                    |
+| description |                   string                   |     true     | Description of the tool 
+that is passed to the LLM.                                               |

docs/en/resources/tools/clickhouse/_index.md

@@ -0,0 +1,7 @@
+---
+title: "ClickHouse"
+type: docs
+weight: 1
+description: >
+  Tools for interacting with ClickHouse databases and tables.
+---

docs/en/resources/tools/clickhouse/clickhouse-execute-sql.md

@@ -0,0 +1,46 @@
+---
+title: "clickhouse-execute-sql"
+type: docs
+weight: 1
+description: >
+  A "clickhouse-execute-sql" tool executes a SQL statement against a ClickHouse
+  database.
+aliases:
+- /resources/tools/clickhouse-execute-sql
+---
+
+## About
+
+A `clickhouse-execute-sql` tool executes a SQL statement against a ClickHouse
+database. It's compatible with the [clickhouse](../../sources/clickhouse.md) source.
+
+`clickhouse-execute-sql` takes one input parameter `sql` and runs the SQL
+statement against the specified `source`. This tool includes query logging
+capabilities for monitoring and debugging purposes.
+
+> **Note:** This tool is intended for developer assistant workflows with
+> human-in-the-loop and shouldn't be used for production agents.
+
+## Example
+
+```yaml
+tools:
+  execute_sql_tool:
+    kind: clickhouse-execute-sql
+    source: my-clickhouse-instance
+    description: Use this tool to execute SQL statements against ClickHouse.
+```
+
+## Parameters
+
+| **parameter** | **type** | **required** | **description**                                    |
+|---------------|:--------:|:------------:|----------------------------------------------------|
+| sql           |  string  |     true     | The SQL statement to execute against the database |
+
+## Reference
+
+| **field**   | **type** | **required** | **description**                                         |
+|-------------|:--------:|:------------:|---------------------------------------------------------|
+| kind        |  string  |     true     | Must be "clickhouse-execute-sql".                      |
+| source      |  string  |     true     | Name of the ClickHouse source to execute SQL against.  |
+| description |  string  |     true     | Description of the tool that is passed to the LLM.     |

docs/en/resources/tools/clickhouse/clickhouse-sql.md

@@ -0,0 +1,81 @@
+---
+title: "clickhouse-sql"
+type: docs
+weight: 2
+description: >
+  A "clickhouse-sql" tool executes SQL queries as prepared statements in ClickHouse.
+aliases:
+- /resources/tools/clickhouse-sql
+---
+
+## About
+
+A `clickhouse-sql` tool executes SQL queries as prepared statements against a 
+ClickHouse database. It's compatible with the [clickhouse](../../sources/clickhouse.md) source.
+
+This tool supports both template parameters (for SQL statement customization) 
+and regular parameters (for prepared statement values), providing flexible 
+query execution capabilities.
+
+## Example
+
+```yaml
+tools:
+  my_analytics_query:
+    kind: clickhouse-sql
+    source: my-clickhouse-instance
+    description: Get user analytics for a specific date range
+    statement: |
+      SELECT 
+        user_id,
+        count(*) as event_count,
+        max(timestamp) as last_event
+      FROM events 
+      WHERE date >= ? AND date <= ?
+      GROUP BY user_id
+      ORDER BY event_count DESC
+      LIMIT ?
+    parameters:
+      - name: start_date
+        description: Start date for the query (YYYY-MM-DD format)
+      - name: end_date  
+        description: End date for the query (YYYY-MM-DD format)
+      - name: limit
+        description: Maximum number of results to return
+```
+
+## Template Parameters Example
+
+```yaml
+tools:
+  flexible_table_query:
+    kind: clickhouse-sql
+    source: my-clickhouse-instance
+    description: Query any table with flexible columns
+    statement: |
+      SELECT {{columns}}
+      FROM {{table_name}}
+      WHERE created_date >= ?
+      LIMIT ?
+    templateParameters:
+      - name: columns
+        description: Comma-separated list of columns to select
+      - name: table_name
+        description: Name of the table to query
+    parameters:
+      - name: start_date
+        description: Start date filter
+      - name: limit
+        description: Maximum number of results
+```
+
+## Reference
+
+| **field**          | **type**           | **required** | **description**                                           |
+|--------------------|:------------------:|:------------:|-----------------------------------------------------------|
+| kind               | string             | true         | Must be "clickhouse-sql".                                |
+| source             | string             | true         | Name of the ClickHouse source to execute SQL against.    |
+| description        | string             | true         | Description of the tool that is passed to the LLM.       |
+| statement          | string             | true         | The SQL statement template to execute.                    |
+| parameters         | array of Parameter | false        | Parameters for prepared statement values.                 |
+| templateParameters | array of Parameter | false        | Parameters for SQL statement template customization.     |

docs/en/resources/tools/firebird/_index.md

@@ -0,0 +1,7 @@
+---
+title: "Firebird"
+type: docs
+weight: 1
+description: > 
+  Tools that work with Firebird Sources.
+---

docs/en/resources/tools/firebird/firebird-execute-sql.md

@@ -0,0 +1,41 @@
+---
+title: "firebird-execute-sql"
+type: docs
+weight: 1
+description: > 
+  A "firebird-execute-sql" tool executes a SQL statement against a Firebird
+  database.
+aliases:
+- /resources/tools/firebird-execute-sql
+---
+
+## About
+
+A `firebird-execute-sql` tool executes a SQL statement against a Firebird
+database. It's compatible with the following source:
+
+- [firebird](../sources/firebird.md)
+
+`firebird-execute-sql` takes one input parameter `sql` and runs the sql
+statement against the `source`.
+
+> **Note:** This tool is intended for developer assistant workflows with
+> human-in-the-loop and shouldn't be used for production agents.
+
+## Example
+
+```yaml
+tools:
+  execute_sql_tool:
+    kind: firebird-execute-sql
+    source: my_firebird_db
+    description: Use this tool to execute a SQL statement against the Firebird database.
+```
+
+## Reference
+
+| **field**   |                  **type**                  | **required** | **description**                                                                                  |
+|-------------|:------------------------------------------:|:------------:|--------------------------------------------------------------------------------------------------|
+| kind        |                   string                   |     true     | Must be "firebird-execute-sql".                                                                  |
+| source      |                   string                   |     true     | Name of the source the SQL should execute on.                                                    |
+| description |                   string                   |     true     | Description of the tool that is passed to the LLM.                                               |

docs/en/resources/tools/firebird/firebird-sql.md

@@ -0,0 +1,135 @@
+---
+title: "firebird-sql"
+type: docs
+weight: 1
+description: > 
+  A "firebird-sql" tool executes a pre-defined SQL statement against a Firebird
+  database.
+aliases:
+- /resources/tools/firebird-sql
+---
+
+## About
+
+A `firebird-sql` tool executes a pre-defined SQL statement against a Firebird
+database. It's compatible with the following source:
+
+- [firebird](../sources/firebird.md)
+
+The specified SQL statement is executed as a [prepared statement][fb-prepare],
+and supports both positional parameters (`?`) and named parameters (`:param_name`).
+Parameters will be inserted according to their position or name. If template 
+parameters are included, they will be resolved before the execution of the 
+prepared statement.
+
+[fb-prepare]: https://firebirdsql.org/refdocs/langrefupd25-psql-execstat.html
+
+## Example
+
+> **Note:** This tool uses parameterized queries to prevent SQL injections.
+> Query parameters can be used as substitutes for arbitrary expressions.
+> Parameters cannot be used as substitutes for identifiers, column names, table
+> names, or other parts of the query.
+
+```yaml
+tools:
+  search_flights_by_number:
+    kind: firebird-sql
+    source: my_firebird_db
+    statement: |
+      SELECT * FROM flights
+      WHERE airline = ?
+      AND flight_number = ?
+      LIMIT 10
+    description: |
+      Use this tool to get information for a specific flight.
+      Takes an airline code and flight number and returns info on the flight.
+      Do NOT use this tool with a flight id. Do NOT guess an airline code or flight number.
+      A airline code is a code for an airline service consisting of two-character
+      airline designator and followed by flight number, which is 1 to 4 digit number.
+      For example, if given CY 0123, the airline is "CY", and flight_number is "123".
+      Another example for this is DL 1234, the airline is "DL", and flight_number is "1234".
+      If the tool returns more than one option choose the date closes to today.
+      Example:
+      {{
+          "airline": "CY",
+          "flight_number": "888",
+      }}
+      Example:
+      {{
+          "airline": "DL",
+          "flight_number": "1234",
+      }}
+    parameters:
+      - name: airline
+        type: string
+        description: Airline unique 2 letter identifier
+      - name: flight_number
+        type: string
+        description: 1 to 4 digit number
+```
+
+### Example with Named Parameters
+
+```yaml
+tools:
+  search_flights_by_airline:
+    kind: firebird-sql
+    source: my_firebird_db
+    statement: |
+      SELECT * FROM flights
+      WHERE airline = :airline
+      AND departure_date >= :start_date
+      AND departure_date <= :end_date
+      ORDER BY departure_date
+    description: |
+      Search for flights by airline within a date range using named parameters.
+    parameters:
+      - name: airline
+        type: string
+        description: Airline unique 2 letter identifier
+      - name: start_date
+        type: string
+        description: Start date in YYYY-MM-DD format
+      - name: end_date
+        type: string
+        description: End date in YYYY-MM-DD format
+```
+
+### Example with Template Parameters
+
+> **Note:** This tool allows direct modifications to the SQL statement,
+> including identifiers, column names, and table names. **This makes it more
+> vulnerable to SQL injections**. Using basic parameters only (see above) is
+> recommended for performance and safety reasons. For more details, please check
+> [templateParameters](_index#template-parameters).
+
+```yaml
+tools:
+  list_table:
+    kind: firebird-sql
+    source: my_firebird_db
+    statement: |
+      SELECT * FROM {{.tableName}}
+    description: |
+      Use this tool to list all information from a specific table.
+      Example:
+      {{
+          "tableName": "flights",
+      }}
+    templateParameters:
+      - name: tableName
+        type: string
+        description: Table to select from
+```
+
+## Reference
+
+| **field**           |                  **type**                                 | **required** | **description**                                                                                                                            |
+|---------------------|:---------------------------------------------------------:|:------------:|--------------------------------------------------------------------------------------------------------------------------------------------|
+| kind                |                   string                                  |     true     | Must be "firebird-sql".                                                                                                                    |
+| source              |                   string                                  |     true     | Name of the source the SQL should execute on.                                                                                              |
+| description         |                   string                                  |     true     | Description of the tool that is passed to the LLM.                                                                                         |
+| statement           |                   string                                  |     true     | SQL statement to execute on.                                                                                                               |
+| parameters          | [parameters](_index#specifying-parameters)                |    false     | List of [parameters](_index#specifying-parameters) that will be inserted into the SQL statement.                                           |
+| templateParameters  |  [templateParameters](_index#template-parameters)         |    false     | List of [templateParameters](_index#template-parameters) that will be inserted into the SQL statement before executing prepared statement. |

docs/en/resources/tools/firestore/firestore-update-document.md

@@ -0,0 +1,327 @@
+---
+title: "firestore-update-document"
+type: docs
+weight: 1
+description: >
+  A "firestore-update-document" tool updates an existing document in Firestore.
+aliases:
+- /resources/tools/firestore-update-document
+---
+## Description
+
+The `firestore-update-document` tool allows you to update existing documents in Firestore. It supports all Firestore data types using Firestore's native JSON format. The tool can perform both full document updates (replacing all fields) or selective field updates using an update mask. When using an update mask, fields referenced in the mask but not present in the document data will be deleted from the document, following Firestore's native behavior.
+
+## Parameters
+
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `documentPath` | string | Yes | The path of the document which needs to be updated |
+| `documentData` | map | Yes | The data to update in the document. Must use [Firestore's native JSON format](https://cloud.google.com/firestore/docs/reference/rest/Shared.Types/ArrayValue#Value) with typed values |
+| `updateMask` | array | No | The selective fields to update. If not provided, all fields in documentData will be updated. When provided, only the specified fields will be updated. Fields referenced in the mask but not present in documentData will be deleted from the document |
+| `returnData` | boolean | No | If set to true, the output will include the data of the updated document. Defaults to false to help avoid overloading the context |
+
+## Output
+
+The tool returns a map containing:
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `documentPath` | string | The full path of the updated document |
+| `updateTime` | string | The timestamp when the document was updated |
+| `documentData` | map | The current data of the document after the update (only included when `returnData` is true) |
+
+## Data Type Format
+
+The tool requires Firestore's native JSON format for document data. Each field must be wrapped with its type indicator:
+
+### Basic Types
+- **String**: `{"stringValue": "your string"}`
+- **Integer**: `{"integerValue": "123"}` or `{"integerValue": 123}`
+- **Double**: `{"doubleValue": 123.45}`
+- **Boolean**: `{"booleanValue": true}`
+- **Null**: `{"nullValue": null}`
+- **Bytes**: `{"bytesValue": "base64EncodedString"}`
+- **Timestamp**: `{"timestampValue": "2025-01-07T10:00:00Z"}` (RFC3339 format)
+
+### Complex Types
+- **GeoPoint**: `{"geoPointValue": {"latitude": 34.052235, "longitude": -118.243683}}`
+- **Array**: `{"arrayValue": {"values": [{"stringValue": "item1"}, {"integerValue": "2"}]}}`
+- **Map**: `{"mapValue": {"fields": {"key1": {"stringValue": "value1"}, "key2": {"booleanValue": true}}}}`
+- **Reference**: `{"referenceValue": "collection/document"}`
+
+## Update Modes
+
+### Full Document Update (Merge All)
+
+When `updateMask` is not provided, the tool performs a merge operation that updates all fields specified in `documentData` while preserving other existing fields in the document.
+
+### Selective Field Update
+
+When `updateMask` is provided, only the fields listed in the mask are updated. This allows for precise control over which fields are modified, added, or deleted. To delete a field, include it in the `updateMask` but omit it from `documentData`.
+
+## Reference
+
+| **field**   |     **type**   | **required** | **description**                                          |
+|-------------|:--------------:|:------------:|----------------------------------------------------------|
+| kind        |     string     |     true     | Must be "firestore-update-document".                     |
+| source      |     string     |     true     | Name of the Firestore source to update documents in.     |
+| description |     string     |     true     | Description of the tool that is passed to the LLM.       |
+
+
+## Examples
+
+### Basic Document Update (Full Merge)
+
+```yaml
+tools:
+  update-user-doc:
+    kind: firestore-update-document
+    source: my-firestore
+    description: Update a user document
+```
+Usage:
+```json
+{
+  "documentPath": "users/user123",
+  "documentData": {
+    "name": {
+      "stringValue": "Jane Doe"
+    },
+    "lastUpdated": {
+      "timestampValue": "2025-01-15T10:30:00Z"
+    },
+    "status": {
+      "stringValue": "active"
+    },
+    "score": {
+      "integerValue": "150"
+    }
+  }
+}
+```
+
+### Selective Field Update with Update Mask
+
+```json
+{
+  "documentPath": "users/user123",
+  "documentData": {
+    "email": {
+      "stringValue": "newemail@example.com"
+    },
+    "profile": {
+      "mapValue": {
+        "fields": {
+          "bio": {
+            "stringValue": "Updated bio text"
+          },
+          "avatar": {
+            "stringValue": "https://example.com/new-avatar.jpg"
+          }
+        }
+      }
+    }
+  },
+  "updateMask": ["email", "profile.bio", "profile.avatar"]
+}
+```
+
+### Update with Field Deletion
+
+To delete fields, include them in the `updateMask` but omit them from `documentData`:
+
+```json
+{
+  "documentPath": "users/user123",
+  "documentData": {
+    "name": {
+      "stringValue": "John Smith"
+    }
+  },
+  "updateMask": ["name", "temporaryField", "obsoleteData"],
+  "returnData": true
+}
+```
+
+In this example:
+- `name` will be updated to "John Smith"
+- `temporaryField` and `obsoleteData` will be deleted from the document (they are in the mask but not in the data)
+
+### Complex Update with Nested Data
+
+```json
+{
+  "documentPath": "companies/company456",
+  "documentData": {
+    "metadata": {
+      "mapValue": {
+        "fields": {
+          "lastModified": {
+            "timestampValue": "2025-01-15T14:30:00Z"
+          },
+          "modifiedBy": {
+            "stringValue": "admin@company.com"
+          }
+        }
+      }
+    },
+    "locations": {
+      "arrayValue": {
+        "values": [
+          {
+            "mapValue": {
+              "fields": {
+                "city": {
+                  "stringValue": "San Francisco"
+                },
+                "coordinates": {
+                  "geoPointValue": {
+                    "latitude": 37.7749,
+                    "longitude": -122.4194
+                  }
+                }
+              }
+            }
+          },
+          {
+            "mapValue": {
+              "fields": {
+                "city": {
+                  "stringValue": "New York"
+                },
+                "coordinates": {
+                  "geoPointValue": {
+                    "latitude": 40.7128,
+                    "longitude": -74.0060
+                  }
+                }
+              }
+            }
+          }
+        ]
+      }
+    },
+    "revenue": {
+      "doubleValue": 5678901.23
+    }
+  },
+  "updateMask": ["metadata", "locations", "revenue"]
+}
+```
+
+### Update with All Data Types
+
+```json
+{
+  "documentPath": "test-documents/doc789",
+  "documentData": {
+    "stringField": {
+      "stringValue": "Updated string"
+    },
+    "integerField": {
+      "integerValue": "999"
+    },
+    "doubleField": {
+      "doubleValue": 2.71828
+    },
+    "booleanField": {
+      "booleanValue": false
+    },
+    "nullField": {
+      "nullValue": null
+    },
+    "timestampField": {
+      "timestampValue": "2025-01-15T16:45:00Z"
+    },
+    "geoPointField": {
+      "geoPointValue": {
+        "latitude": 51.5074,
+        "longitude": -0.1278
+      }
+    },
+    "bytesField": {
+      "bytesValue": "VXBkYXRlZCBkYXRh"
+    },
+    "arrayField": {
+      "arrayValue": {
+        "values": [
+          {
+            "stringValue": "updated1"
+          },
+          {
+            "integerValue": "200"
+          },
+          {
+            "booleanValue": true
+          }
+        ]
+      }
+    },
+    "mapField": {
+      "mapValue": {
+        "fields": {
+          "nestedString": {
+            "stringValue": "updated nested value"
+          },
+          "nestedNumber": {
+            "doubleValue": 88.88
+          }
+        }
+      }
+    },
+    "referenceField": {
+      "referenceValue": "users/updatedUser"
+    }
+  },
+  "returnData": true
+}
+```
+
+## Authentication
+
+The tool can be configured to require authentication:
+
+```yaml
+tools:
+  secure-update-doc:
+    kind: firestore-update-document
+    source: prod-firestore
+    description: Update documents with authentication required
+    authRequired:
+      - google-oauth
+      - api-key
+```
+## Error Handling
+Common errors include:
+- Document not found (when using update with a non-existent document)
+- Invalid document path
+- Missing or invalid document data
+- Permission denied (if Firestore security rules block the operation)
+- Invalid data type conversions
+
+## Best Practices
+1. **Use update masks for precision**: When you only need to update specific fields, use the `updateMask` parameter to avoid unintended changes
+2. **Always use typed values**: Every field must be wrapped with its appropriate type indicator (e.g., `{"stringValue": "text"}`)
+3. **Integer values can be strings**: The tool accepts integer values as strings (e.g., `{"integerValue": "1500"}`)
+4. **Use returnData sparingly**: Only set to true when you need to verify the exact data after the update
+5. **Validate data before sending**: Ensure your data matches Firestore's native JSON format
+6. **Handle timestamps properly**: Use RFC3339 format for timestamp strings
+7. **Base64 encode binary data**: Binary data must be base64 encoded in the `bytesValue` field
+8. **Consider security rules**: Ensure your Firestore security rules allow document updates
+9. **Delete fields using update mask**: To delete fields, include them in the `updateMask` but omit them from `documentData`
+10. **Test with non-production data first**: Always test your updates on non-critical documents first
+
+## Differences from Add Documents
+
+- **Purpose**: Updates existing documents vs. creating new ones
+- **Document must exist**: For standard updates (though not using updateMask will create if missing with given document id)
+- **Update mask support**: Allows selective field updates
+- **Field deletion**: Supports removing specific fields by including them in the mask but not in the data
+- **Returns updateTime**: Instead of createTime
+
+## Related Tools
+
+- [`firestore-add-documents`](firestore-add-documents.md) - Add new documents to Firestore
+- [`firestore-get-documents`](firestore-get-documents.md) - Retrieve documents by their paths
+- [`firestore-query-collection`](firestore-query-collection.md) - Query documents in a collection
+- [`firestore-delete-documents`](firestore-delete-documents.md) - Delete documents from Firestore

docs/en/resources/tools/looker/looker-get-dimensions.md

@@ -35,6 +35,20 @@ tools:
           explore_name looked up from get_explores.
 ```
 
+The response is a json array with the following elements:
+
+```json
+{
+  "name": "field name",
+  "description": "field description",
+  "type": "field type",
+  "label": "field label",
+  "label_short": "field short label",
+  "tags": ["tags", ...],
+  "synonyms": ["synonyms", ...]
+}
+```
+
 ## Reference
 
 | **field**   |                  **type**                  | **required** | **description**                                                                                  |

docs/en/resources/tools/looker/looker-get-filters.md

@@ -35,6 +35,21 @@ tools:
           explore_name looked up from get_explores.
 ```
 
+The response is a json array with the following elements:
+
+```json
+{
+  "name": "field name",
+  "description": "field description",
+  "type": "field type",
+  "label": "field label",
+  "label_short": "field short label",
+  "tags": ["tags", ...],
+  "synonyms": ["synonyms", ...]
+}
+```
+
+
 ## Reference
 
 | **field**   |                  **type**                  | **required** | **description**                                                                                  |

docs/en/resources/tools/looker/looker-get-measures.md

@@ -35,6 +35,21 @@ tools:
           explore_name looked up from get_explores.
 ```
 
+The response is a json array with the following elements:
+
+```json
+{
+  "name": "field name",
+  "description": "field description",
+  "type": "field type",
+  "label": "field label",
+  "label_short": "field short label",
+  "tags": ["tags", ...],
+  "synonyms": ["synonyms", ...]
+}
+```
+
+
 ## Reference
 
 | **field**   |                  **type**                  | **required** | **description**                                                                                  |

docs/en/resources/tools/looker/looker-get-parameters.md

@@ -35,6 +35,21 @@ tools:
           explore_name looked up from get_explores.
 ```
 
+The response is a json array with the following elements:
+
+```json
+{
+  "name": "field name",
+  "description": "field description",
+  "type": "field type",
+  "label": "field label",
+  "label_short": "field short label",
+  "tags": ["tags", ...],
+  "synonyms": ["synonyms", ...]
+}
+```
+
+
 ## Reference
 
 | **field**   |                  **type**                  | **required** | **description**                                                                                  |

docs/en/resources/tools/trino/_index.md

@@ -0,0 +1,7 @@
+---
+title: "Trino"
+type: docs
+weight: 1
+description: > 
+  Tools that work with Trino Sources, such as distributed SQL query engine.
+---

docs/en/resources/tools/trino/trino-execute-sql.md

@@ -0,0 +1,41 @@
+---
+title: "trino-execute-sql"
+type: docs
+weight: 1
+description: >
+  A "trino-execute-sql" tool executes a SQL statement against a Trino
+  database.
+aliases:
+- /resources/tools/trino-execute-sql
+---
+
+## About
+
+A `trino-execute-sql` tool executes a SQL statement against a Trino
+database. It's compatible with any of the following sources:
+
+- [trino](../../sources/trino.md)
+
+`trino-execute-sql` takes one input parameter `sql` and run the sql
+statement against the `source`.
+
+> **Note:** This tool is intended for developer assistant workflows with
+> human-in-the-loop and shouldn't be used for production agents.
+
+## Example
+
+```yaml
+tools:
+ execute_sql_tool:
+    kind: trino-execute-sql
+    source: my-trino-instance
+    description: Use this tool to execute sql statement.
+```
+
+## Reference
+
+| **field**   |                  **type**                  | **required** | **description**                                                                                  |
+|-------------|:------------------------------------------:|:------------:|--------------------------------------------------------------------------------------------------|
+| kind        |                   string                   |     true     | Must be "trino-execute-sql".                                                                     |
+| source      |                   string                   |     true     | Name of the source the SQL should execute on.                                                    |
+| description |                   string                   |     true     | Description of the tool that is passed to the LLM.                                               |

docs/en/resources/tools/trino/trino-sql.md

@@ -0,0 +1,108 @@
+---
+title: "trino-sql"
+type: docs
+weight: 1
+description: >
+  A "trino-sql" tool executes a pre-defined SQL statement against a Trino
+  database.
+aliases:
+- /resources/tools/trino-sql
+---
+
+## About
+
+A `trino-sql` tool executes a pre-defined SQL statement against a Trino
+database. It's compatible with any of the following sources:
+
+- [trino](../../sources/trino.md)
+
+The specified SQL statement is executed as a [prepared statement][trino-prepare],
+and specified parameters will be inserted according to their position: e.g. `$1`
+will be the first parameter specified, `$2` will be the second parameter, and so
+on. If template parameters are included, they will be resolved before execution
+of the prepared statement.
+
+[trino-prepare]: https://trino.io/docs/current/sql/prepare.html
+
+## Example
+
+> **Note:** This tool uses parameterized queries to prevent SQL injections.
+> Query parameters can be used as substitutes for arbitrary expressions.
+> Parameters cannot be used as substitutes for identifiers, column names, table
+> names, or other parts of the query.
+
+```yaml
+tools:
+ search_orders_by_region:
+    kind: trino-sql
+    source: my-trino-instance
+    statement: |
+      SELECT * FROM hive.sales.orders
+      WHERE region = $1
+      AND order_date >= DATE($2)
+      LIMIT 10
+    description: |
+      Use this tool to get information for orders in a specific region.
+      Takes a region code and date and returns info on the orders.
+      Do NOT use this tool with an order id. Do NOT guess a region code or date.
+      A region code is a code for a geographic region consisting of two-character
+      region designator and followed by optional subregion.
+      For example, if given US-WEST, the region is "US-WEST".
+      Another example for this is EU-CENTRAL, the region is "EU-CENTRAL".
+      If the tool returns more than one option choose the date closest to today.
+      Example:
+      {{
+          "region": "US-WEST",
+          "order_date": "2024-01-01",
+      }}
+      Example:
+      {{
+          "region": "EU-CENTRAL",
+          "order_date": "2024-01-15",
+      }}
+    parameters:
+      - name: region
+        type: string
+        description: Region unique identifier
+      - name: order_date
+        type: string
+        description: Order date in YYYY-MM-DD format
+```
+
+### Example with Template Parameters
+
+> **Note:** This tool allows direct modifications to the SQL statement,
+> including identifiers, column names, and table names. **This makes it more
+> vulnerable to SQL injections**. Using basic parameters only (see above) is
+> recommended for performance and safety reasons. For more details, please check
+> [templateParameters](..#template-parameters).
+
+```yaml
+tools:
+ list_table:
+    kind: trino-sql
+    source: my-trino-instance
+    statement: |
+      SELECT * FROM {{.tableName}}
+    description: |
+      Use this tool to list all information from a specific table.
+      Example:
+      {{
+          "tableName": "hive.sales.orders",
+      }}
+    templateParameters:
+      - name: tableName
+        type: string
+        description: Table to select from
+```
+
+## Reference
+
+| **field**           |                  **type**                                 | **required** | **description**                                                                                                                            |
+|---------------------|:---------------------------------------------------------:|:------------:|--------------------------------------------------------------------------------------------------------------------------------------------|
+| kind                |                   string                                  |     true     | Must be "trino-sql".                                                                                                                       |
+| source              |                   string                                  |     true     | Name of the source the SQL should execute on.                                                                                              |
+| description         |                   string                                  |     true     | Description of the tool that is passed to the LLM.                                                                                         |
+| statement           |                   string                                  |     true     | SQL statement to execute on.                                                                                                               |
+| parameters          | [parameters](../#specifying-parameters)                |    false     | List of [parameters](../#specifying-parameters) that will be inserted into the SQL statement.                                           |
+| templateParameters  |  [templateParameters](..#template-parameters)         |    false     | List of [templateParameters](..#template-parameters) that will be inserted into the SQL statement before executing prepared statement. |

docs/en/resources/tools/utility/alloydbwaitforoperation.md

@@ -16,21 +16,17 @@ This tool is intended for developer assistant workflows with human-in-the-loop
 and shouldn't be used for production agents.
 {{< /notice >}}
 
+{{< notice info >}}
+This tool does not have a `source` and authenticates using the environment's
+[Application Default Credentials](https://cloud.google.com/docs/authentication/application-default-credentials).
+{{< /notice >}}
+
 ## Example
 
 ```yaml
-sources:
-  alloydb-api-source:
-    kind: http
-    baseUrl: https://alloydb.googleapis.com
-    headers:
-      Authorization: Bearer ${API_KEY}
-      Content-Type: application/json
-
 tools:
   alloydb-operations-get:
     kind: alloydb-wait-for-operation
-    source: alloydb-api-source
     description: "This will poll on operations API until the operation is done. For checking operation status we need projectId, locationID and operationId. Once instance is created give follow up steps on how to use the variables to bring data plane MCP server up in local and remote setup."
     delay: 1s
     maxDelay: 4m
@@ -43,7 +39,6 @@ tools:
 | **field**   | **type** | **required** | **description**                                                                                                  |
 | ----------- | :------: | :----------: | ---------------------------------------------------------------------------------------------------------------- |
 | kind        |  string  |     true     | Must be "alloydb-wait-for-operation".                                                                            |
-| source      |  string  |     true     | Name of the source the HTTP request should be sent to.                                                           |
 | description |  string  |    true      | A description of the tool.                                                                                       |
 | delay       | duration |    false     | The initial delay between polling requests (e.g., `3s`). Defaults to 3 seconds.                                  |
 | maxDelay    | duration |    false     | The maximum delay between polling requests (e.g., `4m`). Defaults to 4 minutes.                                  |

docs/en/samples/alloydb/_index.md

@@ -1,340 +1,7 @@
 ---
 title: "AlloyDB"
 type: docs
-weight: 2
+weight: 1
 description: >
-  How to get started running Toolbox with MCP Inspector and AlloyDB as the source.
+  How to get started with Toolbox using AlloyDB.
 ---
-
-## Overview
-
-[Model Context Protocol](https://modelcontextprotocol.io) is an open protocol
-that standardizes how applications provide context to LLMs. Check out this page
-on how to [connect to Toolbox via MCP](../../how-to/connect_via_mcp.md).
-
-## Before you begin
-
-This guide assumes you have already done the following:
-
-1.  [Create a AlloyDB cluster and instance](https://cloud.google.com/alloydb/docs/cluster-create) with a database and user.
-1. Connect to the instance using [AlloyDB Studio](https://cloud.google.com/alloydb/docs/manage-data-using-studio), [`psql` command-line tool](https://www.postgresql.org/download/), or any other PostgreSQL client.
-
-2.  Enable the `pgvector` and `google_ml_integration` [extensions](https://cloud.google.com/alloydb/docs/ai). These are required for Semantic Search and Natural Language to SQL tools. Run the following SQL commands:
-
-    ```sql
-    CREATE EXTENSION IF NOT EXISTS "vector";
-    CREATE EXTENSION IF NOT EXISTS "google_ml_integration";
-    CREATE EXTENSION IF NOT EXISTS alloydb_ai_nl cascade;
-    CREATE EXTENSION IF NOT EXISTS parameterized_views;
-    ```
-
-## Step 1: Set up your AlloyDB database
-
-In this section, we will create the necessary tables and functions in your AlloyDB instance.
-
-1.  Create tables using the following commands:
-
-    ```sql
-    CREATE TABLE products (
-      product_id SERIAL PRIMARY KEY,
-      name VARCHAR(255) NOT NULL,
-      description TEXT,
-      price DECIMAL(10, 2) NOT NULL,
-      category_id INT,
-      embedding vector(3072) -- Vector size for model(gemini-embedding-001)
-    );
-
-    CREATE TABLE customers (
-      customer_id SERIAL PRIMARY KEY,
-      name VARCHAR(255) NOT NULL,
-      email VARCHAR(255) UNIQUE NOT NULL
-    );
-
-    CREATE TABLE cart (
-      cart_id SERIAL PRIMARY KEY,
-      customer_id INT UNIQUE NOT NULL,
-      created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
-      FOREIGN KEY (customer_id) REFERENCES customers(customer_id)
-    );
-
-    CREATE TABLE cart_items (
-      cart_item_id SERIAL PRIMARY KEY,
-      cart_id INT NOT NULL,
-      product_id INT NOT NULL,
-      quantity INT NOT NULL,
-      price DECIMAL(10, 2) NOT NULL,
-      FOREIGN KEY (cart_id) REFERENCES cart(cart_id),
-      FOREIGN KEY (product_id) REFERENCES products(product_id)
-    );
-
-    CREATE TABLE categories (
-      category_id SERIAL PRIMARY KEY,
-      name VARCHAR(255) NOT NULL
-    );
-    ```
-
-2.  Insert sample data into the tables:
-
-    ```sql
-    INSERT INTO categories (category_id, name) VALUES
-    (1, 'Flowers'),
-    (2, 'Vases');
-
-    INSERT INTO products (product_id, name, description, price, category_id, embedding) VALUES
-    (1, 'Rose', 'A beautiful red rose', 2.50, 1, embedding('gemini-embedding-001', 'A beautiful red rose')),
-    (2, 'Tulip', 'A colorful tulip', 1.50, 1, embedding('gemini-embedding-001', 'A colorful tulip')),
-    (3, 'Glass Vase', 'A transparent glass vase', 10.00, 2, embedding('gemini-embedding-001', 'A transparent glass vase')),
-    (4, 'Ceramic Vase', 'A handmade ceramic vase', 15.00, 2, embedding('gemini-embedding-001', 'A handmade ceramic vase'));
-
-    INSERT INTO customers (customer_id, name, email) VALUES
-    (1, 'John Doe', 'john.doe@example.com'),
-    (2, 'Jane Smith', 'jane.smith@example.com');
-
-    INSERT INTO cart (cart_id, customer_id) VALUES
-    (1, 1),
-    (2, 2);
-
-    INSERT INTO cart_items (cart_id, product_id, quantity, price) VALUES
-    (1, 1, 2, 2.50),
-    (1, 3, 1, 10.00),
-    (2, 2, 5, 1.50);
-    ```
-
-## Step 2: Install Toolbox
-
-In this section, we will download and install the Toolbox binary.
-
-1. Download the latest version of Toolbox as a binary:
-
-    {{< notice tip >}}
-   Select the
-   [correct binary](https://github.com/googleapis/genai-toolbox/releases)
-   corresponding to your OS and CPU architecture.
-    {{< /notice >}}
-    <!-- {x-release-please-start-version} -->
-    ```bash
-    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    export VERSION="0.12.0"
-    curl -O https://storage.googleapis.com/genai-toolbox/v$VERSION/$OS/toolbox
-    ```
-    <!-- {x-release-please-end} -->
-
-1. Make the binary executable:
-
-    ```bash
-    chmod +x toolbox
-    ```
-
-## Step 3: Configure the tools
-
-Create a `tools.yaml` file and add the following content. You must replace the placeholders with your actual AlloyDB configuration.
-
-First, define the data source for your tools. This tells Toolbox how to connect to your AlloyDB instance.
-
-```yaml
-sources:
-  alloydb-pg-source:
-    kind: alloydb-postgres
-    project: YOUR_PROJECT_ID
-    region: YOUR_REGION
-    cluster: YOUR_CLUSTER
-    instance: YOUR_INSTANCE
-    database: YOUR_DATABASE
-    user: YOUR_USER
-    password: YOUR_PASSWORD
-```
-
-Next, define the tools the agent can use. We will categorize them into three types:
-
-### 1. Structured Queries Tools
-
-These tools execute predefined SQL statements. They are ideal for common, structured queries like managing a shopping cart. Add the following to your `tools.yaml` file:
-
-```yaml
-tools:
-
-  access-cart-information:
-    kind: postgres-sql
-    source: alloydb-pg-source
-    description: >-
-      List items in customer cart.
-      Use this tool to list items in a customer cart. This tool requires the cart ID.
-    parameters:
-      - name: cart_id
-        type: integer
-        description: The id of the cart.
-    statement: |
-      SELECT
-        p.name AS product_name,
-        ci.quantity,
-        ci.price AS item_price,
-        (ci.quantity * ci.price) AS total_item_price,
-        c.created_at AS cart_created_at,
-        ci.product_id AS product_id
-      FROM
-        cart_items ci JOIN cart c ON ci.cart_id = c.cart_id
-        JOIN products p ON ci.product_id = p.product_id
-      WHERE
-        c.cart_id = $1;
-
-  add-to-cart:
-    kind: postgres-sql
-    source: alloydb-pg-source
-    description: >-
-      Add items to customer cart using the product ID and product prices from the product list.
-      Use this tool to add items to a customer cart.
-      This tool requires the cart ID, product ID, quantity, and price.
-    parameters:
-      - name: cart_id
-        type: integer
-        description: The id of the cart.
-      - name: product_id
-        type: integer
-        description: The id of the product.
-      - name: quantity
-        type: integer
-        description: The quantity of items to add.
-      - name: price
-        type: float
-        description: The price of items to add.
-    statement: |
-      INSERT INTO
-        cart_items (cart_id, product_id, quantity, price)
-      VALUES($1,$2,$3,$4);
-
-  delete-from-cart:
-    kind: postgres-sql
-    source: alloydb-pg-source
-    description: >-
-      Remove products from customer cart.
-      Use this tool to remove products from a customer cart.
-      This tool requires the cart ID and product ID.
-    parameters:
-      - name: cart_id
-        type: integer
-        description: The id of the cart.
-      - name: product_id
-        type: integer
-        description: The id of the product.
-    statement: |
-      DELETE FROM
-        cart_items
-      WHERE
-        cart_id = $1 AND product_id = $2;
-```
-
-### 2. Semantic Search Tools
-
-These tools use vector embeddings to find the most relevant results based on the meaning of a user's query, rather than just keywords. Append the following tools to the `tools` section in your `tools.yaml`:
-
-```yaml
-  search-product-recommendations:
-    kind: postgres-sql
-    source: alloydb-pg-source
-    description: >-
-      Search for products based on user needs.
-      Use this tool to search for products. This tool requires the user's needs.
-    parameters:
-      - name: query
-        type: string
-        description: The product characteristics
-    statement: |
-      SELECT
-        product_id,
-        name,
-        description,
-        ROUND(CAST(price AS numeric), 2) as price
-      FROM
-        products
-      ORDER BY
-        embedding('gemini-embedding-001', $1)::vector <=> embedding
-      LIMIT 5;
-```
-
-### 3. Natural Language to SQL (NL2SQL) Tools
-
-1. Create a [natural language configuration](https://cloud.google.com/alloydb/docs/ai/use-natural-language-generate-sql-queries#create-config) for your AlloyDB cluster.
-
-    {{< notice tip >}}Before using NL2SQL tools,
-    you must first install the `alloydb_ai_nl` extension and
-    create the [semantic layer](https://cloud.google.com/alloydb/docs/ai/natural-language-overview) under a configuration named `flower_shop`.
-    {{< /notice >}}
-
-2. Configure your NL2SQL tool to use your configuration. These tools translate natural language questions into SQL queries, allowing users to interact with the database conversationally. Append the following tool to the `tools` section:
-
-```yaml
-  ask-questions-about-products:
-    kind: alloydb-ai-nl
-    source: alloydb-pg-source
-    nlConfig: flower_shop
-    description: >-
-      Ask questions related to products or brands.
-      Use this tool to ask questions about products or brands.
-      Always SELECT the IDs of objects when generating queries.
-```
-
-Finally, group the tools into a `toolset` to make them available to the model. Add the following to the end of your `tools.yaml` file:
-
-```yaml
-toolsets:
-  flower_shop:
-    - access-cart-information
-    - search-product-recommendations
-    - ask-questions-about-products
-    - add-to-cart
-    - delete-from-cart
-```
-
-For more info on tools, check out the
-[Tools](../../resources/tools/) section.
-
-## Step 4: Run the Toolbox server
-
-Run the Toolbox server, pointing to the `tools.yaml` file created earlier:
-
-```bash
-./toolbox --tools-file "tools.yaml"
-```
-
-## Step 5: Connect to MCP Inspector
-
-1. Run the MCP Inspector:
-
-    ```bash
-    npx @modelcontextprotocol/inspector
-    ```
-
-1. Type `y` when it asks to install the inspector package.
-
-1. It should show the following when the MCP Inspector is up and running (please take note of `<YOUR_SESSION_TOKEN>`):
-
-    ```bash
-    Starting MCP inspector...
-    ⚙️ Proxy server listening on localhost:6277
-    🔑 Session token: <YOUR_SESSION_TOKEN>
-       Use this token to authenticate requests or set DANGEROUSLY_OMIT_AUTH=true to disable auth
-
-    🚀 MCP Inspector is up and running at:
-       http://localhost:6274/?MCP_PROXY_AUTH_TOKEN=<YOUR_SESSION_TOKEN>
-    ```
-
-1. Open the above link in your browser.
-
-1. For `Transport Type`, select `Streamable HTTP`.
-
-1. For `URL`, type in `http://127.0.0.1:5000/mcp`.
-
-1. For `Configuration` -> `Proxy Session Token`, make sure `<YOUR_SESSION_TOKEN>` is present.
-
-1. Click Connect.
-
-1. Select `List Tools`, you will see a list of tools configured in `tools.yaml`.
-
-1. Test out your tools here!
-
-## What's next
-
-- Learn more about [MCP Inspector](../../how-to/connect_via_mcp.md).
-- Learn more about [Toolbox Resources](../../resources/).
-- Learn more about [Toolbox How-to guides](../../how-to/).
-

docs/en/samples/alloydb/ai-nl/index.md

@@ -0,0 +1,9 @@
+---
+title: "Getting started with alloydb-ai-nl tool"
+type: docs
+weight: 30
+description: >
+  An end to end tutorial for building an ADK agent using the AlloyDB AI NL tool.
+---
+
+{{< ipynb "alloydb_ai_nl.ipynb" >}}

docs/en/samples/alloydb/mcp_quickstart.md

@@ -0,0 +1,339 @@
+---
+title: "Quickstart (MCP with AlloyDB)"
+type: docs
+weight: 1
+description: >
+  How to get started running Toolbox with MCP Inspector and AlloyDB as the source.
+---
+
+## Overview
+
+[Model Context Protocol](https://modelcontextprotocol.io) is an open protocol
+that standardizes how applications provide context to LLMs. Check out this page
+on how to [connect to Toolbox via MCP](../../how-to/connect_via_mcp.md).
+
+## Before you begin
+
+This guide assumes you have already done the following:
+
+1.  [Create a AlloyDB cluster and instance](https://cloud.google.com/alloydb/docs/cluster-create) with a database and user.
+1. Connect to the instance using [AlloyDB Studio](https://cloud.google.com/alloydb/docs/manage-data-using-studio), [`psql` command-line tool](https://www.postgresql.org/download/), or any other PostgreSQL client.
+
+2.  Enable the `pgvector` and `google_ml_integration` [extensions](https://cloud.google.com/alloydb/docs/ai). These are required for Semantic Search and Natural Language to SQL tools. Run the following SQL commands:
+
+    ```sql
+    CREATE EXTENSION IF NOT EXISTS "vector";
+    CREATE EXTENSION IF NOT EXISTS "google_ml_integration";
+    CREATE EXTENSION IF NOT EXISTS alloydb_ai_nl cascade;
+    CREATE EXTENSION IF NOT EXISTS parameterized_views;
+    ```
+
+## Step 1: Set up your AlloyDB database
+
+In this section, we will create the necessary tables and functions in your AlloyDB instance.
+
+1.  Create tables using the following commands:
+
+    ```sql
+    CREATE TABLE products (
+      product_id SERIAL PRIMARY KEY,
+      name VARCHAR(255) NOT NULL,
+      description TEXT,
+      price DECIMAL(10, 2) NOT NULL,
+      category_id INT,
+      embedding vector(3072) -- Vector size for model(gemini-embedding-001)
+    );
+
+    CREATE TABLE customers (
+      customer_id SERIAL PRIMARY KEY,
+      name VARCHAR(255) NOT NULL,
+      email VARCHAR(255) UNIQUE NOT NULL
+    );
+
+    CREATE TABLE cart (
+      cart_id SERIAL PRIMARY KEY,
+      customer_id INT UNIQUE NOT NULL,
+      created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+      FOREIGN KEY (customer_id) REFERENCES customers(customer_id)
+    );
+
+    CREATE TABLE cart_items (
+      cart_item_id SERIAL PRIMARY KEY,
+      cart_id INT NOT NULL,
+      product_id INT NOT NULL,
+      quantity INT NOT NULL,
+      price DECIMAL(10, 2) NOT NULL,
+      FOREIGN KEY (cart_id) REFERENCES cart(cart_id),
+      FOREIGN KEY (product_id) REFERENCES products(product_id)
+    );
+
+    CREATE TABLE categories (
+      category_id SERIAL PRIMARY KEY,
+      name VARCHAR(255) NOT NULL
+    );
+    ```
+
+2.  Insert sample data into the tables:
+
+    ```sql
+    INSERT INTO categories (category_id, name) VALUES
+    (1, 'Flowers'),
+    (2, 'Vases');
+
+    INSERT INTO products (product_id, name, description, price, category_id, embedding) VALUES
+    (1, 'Rose', 'A beautiful red rose', 2.50, 1, embedding('gemini-embedding-001', 'A beautiful red rose')),
+    (2, 'Tulip', 'A colorful tulip', 1.50, 1, embedding('gemini-embedding-001', 'A colorful tulip')),
+    (3, 'Glass Vase', 'A transparent glass vase', 10.00, 2, embedding('gemini-embedding-001', 'A transparent glass vase')),
+    (4, 'Ceramic Vase', 'A handmade ceramic vase', 15.00, 2, embedding('gemini-embedding-001', 'A handmade ceramic vase'));
+
+    INSERT INTO customers (customer_id, name, email) VALUES
+    (1, 'John Doe', 'john.doe@example.com'),
+    (2, 'Jane Smith', 'jane.smith@example.com');
+
+    INSERT INTO cart (cart_id, customer_id) VALUES
+    (1, 1),
+    (2, 2);
+
+    INSERT INTO cart_items (cart_id, product_id, quantity, price) VALUES
+    (1, 1, 2, 2.50),
+    (1, 3, 1, 10.00),
+    (2, 2, 5, 1.50);
+    ```
+
+## Step 2: Install Toolbox
+
+In this section, we will download and install the Toolbox binary.
+
+1. Download the latest version of Toolbox as a binary:
+
+    {{< notice tip >}}
+   Select the
+   [correct binary](https://github.com/googleapis/genai-toolbox/releases)
+   corresponding to your OS and CPU architecture.
+    {{< /notice >}}
+    <!-- {x-release-please-start-version} -->
+    ```bash
+    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
+    export VERSION="0.11.0"
+    curl -O https://storage.googleapis.com/genai-toolbox/v$VERSION/$OS/toolbox
+    ```
+    <!-- {x-release-please-end} -->
+
+1. Make the binary executable:
+
+    ```bash
+    chmod +x toolbox
+    ```
+
+## Step 3: Configure the tools
+
+Create a `tools.yaml` file and add the following content. You must replace the placeholders with your actual AlloyDB configuration.
+
+First, define the data source for your tools. This tells Toolbox how to connect to your AlloyDB instance.
+
+```yaml
+sources:
+  alloydb-pg-source:
+    kind: alloydb-postgres
+    project: YOUR_PROJECT_ID
+    region: YOUR_REGION
+    cluster: YOUR_CLUSTER
+    instance: YOUR_INSTANCE
+    database: YOUR_DATABASE
+    user: YOUR_USER
+    password: YOUR_PASSWORD
+```
+
+Next, define the tools the agent can use. We will categorize them into three types:
+
+### 1. Structured Queries Tools
+
+These tools execute predefined SQL statements. They are ideal for common, structured queries like managing a shopping cart. Add the following to your `tools.yaml` file:
+
+```yaml
+tools:
+
+  access-cart-information:
+    kind: postgres-sql
+    source: alloydb-pg-source
+    description: >-
+      List items in customer cart.
+      Use this tool to list items in a customer cart. This tool requires the cart ID.
+    parameters:
+      - name: cart_id
+        type: integer
+        description: The id of the cart.
+    statement: |
+      SELECT
+        p.name AS product_name,
+        ci.quantity,
+        ci.price AS item_price,
+        (ci.quantity * ci.price) AS total_item_price,
+        c.created_at AS cart_created_at,
+        ci.product_id AS product_id
+      FROM
+        cart_items ci JOIN cart c ON ci.cart_id = c.cart_id
+        JOIN products p ON ci.product_id = p.product_id
+      WHERE
+        c.cart_id = $1;
+
+  add-to-cart:
+    kind: postgres-sql
+    source: alloydb-pg-source
+    description: >-
+      Add items to customer cart using the product ID and product prices from the product list.
+      Use this tool to add items to a customer cart.
+      This tool requires the cart ID, product ID, quantity, and price.
+    parameters:
+      - name: cart_id
+        type: integer
+        description: The id of the cart.
+      - name: product_id
+        type: integer
+        description: The id of the product.
+      - name: quantity
+        type: integer
+        description: The quantity of items to add.
+      - name: price
+        type: float
+        description: The price of items to add.
+    statement: |
+      INSERT INTO
+        cart_items (cart_id, product_id, quantity, price)
+      VALUES($1,$2,$3,$4);
+
+  delete-from-cart:
+    kind: postgres-sql
+    source: alloydb-pg-source
+    description: >-
+      Remove products from customer cart.
+      Use this tool to remove products from a customer cart.
+      This tool requires the cart ID and product ID.
+    parameters:
+      - name: cart_id
+        type: integer
+        description: The id of the cart.
+      - name: product_id
+        type: integer
+        description: The id of the product.
+    statement: |
+      DELETE FROM
+        cart_items
+      WHERE
+        cart_id = $1 AND product_id = $2;
+```
+
+### 2. Semantic Search Tools
+
+These tools use vector embeddings to find the most relevant results based on the meaning of a user's query, rather than just keywords. Append the following tools to the `tools` section in your `tools.yaml`:
+
+```yaml
+  search-product-recommendations:
+    kind: postgres-sql
+    source: alloydb-pg-source
+    description: >-
+      Search for products based on user needs.
+      Use this tool to search for products. This tool requires the user's needs.
+    parameters:
+      - name: query
+        type: string
+        description: The product characteristics
+    statement: |
+      SELECT
+        product_id,
+        name,
+        description,
+        ROUND(CAST(price AS numeric), 2) as price
+      FROM
+        products
+      ORDER BY
+        embedding('gemini-embedding-001', $1)::vector <=> embedding
+      LIMIT 5;
+```
+
+### 3. Natural Language to SQL (NL2SQL) Tools
+
+1. Create a [natural language configuration](https://cloud.google.com/alloydb/docs/ai/use-natural-language-generate-sql-queries#create-config) for your AlloyDB cluster.
+
+    {{< notice tip >}}Before using NL2SQL tools,
+    you must first install the `alloydb_ai_nl` extension and
+    create the [semantic layer](https://cloud.google.com/alloydb/docs/ai/natural-language-overview) under a configuration named `flower_shop`.
+    {{< /notice >}}
+
+2. Configure your NL2SQL tool to use your configuration. These tools translate natural language questions into SQL queries, allowing users to interact with the database conversationally. Append the following tool to the `tools` section:
+
+```yaml
+  ask-questions-about-products:
+    kind: alloydb-ai-nl
+    source: alloydb-pg-source
+    nlConfig: flower_shop
+    description: >-
+      Ask questions related to products or brands.
+      Use this tool to ask questions about products or brands.
+      Always SELECT the IDs of objects when generating queries.
+```
+
+Finally, group the tools into a `toolset` to make them available to the model. Add the following to the end of your `tools.yaml` file:
+
+```yaml
+toolsets:
+  flower_shop:
+    - access-cart-information
+    - search-product-recommendations
+    - ask-questions-about-products
+    - add-to-cart
+    - delete-from-cart
+```
+
+For more info on tools, check out the
+[Tools](../../resources/tools/) section.
+
+## Step 4: Run the Toolbox server
+
+Run the Toolbox server, pointing to the `tools.yaml` file created earlier:
+
+```bash
+./toolbox --tools-file "tools.yaml"
+```
+
+## Step 5: Connect to MCP Inspector
+
+1. Run the MCP Inspector:
+
+    ```bash
+    npx @modelcontextprotocol/inspector
+    ```
+
+1. Type `y` when it asks to install the inspector package.
+
+1. It should show the following when the MCP Inspector is up and running (please take note of `<YOUR_SESSION_TOKEN>`):
+
+    ```bash
+    Starting MCP inspector...
+    ⚙️ Proxy server listening on localhost:6277
+    🔑 Session token: <YOUR_SESSION_TOKEN>
+       Use this token to authenticate requests or set DANGEROUSLY_OMIT_AUTH=true to disable auth
+
+    🚀 MCP Inspector is up and running at:
+       http://localhost:6274/?MCP_PROXY_AUTH_TOKEN=<YOUR_SESSION_TOKEN>
+    ```
+
+1. Open the above link in your browser.
+
+1. For `Transport Type`, select `Streamable HTTP`.
+
+1. For `URL`, type in `http://127.0.0.1:5000/mcp`.
+
+1. For `Configuration` -> `Proxy Session Token`, make sure `<YOUR_SESSION_TOKEN>` is present.
+
+1. Click Connect.
+
+1. Select `List Tools`, you will see a list of tools configured in `tools.yaml`.
+
+1. Test out your tools here!
+
+## What's next
+
+- Learn more about [MCP Inspector](../../how-to/connect_via_mcp.md).
+- Learn more about [Toolbox Resources](../../resources/).
+- Learn more about [Toolbox How-to guides](../../how-to/).

docs/en/samples/bigquery/colab_quickstart_bigquery.ipynb

@@ -220,7 +220,7 @@
       },
       "outputs": [],
       "source": [
-        "version = \"0.12.0\" # x-release-please-version\n",
+        "version = \"0.13.0\" # x-release-please-version\n",
         "! curl -O https://storage.googleapis.com/genai-toolbox/v{version}/linux/amd64/toolbox\n",
         "\n",
         "# Make the binary executable\n",

docs/en/samples/bigquery/local_quickstart.md

@@ -179,7 +179,7 @@ to use BigQuery, and then run the Toolbox server.
     <!-- {x-release-please-start-version} -->
     ```bash
     export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/$OS/toolbox
     ```
     <!-- {x-release-please-end} -->
 

docs/en/samples/bigquery/mcp_quickstart/_index.md

@@ -98,7 +98,7 @@ In this section, we will download Toolbox, configure our tools in a
     <!-- {x-release-please-start-version} -->
     ```bash
     export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/$OS/toolbox
     ```
     <!-- {x-release-please-end} -->
 

docs/en/samples/looker/looker_gemini.md

@@ -34,7 +34,7 @@ In this section, we will download Toolbox and run the Toolbox server.
     <!-- {x-release-please-start-version} -->
     ```bash
     export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.13.0/$OS/toolbox
     ```
     <!-- {x-release-please-end} -->
 

go.mod

@@ -1,24 +1,25 @@
 module github.com/googleapis/genai-toolbox
 
-go 1.24
+go 1.24.0
 
-toolchain go1.24.6
+toolchain go1.25.0
 
 require (
 	cloud.google.com/go/alloydbconn v1.15.5
 	cloud.google.com/go/bigquery v1.69.0
 	cloud.google.com/go/bigtable v1.38.0
-	cloud.google.com/go/cloudsqlconn v1.18.0
+	cloud.google.com/go/cloudsqlconn v1.18.1
 	cloud.google.com/go/dataplex v1.26.0
 	cloud.google.com/go/firestore v1.18.0
 	cloud.google.com/go/spanner v1.84.1
+	github.com/ClickHouse/clickhouse-go/v2 v2.36.0
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/trace v1.29.0
 	github.com/cenkalti/backoff/v5 v5.0.3
-	github.com/couchbase/gocb/v2 v2.10.1
+	github.com/couchbase/gocb/v2 v2.11.0
 	github.com/couchbase/tools-common/http v1.0.9
 	github.com/fsnotify/fsnotify v1.9.0
-	github.com/go-chi/chi/v5 v5.2.2
+	github.com/go-chi/chi/v5 v5.2.3
 	github.com/go-chi/httplog/v2 v2.1.1
 	github.com/go-chi/render v1.0.3
 	github.com/go-goquery/goquery v1.0.1
@@ -30,11 +31,13 @@ require (
 	github.com/jackc/pgx/v5 v5.7.5
 	github.com/json-iterator/go v1.1.12
 	github.com/looker-open-source/sdk-codegen/go v0.25.10
-	github.com/microsoft/go-mssqldb v1.9.2
+	github.com/microsoft/go-mssqldb v1.9.3
+	github.com/nakagami/firebirdsql v0.9.15
 	github.com/neo4j/neo4j-go-driver/v5 v5.28.2
 	github.com/redis/go-redis/v9 v9.12.1
 	github.com/spf13/cobra v1.9.1
 	github.com/thlib/go-timezone-local v0.0.7
+	github.com/trinodb/trino-go-client v0.328.0
 	github.com/valkey-io/valkey-go v1.0.64
 	go.mongodb.org/mongo-driver v1.17.4
 	go.opentelemetry.io/contrib/propagators/autoprop v0.62.0
@@ -46,22 +49,30 @@ require (
 	go.opentelemetry.io/otel/sdk/metric v1.37.0
 	go.opentelemetry.io/otel/trace v1.37.0
 	golang.org/x/oauth2 v0.30.0
-	google.golang.org/api v0.247.0
-	google.golang.org/genproto v0.0.0-20250603155806-513f23925822
+	google.golang.org/api v0.248.0
+	google.golang.org/genproto v0.0.0-20250826171959-ef028d996bc1
 	modernc.org/sqlite v1.38.2
 )
 
 require (
+	github.com/ClickHouse/ch-go v0.66.0 // indirect
+	github.com/andybalholm/brotli v1.2.0 // indirect
 	github.com/andybalholm/cascadia v1.3.3 // indirect
+	github.com/go-faster/city v1.0.1 // indirect
+	github.com/go-faster/errors v0.7.1 // indirect
+	github.com/paulmach/orb v0.11.1 // indirect
+	github.com/segmentio/asm v1.2.0 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
 	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
 	gonum.org/v1/gonum v0.16.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
 require (
 	cel.dev/expr v0.24.0 // indirect
 	cloud.google.com/go v0.121.4 // indirect
 	cloud.google.com/go/alloydb v1.18.0 // indirect
-	cloud.google.com/go/auth v0.16.4 // indirect
+	cloud.google.com/go/auth v0.16.5 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/compute/metadata v0.8.0 // indirect
 	cloud.google.com/go/iam v1.5.2 // indirect
@@ -77,7 +88,7 @@ require (
 	github.com/apache/arrow/go/v15 v15.0.2 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 // indirect
-	github.com/couchbase/gocbcore/v10 v10.7.1 // indirect
+	github.com/couchbase/gocbcore/v10 v10.8.0 // indirect
 	github.com/couchbase/gocbcoreps v0.1.3 // indirect
 	github.com/couchbase/goprotostellar v1.0.2 // indirect
 	github.com/couchbase/tools-common/errors v1.0.0 // indirect
@@ -105,10 +116,18 @@ require (
 	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 // indirect
+	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
+	github.com/jcmturner/aescts/v2 v2.0.0 // indirect
+	github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
+	github.com/jcmturner/gofork v1.7.6 // indirect
+	github.com/jcmturner/goidentity/v6 v6.0.1 // indirect
+	github.com/jcmturner/gokrb5/v8 v8.4.4 // indirect
+	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
+	github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.11 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
@@ -116,7 +135,9 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/montanaflynn/stats v0.7.1 // indirect
+	github.com/nakagami/chacha20 v0.1.0 // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
+	github.com/pierrec/lz4 v2.6.1+incompatible // indirect
 	github.com/pierrec/lz4/v4 v4.1.22 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
@@ -128,10 +149,11 @@ require (
 	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
 	github.com/zeebo/errs v1.4.0 // indirect
 	github.com/zeebo/xxh3 v1.0.2 // indirect
+	gitlab.com/nyarla/go-crypt v0.0.0-20160106005555-d9a5dc2b789b // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/detectors/gcp v1.36.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.62.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
 	go.opentelemetry.io/contrib/propagators/aws v1.37.0 // indirect
 	go.opentelemetry.io/contrib/propagators/b3 v1.37.0 // indirect
@@ -150,10 +172,10 @@ require (
 	golang.org/x/time v0.12.0 // indirect
 	golang.org/x/tools v0.35.0 // indirect
 	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250728155136-f173205681a0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250811230008-5f3141c8851a // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c // indirect
 	google.golang.org/grpc v1.74.2 // indirect
-	google.golang.org/protobuf v1.36.7 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	modernc.org/libc v1.66.3 // indirect
 	modernc.org/mathutil v1.7.1 // indirect

go.sum

@@ -105,8 +105,8 @@ cloud.google.com/go/assuredworkloads v1.7.0/go.mod h1:z/736/oNmtGAyU47reJgGN+KVo
 cloud.google.com/go/assuredworkloads v1.8.0/go.mod h1:AsX2cqyNCOvEQC8RMPnoc0yEarXQk6WEKkxYfL6kGIo=
 cloud.google.com/go/assuredworkloads v1.9.0/go.mod h1:kFuI1P78bplYtT77Tb1hi0FMxM0vVpRC7VVoJC3ZoT0=
 cloud.google.com/go/assuredworkloads v1.10.0/go.mod h1:kwdUQuXcedVdsIaKgKTp9t0UJkE5+PAVNhdQm4ZVq2E=
-cloud.google.com/go/auth v0.16.4 h1:fXOAIQmkApVvcIn7Pc2+5J8QTMVbUGLscnSVNl11su8=
-cloud.google.com/go/auth v0.16.4/go.mod h1:j10ncYwjX/g3cdX7GpEzsdM+d+ZNsXAbb6qXA7p1Y5M=
+cloud.google.com/go/auth v0.16.5 h1:mFWNQ2FEVWAliEQWpAdH80omXFokmrnbDhUS9cBywsI=
+cloud.google.com/go/auth v0.16.5/go.mod h1:utzRfHMP+Vv0mpOkTRQoWD2q3BatTOoWbA7gCc2dUhQ=
 cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
 cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
 cloud.google.com/go/automl v1.5.0/go.mod h1:34EjfoFGMZ5sgJ9EoLsRtdPSNZLcfflJR39VbVNS2M0=
@@ -167,8 +167,8 @@ cloud.google.com/go/cloudbuild v1.9.0/go.mod h1:qK1d7s4QlO0VwfYn5YuClDGg2hfmLZEb
 cloud.google.com/go/clouddms v1.3.0/go.mod h1:oK6XsCDdW4Ib3jCCBugx+gVjevp2TMXFtgxvPSee3OM=
 cloud.google.com/go/clouddms v1.4.0/go.mod h1:Eh7sUGCC+aKry14O1NRljhjyrr0NFC0G2cjwX0cByRk=
 cloud.google.com/go/clouddms v1.5.0/go.mod h1:QSxQnhikCLUw13iAbffF2CZxAER3xDGNHjsTAkQJcQA=
-cloud.google.com/go/cloudsqlconn v1.18.0 h1:mP6TY/7I+nrnIh6vmbWCRJPxpFBZSL6AZhW6HaYC/OI=
-cloud.google.com/go/cloudsqlconn v1.18.0/go.mod h1:58bxZZ17Mz5D83ddMT8x6w56yKpcmVXyaOwGWkzGcMw=
+cloud.google.com/go/cloudsqlconn v1.18.1 h1:IIvs7QJ8eqKUUHSon13Joie9oH7/i7MJwNzBLG+FrhM=
+cloud.google.com/go/cloudsqlconn v1.18.1/go.mod h1:58bxZZ17Mz5D83ddMT8x6w56yKpcmVXyaOwGWkzGcMw=
 cloud.google.com/go/cloudtasks v1.5.0/go.mod h1:fD92REy1x5woxkKEkLdvavGnPJGEn8Uic9nWuLzqCpY=
 cloud.google.com/go/cloudtasks v1.6.0/go.mod h1:C6Io+sxuke9/KNRkbQpihnW93SWDU3uXt92nu85HkYI=
 cloud.google.com/go/cloudtasks v1.7.0/go.mod h1:ImsfdYWwlWNJbdgPIIGJWC+gemEGTBK/SunNQQNCAb4=
@@ -632,6 +632,8 @@ cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoIS
 cloud.google.com/go/workflows v1.8.0/go.mod h1:ysGhmEajwZxGn1OhGOGKsTXc5PyxOc0vfKf5Af+to4M=
 cloud.google.com/go/workflows v1.9.0/go.mod h1:ZGkj1aFIOd9c8Gerkjjq7OW7I5+l6cSvT3ujaO/WwSA=
 cloud.google.com/go/workflows v1.10.0/go.mod h1:fZ8LmRmZQWacon9UCX1r/g/DfAXx5VcPALq2CxzdePw=
+dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
+dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
@@ -647,10 +649,16 @@ github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1 h1:Wgf5rZb
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1/go.mod h1:xxCBG/f/4Vbmh2XQJBsOmNdxWUY5j/s27jujKPbQf14=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 h1:bFWuoEKg+gImo7pvkiQEFAc8ocibADgXeiLAxWhWmkI=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1/go.mod h1:Vih/3yc6yac2JzU4hzpaDupBJP0Flaia9rXXrU8xyww=
+github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
+github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 h1:oygO0locgZJe7PpYPXT5A29ZkwJaPqcva7BVeemZOZs=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/ClickHouse/ch-go v0.66.0 h1:hLslxxAVb2PHpbHr4n0d6aP8CEIpUYGMVT1Yj/Q5Img=
+github.com/ClickHouse/ch-go v0.66.0/go.mod h1:noiHWyLMJAZ5wYuq3R/K0TcRhrNA8h7o1AqHX0klEhM=
+github.com/ClickHouse/clickhouse-go/v2 v2.36.0 h1:FJ03h8VdmBUhvR9nQEu5jRLdfG0c/HSxUjiNdOxRQww=
+github.com/ClickHouse/clickhouse-go/v2 v2.36.0/go.mod h1:aijX64fKD1hAWu/zqWEmiGk7wRE8ZnpN0M3UvjsZG3I=
 github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.3 h1:2afWGsMzkIcN8Qm4mgPJKZWyroE5QBszMiDMYEBrnfw=
 github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.3/go.mod h1:dppbR7CwXD4pgtV9t3wD1812RaLDcBjtblcDF5f1vI0=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0 h1:ErKg/3iS1AKcTkf3yixlZ54f9U1rljCkQyEXWUnIUxc=
@@ -664,9 +672,15 @@ github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0 h1:Ron4zCA/yk6U7WOBXhTJcDpsUBG9npumK6xw2auFltQ=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0/go.mod h1:cSgYe11MCNYunTnRXrKiR/tHc0eoKjICUuWpNZoVCOo=
 github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk=
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw=
+github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/PuerkitoBio/goquery v1.10.3 h1:pFYcNSqHxBD06Fpj/KsbStFRsgRATgnf3LeXiUkhzPo=
 github.com/PuerkitoBio/goquery v1.10.3/go.mod h1:tMUX0zDMHXYlAQk6p35XxQMqMweEKB7iK7iLNd4RH4Y=
+github.com/ahmetb/dlog v0.0.0-20170105205344-4fb5f8204f26 h1:3YVZUqkoev4mL+aCwVOSWV4M7pN+NURHL38Z2zq5JKA=
+github.com/ahmetb/dlog v0.0.0-20170105205344-4fb5f8204f26/go.mod h1:ymXt5bw5uSNu4jveerFxE0vNYxF8ncqbptntMaFMg3k=
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
 github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
 github.com/ajstarks/deck v0.0.0-20200831202436-30c9fc6549a9/go.mod h1:JynElWSGnm/4RlzPXRlREEwqTHAN3T56Bv2ITsFT3gY=
@@ -674,6 +688,8 @@ github.com/ajstarks/deck/generate v0.0.0-20210309230005-c3f852c02e19/go.mod h1:T
 github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod h1:K08gAheRH3/J6wwsYMMT4xOr94bZjxIelGM0+d/wbFw=
 github.com/ajstarks/svgo v0.0.0-20211024235047-1546f124cd8b/go.mod h1:1KcenG0jGWcpt8ov532z81sp/kMMUG485J2InIOyADM=
 github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
+github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ=
+github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY=
 github.com/andybalholm/cascadia v1.3.3 h1:AG2YHrzJIm4BZ19iwJ/DAua6Btl3IwJX+VI4kktS1LM=
 github.com/andybalholm/cascadia v1.3.3/go.mod h1:xNd9bqTn98Ln4DwST8/nG+H0yuB8Hmgu1YHNnWw0GeA=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
@@ -682,6 +698,44 @@ github.com/apache/arrow/go/v11 v11.0.0/go.mod h1:Eg5OsL5H+e299f7u5ssuXsuHQVEGC4x
 github.com/apache/arrow/go/v15 v15.0.2 h1:60IliRbiyTWCWjERBCkO1W4Qun9svcYoZrSLcyOsMLE=
 github.com/apache/arrow/go/v15 v15.0.2/go.mod h1:DGXsR3ajT524njufqf95822i+KTh+yea1jass9YXgjA=
 github.com/apache/thrift v0.16.0/go.mod h1:PHK3hniurgQaNMZYaCLEqXKsYK8upmhPbmdP2FXSqgU=
+github.com/aws/aws-sdk-go v1.55.6 h1:cSg4pvZ3m8dgYcgqB97MrcdjUmZ1BeMYKUxMMB89IPk=
+github.com/aws/aws-sdk-go v1.55.6/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
+github.com/aws/aws-sdk-go-v2 v1.36.3 h1:mJoei2CxPutQVxaATCzDUjcZEjVRdpsiiXi2o38yqWM=
+github.com/aws/aws-sdk-go-v2 v1.36.3/go.mod h1:LLXuLpgzEbD766Z5ECcRmi8AzSwfZItDtmABVkRLGzg=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 h1:zAybnyUQXIZ5mok5Jqwlf58/TFE7uvd3IAsa1aF9cXs=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10/go.mod h1:qqvMj6gHLR/EXWZw4ZbqlPbQUyenf4h82UQUlKc+l14=
+github.com/aws/aws-sdk-go-v2/config v1.29.12 h1:Y/2a+jLPrPbHpFkpAAYkVEtJmxORlXoo5k2g1fa2sUo=
+github.com/aws/aws-sdk-go-v2/config v1.29.12/go.mod h1:xse1YTjmORlb/6fhkWi8qJh3cvZi4JoVNhc+NbJt4kI=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.65 h1:q+nV2yYegofO/SUXruT+pn4KxkxmaQ++1B/QedcKBFM=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.65/go.mod h1:4zyjAuGOdikpNYiSGpsGz8hLGmUzlY8pc8r9QQ/RXYQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 h1:x793wxmUWVDhshP8WW2mlnXuFrO4cOd3HLBroh1paFw=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30/go.mod h1:Jpne2tDnYiFascUEs2AWHJL9Yp7A5ZVy3TNyxaAjD6M=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 h1:ZK5jHhnrioRkUNOc+hOgQKlUL5JeC3S6JgLxtQ+Rm0Q=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34/go.mod h1:p4VfIceZokChbA9FzMbRGz5OV+lekcVtHlPKEO0gSZY=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 h1:SZwFm17ZUNNg5Np0ioo/gq8Mn6u9w19Mri8DnJ15Jf0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34/go.mod h1:dFZsC0BLo346mvKQLWmoJxT+Sjp+qcVR1tRVHQGOH9Q=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.34 h1:ZNTqv4nIdE/DiBfUUfXcLZ/Spcuz+RjeziUtNJackkM=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.34/go.mod h1:zf7Vcd1ViW7cPqYWEHLHJkS50X0JS2IKz9Cgaj6ugrs=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 h1:eAh2A4b5IzM/lum78bZ590jy36+d/aFLgKF/4Vd1xPE=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3/go.mod h1:0yKJC/kb8sAnmlYa6Zs3QVYqaC8ug2AbnNChv5Ox3uA=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.0 h1:lguz0bmOoGzozP9XfRJR1QIayEYo+2vP/No3OfLF0pU=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.0/go.mod h1:iu6FSzgt+M2/x3Dk8zhycdIcHjEFb36IS8HVUVFoMg0=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 h1:dM9/92u2F1JbDaGooxTq18wmmFzbJRfXfVfy96/1CXM=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15/go.mod h1:SwFBy2vjtA0vZbjjaFtfN045boopadnoVPhu4Fv66vY=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15 h1:moLQUoVq91LiqT1nbvzDukyqAlCv89ZmwaHw/ZFlFZg=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15/go.mod h1:ZH34PJUc8ApjBIfgQCFvkWcUDBtl/WTD+uiYHjd8igA=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.79.0 h1:OIw2nryEApESTYI5deCZGcq4Gvz8DBAt4tJlNyg3v5o=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.79.0/go.mod h1:U5SNqwhXB3Xe6F47kXvWihPl/ilGaEDe8HD/50Z9wxc=
+github.com/aws/aws-sdk-go-v2/service/sso v1.25.2 h1:pdgODsAhGo4dvzC3JAG5Ce0PX8kWXrTZGx+jxADD+5E=
+github.com/aws/aws-sdk-go-v2/service/sso v1.25.2/go.mod h1:qs4a9T5EMLl/Cajiw2TcbNt2UNo/Hqlyp+GiuG4CFDI=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.0 h1:90uX0veLKcdHVfvxhkWUQSCi5VabtwMLFutYiRke4oo=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.0/go.mod h1:MlYRNmYu/fGPoxBQVvBYr9nyr948aY/WLUvwBMBJubs=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.17 h1:PZV5W8yk4OtH1JAuhV2PXwwO9v5G5Aoj+eMCn4T+1Kc=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.17/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4=
+github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ=
+github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
@@ -689,6 +743,8 @@ github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
 github.com/bsm/ginkgo/v2 v2.12.0/go.mod h1:SwYbGRRDovPVboqFv0tPTcG1sN61LM1Z4ARdbAV9g4c=
 github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
 github.com/bsm/gomega v1.27.10/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0=
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
+github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
 github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@@ -718,10 +774,12 @@ github.com/cncf/xds/go v0.0.0-20230105202645-06c439db220b/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 h1:aQ3y1lwWyqYPiWZThqv1aFbZMiM9vblcSArJRf2Irls=
 github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
-github.com/couchbase/gocb/v2 v2.10.1 h1:5r1jngGxw3dTZdtq6Xmjq3pdU6hOwRvynvbVIp58T64=
-github.com/couchbase/gocb/v2 v2.10.1/go.mod h1:GGEJuYjrfnPHCQLcxTcIco+Puy63PS2p8QQd8FRw66I=
-github.com/couchbase/gocbcore/v10 v10.7.1 h1:6jsNDtqyfoQ8Xg6kv99rzccc3CrHbp7FjeY+ahWXTF4=
-github.com/couchbase/gocbcore/v10 v10.7.1/go.mod h1:Q8JWVenMCEOuRgrDQKApHbzzPif38HzefGgRVe9apAI=
+github.com/containerd/continuity v0.4.3 h1:6HVkalIp+2u1ZLH1J/pYX2oBVXlJZvh1X1A7bEZ9Su8=
+github.com/containerd/continuity v0.4.3/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ=
+github.com/couchbase/gocb/v2 v2.11.0 h1:OVB+KlVeXlKVtziKx/LWZT7DClLsoQHQFrI4wan5Ijc=
+github.com/couchbase/gocb/v2 v2.11.0/go.mod h1:Y+lODSgyVzDSaf0Sy8sIzIa0RTAw3vlZUsjY6+FUq9Y=
+github.com/couchbase/gocbcore/v10 v10.8.0 h1:zDcJyYqOirFyC8T/aVvNL4N9oj6GI4qtaBuTGGWCDb4=
+github.com/couchbase/gocbcore/v10 v10.8.0/go.mod h1:OWKfU9R5Nm5V3QZBtfdZl5qCfgxtxTqOgXiNr4pn9/c=
 github.com/couchbase/gocbcoreps v0.1.3 h1:fILaKGCjxFIeCgAUG8FGmRDSpdrRggohOMKEgO9CUpg=
 github.com/couchbase/gocbcoreps v0.1.3/go.mod h1:hBFpDNPnRno6HH5cRXExhqXYRmTsFJlFHQx7vztcXPk=
 github.com/couchbase/goprotostellar v1.0.2 h1:yoPbAL9sCtcyZ5e/DcU5PRMOEFaJrF9awXYu3VPfGls=
@@ -742,6 +800,14 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
+github.com/docker/cli v26.1.4+incompatible h1:I8PHdc0MtxEADqYJZvhBrW9bo8gawKwwenxRM7/rLu8=
+github.com/docker/cli v26.1.4+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/docker v28.2.2+incompatible h1:CjwRSksz8Yo4+RmQ339Dp/D2tGO5JxwYeqtMOEe0LDw=
+github.com/docker/docker v28.2.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
+github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
@@ -773,17 +839,23 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
 github.com/fogleman/gg v1.3.0/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
+github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
+github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM=
 github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-chi/chi/v5 v5.2.2 h1:CMwsvRVTbXVytCk1Wd72Zy1LAsAh9GxMmSNWLHCG618=
-github.com/go-chi/chi/v5 v5.2.2/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
+github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE=
+github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
 github.com/go-chi/httplog/v2 v2.1.1 h1:ojojiu4PIaoeJ/qAO4GWUxJqvYUTobeo7zmuHQJAxRk=
 github.com/go-chi/httplog/v2 v2.1.1/go.mod h1:/XXdxicJsp4BA5fapgIC3VuTD+z0Z/VzukoB3VDc1YE=
 github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
 github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
+github.com/go-faster/city v1.0.1 h1:4WAxSZ3V2Ws4QRDrscLEDcibJY8uf41H6AhXDrNDcGw=
+github.com/go-faster/city v1.0.1/go.mod h1:jKcUJId49qdW3L1qKHH/3wPeUstCVpVSXTM6vO3VcTw=
+github.com/go-faster/errors v0.7.1 h1:MkJTnDoEdi9pDabt1dpWf7AA8/BaSYZqibYyhZ20AYg=
+github.com/go-faster/errors v0.7.1/go.mod h1:5ySTjWFiphBs07IKuiL69nxdfd5+fzh1u7FPGZP2quo=
 github.com/go-fonts/dejavu v0.1.0/go.mod h1:4Wt4I4OU2Nq9asgDCteaAaWZOV24E+0/Pwo0gppep4g=
 github.com/go-fonts/latin-modern v0.2.0/go.mod h1:rQVLdDMK+mK1xscDwsqM5J8U2jrRa3T0ecnM9pNujks=
 github.com/go-fonts/liberation v0.1.1/go.mod h1:K6qoJYypsmfVjWg8KOVDQhLc8UDgIK2HYqyqAO9z7GY=
@@ -823,6 +895,7 @@ github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
 github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
 github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
@@ -870,6 +943,7 @@ github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiu
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v1.0.0 h1:Oy607GVXHs7RtbggtPBnr2RmDArIsAefDwvrdWvRhGs=
@@ -928,6 +1002,8 @@ github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
 github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@@ -954,6 +1030,10 @@ github.com/googleapis/gax-go/v2 v2.15.0 h1:SyjDc1mGgZU5LncH8gimWo9lW1DtIfPibOG81
 github.com/googleapis/gax-go/v2 v2.15.0/go.mod h1:zVVkkxAQHa1RQpg9z2AUCMnKhi0Qld9rcmyfL1OZhoc=
 github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4=
 github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
+github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
+github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
+github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI=
+github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI=
@@ -963,6 +1043,9 @@ github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4Zs
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3/go.mod h1:o//XUCC/F+yRGJoPO/VU0GSB0f8Nhgmxx0VIRUvaC0w=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 h1:X5VWvz21y3gzm9Nw/kaUeku/1+uBhcekkmy4IkffJww=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1/go.mod h1:Zanoh4+gvIgluNqcfMVTJueD4wSS5hT7zTt4Mrutd90=
+github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
+github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
@@ -992,16 +1075,31 @@ github.com/jackc/puddle v1.3.0 h1:eHK/5clGOatcjX3oWGBO/MpxpbHzSwud5EWTSCI+MX0=
 github.com/jackc/puddle v1.3.0/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
+github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
+github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
+github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
+github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg=
+github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo=
+github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=
+github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
+github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8=
+github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
+github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
+github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jung-kurt/gofpdf v1.0.0/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
 github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
+github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 h1:iQTw/8FWTuc7uiaSepXwyf3o52HaUYcV+Tu66S3F5GA=
+github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0/go.mod h1:1NbS8ALrpOvjt0rHPNLyCIeMtbizbir8U//inJ+zuB8=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/asmfmt v1.3.2/go.mod h1:AG8TuvYojzulgDAMCnYn50l/5QV3Bs/tp6j0HLHbNSE=
+github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
 github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
@@ -1013,8 +1111,11 @@ github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
@@ -1030,27 +1131,51 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-sqlite3 v1.14.14/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
-github.com/microsoft/go-mssqldb v1.9.2 h1:nY8TmFMQOHpm2qVWo6y4I2mAmVdZqlGiMGAYt64Ibbs=
-github.com/microsoft/go-mssqldb v1.9.2/go.mod h1:GBbW9ASTiDC+mpgWDGKdm3FnFLTUsLYN3iFL90lQ+PA=
+github.com/microsoft/go-mssqldb v1.9.3 h1:hy4p+LDC8LIGvI3JATnLVmBOLMJbmn5X400mr5j0lPs=
+github.com/microsoft/go-mssqldb v1.9.3/go.mod h1:GBbW9ASTiDC+mpgWDGKdm3FnFLTUsLYN3iFL90lQ+PA=
 github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8/go.mod h1:mC1jAcsrzbxHt8iiaC+zU4b1ylILSosueou12R++wfY=
 github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3/go.mod h1:RagcQ7I8IeTMnF8JTXieKnO4Z6JCsikNEzj0DwauVzE=
+github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
+github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
+github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc=
 github.com/montanaflynn/stats v0.7.1 h1:etflOAAHORrCC44V+aR6Ftzort912ZU+YLiSTuV8eaE=
 github.com/montanaflynn/stats v0.7.1/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
+github.com/nakagami/chacha20 v0.1.0 h1:2fbf5KeVUw7oRpAe6/A7DqvBJLYYu0ka5WstFbnkEVo=
+github.com/nakagami/chacha20 v0.1.0/go.mod h1:xpoujepNFA7MvYLvX5xKHzlOHimDrLI9Ll8zfOJ0l2E=
+github.com/nakagami/firebirdsql v0.9.15 h1:Mf05jaFI8+kjy6sBstsAu76zOkJ44AGd6cpApWNrp/0=
+github.com/nakagami/firebirdsql v0.9.15/go.mod h1:bZKRs3rpHAjJgXAoc9YiPobTz3R22i41Zjo+llIS2B0=
 github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
 github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
 github.com/neo4j/neo4j-go-driver/v5 v5.28.2 h1:uG7nMK0zS/a/iSWMZgCIY40SfYzWBc6uSrMONhiIS0U=
 github.com/neo4j/neo4j-go-driver/v5 v5.28.2/go.mod h1:Vff8OwT7QpLm7L2yYr85XNWe9Rbqlbeb9asNXJTHO4k=
 github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8=
 github.com/onsi/gomega v1.36.2/go.mod h1:DdwyADRjrc825LhMEkD76cHR5+pUnjhUN8GlHlRPHzY=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
+github.com/opencontainers/runc v1.1.13 h1:98S2srgG9vw0zWcDpFMn5TRrh8kLxa/5OFUstuUhmRs=
+github.com/opencontainers/runc v1.1.13/go.mod h1:R016aXacfp/gwQBYw2FDGa9m+n6atbLWrYY8hNMT/sA=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
+github.com/ory/dockertest/v3 v3.11.0 h1:OiHcxKAvSDUwsEVh2BjxQQc/5EHz9n0va9awCtNGuyA=
+github.com/ory/dockertest/v3 v3.11.0/go.mod h1:VIPxS1gwT9NpPOrfD3rACs8Y9Z7yhzO4SB194iUDnUI=
+github.com/paulmach/orb v0.11.1 h1:3koVegMC4X/WeiXYz9iswopaTwMem53NzTJuTF20JzU=
+github.com/paulmach/orb v0.11.1/go.mod h1:5mULz1xQfs3bmQm63QEJA6lNGujuRafwA5S/EnuLaLU=
+github.com/paulmach/protoscan v0.2.1/go.mod h1:SpcSwydNLrxUGSDvXvO0P7g7AuhJ7lcKfDlhJCDw2gY=
 github.com/phpdave11/gofpdf v1.4.2/go.mod h1:zpO6xFn9yxo3YLyMvW8HcKWVdbNqgIfOOp2dXMnm1mY=
 github.com/phpdave11/gofpdi v1.0.12/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
 github.com/phpdave11/gofpdi v1.0.13/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
+github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM=
+github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
 github.com/pierrec/lz4/v4 v4.1.15/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pierrec/lz4/v4 v4.1.22 h1:cKFw6uJDK+/gfw5BcDL0JL5aBsAFdsIT18eRtLj7VIU=
 github.com/pierrec/lz4/v4 v4.1.22/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
@@ -1058,6 +1183,7 @@ github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmd
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
 github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
@@ -1078,10 +1204,18 @@ github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6L
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ruudk/golang-pdf417 v0.0.0-20181029194003-1af4ab5afa58/go.mod h1:6lfFZQK844Gfx8o5WFuvpxWRwnSoipWe/p622j1v06w=
 github.com/ruudk/golang-pdf417 v0.0.0-20201230142125-a7e3863a1245/go.mod h1:pQAZKsJ8yyVxGRWYNEm9oFB8ieLgKFnamEyDmSA0BRk=
+github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
+github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
+github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
+github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
 github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
@@ -1112,14 +1246,28 @@ github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOf
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/thlib/go-timezone-local v0.0.7 h1:fX8zd3aJydqLlTs/TrROrIIdztzsdFV23OzOQx31jII=
 github.com/thlib/go-timezone-local v0.0.7/go.mod h1:/Tnicc6m/lsJE0irFMA0LfIwTBo4QP7A8IfyIv4zZKI=
+github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
+github.com/trinodb/trino-go-client v0.328.0 h1:X6hrGGysA3nvyVcz8kJbBS98srLNTNsnNYwRkMC1atA=
+github.com/trinodb/trino-go-client v0.328.0/go.mod h1:e/nck9W6hy+9bbyZEpXKFlNsufn3lQGpUgDL1d5f1FI=
 github.com/valkey-io/valkey-go v1.0.64 h1:3u4+b6D6zs9JQs254TLy4LqitCMHHr9XorP9GGk7XY4=
 github.com/valkey-io/valkey-go v1.0.64/go.mod h1:bHmwjIEOrGq/ubOJfh5uMRs7Xj6mV3mQ/ZXUbmqpjqY=
 github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c=
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
+github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g=
 github.com/xdg-go/scram v1.1.2 h1:FHX5I5B4i4hKRVRBCFRxq1iQRej7WO3hhBuJf+UUySY=
 github.com/xdg-go/scram v1.1.2/go.mod h1:RT/sEzTbU5y00aCK8UOx6R7YryM0iF1N2MOmC3kKLN4=
+github.com/xdg-go/stringprep v1.0.3/go.mod h1:W3f5j4i+9rC0kuIEJL0ky1VpHXQU3ocBgklLGvcBnW8=
 github.com/xdg-go/stringprep v1.0.4 h1:XLI/Ng3O1Atzq0oBs3TWm+5ZVgkq2aqdlvP9JtoZ6c8=
 github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
+github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
+github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
+github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
+github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA=
 github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 h1:ilQV1hzziu+LLM3zUTJ0trRztfwgjqKnBWNtSRkbmwM=
 github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78/go.mod h1:aL8wCCfTfSfmXjznFBSZNN13rSJjlIOI1fUNAtF7rmI=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -1135,6 +1283,9 @@ github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM=
 github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
 github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
 github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
+gitlab.com/nyarla/go-crypt v0.0.0-20160106005555-d9a5dc2b789b h1:7gd+rd8P3bqcn/96gOZa3F5dpJr/vEiDQYlNb/y2uNs=
+gitlab.com/nyarla/go-crypt v0.0.0-20160106005555-d9a5dc2b789b/go.mod h1:T3BPAOm2cqquPa0MKWeNkmOM5RQsRhkrwMWonFMN7fE=
+go.mongodb.org/mongo-driver v1.11.4/go.mod h1:PTSz5yu21bkT/wXpkS7WR5f0ddqw5quethTUn9WM+2g=
 go.mongodb.org/mongo-driver v1.17.4 h1:jUorfmVzljjr0FLzYQsGP8cgN/qzzxlY9Vh0C9KFXVw=
 go.mongodb.org/mongo-driver v1.17.4/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
@@ -1150,8 +1301,8 @@ go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJyS
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/detectors/gcp v1.36.0 h1:F7q2tNlCaHY9nMKHR6XH9/qkp8FktLnIcy6jJNyOCQw=
 go.opentelemetry.io/contrib/detectors/gcp v1.36.0/go.mod h1:IbBN8uAIIx734PTonTPxAxnjc2pQTxWNkwfstZ+6H2k=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.62.0 h1:rbRJ8BBoVMsQShESYZ0FkvcITu8X8QNwJogcLUmDNNw=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.62.0/go.mod h1:ru6KHrNtNHxM4nD/vd6QrLVWgKhxPYgblq4VAtNawTQ=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY=
 go.opentelemetry.io/contrib/propagators/autoprop v0.62.0 h1:1+EHlhAe/tukctfePZRrDruB9vn7MdwyC+rf36nUSPM=
@@ -1204,6 +1355,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
@@ -1312,6 +1465,7 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
 golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
@@ -1667,8 +1821,8 @@ google.golang.org/api v0.108.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/
 google.golang.org/api v0.110.0/go.mod h1:7FC4Vvx1Mooxh8C5HWjzZHcavuS2f6pmJpZx60ca7iI=
 google.golang.org/api v0.111.0/go.mod h1:qtFHvU9mhgTJegR31csQ+rwxyUTHOKFqCKWp1J0fdw0=
 google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg=
-google.golang.org/api v0.247.0 h1:tSd/e0QrUlLsrwMKmkbQhYVa109qIintOls2Wh6bngc=
-google.golang.org/api v0.247.0/go.mod h1:r1qZOPmxXffXg6xS5uhx16Fa/UFY8QU/K4bfKrnvovM=
+google.golang.org/api v0.248.0 h1:hUotakSkcwGdYUqzCRc5yGYsg4wXxpkKlW5ryVqvC1Y=
+google.golang.org/api v0.248.0/go.mod h1:yAFUAF56Li7IuIQbTFoLwXTCI6XCFKueOlS7S9e4F9k=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -1809,12 +1963,12 @@ google.golang.org/genproto v0.0.0-20230323212658-478b75c54725/go.mod h1:UUQDJDOl
 google.golang.org/genproto v0.0.0-20230330154414-c0448cd141ea/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak=
 google.golang.org/genproto v0.0.0-20230331144136-dcfb400f0633/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak=
 google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU=
-google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
-google.golang.org/genproto v0.0.0-20250603155806-513f23925822/go.mod h1:HubltRL7rMh0LfnQPkMH4NPDFEWp0jw3vixw7jEM53s=
-google.golang.org/genproto/googleapis/api v0.0.0-20250728155136-f173205681a0 h1:0UOBWO4dC+e51ui0NFKSPbkHHiQ4TmrEfEZMLDyRmY8=
-google.golang.org/genproto/googleapis/api v0.0.0-20250728155136-f173205681a0/go.mod h1:8ytArBbtOy2xfht+y2fqKd5DRDJRUQhqbyEnQ4bDChs=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250811230008-5f3141c8851a h1:tPE/Kp+x9dMSwUm/uM0JKK0IfdiJkwAbSMSeZBXXJXc=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250811230008-5f3141c8851a/go.mod h1:gw1tLEfykwDz2ET4a12jcXt4couGAm7IwsVaTy0Sflo=
+google.golang.org/genproto v0.0.0-20250826171959-ef028d996bc1 h1:Nm5SEGIguOIBDXs5rhfz2aKwEVWlgwC58UcmEnLDc8Y=
+google.golang.org/genproto v0.0.0-20250826171959-ef028d996bc1/go.mod h1:Jz9LrroM7Mcm+a0QrLh4UpZ1B/WhjIbqwEcUf4y08nQ=
+google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c h1:AtEkQdl5b6zsybXcbz00j1LwNodDuH6hVifIaNqk7NQ=
+google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c/go.mod h1:ea2MjsO70ssTfCjiwHgI0ZFqcw45Ksuk2ckf9G468GA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c h1:qXWI/sQtv5UKboZ/zUk7h+mrf/lXORyI+n9DKDAusdg=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c/go.mod h1:gw1tLEfykwDz2ET4a12jcXt4couGAm7IwsVaTy0Sflo=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -1876,10 +2030,11 @@ google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqw
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.29.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.36.7 h1:IgrO7UwFQGJdRNXH/sQux4R1Dj1WAKcLElzeeRaXV2A=
-google.golang.org/protobuf v1.36.7/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/ini.v1 v1.61.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
@@ -1888,6 +2043,8 @@ gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

internal/prebuiltconfigs/prebuiltconfigs.go

@@ -39,6 +39,11 @@ func init() {
 	}
 }
 
+// Getter for the prebuiltToolsSources
+func GetPrebuiltSources() []string {
+	return prebuiltToolsSources
+}
+
 // Get prebuilt tools for a source
 func Get(prebuiltSourceConfig string) ([]byte, error) {
 	content, ok := prebuiltToolYAMLs[prebuiltSourceConfig]

internal/prebuiltconfigs/prebuiltconfigs_test.go

@@ -20,25 +20,38 @@ import (
 	"github.com/google/go-cmp/cmp"
 )
 
+var expectedToolSources = []string{
+	"alloydb-postgres-admin",
+	"alloydb-postgres",
+	"bigquery",
+	"clickhouse",
+	"cloud-sql-mssql",
+	"cloud-sql-mysql",
+	"cloud-sql-postgres",
+	"dataplex",
+	"firestore",
+	"looker",
+	"mssql",
+	"mysql",
+	"oceanbase",
+	"postgres",
+	"spanner-postgres",
+	"spanner",
+}
+
+func TestGetPrebuiltSources(t *testing.T) {
+	t.Run("Test Get Prebuilt Sources", func(t *testing.T) {
+		sources := GetPrebuiltSources()
+		if diff := cmp.Diff(expectedToolSources, sources); diff != "" {
+			t.Fatalf("incorrect sources parse: diff %v", diff)
+		}
+
+	})
+}
+
 func TestLoadPrebuiltToolYAMLs(t *testing.T) {
 	test_name := "test load prebuilt configs"
-	expectedKeys := []string{
-		"alloydb-postgres-admin",
-		"alloydb-postgres",
-		"bigquery",
-		"cloud-sql-mssql",
-		"cloud-sql-mysql",
-		"cloud-sql-postgres",
-		"dataplex",
-		"firestore",
-		"looker",
-		"mssql",
-		"mysql",
-		"oceanbase",
-		"postgres",
-		"spanner-postgres",
-		"spanner",
-	}
+	expectedKeys := expectedToolSources
 	t.Run(test_name, func(t *testing.T) {
 		configsMap, keys, err := loadPrebuiltToolYAMLs()
 		if err != nil {
@@ -73,6 +86,7 @@ func TestGetPrebuiltTool(t *testing.T) {
 	alloydb_admin_config, _ := Get("alloydb-postgres-admin")
 	alloydb_config, _ := Get("alloydb-postgres")
 	bigquery_config, _ := Get("bigquery")
+	clickhouse_config, _ := Get("clickhouse")
 	cloudsqlpg_config, _ := Get("cloud-sql-postgres")
 	cloudsqlmysql_config, _ := Get("cloud-sql-mysql")
 	cloudsqlmssql_config, _ := Get("cloud-sql-mssql")
@@ -93,6 +107,9 @@ func TestGetPrebuiltTool(t *testing.T) {
 	if len(bigquery_config) <= 0 {
 		t.Fatalf("unexpected error: could not fetch bigquery prebuilt tools yaml")
 	}
+	if len(clickhouse_config) <= 0 {
+		t.Fatalf("unexpected error: could not fetch clickhouse prebuilt tools yaml")
+	}
 	if len(cloudsqlpg_config) <= 0 {
 		t.Fatalf("unexpected error: could not fetch cloud sql pg prebuilt tools yaml")
 	}

internal/prebuiltconfigs/tools/alloydb-postgres-admin.yaml

@@ -50,7 +50,6 @@ tools:
         description: "The name for the initial superuser. If not provided, it defaults to 'postgres'. The initial database will always be named 'postgres'."
   alloydb-operations-get:
     kind: alloydb-wait-for-operation
-    source: alloydb-api-source
     description: "This will poll on operations API until the operation is done. For checking operation status we need projectId, locationID and operationId. Once instance is created give follow up steps on how to use the variables to bring data plane MCP server up in local and remote setup."
     delay: 1s
     maxDelay: 4m

internal/prebuiltconfigs/tools/bigquery.yaml

@@ -4,6 +4,14 @@ sources:
     project: ${BIGQUERY_PROJECT}
 
 tools:
+  ask_data_insights:
+    kind: bigquery-conversational-analytics
+    source: bigquery-source
+    description: |
+      Use this tool to perform data analysis, get insights,
+      or answer complex questions about the contents of specific
+      BigQuery tables.
+
   execute_sql:
     kind: bigquery-execute-sql
     source: bigquery-source
@@ -36,6 +44,7 @@ tools:
 
 toolsets:
   bigquery-database-tools:
+    - ask_data_insights
     - execute_sql
     - forecast
     - get_dataset_info

internal/prebuiltconfigs/tools/clickhouse.yaml

@@ -0,0 +1,19 @@
+sources:
+  clickhouse-source:
+    kind: clickhouse
+    host: ${CLICKHOUSE_HOST}
+    port: ${CLICKHOUSE_PORT}
+    user: ${CLICKHOUSE_USER}
+    password: ${CLICKHOUSE_PASSWORD}
+    database: ${CLICKHOUSE_DATABASE}
+    protocol: ${CLICKHOUSE_PROTOCOL}
+
+tools:
+  execute_sql:
+    kind: clickhouse-execute-sql
+    source: clickhouse-source
+    description: Use this tool to execute SQL.
+
+toolsets:
+  clickhouse-database-tools:
+    - execute_sql

internal/prebuiltconfigs/tools/firestore.yaml

@@ -21,6 +21,18 @@ tools:
       5. Handle timestamps properly: Use RFC3339 format for timestamp strings
       6. Base64 encode binary data: Binary data must be base64 encoded in the bytesValue field
       7. Consider security rules: Ensure your Firestore security rules allow document creation in the target collection
+  firestore-update-document:
+    kind: firestore-update-document
+    source: firestore-source
+    description: |
+     Updates an existing document in Firestore. Supports both full document updates and selective field updates using an update mask. Please follow the best practices:
+      1. Use update masks for precision: When you only need to update specific fields, use the updateMask parameter to avoid unintended changes
+      2. Always use typed values in the documentData: Every field must be wrapped with its appropriate type indicator (e.g., {"stringValue": "text"})
+      3. Delete fields using update mask: To delete fields, include them in the updateMask but omit them from documentData
+      4. Integer values can be strings: The tool accepts integer values as strings (e.g., {"integerValue": "1500"})
+      5. Use returnData sparingly: Only set to true when you need to verify the exact data after the update
+      6. Handle timestamps properly: Use RFC3339 format for timestamp strings
+      7. Consider security rules: Ensure your Firestore security rules allow document updates
   firestore-list-collections:
     kind: firestore-list-collections
     source: firestore-source
@@ -48,6 +60,7 @@ toolsets:
   firestore-database-tools:
     - firestore-get-documents
     - firestore-add-documents
+    - firestore-update-document
     - firestore-list-collections
     - firestore-delete-documents
     - firestore-query-collection

internal/prebuiltconfigs/tools/looker.yaml

@@ -4,8 +4,11 @@ sources:
         base_url: ${LOOKER_BASE_URL}
         client_id: ${LOOKER_CLIENT_ID}
         client_secret: ${LOOKER_CLIENT_SECRET}
-        verify_ssl: ${LOOKER_VERIFY_SSL}
+        verify_ssl: ${LOOKER_VERIFY_SSL:true}
         timeout: 600s
+        show_hidden_models: ${LOOKER_SHOW_HIDDEN_MODELS:true}
+        show_hidden_explores: ${LOOKER_SHOW_HIDDEN_EXPLORES:true}
+        show_hidden_fields: ${LOOKER_SHOW_HIDDEN_FIELDS:true}
 
 tools:
     get_models:
@@ -88,7 +91,8 @@ tools:
           Filters are provided as a map of {"field.id": "condition",
           "field.id2": "condition2", ...}. Do not put the field.id in
           quotes. Filter expressions can be found at
-          https://cloud.google.com/looker/docs/filter-expressions.
+          https://cloud.google.com/looker/docs/filter-expressions. There
+          is one mistake in that, however, Use `not null` instead of `-NULL`.
 
           Sorts can be specified like [ "field.id desc 0" ].
 
@@ -215,6 +219,7 @@ tools:
 
           ### Pie / Donut
 
+          *   Pie charts must have exactly one dimension and one numerical measure.
           *   `type`: Must be `looker_pie`.
           *   `value_labels`: Where to display values (`'legend'`, `'labels'`).
           *   `label_type`: The format of data labels (`'labPer'`, `'labVal'`, `'lab'`, `'val'`, `'per'`).

internal/server/admin.go

@@ -0,0 +1,32 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package server
+
+import (
+	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi/v5/middleware"
+	"github.com/go-chi/render"
+)
+
+// adminRouter creates a router that represents the routes under /admin
+func adminRouter(s *Server) (chi.Router, error) {
+	r := chi.NewRouter()
+
+	r.Use(middleware.AllowContentType("application/json"))
+	r.Use(middleware.StripSlashes)
+	r.Use(render.SetContentType(render.ContentTypeJSON))
+
+	return r, nil
+}

internal/server/api.go

@@ -16,8 +16,10 @@ package server
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
+	"strings"
 
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
@@ -165,6 +167,20 @@ func toolInvokeHandler(s *Server, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Extract OAuth access token from the "Authorization" header (currently for
+	// BigQuery end-user credentials usage only)
+	accessToken := tools.AccessToken(r.Header.Get("Authorization"))
+
+	// Check if this specific tool requires the standard authorization header
+	if tool.RequiresClientAuthorization() {
+		if accessToken == "" {
+			err = fmt.Errorf("tool requires client authorization but access token is missing from the request header")
+			s.logger.DebugContext(ctx, err.Error())
+			_ = render.Render(w, r, newErrResponse(err, http.StatusUnauthorized))
+			return
+		}
+	}
+
 	// Tool authentication
 	// claimsFromAuth maps the name of the authservice to the claims retrieved from it.
 	claimsFromAuth := make(map[string]map[string]any)
@@ -210,6 +226,12 @@ func toolInvokeHandler(s *Server, w http.ResponseWriter, r *http.Request) {
 
 	params, err := tool.ParseParams(data, claimsFromAuth)
 	if err != nil {
+		// If auth error, return 401
+		if errors.Is(err, tools.ErrUnauthorized) {
+			s.logger.DebugContext(ctx, fmt.Sprintf("error parsing authenticated parameters from ID token: %s", err))
+			_ = render.Render(w, r, newErrResponse(err, http.StatusUnauthorized))
+			return
+		}
 		err = fmt.Errorf("provided parameters were invalid: %w", err)
 		s.logger.DebugContext(ctx, err.Error())
 		_ = render.Render(w, r, newErrResponse(err, http.StatusBadRequest))
@@ -217,8 +239,34 @@ func toolInvokeHandler(s *Server, w http.ResponseWriter, r *http.Request) {
 	}
 	s.logger.DebugContext(ctx, fmt.Sprintf("invocation params: %s", params))
 
-	res, err := tool.Invoke(ctx, params)
+	res, err := tool.Invoke(ctx, params, accessToken)
+
+	// Determine what error to return to the users.
 	if err != nil {
+		errStr := err.Error()
+		var statusCode int
+
+		// Upstream API auth error propagation
+		switch {
+		case strings.Contains(errStr, "Error 401"):
+			statusCode = http.StatusUnauthorized
+		case strings.Contains(errStr, "Error 403"):
+			statusCode = http.StatusForbidden
+		}
+
+		if statusCode == http.StatusUnauthorized || statusCode == http.StatusForbidden {
+			if tool.RequiresClientAuthorization() {
+				// Propagate the original 401/403 error.
+				s.logger.DebugContext(ctx, fmt.Sprintf("error invoking tool. Client credentials lack authorization to the source: %v", err))
+				_ = render.Render(w, r, newErrResponse(err, statusCode))
+				return
+			}
+			// ADC lacking permission or credentials configuration error.
+			internalErr := fmt.Errorf("unexpected auth error occured during Tool invocation: %w", err)
+			s.logger.ErrorContext(ctx, internalErr.Error())
+			_ = render.Render(w, r, newErrResponse(internalErr, http.StatusInternalServerError))
+			return
+		}
 		err = fmt.Errorf("error while invoking tool: %w", err)
 		s.logger.DebugContext(ctx, err.Error())
 		_ = render.Render(w, r, newErrResponse(err, http.StatusBadRequest))

internal/server/api_test.go

@@ -212,7 +212,7 @@ func TestToolGetEndpoint(t *testing.T) {
 }
 
 func TestToolInvokeEndpoint(t *testing.T) {
-	mockTools := []MockTool{tool1, tool2}
+	mockTools := []MockTool{tool1, tool2, tool4, tool5}
 	toolsMap, toolsets := setUpResources(t, mockTools)
 	r, shutdown := setUpServer(t, "api", toolsMap, toolsets)
 	defer shutdown()
@@ -247,6 +247,20 @@ func TestToolInvokeEndpoint(t *testing.T) {
 			want:        "",
 			isErr:       true,
 		},
+		{
+			name:        "tool4",
+			toolName:    tool4.Name,
+			requestBody: bytes.NewBuffer([]byte(`{}`)),
+			want:        "",
+			isErr:       true,
+		},
+		{
+			name:        "tool5",
+			toolName:    tool5.Name,
+			requestBody: bytes.NewBuffer([]byte(`{}`)),
+			want:        "",
+			isErr:       true,
+		},
 	}
 
 	for _, tc := range testCases {

internal/server/common_test.go

@@ -36,13 +36,15 @@ var _ tools.Tool = &MockTool{}
 
 // MockTool is used to mock tools in tests
 type MockTool struct {
-	Name        string
-	Description string
-	Params      []tools.Parameter
-	manifest    tools.Manifest
+	Name                         string
+	Description                  string
+	Params                       []tools.Parameter
+	manifest                     tools.Manifest
+	unauthorized                 bool
+	requiresClientAuthrorization bool
 }
 
-func (t MockTool) Invoke(context.Context, tools.ParamValues) (any, error) {
+func (t MockTool) Invoke(context.Context, tools.ParamValues, tools.AccessToken) (any, error) {
 	mock := []any{t.Name}
 	return mock, nil
 }
@@ -59,8 +61,15 @@ func (t MockTool) Manifest() tools.Manifest {
 	}
 	return tools.Manifest{Description: t.Description, Parameters: pMs}
 }
+
 func (t MockTool) Authorized(verifiedAuthServices []string) bool {
-	return true
+	// defaulted to true
+	return !t.unauthorized
+}
+
+func (t MockTool) RequiresClientAuthorization() bool {
+	// defaulted to false
+	return t.requiresClientAuthrorization
 }
 
 func (t MockTool) McpManifest() tools.McpManifest {
@@ -107,6 +116,18 @@ var tool3 = MockTool{
 	},
 }
 
+var tool4 = MockTool{
+	Name:         "unauthorized_tool",
+	Params:       []tools.Parameter{},
+	unauthorized: true,
+}
+
+var tool5 = MockTool{
+	Name:                         "require_client_auth_tool",
+	Params:                       []tools.Parameter{},
+	requiresClientAuthrorization: true,
+}
+
 // setUpResources setups resources to test against
 func setUpResources(t *testing.T, mockTools []MockTool) (map[string]tools.Tool, map[string]tools.Toolset) {
 	toolsMap := make(map[string]tools.Tool)

internal/server/config.go

@@ -218,6 +218,11 @@ func (c *ToolConfigs) UnmarshalYAML(ctx context.Context, unmarshal func(interfac
 			return fmt.Errorf("unable to unmarshal %q: %w", name, err)
 		}
 
+		// `authRequired` and `useClientOAuth` cannot be specified together
+		if v["authRequired"] != nil && v["useClientOAuth"] == true {
+			return fmt.Errorf("`authRequired` and `useClientOAuth` are mutually exclusive. Choose only one authentication method")
+		}
+
 		// Make `authRequired` an empty list instead of nil for Tool manifest
 		if v["authRequired"] == nil {
 			v["authRequired"] = []string{}

internal/server/mcp.go

@@ -19,9 +19,11 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
+	"strings"
 	"sync"
 	"time"
 
@@ -34,6 +36,7 @@ import (
 	mcputil "github.com/googleapis/genai-toolbox/internal/server/mcp/util"
 	v20241105 "github.com/googleapis/genai-toolbox/internal/server/mcp/v20241105"
 	v20250326 "github.com/googleapis/genai-toolbox/internal/server/mcp/v20250326"
+	"github.com/googleapis/genai-toolbox/internal/tools"
 	"github.com/googleapis/genai-toolbox/internal/util"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/codes"
@@ -141,7 +144,7 @@ func (s *stdioSession) readInputStream(ctx context.Context) error {
 			}
 			return err
 		}
-		v, res, err := processMcpMessage(ctx, []byte(line), s.server, s.protocol, "")
+		v, res, err := processMcpMessage(ctx, []byte(line), s.server, s.protocol, "", nil)
 		if err != nil {
 			// errors during the processing of message will generate a valid MCP Error response.
 			// server can continue to run.
@@ -329,6 +332,8 @@ func methodNotAllowed(s *Server, w http.ResponseWriter, r *http.Request) {
 
 // httpHandler handles all mcp messages.
 func httpHandler(s *Server, w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
 	ctx, span := s.instrumentation.Tracer.Start(r.Context(), "toolbox/server/mcp")
 	r = r.WithContext(ctx)
 	ctx = util.WithLogger(r.Context(), s.logger)
@@ -401,7 +406,11 @@ func httpHandler(s *Server, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	v, res, err := processMcpMessage(ctx, body, s, protocolVersion, toolsetName)
+	v, res, err := processMcpMessage(ctx, body, s, protocolVersion, toolsetName, r.Header)
+	if err != nil {
+		s.logger.DebugContext(ctx, fmt.Errorf("error processing message: %w", err).Error())
+	}
+
 	// notifications will return empty string
 	if res == nil {
 		// Notifications do not expect a response
@@ -409,9 +418,6 @@ func httpHandler(s *Server, w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusAccepted)
 		return
 	}
-	if err != nil {
-		s.logger.DebugContext(ctx, err.Error())
-	}
 
 	// for v20250326, add the `Mcp-Session-Id` header
 	if v == v20250326.PROTOCOL_VERSION {
@@ -431,13 +437,29 @@ func httpHandler(s *Server, w http.ResponseWriter, r *http.Request) {
 			s.logger.DebugContext(ctx, "unable to add to event queue")
 		}
 	}
+	if rpcResponse, ok := res.(jsonrpc.JSONRPCError); ok {
+		code := rpcResponse.Error.Code
+		switch code {
+		case jsonrpc.INTERNAL_ERROR:
+			w.WriteHeader(http.StatusInternalServerError)
+		case jsonrpc.INVALID_REQUEST:
+			errStr := err.Error()
+			if errors.Is(err, tools.ErrUnauthorized) {
+				w.WriteHeader(http.StatusUnauthorized)
+			} else if strings.Contains(errStr, "Error 401") {
+				w.WriteHeader(http.StatusUnauthorized)
+			} else if strings.Contains(errStr, "Error 403") {
+				w.WriteHeader(http.StatusForbidden)
+			}
+		}
+	}
 
 	// send HTTP response
 	render.JSON(w, r, res)
 }
 
 // processMcpMessage process the messages received from clients
-func processMcpMessage(ctx context.Context, body []byte, s *Server, protocolVersion string, toolsetName string) (string, any, error) {
+func processMcpMessage(ctx context.Context, body []byte, s *Server, protocolVersion string, toolsetName string, header http.Header) (string, any, error) {
 	logger, err := util.LoggerFromContext(ctx)
 	if err != nil {
 		return "", jsonrpc.NewError("", jsonrpc.INTERNAL_ERROR, err.Error(), nil), err
@@ -492,7 +514,7 @@ func processMcpMessage(ctx context.Context, body []byte, s *Server, protocolVers
 			err = fmt.Errorf("toolset does not exist")
 			return "", jsonrpc.NewError(baseMessage.Id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
 		}
-		res, err := mcp.ProcessMethod(ctx, protocolVersion, baseMessage.Id, baseMessage.Method, toolset, s.ResourceMgr.GetToolsMap(), body)
+		res, err := mcp.ProcessMethod(ctx, protocolVersion, baseMessage.Id, baseMessage.Method, toolset, s.ResourceMgr.GetToolsMap(), s.ResourceMgr.GetAuthServiceMap(), body, header)
 		return "", res, err
 	}
 }

internal/server/mcp/jsonrpc/jsonrpc_test.go

@@ -0,0 +1,39 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package jsonrpc
+
+import (
+	"reflect"
+	"testing"
+)
+
+func TestNewError(t *testing.T) {
+	var id interface{} = "foo"
+	code := 111
+	message := "foo bar"
+	want := JSONRPCError{
+		Jsonrpc: "2.0",
+		Id:      "foo",
+		Error: Error{
+			Code:    111,
+			Message: "foo bar",
+		},
+	}
+
+	got := NewError(id, code, message, nil)
+	if !reflect.DeepEqual(want, got) {
+		t.Fatalf("unexpected error: got %+v, want %+v", got, want)
+	}
+}

internal/server/mcp/mcp.go

@@ -18,8 +18,10 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"net/http"
 	"slices"
 
+	"github.com/googleapis/genai-toolbox/internal/auth"
 	"github.com/googleapis/genai-toolbox/internal/server/mcp/jsonrpc"
 	mcputil "github.com/googleapis/genai-toolbox/internal/server/mcp/util"
 	v20241105 "github.com/googleapis/genai-toolbox/internal/server/mcp/v20241105"
@@ -93,14 +95,14 @@ func NotificationHandler(ctx context.Context, body []byte) error {
 
 // ProcessMethod returns a response for the request.
 // This is the Operation phase of the lifecycle for MCP client-server connections.
-func ProcessMethod(ctx context.Context, mcpVersion string, id jsonrpc.RequestId, method string, toolset tools.Toolset, tools map[string]tools.Tool, body []byte) (any, error) {
+func ProcessMethod(ctx context.Context, mcpVersion string, id jsonrpc.RequestId, method string, toolset tools.Toolset, tools map[string]tools.Tool, authServices map[string]auth.AuthService, body []byte, header http.Header) (any, error) {
 	switch mcpVersion {
 	case v20250618.PROTOCOL_VERSION:
-		return v20250618.ProcessMethod(ctx, id, method, toolset, tools, body)
+		return v20250618.ProcessMethod(ctx, id, method, toolset, tools, authServices, body, header)
 	case v20250326.PROTOCOL_VERSION:
-		return v20250326.ProcessMethod(ctx, id, method, toolset, tools, body)
+		return v20250326.ProcessMethod(ctx, id, method, toolset, tools, authServices, body, header)
 	default:
-		return v20241105.ProcessMethod(ctx, id, method, toolset, tools, body)
+		return v20241105.ProcessMethod(ctx, id, method, toolset, tools, authServices, body, header)
 	}
 }
 

internal/server/mcp/util/lifecycle.go

@@ -14,7 +14,9 @@
 
 package util
 
-import "github.com/googleapis/genai-toolbox/internal/server/mcp/jsonrpc"
+import (
+	"github.com/googleapis/genai-toolbox/internal/server/mcp/jsonrpc"
+)
 
 const (
 	// SERVER_NAME is the server name used in Implementation.

internal/server/mcp/v20241105/method.go

@@ -18,26 +18,41 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
+	"net/http"
+	"strings"
 
+	"github.com/googleapis/genai-toolbox/internal/auth"
 	"github.com/googleapis/genai-toolbox/internal/server/mcp/jsonrpc"
 	"github.com/googleapis/genai-toolbox/internal/tools"
 	"github.com/googleapis/genai-toolbox/internal/util"
 )
 
 // ProcessMethod returns a response for the request.
-func ProcessMethod(ctx context.Context, id jsonrpc.RequestId, method string, toolset tools.Toolset, tools map[string]tools.Tool, body []byte) (any, error) {
+func ProcessMethod(ctx context.Context, id jsonrpc.RequestId, method string, toolset tools.Toolset, tools map[string]tools.Tool, authServices map[string]auth.AuthService, body []byte, header http.Header) (any, error) {
 	switch method {
+	case PING:
+		return pingHandler(id)
 	case TOOLS_LIST:
 		return toolsListHandler(id, toolset, body)
 	case TOOLS_CALL:
-		return toolsCallHandler(ctx, id, tools, body)
+		return toolsCallHandler(ctx, id, tools, authServices, body, header)
 	default:
 		err := fmt.Errorf("invalid method %s", method)
 		return jsonrpc.NewError(id, jsonrpc.METHOD_NOT_FOUND, err.Error(), nil), err
 	}
 }
 
+// pingHandler handles the "ping" method by returning an empty response.
+func pingHandler(id jsonrpc.RequestId) (any, error) {
+	return jsonrpc.JSONRPCResponse{
+		Jsonrpc: jsonrpc.JSONRPC_VERSION,
+		Id:      id,
+		Result:  struct{}{},
+	}, nil
+}
+
 func toolsListHandler(id jsonrpc.RequestId, toolset tools.Toolset, body []byte) (any, error) {
 	var req ListToolsRequest
 	if err := json.Unmarshal(body, &req); err != nil {
@@ -56,7 +71,7 @@ func toolsListHandler(id jsonrpc.RequestId, toolset tools.Toolset, body []byte)
 }
 
 // toolsCallHandler generate a response for tools call.
-func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[string]tools.Tool, body []byte) (any, error) {
+func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, toolsMap map[string]tools.Tool, authServices map[string]auth.AuthService, body []byte, header http.Header) (any, error) {
 	// retrieve logger from context
 	logger, err := util.LoggerFromContext(ctx)
 	if err != nil {
@@ -72,12 +87,22 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[strin
 	toolName := req.Params.Name
 	toolArgument := req.Params.Arguments
 	logger.DebugContext(ctx, fmt.Sprintf("tool name: %s", toolName))
-	tool, ok := tools[toolName]
+	tool, ok := toolsMap[toolName]
 	if !ok {
 		err = fmt.Errorf("invalid tool name: tool with name %q does not exist", toolName)
 		return jsonrpc.NewError(id, jsonrpc.INVALID_PARAMS, err.Error(), nil), err
 	}
 
+	// Get access token
+	accessToken := tools.AccessToken(header.Get("Authorization"))
+
+	// Check if this specific tool requires the standard authorization header
+	if tool.RequiresClientAuthorization() {
+		if accessToken == "" {
+			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, "missing access token in the 'Authorization' header", nil), tools.ErrUnauthorized
+		}
+	}
+
 	// marshal arguments and decode it using decodeJSON instead to prevent loss between floats/int.
 	aMarshal, err := json.Marshal(toolArgument)
 	if err != nil {
@@ -91,10 +116,42 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[strin
 		return jsonrpc.NewError(id, jsonrpc.INTERNAL_ERROR, err.Error(), nil), err
 	}
 
+	// Tool authentication
 	// claimsFromAuth maps the name of the authservice to the claims retrieved from it.
-	// Since MCP doesn't support auth, an empty map will be use every time.
 	claimsFromAuth := make(map[string]map[string]any)
 
+	// if using stdio, header will be nil and auth will not be supported
+	if header != nil {
+		for _, aS := range authServices {
+			claims, err := aS.GetClaimsFromHeader(ctx, header)
+			if err != nil {
+				logger.DebugContext(ctx, err.Error())
+				continue
+			}
+			if claims == nil {
+				// authService not present in header
+				continue
+			}
+			claimsFromAuth[aS.GetName()] = claims
+		}
+	}
+
+	// Tool authorization check
+	verifiedAuthServices := make([]string, len(claimsFromAuth))
+	i := 0
+	for k := range claimsFromAuth {
+		verifiedAuthServices[i] = k
+		i++
+	}
+
+	// Check if any of the specified auth services is verified
+	isAuthorized := tool.Authorized(verifiedAuthServices)
+	if !isAuthorized {
+		err = fmt.Errorf("unauthorized Tool call: Please make sure your specify correct auth headers: %w", tools.ErrUnauthorized)
+		return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
+	}
+	logger.DebugContext(ctx, "tool invocation authorized")
+
 	params, err := tool.ParseParams(data, claimsFromAuth)
 	if err != nil {
 		err = fmt.Errorf("provided parameters were invalid: %w", err)
@@ -102,14 +159,24 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[strin
 	}
 	logger.DebugContext(ctx, fmt.Sprintf("invocation params: %s", params))
 
-	if !tool.Authorized([]string{}) {
-		err = fmt.Errorf("unauthorized Tool call: `authRequired` is set for the target Tool")
-		return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
-	}
-
 	// run tool invocation and generate response.
-	results, err := tool.Invoke(ctx, params)
+	results, err := tool.Invoke(ctx, params, accessToken)
 	if err != nil {
+		errStr := err.Error()
+		// Missing authService tokens.
+		if errors.Is(err, tools.ErrUnauthorized) {
+			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
+		}
+		// Upstream auth error
+		if strings.Contains(errStr, "Error 401") || strings.Contains(errStr, "Error 403") {
+			if tool.RequiresClientAuthorization() {
+				// Error with client credentials should pass down to the client
+				return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
+			}
+			// Auth error with ADC should raise internal 500 error
+			return jsonrpc.NewError(id, jsonrpc.INTERNAL_ERROR, err.Error(), nil), err
+		}
+
 		text := TextContent{
 			Type: "text",
 			Text: err.Error(),

internal/server/mcp/v20241105/types.go

@@ -27,6 +27,7 @@ const PROTOCOL_VERSION = "2024-11-05"
 
 // methods that are supported.
 const (
+	PING       = "ping"
 	TOOLS_LIST = "tools/list"
 	TOOLS_CALL = "tools/call"
 )

internal/server/mcp/v20250326/method.go

@@ -18,26 +18,41 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
+	"net/http"
+	"strings"
 
+	"github.com/googleapis/genai-toolbox/internal/auth"
 	"github.com/googleapis/genai-toolbox/internal/server/mcp/jsonrpc"
 	"github.com/googleapis/genai-toolbox/internal/tools"
 	"github.com/googleapis/genai-toolbox/internal/util"
 )
 
 // ProcessMethod returns a response for the request.
-func ProcessMethod(ctx context.Context, id jsonrpc.RequestId, method string, toolset tools.Toolset, tools map[string]tools.Tool, body []byte) (any, error) {
+func ProcessMethod(ctx context.Context, id jsonrpc.RequestId, method string, toolset tools.Toolset, tools map[string]tools.Tool, authServices map[string]auth.AuthService, body []byte, header http.Header) (any, error) {
 	switch method {
+	case PING:
+		return pingHandler(id)
 	case TOOLS_LIST:
 		return toolsListHandler(id, toolset, body)
 	case TOOLS_CALL:
-		return toolsCallHandler(ctx, id, tools, body)
+		return toolsCallHandler(ctx, id, tools, authServices, body, header)
 	default:
 		err := fmt.Errorf("invalid method %s", method)
 		return jsonrpc.NewError(id, jsonrpc.METHOD_NOT_FOUND, err.Error(), nil), err
 	}
 }
 
+// pingHandler handles the "ping" method by returning an empty response.
+func pingHandler(id jsonrpc.RequestId) (any, error) {
+	return jsonrpc.JSONRPCResponse{
+		Jsonrpc: jsonrpc.JSONRPC_VERSION,
+		Id:      id,
+		Result:  struct{}{},
+	}, nil
+}
+
 func toolsListHandler(id jsonrpc.RequestId, toolset tools.Toolset, body []byte) (any, error) {
 	var req ListToolsRequest
 	if err := json.Unmarshal(body, &req); err != nil {
@@ -56,7 +71,7 @@ func toolsListHandler(id jsonrpc.RequestId, toolset tools.Toolset, body []byte)
 }
 
 // toolsCallHandler generate a response for tools call.
-func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[string]tools.Tool, body []byte) (any, error) {
+func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, toolsMap map[string]tools.Tool, authServices map[string]auth.AuthService, body []byte, header http.Header) (any, error) {
 	// retrieve logger from context
 	logger, err := util.LoggerFromContext(ctx)
 	if err != nil {
@@ -72,12 +87,22 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[strin
 	toolName := req.Params.Name
 	toolArgument := req.Params.Arguments
 	logger.DebugContext(ctx, fmt.Sprintf("tool name: %s", toolName))
-	tool, ok := tools[toolName]
+	tool, ok := toolsMap[toolName]
 	if !ok {
 		err = fmt.Errorf("invalid tool name: tool with name %q does not exist", toolName)
 		return jsonrpc.NewError(id, jsonrpc.INVALID_PARAMS, err.Error(), nil), err
 	}
 
+	// Get access token
+	accessToken := tools.AccessToken(header.Get("Authorization"))
+
+	// Check if this specific tool requires the standard authorization header
+	if tool.RequiresClientAuthorization() {
+		if accessToken == "" {
+			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, "missing access token in the 'Authorization' header", nil), tools.ErrUnauthorized
+		}
+	}
+
 	// marshal arguments and decode it using decodeJSON instead to prevent loss between floats/int.
 	aMarshal, err := json.Marshal(toolArgument)
 	if err != nil {
@@ -91,10 +116,42 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[strin
 		return jsonrpc.NewError(id, jsonrpc.INTERNAL_ERROR, err.Error(), nil), err
 	}
 
+	// Tool authentication
 	// claimsFromAuth maps the name of the authservice to the claims retrieved from it.
-	// Since MCP doesn't support auth, an empty map will be use every time.
 	claimsFromAuth := make(map[string]map[string]any)
 
+	// if using stdio, header will be nil and auth will not be supported
+	if header != nil {
+		for _, aS := range authServices {
+			claims, err := aS.GetClaimsFromHeader(ctx, header)
+			if err != nil {
+				logger.DebugContext(ctx, err.Error())
+				continue
+			}
+			if claims == nil {
+				// authService not present in header
+				continue
+			}
+			claimsFromAuth[aS.GetName()] = claims
+		}
+	}
+
+	// Tool authorization check
+	verifiedAuthServices := make([]string, len(claimsFromAuth))
+	i := 0
+	for k := range claimsFromAuth {
+		verifiedAuthServices[i] = k
+		i++
+	}
+
+	// Check if any of the specified auth services is verified
+	isAuthorized := tool.Authorized(verifiedAuthServices)
+	if !isAuthorized {
+		err = fmt.Errorf("unauthorized Tool call: Please make sure your specify correct auth headers: %w", tools.ErrUnauthorized)
+		return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
+	}
+	logger.DebugContext(ctx, "tool invocation authorized")
+
 	params, err := tool.ParseParams(data, claimsFromAuth)
 	if err != nil {
 		err = fmt.Errorf("provided parameters were invalid: %w", err)
@@ -102,14 +159,23 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[strin
 	}
 	logger.DebugContext(ctx, fmt.Sprintf("invocation params: %s", params))
 
-	if !tool.Authorized([]string{}) {
-		err = fmt.Errorf("unauthorized Tool call: `authRequired` is set for the target Tool")
-		return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
-	}
-
 	// run tool invocation and generate response.
-	results, err := tool.Invoke(ctx, params)
+	results, err := tool.Invoke(ctx, params, accessToken)
 	if err != nil {
+		errStr := err.Error()
+		// Missing authService tokens.
+		if errors.Is(err, tools.ErrUnauthorized) {
+			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
+		}
+		// Upstream auth error
+		if strings.Contains(errStr, "Error 401") || strings.Contains(errStr, "Error 403") {
+			if tool.RequiresClientAuthorization() {
+				// Error with client credentials should pass down to the client
+				return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
+			}
+			// Auth error with ADC should raise internal 500 error
+			return jsonrpc.NewError(id, jsonrpc.INTERNAL_ERROR, err.Error(), nil), err
+		}
 		text := TextContent{
 			Type: "text",
 			Text: err.Error(),

internal/server/mcp/v20250326/types.go

@@ -27,6 +27,7 @@ const PROTOCOL_VERSION = "2025-03-26"
 
 // methods that are supported.
 const (
+	PING       = "ping"
 	TOOLS_LIST = "tools/list"
 	TOOLS_CALL = "tools/call"
 )

internal/server/mcp/v20250618/method.go

@@ -18,26 +18,41 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
+	"net/http"
+	"strings"
 
+	"github.com/googleapis/genai-toolbox/internal/auth"
 	"github.com/googleapis/genai-toolbox/internal/server/mcp/jsonrpc"
 	"github.com/googleapis/genai-toolbox/internal/tools"
 	"github.com/googleapis/genai-toolbox/internal/util"
 )
 
 // ProcessMethod returns a response for the request.
-func ProcessMethod(ctx context.Context, id jsonrpc.RequestId, method string, toolset tools.Toolset, tools map[string]tools.Tool, body []byte) (any, error) {
+func ProcessMethod(ctx context.Context, id jsonrpc.RequestId, method string, toolset tools.Toolset, tools map[string]tools.Tool, authServices map[string]auth.AuthService, body []byte, header http.Header) (any, error) {
 	switch method {
+	case PING:
+		return pingHandler(id)
 	case TOOLS_LIST:
 		return toolsListHandler(id, toolset, body)
 	case TOOLS_CALL:
-		return toolsCallHandler(ctx, id, tools, body)
+		return toolsCallHandler(ctx, id, tools, authServices, body, header)
 	default:
 		err := fmt.Errorf("invalid method %s", method)
 		return jsonrpc.NewError(id, jsonrpc.METHOD_NOT_FOUND, err.Error(), nil), err
 	}
 }
 
+// pingHandler handles the "ping" method by returning an empty response.
+func pingHandler(id jsonrpc.RequestId) (any, error) {
+	return jsonrpc.JSONRPCResponse{
+		Jsonrpc: jsonrpc.JSONRPC_VERSION,
+		Id:      id,
+		Result:  struct{}{},
+	}, nil
+}
+
 func toolsListHandler(id jsonrpc.RequestId, toolset tools.Toolset, body []byte) (any, error) {
 	var req ListToolsRequest
 	if err := json.Unmarshal(body, &req); err != nil {
@@ -56,7 +71,7 @@ func toolsListHandler(id jsonrpc.RequestId, toolset tools.Toolset, body []byte)
 }
 
 // toolsCallHandler generate a response for tools call.
-func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[string]tools.Tool, body []byte) (any, error) {
+func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, toolsMap map[string]tools.Tool, authServices map[string]auth.AuthService, body []byte, header http.Header) (any, error) {
 	// retrieve logger from context
 	logger, err := util.LoggerFromContext(ctx)
 	if err != nil {
@@ -72,12 +87,22 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[strin
 	toolName := req.Params.Name
 	toolArgument := req.Params.Arguments
 	logger.DebugContext(ctx, fmt.Sprintf("tool name: %s", toolName))
-	tool, ok := tools[toolName]
+	tool, ok := toolsMap[toolName]
 	if !ok {
 		err = fmt.Errorf("invalid tool name: tool with name %q does not exist", toolName)
 		return jsonrpc.NewError(id, jsonrpc.INVALID_PARAMS, err.Error(), nil), err
 	}
 
+	// Get access token
+	accessToken := tools.AccessToken(header.Get("Authorization"))
+
+	// Check if this specific tool requires the standard authorization header
+	if tool.RequiresClientAuthorization() {
+		if accessToken == "" {
+			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, "missing access token in the 'Authorization' header", nil), tools.ErrUnauthorized
+		}
+	}
+
 	// marshal arguments and decode it using decodeJSON instead to prevent loss between floats/int.
 	aMarshal, err := json.Marshal(toolArgument)
 	if err != nil {
@@ -91,10 +116,42 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[strin
 		return jsonrpc.NewError(id, jsonrpc.INTERNAL_ERROR, err.Error(), nil), err
 	}
 
+	// Tool authentication
 	// claimsFromAuth maps the name of the authservice to the claims retrieved from it.
-	// Since MCP doesn't support auth, an empty map will be use every time.
 	claimsFromAuth := make(map[string]map[string]any)
 
+	// if using stdio, header will be nil and auth will not be supported
+	if header != nil {
+		for _, aS := range authServices {
+			claims, err := aS.GetClaimsFromHeader(ctx, header)
+			if err != nil {
+				logger.DebugContext(ctx, err.Error())
+				continue
+			}
+			if claims == nil {
+				// authService not present in header
+				continue
+			}
+			claimsFromAuth[aS.GetName()] = claims
+		}
+	}
+
+	// Tool authorization check
+	verifiedAuthServices := make([]string, len(claimsFromAuth))
+	i := 0
+	for k := range claimsFromAuth {
+		verifiedAuthServices[i] = k
+		i++
+	}
+
+	// Check if any of the specified auth services is verified
+	isAuthorized := tool.Authorized(verifiedAuthServices)
+	if !isAuthorized {
+		err = fmt.Errorf("unauthorized Tool call: Please make sure your specify correct auth headers: %w", tools.ErrUnauthorized)
+		return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
+	}
+	logger.DebugContext(ctx, "tool invocation authorized")
+
 	params, err := tool.ParseParams(data, claimsFromAuth)
 	if err != nil {
 		err = fmt.Errorf("provided parameters were invalid: %w", err)
@@ -102,14 +159,23 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[strin
 	}
 	logger.DebugContext(ctx, fmt.Sprintf("invocation params: %s", params))
 
-	if !tool.Authorized([]string{}) {
-		err = fmt.Errorf("unauthorized Tool call: `authRequired` is set for the target Tool")
-		return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
-	}
-
 	// run tool invocation and generate response.
-	results, err := tool.Invoke(ctx, params)
+	results, err := tool.Invoke(ctx, params, accessToken)
 	if err != nil {
+		errStr := err.Error()
+		// Missing authService tokens.
+		if errors.Is(err, tools.ErrUnauthorized) {
+			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
+		}
+		// Upstream auth error
+		if strings.Contains(errStr, "Error 401") || strings.Contains(errStr, "Error 403") {
+			if tool.RequiresClientAuthorization() {
+				// Error with client credentials should pass down to the client
+				return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
+			}
+			// Auth error with ADC should raise internal 500 error
+			return jsonrpc.NewError(id, jsonrpc.INTERNAL_ERROR, err.Error(), nil), err
+		}
 		text := TextContent{
 			Type: "text",
 			Text: err.Error(),

internal/server/mcp/v20250618/types.go

@@ -27,6 +27,7 @@ const PROTOCOL_VERSION = "2025-06-18"
 
 // methods that are supported.
 const (
+	PING       = "ping"
 	TOOLS_LIST = "tools/list"
 	TOOLS_CALL = "tools/call"
 )

internal/server/mcp_test.go

@@ -39,7 +39,7 @@ const protocolVersion20250326 = "2025-03-26"
 const protocolVersion20250618 = "2025-06-18"
 const serverName = "Toolbox"
 
-var tool1InputSchema = map[string]any{
+var basicInputSchema = map[string]any{
 	"type":       "object",
 	"properties": map[string]any{},
 	"required":   []any{},
@@ -67,7 +67,7 @@ var tool3InputSchema = map[string]any{
 }
 
 func TestMcpEndpointWithoutInitialized(t *testing.T) {
-	mockTools := []MockTool{tool1, tool2, tool3}
+	mockTools := []MockTool{tool1, tool2, tool3, tool4, tool5}
 	toolsMap, toolsets := setUpResources(t, mockTools)
 	r, shutdown := setUpServer(t, "mcp", toolsMap, toolsets)
 	defer shutdown()
@@ -81,6 +81,23 @@ func TestMcpEndpointWithoutInitialized(t *testing.T) {
 		body  jsonrpc.JSONRPCRequest
 		want  map[string]any
 	}{
+		{
+			name: "ping",
+			url:  "/",
+			body: jsonrpc.JSONRPCRequest{
+				Jsonrpc: jsonrpcVersion,
+				Id:      "ping-test-123",
+				Request: jsonrpc.Request{
+					Method: "ping",
+				},
+			},
+			isErr: false,
+			want: map[string]any{
+				"jsonrpc": "2.0",
+				"id":      "ping-test-123",
+				"result":  map[string]any{},
+			},
+		},
 		{
 			name: "tools/list",
 			url:  "/",
@@ -99,7 +116,7 @@ func TestMcpEndpointWithoutInitialized(t *testing.T) {
 					"tools": []any{
 						map[string]any{
 							"name":        "no_params",
-							"inputSchema": tool1InputSchema,
+							"inputSchema": basicInputSchema,
 						},
 						map[string]any{
 							"name":        "some_params",
@@ -110,6 +127,14 @@ func TestMcpEndpointWithoutInitialized(t *testing.T) {
 							"description": "some description",
 							"inputSchema": tool3InputSchema,
 						},
+						map[string]any{
+							"name":        "unauthorized_tool",
+							"inputSchema": basicInputSchema,
+						},
+						map[string]any{
+							"name":        "require_client_auth_tool",
+							"inputSchema": basicInputSchema,
+						},
 					},
 				},
 			},
@@ -152,6 +177,76 @@ func TestMcpEndpointWithoutInitialized(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "call tool1 unauthorized tool",
+			url:  "/",
+			body: jsonrpc.JSONRPCRequest{
+				Jsonrpc: jsonrpcVersion,
+				Id:      "tools-call-tool1",
+				Request: jsonrpc.Request{
+					Method: "tools/call",
+				},
+				Params: map[string]any{
+					"name": "no_params",
+				},
+			},
+			want: map[string]any{
+				"jsonrpc": "2.0",
+				"id":      "tools-call-tool1",
+				"result": map[string]any{
+					"content": []any{
+						map[string]any{
+							"type": "text",
+							"text": `"no_params"`,
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "call tool4 unauthorized tool",
+			url:  "/",
+			body: jsonrpc.JSONRPCRequest{
+				Jsonrpc: jsonrpcVersion,
+				Id:      "tools-call-tool4",
+				Request: jsonrpc.Request{
+					Method: "tools/call",
+				},
+				Params: map[string]any{
+					"name": "unauthorized_tool",
+				},
+			},
+			want: map[string]any{
+				"jsonrpc": "2.0",
+				"id":      "tools-call-tool4",
+				"error": map[string]any{
+					"code":    -32600.0,
+					"message": "unauthorized Tool call: Please make sure your specify correct auth headers: unauthorized",
+				},
+			},
+		},
+		{
+			name: "call tool5 unauthorized tool",
+			url:  "/",
+			body: jsonrpc.JSONRPCRequest{
+				Jsonrpc: jsonrpcVersion,
+				Id:      "tools-call-tool5",
+				Request: jsonrpc.Request{
+					Method: "tools/call",
+				},
+				Params: map[string]any{
+					"name": "require_client_auth_tool",
+				},
+			},
+			want: map[string]any{
+				"jsonrpc": "2.0",
+				"id":      "tools-call-tool5",
+				"error": map[string]any{
+					"code":    -32600.0,
+					"message": "missing access token in the 'Authorization' header",
+				},
+			},
+		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
@@ -241,7 +336,7 @@ func runInitializeLifecycle(t *testing.T, ts *httptest.Server, protocolVersion s
 }
 
 func TestMcpEndpoint(t *testing.T) {
-	mockTools := []MockTool{tool1, tool2, tool3}
+	mockTools := []MockTool{tool1, tool2, tool3, tool4, tool5}
 	toolsMap, toolsets := setUpResources(t, mockTools)
 	r, shutdown := setUpServer(t, "mcp", toolsMap, toolsets)
 	defer shutdown()
@@ -317,11 +412,12 @@ func TestMcpEndpoint(t *testing.T) {
 			}
 
 			testCases := []struct {
-				name  string
-				url   string
-				isErr bool
-				body  any
-				want  map[string]any
+				name           string
+				url            string
+				isErr          bool
+				body           any
+				wantStatusCode int
+				want           map[string]any
 			}{
 				{
 					name: "basic notification",
@@ -332,6 +428,24 @@ func TestMcpEndpoint(t *testing.T) {
 							Method: "notification",
 						},
 					},
+					wantStatusCode: http.StatusAccepted,
+				},
+				{
+					name: "ping",
+					url:  "/",
+					body: jsonrpc.JSONRPCRequest{
+						Jsonrpc: jsonrpcVersion,
+						Id:      "ping-test-123",
+						Request: jsonrpc.Request{
+							Method: "ping",
+						},
+					},
+					wantStatusCode: http.StatusOK,
+					want: map[string]any{
+						"jsonrpc": "2.0",
+						"id":      "ping-test-123",
+						"result":  map[string]any{},
+					},
 				},
 				{
 					name: "tools/list",
@@ -343,6 +457,7 @@ func TestMcpEndpoint(t *testing.T) {
 							Method: "tools/list",
 						},
 					},
+					wantStatusCode: http.StatusOK,
 					want: map[string]any{
 						"jsonrpc": "2.0",
 						"id":      "tools-list",
@@ -350,7 +465,7 @@ func TestMcpEndpoint(t *testing.T) {
 							"tools": []any{
 								map[string]any{
 									"name":        "no_params",
-									"inputSchema": tool1InputSchema,
+									"inputSchema": basicInputSchema,
 								},
 								map[string]any{
 									"name":        "some_params",
@@ -361,6 +476,14 @@ func TestMcpEndpoint(t *testing.T) {
 									"description": "some description",
 									"inputSchema": tool3InputSchema,
 								},
+								map[string]any{
+									"name":        "unauthorized_tool",
+									"inputSchema": basicInputSchema,
+								},
+								map[string]any{
+									"name":        "require_client_auth_tool",
+									"inputSchema": basicInputSchema,
+								},
 							},
 						},
 					},
@@ -375,6 +498,7 @@ func TestMcpEndpoint(t *testing.T) {
 							Method: "tools/list",
 						},
 					},
+					wantStatusCode: http.StatusOK,
 					want: map[string]any{
 						"jsonrpc": "2.0",
 						"id":      "tools-list-tool1",
@@ -382,7 +506,7 @@ func TestMcpEndpoint(t *testing.T) {
 							"tools": []any{
 								map[string]any{
 									"name":        "no_params",
-									"inputSchema": tool1InputSchema,
+									"inputSchema": basicInputSchema,
 								},
 							},
 						},
@@ -399,6 +523,7 @@ func TestMcpEndpoint(t *testing.T) {
 							Method: "tools/list",
 						},
 					},
+					wantStatusCode: http.StatusOK,
 					want: map[string]any{
 						"jsonrpc": "2.0",
 						"id":      "tools-list-invalid-toolset",
@@ -417,6 +542,7 @@ func TestMcpEndpoint(t *testing.T) {
 						Id:      "missing-method",
 						Request: jsonrpc.Request{},
 					},
+					wantStatusCode: http.StatusOK,
 					want: map[string]any{
 						"jsonrpc": "2.0",
 						"id":      "missing-method",
@@ -437,6 +563,7 @@ func TestMcpEndpoint(t *testing.T) {
 							Method: "foo",
 						},
 					},
+					wantStatusCode: http.StatusOK,
 					want: map[string]any{
 						"jsonrpc": "2.0",
 						"id":      "invalid-method",
@@ -457,6 +584,7 @@ func TestMcpEndpoint(t *testing.T) {
 							Method: "foo",
 						},
 					},
+					wantStatusCode: http.StatusOK,
 					want: map[string]any{
 						"jsonrpc": "2.0",
 						"id":      "invalid-jsonrpc-version",
@@ -486,6 +614,7 @@ func TestMcpEndpoint(t *testing.T) {
 							},
 						},
 					},
+					wantStatusCode: http.StatusOK,
 					want: map[string]any{
 						"jsonrpc": "2.0",
 						"error": map[string]any{
@@ -494,6 +623,79 @@ func TestMcpEndpoint(t *testing.T) {
 						},
 					},
 				},
+				{
+					name: "call tool1 unauthorized tool",
+					url:  "/",
+					body: jsonrpc.JSONRPCRequest{
+						Jsonrpc: jsonrpcVersion,
+						Id:      "tools-call-tool1",
+						Request: jsonrpc.Request{
+							Method: "tools/call",
+						},
+						Params: map[string]any{
+							"name": "no_params",
+						},
+					},
+					wantStatusCode: http.StatusOK,
+					want: map[string]any{
+						"jsonrpc": "2.0",
+						"id":      "tools-call-tool1",
+						"result": map[string]any{
+							"content": []any{
+								map[string]any{
+									"type": "text",
+									"text": `"no_params"`,
+								},
+							},
+						},
+					},
+				},
+				{
+					name: "call tool4 unauthorized tool",
+					url:  "/",
+					body: jsonrpc.JSONRPCRequest{
+						Jsonrpc: jsonrpcVersion,
+						Id:      "tools-call-tool4",
+						Request: jsonrpc.Request{
+							Method: "tools/call",
+						},
+						Params: map[string]any{
+							"name": "unauthorized_tool",
+						},
+					},
+					wantStatusCode: http.StatusUnauthorized,
+					want: map[string]any{
+						"jsonrpc": "2.0",
+						"id":      "tools-call-tool4",
+						"error": map[string]any{
+							"code":    -32600.0,
+							"message": "unauthorized Tool call: Please make sure your specify correct auth headers: unauthorized",
+						},
+					},
+				},
+				{
+					name: "call tool5 unauthorized tool",
+					url:  "/",
+					body: jsonrpc.JSONRPCRequest{
+						Jsonrpc: jsonrpcVersion,
+						Id:      "tools-call-tool5",
+						Request: jsonrpc.Request{
+							Method: "tools/call",
+						},
+						Params: map[string]any{
+							"name": "require_client_auth_tool",
+						},
+					},
+					wantStatusCode: http.StatusUnauthorized,
+					want: map[string]any{
+						"jsonrpc": "2.0",
+						"id":      "tools-call-tool5",
+						"error": map[string]any{
+							"code":    -32600.0,
+							"message": "missing access token in the 'Authorization' header",
+						},
+					},
+				},
 			}
 			for _, tc := range testCases {
 				t.Run(tc.name, func(t *testing.T) {
@@ -507,10 +709,15 @@ func TestMcpEndpoint(t *testing.T) {
 					}
 
 					resp, body, err := runRequest(ts, http.MethodPost, tc.url, bytes.NewBuffer(reqMarshal), header)
+
 					if err != nil {
 						t.Fatalf("unexpected error during request: %s", err)
 					}
 
+					if resp.StatusCode != tc.wantStatusCode {
+						t.Errorf("StatusCode mismatch: got %d, want %d", resp.StatusCode, tc.wantStatusCode)
+					}
+
 					// Notifications don't expect a response.
 					if tc.want != nil {
 						if contentType := resp.Header.Get("Content-type"); contentType != "application/json" {

internal/server/server.go

@@ -337,6 +337,11 @@ func NewServer(ctx context.Context, cfg ServerConfig) (*Server, error) {
 		}
 		r.Mount("/ui", webR)
 	}
+	adminR, err := adminRouter(s)
+	if err != nil {
+		return nil, err
+	}
+	r.Mount("/admin", adminR)
 	// default endpoint for validating server is running
 	r.Get("/", func(w http.ResponseWriter, r *http.Request) {
 		_, _ = w.Write([]byte("🧰 Hello, World! 🧰"))

internal/sources/bigquery/bigquery.go

@@ -21,8 +21,10 @@ import (
 	bigqueryapi "cloud.google.com/go/bigquery"
 	"github.com/goccy/go-yaml"
 	"github.com/googleapis/genai-toolbox/internal/sources"
+	"github.com/googleapis/genai-toolbox/internal/tools"
 	"github.com/googleapis/genai-toolbox/internal/util"
 	"go.opentelemetry.io/otel/trace"
+	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/google"
 	bigqueryrestapi "google.golang.org/api/bigquery/v2"
 	"google.golang.org/api/option"
@@ -33,6 +35,8 @@ const SourceKind string = "bigquery"
 // validate interface
 var _ sources.SourceConfig = Config{}
 
+type BigqueryClientCreator func(tokenString tools.AccessToken) (*bigqueryapi.Client, *bigqueryrestapi.Service, error)
+
 func init() {
 	if !sources.Register(SourceKind, newConfig) {
 		panic(fmt.Sprintf("source kind %q already registered", SourceKind))
@@ -62,17 +66,19 @@ func (r Config) SourceConfigKind() string {
 
 func (r Config) Initialize(ctx context.Context, tracer trace.Tracer) (sources.Source, error) {
 	// Initializes a BigQuery Google SQL source
-	client, restService, err := initBigQueryConnection(ctx, tracer, r.Name, r.Project, r.Location)
+	client, restService, tokenSource, clientCreator, err := initBigQueryConnection(ctx, tracer, r.Name, r.Project, r.Location)
 	if err != nil {
 		return nil, err
 	}
 
 	s := &Source{
-		Name:        r.Name,
-		Kind:        SourceKind,
-		Client:      client,
-		RestService: restService,
-		Location:    r.Location,
+		Name:               r.Name,
+		Kind:               SourceKind,
+		Client:             client,
+		RestService:        restService,
+		TokenSource:        tokenSource,
+		MaxQueryResultRows: 50,
+		ClientCreator:      clientCreator,
 	}
 	return s, nil
 
@@ -82,11 +88,13 @@ var _ sources.Source = &Source{}
 
 type Source struct {
 	// BigQuery Google SQL struct with client
-	Name        string `yaml:"name"`
-	Kind        string `yaml:"kind"`
-	Client      *bigqueryapi.Client
-	RestService *bigqueryrestapi.Service
-	Location    string `yaml:"location"`
+	Name               string `yaml:"name"`
+	Kind               string `yaml:"kind"`
+	Client             *bigqueryapi.Client
+	RestService        *bigqueryrestapi.Service
+	TokenSource        oauth2.TokenSource
+	MaxQueryResultRows int
+	ClientCreator      BigqueryClientCreator
 }
 
 func (s *Source) SourceKind() string {
@@ -102,38 +110,96 @@ func (s *Source) BigQueryRestService() *bigqueryrestapi.Service {
 	return s.RestService
 }
 
+func (s *Source) BigQueryTokenSource() oauth2.TokenSource {
+	return s.TokenSource
+}
+
+func (s *Source) GetMaxQueryResultRows() int {
+	return s.MaxQueryResultRows
+}
+
+func (s *Source) BigQueryClientCreator() BigqueryClientCreator {
+	return s.ClientCreator
+}
+
 func initBigQueryConnection(
 	ctx context.Context,
 	tracer trace.Tracer,
 	name string,
 	project string,
 	location string,
-) (*bigqueryapi.Client, *bigqueryrestapi.Service, error) {
+) (*bigqueryapi.Client, *bigqueryrestapi.Service, oauth2.TokenSource, BigqueryClientCreator, error) {
 	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceKind, name)
 	defer span.End()
 
 	cred, err := google.FindDefaultCredentials(ctx, bigqueryapi.Scope)
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to find default Google Cloud credentials with scope %q: %w", bigqueryapi.Scope, err)
+		return nil, nil, nil, nil, fmt.Errorf("failed to find default Google Cloud credentials with scope %q: %w", bigqueryapi.Scope, err)
 	}
 
 	userAgent, err := util.UserAgentFromContext(ctx)
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, nil, nil, err
 	}
 
 	// Initialize the high-level BigQuery client
 	client, err := bigqueryapi.NewClient(ctx, project, option.WithUserAgent(userAgent), option.WithCredentials(cred))
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to create BigQuery client for project %q: %w", project, err)
+		return nil, nil, nil, nil, fmt.Errorf("failed to create BigQuery client for project %q: %w", project, err)
 	}
 	client.Location = location
 
 	// Initialize the low-level BigQuery REST service using the same credentials
 	restService, err := bigqueryrestapi.NewService(ctx, option.WithUserAgent(userAgent), option.WithCredentials(cred))
+	if err != nil {
+		return nil, nil, nil, nil, fmt.Errorf("failed to create BigQuery v2 service: %w", err)
+	}
+
+	clientCreator := newBigQueryClientCreator(ctx, project, location, userAgent)
+	return client, restService, cred.TokenSource, clientCreator, nil
+}
+
+// initBigQueryConnectionWithOAuthToken initialize a BigQuery client with an
+// OAuth access token.
+func initBigQueryConnectionWithOAuthToken(
+	ctx context.Context,
+	project string,
+	location string,
+	userAgent string,
+	tokenString tools.AccessToken,
+) (*bigqueryapi.Client, *bigqueryrestapi.Service, error) {
+	// Construct token source
+	token := &oauth2.Token{
+		AccessToken: string(tokenString),
+	}
+	ts := oauth2.StaticTokenSource(token)
+
+	// Initialize the BigQuery client with tokenSource
+	client, err := bigqueryapi.NewClient(ctx, project, option.WithUserAgent(userAgent), option.WithTokenSource(ts))
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to create BigQuery client for project %q: %w", project, err)
+	}
+	client.Location = location
+
+	// Initialize the low-level BigQuery REST service using the same credentials
+	restService, err := bigqueryrestapi.NewService(ctx, option.WithUserAgent(userAgent), option.WithTokenSource(ts))
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to create BigQuery v2 service: %w", err)
 	}
 
 	return client, restService, nil
 }
+
+// newBigQueryClientCreator sets the project parameters for the init helper
+// function. The returned function takes in an OAuth access token and uses it to
+// create a BQ client.
+func newBigQueryClientCreator(
+	ctx context.Context,
+	project string,
+	location string,
+	userAgent string,
+) func(tools.AccessToken) (*bigqueryapi.Client, *bigqueryrestapi.Service, error) {
+	return func(tokenString tools.AccessToken) (*bigqueryapi.Client, *bigqueryrestapi.Service, error) {
+		return initBigQueryConnectionWithOAuthToken(ctx, project, location, userAgent, tokenString)
+	}
+}

internal/sources/clickhouse/clickhouse.go

@@ -0,0 +1,145 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package clickhouse
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"net/url"
+	"time"
+
+	_ "github.com/ClickHouse/clickhouse-go/v2"
+	"github.com/goccy/go-yaml"
+	"github.com/googleapis/genai-toolbox/internal/sources"
+	"go.opentelemetry.io/otel/trace"
+)
+
+const SourceKind string = "clickhouse"
+
+// validate interface
+var _ sources.SourceConfig = Config{}
+
+func init() {
+	if !sources.Register(SourceKind, newConfig) {
+		panic(fmt.Sprintf("source kind %q already registered", SourceKind))
+	}
+}
+
+func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (sources.SourceConfig, error) {
+	actual := Config{Name: name}
+	if err := decoder.DecodeContext(ctx, &actual); err != nil {
+		return nil, err
+	}
+	return actual, nil
+}
+
+type Config struct {
+	Name     string `yaml:"name" validate:"required"`
+	Kind     string `yaml:"kind" validate:"required"`
+	Host     string `yaml:"host" validate:"required"`
+	Port     string `yaml:"port" validate:"required"`
+	Database string `yaml:"database" validate:"required"`
+	User     string `yaml:"user" validate:"required"`
+	Password string `yaml:"password"`
+	Protocol string `yaml:"protocol"`
+	Secure   bool   `yaml:"secure"`
+}
+
+func (r Config) SourceConfigKind() string {
+	return SourceKind
+}
+
+func (r Config) Initialize(ctx context.Context, tracer trace.Tracer) (sources.Source, error) {
+	pool, err := initClickHouseConnectionPool(ctx, tracer, r.Name, r.Host, r.Port, r.User, r.Password, r.Database, r.Protocol, r.Secure)
+	if err != nil {
+		return nil, fmt.Errorf("unable to create pool: %w", err)
+	}
+
+	err = pool.PingContext(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("unable to connect successfully: %w", err)
+	}
+
+	s := &Source{
+		Name: r.Name,
+		Kind: SourceKind,
+		Pool: pool,
+	}
+	return s, nil
+}
+
+var _ sources.Source = &Source{}
+
+type Source struct {
+	Name string `yaml:"name"`
+	Kind string `yaml:"kind"`
+	Pool *sql.DB
+}
+
+func (s *Source) SourceKind() string {
+	return SourceKind
+}
+
+func (s *Source) ClickHousePool() *sql.DB {
+	return s.Pool
+}
+
+func validateConfig(protocol string) error {
+	validProtocols := map[string]bool{"http": true, "https": true}
+
+	if protocol != "" && !validProtocols[protocol] {
+		return fmt.Errorf("invalid protocol: %s, must be one of: http, https", protocol)
+	}
+	return nil
+}
+
+func initClickHouseConnectionPool(ctx context.Context, tracer trace.Tracer, name, host, port, user, pass, dbname, protocol string, secure bool) (*sql.DB, error) {
+	//nolint:all // Reassigned ctx
+	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceKind, name)
+	defer span.End()
+
+	if protocol == "" {
+		protocol = "https"
+	}
+
+	if err := validateConfig(protocol); err != nil {
+		return nil, err
+	}
+
+	encodedUser := url.QueryEscape(user)
+	encodedPass := url.QueryEscape(pass)
+
+	var dsn string
+	scheme := protocol
+	if protocol == "http" && secure {
+		scheme = "https"
+	}
+	dsn = fmt.Sprintf("%s://%s:%s@%s:%s/%s", scheme, encodedUser, encodedPass, host, port, dbname)
+	if scheme == "https" {
+		dsn += "?secure=true&skip_verify=false"
+	}
+
+	pool, err := sql.Open("clickhouse", dsn)
+	if err != nil {
+		return nil, fmt.Errorf("sql.Open: %w", err)
+	}
+
+	pool.SetMaxOpenConns(25)
+	pool.SetMaxIdleConns(5)
+	pool.SetConnMaxLifetime(5 * time.Minute)
+
+	return pool, nil
+}

internal/sources/clickhouse/clickhouse_test.go

@@ -0,0 +1,348 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package clickhouse
+
+import (
+	"context"
+	"strings"
+	"testing"
+
+	"github.com/goccy/go-yaml"
+	"github.com/google/go-cmp/cmp"
+	"github.com/googleapis/genai-toolbox/internal/testutils"
+	"go.opentelemetry.io/otel"
+)
+
+func TestConfigSourceConfigKind(t *testing.T) {
+	config := Config{}
+	if config.SourceConfigKind() != SourceKind {
+		t.Errorf("Expected %s, got %s", SourceKind, config.SourceConfigKind())
+	}
+}
+
+func TestNewConfig(t *testing.T) {
+	tests := []struct {
+		name     string
+		yaml     string
+		expected Config
+	}{
+		{
+			name: "all fields specified",
+			yaml: `
+				name: test-clickhouse
+				kind: clickhouse
+				host: localhost
+				port: "8443"
+				user: default
+				password: "mypass"
+				database: mydb
+				protocol: https
+				secure: true
+			`,
+			expected: Config{
+				Name:     "test-clickhouse",
+				Kind:     "clickhouse",
+				Host:     "localhost",
+				Port:     "8443",
+				User:     "default",
+				Password: "mypass",
+				Database: "mydb",
+				Protocol: "https",
+				Secure:   true,
+			},
+		},
+		{
+			name: "minimal configuration with defaults",
+			yaml: `
+				name: minimal-clickhouse
+				kind: clickhouse
+				host: 127.0.0.1
+				port: "8123"
+				user: testuser
+				database: testdb
+			`,
+			expected: Config{
+				Name:     "minimal-clickhouse",
+				Kind:     "clickhouse",
+				Host:     "127.0.0.1",
+				Port:     "8123",
+				User:     "testuser",
+				Password: "",
+				Database: "testdb",
+				Protocol: "",
+				Secure:   false,
+			},
+		},
+		{
+			name: "http protocol",
+			yaml: `
+				name: http-clickhouse
+				kind: clickhouse
+				host: clickhouse.example.com
+				port: "8123"
+				user: analytics
+				password: "securepass"
+				database: analytics_db
+				protocol: http
+				secure: false
+			`,
+			expected: Config{
+				Name:     "http-clickhouse",
+				Kind:     "clickhouse",
+				Host:     "clickhouse.example.com",
+				Port:     "8123",
+				User:     "analytics",
+				Password: "securepass",
+				Database: "analytics_db",
+				Protocol: "http",
+				Secure:   false,
+			},
+		},
+		{
+			name: "https with secure connection",
+			yaml: `
+				name: secure-clickhouse
+				kind: clickhouse
+				host: secure.clickhouse.io
+				port: "8443"
+				user: secureuser
+				password: "verysecure"
+				database: production
+				protocol: https
+				secure: true
+			`,
+			expected: Config{
+				Name:     "secure-clickhouse",
+				Kind:     "clickhouse",
+				Host:     "secure.clickhouse.io",
+				Port:     "8443",
+				User:     "secureuser",
+				Password: "verysecure",
+				Database: "production",
+				Protocol: "https",
+				Secure:   true,
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			decoder := yaml.NewDecoder(strings.NewReader(string(testutils.FormatYaml(tt.yaml))))
+			config, err := newConfig(context.Background(), tt.expected.Name, decoder)
+			if err != nil {
+				t.Fatalf("Failed to create config: %v", err)
+			}
+
+			clickhouseConfig, ok := config.(Config)
+			if !ok {
+				t.Fatalf("Expected Config type, got %T", config)
+			}
+
+			if diff := cmp.Diff(tt.expected, clickhouseConfig); diff != "" {
+				t.Errorf("Config mismatch (-want +got):\n%s", diff)
+			}
+		})
+	}
+}
+
+func TestNewConfigInvalidYAML(t *testing.T) {
+	tests := []struct {
+		name        string
+		yaml        string
+		expectError bool
+	}{
+		{
+			name: "invalid yaml syntax",
+			yaml: `
+				name: test-clickhouse
+				kind: clickhouse
+				host: [invalid
+			`,
+			expectError: true,
+		},
+		{
+			name: "missing required fields",
+			yaml: `
+				name: test-clickhouse
+				kind: clickhouse
+			`,
+			expectError: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			decoder := yaml.NewDecoder(strings.NewReader(string(testutils.FormatYaml(tt.yaml))))
+			_, err := newConfig(context.Background(), "test-clickhouse", decoder)
+			if tt.expectError && err == nil {
+				t.Errorf("Expected error but got none")
+			}
+			if !tt.expectError && err != nil {
+				t.Errorf("Expected no error but got: %v", err)
+			}
+		})
+	}
+}
+
+func TestSource_SourceKind(t *testing.T) {
+	source := &Source{}
+	if source.SourceKind() != SourceKind {
+		t.Errorf("Expected %s, got %s", SourceKind, source.SourceKind())
+	}
+}
+
+func TestValidateConfig(t *testing.T) {
+	tests := []struct {
+		name        string
+		protocol    string
+		expectError bool
+	}{
+		{
+			name:        "valid https protocol",
+			protocol:    "https",
+			expectError: false,
+		},
+		{
+			name:        "valid http protocol",
+			protocol:    "http",
+			expectError: false,
+		},
+		{
+			name:        "invalid protocol",
+			protocol:    "invalid",
+			expectError: true,
+		},
+		{
+			name:        "invalid protocol - native not supported",
+			protocol:    "native",
+			expectError: true,
+		},
+		{
+			name:        "empty values use defaults",
+			protocol:    "",
+			expectError: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validateConfig(tt.protocol)
+			if tt.expectError && err == nil {
+				t.Errorf("Expected error but got none")
+			}
+			if !tt.expectError && err != nil {
+				t.Errorf("Expected no error but got: %v", err)
+			}
+		})
+	}
+}
+
+func TestInitClickHouseConnectionPoolDSNGeneration(t *testing.T) {
+	tracer := otel.Tracer("test")
+	ctx := context.Background()
+
+	tests := []struct {
+		name      string
+		host      string
+		port      string
+		user      string
+		pass      string
+		dbname    string
+		protocol  string
+		secure    bool
+		shouldErr bool
+	}{
+		{
+			name:      "http protocol with defaults",
+			host:      "localhost",
+			port:      "8123",
+			user:      "default",
+			pass:      "",
+			dbname:    "default",
+			protocol:  "http",
+			secure:    false,
+			shouldErr: true,
+		},
+		{
+			name:      "https protocol with secure",
+			host:      "localhost",
+			port:      "8443",
+			user:      "default",
+			pass:      "",
+			dbname:    "default",
+			protocol:  "https",
+			secure:    true,
+			shouldErr: true,
+		},
+		{
+			name:      "special characters in password",
+			host:      "localhost",
+			port:      "8443",
+			user:      "test@user",
+			pass:      "pass@word:with/special&chars",
+			dbname:    "default",
+			protocol:  "https",
+			secure:    true,
+			shouldErr: true,
+		},
+		{
+			name:      "invalid protocol should fail",
+			host:      "localhost",
+			port:      "9000",
+			user:      "default",
+			pass:      "",
+			dbname:    "default",
+			protocol:  "invalid",
+			secure:    false,
+			shouldErr: true,
+		},
+		{
+			name:      "empty protocol defaults to https",
+			host:      "localhost",
+			port:      "8443",
+			user:      "user",
+			pass:      "pass",
+			dbname:    "testdb",
+			protocol:  "",
+			secure:    true,
+			shouldErr: true,
+		},
+		{
+			name:      "http with secure flag should upgrade to https",
+			host:      "example.com",
+			port:      "8443",
+			user:      "user",
+			pass:      "pass",
+			dbname:    "db",
+			protocol:  "http",
+			secure:    true,
+			shouldErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			pool, err := initClickHouseConnectionPool(ctx, tracer, "test", tt.host, tt.port, tt.user, tt.pass, tt.dbname, tt.protocol, tt.secure)
+
+			if !tt.shouldErr && err != nil {
+				t.Errorf("Expected no error, got: %v", err)
+			}
+
+			if pool != nil {
+				pool.Close()
+			}
+		})
+	}
+}

internal/sources/firebird/firebird.go

@@ -0,0 +1,114 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package firebird
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"time"
+
+	"github.com/goccy/go-yaml"
+	"github.com/googleapis/genai-toolbox/internal/sources"
+	"go.opentelemetry.io/otel/trace"
+)
+
+const SourceKind string = "firebird"
+
+var _ sources.SourceConfig = Config{}
+
+func init() {
+	if !sources.Register(SourceKind, newConfig) {
+		panic(fmt.Sprintf("source kind %q already registered", SourceKind))
+	}
+}
+
+func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (sources.SourceConfig, error) {
+	actual := Config{Name: name}
+	if err := decoder.DecodeContext(ctx, &actual); err != nil {
+		return nil, err
+	}
+	return actual, nil
+}
+
+type Config struct {
+	Name     string `yaml:"name" validate:"required"`
+	Kind     string `yaml:"kind" validate:"required"`
+	Host     string `yaml:"host" validate:"required"`
+	Port     string `yaml:"port" validate:"required"`
+	User     string `yaml:"user" validate:"required"`
+	Password string `yaml:"password" validate:"required"`
+	Database string `yaml:"database" validate:"required"`
+}
+
+func (r Config) SourceConfigKind() string {
+	return SourceKind
+}
+
+func (r Config) Initialize(ctx context.Context, tracer trace.Tracer) (sources.Source, error) {
+	pool, err := initFirebirdConnectionPool(ctx, tracer, r.Name, r.Host, r.Port, r.User, r.Password, r.Database)
+	if err != nil {
+		return nil, fmt.Errorf("unable to create pool: %w", err)
+	}
+
+	err = pool.PingContext(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("unable to connect successfully: %w", err)
+	}
+
+	s := &Source{
+		Name: r.Name,
+		Kind: SourceKind,
+		Db:   pool,
+	}
+	return s, nil
+}
+
+var _ sources.Source = &Source{}
+
+type Source struct {
+	Name string `yaml:"name"`
+	Kind string `yaml:"kind"`
+	Db   *sql.DB
+}
+
+func (s *Source) SourceKind() string {
+	return SourceKind
+}
+
+func (s *Source) FirebirdDB() *sql.DB {
+	return s.Db
+}
+
+func initFirebirdConnectionPool(ctx context.Context, tracer trace.Tracer, name, host, port, user, pass, dbname string) (*sql.DB, error) {
+	_, span := sources.InitConnectionSpan(ctx, tracer, SourceKind, name)
+	defer span.End()
+
+	// urlExample := "user:password@host:port/path/to/database.fdb"
+	dsn := fmt.Sprintf("%s:%s@%s:%s/%s", user, pass, host, port, dbname)
+
+	db, err := sql.Open("firebirdsql", dsn)
+	if err != nil {
+		return nil, fmt.Errorf("unable to create connection pool: %w", err)
+	}
+
+	// Configure connection pool to prevent deadlocks
+	db.SetMaxOpenConns(5)
+	db.SetMaxIdleConns(2)
+	db.SetConnMaxLifetime(5 * time.Minute)
+	db.SetConnMaxIdleTime(1 * time.Minute)
+
+	return db, nil
+}

internal/sources/firebird/firebird_test.go

@@ -0,0 +1,127 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package firebird_test
+
+import (
+	"testing"
+
+	yaml "github.com/goccy/go-yaml"
+	"github.com/google/go-cmp/cmp"
+	"github.com/googleapis/genai-toolbox/internal/server"
+	"github.com/googleapis/genai-toolbox/internal/sources/firebird"
+	"github.com/googleapis/genai-toolbox/internal/testutils"
+)
+
+func TestParseFromYamlFirebird(t *testing.T) {
+	tcs := []struct {
+		desc string
+		in   string
+		want server.SourceConfigs
+	}{
+		{
+			desc: "basic example",
+			in: `
+			sources:
+				my-fdb-instance:
+					kind: firebird
+					host: my-host
+					port: my-port
+					database: my_db
+					user: my_user
+					password: my_pass
+			`,
+			want: server.SourceConfigs{
+				"my-fdb-instance": firebird.Config{
+					Name:     "my-fdb-instance",
+					Kind:     firebird.SourceKind,
+					Host:     "my-host",
+					Port:     "my-port",
+					Database: "my_db",
+					User:     "my_user",
+					Password: "my_pass",
+				},
+			},
+		},
+	}
+	for _, tc := range tcs {
+		t.Run(tc.desc, func(t *testing.T) {
+			got := struct {
+				Sources server.SourceConfigs `yaml:"sources"`
+			}{}
+			// Parse contents
+			err := yaml.Unmarshal(testutils.FormatYaml(tc.in), &got)
+			if err != nil {
+				t.Fatalf("unable to unmarshal: %s", err)
+			}
+			if !cmp.Equal(tc.want, got.Sources) {
+				t.Fatalf("incorrect parse: want %v, got %v", tc.want, got.Sources)
+			}
+		})
+	}
+
+}
+
+func TestFailParseFromYaml(t *testing.T) {
+	tcs := []struct {
+		desc string
+		in   string
+		err  string
+	}{
+		{
+			desc: "extra field",
+			in: `
+			sources:
+				my-fdb-instance:
+					kind: firebird
+					host: my-host
+					port: my-port
+					database: my_db
+					user: my_user
+					password: my_pass
+					foo: bar
+			`,
+			err: "unable to parse source \"my-fdb-instance\" as \"firebird\": [2:1] unknown field \"foo\"\n   1 | database: my_db\n>  2 | foo: bar\n       ^\n   3 | host: my-host\n   4 | kind: firebird\n   5 | password: my_pass\n   6 | ",
+		},
+		{
+			desc: "missing required field",
+			in: `
+			sources:
+				my-fdb-instance:
+					kind: firebird
+					host: my-host
+					port: my-port
+					database: my_db
+					user: my_user
+			`,
+			err: "unable to parse source \"my-fdb-instance\" as \"firebird\": Key: 'Config.Password' Error:Field validation for 'Password' failed on the 'required' tag",
+		},
+	}
+	for _, tc := range tcs {
+		t.Run(tc.desc, func(t *testing.T) {
+			got := struct {
+				Sources server.SourceConfigs `yaml:"sources"`
+			}{}
+			// Parse contents
+			err := yaml.Unmarshal(testutils.FormatYaml(tc.in), &got)
+			if err == nil {
+				t.Fatalf("expect parsing to fail")
+			}
+			errStr := err.Error()
+			if errStr != tc.err {
+				t.Fatalf("unexpected error: got %q, want %q", errStr, tc.err)
+			}
+		})
+	}
+}

internal/sources/looker/looker.go

@@ -39,7 +39,14 @@ func init() {
 }
 
 func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (sources.SourceConfig, error) {
-	actual := Config{Name: name, SslVerification: "true", Timeout: "600s"} // Default Ssl,timeout
+	actual := Config{
+		Name:               name,
+		SslVerification:    true,
+		Timeout:            "600s",
+		ShowHiddenModels:   true,
+		ShowHiddenExplores: true,
+		ShowHiddenFields:   true,
+	} // Default Ssl,timeout, ShowHidden
 	if err := decoder.DecodeContext(ctx, &actual); err != nil {
 		return nil, err
 	}
@@ -47,13 +54,16 @@ func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (sources
 }
 
 type Config struct {
-	Name            string `yaml:"name" validate:"required"`
-	Kind            string `yaml:"kind" validate:"required"`
-	BaseURL         string `yaml:"base_url" validate:"required"`
-	ClientId        string `yaml:"client_id" validate:"required"`
-	ClientSecret    string `yaml:"client_secret" validate:"required"`
-	SslVerification string `yaml:"verify_ssl"`
-	Timeout         string `yaml:"timeout"`
+	Name               string `yaml:"name" validate:"required"`
+	Kind               string `yaml:"kind" validate:"required"`
+	BaseURL            string `yaml:"base_url" validate:"required"`
+	ClientId           string `yaml:"client_id" validate:"required"`
+	ClientSecret       string `yaml:"client_secret" validate:"required"`
+	SslVerification    bool   `yaml:"verify_ssl"`
+	Timeout            string `yaml:"timeout"`
+	ShowHiddenModels   bool   `yaml:"show_hidden_models"`
+	ShowHiddenExplores bool   `yaml:"show_hidden_explores"`
+	ShowHiddenFields   bool   `yaml:"show_hidden_fields"`
 }
 
 func (r Config) SourceConfigKind() string {
@@ -77,14 +87,14 @@ func (r Config) Initialize(ctx context.Context, tracer trace.Tracer) (sources.So
 		return nil, fmt.Errorf("unable to parse Timeout string as time.Duration: %s", err)
 	}
 
-	if r.SslVerification != "true" {
+	if !r.SslVerification {
 		logger.WarnContext(ctx, "Insecure HTTP is enabled for Looker source %s. TLS certificate verification is skipped.\n", r.Name)
 	}
 	cfg := rtl.ApiSettings{
 		AgentTag:     userAgent,
 		BaseUrl:      r.BaseURL,
 		ApiVersion:   "4.0",
-		VerifySsl:    (r.SslVerification == "true"),
+		VerifySsl:    r.SslVerification,
 		Timeout:      int32(duration.Seconds()),
 		ClientId:     r.ClientId,
 		ClientSecret: r.ClientSecret,
@@ -98,11 +108,14 @@ func (r Config) Initialize(ctx context.Context, tracer trace.Tracer) (sources.So
 	logger.DebugContext(ctx, fmt.Sprintf("logged in as user %v %v.\n", *me.FirstName, *me.LastName))
 
 	s := &Source{
-		Name:        r.Name,
-		Kind:        SourceKind,
-		Timeout:     r.Timeout,
-		Client:      sdk,
-		ApiSettings: &cfg,
+		Name:               r.Name,
+		Kind:               SourceKind,
+		Timeout:            r.Timeout,
+		Client:             sdk,
+		ApiSettings:        &cfg,
+		ShowHiddenModels:   r.ShowHiddenModels,
+		ShowHiddenExplores: r.ShowHiddenExplores,
+		ShowHiddenFields:   r.ShowHiddenFields,
 	}
 	return s, nil
 
@@ -111,11 +124,14 @@ func (r Config) Initialize(ctx context.Context, tracer trace.Tracer) (sources.So
 var _ sources.Source = &Source{}
 
 type Source struct {
-	Name        string `yaml:"name"`
-	Kind        string `yaml:"kind"`
-	Timeout     string `yaml:"timeout"`
-	Client      *v4.LookerSDK
-	ApiSettings *rtl.ApiSettings
+	Name               string `yaml:"name"`
+	Kind               string `yaml:"kind"`
+	Timeout            string `yaml:"timeout"`
+	Client             *v4.LookerSDK
+	ApiSettings        *rtl.ApiSettings
+	ShowHiddenModels   bool `yaml:"show_hidden_models"`
+	ShowHiddenExplores bool `yaml:"show_hidden_explores"`
+	ShowHiddenFields   bool `yaml:"show_hidden_fields"`
 }
 
 func (s *Source) SourceKind() string {

internal/sources/looker/looker_test.go

@@ -43,13 +43,16 @@ func TestParseFromYamlLooker(t *testing.T) {
 			`,
 			want: map[string]sources.SourceConfig{
 				"my-looker-instance": looker.Config{
-					Name:            "my-looker-instance",
-					Kind:            looker.SourceKind,
-					BaseURL:         "http://example.looker.com/",
-					ClientId:        "jasdl;k;tjl",
-					ClientSecret:    "sdakl;jgflkasdfkfg",
-					Timeout:         "600s",
-					SslVerification: "true",
+					Name:               "my-looker-instance",
+					Kind:               looker.SourceKind,
+					BaseURL:            "http://example.looker.com/",
+					ClientId:           "jasdl;k;tjl",
+					ClientSecret:       "sdakl;jgflkasdfkfg",
+					Timeout:            "600s",
+					SslVerification:    true,
+					ShowHiddenModels:   true,
+					ShowHiddenExplores: true,
+					ShowHiddenFields:   true,
 				},
 			},
 		},