feat(npm): Bump server package versions to 0.25.0 and generate new platform-specific build artifacts. (#2284)

Releases the NPM package versions with latest toolbox release
(`v.0.25.0`).

.ci/integration.cloudbuild.yaml

@@ -825,7 +825,27 @@ steps:
           elasticsearch \
           elasticsearch
 
-
+  - id: "snowflake"
+    name: golang:1
+    waitFor: ["compile-test-binary"]
+    entrypoint: /bin/bash
+    env:
+      - "GOPATH=/gopath"
+      - "SERVICE_ACCOUNT_EMAIL=$SERVICE_ACCOUNT_EMAIL"
+      - "SNOWFLAKE_DATABASE=$_SNOWFLAKE_DATABASE"
+      - "SNOWFLAKE_SCHEMA=$_SNOWFLAKE_SCHEMA"
+    secretEnv: ["CLIENT_ID", "SNOWFLAKE_USER", "SNOWFLAKE_PASS", "SNOWFLAKE_ACCOUNT"]
+    volumes:
+      - name: "go"
+        path: "/gopath"
+    args:
+      - -c
+      - |
+        .ci/test_with_coverage.sh \
+          "Snowflake" \
+          snowflake \
+          snowflake
+ 
   - id: "cassandra"
     name: golang:1
     waitFor: ["compile-test-binary"]
@@ -875,8 +895,8 @@ steps:
         total_coverage=$(go tool cover -func=oracle_coverage.out | grep "total:" | awk '{print $3}')
         echo "Oracle total coverage: $total_coverage"
         coverage_numeric=$(echo "$total_coverage" | sed 's/%//')
-        if awk -v cov="$coverage_numeric" 'BEGIN {exit !(cov < 30)}'; then
-            echo "Coverage failure: $total_coverage is below 30%."
+        if awk -v cov="$coverage_numeric" 'BEGIN {exit !(cov < 20)}'; then
+            echo "Coverage failure: $total_coverage is below 20%."
             exit 1
         fi
 
@@ -1038,6 +1058,12 @@ availableSecrets:
       env: ELASTICSEARCH_USER
     - versionName: projects/$PROJECT_ID/secrets/elastic_search_pass/versions/latest
       env: ELASTICSEARCH_PASS
+    - versionName: projects/$PROJECT_ID/secrets/snowflake_account/versions/latest
+      env: SNOWFLAKE_ACCOUNT
+    - versionName: projects/$PROJECT_ID/secrets/snowflake_user/versions/latest
+      env: SNOWFLAKE_USER
+    - versionName: projects/$PROJECT_ID/secrets/snowflake_pass/versions/latest
+      env: SNOWFLAKE_PASS
     - versionName: projects/$PROJECT_ID/secrets/cassandra_user/versions/latest
       env: CASSANDRA_USER
     - versionName: projects/$PROJECT_ID/secrets/cassandra_pass/versions/latest
@@ -1124,4 +1150,5 @@ substitutions:
   _SINGLESTORE_USER: "root"
   _MARIADB_PORT: "3307"
   _MARIADB_DATABASE: test_database
-
+  _SNOWFLAKE_DATABASE: "test"
+  _SNOWFLAKE_SCHEMA: "PUBLIC"

.gitignore

@@ -20,4 +20,4 @@ node_modules
 
 # executable
 genai-toolbox
-toolbox
+toolbox

.hugo/hugo.toml

@@ -51,6 +51,10 @@ ignoreFiles = ["quickstart/shared", "quickstart/python", "quickstart/js", "quick
 # Add a new version block here before every release
 # The order of versions in this file is mirrored into the dropdown
 
+[[params.versions]]
+  version = "v0.25.0"
+  url = "https://googleapis.github.io/genai-toolbox/v0.25.0/"
+
 [[params.versions]]
   version = "v0.24.0"
   url = "https://googleapis.github.io/genai-toolbox/v0.24.0/"

CHANGELOG.md

@@ -1,5 +1,30 @@
 # Changelog
 
+## [0.25.0](https://github.com/googleapis/genai-toolbox/compare/v0.24.0...v0.25.0) (2026-01-08)
+
+
+### Features
+
+* Add `embeddingModel` support ([#2121](https://github.com/googleapis/genai-toolbox/issues/2121)) ([9c62f31](https://github.com/googleapis/genai-toolbox/commit/9c62f313ff5edf0a3b5b8a3e996eba078fba4095))
+* Add `allowed-hosts` flag ([#2254](https://github.com/googleapis/genai-toolbox/issues/2254)) ([17b41f6](https://github.com/googleapis/genai-toolbox/commit/17b41f64531b8fe417c28ada45d1992ba430dc1b))
+* Add parameter default value to manifest ([#2264](https://github.com/googleapis/genai-toolbox/issues/2264)) ([9d1feca](https://github.com/googleapis/genai-toolbox/commit/9d1feca10810fa42cb4c94a409252f1bd373ee36))
+* **snowflake:** Add Snowflake Source and Tools ([#858](https://github.com/googleapis/genai-toolbox/issues/858)) ([b706b5b](https://github.com/googleapis/genai-toolbox/commit/b706b5bc685aeda277f277868bae77d38d5fd7b6))
+* **prebuilt/cloud-sql-mysql:** Update CSQL MySQL prebuilt tools to use IAM ([#2202](https://github.com/googleapis/genai-toolbox/issues/2202)) ([731a32e](https://github.com/googleapis/genai-toolbox/commit/731a32e5360b4d6862d81fcb27d7127c655679a8))
+* **sources/bigquery:** Make credentials scope configurable ([#2210](https://github.com/googleapis/genai-toolbox/issues/2210)) ([a450600](https://github.com/googleapis/genai-toolbox/commit/a4506009b93771b77fb05ae97044f914967e67ed))
+* **sources/trino:** Add ssl verification options and fix docs example ([#2155](https://github.com/googleapis/genai-toolbox/issues/2155)) ([4a4cf1e](https://github.com/googleapis/genai-toolbox/commit/4a4cf1e712b671853678dba99c4dc49dd4fc16a2))
+* **tools/looker:** Add ability to set destination folder with `make_look` and `make_dashboard`. ([#2245](https://github.com/googleapis/genai-toolbox/issues/2245)) ([eb79339](https://github.com/googleapis/genai-toolbox/commit/eb793398cd1cc4006d9808ccda5dc7aea5e92bd5))
+* **tools/postgressql:** Add tool to list store procedure ([#2156](https://github.com/googleapis/genai-toolbox/issues/2156)) ([cf0fc51](https://github.com/googleapis/genai-toolbox/commit/cf0fc515b57d9b84770076f3c0c5597c4597ef62))
+* **tools/postgressql:** Add Parameter `embeddedBy` config support ([#2151](https://github.com/googleapis/genai-toolbox/issues/2151)) ([17b70cc](https://github.com/googleapis/genai-toolbox/commit/17b70ccaa754d15bcc33a1a3ecb7e652520fa600))
+
+
+### Bug Fixes
+
+* **server:** Add `embeddingModel` config initialization ([#2281](https://github.com/googleapis/genai-toolbox/issues/2281)) ([a779975](https://github.com/googleapis/genai-toolbox/commit/a7799757c9345f99b6d2717841fbf792d364e1a2))
+* **sources/cloudgda:** Add import for cloudgda source ([#2217](https://github.com/googleapis/genai-toolbox/issues/2217)) ([7daa411](https://github.com/googleapis/genai-toolbox/commit/7daa4111f4ebfb0a35319fd67a8f7b9f0f99efcf))
+* **tools/alloydb-wait-for-operation:** Fix connection message generation ([#2228](https://github.com/googleapis/genai-toolbox/issues/2228)) ([7053fbb](https://github.com/googleapis/genai-toolbox/commit/7053fbb1953653143d39a8510916ea97a91022a6))
+* **tools/alloydbainl:** Only add psv when NL Config Param is defined ([#2265](https://github.com/googleapis/genai-toolbox/issues/2265)) ([ef8f3b0](https://github.com/googleapis/genai-toolbox/commit/ef8f3b02f2f38ce94a6ba9acf35d08b9469bef4e))
+* **tools/looker:** Looker client OAuth nil pointer error ([#2231](https://github.com/googleapis/genai-toolbox/issues/2231)) ([268700b](https://github.com/googleapis/genai-toolbox/commit/268700bdbf8281de0318d60ca613ed3672990b20))
+
 ## [0.24.0](https://github.com/googleapis/genai-toolbox/compare/v0.23.0...v0.24.0) (2025-12-19)
 
 

README.md

@@ -140,7 +140,7 @@ To install Toolbox as a binary:
 >
 > ```sh
 > # see releases page for other versions
-> export VERSION=0.24.0
+> export VERSION=0.25.0
 > curl -L -o toolbox https://storage.googleapis.com/genai-toolbox/v$VERSION/linux/amd64/toolbox
 > chmod +x toolbox
 > ```
@@ -153,7 +153,7 @@ To install Toolbox as a binary:
 >
 > ```sh
 > # see releases page for other versions
-> export VERSION=0.24.0
+> export VERSION=0.25.0
 > curl -L -o toolbox https://storage.googleapis.com/genai-toolbox/v$VERSION/darwin/arm64/toolbox
 > chmod +x toolbox
 > ```
@@ -166,7 +166,7 @@ To install Toolbox as a binary:
 >
 > ```sh
 > # see releases page for other versions
-> export VERSION=0.24.0
+> export VERSION=0.25.0
 > curl -L -o toolbox https://storage.googleapis.com/genai-toolbox/v$VERSION/darwin/amd64/toolbox
 > chmod +x toolbox
 > ```
@@ -179,7 +179,7 @@ To install Toolbox as a binary:
 >
 > ```cmd
 > :: see releases page for other versions
-> set VERSION=0.24.0
+> set VERSION=0.25.0
 > curl -o toolbox.exe "https://storage.googleapis.com/genai-toolbox/v%VERSION%/windows/amd64/toolbox.exe"
 > ```
 >
@@ -191,7 +191,7 @@ To install Toolbox as a binary:
 >
 > ```powershell
 > # see releases page for other versions
-> $VERSION = "0.24.0"
+> $VERSION = "0.25.0"
 > curl.exe -o toolbox.exe "https://storage.googleapis.com/genai-toolbox/v$VERSION/windows/amd64/toolbox.exe"
 > ```
 >
@@ -204,7 +204,7 @@ You can also install Toolbox as a container:
 
 ```sh
 # see releases page for other versions
-export VERSION=0.24.0
+export VERSION=0.25.0
 docker pull us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:$VERSION
 ```
 
@@ -228,7 +228,7 @@ To install from source, ensure you have the latest version of
 [Go installed](https://go.dev/doc/install), and then run the following command:
 
 ```sh
-go install github.com/googleapis/genai-toolbox@v0.24.0
+go install github.com/googleapis/genai-toolbox@v0.25.0
 ```
 <!-- {x-release-please-end} -->
 

cmd/root.go

@@ -33,6 +33,7 @@ import (
 	"github.com/fsnotify/fsnotify"
 	yaml "github.com/goccy/go-yaml"
 	"github.com/googleapis/genai-toolbox/internal/auth"
+	"github.com/googleapis/genai-toolbox/internal/embeddingmodels"
 	"github.com/googleapis/genai-toolbox/internal/log"
 	"github.com/googleapis/genai-toolbox/internal/prebuiltconfigs"
 	"github.com/googleapis/genai-toolbox/internal/prompts"
@@ -197,6 +198,7 @@ import (
 	_ "github.com/googleapis/genai-toolbox/internal/tools/postgres/postgreslistroles"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/postgres/postgreslistschemas"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/postgres/postgreslistsequences"
+	_ "github.com/googleapis/genai-toolbox/internal/tools/postgres/postgresliststoredprocedure"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/postgres/postgreslisttables"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/postgres/postgreslisttablespaces"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/postgres/postgreslisttablestats"
@@ -213,6 +215,8 @@ import (
 	_ "github.com/googleapis/genai-toolbox/internal/tools/serverlessspark/serverlesssparklistbatches"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/singlestore/singlestoreexecutesql"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/singlestore/singlestoresql"
+	_ "github.com/googleapis/genai-toolbox/internal/tools/snowflake/snowflakeexecutesql"
+	_ "github.com/googleapis/genai-toolbox/internal/tools/snowflake/snowflakesql"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/spanner/spannerexecutesql"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/spanner/spannerlistgraphs"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/spanner/spannerlisttables"
@@ -261,6 +265,7 @@ import (
 	_ "github.com/googleapis/genai-toolbox/internal/sources/redis"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/serverlessspark"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/singlestore"
+	_ "github.com/googleapis/genai-toolbox/internal/sources/snowflake"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/spanner"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/sqlite"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/tidb"
@@ -376,7 +381,9 @@ func NewCommand(opts ...Option) *Command {
 	flags.BoolVar(&cmd.cfg.Stdio, "stdio", false, "Listens via MCP STDIO instead of acting as a remote HTTP server.")
 	flags.BoolVar(&cmd.cfg.DisableReload, "disable-reload", false, "Disables dynamic reloading of tools file.")
 	flags.BoolVar(&cmd.cfg.UI, "ui", false, "Launches the Toolbox UI web server.")
+	// TODO: Insecure by default. Might consider updating this for v1.0.0
 	flags.StringSliceVar(&cmd.cfg.AllowedOrigins, "allowed-origins", []string{"*"}, "Specifies a list of origins permitted to access this server. Defaults to '*'.")
+	flags.StringSliceVar(&cmd.cfg.AllowedHosts, "allowed-hosts", []string{"*"}, "Specifies a list of hosts permitted to access this server. Defaults to '*'.")
 
 	// wrap RunE command so that we have access to original Command object
 	cmd.RunE = func(*cobra.Command, []string) error { return run(cmd) }
@@ -385,12 +392,13 @@ func NewCommand(opts ...Option) *Command {
 }
 
 type ToolsFile struct {
-	Sources      server.SourceConfigs      `yaml:"sources"`
-	AuthSources  server.AuthServiceConfigs `yaml:"authSources"` // Deprecated: Kept for compatibility.
-	AuthServices server.AuthServiceConfigs `yaml:"authServices"`
-	Tools        server.ToolConfigs        `yaml:"tools"`
-	Toolsets     server.ToolsetConfigs     `yaml:"toolsets"`
-	Prompts      server.PromptConfigs      `yaml:"prompts"`
+	Sources         server.SourceConfigs         `yaml:"sources"`
+	AuthSources     server.AuthServiceConfigs    `yaml:"authSources"` // Deprecated: Kept for compatibility.
+	AuthServices    server.AuthServiceConfigs    `yaml:"authServices"`
+	EmbeddingModels server.EmbeddingModelConfigs `yaml:"embeddingModels"`
+	Tools           server.ToolConfigs           `yaml:"tools"`
+	Toolsets        server.ToolsetConfigs        `yaml:"toolsets"`
+	Prompts         server.PromptConfigs         `yaml:"prompts"`
 }
 
 // parseEnv replaces environment variables ${ENV_NAME} with their values.
@@ -439,11 +447,12 @@ func parseToolsFile(ctx context.Context, raw []byte) (ToolsFile, error) {
 // All resource names (sources, authServices, tools, toolsets) must be unique across all files.
 func mergeToolsFiles(files ...ToolsFile) (ToolsFile, error) {
 	merged := ToolsFile{
-		Sources:      make(server.SourceConfigs),
-		AuthServices: make(server.AuthServiceConfigs),
-		Tools:        make(server.ToolConfigs),
-		Toolsets:     make(server.ToolsetConfigs),
-		Prompts:      make(server.PromptConfigs),
+		Sources:         make(server.SourceConfigs),
+		AuthServices:    make(server.AuthServiceConfigs),
+		EmbeddingModels: make(server.EmbeddingModelConfigs),
+		Tools:           make(server.ToolConfigs),
+		Toolsets:        make(server.ToolsetConfigs),
+		Prompts:         make(server.PromptConfigs),
 	}
 
 	var conflicts []string
@@ -479,6 +488,15 @@ func mergeToolsFiles(files ...ToolsFile) (ToolsFile, error) {
 			}
 		}
 
+		// Check for conflicts and merge embeddingModels
+		for name, em := range file.EmbeddingModels {
+			if _, exists := merged.EmbeddingModels[name]; exists {
+				conflicts = append(conflicts, fmt.Sprintf("embedding model '%s' (file #%d)", name, fileIndex+1))
+			} else {
+				merged.EmbeddingModels[name] = em
+			}
+		}
+
 		// Check for conflicts and merge tools
 		for name, tool := range file.Tools {
 			if _, exists := merged.Tools[name]; exists {
@@ -583,14 +601,14 @@ func handleDynamicReload(ctx context.Context, toolsFile ToolsFile, s *server.Ser
 		panic(err)
 	}
 
-	sourcesMap, authServicesMap, toolsMap, toolsetsMap, promptsMap, promptsetsMap, err := validateReloadEdits(ctx, toolsFile)
+	sourcesMap, authServicesMap, embeddingModelsMap, toolsMap, toolsetsMap, promptsMap, promptsetsMap, err := validateReloadEdits(ctx, toolsFile)
 	if err != nil {
 		errMsg := fmt.Errorf("unable to validate reloaded edits: %w", err)
 		logger.WarnContext(ctx, errMsg.Error())
 		return err
 	}
 
-	s.ResourceMgr.SetResources(sourcesMap, authServicesMap, toolsMap, toolsetsMap, promptsMap, promptsetsMap)
+	s.ResourceMgr.SetResources(sourcesMap, authServicesMap, embeddingModelsMap, toolsMap, toolsetsMap, promptsMap, promptsetsMap)
 
 	return nil
 }
@@ -598,7 +616,7 @@ func handleDynamicReload(ctx context.Context, toolsFile ToolsFile, s *server.Ser
 // validateReloadEdits checks that the reloaded tools file configs can initialized without failing
 func validateReloadEdits(
 	ctx context.Context, toolsFile ToolsFile,
-) (map[string]sources.Source, map[string]auth.AuthService, map[string]tools.Tool, map[string]tools.Toolset, map[string]prompts.Prompt, map[string]prompts.Promptset, error,
+) (map[string]sources.Source, map[string]auth.AuthService, map[string]embeddingmodels.EmbeddingModel, map[string]tools.Tool, map[string]tools.Toolset, map[string]prompts.Prompt, map[string]prompts.Promptset, error,
 ) {
 	logger, err := util.LoggerFromContext(ctx)
 	if err != nil {
@@ -616,22 +634,23 @@ func validateReloadEdits(
 	defer span.End()
 
 	reloadedConfig := server.ServerConfig{
-		Version:            versionString,
-		SourceConfigs:      toolsFile.Sources,
-		AuthServiceConfigs: toolsFile.AuthServices,
-		ToolConfigs:        toolsFile.Tools,
-		ToolsetConfigs:     toolsFile.Toolsets,
-		PromptConfigs:      toolsFile.Prompts,
+		Version:               versionString,
+		SourceConfigs:         toolsFile.Sources,
+		AuthServiceConfigs:    toolsFile.AuthServices,
+		EmbeddingModelConfigs: toolsFile.EmbeddingModels,
+		ToolConfigs:           toolsFile.Tools,
+		ToolsetConfigs:        toolsFile.Toolsets,
+		PromptConfigs:         toolsFile.Prompts,
 	}
 
-	sourcesMap, authServicesMap, toolsMap, toolsetsMap, promptsMap, promptsetsMap, err := server.InitializeConfigs(ctx, reloadedConfig)
+	sourcesMap, authServicesMap, embeddingModelsMap, toolsMap, toolsetsMap, promptsMap, promptsetsMap, err := server.InitializeConfigs(ctx, reloadedConfig)
 	if err != nil {
 		errMsg := fmt.Errorf("unable to initialize reloaded configs: %w", err)
 		logger.WarnContext(ctx, errMsg.Error())
-		return nil, nil, nil, nil, nil, nil, err
+		return nil, nil, nil, nil, nil, nil, nil, err
 	}
 
-	return sourcesMap, authServicesMap, toolsMap, toolsetsMap, promptsMap, promptsetsMap, nil
+	return sourcesMap, authServicesMap, embeddingModelsMap, toolsMap, toolsetsMap, promptsMap, promptsetsMap, nil
 }
 
 // watchChanges checks for changes in the provided yaml tools file(s) or folder.
@@ -930,6 +949,7 @@ func run(cmd *Command) error {
 
 	cmd.cfg.SourceConfigs = finalToolsFile.Sources
 	cmd.cfg.AuthServiceConfigs = finalToolsFile.AuthServices
+	cmd.cfg.EmbeddingModelConfigs = finalToolsFile.EmbeddingModels
 	cmd.cfg.ToolConfigs = finalToolsFile.Tools
 	cmd.cfg.ToolsetConfigs = finalToolsFile.Toolsets
 	cmd.cfg.PromptConfigs = finalToolsFile.Prompts

cmd/root_test.go

@@ -32,6 +32,7 @@ import (
 	"github.com/google/go-cmp/cmp"
 
 	"github.com/googleapis/genai-toolbox/internal/auth/google"
+	"github.com/googleapis/genai-toolbox/internal/embeddingmodels/gemini"
 	"github.com/googleapis/genai-toolbox/internal/log"
 	"github.com/googleapis/genai-toolbox/internal/prebuiltconfigs"
 	"github.com/googleapis/genai-toolbox/internal/prompts"
@@ -66,6 +67,9 @@ func withDefaults(c server.ServerConfig) server.ServerConfig {
 	if c.AllowedOrigins == nil {
 		c.AllowedOrigins = []string{"*"}
 	}
+	if c.AllowedHosts == nil {
+		c.AllowedHosts = []string{"*"}
+	}
 	return c
 }
 
@@ -219,6 +223,13 @@ func TestServerConfigFlags(t *testing.T) {
 				AllowedOrigins: []string{"http://foo.com", "http://bar.com"},
 			}),
 		},
+		{
+			desc: "allowed hosts",
+			args: []string{"--allowed-hosts", "http://foo.com,http://bar.com"},
+			want: withDefaults(server.ServerConfig{
+				AllowedHosts: []string{"http://foo.com", "http://bar.com"},
+			}),
+		},
 	}
 	for _, tc := range tcs {
 		t.Run(tc.desc, func(t *testing.T) {
@@ -1351,6 +1362,7 @@ func TestPrebuiltTools(t *testing.T) {
 	cloudsqlmssqlobsvconfig, _ := prebuiltconfigs.Get("cloud-sql-mssql-observability")
 	serverless_spark_config, _ := prebuiltconfigs.Get("serverless-spark")
 	cloudhealthcare_config, _ := prebuiltconfigs.Get("cloud-healthcare")
+	snowflake_config, _ := prebuiltconfigs.Get("snowflake")
 
 	// Set environment variables
 	t.Setenv("API_KEY", "your_api_key")
@@ -1448,6 +1460,14 @@ func TestPrebuiltTools(t *testing.T) {
 	t.Setenv("CLOUD_HEALTHCARE_REGION", "your_gcp_region")
 	t.Setenv("CLOUD_HEALTHCARE_DATASET", "your_healthcare_dataset")
 
+	t.Setenv("SNOWFLAKE_ACCOUNT", "your_account")
+	t.Setenv("SNOWFLAKE_USER", "your_username")
+	t.Setenv("SNOWFLAKE_PASSWORD", "your_pass")
+	t.Setenv("SNOWFLAKE_DATABASE", "your_db")
+	t.Setenv("SNOWFLAKE_SCHEMA", "your_schema")
+	t.Setenv("SNOWFLAKE_WAREHOUSE", "your_wh")
+	t.Setenv("SNOWFLAKE_ROLE", "your_role")
+
 	ctx, err := testutils.ContextWithNewLogger()
 	if err != nil {
 		t.Fatalf("unexpected error: %s", err)
@@ -1503,7 +1523,7 @@ func TestPrebuiltTools(t *testing.T) {
 			wantToolset: server.ToolsetConfigs{
 				"alloydb_postgres_database_tools": tools.ToolsetConfig{
 					Name:      "alloydb_postgres_database_tools",
-					ToolNames: []string{"execute_sql", "list_tables", "list_active_queries", "list_available_extensions", "list_installed_extensions", "list_autovacuum_configurations", "list_memory_configurations", "list_top_bloated_tables", "list_replication_slots", "list_invalid_indexes", "get_query_plan", "list_views", "list_schemas", "database_overview", "list_triggers", "list_indexes", "list_sequences", "long_running_transactions", "list_locks", "replication_stats", "list_query_stats", "get_column_cardinality", "list_publication_tables", "list_tablespaces", "list_pg_settings", "list_database_stats", "list_roles", "list_table_stats"},
+					ToolNames: []string{"execute_sql", "list_tables", "list_active_queries", "list_available_extensions", "list_installed_extensions", "list_autovacuum_configurations", "list_memory_configurations", "list_top_bloated_tables", "list_replication_slots", "list_invalid_indexes", "get_query_plan", "list_views", "list_schemas", "database_overview", "list_triggers", "list_indexes", "list_sequences", "long_running_transactions", "list_locks", "replication_stats", "list_query_stats", "get_column_cardinality", "list_publication_tables", "list_tablespaces", "list_pg_settings", "list_database_stats", "list_roles", "list_table_stats", "list_stored_procedure"},
 				},
 			},
 		},
@@ -1533,7 +1553,7 @@ func TestPrebuiltTools(t *testing.T) {
 			wantToolset: server.ToolsetConfigs{
 				"cloud_sql_postgres_database_tools": tools.ToolsetConfig{
 					Name:      "cloud_sql_postgres_database_tools",
-					ToolNames: []string{"execute_sql", "list_tables", "list_active_queries", "list_available_extensions", "list_installed_extensions", "list_autovacuum_configurations", "list_memory_configurations", "list_top_bloated_tables", "list_replication_slots", "list_invalid_indexes", "get_query_plan", "list_views", "list_schemas", "database_overview", "list_triggers", "list_indexes", "list_sequences", "long_running_transactions", "list_locks", "replication_stats", "list_query_stats", "get_column_cardinality", "list_publication_tables", "list_tablespaces", "list_pg_settings", "list_database_stats", "list_roles", "list_table_stats"},
+					ToolNames: []string{"execute_sql", "list_tables", "list_active_queries", "list_available_extensions", "list_installed_extensions", "list_autovacuum_configurations", "list_memory_configurations", "list_top_bloated_tables", "list_replication_slots", "list_invalid_indexes", "get_query_plan", "list_views", "list_schemas", "database_overview", "list_triggers", "list_indexes", "list_sequences", "long_running_transactions", "list_locks", "replication_stats", "list_query_stats", "get_column_cardinality", "list_publication_tables", "list_tablespaces", "list_pg_settings", "list_database_stats", "list_roles", "list_table_stats", "list_stored_procedure"},
 				},
 			},
 		},
@@ -1633,7 +1653,7 @@ func TestPrebuiltTools(t *testing.T) {
 			wantToolset: server.ToolsetConfigs{
 				"postgres_database_tools": tools.ToolsetConfig{
 					Name:      "postgres_database_tools",
-					ToolNames: []string{"execute_sql", "list_tables", "list_active_queries", "list_available_extensions", "list_installed_extensions", "list_autovacuum_configurations", "list_memory_configurations", "list_top_bloated_tables", "list_replication_slots", "list_invalid_indexes", "get_query_plan", "list_views", "list_schemas", "database_overview", "list_triggers", "list_indexes", "list_sequences", "long_running_transactions", "list_locks", "replication_stats", "list_query_stats", "get_column_cardinality", "list_publication_tables", "list_tablespaces", "list_pg_settings", "list_database_stats", "list_roles", "list_table_stats"},
+					ToolNames: []string{"execute_sql", "list_tables", "list_active_queries", "list_available_extensions", "list_installed_extensions", "list_autovacuum_configurations", "list_memory_configurations", "list_top_bloated_tables", "list_replication_slots", "list_invalid_indexes", "get_query_plan", "list_views", "list_schemas", "database_overview", "list_triggers", "list_indexes", "list_sequences", "long_running_transactions", "list_locks", "replication_stats", "list_query_stats", "get_column_cardinality", "list_publication_tables", "list_tablespaces", "list_pg_settings", "list_database_stats", "list_roles", "list_table_stats", "list_stored_procedure"},
 				},
 			},
 		},
@@ -1745,6 +1765,16 @@ func TestPrebuiltTools(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "Snowflake prebuilt tool",
+			in:   snowflake_config,
+			wantToolset: server.ToolsetConfigs{
+				"snowflake_tools": tools.ToolsetConfig{
+					Name:      "snowflake_tools",
+					ToolNames: []string{"execute_sql", "list_tables"},
+				},
+			},
+		},
 	}
 
 	for _, tc := range tcs {
@@ -1830,9 +1860,10 @@ func TestFileLoadingErrors(t *testing.T) {
 
 func TestMergeToolsFiles(t *testing.T) {
 	file1 := ToolsFile{
-		Sources:  server.SourceConfigs{"source1": httpsrc.Config{Name: "source1"}},
-		Tools:    server.ToolConfigs{"tool1": http.Config{Name: "tool1"}},
-		Toolsets: server.ToolsetConfigs{"set1": tools.ToolsetConfig{Name: "set1"}},
+		Sources:         server.SourceConfigs{"source1": httpsrc.Config{Name: "source1"}},
+		Tools:           server.ToolConfigs{"tool1": http.Config{Name: "tool1"}},
+		Toolsets:        server.ToolsetConfigs{"set1": tools.ToolsetConfig{Name: "set1"}},
+		EmbeddingModels: server.EmbeddingModelConfigs{"model1": gemini.Config{Name: "gemini-text"}},
 	}
 	file2 := ToolsFile{
 		AuthServices: server.AuthServiceConfigs{"auth1": google.Config{Name: "auth1"}},
@@ -1854,11 +1885,12 @@ func TestMergeToolsFiles(t *testing.T) {
 			name:  "merge two distinct files",
 			files: []ToolsFile{file1, file2},
 			want: ToolsFile{
-				Sources:      server.SourceConfigs{"source1": httpsrc.Config{Name: "source1"}},
-				AuthServices: server.AuthServiceConfigs{"auth1": google.Config{Name: "auth1"}},
-				Tools:        server.ToolConfigs{"tool1": http.Config{Name: "tool1"}, "tool2": http.Config{Name: "tool2"}},
-				Toolsets:     server.ToolsetConfigs{"set1": tools.ToolsetConfig{Name: "set1"}, "set2": tools.ToolsetConfig{Name: "set2"}},
-				Prompts:      server.PromptConfigs{},
+				Sources:         server.SourceConfigs{"source1": httpsrc.Config{Name: "source1"}},
+				AuthServices:    server.AuthServiceConfigs{"auth1": google.Config{Name: "auth1"}},
+				Tools:           server.ToolConfigs{"tool1": http.Config{Name: "tool1"}, "tool2": http.Config{Name: "tool2"}},
+				Toolsets:        server.ToolsetConfigs{"set1": tools.ToolsetConfig{Name: "set1"}, "set2": tools.ToolsetConfig{Name: "set2"}},
+				Prompts:         server.PromptConfigs{},
+				EmbeddingModels: server.EmbeddingModelConfigs{"model1": gemini.Config{Name: "gemini-text"}},
 			},
 			wantErr: false,
 		},
@@ -1871,22 +1903,24 @@ func TestMergeToolsFiles(t *testing.T) {
 			name:  "merge single file",
 			files: []ToolsFile{file1},
 			want: ToolsFile{
-				Sources:      file1.Sources,
-				AuthServices: make(server.AuthServiceConfigs),
-				Tools:        file1.Tools,
-				Toolsets:     file1.Toolsets,
-				Prompts:      server.PromptConfigs{},
+				Sources:         file1.Sources,
+				AuthServices:    make(server.AuthServiceConfigs),
+				EmbeddingModels: server.EmbeddingModelConfigs{"model1": gemini.Config{Name: "gemini-text"}},
+				Tools:           file1.Tools,
+				Toolsets:        file1.Toolsets,
+				Prompts:         server.PromptConfigs{},
 			},
 		},
 		{
 			name:  "merge empty list",
 			files: []ToolsFile{},
 			want: ToolsFile{
-				Sources:      make(server.SourceConfigs),
-				AuthServices: make(server.AuthServiceConfigs),
-				Tools:        make(server.ToolConfigs),
-				Toolsets:     make(server.ToolsetConfigs),
-				Prompts:      server.PromptConfigs{},
+				Sources:         make(server.SourceConfigs),
+				AuthServices:    make(server.AuthServiceConfigs),
+				EmbeddingModels: make(server.EmbeddingModelConfigs),
+				Tools:           make(server.ToolConfigs),
+				Toolsets:        make(server.ToolsetConfigs),
+				Prompts:         server.PromptConfigs{},
 			},
 		},
 	}

cmd/version.txt

@@ -1 +1 @@
-0.24.0
+0.25.0

docs/BIGQUERY_README.md

@@ -68,6 +68,7 @@ The BigQuery MCP server is configured using environment variables.
 export BIGQUERY_PROJECT="<your-gcp-project-id>"
 export BIGQUERY_LOCATION="<your-dataset-location>"  # Optional
 export BIGQUERY_USE_CLIENT_OAUTH="true"  # Optional
+export BIGQUERY_SCOPES="<comma-separated-scopes>"  # Optional
 ```
 
 Add the following configuration to your MCP client (e.g., `settings.json` for Gemini CLI, `mcp_config.json` for Antigravity):

docs/en/blogs/_index.md

@@ -0,0 +1,18 @@
+---
+title: "Featured Articles"
+weight: 3
+description: Toolbox Medium Blogs
+manualLink: "https://medium.com/@mcp_toolbox"
+manualLinkTarget: _blank
+---
+
+<html>
+  <head>
+    <title>Redirecting to Featured Articles</title>
+    <link rel="canonical" href="https://medium.com/@mcp_toolbox"/>
+    <meta http-equiv="refresh" content="0;url=https://medium.com/@mcp_toolbox"/>
+  </head>
+  <body>
+    <p>If you are not automatically redirected, please <a href="https://medium.com/@mcp_toolbox">follow this link to our articles</a>.</p>
+  </body>
+</html>

docs/en/getting-started/colab_quickstart.ipynb

@@ -234,7 +234,7 @@
       },
       "outputs": [],
       "source": [
-        "version = \"0.24.0\" # x-release-please-version\n",
+        "version = \"0.25.0\" # x-release-please-version\n",
         "! curl -O https://storage.googleapis.com/genai-toolbox/v{version}/linux/amd64/toolbox\n",
         "\n",
         "# Make the binary executable\n",

docs/en/getting-started/introduction/_index.md

@@ -103,7 +103,7 @@ To install Toolbox as a binary on Linux (AMD64):
 
 ```sh
 # see releases page for other versions
-export VERSION=0.24.0
+export VERSION=0.25.0
 curl -L -o toolbox https://storage.googleapis.com/genai-toolbox/v$VERSION/linux/amd64/toolbox
 chmod +x toolbox
 ```
@@ -114,7 +114,7 @@ To install Toolbox as a binary on macOS (Apple Silicon):
 
 ```sh
 # see releases page for other versions
-export VERSION=0.24.0
+export VERSION=0.25.0
 curl -L -o toolbox https://storage.googleapis.com/genai-toolbox/v$VERSION/darwin/arm64/toolbox
 chmod +x toolbox
 ```
@@ -125,7 +125,7 @@ To install Toolbox as a binary on macOS (Intel):
 
 ```sh
 # see releases page for other versions
-export VERSION=0.24.0
+export VERSION=0.25.0
 curl -L -o toolbox https://storage.googleapis.com/genai-toolbox/v$VERSION/darwin/amd64/toolbox
 chmod +x toolbox
 ```
@@ -136,7 +136,7 @@ To install Toolbox as a binary on Windows (Command Prompt):
 
 ```cmd
 :: see releases page for other versions
-set VERSION=0.24.0
+set VERSION=0.25.0
 curl -o toolbox.exe "https://storage.googleapis.com/genai-toolbox/v%VERSION%/windows/amd64/toolbox.exe"
 ```
 
@@ -146,7 +146,7 @@ To install Toolbox as a binary on Windows (PowerShell):
 
 ```powershell
 # see releases page for other versions
-$VERSION = "0.24.0"
+$VERSION = "0.25.0"
 curl.exe -o toolbox.exe "https://storage.googleapis.com/genai-toolbox/v$VERSION/windows/amd64/toolbox.exe"
 ```
 
@@ -158,7 +158,7 @@ You can also install Toolbox as a container:
 
 ```sh
 # see releases page for other versions
-export VERSION=0.24.0
+export VERSION=0.25.0
 docker pull us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:$VERSION
 ```
 
@@ -177,7 +177,7 @@ To install from source, ensure you have the latest version of
 [Go installed](https://go.dev/doc/install), and then run the following command:
 
 ```sh
-go install github.com/googleapis/genai-toolbox@v0.24.0
+go install github.com/googleapis/genai-toolbox@v0.25.0
 ```
 
 {{% /tab %}}

docs/en/getting-started/mcp_quickstart/_index.md

@@ -105,7 +105,7 @@ In this section, we will download Toolbox, configure our tools in a
     <!-- {x-release-please-start-version} -->
     ```bash
     export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/$OS/toolbox
     ```
     <!-- {x-release-please-end} -->
 

docs/en/getting-started/quickstart/go/adkgo/go.mod

@@ -28,11 +28,11 @@ require (
 	go.opentelemetry.io/otel/metric v1.38.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.38.0 // indirect
 	go.opentelemetry.io/otel/trace v1.38.0 // indirect
-	golang.org/x/crypto v0.43.0 // indirect
-	golang.org/x/net v0.46.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
 	golang.org/x/oauth2 v0.32.0 // indirect
-	golang.org/x/sys v0.37.0 // indirect
-	golang.org/x/text v0.30.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	google.golang.org/api v0.255.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20251029180050-ab9386a59fda // indirect
 	google.golang.org/grpc v1.76.0 // indirect

docs/en/getting-started/quickstart/go/adkgo/go.sum

@@ -88,18 +88,18 @@ go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJr
 go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
-golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
-golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
-golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
 golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
-golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
-golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
 golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=

docs/en/getting-started/quickstart/js/adk/package-lock.json

@@ -1813,9 +1813,9 @@
       }
     },
     "node_modules/qs": {
-      "version": "6.14.0",
-      "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.0.tgz",
-      "integrity": "sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w==",
+      "version": "6.14.1",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.1.tgz",
+      "integrity": "sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==",
       "license": "BSD-3-Clause",
       "dependencies": {
         "side-channel": "^1.1.0"

docs/en/getting-started/quickstart/js/genAI/package-lock.json

@@ -569,11 +569,12 @@
       }
     },
     "node_modules/jws": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/jws/-/jws-4.0.0.tgz",
-      "integrity": "sha512-KDncfTmOZoOMTFG4mBlG0qUIOlc03fmzH+ru6RgYVZhPkyiy/92Owlt/8UEN+a4TXR1FQetfIpJE8ApdvdVxTg==",
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/jws/-/jws-4.0.1.tgz",
+      "integrity": "sha512-EKI/M/yqPncGUUh44xz0PxSidXFr/+r0pA70+gIYhjv+et7yxM+s29Y+VGDkovRofQem0fs7Uvf4+YmAdyRduA==",
+      "license": "MIT",
       "dependencies": {
-        "jwa": "^2.0.0",
+        "jwa": "^2.0.1",
         "safe-buffer": "^5.0.1"
       }
     },

docs/en/getting-started/quickstart/js/genkit/package-lock.json

@@ -3376,22 +3376,23 @@
       }
     },
     "node_modules/body-parser": {
-      "version": "1.20.3",
-      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.3.tgz",
-      "integrity": "sha512-7rAxByjUMqQ3/bHJy7D6OGXvx/MMc4IqBn/X0fcM1QUcAItpZrBEYhWGem+tzXH90c+G01ypMcYJBO9Y30203g==",
+      "version": "1.20.4",
+      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.4.tgz",
+      "integrity": "sha512-ZTgYYLMOXY9qKU/57FAo8F+HA2dGX7bqGc71txDRC1rS4frdFI5R7NhluHxH6M0YItAP0sHB4uqAOcYKxO6uGA==",
+      "license": "MIT",
       "dependencies": {
-        "bytes": "3.1.2",
+        "bytes": "~3.1.2",
         "content-type": "~1.0.5",
         "debug": "2.6.9",
         "depd": "2.0.0",
-        "destroy": "1.2.0",
-        "http-errors": "2.0.0",
-        "iconv-lite": "0.4.24",
-        "on-finished": "2.4.1",
-        "qs": "6.13.0",
-        "raw-body": "2.5.2",
+        "destroy": "~1.2.0",
+        "http-errors": "~2.0.1",
+        "iconv-lite": "~0.4.24",
+        "on-finished": "~2.4.1",
+        "qs": "~6.14.0",
+        "raw-body": "~2.5.3",
         "type-is": "~1.6.18",
-        "unpipe": "1.0.0"
+        "unpipe": "~1.0.0"
       },
       "engines": {
         "node": ">= 0.8",
@@ -3406,11 +3407,40 @@
         "ms": "2.0.0"
       }
     },
+    "node_modules/body-parser/node_modules/http-errors": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz",
+      "integrity": "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==",
+      "license": "MIT",
+      "dependencies": {
+        "depd": "~2.0.0",
+        "inherits": "~2.0.4",
+        "setprototypeof": "~1.2.0",
+        "statuses": "~2.0.2",
+        "toidentifier": "~1.0.1"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
     "node_modules/body-parser/node_modules/ms": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
       "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
     },
+    "node_modules/body-parser/node_modules/statuses": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz",
+      "integrity": "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
     "node_modules/buffer-equal-constant-time": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/buffer-equal-constant-time/-/buffer-equal-constant-time-1.0.1.tgz",
@@ -3434,6 +3464,7 @@
       "version": "3.1.2",
       "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz",
       "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==",
+      "license": "MIT",
       "engines": {
         "node": ">= 0.8"
       }
@@ -3830,38 +3861,39 @@
       }
     },
     "node_modules/express": {
-      "version": "4.21.2",
-      "resolved": "https://registry.npmjs.org/express/-/express-4.21.2.tgz",
-      "integrity": "sha512-28HqgMZAmih1Czt9ny7qr6ek2qddF4FclbMzwhCREB6OFfH+rXAnuNCwo1/wFvrtbgsQDb4kSbX9de9lFbrXnA==",
+      "version": "4.22.1",
+      "resolved": "https://registry.npmjs.org/express/-/express-4.22.1.tgz",
+      "integrity": "sha512-F2X8g9P1X7uCPZMA3MVf9wcTqlyNp7IhH5qPCI0izhaOIYXaW9L535tGA3qmjRzpH+bZczqq7hVKxTR4NWnu+g==",
+      "license": "MIT",
       "dependencies": {
         "accepts": "~1.3.8",
         "array-flatten": "1.1.1",
-        "body-parser": "1.20.3",
-        "content-disposition": "0.5.4",
+        "body-parser": "~1.20.3",
+        "content-disposition": "~0.5.4",
         "content-type": "~1.0.4",
-        "cookie": "0.7.1",
-        "cookie-signature": "1.0.6",
+        "cookie": "~0.7.1",
+        "cookie-signature": "~1.0.6",
         "debug": "2.6.9",
         "depd": "2.0.0",
         "encodeurl": "~2.0.0",
         "escape-html": "~1.0.3",
         "etag": "~1.8.1",
-        "finalhandler": "1.3.1",
-        "fresh": "0.5.2",
-        "http-errors": "2.0.0",
+        "finalhandler": "~1.3.1",
+        "fresh": "~0.5.2",
+        "http-errors": "~2.0.0",
         "merge-descriptors": "1.0.3",
         "methods": "~1.1.2",
-        "on-finished": "2.4.1",
+        "on-finished": "~2.4.1",
         "parseurl": "~1.3.3",
-        "path-to-regexp": "0.1.12",
+        "path-to-regexp": "~0.1.12",
         "proxy-addr": "~2.0.7",
-        "qs": "6.13.0",
+        "qs": "~6.14.0",
         "range-parser": "~1.2.1",
         "safe-buffer": "5.2.1",
-        "send": "0.19.0",
-        "serve-static": "1.16.2",
+        "send": "~0.19.0",
+        "serve-static": "~1.16.2",
         "setprototypeof": "1.2.0",
-        "statuses": "2.0.1",
+        "statuses": "~2.0.1",
         "type-is": "~1.6.18",
         "utils-merge": "1.0.1",
         "vary": "~1.1.2"
@@ -4904,6 +4936,7 @@
       "version": "0.4.24",
       "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
       "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
+      "license": "MIT",
       "dependencies": {
         "safer-buffer": ">= 2.1.2 < 3"
       },
@@ -5661,11 +5694,12 @@
       }
     },
     "node_modules/qs": {
-      "version": "6.13.0",
-      "resolved": "https://registry.npmjs.org/qs/-/qs-6.13.0.tgz",
-      "integrity": "sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg==",
+      "version": "6.14.1",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.1.tgz",
+      "integrity": "sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==",
+      "license": "BSD-3-Clause",
       "dependencies": {
-        "side-channel": "^1.0.6"
+        "side-channel": "^1.1.0"
       },
       "engines": {
         "node": ">=0.6"
@@ -5683,19 +5717,49 @@
       }
     },
     "node_modules/raw-body": {
-      "version": "2.5.2",
-      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.2.tgz",
-      "integrity": "sha512-8zGqypfENjCIqGhgXToC8aB2r7YrBX+AQAfIPs/Mlk+BtPTztOvTS01NRW/3Eh60J+a48lt8qsCzirQ6loCVfA==",
+      "version": "2.5.3",
+      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.3.tgz",
+      "integrity": "sha512-s4VSOf6yN0rvbRZGxs8Om5CWj6seneMwK3oDb4lWDH0UPhWcxwOWw5+qk24bxq87szX1ydrwylIOp2uG1ojUpA==",
+      "license": "MIT",
       "dependencies": {
-        "bytes": "3.1.2",
-        "http-errors": "2.0.0",
-        "iconv-lite": "0.4.24",
-        "unpipe": "1.0.0"
+        "bytes": "~3.1.2",
+        "http-errors": "~2.0.1",
+        "iconv-lite": "~0.4.24",
+        "unpipe": "~1.0.0"
       },
       "engines": {
         "node": ">= 0.8"
       }
     },
+    "node_modules/raw-body/node_modules/http-errors": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz",
+      "integrity": "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==",
+      "license": "MIT",
+      "dependencies": {
+        "depd": "~2.0.0",
+        "inherits": "~2.0.4",
+        "setprototypeof": "~1.2.0",
+        "statuses": "~2.0.2",
+        "toidentifier": "~1.0.1"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/raw-body/node_modules/statuses": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz",
+      "integrity": "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
     "node_modules/readable-stream": {
       "version": "3.6.2",
       "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.2.tgz",
@@ -5813,7 +5877,8 @@
     "node_modules/safer-buffer": {
       "version": "2.1.2",
       "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
-      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="
+      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==",
+      "license": "MIT"
     },
     "node_modules/semver": {
       "version": "7.7.2",

docs/en/getting-started/quickstart/js/langchain/package-lock.json

@@ -66,40 +66,6 @@
         "node": ">=20"
       }
     },
-    "node_modules/@langchain/core/node_modules/langsmith": {
-      "version": "0.4.2",
-      "resolved": "https://registry.npmjs.org/langsmith/-/langsmith-0.4.2.tgz",
-      "integrity": "sha512-BvBeFgSmR9esl8x5wsiDlALiHKKPybw2wE2Hh6x1tgSZki46H9c9KI9/06LARbPhyyDu/TZU7exfg6fnhdj1Qg==",
-      "license": "MIT",
-      "dependencies": {
-        "@types/uuid": "^10.0.0",
-        "chalk": "^4.1.2",
-        "console-table-printer": "^2.12.1",
-        "p-queue": "^6.6.2",
-        "semver": "^7.6.3",
-        "uuid": "^10.0.0"
-      },
-      "peerDependencies": {
-        "@opentelemetry/api": "*",
-        "@opentelemetry/exporter-trace-otlp-proto": "*",
-        "@opentelemetry/sdk-trace-base": "*",
-        "openai": "*"
-      },
-      "peerDependenciesMeta": {
-        "@opentelemetry/api": {
-          "optional": true
-        },
-        "@opentelemetry/exporter-trace-otlp-proto": {
-          "optional": true
-        },
-        "@opentelemetry/sdk-trace-base": {
-          "optional": true
-        },
-        "openai": {
-          "optional": true
-        }
-      }
-    },
     "node_modules/@langchain/google-genai": {
       "version": "2.1.3",
       "resolved": "https://registry.npmjs.org/@langchain/google-genai/-/google-genai-2.1.3.tgz",
@@ -888,13 +854,14 @@
       }
     },
     "node_modules/langchain": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/langchain/-/langchain-1.0.2.tgz",
-      "integrity": "sha512-He/xvjVl8DHESvdaW6Dpyba72OaLCAfS2CyOm1aWrlJ4C38dKXyTIxphtld8hiii6MWX7qMSmu2EaUwWBx2STg==",
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/langchain/-/langchain-1.2.3.tgz",
+      "integrity": "sha512-3k986xJuqg4az53JxV5LnGlOzIXF1d9Kq6Y9s7XjitvzhpsbFuTDV5/kiF4cx3pkNGyw0mUXC4tLz9RxucO0hw==",
+      "license": "MIT",
       "dependencies": {
         "@langchain/langgraph": "^1.0.0",
         "@langchain/langgraph-checkpoint": "^1.0.0",
-        "langsmith": "~0.3.74",
+        "langsmith": ">=0.4.0 <1.0.0",
         "uuid": "^10.0.0",
         "zod": "^3.25.76 || ^4"
       },
@@ -902,19 +869,19 @@
         "node": ">=20"
       },
       "peerDependencies": {
-        "@langchain/core": "^1.0.0"
+        "@langchain/core": "1.1.8"
       }
     },
     "node_modules/langsmith": {
-      "version": "0.3.77",
-      "resolved": "https://registry.npmjs.org/langsmith/-/langsmith-0.3.77.tgz",
-      "integrity": "sha512-wbS/9IX/hOAsOEOtPj8kCS8H0tFHaelwQ97gTONRtIfoPPLd9MMUmhk0KQB5DdsGAI5abg966+f0dZ/B+YRRzg==",
+      "version": "0.4.3",
+      "resolved": "https://registry.npmjs.org/langsmith/-/langsmith-0.4.3.tgz",
+      "integrity": "sha512-vuBAagBZulXj0rpZhUTxmHhrYIBk53z8e2Q8ty4OHVkahN4ul7Im3OZxD9jsXZB0EuncK1xRYtY8J3BW4vj1zw==",
+      "license": "MIT",
       "dependencies": {
         "@types/uuid": "^10.0.0",
         "chalk": "^4.1.2",
         "console-table-printer": "^2.12.1",
         "p-queue": "^6.6.2",
-        "p-retry": "4",
         "semver": "^7.6.3",
         "uuid": "^10.0.0"
       },

docs/en/getting-started/quickstart/js/llamaindex/package-lock.json

@@ -882,11 +882,12 @@
       }
     },
     "node_modules/jws": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/jws/-/jws-4.0.0.tgz",
-      "integrity": "sha512-KDncfTmOZoOMTFG4mBlG0qUIOlc03fmzH+ru6RgYVZhPkyiy/92Owlt/8UEN+a4TXR1FQetfIpJE8ApdvdVxTg==",
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/jws/-/jws-4.0.1.tgz",
+      "integrity": "sha512-EKI/M/yqPncGUUh44xz0PxSidXFr/+r0pA70+gIYhjv+et7yxM+s29Y+VGDkovRofQem0fs7Uvf4+YmAdyRduA==",
+      "license": "MIT",
       "dependencies": {
-        "jwa": "^2.0.0",
+        "jwa": "^2.0.1",
         "safe-buffer": "^5.0.1"
       }
     },

docs/en/getting-started/quickstart/python/core/requirements.txt

@@ -1,3 +1,3 @@
-google-genai==1.56.0
+google-genai==1.57.0
 toolbox-core==0.5.4
 pytest==9.0.2

docs/en/getting-started/quickstart/python/langchain/requirements.txt

@@ -1,5 +1,5 @@
-langchain==1.2.0
-langchain-google-vertexai==3.2.0
+langchain==1.2.2
+langchain-google-vertexai==3.2.1
 langgraph==1.0.5
 toolbox-langchain==0.5.4
 pytest==9.0.2

docs/en/getting-started/quickstart/shared/configure_toolbox.md

@@ -13,7 +13,7 @@ In this section, we will download Toolbox, configure our tools in a
     <!-- {x-release-please-start-version} -->
     ```bash
     export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/$OS/toolbox
     ```
     <!-- {x-release-please-end} -->
 

docs/en/how-to/connect-ide/looker_mcp.md

@@ -100,19 +100,19 @@ After you install Looker in the MCP Store, resources and tools from the server a
 
 {{< tabpane persist=header >}}
 {{< tab header="linux/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/linux/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/linux/amd64/toolbox
 {{< /tab >}}
 
 {{< tab header="darwin/arm64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/arm64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/arm64/toolbox
 {{< /tab >}}
 
 {{< tab header="darwin/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/amd64/toolbox
 {{< /tab >}}
 
 {{< tab header="windows/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/windows/amd64/toolbox.exe
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/windows/amd64/toolbox.exe
 {{< /tab >}}
 {{< /tabpane >}}
     <!-- {x-release-please-end} -->

docs/en/how-to/connect-ide/mssql_mcp.md

@@ -45,19 +45,19 @@ instance:
    <!-- {x-release-please-start-version} -->
    {{< tabpane persist=header >}}
 {{< tab header="linux/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/linux/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/linux/amd64/toolbox
 {{< /tab >}}
 
 {{< tab header="darwin/arm64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/arm64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/arm64/toolbox
 {{< /tab >}}
 
 {{< tab header="darwin/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/amd64/toolbox
 {{< /tab >}}
 
 {{< tab header="windows/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/windows/amd64/toolbox.exe
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/windows/amd64/toolbox.exe
 {{< /tab >}}
 {{< /tabpane >}}
     <!-- {x-release-please-end} -->

docs/en/how-to/connect-ide/mysql_mcp.md

@@ -43,19 +43,19 @@ expose your developer assistant tools to a MySQL instance:
    <!-- {x-release-please-start-version} -->
    {{< tabpane persist=header >}}
 {{< tab header="linux/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/linux/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/linux/amd64/toolbox
 {{< /tab >}}
 
 {{< tab header="darwin/arm64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/arm64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/arm64/toolbox
 {{< /tab >}}
 
 {{< tab header="darwin/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/amd64/toolbox
 {{< /tab >}}
 
 {{< tab header="windows/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/windows/amd64/toolbox.exe
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/windows/amd64/toolbox.exe
 {{< /tab >}}
 {{< /tabpane >}}
     <!-- {x-release-please-end} -->

docs/en/how-to/connect-ide/neo4j_mcp.md

@@ -44,19 +44,19 @@ expose your developer assistant tools to a Neo4j instance:
    <!-- {x-release-please-start-version} -->
    {{< tabpane persist=header >}}
 {{< tab header="linux/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/linux/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/linux/amd64/toolbox
 {{< /tab >}}
 
 {{< tab header="darwin/arm64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/arm64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/arm64/toolbox
 {{< /tab >}}
 
 {{< tab header="darwin/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/amd64/toolbox
 {{< /tab >}}
 
 {{< tab header="windows/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/windows/amd64/toolbox.exe
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/windows/amd64/toolbox.exe
 {{< /tab >}}
 {{< /tabpane >}}
     <!-- {x-release-please-end} -->

docs/en/how-to/connect-ide/postgres_mcp.md

@@ -56,19 +56,19 @@ Omni](https://cloud.google.com/alloydb/omni/current/docs/overview).
    <!-- {x-release-please-start-version} -->
    {{< tabpane persist=header >}}
 {{< tab header="linux/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/linux/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/linux/amd64/toolbox
 {{< /tab >}}
 
 {{< tab header="darwin/arm64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/arm64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/arm64/toolbox
 {{< /tab >}}
 
 {{< tab header="darwin/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/amd64/toolbox
 {{< /tab >}}
 
 {{< tab header="windows/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/windows/amd64/toolbox.exe
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/windows/amd64/toolbox.exe
 {{< /tab >}}
 {{< /tabpane >}}
     <!-- {x-release-please-end} -->

docs/en/how-to/connect-ide/sqlite_mcp.md

@@ -43,19 +43,19 @@ to expose your developer assistant tools to a SQLite instance:
    <!-- {x-release-please-start-version} -->
    {{< tabpane persist=header >}}
 {{< tab header="linux/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/linux/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/linux/amd64/toolbox
 {{< /tab >}}
 
 {{< tab header="darwin/arm64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/arm64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/arm64/toolbox
 {{< /tab >}}
 
 {{< tab header="darwin/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/amd64/toolbox
 {{< /tab >}}
 
 {{< tab header="windows/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/windows/amd64/toolbox.exe
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/windows/amd64/toolbox.exe
 {{< /tab >}}
 {{< /tabpane >}}
     <!-- {x-release-please-end} -->

docs/en/how-to/deploy_docker.md

@@ -68,7 +68,12 @@ networks:
 ```
 
     {{< notice tip >}}  
-To prevent DNS rebinding attack, use the `--allowed-origins` flag to specify a
+To prevent DNS rebinding attack, use the `--allowed-hosts` flag to specify a
+list of hosts for validation. E.g. `command: [ "toolbox",
+"--tools-file", "/config/tools.yaml", "--address", "0.0.0.0",
+"--allowed-hosts", "localhost:5000"]`
+
+To implement CORs, use the `--allowed-origins` flag to specify a
 list of origins permitted to access the server. E.g. `command: [ "toolbox",
 "--tools-file", "/config/tools.yaml", "--address", "0.0.0.0",
 "--allowed-origins", "https://foo.bar"]`

docs/en/how-to/deploy_gke.md

@@ -188,9 +188,13 @@ description: >
                   path: tools.yaml
     ```
 
-    {{< notice tip >}}  
+    {{< notice tip >}}
 To prevent DNS rebinding attack, use the `--allowed-origins` flag to specify a
 list of origins permitted to access the server. E.g. `args: ["--address",
+"0.0.0.0", "--allowed-hosts", "foo.bar:5000"]`
+
+To implement CORs, use the `--allowed-origins` flag to specify a
+list of origins permitted to access the server. E.g. `args: ["--address",
 "0.0.0.0", "--allowed-origins", "https://foo.bar"]`
 {{< /notice >}}
 

docs/en/how-to/deploy_toolbox.md

@@ -142,14 +142,18 @@ deployment will time out.
 
 ### Update deployed server to be secure
 
-To prevent DNS rebinding attack, use the `--allowed-origins` flag to specify a
-list of origins permitted to access the server. In order to do that, you will
+To prevent DNS rebinding attack, use the `--allowed-hosts` flag to specify a
+list of hosts. In order to do that, you will
 have to re-deploy the cloud run service with the new flag.
 
+To implement CORs checks, use the `--allowed-origins` flag to specify a list of
+origins permitted to access the server.
+
 1. Set an environment variable to the cloud run url: 
 
     ```bash
     export URL=<cloud run url>
+    export HOST=<cloud run host>
     ```
 
 2. Redeploy Toolbox:
@@ -160,7 +164,7 @@ have to re-deploy the cloud run service with the new flag.
         --service-account toolbox-identity \
         --region us-central1 \
         --set-secrets "/app/tools.yaml=tools:latest" \
-        --args="--tools-file=/app/tools.yaml","--address=0.0.0.0","--port=8080","--allowed-origins=$URL"
+        --args="--tools-file=/app/tools.yaml","--address=0.0.0.0","--port=8080","--allowed-origins=$URL","--allowed-hosts=$HOST"
         # --allow-unauthenticated # https://cloud.google.com/run/docs/authenticating/public#gcloud
     ```
 
@@ -172,7 +176,7 @@ have to re-deploy the cloud run service with the new flag.
         --service-account toolbox-identity \
         --region us-central1 \
         --set-secrets "/app/tools.yaml=tools:latest" \
-        --args="--tools-file=/app/tools.yaml","--address=0.0.0.0","--port=8080","--allowed-origins=$URL" \
+        --args="--tools-file=/app/tools.yaml","--address=0.0.0.0","--port=8080","--allowed-origins=$URL","--allowed-hosts=$HOST" \
         # TODO(dev): update the following to match your VPC if necessary
         --network default \
         --subnet default

docs/en/reference/cli.md

@@ -8,25 +8,26 @@ description: >
 
 ## Reference
 
-| Flag (Short) | Flag (Long)                | Description                                                                                                                                                                                   | Default     |
-|--------------|----------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
-| `-a`         | `--address`                | Address of the interface the server will listen on.                                                                                                                                           | `127.0.0.1` |
-|              | `--disable-reload`         | Disables dynamic reloading of tools file.                                                                                                                                                     |             |
-| `-h`         | `--help`                   | help for toolbox                                                                                                                                                                              |             |
-|              | `--log-level`              | Specify the minimum level logged. Allowed: 'DEBUG', 'INFO', 'WARN', 'ERROR'.                                                                                                                  | `info`      |
-|              | `--logging-format`         | Specify logging format to use. Allowed: 'standard' or 'JSON'.                                                                                                                                 | `standard`  |
-| `-p`         | `--port`                   | Port the server will listen on.                                                                                                                                                               | `5000`      |
-|              | `--prebuilt`               | Use a prebuilt tool configuration by source type. See [Prebuilt Tools Reference](prebuilt-tools.md) for allowed values.                                     |             |
-|              | `--stdio`                  | Listens via MCP STDIO instead of acting as a remote HTTP server.                                                                                                                              |             |
-|              | `--telemetry-gcp`          | Enable exporting directly to Google Cloud Monitoring.                                                                                                                                         |             |
-|              | `--telemetry-otlp`         | Enable exporting using OpenTelemetry Protocol (OTLP) to the specified endpoint (e.g. 'http://127.0.0.1:4318')                                                                                 |             |
-|              | `--telemetry-service-name` | Sets the value of the service.name resource attribute for telemetry data.                                                                                                                     | `toolbox`   |
+| Flag (Short) | Flag (Long)                | Description                                                                                                                                                                      | Default     |
+|--------------|----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
+| `-a`         | `--address`                | Address of the interface the server will listen on.                                                                                                                              | `127.0.0.1` |
+|              | `--disable-reload`         | Disables dynamic reloading of tools file.                                                                                                                                        |             |
+| `-h`         | `--help`                   | help for toolbox                                                                                                                                                                 |             |
+|              | `--log-level`              | Specify the minimum level logged. Allowed: 'DEBUG', 'INFO', 'WARN', 'ERROR'.                                                                                                     | `info`      |
+|              | `--logging-format`         | Specify logging format to use. Allowed: 'standard' or 'JSON'.                                                                                                                    | `standard`  |
+| `-p`         | `--port`                   | Port the server will listen on.                                                                                                                                                  | `5000`      |
+|              | `--prebuilt`               | Use a prebuilt tool configuration by source type. See [Prebuilt Tools Reference](prebuilt-tools.md) for allowed values.                                                          |             |
+|              | `--stdio`                  | Listens via MCP STDIO instead of acting as a remote HTTP server.                                                                                                                 |             |
+|              | `--telemetry-gcp`          | Enable exporting directly to Google Cloud Monitoring.                                                                                                                            |             |
+|              | `--telemetry-otlp`         | Enable exporting using OpenTelemetry Protocol (OTLP) to the specified endpoint (e.g. 'http://127.0.0.1:4318')                                                                    |             |
+|              | `--telemetry-service-name` | Sets the value of the service.name resource attribute for telemetry data.                                                                                                        | `toolbox`   |
 |              | `--tools-file`             | File path specifying the tool configuration. Cannot be used with --tools-files or --tools-folder.                                                                                |             |
 |              | `--tools-files`            | Multiple file paths specifying tool configurations. Files will be merged. Cannot be used with --tools-file or --tools-folder.                                                    |             |
 |              | `--tools-folder`           | Directory path containing YAML tool configuration files. All .yaml and .yml files in the directory will be loaded and merged. Cannot be used with --tools-file or --tools-files. |             |
-|              | `--ui`                     | Launches the Toolbox UI web server.                                                                                                                                                           |             |
-|              | `--allowed-origins`        | Specifies a list of origins permitted to access this server.                                                                                                                                  | `*`         |
-| `-v`         | `--version`                | version for toolbox                                                                                                                                                                           |             |
+|              | `--ui`                     | Launches the Toolbox UI web server.                                                                                                                                              |             |
+|              | `--allowed-origins`        | Specifies a list of origins permitted to access this server for CORs access.                                                                                                     | `*`         |
+|              | `--allowed-hosts`          | Specifies a list of hosts permitted to access this server to prevent DNS rebinding attacks.                                                                                      | `*`         |
+| `-v`         | `--version`                | version for toolbox                                                                                                                                                              |             |
 
 ## Examples
 

docs/en/reference/prebuilt-tools.md

@@ -105,6 +105,8 @@ See [Usage Examples](../reference/cli.md#examples).
     *   `BIGQUERY_LOCATION`: (Optional) The dataset location.
     *   `BIGQUERY_USE_CLIENT_OAUTH`: (Optional) If `true`, forwards the client's
         OAuth access token for authentication. Defaults to `false`.
+    *   `BIGQUERY_SCOPES`: (Optional) A comma-separated list of OAuth scopes to
+        use for authentication.
 *   **Permissions:**
     *   **BigQuery User** (`roles/bigquery.user`) to execute queries and view
         metadata.

docs/en/resources/embeddingModels/_index.md

@@ -0,0 +1,84 @@
+---
+title: "EmbeddingModels"
+type: docs
+weight: 2
+description: >
+  EmbeddingModels represent services that transform text into vector embeddings for semantic search.
+---
+
+EmbeddingModels represent services that generate vector representations of text
+data. In the MCP Toolbox, these models enable **Semantic Queries**,
+allowing [Tools](../tools/) to automatically convert human-readable text into
+numerical vectors before using them in a query.
+
+This is primarily used in two scenarios:
+
+- **Vector Ingestion**: Converting a text parameter into a vector string during
+  an `INSERT` operation.
+
+- **Semantic Search**: Converting a natural language query into a vector to
+  perform similarity searches.
+
+## Example
+
+The following configuration defines an embedding model and applies it to
+specific tool parameters.
+
+{{< notice tip >}}
+Use environment variable replacement with the format ${ENV_NAME}
+instead of hardcoding your API keys into the configuration file.
+{{< /notice >}}
+
+### Step 1 - Define an Embedding Model
+
+Define an embedding model in the `embeddingModels` section:
+
+```yaml
+embeddingModels:
+  gemini-model: # Name of the embedding model
+    kind: gemini
+    model: gemini-embedding-001
+    apiKey: ${GOOGLE_API_KEY}
+    dimension: 768
+
+```
+
+### Step 2 - Embed Tool Parameters
+
+Use the defined embedding model, embed your query parameters using the
+`embeddedBy` field. Only string-typed
+parameters can be embedded:
+
+```yaml
+tools:
+  # Vector ingestion tool
+  insert_embedding:
+    kind: postgres-sql
+    source: my-pg-instance
+    statement: |
+      INSERT INTO documents (content, embedding) 
+      VALUES ($1, $2);
+    parameters:
+      - name: content
+        type: string
+      - name: vector_string
+        type: string
+        description: The text to be vectorized and stored.
+        embeddedBy: gemini-model # refers to the name of a defined embedding model
+
+  # Semantic search tool
+  search_embedding:
+    kind: postgres-sql
+    source: my-pg-instance
+    statement: |
+      SELECT id, content, embedding <-> $1 AS distance 
+      FROM documents
+      ORDER BY distance LIMIT 1
+    parameters:
+      - name: semantic_search_string
+        type: string
+        description: The search query that will be converted to a vector.
+        embeddedBy: gemini-model # refers to the name of a defined embedding model
+```
+
+## Kinds of Embedding Models

docs/en/resources/embeddingModels/gemini.md

@@ -0,0 +1,73 @@
+---
+title: "Gemini Embedding"
+type: docs
+weight: 1
+description: >
+  Use Google's Gemini models to generate high-performance text embeddings for vector databases.
+---
+
+## About
+
+Google Gemini provides state-of-the-art embedding models that convert text into
+high-dimensional vectors. 
+
+### Authentication
+
+Toolbox uses your [Application Default Credentials
+(ADC)][adc] to authorize with the
+Gemini API client.
+
+Optionally, you can use an [API key][api-key] obtain an API
+Key from the [Google AI Studio][ai-studio].
+
+We recommend using an API key for testing and using application default
+credentials for production.
+
+[adc]: https://cloud.google.com/docs/authentication#adc
+[api-key]: https://ai.google.dev/gemini-api/docs/api-key#api-keys
+[ai-studio]: https://aistudio.google.com/app/apikey
+
+## Behavior
+
+### Automatic Vectorization
+
+When a tool parameter is configured with `embeddedBy: <your-gemini-model-name>`,
+the Toolbox intercepts the raw text input from the client and sends it to the
+Gemini API. The resulting numerical array is then formatted before being passed
+to your database source.
+
+### Dimension Matching
+
+The `dimension` field must match the expected size of your database column
+(e.g., a `vector(768)` column in PostgreSQL). This setting is supported by newer
+models since 2024 only. You cannot set this value if using the earlier model
+(`models/embedding-001`). Check out [available Gemini models][modellist] for more
+information.
+
+[modellist]:
+    https://docs.cloud.google.com/vertex-ai/generative-ai/docs/embeddings/get-text-embeddings#supported-models
+
+## Example
+
+```yaml
+embeddingModels:
+  gemini-model:
+    kind: gemini
+    model: gemini-embedding-001
+    apiKey: ${GOOGLE_API_KEY}
+    dimension: 768
+```
+
+{{< notice tip >}}
+Use environment variable replacement with the format ${ENV_NAME}
+instead of hardcoding your secrets into the configuration file.
+{{< /notice >}}
+
+## Reference
+
+| **field** | **type** | **required** | **description**                                              |
+|-----------|:--------:|:------------:|--------------------------------------------------------------|
+| kind      |  string  |     true     | Must be `gemini`.                                            |
+| model     |  string  |     true     | The Gemini model ID to use (e.g., `gemini-embedding-001`).   |
+| apiKey    |  string  |    false     | Your API Key from Google AI Studio.                          |
+| dimension | integer  |    false     | The number of dimensions in the output vector (e.g., `768`). |

docs/en/resources/sources/alloydb-pg.md

@@ -94,7 +94,10 @@ cluster][alloydb-free-trial].
   instance.
 
 - [`postgres-list-roles`](../tools/postgres/postgres-list-roles.md)
-  Lists all the user-created roles in PostgreSQL database..
+  Lists all the user-created roles in PostgreSQL database.
+
+- [`postgres-list-stored-procedure`](../tools/postgres/postgres-list-stored-procedure.md)
+  Lists all the stored procedure in PostgreSQL database.
 
 ### Pre-built Configurations
 

docs/en/resources/sources/bigquery.md

@@ -94,6 +94,13 @@ intend to run. Common roles include `roles/bigquery.user` (which includes
 permissions to run jobs and read data) or `roles/bigbigquery.dataViewer`.
 Follow this [guide][set-adc] to set up your ADC.
 
+If you are running on Google Compute Engine (GCE) or Google Kubernetes Engine
+(GKE), you might need to explicitly set the access scopes for the service
+account. While you can configure scopes when creating the VM or node pool, you
+can also specify them in the source configuration using the `scopes` field.
+Common scopes include `https://www.googleapis.com/auth/bigquery` or
+`https://www.googleapis.com/auth/cloud-platform`.
+
 ### Authentication via User's OAuth Access Token
 
 If the `useClientOAuth` parameter is set to `true`, Toolbox will instead use the
@@ -124,6 +131,9 @@ sources:
     #   - "my_dataset_1"
     #   - "other_project.my_dataset_2"
     # impersonateServiceAccount: "service-account@project-id.iam.gserviceaccount.com" # Optional: Service account to impersonate
+    # scopes: # Optional: List of OAuth scopes to request.
+    #   - "https://www.googleapis.com/auth/bigquery"
+    #   - "https://www.googleapis.com/auth/drive.readonly"
 ```
 
 Initialize a BigQuery source that uses the client's access token:
@@ -140,6 +150,9 @@ sources:
     #   - "my_dataset_1"
     #   - "other_project.my_dataset_2"
     # impersonateServiceAccount: "service-account@project-id.iam.gserviceaccount.com" # Optional: Service account to impersonate
+    # scopes: # Optional: List of OAuth scopes to request.
+    #   - "https://www.googleapis.com/auth/bigquery"
+    #   - "https://www.googleapis.com/auth/drive.readonly"
 ```
 
 ## Reference
@@ -152,4 +165,5 @@ sources:
 | writeMode                 |  string  |    false     | Controls the write behavior for tools. `allowed` (default): All queries are permitted. `blocked`: Only `SELECT` statements are allowed for the `bigquery-execute-sql` tool. `protected`: Enables session-based execution where all tools associated with this source instance share the same [BigQuery session](https://cloud.google.com/bigquery/docs/sessions-intro). This allows for stateful operations using temporary tables (e.g., `CREATE TEMP TABLE`). For `bigquery-execute-sql`, `SELECT` statements can be used on all tables, but write operations are restricted to the session's temporary dataset. For tools like `bigquery-sql`, `bigquery-forecast`, and `bigquery-analyze-contribution`, the `writeMode` restrictions do not apply, but they will operate within the shared session. **Note:** The `protected` mode cannot be used with `useClientOAuth: true`. It is also not recommended for multi-user server environments, as all users would share the same session. A session is terminated automatically after 24 hours of inactivity or after 7 days, whichever comes first. A new session is created on the next request, and any temporary data from the previous session will be lost. |
 | allowedDatasets           | []string |    false     | An optional list of dataset IDs that tools using this source are allowed to access. If provided, any tool operation attempting to access a dataset not in this list will be rejected. To enforce this, two types of operations are also disallowed: 1) Dataset-level operations (e.g., `CREATE SCHEMA`), and 2) operations where table access cannot be statically analyzed (e.g., `EXECUTE IMMEDIATE`, `CREATE PROCEDURE`). If a single dataset is provided, it will be treated as the default for prebuilt tools. |
 | useClientOAuth            |   bool   |    false     | If true, forwards the client's OAuth access token from the "Authorization" header to downstream queries. **Note:** This cannot be used with `writeMode: protected`.                                                                                                                                                                                                                                                                                                                                                |
+| scopes                    | []string |    false     | A list of OAuth 2.0 scopes to use for the credentials. If not provided, default scopes are used.                                                                                                                                                                                                                                                                                                                                                                                                                     |
 | impersonateServiceAccount |  string  |    false     | Service account email to impersonate when making BigQuery and Dataplex API calls. The authenticated principal must have the `roles/iam.serviceAccountTokenCreator` role on the target service account. [Learn More](https://cloud.google.com/iam/docs/service-account-impersonation)                                                                                                                                                                                                                                |

docs/en/resources/sources/cloud-sql-pg.md

@@ -91,7 +91,10 @@ to a database by following these instructions][csql-pg-quickstart].
   instance.
 
 - [`postgres-list-roles`](../tools/postgres/postgres-list-roles.md)
-  Lists all the user-created roles in PostgreSQL database..
+  Lists all the user-created roles in PostgreSQL database.
+
+- [`postgres-list-stored-procedure`](../tools/postgres/postgres-list-stored-procedure.md)
+  Lists all the stored procedure in PostgreSQL database.
 
 ### Pre-built Configurations
 

docs/en/resources/sources/dataplex.md

@@ -229,22 +229,38 @@ Finds resources that were created within, before, or after a given date or time.
 ### Aspect Search
 To search for entries based on their attached aspects, use the following query syntax.
 
-aspect:x	Matches x as a substring of the full path to the aspect type of an aspect that is attached to the entry, in the format projectid.location.ASPECT_TYPE_ID
-aspect=x	Matches x as the full path to the aspect type of an aspect that is attached to the entry, in the format projectid.location.ASPECT_TYPE_ID
-aspect:xOPERATORvalue	
-Searches for aspect field values. Matches x as a substring of the full path to the aspect type and field name of an aspect that is attached to the entry, in the format projectid.location.ASPECT_TYPE_ID.FIELD_NAME
+`has:x`
+Matches `x` as a substring of the full path to the aspect type of an aspect that is attached to the entry, in the format `projectid.location.ASPECT_TYPE_ID`
 
-The list of supported {OPERATOR}s depends on the type of field in the aspect, as follows:
-- String: = (exact match) and : (substring)
-- All number types: =, :, <, >, <=, >=, =>, =<
-- Enum: =
-- Datetime: same as for numbers, but the values to compare are treated as datetimes instead of numbers
-- Boolean: =
+`has=x`
+Matches `x` as the full path to the aspect type of an aspect that is attached to the entry, in the format `projectid.location.ASPECT_TYPE_ID`
 
-Only top-level fields of the aspect are searchable. For example, all of the following queries match entries where the value of the is-enrolled field in the employee-info aspect type is true. Other entries that match on the substring are also returned.
-- aspect:example-project.us-central1.employee-info.is-enrolled=true
-- aspect:example-project.us-central1.employee=true
-- aspect:employee=true
+`xOPERATORvalue`
+Searches for aspect field values. Matches x as a substring of the full path to the aspect type and field name of an aspect that is attached to the entry, in the format `projectid.location.ASPECT_TYPE_ID.FIELD_NAME`
+
+The list of supported operators depends on the type of field in the aspect, as follows:
+* **String**: `=` (exact match)
+* **All number types**: `=`, `:`, `<`, `>`, `<=`, `>=`, `=>`, `=<`
+* **Enum**: `=` (exact match only)
+* **Datetime**: same as for numbers, but the values to compare are treated as datetimes instead of numbers
+* **Boolean**: `=`
+
+Only top-level fields of the aspect are searchable.
+
+* Syntax for system aspect types:
+    * `ASPECT_TYPE_ID.FIELD_NAME`
+    * `dataplex-types.ASPECT_TYPE_ID.FIELD_NAME`
+    * `dataplex-types.LOCATION.ASPECT_TYPE_ID.FIELD_NAME`
+For example, the following queries match entries where the value of the `type` field in the `bigquery-dataset` aspect is `default`:
+    * `bigquery-dataset.type=default`
+    * `dataplex-types.bigquery-dataset.type=default`
+    * `dataplex-types.global.bigquery-dataset.type=default`
+* Syntax for custom aspect types:
+    * If the aspect is created in the global region: `PROJECT_ID.ASPECT_TYPE_ID.FIELD_NAME`
+    * If the aspect is created in a specific region: `PROJECT_ID.REGION.ASPECT_TYPE_ID.FIELD_NAME`
+For example, the following queries match entries where the value of the `is-enrolled` field in the `employee-info` aspect is `true`.
+    * `example-project.us-central1.employee-info.is-enrolled=true`
+    * `example-project.employee-info.is-enrolled=true`
 
 Example:-
 You can use following filters
@@ -258,6 +274,25 @@ Logical AND and logical OR are supported. For example, foo OR bar.
 You can negate a predicate with a - (hyphen) or NOT prefix. For example, -name:foo returns resources with names that don't match the predicate foo.
 Logical operators are case-sensitive. `OR` and `AND` are acceptable whereas `or` and `and` are not.
 
+### Abbreviated syntax
+
+An abbreviated search syntax is also available, using `|` (vertical bar) for `OR` operators and `,` (comma) for `AND` operators.
+
+For example, to search for entries inside one of many projects using the `OR` operator, you can use the following abbreviated syntax:
+
+`projectid:(id1|id2|id3|id4)`
+
+The same search without using abbreviated syntax looks like the following:
+
+`projectid:id1 OR projectid:id2 OR projectid:id3 OR projectid:id4`
+
+To search for entries with matching column names, use the following:
+
+* **AND**: `column:(name1,name2,name3)`
+* **OR**: `column:(name1|name2|name3)`
+
+This abbreviated syntax works for the qualified predicates except for `label` in keyword search.
+
 ### Request
 1. Always try to rewrite the prompt using search syntax.
 

docs/en/resources/sources/postgres.md

@@ -85,7 +85,10 @@ reputation for reliability, feature robustness, and performance.
   server.
 
 - [`postgres-list-roles`](../tools/postgres/postgres-list-roles.md)
-  Lists all the user-created roles in PostgreSQL database..
+  Lists all the user-created roles in PostgreSQL database.
+
+- [`postgres-list-stored-procedure`](../tools/postgres/postgres-list-stored-procedure.md)
+  Lists all the stored procedure in PostgreSQL database.
 
 ### Pre-built Configurations
 

docs/en/resources/sources/snowflake.md

@@ -0,0 +1,63 @@
+---
+title: "Snowflake"
+type: docs
+weight: 1
+description: >
+  Snowflake is a cloud-based data platform.
+
+---
+
+## About
+
+[Snowflake][sf-docs] is a cloud data platform that provides a data warehouse-as-a-service designed for the cloud.
+
+[sf-docs]: https://docs.snowflake.com/
+
+## Available Tools
+
+- [`snowflake-sql`](../tools/snowflake/snowflake-sql.md)  
+  Execute SQL queries as prepared statements in Snowflake.
+
+- [`snowflake-execute-sql`](../tools/snowflake/snowflake-execute-sql.md)  
+  Run parameterized SQL statements in Snowflake.
+
+## Requirements
+
+### Database User
+
+This source only uses standard authentication. You will need to create a
+Snowflake user to login to the database with.
+
+## Example
+
+```yaml
+sources:
+    my-sf-source:
+        kind: snowflake
+        account: ${SNOWFLAKE_ACCOUNT}
+        user: ${SNOWFLAKE_USER}
+        password: ${SNOWFLAKE_PASSWORD}
+        database: ${SNOWFLAKE_DATABASE}
+        schema: ${SNOWFLAKE_SCHEMA}
+        warehouse: ${SNOWFLAKE_WAREHOUSE}
+        role: ${SNOWFLAKE_ROLE}
+```
+
+{{< notice tip >}}
+Use environment variable replacement with the format ${ENV_NAME}
+instead of hardcoding your secrets into the configuration file.
+{{< /notice >}}
+
+## Reference
+
+| **field** | **type** | **required** | **description**                                                        |
+|-----------|:--------:|:------------:|------------------------------------------------------------------------|
+| kind      |  string  |     true     | Must be "snowflake".                                                   |
+| account   |  string  |     true     | Your Snowflake account identifier.                                     |
+| user      |  string  |     true     | Name of the Snowflake user to connect as (e.g. "my-sf-user").          |
+| password  |  string  |     true     | Password of the Snowflake user (e.g. "my-password").                   |
+| database  |  string  |     true     | Name of the Snowflake database to connect to (e.g. "my_db").           |
+| schema    |  string  |     true     | Name of the schema to use (e.g. "my_schema").                          |
+| warehouse |  string  |     false    | The virtual warehouse to use. Defaults to "COMPUTE_WH".                |
+| role      |  string  |     false    | The security role to use. Defaults to "ACCOUNTADMIN".                  |
+| timeout   |  integer |     false    | The connection timeout in seconds. Defaults to 60.                     |

docs/en/resources/sources/trino.md

@@ -50,16 +50,19 @@ instead of hardcoding your secrets into the configuration file.
 
 ## Reference
 
-| **field**       | **type** | **required** | **description**                                                              |
-|-----------------|:--------:|:------------:|------------------------------------------------------------------------------|
-| kind            |  string  |     true     | Must be "trino".                                                             |
-| host            |  string  |     true     | Trino coordinator hostname (e.g. "trino.example.com")                        |
-| port            |  string  |     true     | Trino coordinator port (e.g. "8080", "8443")                                 |
-| user            |  string  |    false     | Username for authentication (e.g. "analyst"). Optional for anonymous access. |
-| password        |  string  |    false     | Password for basic authentication                                            |
-| catalog         |  string  |     true     | Default catalog to use for queries (e.g. "hive")                             |
-| schema          |  string  |     true     | Default schema to use for queries (e.g. "default")                           |
-| queryTimeout    |  string  |    false     | Query timeout duration (e.g. "30m", "1h")                                    |
-| accessToken     |  string  |    false     | JWT access token for authentication                                          |
-| kerberosEnabled | boolean  |    false     | Enable Kerberos authentication (default: false)                              |
-| sslEnabled      | boolean  |    false     | Enable SSL/TLS (default: false)                                              |
+| **field**              | **type** | **required** | **description**                                                              |
+| ---------------------- | :------: | :----------: | ---------------------------------------------------------------------------- |
+| kind                   |  string  |     true     | Must be "trino".                                                             |
+| host                   |  string  |     true     | Trino coordinator hostname (e.g. "trino.example.com")                        |
+| port                   |  string  |     true     | Trino coordinator port (e.g. "8080", "8443")                                 |
+| user                   |  string  |    false     | Username for authentication (e.g. "analyst"). Optional for anonymous access. |
+| password               |  string  |    false     | Password for basic authentication                                            |
+| catalog                |  string  |     true     | Default catalog to use for queries (e.g. "hive")                             |
+| schema                 |  string  |     true     | Default schema to use for queries (e.g. "default")                           |
+| queryTimeout           |  string  |    false     | Query timeout duration (e.g. "30m", "1h")                                    |
+| accessToken            |  string  |    false     | JWT access token for authentication                                          |
+| kerberosEnabled        | boolean  |    false     | Enable Kerberos authentication (default: false)                              |
+| sslEnabled             | boolean  |    false     | Enable SSL/TLS (default: false)                                              |
+| disableSslVerification | boolean  |    false     | Skip SSL/TLS certificate verification (default: false)                       |
+| sslCertPath            |  string  |    false     | Path to a custom SSL/TLS certificate file                                    |
+| sslCert                |  string  |    false     | Custom SSL/TLS certificate content                                           |

docs/en/resources/tools/looker/looker-make-dashboard.md

@@ -18,9 +18,11 @@ It's compatible with the following sources:
 
 - [looker](../../sources/looker.md)
 
-`looker-make-dashboard` takes one parameter:
+`looker-make-dashboard` takes three parameters:
 
 1. the `title`
+2. the `description`
+3. an optional `folder` id. If not provided, the user's default folder will be used.
 
 ## Example
 

docs/en/resources/tools/looker/looker-make-look.md

@@ -18,7 +18,7 @@ It's compatible with the following sources:
 
 - [looker](../../sources/looker.md)
 
-`looker-make-look` takes eleven parameters:
+`looker-make-look` takes twelve parameters:
 
 1. the `model`
 2. the `explore`
@@ -31,6 +31,7 @@ It's compatible with the following sources:
 9. an optional `vis_config`
 10. the `title`
 11. an optional `description`
+12. an optional `folder` id. If not provided, the user's default folder will be used.
 
 ## Example
 

docs/en/resources/tools/postgres/postgres-list-stored-procedure.md

@@ -0,0 +1,141 @@
+---
+title: "postgres-list-stored-procedure"
+type: docs
+weight: 1
+description: >
+  The "postgres-list-stored-procedure" tool retrieves metadata for stored procedures in PostgreSQL, including procedure definitions, owners, languages, and descriptions.
+aliases:
+- /resources/tools/postgres-list-stored-procedure
+---
+
+## About
+
+The `postgres-list-stored-procedure` tool queries PostgreSQL system catalogs (`pg_proc`, `pg_namespace`, `pg_roles`, and `pg_language`) to retrieve comprehensive metadata about stored procedures in the database. It filters for procedures (kind = 'p') and provides the full procedure definition along with ownership and language information.
+
+Compatible sources:
+
+- [alloydb-postgres](../../sources/alloydb-pg.md)
+- [cloud-sql-postgres](../../sources/cloud-sql-pg.md)
+- [postgres](../../sources/postgres.md)
+
+The tool returns a JSON array where each element represents a stored procedure with its schema, name, owner, language, complete definition, and optional description. Results are sorted by schema name and procedure name, with a default limit of 20 procedures.
+
+## Parameters
+
+| parameter    | type    | required | default | description |
+|--------------|---------|----------|---------|-------------|
+| role_name    | string  | false    | null    | Optional: The owner name to filter stored procedures by (supports partial matching) |
+| schema_name  | string  | false    | null    | Optional: The schema name to filter stored procedures by (supports partial matching) |
+| limit        | integer | false    | 20      | Optional: The maximum number of stored procedures to return |
+
+## Example
+
+```yaml
+tools:
+  list_stored_procedure:
+    kind: postgres-list-stored-procedure
+    source: postgres-source
+    description: "Retrieves stored procedure metadata including definitions and owners."
+```
+
+### Example Requests
+
+**List all stored procedures (default limit 20):**
+```json
+{}
+```
+
+**Filter by specific owner (role):**
+```json
+{
+  "role_name": "app_user"
+}
+```
+
+**Filter by schema:**
+```json
+{
+  "schema_name": "public"
+}
+```
+
+**Filter by owner and schema with custom limit:**
+```json
+{
+  "role_name": "postgres",
+  "schema_name": "public",
+  "limit": 50
+}
+```
+
+**Filter by partial schema name:**
+```json
+{
+  "schema_name": "audit"
+}
+```
+
+### Example Response
+
+```json
+[
+  {
+    "schema_name": "public",
+    "name": "process_payment",
+    "owner": "postgres",
+    "language": "plpgsql",
+    "definition": "CREATE OR REPLACE PROCEDURE public.process_payment(p_order_id integer, p_amount numeric)\n LANGUAGE plpgsql\nAS $procedure$\nBEGIN\n  UPDATE orders SET status = 'paid', amount = p_amount WHERE id = p_order_id;\n  INSERT INTO payment_log (order_id, amount, timestamp) VALUES (p_order_id, p_amount, now());\n  COMMIT;\nEND\n$procedure$",
+    "description": "Processes payment for an order and logs the transaction"
+  },
+  {
+    "schema_name": "public",
+    "name": "cleanup_old_records",
+    "owner": "postgres",
+    "language": "plpgsql",
+    "definition": "CREATE OR REPLACE PROCEDURE public.cleanup_old_records(p_days_old integer)\n LANGUAGE plpgsql\nAS $procedure$\nDECLARE\n  v_deleted integer;\nBEGIN\n  DELETE FROM audit_logs WHERE created_at < now() - (p_days_old || ' days')::interval;\n  GET DIAGNOSTICS v_deleted = ROW_COUNT;\n  RAISE NOTICE 'Deleted % records', v_deleted;\nEND\n$procedure$",
+    "description": "Removes audit log records older than specified days"
+  },
+  {
+    "schema_name": "audit",
+    "name": "audit_table_changes",
+    "owner": "app_user",
+    "language": "plpgsql",
+    "definition": "CREATE OR REPLACE PROCEDURE audit.audit_table_changes()\n LANGUAGE plpgsql\nAS $procedure$\nBEGIN\n  INSERT INTO audit.change_log (table_name, operation, changed_at) VALUES (TG_TABLE_NAME, TG_OP, now());\nEND\n$procedure$",
+    "description": null
+  }
+]
+```
+
+## Output Fields Reference
+
+| field       | type    | description |
+|-------------|---------|-------------|
+| schema_name | string  | Name of the schema containing the stored procedure. |
+| name        | string  | Name of the stored procedure. |
+| owner       | string  | PostgreSQL role/user who owns the stored procedure. |
+| language    | string  | Programming language in which the procedure is written (e.g., plpgsql, sql, c). |
+| definition  | string  | Complete SQL definition of the stored procedure, including the CREATE PROCEDURE statement. |
+| description | string  | Optional description or comment for the procedure (may be null if no comment is set). |
+
+## Use Cases
+
+- **Code review and auditing**: Export procedure definitions for version control or compliance audits.
+- **Documentation generation**: Automatically extract procedure metadata and descriptions for documentation.
+- **Permission auditing**: Identify procedures owned by specific users or in specific schemas.
+- **Migration planning**: Retrieve all procedure definitions when planning database migrations.
+- **Dependency analysis**: Review procedure definitions to understand dependencies and call chains.
+- **Security assessment**: Audit which roles own and can modify stored procedures.
+
+## Performance Considerations
+
+- The tool filters at the database level using LIKE pattern matching, so partial matches are supported.
+- Procedure definitions can be large; consider using the `limit` parameter for large databases with many procedures.
+- Results are ordered by schema name and procedure name for consistent output.
+- The default limit of 20 procedures is suitable for most use cases; increase as needed.
+
+## Notes
+
+- Only stored **procedures** are returned; functions and other callable objects are excluded via the `prokind = 'p'` filter.
+- Filtering uses `LIKE` pattern matching, so filter values support partial matches (e.g., `role_name: "app"` will match "app_user", "app_admin", etc.).
+- The `definition` field contains the complete, runnable CREATE PROCEDURE statement.
+- The `description` field is populated from comments set via PostgreSQL's COMMENT command and may be null.

docs/en/resources/tools/snowflake/_index.md

@@ -0,0 +1,7 @@
+---
+title: "Snowflake"
+type: docs
+weight: 1
+description: > 
+  Tools that work with Snowflake Sources.
+---

docs/en/resources/tools/snowflake/snowflake-execute-sql.md

@@ -0,0 +1,40 @@
+---
+title: "snowflake-execute-sql"
+type: docs
+weight: 1
+description: >
+  A "snowflake-execute-sql" tool executes a SQL statement against a Snowflake
+  database.
+---
+
+## About
+
+A `snowflake-execute-sql` tool executes a SQL statement against a Snowflake
+database. It's compatible with any of the following sources:
+
+- [snowflake](../../sources/snowflake.md)
+
+`snowflake-execute-sql` takes one input parameter `sql` and run the sql
+statement against the `source`.
+
+> **Note:** This tool is intended for developer assistant workflows with
+> human-in-the-loop and shouldn't be used for production agents.
+
+## Example
+
+```yaml
+tools:
+ execute_sql_tool:
+    kind: snowflake-execute-sql
+    source: my-snowflake-instance
+    description: Use this tool to execute sql statement.
+```
+
+## Reference
+
+| **field**    |   **type**    | **required** | **description**                                           |
+|--------------|:-------------:|:------------:|-----------------------------------------------------------|
+| kind         |    string     |     true     | Must be "snowflake-execute-sql".                          |
+| source       |    string     |     true     | Name of the source the SQL should execute on.             |
+| description  |    string     |     true     | Description of the tool that is passed to the LLM.        |
+| authRequired | array[string] |    false     | List of auth services that are required to use this tool. |

docs/en/resources/tools/snowflake/snowflake-sql.md

@@ -0,0 +1,103 @@
+---
+title: "snowflake-sql"
+type: docs
+weight: 1
+description: >
+  A "snowflake-sql" tool executes a pre-defined SQL statement against a 
+  Snowflake database.
+---
+
+## About
+
+A `snowflake-sql` tool executes a pre-defined SQL statement against a Snowflake
+database. It's compatible with any of the following sources:
+
+- [snowflake](../../sources/snowflake.md)
+
+The specified SQL statement is executed as a prepared statement, and specified
+parameters will be inserted according to their position: e.g. `:1` will be the
+first parameter specified, `:2` will be the second parameter, and so on.
+
+> **Note:** This tool uses parameterized queries to prevent SQL injections.
+> Query parameters can be used as substitutes for arbitrary expressions.
+> Parameters cannot be used as substitutes for identifiers, column names, table
+> names, or other parts of the query.
+
+## Example
+
+```yaml
+tools:
+ search_flights_by_number:
+    kind: snowflake-sql
+    source: my-snowflake-instance
+    statement: |
+      SELECT * FROM flights
+      WHERE airline = :1
+      AND flight_number = :2
+      LIMIT 10
+    description: |
+      Use this tool to get information for a specific flight.
+      Takes an airline code and flight number and returns info on the flight.
+      Do NOT use this tool with a flight id. Do NOT guess an airline code or flight number.
+      A airline code is a code for an airline service consisting of two-character
+      airline designator and followed by flight number, which is 1 to 4 digit number.
+      For example, if given CY 0123, the airline is "CY", and flight_number is "123".
+      Another example for this is DL 1234, the airline is "DL", and flight_number is "1234".
+      If the tool returns more than one option choose the date closes to today.
+      Example:
+      {{
+          "airline": "CY",
+          "flight_number": "888",
+      }}
+      Example:
+      {{
+          "airline": "DL",
+          "flight_number": "1234",
+      }}
+    parameters:
+      - name: airline
+        type: string
+        description: Airline unique 2 letter identifier
+      - name: flight_number
+        type: string
+        description: 1 to 4 digit number
+```
+
+### Example with Template Parameters
+
+> **Note:** This tool allows direct modifications to the SQL statement,
+> including identifiers, column names, and table names. **This makes it more
+> vulnerable to SQL injections**. Using basic parameters only (see above) is
+> recommended for performance and safety reasons. For more details, please check
+> [templateParameters](..#template-parameters).
+
+```yaml
+tools:
+ list_table:
+    kind: snowflake
+    source: my-snowflake-instance
+    statement: |
+      SELECT * FROM {{.tableName}};
+    description: |
+      Use this tool to list all information from a specific table.
+      Example:
+      {{
+          "tableName": "flights",
+      }}
+    templateParameters:
+      - name: tableName
+        type: string
+        description: Table to select from
+```
+
+## Reference
+
+| **field**          |                   **type**                   | **required** | **description**                                                                                                                        |
+|--------------------|:--------------------------------------------:|:------------:|----------------------------------------------------------------------------------------------------------------------------------------|
+| kind               |                    string                    |     true     | Must be "snowflake-sql".                                                                                                               |
+| source             |                    string                    |     true     | Name of the source the SQL should execute on.                                                                                          |
+| description        |                    string                    |     true     | Description of the tool that is passed to the LLM.                                                                                     |
+| statement          |                    string                    |     true     | SQL statement to execute on.                                                                                                           |
+| parameters         |   [parameters](../#specifying-parameters)    |    false     | List of [parameters](../#specifying-parameters) that will be inserted into the SQL statement.                                          |
+| templateParameters | [templateParameters](..#template-parameters) |    false     | List of [templateParameters](..#template-parameters) that will be inserted into the SQL statement before executing prepared statement. |
+| authRequired       |                array[string]                 |    false     | List of auth services that are required to use this tool.                                                                              |

docs/en/resources/tools/trino/trino-sql.md

@@ -16,11 +16,7 @@ database. It's compatible with any of the following sources:
 
 - [trino](../../sources/trino.md)
 
-The specified SQL statement is executed as a [prepared statement][trino-prepare],
-and specified parameters will be inserted according to their position: e.g. `$1`
-will be the first parameter specified, `$2` will be the second parameter, and so
-on. If template parameters are included, they will be resolved before execution
-of the prepared statement.
+The specified SQL statement is executed as a [prepared statement][trino-prepare], and expects parameters in the SQL query to be in the form of placeholders `?`.
 
 [trino-prepare]: https://trino.io/docs/current/sql/prepare.html
 
@@ -38,8 +34,8 @@ tools:
     source: my-trino-instance
     statement: |
       SELECT * FROM hive.sales.orders
-      WHERE region = $1
-      AND order_date >= DATE($2)
+      WHERE region = ?
+      AND order_date >= DATE(?)
       LIMIT 10
     description: |
       Use this tool to get information for orders in a specific region.

docs/en/samples/alloydb/ai-nl/alloydb_ai_nl.ipynb

@@ -771,7 +771,7 @@
       },
       "outputs": [],
       "source": [
-        "version = \"0.24.0\" # x-release-please-version\n",
+        "version = \"0.25.0\" # x-release-please-version\n",
         "! curl -L -o /content/toolbox https://storage.googleapis.com/genai-toolbox/v{version}/linux/amd64/toolbox\n",
         "\n",
         "# Make the binary executable\n",

docs/en/samples/alloydb/mcp_quickstart.md

@@ -123,7 +123,7 @@ In this section, we will download and install the Toolbox binary.
     <!-- {x-release-please-start-version} -->
     ```bash
     export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    export VERSION="0.24.0"
+    export VERSION="0.25.0"
     curl -O https://storage.googleapis.com/genai-toolbox/v$VERSION/$OS/toolbox
     ```
     <!-- {x-release-please-end} -->

docs/en/samples/bigquery/colab_quickstart_bigquery.ipynb

@@ -220,7 +220,7 @@
       },
       "outputs": [],
       "source": [
-        "version = \"0.24.0\" # x-release-please-version\n",
+        "version = \"0.25.0\" # x-release-please-version\n",
         "! curl -O https://storage.googleapis.com/genai-toolbox/v{version}/linux/amd64/toolbox\n",
         "\n",
         "# Make the binary executable\n",

docs/en/samples/bigquery/local_quickstart.md

@@ -179,7 +179,7 @@ to use BigQuery, and then run the Toolbox server.
     <!-- {x-release-please-start-version} -->
     ```bash
     export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/$OS/toolbox
     ```
     <!-- {x-release-please-end} -->
 

docs/en/samples/bigquery/mcp_quickstart/_index.md

@@ -98,7 +98,7 @@ In this section, we will download Toolbox, configure our tools in a
     <!-- {x-release-please-start-version} -->
     ```bash
     export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/$OS/toolbox
     ```
     <!-- {x-release-please-end} -->
 

docs/en/samples/looker/looker_gemini.md

@@ -34,7 +34,7 @@ In this section, we will download Toolbox and run the Toolbox server.
     <!-- {x-release-please-start-version} -->
     ```bash
     export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/$OS/toolbox
     ```
     <!-- {x-release-please-end} -->
 

docs/en/samples/looker/looker_gemini_oauth/_index.md

@@ -48,7 +48,7 @@ In this section, we will download Toolbox and run the Toolbox server.
     <!-- {x-release-please-start-version} -->
     ```bash
     export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/$OS/toolbox
     ```
     <!-- {x-release-please-end} -->
 

docs/en/samples/looker/looker_mcp_inspector/_index.md

@@ -34,7 +34,7 @@ In this section, we will download Toolbox and run the Toolbox server.
     <!-- {x-release-please-start-version} -->
     ```bash
     export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/$OS/toolbox
     ```
     <!-- {x-release-please-end} -->
 

docs/en/samples/snowflake/_index.md

@@ -0,0 +1,161 @@
+---
+title: "Snowflake"
+type: docs
+weight: 2
+description: >
+  How to get started running Toolbox with MCP Inspector and Snowflake as the source.
+---
+
+## Overview
+
+[Model Context Protocol](https://modelcontextprotocol.io) is an open protocol
+that standardizes how applications provide context to LLMs. Check out this page
+on how to [connect to Toolbox via MCP](../../how-to/connect_via_mcp.md).
+
+## Before you begin
+
+This guide assumes you have already done the following:
+
+1.  [Create a Snowflake account](https://signup.snowflake.com/).
+1.  Connect to the instance using [SnowSQL](https://docs.snowflake.com/en/user-guide/snowsql), or any other Snowflake client.
+
+## Step 1: Set up your environment
+
+Copy the environment template and update it with your Snowflake credentials:
+
+```bash
+cp examples/snowflake-env.sh my-snowflake-env.sh
+```
+
+Edit `my-snowflake-env.sh` with your actual Snowflake connection details:
+
+```bash
+export SNOWFLAKE_ACCOUNT="your-account-identifier"
+export SNOWFLAKE_USER="your-username"
+export SNOWFLAKE_PASSWORD="your-password"
+export SNOWFLAKE_DATABASE="your-database"
+export SNOWFLAKE_SCHEMA="your-schema"
+export SNOWFLAKE_WAREHOUSE="COMPUTE_WH"
+export SNOWFLAKE_ROLE="ACCOUNTADMIN"
+```
+
+## Step 2: Install Toolbox
+
+In this section, we will download and install the Toolbox binary.
+
+1. Download the latest version of Toolbox as a binary:
+
+    {{< notice tip >}}
+   Select the
+   [correct binary](https://github.com/googleapis/genai-toolbox/releases)
+   corresponding to your OS and CPU architecture.
+    {{< /notice >}}
+    <!-- {x-release-please-start-version} -->
+    ```bash
+    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
+    export VERSION="0.10.0"
+    curl -O https://storage.googleapis.com/genai-toolbox/v$VERSION/$OS/toolbox
+    ```
+    <!-- {x-release-please-end} -->
+
+1. Make the binary executable:
+
+    ```bash
+    chmod +x toolbox
+    ```
+
+## Step 3: Configure the tools
+
+You have two options:
+
+#### Option A: Use the prebuilt configuration
+
+```bash
+./toolbox --prebuilt snowflake
+```
+
+#### Option B: Use the custom configuration
+
+Create a `tools.yaml` file and add the following content. You must replace the placeholders with your actual Snowflake configuration.
+
+```yaml
+sources:
+  snowflake-source:
+    kind: snowflake
+    account: ${SNOWFLAKE_ACCOUNT}
+    user: ${SNOWFLAKE_USER}
+    password: ${SNOWFLAKE_PASSWORD}
+    database: ${SNOWFLAKE_DATABASE}
+    schema: ${SNOWFLAKE_SCHEMA}
+    warehouse: ${SNOWFLAKE_WAREHOUSE}
+    role: ${SNOWFLAKE_ROLE}
+
+tools:
+    execute_sql:
+        kind: snowflake-execute-sql
+        source: snowflake-source
+        description: Use this tool to execute SQL.
+
+    list_tables:
+        kind: snowflake-sql
+        source: snowflake-source
+        description: "Lists detailed schema information for user-created tables."
+        statement: |
+           SELECT table_name, table_type 
+           FROM information_schema.tables 
+           WHERE table_schema = current_schema()
+           ORDER BY table_name;
+```
+
+For more info on tools, check out the
+[Tools](../../resources/tools/) section.
+
+## Step 4: Run the Toolbox server
+
+Run the Toolbox server, pointing to the `tools.yaml` file created earlier:
+
+```bash
+./toolbox --tools-file "tools.yaml"
+```
+
+## Step 5: Connect to MCP Inspector
+
+1. Run the MCP Inspector:
+
+    ```bash
+    npx @modelcontextprotocol/inspector
+    ```
+
+1. Type `y` when it asks to install the inspector package.
+
+1. It should show the following when the MCP Inspector is up and running (please take note of `<YOUR_SESSION_TOKEN>`):
+
+    ```bash
+    Starting MCP inspector...
+    ⚙️ Proxy server listening on localhost:6277
+    🔑 Session token: <YOUR_SESSION_TOKEN>
+       Use this token to authenticate requests or set DANGEROUSLY_OMIT_AUTH=true to disable auth
+
+    🚀 MCP Inspector is up and running at:
+       http://localhost:6274/?MCP_PROXY_AUTH_TOKEN=<YOUR_SESSION_TOKEN>
+    ```
+
+1. Open the above link in your browser.
+
+1. For `Transport Type`, select `Streamable HTTP`.
+
+1. For `URL`, type in `http://127.0.0.1:5000/mcp`.
+
+1. For `Configuration` -> `Proxy Session Token`, make sure `<YOUR_SESSION_TOKEN>` is present.
+
+1. Click Connect.
+
+1. Select `List Tools`, you will see a list of tools configured in `tools.yaml`.
+
+1. Test out your tools here!
+
+## What's next
+
+- Learn more about [MCP Inspector](../../how-to/connect_via_mcp.md).
+- Learn more about [Toolbox Resources](../../resources/).
+- Learn more about [Toolbox How-to guides](../../how-to/).

docs/en/samples/snowflake/runme.py

@@ -0,0 +1,18 @@
+import asyncio
+from toolbox_core import ToolboxClient
+
+
+async def main():
+    # Replace with the actual URL where your Toolbox service is running
+    async with ToolboxClient("http://127.0.0.1:5000") as toolbox:
+        tool = await toolbox.load_tool("execute_sql")
+        result = await tool("SELECT 1")
+        print(result)
+
+        tool = await toolbox.load_tool("list_tables")
+        result = await tool(table_names="DIM_DATE")
+        print(result)
+
+
+if __name__ == "__main__":
+    asyncio.run(main())

docs/en/samples/snowflake/snowflake-config.yaml

@@ -0,0 +1,68 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+sources:
+  my-snowflake-db:
+    kind: snowflake
+    account: ${SNOWFLAKE_ACCOUNT}
+    user: ${SNOWFLAKE_USER}
+    password: ${SNOWFLAKE_PASSWORD}
+    database: ${SNOWFLAKE_DATABASE}
+    schema: ${SNOWFLAKE_SCHEMA}
+    warehouse: ${SNOWFLAKE_WAREHOUSE}  # Optional, defaults to COMPUTE_WH if not set
+    role: ${SNOWFLAKE_ROLE}           # Optional, defaults to ACCOUNTADMIN if not set
+
+tools:
+  execute_sql:
+    kind: snowflake-execute-sql
+    source: my-snowflake-db
+    description: Execute arbitrary SQL statements on Snowflake
+
+  get_customer_orders:
+    kind: snowflake-sql
+    source: my-snowflake-db
+    description: Get orders for a specific customer
+    statement: |
+      SELECT o.order_id, o.order_date, o.total_amount, o.status
+      FROM orders o
+      WHERE o.customer_id = $1
+      ORDER BY o.order_date DESC
+    parameters:
+      - name: customer_id
+        type: string
+        description: The customer ID to look up orders for
+
+  daily_sales_report:
+    kind: snowflake-sql
+    source: my-snowflake-db
+    description: Generate daily sales report for a specific date
+    statement: |
+      SELECT 
+        DATE(order_date) as sales_date,
+        COUNT(*) as total_orders,
+        SUM(total_amount) as total_revenue,
+        AVG(total_amount) as avg_order_value
+      FROM orders
+      WHERE DATE(order_date) = $1
+      GROUP BY DATE(order_date)
+    parameters:
+      - name: report_date
+        type: string
+        description: The date to generate report for (YYYY-MM-DD format)
+
+toolsets:
+  snowflake-analytics:
+    - execute_sql
+    - get_customer_orders
+    - daily_sales_report

docs/en/samples/snowflake/snowflake-env.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Snowflake Connection Configuration
+# Copy this file to snowflake-env.sh and update with your actual values
+# Then source it before running the toolbox: source snowflake-env.sh
+
+# Required environment variables
+export SNOWFLAKE_ACCOUNT="your-account-identifier"     # e.g., "xy12345.snowflakecomputing.com"
+export SNOWFLAKE_USER="your-username"                  # Your Snowflake username
+export SNOWFLAKE_PASSWORD="your-password"              # Your Snowflake password
+export SNOWFLAKE_DATABASE="your-database"              # Database name
+export SNOWFLAKE_SCHEMA="your-schema"                  # Schema name (usually "PUBLIC")
+
+# Optional environment variables (will use defaults if not set)
+export SNOWFLAKE_WAREHOUSE="COMPUTE_WH"                # Warehouse name (default: COMPUTE_WH)
+export SNOWFLAKE_ROLE="ACCOUNTADMIN"                   # Role name (default: ACCOUNTADMIN)
+
+echo "Snowflake environment variables have been set!"
+echo "Account: $SNOWFLAKE_ACCOUNT"
+echo "User: $SNOWFLAKE_USER"
+echo "Database: $SNOWFLAKE_DATABASE"
+echo "Schema: $SNOWFLAKE_SCHEMA"
+echo "Warehouse: $SNOWFLAKE_WAREHOUSE"
+echo "Role: $SNOWFLAKE_ROLE"
+echo ""
+echo "You can now run the toolbox with:"
+echo "  ./toolbox --prebuilt snowflake                    # Use prebuilt configuration"
+echo "  ./toolbox --tools-file docs/en/samples/snowflake/snowflake-config.yaml  # Use custom configuration"

docs/en/samples/snowflake/test-snowflake.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+# Test script to demonstrate Snowflake configuration with environment variables
+# This script shows how to set up and test the Snowflake toolbox configuration
+
+echo "=== Testing Snowflake Configuration ==="
+echo ""
+
+# Set up test environment variables (replace with your actual values)
+echo "Setting up test environment variables..."
+export SNOWFLAKE_ACCOUNT="test-account"
+export SNOWFLAKE_USER="test-user"
+export SNOWFLAKE_PASSWORD="test-password"
+export SNOWFLAKE_DATABASE="test-database"
+export SNOWFLAKE_SCHEMA="test-schema"
+export SNOWFLAKE_WAREHOUSE="COMPUTE_WH"
+export SNOWFLAKE_ROLE="ACCOUNTADMIN"
+
+echo "Environment variables set:"
+echo "  SNOWFLAKE_ACCOUNT: $SNOWFLAKE_ACCOUNT"
+echo "  SNOWFLAKE_USER: $SNOWFLAKE_USER"
+echo "  SNOWFLAKE_DATABASE: $SNOWFLAKE_DATABASE"
+echo "  SNOWFLAKE_SCHEMA: $SNOWFLAKE_SCHEMA"
+echo "  SNOWFLAKE_WAREHOUSE: $SNOWFLAKE_WAREHOUSE"
+echo "  SNOWFLAKE_ROLE: $SNOWFLAKE_ROLE"
+echo ""
+
+echo "=== Testing Prebuilt Configuration ==="
+echo "This will attempt to initialize with the prebuilt Snowflake configuration:"
+echo "Command: ./toolbox --prebuilt snowflake --stdio"
+echo ""
+echo "Expected result: Connection failure due to test credentials (this is normal)"
+echo ""
+
+# Test the prebuilt configuration (this will fail with test credentials, which is expected)
+timeout 5s ./toolbox --prebuilt snowflake --stdio 2>&1 | head -5
+
+echo ""
+echo "=== Testing Custom Configuration ==="
+echo "This will attempt to initialize with the custom Snowflake configuration:"
+echo "Command: ./toolbox --tools-file docs/en/samples/snowflake/snowflake-config.yaml --stdio"
+echo ""
+echo "Expected result: Connection failure due to test credentials (this is normal)"
+echo ""
+
+# Test the custom configuration (this will fail with test credentials, which is expected)
+timeout 5s ./toolbox --tools-file docs/en/samples/snowflake/snowflake-config.yaml --stdio 2>&1 | head -5
+
+echo ""
+echo "=== Instructions for Real Usage ==="
+echo "1. Copy docs/en/samples/snowflake/snowflake-env.sh to your own file"
+echo "2. Edit it with your actual Snowflake credentials"
+echo "3. Source the file: source your-snowflake-env.sh"
+echo "4. Run: ./toolbox --prebuilt snowflake"
+echo ""
+echo "For more information, see docs/en/samples/snowflake"

gemini-extension.json

@@ -1,6 +1,6 @@
 {
   "name": "mcp-toolbox-for-databases",
-  "version": "0.24.0",
+  "version": "0.25.0",
   "description": "MCP Toolbox for Databases is an open-source MCP server for more than 30 different datasources.",
   "contextFileName": "MCP-TOOLBOX-EXTENSION.md"
 }

go.mod

@@ -37,13 +37,14 @@ require (
 	github.com/google/go-cmp v0.7.0
 	github.com/google/uuid v1.6.0
 	github.com/jackc/pgx/v5 v5.7.6
-	github.com/json-iterator/go v1.1.12
+	github.com/jmoiron/sqlx v1.4.0
 	github.com/looker-open-source/sdk-codegen/go v0.25.21
 	github.com/microsoft/go-mssqldb v1.9.3
 	github.com/nakagami/firebirdsql v0.9.15
 	github.com/neo4j/neo4j-go-driver/v5 v5.28.4
 	github.com/redis/go-redis/v9 v9.17.2
 	github.com/sijms/go-ora/v2 v2.9.0
+	github.com/snowflakedb/gosnowflake v1.18.1
 	github.com/spf13/cobra v1.10.1
 	github.com/thlib/go-timezone-local v0.0.7
 	github.com/trinodb/trino-go-client v0.330.0
@@ -60,6 +61,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.38.0
 	golang.org/x/oauth2 v0.33.0
 	google.golang.org/api v0.256.0
+	google.golang.org/genai v1.37.0
 	google.golang.org/genproto v0.0.0-20251022142026-3a174f9686a8
 	google.golang.org/protobuf v1.36.10
 	modernc.org/sqlite v1.40.0
@@ -88,13 +90,40 @@ require (
 	cloud.google.com/go/monitoring v1.24.3 // indirect
 	cloud.google.com/go/trace v1.11.7 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
+	github.com/99designs/keyring v1.2.2 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.0.0 // indirect
+	github.com/BurntSushi/toml v1.4.0 // indirect
 	github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.3 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.54.0 // indirect
 	github.com/PuerkitoBio/goquery v1.10.3 // indirect
 	github.com/VictoriaMetrics/easyproto v0.1.4 // indirect
 	github.com/ajg/form v1.5.1 // indirect
+	github.com/apache/arrow-go/v18 v18.4.0 // indirect
 	github.com/apache/arrow/go/v15 v15.0.2 // indirect
+	github.com/apache/thrift v0.22.0 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.39.0 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.1 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.31.8 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.18.12 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.7 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.15 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.7 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.7 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.8.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.88.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.29.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.38.4 // indirect
+	github.com/aws/smithy-go v1.23.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 // indirect
 	github.com/couchbase/gocbcore/v10 v10.8.1 // indirect
@@ -102,8 +131,10 @@ require (
 	github.com/couchbase/goprotostellar v1.0.2 // indirect
 	github.com/couchbase/tools-common/errors v1.0.0 // indirect
 	github.com/couchbaselabs/gocbconnstr/v2 v2.0.0 // indirect
+	github.com/danieljoos/wincred v1.2.2 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/dvsekhvalnov/jose2go v1.7.0 // indirect
 	github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
@@ -115,7 +146,9 @@ require (
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
 	github.com/godror/knownpb v0.3.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
 	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
 	github.com/golang-sql/sqlexp v0.1.0 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
@@ -127,6 +160,7 @@ require (
 	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect
+	github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
@@ -138,20 +172,27 @@ require (
 	github.com/jcmturner/goidentity/v6 v6.0.1 // indirect
 	github.com/jcmturner/gokrb5/v8 v8.4.4 // indirect
 	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
+	github.com/klauspost/asmfmt v1.3.2 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.11 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8 // indirect
+	github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/montanaflynn/stats v0.7.1 // indirect
+	github.com/mtibben/percent v0.2.1 // indirect
 	github.com/nakagami/chacha20 v0.1.0 // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
 	github.com/pierrec/lz4 v2.6.1+incompatible // indirect
 	github.com/pierrec/lz4/v4 v4.1.22 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/pflag v1.0.9 // indirect
 	github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
 	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
@@ -181,6 +222,7 @@ require (
 	golang.org/x/sync v0.18.0 // indirect
 	golang.org/x/sys v0.38.0 // indirect
 	golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8 // indirect
+	golang.org/x/term v0.37.0 // indirect
 	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
 	golang.org/x/tools v0.38.0 // indirect

go.sum

@@ -643,6 +643,10 @@ filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 gioui.org v0.0.0-20210308172011-57750fc8a0a6/go.mod h1:RSH6KIUZ0p2xy5zHDxgAM4zumjgTw83q2ge/PI+yyw8=
 git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3pc=
+github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 h1:/vQbFIOMbk2FiG/kXiLl8BRyzTWDw7gX/Hz7Dd5eDMs=
+github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4/go.mod h1:hN7oaIRCjzsZ2dE+yG5k+rsdt3qcwykqK6HVGcKwsw4=
+github.com/99designs/keyring v1.2.2 h1:pZd3neh/EmUzWONb35LxQfvuY7kiSXAq3HQd97+XBn0=
+github.com/99designs/keyring v1.2.2/go.mod h1:wes/FrByc8j7lFOAGLGSNEg8f/PaI3cgTBqhFkHUrPk=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 h1:Gt0j3wceWMwPmiazCa8MzMA0MfhmPIz0Qp0FJ6qcM0U=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0/go.mod h1:Ot/6aikWnKWi4l9QB7qVSwa8iMphQNqkWALMoNT3rzM=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1 h1:B+blDbyVIG3WaikNxPnhPiJ1MThR03b3vKGtER95TP4=
@@ -653,11 +657,15 @@ github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1 h1:Wgf5rZb
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1/go.mod h1:xxCBG/f/4Vbmh2XQJBsOmNdxWUY5j/s27jujKPbQf14=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 h1:bFWuoEKg+gImo7pvkiQEFAc8ocibADgXeiLAxWhWmkI=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1/go.mod h1:Vih/3yc6yac2JzU4hzpaDupBJP0Flaia9rXXrU8xyww=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.0.0 h1:u/LLAOFgsMv7HmNL4Qufg58y+qElGOt5qv0z1mURkRY=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.0.0/go.mod h1:2e8rMJtl2+2j+HXbTBwnyGpm5Nou7KhvSfxOq8JpTag=
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 h1:oygO0locgZJe7PpYPXT5A29ZkwJaPqcva7BVeemZOZs=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
+github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/ClickHouse/ch-go v0.68.0 h1:zd2VD8l2aVYnXFRyhTyKCrxvhSz1AaY4wBUXu/f0GiU=
 github.com/ClickHouse/ch-go v0.68.0/go.mod h1:C89Fsm7oyck9hr6rRo5gqqiVtaIY6AjdD0WFMyNRQ5s=
@@ -701,6 +709,8 @@ github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUS
 github.com/andybalholm/cascadia v1.3.3 h1:AG2YHrzJIm4BZ19iwJ/DAua6Btl3IwJX+VI4kktS1LM=
 github.com/andybalholm/cascadia v1.3.3/go.mod h1:xNd9bqTn98Ln4DwST8/nG+H0yuB8Hmgu1YHNnWw0GeA=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
+github.com/apache/arrow-go/v18 v18.4.0 h1:/RvkGqH517iY8bZKc4FD5/kkdwXJGjxf28JIXbJ/oB0=
+github.com/apache/arrow-go/v18 v18.4.0/go.mod h1:Aawvwhj8x2jURIzD9Moy72cF0FyJXOpkYpdmGRHcw14=
 github.com/apache/arrow/go/v10 v10.0.1/go.mod h1:YvhnlEePVnBS4+0z3fhPfUy7W1Ikj0Ih0vcRo/gZ1M0=
 github.com/apache/arrow/go/v11 v11.0.0/go.mod h1:Eg5OsL5H+e299f7u5ssuXsuHQVEGC4xei5aX110hRiI=
 github.com/apache/arrow/go/v15 v15.0.2 h1:60IliRbiyTWCWjERBCkO1W4Qun9svcYoZrSLcyOsMLE=
@@ -708,6 +718,8 @@ github.com/apache/arrow/go/v15 v15.0.2/go.mod h1:DGXsR3ajT524njufqf95822i+KTh+ye
 github.com/apache/cassandra-gocql-driver/v2 v2.0.0 h1:Omnzb1Z/P90Dr2TbVNu54ICQL7TKVIIsJO231w484HU=
 github.com/apache/cassandra-gocql-driver/v2 v2.0.0/go.mod h1:QH/asJjB3mHvY6Dot6ZKMMpTcOrWJ8i9GhsvG1g0PK4=
 github.com/apache/thrift v0.16.0/go.mod h1:PHK3hniurgQaNMZYaCLEqXKsYK8upmhPbmdP2FXSqgU=
+github.com/apache/thrift v0.22.0 h1:r7mTJdj51TMDe6RtcmNdQxgn9XcyfGDOzegMDRg47uc=
+github.com/apache/thrift v0.22.0/go.mod h1:1e7J/O1Ae6ZQMTYdy9xa3w9k+XHWPfRvdPyJeynQ+/g=
 github.com/aws/aws-sdk-go v1.55.8 h1:JRmEUbU52aJQZ2AjX4q4Wu7t4uZjOu71uyNmaWlUkJQ=
 github.com/aws/aws-sdk-go v1.55.8/go.mod h1:ZkViS9AqA6otK+JBBNH2++sx1sgxrPKcSzPPvQkUtXk=
 github.com/aws/aws-sdk-go-v2 v1.39.0 h1:xm5WV/2L4emMRmMjHFykqiA4M/ra0DJVSWUkDyBjbg4=
@@ -720,6 +732,8 @@ github.com/aws/aws-sdk-go-v2/credentials v1.18.12 h1:zmc9e1q90wMn8wQbjryy8IwA6Q4
 github.com/aws/aws-sdk-go-v2/credentials v1.18.12/go.mod h1:3VzdRDR5u3sSJRI4kYcOSIBbeYsgtVk7dG5R/U6qLWY=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.7 h1:Is2tPmieqGS2edBnmOJIbdvOA6Op+rRpaYR60iBAwXM=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.7/go.mod h1:F1i5V5421EGci570yABvpIXgRIBPb5JM+lSkHF6Dq5w=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.15 h1:7Zwtt/lP3KNRkeZre7soMELMGNoBrutx8nobg1jKWmo=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.15/go.mod h1:436h2adoHb57yd+8W+gYPrrA9U/R/SuAuOO42Ushzhw=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.7 h1:UCxq0X9O3xrlENdKf1r9eRJoKz/b0AfGkpp3a7FPlhg=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.7/go.mod h1:rHRoJUNUASj5Z/0eqI4w32vKvC7atoWR0jC+IkmVH8k=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.7 h1:Y6DTZUn7ZUC4th9FMBbo8LVE+1fyq3ofw+tRwkUd3PY=
@@ -804,6 +818,8 @@ github.com/couchbaselabs/gocbconnstr/v2 v2.0.0 h1:HU9DlAYYWR69jQnLN6cpg0fh0hxW/8
 github.com/couchbaselabs/gocbconnstr/v2 v2.0.0/go.mod h1:o7T431UOfFVHDNvMBUmUxpHnhivwv7BziUao/nMl81E=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/danieljoos/wincred v1.2.2 h1:774zMFJrqaeYCK2W57BgAem/MLi6mtSE47MB6BOJ0i0=
+github.com/danieljoos/wincred v1.2.2/go.mod h1:w7w4Utbrz8lqeMbDAK0lkNJUv5sAOkFi7nd/ogr0Uh8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -822,6 +838,8 @@ github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/dvsekhvalnov/jose2go v1.7.0 h1:bnQc8+GMnidJZA8zc6lLEAb4xNrIqHwO+9TzqvtQZPo=
+github.com/dvsekhvalnov/jose2go v1.7.0/go.mod h1:QsHjhyTlD/lAVqn/NSbVZmSCGeDehTB/mPZadG+mhXU=
 github.com/elastic/elastic-transport-go/v8 v8.8.0 h1:7k1Ua+qluFr6p1jfJjGDl97ssJS/P7cHNInzfxgBQAo=
 github.com/elastic/elastic-transport-go/v8 v8.8.0/go.mod h1:YLHer5cj0csTzNFXoNQ8qhtGY1GTvSqPnKWKaqQE3Hk=
 github.com/elastic/go-elasticsearch/v9 v9.2.0 h1:COeL/g20+ixnUbffe4Wfbu88emrHjAq/LhVfmrjqRQs=
@@ -905,6 +923,7 @@ github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJn
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
 github.com/go-playground/validator/v10 v10.28.0 h1:Q7ibns33JjyW48gHkuFT91qX48KG0ktULL6FgHdG688=
 github.com/go-playground/validator/v10 v10.28.0/go.mod h1:GoI6I1SjPBh9p7ykNE/yj3fFYbyDOpwMn5KXd+m2hUU=
+github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
 github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo=
 github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
@@ -915,6 +934,8 @@ github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
 github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
+github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 h1:ZpnhV/YsD2/4cESfV5+Hoeu/iUR3ruzNvZ+yQfO03a0=
+github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
 github.com/godror/godror v0.49.6 h1:ts4ZGw8uLJ42e1D7aXmVuSrld0/lzUzmIUjuUuQOgGM=
 github.com/godror/godror v0.49.6/go.mod h1:kTMcxZzRw73RT5kn9v3JkBK4kHI6dqowHotqV72ebU8=
 github.com/godror/knownpb v0.3.0 h1:+caUdy8hTtl7X05aPl3tdL540TvCcaQA6woZQroLZMw=
@@ -1066,6 +1087,8 @@ github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4Zs
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3/go.mod h1:o//XUCC/F+yRGJoPO/VU0GSB0f8Nhgmxx0VIRUvaC0w=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs=
+github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c h1:6rhixN/i8ZofjG1Y75iExal34USq5p+wiN1tpie8IrU=
+github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c/go.mod h1:NMPJylDgVpX0MLRlPy15sqSwOFv/U1GZ2m21JhFfek0=
 github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
@@ -1110,6 +1133,8 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
+github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
+github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
@@ -1121,6 +1146,7 @@ github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0/go.mod h1:1NbS8ALr
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/asmfmt v1.3.2 h1:4Ri7ox3EwapiOjCki+hw14RyKk201CN4rzyCJRFLpK4=
 github.com/klauspost/asmfmt v1.3.2/go.mod h1:AG8TuvYojzulgDAMCnYn50l/5QV3Bs/tp6j0HLHbNSE=
 github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
 github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
@@ -1144,6 +1170,8 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
+github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
+github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/looker-open-source/sdk-codegen/go v0.25.21 h1:nlZ1nz22SKluBNkzplrMHBPEVgJO3zVLF6aAws1rrRA=
 github.com/looker-open-source/sdk-codegen/go v0.25.21/go.mod h1:Br1ntSiruDJ/4nYNjpYyWyCbqJ7+GQceWbIgn0hYims=
 github.com/lyft/protoc-gen-star v0.6.0/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
@@ -1156,9 +1184,13 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-sqlite3 v1.14.14/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
+github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
+github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/microsoft/go-mssqldb v1.9.3 h1:hy4p+LDC8LIGvI3JATnLVmBOLMJbmn5X400mr5j0lPs=
 github.com/microsoft/go-mssqldb v1.9.3/go.mod h1:GBbW9ASTiDC+mpgWDGKdm3FnFLTUsLYN3iFL90lQ+PA=
+github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8 h1:AMFGa4R4MiIpspGNG7Z948v4n35fFGB3RR3G/ry4FWs=
 github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8/go.mod h1:mC1jAcsrzbxHt8iiaC+zU4b1ylILSosueou12R++wfY=
+github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3 h1:+n/aFZefKZp7spd8DFdX7uMikMLXX4oubIzJF4kv/wI=
 github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3/go.mod h1:RagcQ7I8IeTMnF8JTXieKnO4Z6JCsikNEzj0DwauVzE=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
@@ -1174,6 +1206,8 @@ github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjY
 github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc=
 github.com/montanaflynn/stats v0.7.1 h1:etflOAAHORrCC44V+aR6Ftzort912ZU+YLiSTuV8eaE=
 github.com/montanaflynn/stats v0.7.1/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
+github.com/mtibben/percent v0.2.1 h1:5gssi8Nqo8QU/r2pynCm+hBQHpkB/uNK7BJCFogWdzs=
+github.com/mtibben/percent v0.2.1/go.mod h1:KG9uO+SZkUp+VkRHsCdYQV3XSZrrSpR3O9ibNBTZrns=
 github.com/nakagami/chacha20 v0.1.0 h1:2fbf5KeVUw7oRpAe6/A7DqvBJLYYu0ka5WstFbnkEVo=
 github.com/nakagami/chacha20 v0.1.0/go.mod h1:xpoujepNFA7MvYLvX5xKHzlOHimDrLI9Ll8zfOJ0l2E=
 github.com/nakagami/firebirdsql v0.9.15 h1:Mf05jaFI8+kjy6sBstsAu76zOkJ44AGd6cpApWNrp/0=
@@ -1182,6 +1216,7 @@ github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdh
 github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
 github.com/neo4j/neo4j-go-driver/v5 v5.28.4 h1:7toxehVcYkZbyxV4W3Ib9VcnyRBQPucF+VwNNmtSXi4=
 github.com/neo4j/neo4j-go-driver/v5 v5.28.4/go.mod h1:Vff8OwT7QpLm7L2yYr85XNWe9Rbqlbeb9asNXJTHO4k=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/oklog/ulid/v2 v2.0.2 h1:r4fFzBm+bv0wNKNh5eXTwU7i85y5x+uwkxCUTNVQqLc=
 github.com/oklog/ulid/v2 v2.0.2/go.mod h1:mtBL0Qe/0HAx6/a4Z30qxVIAL1eQDweXq5lxOEiwQ68=
 github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8=
@@ -1247,6 +1282,8 @@ github.com/sijms/go-ora/v2 v2.9.0/go.mod h1:QgFInVi3ZWyqAiJwzBQA+nbKYKH77tdp1PYo
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/snowflakedb/gosnowflake v1.18.1 h1:Nb4AWSnSBWe1UKpKTwCZxjYhYo1JH7GgKhO3wW1kR10=
+github.com/snowflakedb/gosnowflake v1.18.1/go.mod h1:7D4+cLepOWrerVsH+tevW3zdMJ5/WrEN7ZceAC6xBv0=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
 github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
@@ -1650,10 +1687,12 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220829200755-d48e67d00261/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -1869,6 +1908,8 @@ google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/genai v1.37.0 h1:dgp71k1wQ+/+APdZrN3LFgAGnVnr5IdTF1Oj0Dg+BQc=
+google.golang.org/genai v1.37.0/go.mod h1:A3kkl0nyBjyFlNjgxIwKq70julKbIxpSxqKO5gw/gmk=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
@@ -2073,6 +2114,7 @@ google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aO
 google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=

internal/embeddingmodels/embeddingmodels.go

@@ -0,0 +1,59 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package embeddingmodels
+
+import (
+	"context"
+	"strconv"
+	"strings"
+)
+
+// EmbeddingModelConfig is the interface for configuring embedding models.
+type EmbeddingModelConfig interface {
+	EmbeddingModelConfigKind() string
+	Initialize(context.Context) (EmbeddingModel, error)
+}
+
+type EmbeddingModel interface {
+	EmbeddingModelKind() string
+	ToConfig() EmbeddingModelConfig
+	EmbedParameters(context.Context, []string) ([][]float32, error)
+}
+
+type VectorFormatter func(vectorFloats []float32) any
+
+// FormatVectorForPgvector converts a slice of floats into a PostgreSQL vector literal string: '[x, y, z]'
+func FormatVectorForPgvector(vectorFloats []float32) any {
+	if len(vectorFloats) == 0 {
+		return "[]"
+	}
+
+	// Pre-allocate the builder.
+	var b strings.Builder
+	b.Grow(len(vectorFloats) * 10)
+
+	b.WriteByte('[')
+	for i, f := range vectorFloats {
+		if i > 0 {
+			b.WriteString(", ")
+		}
+		b.Write(strconv.AppendFloat(nil, float64(f), 'g', -1, 32))
+	}
+	b.WriteByte(']')
+
+	return b.String()
+}
+
+var _ VectorFormatter = FormatVectorForPgvector

internal/embeddingmodels/gemini/gemini.go

@@ -0,0 +1,122 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gemini
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/googleapis/genai-toolbox/internal/embeddingmodels"
+	"github.com/googleapis/genai-toolbox/internal/util"
+	"google.golang.org/genai"
+)
+
+const EmbeddingModelKind string = "gemini"
+
+// validate interface
+var _ embeddingmodels.EmbeddingModelConfig = Config{}
+
+type Config struct {
+	Name      string `yaml:"name" validate:"required"`
+	Kind      string `yaml:"kind" validate:"required"`
+	Model     string `yaml:"model" validate:"required"`
+	ApiKey    string `yaml:"apiKey"`
+	Dimension int32  `yaml:"dimension"`
+}
+
+// Returns the embedding model kind
+func (cfg Config) EmbeddingModelConfigKind() string {
+	return EmbeddingModelKind
+}
+
+// Initialize a Gemini embedding model
+func (cfg Config) Initialize(ctx context.Context) (embeddingmodels.EmbeddingModel, error) {
+	// Get client configs
+	configs := &genai.ClientConfig{}
+	if cfg.ApiKey != "" {
+		configs.APIKey = cfg.ApiKey
+	}
+
+	// Create new Gemini API client
+	client, err := genai.NewClient(ctx, configs)
+	if err != nil {
+		return nil, fmt.Errorf("unable to create Gemini API client")
+	}
+
+	m := &EmbeddingModel{
+		Config: cfg,
+		Client: client,
+	}
+	return m, nil
+}
+
+var _ embeddingmodels.EmbeddingModel = EmbeddingModel{}
+
+type EmbeddingModel struct {
+	Client *genai.Client
+	Config
+}
+
+// Returns the embedding model kind
+func (m EmbeddingModel) EmbeddingModelKind() string {
+	return EmbeddingModelKind
+}
+
+func (m EmbeddingModel) ToConfig() embeddingmodels.EmbeddingModelConfig {
+	return m.Config
+}
+
+func (m EmbeddingModel) EmbedParameters(ctx context.Context, parameters []string) ([][]float32, error) {
+	logger, err := util.LoggerFromContext(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("unable to get logger from ctx: %s", err)
+	}
+
+	contents := convertStringsToContents(parameters)
+
+	embedConfig := &genai.EmbedContentConfig{
+		TaskType: "SEMANTIC_SIMILARITY",
+	}
+
+	if m.Dimension > 0 {
+		embedConfig.OutputDimensionality = genai.Ptr(m.Dimension)
+	}
+
+	result, err := m.Client.Models.EmbedContent(ctx, m.Model, contents, embedConfig)
+	if err != nil {
+		logger.ErrorContext(ctx, "Error calling EmbedContent for model %s: %v", m.Model, err)
+		return nil, err
+	}
+
+	embeddings := make([][]float32, 0, len(result.Embeddings))
+	for _, embedding := range result.Embeddings {
+		embeddings = append(embeddings, embedding.Values)
+	}
+
+	logger.InfoContext(ctx, "Successfully embedded %d text parameters using model %s", len(parameters), m.Model)
+
+	return embeddings, nil
+}
+
+// convertStringsToContents takes a slice of strings and converts it into a slice of *genai.Content objects.
+func convertStringsToContents(texts []string) []*genai.Content {
+	contents := make([]*genai.Content, 0, len(texts))
+
+	for _, text := range texts {
+		content := genai.NewContentFromText(text, "")
+		contents = append(contents, content)
+	}
+	return contents
+}

internal/embeddingmodels/gemini/gemini_test.go

@@ -0,0 +1,130 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gemini_test
+
+import (
+	"testing"
+
+	yaml "github.com/goccy/go-yaml"
+	"github.com/google/go-cmp/cmp"
+	"github.com/googleapis/genai-toolbox/internal/embeddingmodels"
+	"github.com/googleapis/genai-toolbox/internal/embeddingmodels/gemini"
+	"github.com/googleapis/genai-toolbox/internal/server"
+	"github.com/googleapis/genai-toolbox/internal/testutils"
+)
+
+func TestParseFromYamlGemini(t *testing.T) {
+	tcs := []struct {
+		desc string
+		in   string
+		want server.EmbeddingModelConfigs
+	}{
+		{
+			desc: "basic example",
+			in: `
+            embeddingModels:
+                my-gemini-model:
+                    kind: gemini
+                    model: text-embedding-004
+            `,
+			want: map[string]embeddingmodels.EmbeddingModelConfig{
+				"my-gemini-model": gemini.Config{
+					Name:  "my-gemini-model",
+					Kind:  gemini.EmbeddingModelKind,
+					Model: "text-embedding-004",
+				},
+			},
+		},
+		{
+			desc: "full example with optional fields",
+			in: `
+            embeddingModels:
+                complex-gemini:
+                    kind: gemini
+                    model: text-embedding-004
+                    apiKey: "test-api-key"
+                    dimension: 768
+            `,
+			want: map[string]embeddingmodels.EmbeddingModelConfig{
+				"complex-gemini": gemini.Config{
+					Name:      "complex-gemini",
+					Kind:      gemini.EmbeddingModelKind,
+					Model:     "text-embedding-004",
+					ApiKey:    "test-api-key",
+					Dimension: 768,
+				},
+			},
+		},
+	}
+	for _, tc := range tcs {
+		t.Run(tc.desc, func(t *testing.T) {
+			got := struct {
+				Models server.EmbeddingModelConfigs `yaml:"embeddingModels"`
+			}{}
+			// Parse contents
+			err := yaml.Unmarshal(testutils.FormatYaml(tc.in), &got)
+			if err != nil {
+				t.Fatalf("unable to unmarshal: %s", err)
+			}
+			if !cmp.Equal(tc.want, got.Models) {
+				t.Fatalf("incorrect parse: %v", cmp.Diff(tc.want, got.Models))
+			}
+		})
+	}
+}
+func TestFailParseFromYamlGemini(t *testing.T) {
+	tcs := []struct {
+		desc string
+		in   string
+		err  string
+	}{
+		{
+			desc: "missing required model field",
+			in: `
+            embeddingModels:
+                bad-model:
+                    kind: gemini
+            `,
+			// Removed the specific model name from the prefix to match your output
+			err: "unable to parse as \"gemini\": Key: 'Config.Model' Error:Field validation for 'Model' failed on the 'required' tag",
+		},
+		{
+			desc: "unknown field",
+			in: `
+            embeddingModels:
+                bad-field:
+                    kind: gemini
+                    model: text-embedding-004
+                    invalid_param: true
+            `,
+			// Updated to match the specific line-starting format of your error output
+			err: "unable to parse as \"gemini\": [1:1] unknown field \"invalid_param\"\n>  1 | invalid_param: true\n       ^\n   2 | kind: gemini\n   3 | model: text-embedding-004",
+		},
+	}
+	for _, tc := range tcs {
+		t.Run(tc.desc, func(t *testing.T) {
+			got := struct {
+				Models server.EmbeddingModelConfigs `yaml:"embeddingModels"`
+			}{}
+			err := yaml.Unmarshal(testutils.FormatYaml(tc.in), &got)
+			if err == nil {
+				t.Fatalf("expect parsing to fail")
+			}
+			if err.Error() != tc.err {
+				t.Fatalf("unexpected error:\ngot:  %q\nwant: %q", err.Error(), tc.err)
+			}
+		})
+	}
+}

internal/prebuiltconfigs/prebuiltconfigs_test.go

@@ -49,6 +49,7 @@ var expectedToolSources = []string{
 	"postgres",
 	"serverless-spark",
 	"singlestore",
+	"snowflake",
 	"spanner-postgres",
 	"spanner",
 	"sqlite",
@@ -127,9 +128,9 @@ func TestGetPrebuiltTool(t *testing.T) {
 	sqlite_config, _ := Get("sqlite")
 	neo4jconfig, _ := Get("neo4j")
 	healthcare_config, _ := Get("cloud-healthcare")
-
+	snowflake_config, _ := Get("snowflake")
 	if len(alloydb_admin_config) <= 0 {
-		t.Fatalf("unexpected error: could not fetch alloydb prebuilt tools yaml")
+		t.Fatalf("unexpected error: could not fetch alloydb admin prebuilt tools yaml")
 	}
 	if len(alloydb_config) <= 0 {
 		t.Fatalf("unexpected error: could not fetch alloydb prebuilt tools yaml")
@@ -197,6 +198,9 @@ func TestGetPrebuiltTool(t *testing.T) {
 	if len(singlestore_config) <= 0 {
 		t.Fatalf("unexpected error: could not fetch singlestore prebuilt tools yaml")
 	}
+	if len(snowflake_config) <= 0 {
+		t.Fatalf("unexpected error: could not fetch snowflake prebuilt tools yaml")
+	}
 	if len(spanner_config) <= 0 {
 		t.Fatalf("unexpected error: could not fetch spanner prebuilt tools yaml")
 	}
@@ -218,6 +222,9 @@ func TestGetPrebuiltTool(t *testing.T) {
 	if len(healthcare_config) <= 0 {
 		t.Fatalf("unexpected error: could not fetch healthcare prebuilt tools yaml")
 	}
+	if len(snowflake_config) <= 0 {
+		t.Fatalf("unexpected error: could not fetch snowflake prebuilt tools yaml")
+	}
 }
 
 func TestFailGetPrebuiltTool(t *testing.T) {

internal/prebuiltconfigs/tools/alloydb-postgres.yaml

@@ -224,6 +224,10 @@ tools:
         kind: postgres-list-roles
         source: alloydb-pg-source
 
+    list_stored_procedure:
+        kind: postgres-list-stored-procedure
+        source: alloydb-pg-source
+
 toolsets:
     alloydb_postgres_database_tools:
         - execute_sql
@@ -254,3 +258,4 @@ toolsets:
         - list_database_stats
         - list_roles
         - list_table_stats
+        - list_stored_procedure

internal/prebuiltconfigs/tools/bigquery.yaml

@@ -18,6 +18,7 @@ sources:
     project: ${BIGQUERY_PROJECT}
     location: ${BIGQUERY_LOCATION:}
     useClientOAuth: ${BIGQUERY_USE_CLIENT_OAUTH:false}
+    scopes: ${BIGQUERY_SCOPES:}
 
 tools:
   analyze_contribution:

internal/prebuiltconfigs/tools/cloud-sql-mysql.yaml

@@ -19,8 +19,8 @@ sources:
     region: ${CLOUD_SQL_MYSQL_REGION}
     instance: ${CLOUD_SQL_MYSQL_INSTANCE}
     database: ${CLOUD_SQL_MYSQL_DATABASE}
-    user: ${CLOUD_SQL_MYSQL_USER}
-    password: ${CLOUD_SQL_MYSQL_PASSWORD}
+    user: ${CLOUD_SQL_MYSQL_USER:}
+    password: ${CLOUD_SQL_MYSQL_PASSWORD:}
     ipType: ${CLOUD_SQL_MYSQL_IP_TYPE:PUBLIC}
 tools:
   execute_sql:

internal/prebuiltconfigs/tools/cloud-sql-postgres.yaml

@@ -226,6 +226,10 @@ tools:
         kind: postgres-list-roles
         source: cloudsql-pg-source
 
+    list_stored_procedure:
+        kind: postgres-list-stored-procedure
+        source: cloudsql-pg-source
+
 toolsets:
     cloud_sql_postgres_database_tools:
         - execute_sql
@@ -256,3 +260,4 @@ toolsets:
         - list_database_stats
         - list_roles
         - list_table_stats
+        - list_stored_procedure

internal/prebuiltconfigs/tools/postgres.yaml

@@ -225,6 +225,10 @@ tools:
         kind: postgres-list-roles
         source: postgresql-source
 
+    list_stored_procedure:
+        kind: postgres-list-stored-procedure
+        source: postgresql-source
+
 toolsets:
     postgres_database_tools:
         - execute_sql
@@ -255,3 +259,4 @@ toolsets:
         - list_database_stats
         - list_roles
         - list_table_stats
+        - list_stored_procedure

internal/prebuiltconfigs/tools/snowflake.yaml

@@ -0,0 +1,142 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+sources:
+    snowflake-source:
+        kind: snowflake
+        account: ${SNOWFLAKE_ACCOUNT}
+        user: ${SNOWFLAKE_USER}
+        password: ${SNOWFLAKE_PASSWORD}
+        database: ${SNOWFLAKE_DATABASE}
+        schema: ${SNOWFLAKE_SCHEMA}
+        warehouse: ${SNOWFLAKE_WAREHOUSE}
+        role: ${SNOWFLAKE_ROLE}
+
+tools:
+    execute_sql:
+        kind: snowflake-execute-sql
+        source: snowflake-source
+        description: Use this tool to execute SQL.
+
+    list_tables:
+        kind: snowflake-sql
+        source: snowflake-source
+        description: "Lists detailed schema information (object type, columns, constraints, indexes, owner, comment) as JSON for user-created tables. Filters by a comma-separated list of names. If names are omitted, lists all tables in the specified database and schema."
+        statement: |
+           WITH
+           input_param AS (
+                SELECT ? AS param -- Single bind variable here
+           )
+           ,
+           all_tables_mode AS (
+                SELECT COALESCE(TRIM(param), '') = '' AS is_all_tables
+                FROM input_param
+           ) --SELECT * FROM all_tables_mode;
+           ,
+           filtered_table_names AS (
+                SELECT DISTINCT TRIM(LOWER(value)) AS table_name
+                FROM input_param, all_tables_mode, TABLE(SPLIT_TO_TABLE(param, ','))
+                WHERE NOT is_all_tables
+           ) -- SELECT * FROM filtered_table_names;
+           ,
+           table_info AS (
+                SELECT
+                    t.TABLE_CATALOG,
+                    t.TABLE_SCHEMA,
+                    t.TABLE_NAME,
+                    t.TABLE_TYPE,
+                    t.TABLE_OWNER,
+                    t.COMMENT
+                FROM
+                    all_tables_mode
+                    CROSS JOIN ${SNOWFLAKE_DATABASE}.INFORMATION_SCHEMA.TABLES T
+                WHERE
+                    t.TABLE_TYPE = 'BASE TABLE'
+                    AND t.TABLE_SCHEMA NOT IN ('INFORMATION_SCHEMA')
+                    AND t.TABLE_SCHEMA = '${SNOWFLAKE_SCHEMA}'
+                    AND is_all_tables OR LOWER(T.TABLE_NAME) IN (SELECT table_name FROM filtered_table_names)
+            ) -- SELECT * FROM table_info;
+            ,
+            columns_info AS (
+                SELECT
+                    c.TABLE_CATALOG AS database_name,
+                    c.TABLE_SCHEMA AS schema_name,
+                    c.TABLE_NAME AS table_name,
+                    c.COLUMN_NAME AS column_name,
+                    c.DATA_TYPE AS data_type,
+                    c.ORDINAL_POSITION AS column_ordinal_position,
+                    c.IS_NULLABLE AS is_nullable,
+                    c.COLUMN_DEFAULT AS column_default,
+                    c.COMMENT AS column_comment
+                FROM
+                    ${SNOWFLAKE_DATABASE}.INFORMATION_SCHEMA.COLUMNS c
+                    INNER JOIN table_info USING (TABLE_CATALOG, TABLE_SCHEMA, TABLE_NAME)
+            )
+            ,
+            constraints_info AS (
+                SELECT
+                    tc.TABLE_CATALOG AS database_name,
+                    tc.TABLE_SCHEMA AS schema_name,
+                    tc.TABLE_NAME AS table_name,
+                    tc.CONSTRAINT_NAME AS constraint_name,
+                    tc.CONSTRAINT_TYPE AS constraint_type
+                FROM
+                    ${SNOWFLAKE_DATABASE}.INFORMATION_SCHEMA.TABLE_CONSTRAINTS tc
+                    INNER JOIN table_info USING (TABLE_CATALOG, TABLE_SCHEMA, TABLE_NAME)
+                GROUP BY
+                    tc.TABLE_CATALOG, tc.TABLE_SCHEMA, tc.TABLE_NAME, tc.CONSTRAINT_NAME, tc.CONSTRAINT_TYPE
+            )
+            SELECT
+                ti.TABLE_SCHEMA AS schema_name,
+                ti.TABLE_NAME AS object_name,
+                OBJECT_CONSTRUCT(
+                    'schema_name', ti.TABLE_SCHEMA,
+                    'object_name', ti.TABLE_NAME,
+                    'object_type', ti.TABLE_TYPE,
+                    'owner', ti.TABLE_OWNER,
+                    'comment', ti.COMMENT,
+                    'columns', COALESCE(
+                        (SELECT ARRAY_AGG(
+                            OBJECT_CONSTRUCT(
+                                'column_name', ci.column_name,
+                                'data_type', ci.data_type,
+                                'ordinal_position', ci.column_ordinal_position,
+                                'is_nullable', ci.is_nullable,
+                                'column_default', ci.column_default,
+                                'column_comment', ci.column_comment
+                            )
+                        ) FROM columns_info ci WHERE ci.table_name = ti.TABLE_NAME AND ci.schema_name = ti.TABLE_SCHEMA),
+                        ARRAY_CONSTRUCT()
+                    ),
+                    'constraints', COALESCE(
+                        (SELECT ARRAY_AGG(
+                            OBJECT_CONSTRUCT(
+                                'constraint_name', cons.constraint_name,
+                                'constraint_type', cons.constraint_type
+                            )
+                        ) FROM constraints_info cons WHERE cons.table_name = ti.TABLE_NAME AND cons.schema_name = ti.TABLE_SCHEMA),
+                        ARRAY_CONSTRUCT()
+                    )
+                ) AS object_details
+            FROM table_info ti
+            ORDER BY ti.TABLE_SCHEMA, ti.TABLE_NAME;
+        parameters:
+            - name: table_names
+              type: string
+              description: "Optional: A comma-separated list of table names. If empty, details for all tables in the specified database and schema will be listed."
+
+toolsets:
+    snowflake_tools:
+        - execute_sql
+        - list_tables

internal/server/api.go

@@ -246,6 +246,14 @@ func toolInvokeHandler(s *Server, w http.ResponseWriter, r *http.Request) {
 	}
 	s.logger.DebugContext(ctx, fmt.Sprintf("invocation params: %s", params))
 
+	params, err = tool.EmbedParams(ctx, params, s.ResourceMgr.GetEmbeddingModelMap())
+	if err != nil {
+		err = fmt.Errorf("error embedding parameters: %w", err)
+		s.logger.DebugContext(ctx, err.Error())
+		_ = render.Render(w, r, newErrResponse(err, http.StatusBadRequest))
+		return
+	}
+
 	res, err := tool.Invoke(ctx, s.ResourceMgr, params, accessToken)
 
 	// Determine what error to return to the users.

internal/server/common_test.go

@@ -24,6 +24,7 @@ import (
 	"testing"
 
 	"github.com/go-chi/chi/v5"
+	"github.com/googleapis/genai-toolbox/internal/embeddingmodels"
 	"github.com/googleapis/genai-toolbox/internal/log"
 	"github.com/googleapis/genai-toolbox/internal/prompts"
 	"github.com/googleapis/genai-toolbox/internal/server/resources"
@@ -64,6 +65,10 @@ func (t MockTool) ParseParams(data map[string]any, claimsMap map[string]map[stri
 	return parameters.ParseParams(t.Params, data, claimsMap)
 }
 
+func (t MockTool) EmbedParams(ctx context.Context, paramValues parameters.ParamValues, embeddingModelsMap map[string]embeddingmodels.EmbeddingModel) (parameters.ParamValues, error) {
+	return parameters.EmbedParams(ctx, t.Params, paramValues, embeddingModelsMap, nil)
+}
+
 func (t MockTool) Manifest() tools.Manifest {
 	pMs := make([]parameters.ParameterManifest, 0, len(t.Params))
 	for _, p := range t.Params {
@@ -276,7 +281,7 @@ func setUpServer(t *testing.T, router string, tools map[string]tools.Tool, tools
 
 	sseManager := newSseManager(ctx)
 
-	resourceManager := resources.NewResourceManager(nil, nil, tools, toolsets, prompts, promptsets)
+	resourceManager := resources.NewResourceManager(nil, nil, nil, tools, toolsets, prompts, promptsets)
 
 	server := Server{
 		version:         fakeVersionString,

internal/server/config.go

@@ -21,6 +21,8 @@ import (
 	yaml "github.com/goccy/go-yaml"
 	"github.com/googleapis/genai-toolbox/internal/auth"
 	"github.com/googleapis/genai-toolbox/internal/auth/google"
+	"github.com/googleapis/genai-toolbox/internal/embeddingmodels"
+	"github.com/googleapis/genai-toolbox/internal/embeddingmodels/gemini"
 	"github.com/googleapis/genai-toolbox/internal/prompts"
 	"github.com/googleapis/genai-toolbox/internal/sources"
 	"github.com/googleapis/genai-toolbox/internal/tools"
@@ -38,6 +40,8 @@ type ServerConfig struct {
 	SourceConfigs SourceConfigs
 	// AuthServiceConfigs defines what sources of authentication are available for tools.
 	AuthServiceConfigs AuthServiceConfigs
+	// EmbeddingModelConfigs defines a models used to embed parameters.
+	EmbeddingModelConfigs EmbeddingModelConfigs
 	// ToolConfigs defines what tools are available.
 	ToolConfigs ToolConfigs
 	// ToolsetConfigs defines what tools are available.
@@ -64,6 +68,8 @@ type ServerConfig struct {
 	UI bool
 	// Specifies a list of origins permitted to access this server.
 	AllowedOrigins []string
+	// Specifies a list of hosts permitted to access this server
+	AllowedHosts []string
 }
 
 type logFormat string
@@ -205,6 +211,50 @@ func (c *AuthServiceConfigs) UnmarshalYAML(ctx context.Context, unmarshal func(i
 	return nil
 }
 
+// EmbeddingModelConfigs is a type used to allow unmarshal of the embedding model config map
+type EmbeddingModelConfigs map[string]embeddingmodels.EmbeddingModelConfig
+
+// validate interface
+var _ yaml.InterfaceUnmarshalerContext = &EmbeddingModelConfigs{}
+
+func (c *EmbeddingModelConfigs) UnmarshalYAML(ctx context.Context, unmarshal func(interface{}) error) error {
+	*c = make(EmbeddingModelConfigs)
+	// Parse the 'kind' fields for each embedding model
+	var raw map[string]util.DelayedUnmarshaler
+	if err := unmarshal(&raw); err != nil {
+		return err
+	}
+
+	for name, u := range raw {
+		// Unmarshal to a general type that ensure it capture all fields
+		var v map[string]any
+		if err := u.Unmarshal(&v); err != nil {
+			return fmt.Errorf("unable to unmarshal embedding model %q: %w", name, err)
+		}
+
+		kind, ok := v["kind"]
+		if !ok {
+			return fmt.Errorf("missing 'kind' field for embedding model %q", name)
+		}
+
+		dec, err := util.NewStrictDecoder(v)
+		if err != nil {
+			return fmt.Errorf("error creating decoder: %w", err)
+		}
+		switch kind {
+		case gemini.EmbeddingModelKind:
+			actual := gemini.Config{Name: name}
+			if err := dec.DecodeContext(ctx, &actual); err != nil {
+				return fmt.Errorf("unable to parse as %q: %w", kind, err)
+			}
+			(*c)[name] = actual
+		default:
+			return fmt.Errorf("%q is not a valid kind of auth source", kind)
+		}
+	}
+	return nil
+}
+
 // ToolConfigs is a type used to allow unmarshal of the tool configs
 type ToolConfigs map[string]tools.ToolConfig
 

internal/server/mcp_test.go

@@ -1107,7 +1107,7 @@ func TestStdioSession(t *testing.T) {
 
 	sseManager := newSseManager(ctx)
 
-	resourceManager := resources.NewResourceManager(nil, nil, toolsMap, toolsets, promptsMap, promptsets)
+	resourceManager := resources.NewResourceManager(nil, nil, nil, toolsMap, toolsets, promptsMap, promptsets)
 
 	server := &Server{
 		version:         fakeVersionString,

internal/server/resources/resources.go

@@ -18,6 +18,7 @@ import (
 	"sync"
 
 	"github.com/googleapis/genai-toolbox/internal/auth"
+	"github.com/googleapis/genai-toolbox/internal/embeddingmodels"
 	"github.com/googleapis/genai-toolbox/internal/prompts"
 	"github.com/googleapis/genai-toolbox/internal/sources"
 	"github.com/googleapis/genai-toolbox/internal/tools"
@@ -25,30 +26,33 @@ import (
 
 // ResourceManager contains available resources for the server. Should be initialized with NewResourceManager().
 type ResourceManager struct {
-	mu           sync.RWMutex
-	sources      map[string]sources.Source
-	authServices map[string]auth.AuthService
-	tools        map[string]tools.Tool
-	toolsets     map[string]tools.Toolset
-	prompts      map[string]prompts.Prompt
-	promptsets   map[string]prompts.Promptset
+	mu              sync.RWMutex
+	sources         map[string]sources.Source
+	authServices    map[string]auth.AuthService
+	embeddingModels map[string]embeddingmodels.EmbeddingModel
+	tools           map[string]tools.Tool
+	toolsets        map[string]tools.Toolset
+	prompts         map[string]prompts.Prompt
+	promptsets      map[string]prompts.Promptset
 }
 
 func NewResourceManager(
 	sourcesMap map[string]sources.Source,
 	authServicesMap map[string]auth.AuthService,
+	embeddingModelsMap map[string]embeddingmodels.EmbeddingModel,
 	toolsMap map[string]tools.Tool, toolsetsMap map[string]tools.Toolset,
 	promptsMap map[string]prompts.Prompt, promptsetsMap map[string]prompts.Promptset,
 
 ) *ResourceManager {
 	resourceMgr := &ResourceManager{
-		mu:           sync.RWMutex{},
-		sources:      sourcesMap,
-		authServices: authServicesMap,
-		tools:        toolsMap,
-		toolsets:     toolsetsMap,
-		prompts:      promptsMap,
-		promptsets:   promptsetsMap,
+		mu:              sync.RWMutex{},
+		sources:         sourcesMap,
+		authServices:    authServicesMap,
+		embeddingModels: embeddingModelsMap,
+		tools:           toolsMap,
+		toolsets:        toolsetsMap,
+		prompts:         promptsMap,
+		promptsets:      promptsetsMap,
 	}
 
 	return resourceMgr
@@ -68,6 +72,13 @@ func (r *ResourceManager) GetAuthService(authServiceName string) (auth.AuthServi
 	return authService, ok
 }
 
+func (r *ResourceManager) GetEmbeddingModel(embeddingModelName string) (embeddingmodels.EmbeddingModel, bool) {
+	r.mu.RLock()
+	defer r.mu.RUnlock()
+	model, ok := r.embeddingModels[embeddingModelName]
+	return model, ok
+}
+
 func (r *ResourceManager) GetTool(toolName string) (tools.Tool, bool) {
 	r.mu.RLock()
 	defer r.mu.RUnlock()
@@ -96,11 +107,12 @@ func (r *ResourceManager) GetPromptset(promptsetName string) (prompts.Promptset,
 	return promptset, ok
 }
 
-func (r *ResourceManager) SetResources(sourcesMap map[string]sources.Source, authServicesMap map[string]auth.AuthService, toolsMap map[string]tools.Tool, toolsetsMap map[string]tools.Toolset, promptsMap map[string]prompts.Prompt, promptsetsMap map[string]prompts.Promptset) {
+func (r *ResourceManager) SetResources(sourcesMap map[string]sources.Source, authServicesMap map[string]auth.AuthService, embeddingModelsMap map[string]embeddingmodels.EmbeddingModel, toolsMap map[string]tools.Tool, toolsetsMap map[string]tools.Toolset, promptsMap map[string]prompts.Prompt, promptsetsMap map[string]prompts.Promptset) {
 	r.mu.Lock()
 	defer r.mu.Unlock()
 	r.sources = sourcesMap
 	r.authServices = authServicesMap
+	r.embeddingModels = embeddingModelsMap
 	r.tools = toolsMap
 	r.toolsets = toolsetsMap
 	r.prompts = promptsMap
@@ -117,6 +129,16 @@ func (r *ResourceManager) GetAuthServiceMap() map[string]auth.AuthService {
 	return copiedMap
 }
 
+func (r *ResourceManager) GetEmbeddingModelMap() map[string]embeddingmodels.EmbeddingModel {
+	r.mu.RLock()
+	defer r.mu.RUnlock()
+	copiedMap := make(map[string]embeddingmodels.EmbeddingModel, len(r.embeddingModels))
+	for k, v := range r.embeddingModels {
+		copiedMap[k] = v
+	}
+	return copiedMap
+}
+
 func (r *ResourceManager) GetToolsMap() map[string]tools.Tool {
 	r.mu.RLock()
 	defer r.mu.RUnlock()

internal/server/resources/resources_test.go

@@ -19,6 +19,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/googleapis/genai-toolbox/internal/auth"
+	"github.com/googleapis/genai-toolbox/internal/embeddingmodels"
 	"github.com/googleapis/genai-toolbox/internal/prompts"
 	"github.com/googleapis/genai-toolbox/internal/server/resources"
 	"github.com/googleapis/genai-toolbox/internal/sources"
@@ -36,6 +37,7 @@ func TestUpdateServer(t *testing.T) {
 		},
 	}
 	newAuth := map[string]auth.AuthService{"example-auth": nil}
+	newEmbeddingModels := map[string]embeddingmodels.EmbeddingModel{"example-model": nil}
 	newTools := map[string]tools.Tool{"example-tool": nil}
 	newToolsets := map[string]tools.Toolset{
 		"example-toolset": {
@@ -54,7 +56,7 @@ func TestUpdateServer(t *testing.T) {
 			Prompts: []*prompts.Prompt{},
 		},
 	}
-	resMgr := resources.NewResourceManager(newSources, newAuth, newTools, newToolsets, newPrompts, newPromptsets)
+	resMgr := resources.NewResourceManager(newSources, newAuth, newEmbeddingModels, newTools, newToolsets, newPrompts, newPromptsets)
 
 	gotSource, _ := resMgr.GetSource("example-source")
 	if diff := cmp.Diff(gotSource, newSources["example-source"]); diff != "" {
@@ -95,7 +97,7 @@ func TestUpdateServer(t *testing.T) {
 		},
 	}
 
-	resMgr.SetResources(updateSource, newAuth, newTools, newToolsets, newPrompts, newPromptsets)
+	resMgr.SetResources(updateSource, newAuth, newEmbeddingModels, newTools, newToolsets, newPrompts, newPromptsets)
 	gotSource, _ = resMgr.GetSource("example-source2")
 	if diff := cmp.Diff(gotSource, updateSource["example-source2"]); diff != "" {
 		t.Errorf("error updating server, sources (-want +got):\n%s", diff)

internal/server/server.go

@@ -30,6 +30,7 @@ import (
 	"github.com/go-chi/cors"
 	"github.com/go-chi/httplog/v2"
 	"github.com/googleapis/genai-toolbox/internal/auth"
+	"github.com/googleapis/genai-toolbox/internal/embeddingmodels"
 	"github.com/googleapis/genai-toolbox/internal/log"
 	"github.com/googleapis/genai-toolbox/internal/prompts"
 	"github.com/googleapis/genai-toolbox/internal/server/resources"
@@ -56,6 +57,7 @@ type Server struct {
 func InitializeConfigs(ctx context.Context, cfg ServerConfig) (
 	map[string]sources.Source,
 	map[string]auth.AuthService,
+	map[string]embeddingmodels.EmbeddingModel,
 	map[string]tools.Tool,
 	map[string]tools.Toolset,
 	map[string]prompts.Prompt,
@@ -91,7 +93,7 @@ func InitializeConfigs(ctx context.Context, cfg ServerConfig) (
 			return s, nil
 		}()
 		if err != nil {
-			return nil, nil, nil, nil, nil, nil, err
+			return nil, nil, nil, nil, nil, nil, nil, err
 		}
 		sourcesMap[name] = s
 	}
@@ -119,7 +121,7 @@ func InitializeConfigs(ctx context.Context, cfg ServerConfig) (
 			return a, nil
 		}()
 		if err != nil {
-			return nil, nil, nil, nil, nil, nil, err
+			return nil, nil, nil, nil, nil, nil, nil, err
 		}
 		authServicesMap[name] = a
 	}
@@ -129,6 +131,34 @@ func InitializeConfigs(ctx context.Context, cfg ServerConfig) (
 	}
 	l.InfoContext(ctx, fmt.Sprintf("Initialized %d authServices: %s", len(authServicesMap), strings.Join(authServiceNames, ", ")))
 
+	// Initialize and validate embedding models from configs.
+	embeddingModelsMap := make(map[string]embeddingmodels.EmbeddingModel)
+	for name, ec := range cfg.EmbeddingModelConfigs {
+		em, err := func() (embeddingmodels.EmbeddingModel, error) {
+			_, span := instrumentation.Tracer.Start(
+				ctx,
+				"toolbox/server/embeddingmodel/init",
+				trace.WithAttributes(attribute.String("model_kind", ec.EmbeddingModelConfigKind())),
+				trace.WithAttributes(attribute.String("model_name", name)),
+			)
+			defer span.End()
+			em, err := ec.Initialize(ctx)
+			if err != nil {
+				return nil, fmt.Errorf("unable to initialize embedding model %q: %w", name, err)
+			}
+			return em, nil
+		}()
+		if err != nil {
+			return nil, nil, nil, nil, nil, nil, nil, err
+		}
+		embeddingModelsMap[name] = em
+	}
+	embeddingModelNames := make([]string, 0, len(embeddingModelsMap))
+	for name := range embeddingModelsMap {
+		embeddingModelNames = append(embeddingModelNames, name)
+	}
+	l.InfoContext(ctx, fmt.Sprintf("Initialized %d embeddingModels: %s", len(embeddingModelsMap), strings.Join(embeddingModelNames, ", ")))
+
 	// initialize and validate the tools from configs
 	toolsMap := make(map[string]tools.Tool)
 	for name, tc := range cfg.ToolConfigs {
@@ -147,7 +177,7 @@ func InitializeConfigs(ctx context.Context, cfg ServerConfig) (
 			return t, nil
 		}()
 		if err != nil {
-			return nil, nil, nil, nil, nil, nil, err
+			return nil, nil, nil, nil, nil, nil, nil, err
 		}
 		toolsMap[name] = t
 	}
@@ -184,7 +214,7 @@ func InitializeConfigs(ctx context.Context, cfg ServerConfig) (
 			return t, err
 		}()
 		if err != nil {
-			return nil, nil, nil, nil, nil, nil, err
+			return nil, nil, nil, nil, nil, nil, nil, err
 		}
 		toolsetsMap[name] = t
 	}
@@ -216,7 +246,7 @@ func InitializeConfigs(ctx context.Context, cfg ServerConfig) (
 			return p, nil
 		}()
 		if err != nil {
-			return nil, nil, nil, nil, nil, nil, err
+			return nil, nil, nil, nil, nil, nil, nil, err
 		}
 		promptsMap[name] = p
 	}
@@ -253,7 +283,7 @@ func InitializeConfigs(ctx context.Context, cfg ServerConfig) (
 			return p, err
 		}()
 		if err != nil {
-			return nil, nil, nil, nil, nil, nil, err
+			return nil, nil, nil, nil, nil, nil, nil, err
 		}
 		promptsetsMap[name] = p
 	}
@@ -267,7 +297,22 @@ func InitializeConfigs(ctx context.Context, cfg ServerConfig) (
 	}
 	l.InfoContext(ctx, fmt.Sprintf("Initialized %d promptsets: %s", len(promptsetsMap), strings.Join(promptsetNames, ", ")))
 
-	return sourcesMap, authServicesMap, toolsMap, toolsetsMap, promptsMap, promptsetsMap, nil
+	return sourcesMap, authServicesMap, embeddingModelsMap, toolsMap, toolsetsMap, promptsMap, promptsetsMap, nil
+}
+
+func hostCheck(allowedHosts map[string]struct{}) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			_, hasWildcard := allowedHosts["*"]
+			_, hostIsAllowed := allowedHosts[r.Host]
+			if !hasWildcard && !hostIsAllowed {
+				// Return 400 Bad Request or 403 Forbidden to block the attack
+				http.Error(w, "Invalid Host header", http.StatusBadRequest)
+				return
+			}
+			next.ServeHTTP(w, r)
+		})
+	}
 }
 
 // NewServer returns a Server object based on provided Config.
@@ -320,7 +365,7 @@ func NewServer(ctx context.Context, cfg ServerConfig) (*Server, error) {
 	httpLogger := httplog.NewLogger("httplog", httpOpts)
 	r.Use(httplog.RequestLogger(httpLogger))
 
-	sourcesMap, authServicesMap, toolsMap, toolsetsMap, promptsMap, promptsetsMap, err := InitializeConfigs(ctx, cfg)
+	sourcesMap, authServicesMap, embeddingModelsMap, toolsMap, toolsetsMap, promptsMap, promptsetsMap, err := InitializeConfigs(ctx, cfg)
 	if err != nil {
 		return nil, fmt.Errorf("unable to initialize configs: %w", err)
 	}
@@ -330,7 +375,7 @@ func NewServer(ctx context.Context, cfg ServerConfig) (*Server, error) {
 
 	sseManager := newSseManager(ctx)
 
-	resourceManager := resources.NewResourceManager(sourcesMap, authServicesMap, toolsMap, toolsetsMap, promptsMap, promptsetsMap)
+	resourceManager := resources.NewResourceManager(sourcesMap, authServicesMap, embeddingModelsMap, toolsMap, toolsetsMap, promptsMap, promptsetsMap)
 
 	s := &Server{
 		version:         cfg.Version,
@@ -344,7 +389,7 @@ func NewServer(ctx context.Context, cfg ServerConfig) (*Server, error) {
 
 	// cors
 	if slices.Contains(cfg.AllowedOrigins, "*") {
-		s.logger.WarnContext(ctx, "wildcard (`*`) allows all origin to access the resource and is not secure. Use it with cautious for public, non-sensitive data, or during local development. Recommended to use `--allowed-origins` flag to prevent DNS rebinding attacks")
+		s.logger.WarnContext(ctx, "wildcard (`*`) allows all origin to access the resource and is not secure. Use it with cautious for public, non-sensitive data, or during local development. Recommended to use `--allowed-origins` flag")
 	}
 	corsOpts := cors.Options{
 		AllowedOrigins:   cfg.AllowedOrigins,
@@ -355,6 +400,15 @@ func NewServer(ctx context.Context, cfg ServerConfig) (*Server, error) {
 		MaxAge:           300,                        // cache preflight results for 5 minutes
 	}
 	r.Use(cors.Handler(corsOpts))
+	// validate hosts for DNS rebinding attacks
+	if slices.Contains(cfg.AllowedHosts, "*") {
+		s.logger.WarnContext(ctx, "wildcard (`*`) allows all hosts to access the resource and is not secure. Use it with cautious for public, non-sensitive data, or during local development. Recommended to use `--allowed-hosts` flag to prevent DNS rebinding attacks")
+	}
+	allowedHostsMap := make(map[string]struct{}, len(cfg.AllowedHosts))
+	for _, h := range cfg.AllowedHosts {
+		allowedHostsMap[h] = struct{}{}
+	}
+	r.Use(hostCheck(allowedHostsMap))
 
 	// control plane
 	apiR, err := apiRouter(s)

internal/server/server_test.go

@@ -25,6 +25,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/googleapis/genai-toolbox/internal/auth"
+	"github.com/googleapis/genai-toolbox/internal/embeddingmodels"
 	"github.com/googleapis/genai-toolbox/internal/log"
 	"github.com/googleapis/genai-toolbox/internal/prompts"
 	"github.com/googleapis/genai-toolbox/internal/server"
@@ -42,9 +43,10 @@ func TestServe(t *testing.T) {
 
 	addr, port := "127.0.0.1", 5000
 	cfg := server.ServerConfig{
-		Version: "0.0.0",
-		Address: addr,
-		Port:    port,
+		Version:      "0.0.0",
+		Address:      addr,
+		Port:         port,
+		AllowedHosts: []string{"*"},
 	}
 
 	otelShutdown, err := telemetry.SetupOTel(ctx, "0.0.0", "", false, "toolbox")
@@ -144,6 +146,7 @@ func TestUpdateServer(t *testing.T) {
 		},
 	}
 	newAuth := map[string]auth.AuthService{"example-auth": nil}
+	newEmbeddingModels := map[string]embeddingmodels.EmbeddingModel{"example-model": nil}
 	newTools := map[string]tools.Tool{"example-tool": nil}
 	newToolsets := map[string]tools.Toolset{
 		"example-toolset": {
@@ -162,7 +165,7 @@ func TestUpdateServer(t *testing.T) {
 			Prompts: []*prompts.Prompt{},
 		},
 	}
-	s.ResourceMgr.SetResources(newSources, newAuth, newTools, newToolsets, newPrompts, newPromptsets)
+	s.ResourceMgr.SetResources(newSources, newAuth, newEmbeddingModels, newTools, newToolsets, newPrompts, newPromptsets)
 	if err != nil {
 		t.Errorf("error updating server: %s", err)
 	}

internal/sources/alloydbpg/alloydb_pg.go

@@ -24,6 +24,7 @@ import (
 	"github.com/goccy/go-yaml"
 	"github.com/googleapis/genai-toolbox/internal/sources"
 	"github.com/googleapis/genai-toolbox/internal/util"
+	"github.com/googleapis/genai-toolbox/internal/util/orderedmap"
 	"github.com/jackc/pgx/v5/pgxpool"
 	"go.opentelemetry.io/otel/trace"
 )
@@ -104,22 +105,22 @@ func (s *Source) PostgresPool() *pgxpool.Pool {
 func (s *Source) RunSQL(ctx context.Context, statement string, params []any) (any, error) {
 	results, err := s.Pool.Query(ctx, statement, params...)
 	if err != nil {
-		return nil, fmt.Errorf("unable to execute query: %w. Query: %v , Values: %v. Toolbox v0.19.0+ is only compatible with AlloyDB AI NL v1.0.3+. Please ensure that you are using the latest AlloyDB AI NL extension", err, statement, params)
+		return nil, fmt.Errorf("unable to execute query: %w", err)
 	}
+	defer results.Close()
 
 	fields := results.FieldDescriptions()
-
 	var out []any
 	for results.Next() {
 		v, err := results.Values()
 		if err != nil {
 			return nil, fmt.Errorf("unable to parse row: %w", err)
 		}
-		vMap := make(map[string]any)
+		row := orderedmap.Row{}
 		for i, f := range fields {
-			vMap[f.Name] = v[i]
+			row.Add(f.Name, v[i])
 		}
-		out = append(out, vMap)
+		out = append(out, row)
 	}
 	// this will catch actual query execution errors
 	if err := results.Err(); err != nil {

internal/sources/bigquery/bigquery.go

@@ -17,7 +17,9 @@ package bigquery
 import (
 	"context"
 	"fmt"
+	"math/big"
 	"net/http"
+	"reflect"
 	"strings"
 	"sync"
 	"time"
@@ -26,18 +28,24 @@ import (
 	dataplexapi "cloud.google.com/go/dataplex/apiv1"
 	"github.com/goccy/go-yaml"
 	"github.com/googleapis/genai-toolbox/internal/sources"
+	"github.com/googleapis/genai-toolbox/internal/tools"
 	"github.com/googleapis/genai-toolbox/internal/util"
+	"github.com/googleapis/genai-toolbox/internal/util/orderedmap"
 	"go.opentelemetry.io/otel/trace"
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/google"
 	bigqueryrestapi "google.golang.org/api/bigquery/v2"
 	"google.golang.org/api/googleapi"
 	"google.golang.org/api/impersonate"
+	"google.golang.org/api/iterator"
 	"google.golang.org/api/option"
 )
 
 const SourceKind string = "bigquery"
 
+// CloudPlatformScope is a broad scope for Google Cloud Platform services.
+const CloudPlatformScope = "https://www.googleapis.com/auth/cloud-platform"
+
 const (
 	// No write operations are allowed.
 	WriteModeBlocked string = "blocked"
@@ -72,14 +80,42 @@ func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (sources
 
 type Config struct {
 	// BigQuery configs
-	Name                      string   `yaml:"name" validate:"required"`
-	Kind                      string   `yaml:"kind" validate:"required"`
-	Project                   string   `yaml:"project" validate:"required"`
-	Location                  string   `yaml:"location"`
-	WriteMode                 string   `yaml:"writeMode"`
-	AllowedDatasets           []string `yaml:"allowedDatasets"`
-	UseClientOAuth            bool     `yaml:"useClientOAuth"`
-	ImpersonateServiceAccount string   `yaml:"impersonateServiceAccount"`
+	Name                      string              `yaml:"name" validate:"required"`
+	Kind                      string              `yaml:"kind" validate:"required"`
+	Project                   string              `yaml:"project" validate:"required"`
+	Location                  string              `yaml:"location"`
+	WriteMode                 string              `yaml:"writeMode"`
+	AllowedDatasets           StringOrStringSlice `yaml:"allowedDatasets"`
+	UseClientOAuth            bool                `yaml:"useClientOAuth"`
+	ImpersonateServiceAccount string              `yaml:"impersonateServiceAccount"`
+	Scopes                    StringOrStringSlice `yaml:"scopes"`
+}
+
+// StringOrStringSlice is a custom type that can unmarshal both a single string
+// (which it splits by comma) and a sequence of strings into a string slice.
+type StringOrStringSlice []string
+
+// UnmarshalYAML implements the yaml.Unmarshaler interface.
+func (s *StringOrStringSlice) UnmarshalYAML(unmarshal func(any) error) error {
+	var v any
+	if err := unmarshal(&v); err != nil {
+		return err
+	}
+	switch val := v.(type) {
+	case string:
+		*s = strings.Split(val, ",")
+		return nil
+	case []any:
+		for _, item := range val {
+			if str, ok := item.(string); ok {
+				*s = append(*s, str)
+			} else {
+				return fmt.Errorf("element in sequence is not a string: %v", item)
+			}
+		}
+		return nil
+	}
+	return fmt.Errorf("cannot unmarshal %T into StringOrStringSlice", v)
 }
 
 func (r Config) SourceConfigKind() string {
@@ -128,7 +164,7 @@ func (r Config) Initialize(ctx context.Context, tracer trace.Tracer) (sources.So
 
 	} else {
 		// Initializes a BigQuery Google SQL source
-		client, restService, tokenSource, err = initBigQueryConnection(ctx, tracer, r.Name, r.Project, r.Location, r.ImpersonateServiceAccount)
+		client, restService, tokenSource, err = initBigQueryConnection(ctx, tracer, r.Name, r.Project, r.Location, r.ImpersonateServiceAccount, r.Scopes)
 		if err != nil {
 			return nil, fmt.Errorf("error creating client from ADC: %w", err)
 		}
@@ -391,19 +427,26 @@ func (s *Source) BigQueryTokenSource() oauth2.TokenSource {
 	return s.TokenSource
 }
 
-func (s *Source) BigQueryTokenSourceWithScope(ctx context.Context, scope string) (oauth2.TokenSource, error) {
+func (s *Source) BigQueryTokenSourceWithScope(ctx context.Context, scopes []string) (oauth2.TokenSource, error) {
+	if len(scopes) == 0 {
+		scopes = s.Scopes
+		if len(scopes) == 0 {
+			scopes = []string{CloudPlatformScope}
+		}
+	}
+
 	if s.ImpersonateServiceAccount != "" {
-		// Create impersonated credentials token source with the requested scope
+		// Create impersonated credentials token source with the requested scopes
 		ts, err := impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{
 			TargetPrincipal: s.ImpersonateServiceAccount,
-			Scopes:          []string{scope},
+			Scopes:          scopes,
 		})
 		if err != nil {
-			return nil, fmt.Errorf("failed to create impersonated credentials for %q with scope %q: %w", s.ImpersonateServiceAccount, scope, err)
+			return nil, fmt.Errorf("failed to create impersonated credentials for %q with scopes %v: %w", s.ImpersonateServiceAccount, scopes, err)
 		}
 		return ts, nil
 	}
-	return google.DefaultTokenSource(ctx, scope)
+	return google.DefaultTokenSource(ctx, scopes...)
 }
 
 func (s *Source) GetMaxQueryResultRows() int {
@@ -449,7 +492,7 @@ func (s *Source) lazyInitDataplexClient(ctx context.Context, tracer trace.Tracer
 
 	return func() (*dataplexapi.CatalogClient, DataplexClientCreator, error) {
 		once.Do(func() {
-			c, cc, e := initDataplexConnection(ctx, tracer, s.Name, s.Project, s.UseClientOAuth, s.ImpersonateServiceAccount)
+			c, cc, e := initDataplexConnection(ctx, tracer, s.Name, s.Project, s.UseClientOAuth, s.ImpersonateServiceAccount, s.Scopes)
 			if e != nil {
 				err = fmt.Errorf("failed to initialize dataplex client: %w", e)
 				return
@@ -483,6 +526,131 @@ func (s *Source) lazyInitDataplexClient(ctx context.Context, tracer trace.Tracer
 	}
 }
 
+func (s *Source) RetrieveClientAndService(accessToken tools.AccessToken) (*bigqueryapi.Client, *bigqueryrestapi.Service, error) {
+	bqClient := s.BigQueryClient()
+	restService := s.BigQueryRestService()
+
+	// Initialize new client if using user OAuth token
+	if s.UseClientAuthorization() {
+		tokenStr, err := accessToken.ParseBearerToken()
+		if err != nil {
+			return nil, nil, fmt.Errorf("error parsing access token: %w", err)
+		}
+		bqClient, restService, err = s.BigQueryClientCreator()(tokenStr, true)
+		if err != nil {
+			return nil, nil, fmt.Errorf("error creating client from OAuth access token: %w", err)
+		}
+	}
+	return bqClient, restService, nil
+}
+
+func (s *Source) RunSQL(ctx context.Context, bqClient *bigqueryapi.Client, statement, statementType string, params []bigqueryapi.QueryParameter, connProps []*bigqueryapi.ConnectionProperty) (any, error) {
+	query := bqClient.Query(statement)
+	query.Location = bqClient.Location
+	if params != nil {
+		query.Parameters = params
+	}
+	if connProps != nil {
+		query.ConnectionProperties = connProps
+	}
+
+	// This block handles SELECT statements, which return a row set.
+	// We iterate through the results, convert each row into a map of
+	// column names to values, and return the collection of rows.
+	job, err := query.Run(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("unable to execute query: %w", err)
+	}
+	it, err := job.Read(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("unable to read query results: %w", err)
+	}
+
+	var out []any
+	for {
+		var val []bigqueryapi.Value
+		err = it.Next(&val)
+		if err == iterator.Done {
+			break
+		}
+		if err != nil {
+			return nil, fmt.Errorf("unable to iterate through query results: %w", err)
+		}
+		schema := it.Schema
+		row := orderedmap.Row{}
+		for i, field := range schema {
+			row.Add(field.Name, NormalizeValue(val[i]))
+		}
+		out = append(out, row)
+	}
+	// If the query returned any rows, return them directly.
+	if len(out) > 0 {
+		return out, nil
+	}
+
+	// This handles the standard case for a SELECT query that successfully
+	// executes but returns zero rows.
+	if statementType == "SELECT" {
+		return "The query returned 0 rows.", nil
+	}
+	// This is the fallback for a successful query that doesn't return content.
+	// In most cases, this will be for DML/DDL statements like INSERT, UPDATE, CREATE, etc.
+	// However, it is also possible that this was a query that was expected to return rows
+	// but returned none, a case that we cannot distinguish here.
+	return "Query executed successfully and returned no content.", nil
+}
+
+// NormalizeValue converts BigQuery specific types to standard JSON-compatible types.
+// Specifically, it handles *big.Rat (used for NUMERIC/BIGNUMERIC) by converting
+// them to decimal strings with up to 38 digits of precision, trimming trailing zeros.
+// It recursively handles slices (arrays) and maps (structs) using reflection.
+func NormalizeValue(v any) any {
+	if v == nil {
+		return nil
+	}
+
+	// Handle *big.Rat specifically.
+	if rat, ok := v.(*big.Rat); ok {
+		// Convert big.Rat to a decimal string.
+		// Use a precision of 38 digits (enough for BIGNUMERIC and NUMERIC)
+		// and trim trailing zeros to match BigQuery's behavior.
+		s := rat.FloatString(38)
+		if strings.Contains(s, ".") {
+			s = strings.TrimRight(s, "0")
+			s = strings.TrimRight(s, ".")
+		}
+		return s
+	}
+
+	// Use reflection for slices and maps to handle various underlying types.
+	rv := reflect.ValueOf(v)
+	switch rv.Kind() {
+	case reflect.Slice, reflect.Array:
+		// Preserve []byte as is, so json.Marshal encodes it as Base64 string (BigQuery BYTES behavior).
+		if rv.Type().Elem().Kind() == reflect.Uint8 {
+			return v
+		}
+		newSlice := make([]any, rv.Len())
+		for i := 0; i < rv.Len(); i++ {
+			newSlice[i] = NormalizeValue(rv.Index(i).Interface())
+		}
+		return newSlice
+	case reflect.Map:
+		// Ensure keys are strings to produce a JSON-compatible map.
+		if rv.Type().Key().Kind() != reflect.String {
+			return v
+		}
+		newMap := make(map[string]any, rv.Len())
+		iter := rv.MapRange()
+		for iter.Next() {
+			newMap[iter.Key().String()] = NormalizeValue(iter.Value().Interface())
+		}
+		return newMap
+	}
+
+	return v
+}
+
 func initBigQueryConnection(
 	ctx context.Context,
 	tracer trace.Tracer,
@@ -490,6 +658,7 @@ func initBigQueryConnection(
 	project string,
 	location string,
 	impersonateServiceAccount string,
+	scopes []string,
 ) (*bigqueryapi.Client, *bigqueryrestapi.Service, oauth2.TokenSource, error) {
 	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceKind, name)
 	defer span.End()
@@ -502,12 +671,21 @@ func initBigQueryConnection(
 	var tokenSource oauth2.TokenSource
 	var opts []option.ClientOption
 
+	var credScopes []string
+	if len(scopes) > 0 {
+		credScopes = scopes
+	} else if impersonateServiceAccount != "" {
+		credScopes = []string{CloudPlatformScope}
+	} else {
+		credScopes = []string{bigqueryapi.Scope}
+	}
+
 	if impersonateServiceAccount != "" {
-		// Create impersonated credentials token source with cloud-platform scope
+		// Create impersonated credentials token source
 		// This broader scope is needed for tools like conversational analytics
 		cloudPlatformTokenSource, err := impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{
 			TargetPrincipal: impersonateServiceAccount,
-			Scopes:          []string{"https://www.googleapis.com/auth/cloud-platform"},
+			Scopes:          credScopes,
 		})
 		if err != nil {
 			return nil, nil, nil, fmt.Errorf("failed to create impersonated credentials for %q: %w", impersonateServiceAccount, err)
@@ -519,9 +697,9 @@ func initBigQueryConnection(
 		}
 	} else {
 		// Use default credentials
-		cred, err := google.FindDefaultCredentials(ctx, bigqueryapi.Scope)
+		cred, err := google.FindDefaultCredentials(ctx, credScopes...)
 		if err != nil {
-			return nil, nil, nil, fmt.Errorf("failed to find default Google Cloud credentials with scope %q: %w", bigqueryapi.Scope, err)
+			return nil, nil, nil, fmt.Errorf("failed to find default Google Cloud credentials with scopes %v: %w", credScopes, err)
 		}
 		tokenSource = cred.TokenSource
 		opts = []option.ClientOption{
@@ -612,6 +790,7 @@ func initDataplexConnection(
 	project string,
 	useClientOAuth bool,
 	impersonateServiceAccount string,
+	scopes []string,
 ) (*dataplexapi.CatalogClient, DataplexClientCreator, error) {
 	var client *dataplexapi.CatalogClient
 	var clientCreator DataplexClientCreator
@@ -630,11 +809,16 @@ func initDataplexConnection(
 	} else {
 		var opts []option.ClientOption
 
+		credScopes := scopes
+		if len(credScopes) == 0 {
+			credScopes = []string{CloudPlatformScope}
+		}
+
 		if impersonateServiceAccount != "" {
 			// Create impersonated credentials token source
 			ts, err := impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{
 				TargetPrincipal: impersonateServiceAccount,
-				Scopes:          []string{"https://www.googleapis.com/auth/cloud-platform"},
+				Scopes:          credScopes,
 			})
 			if err != nil {
 				return nil, nil, fmt.Errorf("failed to create impersonated credentials for %q: %w", impersonateServiceAccount, err)
@@ -645,7 +829,7 @@ func initDataplexConnection(
 			}
 		} else {
 			// Use default credentials
-			cred, err := google.FindDefaultCredentials(ctx)
+			cred, err := google.FindDefaultCredentials(ctx, credScopes...)
 			if err != nil {
 				return nil, nil, fmt.Errorf("failed to find default Google Cloud credentials: %w", err)
 			}

internal/sources/bigquery/bigquery_test.go

@@ -15,6 +15,8 @@
 package bigquery_test
 
 import (
+	"math/big"
+	"reflect"
 	"testing"
 
 	yaml "github.com/goccy/go-yaml"
@@ -130,6 +132,28 @@ func TestParseFromYamlBigQuery(t *testing.T) {
 				},
 			},
 		},
+		{
+			desc: "with custom scopes example",
+			in: `
+			sources:
+				my-instance:
+					kind: bigquery
+					project: my-project
+					location: us
+					scopes:
+						- https://www.googleapis.com/auth/bigquery
+						- https://www.googleapis.com/auth/cloud-platform
+			`,
+			want: server.SourceConfigs{
+				"my-instance": bigquery.Config{
+					Name:     "my-instance",
+					Kind:     bigquery.SourceKind,
+					Project:  "my-project",
+					Location: "us",
+					Scopes:   []string{"https://www.googleapis.com/auth/bigquery", "https://www.googleapis.com/auth/cloud-platform"},
+				},
+			},
+		},
 	}
 	for _, tc := range tcs {
 		t.Run(tc.desc, func(t *testing.T) {
@@ -195,3 +219,105 @@ func TestFailParseFromYaml(t *testing.T) {
 		})
 	}
 }
+
+func TestNormalizeValue(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    any
+		expected any
+	}{
+		{
+			name:     "big.Rat 1/3 (NUMERIC scale 9)",
+			input:    new(big.Rat).SetFrac64(1, 3),               // 0.33333333333...
+			expected: "0.33333333333333333333333333333333333333", // FloatString(38)
+		},
+		{
+			name:     "big.Rat 19/2 (9.5)",
+			input:    new(big.Rat).SetFrac64(19, 2),
+			expected: "9.5",
+		},
+		{
+			name:     "big.Rat 12341/10 (1234.1)",
+			input:    new(big.Rat).SetFrac64(12341, 10),
+			expected: "1234.1",
+		},
+		{
+			name:     "big.Rat 10/1 (10)",
+			input:    new(big.Rat).SetFrac64(10, 1),
+			expected: "10",
+		},
+		{
+			name:     "string",
+			input:    "hello",
+			expected: "hello",
+		},
+		{
+			name:     "int",
+			input:    123,
+			expected: 123,
+		},
+		{
+			name: "nested slice of big.Rat",
+			input: []any{
+				new(big.Rat).SetFrac64(19, 2),
+				new(big.Rat).SetFrac64(1, 4),
+			},
+			expected: []any{"9.5", "0.25"},
+		},
+		{
+			name: "nested map of big.Rat",
+			input: map[string]any{
+				"val1": new(big.Rat).SetFrac64(19, 2),
+				"val2": new(big.Rat).SetFrac64(1, 2),
+			},
+			expected: map[string]any{
+				"val1": "9.5",
+				"val2": "0.5",
+			},
+		},
+		{
+			name: "complex nested structure",
+			input: map[string]any{
+				"list": []any{
+					map[string]any{
+						"rat": new(big.Rat).SetFrac64(3, 2),
+					},
+				},
+			},
+			expected: map[string]any{
+				"list": []any{
+					map[string]any{
+						"rat": "1.5",
+					},
+				},
+			},
+		},
+		{
+			name: "slice of *big.Rat",
+			input: []*big.Rat{
+				new(big.Rat).SetFrac64(19, 2),
+				new(big.Rat).SetFrac64(1, 4),
+			},
+			expected: []any{"9.5", "0.25"},
+		},
+		{
+			name:     "slice of strings",
+			input:    []string{"a", "b"},
+			expected: []any{"a", "b"},
+		},
+		{
+			name:     "byte slice (BYTES)",
+			input:    []byte("hello"),
+			expected: []byte("hello"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := bigquery.NormalizeValue(tt.input)
+			if !reflect.DeepEqual(got, tt.expected) {
+				t.Errorf("NormalizeValue() = %v, want %v", got, tt.expected)
+			}
+		})
+	}
+}

internal/sources/bigtable/bigtable.go

@@ -22,6 +22,7 @@ import (
 	"github.com/goccy/go-yaml"
 	"github.com/googleapis/genai-toolbox/internal/sources"
 	"github.com/googleapis/genai-toolbox/internal/util"
+	"github.com/googleapis/genai-toolbox/internal/util/parameters"
 	"go.opentelemetry.io/otel/trace"
 	"google.golang.org/api/option"
 )
@@ -88,6 +89,94 @@ func (s *Source) BigtableClient() *bigtable.Client {
 	return s.Client
 }
 
+func getBigtableType(paramType string) (bigtable.SQLType, error) {
+	switch paramType {
+	case "boolean":
+		return bigtable.BoolSQLType{}, nil
+	case "string":
+		return bigtable.StringSQLType{}, nil
+	case "integer":
+		return bigtable.Int64SQLType{}, nil
+	case "float":
+		return bigtable.Float64SQLType{}, nil
+	case "array":
+		return bigtable.ArraySQLType{}, nil
+	default:
+		return nil, fmt.Errorf("unknow param type %s", paramType)
+	}
+}
+
+func getMapParamsType(tparams parameters.Parameters) (map[string]bigtable.SQLType, error) {
+	btParamTypes := make(map[string]bigtable.SQLType)
+	for _, p := range tparams {
+		if p.GetType() == "array" {
+			itemType, err := getBigtableType(p.Manifest().Items.Type)
+			if err != nil {
+				return nil, err
+			}
+			btParamTypes[p.GetName()] = bigtable.ArraySQLType{
+				ElemType: itemType,
+			}
+			continue
+		}
+		paramType, err := getBigtableType(p.GetType())
+		if err != nil {
+			return nil, err
+		}
+		btParamTypes[p.GetName()] = paramType
+	}
+	return btParamTypes, nil
+}
+
+func (s *Source) RunSQL(ctx context.Context, statement string, configParam parameters.Parameters, params parameters.ParamValues) (any, error) {
+	mapParamsType, err := getMapParamsType(configParam)
+	if err != nil {
+		return nil, fmt.Errorf("fail to get map params: %w", err)
+	}
+
+	ps, err := s.BigtableClient().PrepareStatement(
+		ctx,
+		statement,
+		mapParamsType,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("unable to prepare statement: %w", err)
+	}
+
+	bs, err := ps.Bind(params.AsMap())
+	if err != nil {
+		return nil, fmt.Errorf("unable to bind: %w", err)
+	}
+
+	var out []any
+	var rowErr error
+	err = bs.Execute(ctx, func(resultRow bigtable.ResultRow) bool {
+		vMap := make(map[string]any)
+		cols := resultRow.Metadata.Columns
+
+		for _, c := range cols {
+			var columValue any
+			if err = resultRow.GetByName(c.Name, &columValue); err != nil {
+				rowErr = err
+				return false
+			}
+			vMap[c.Name] = columValue
+		}
+
+		out = append(out, vMap)
+
+		return true
+	})
+	if err != nil {
+		return nil, fmt.Errorf("unable to execute client: %w", err)
+	}
+	if rowErr != nil {
+		return nil, fmt.Errorf("error processing row: %w", rowErr)
+	}
+
+	return out, nil
+}
+
 func initBigtableClient(ctx context.Context, tracer trace.Tracer, name, project, instance string) (*bigtable.Client, error) {
 	//nolint:all // Reassigned ctx
 	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceKind, name)

internal/sources/cassandra/cassandra.go

@@ -21,6 +21,7 @@ import (
 	gocql "github.com/apache/cassandra-gocql-driver/v2"
 	"github.com/goccy/go-yaml"
 	"github.com/googleapis/genai-toolbox/internal/sources"
+	"github.com/googleapis/genai-toolbox/internal/util/parameters"
 	"go.opentelemetry.io/otel/trace"
 )
 
@@ -89,10 +90,32 @@ func (s *Source) ToConfig() sources.SourceConfig {
 }
 
 // SourceKind implements sources.Source.
-func (s Source) SourceKind() string {
+func (s *Source) SourceKind() string {
 	return SourceKind
 }
 
+func (s *Source) RunSQL(ctx context.Context, statement string, params parameters.ParamValues) (any, error) {
+	sliceParams := params.AsSlice()
+	iter := s.CassandraSession().Query(statement, sliceParams...).IterContext(ctx)
+
+	// Create a slice to store the out
+	var out []map[string]interface{}
+
+	// Scan results into a map and append to the slice
+	for {
+		row := make(map[string]interface{}) // Create a new map for each row
+		if !iter.MapScan(row) {
+			break // No more rows
+		}
+		out = append(out, row)
+	}
+
+	if err := iter.Close(); err != nil {
+		return nil, fmt.Errorf("unable to parse rows: %w", err)
+	}
+	return out, nil
+}
+
 var _ sources.Source = &Source{}
 
 func initCassandraSession(ctx context.Context, tracer trace.Tracer, c Config) (*gocql.Session, error) {

internal/sources/clickhouse/clickhouse.go

@@ -24,6 +24,7 @@ import (
 	_ "github.com/ClickHouse/clickhouse-go/v2"
 	"github.com/goccy/go-yaml"
 	"github.com/googleapis/genai-toolbox/internal/sources"
+	"github.com/googleapis/genai-toolbox/internal/util/parameters"
 	"go.opentelemetry.io/otel/trace"
 )
 
@@ -99,6 +100,69 @@ func (s *Source) ClickHousePool() *sql.DB {
 	return s.Pool
 }
 
+func (s *Source) RunSQL(ctx context.Context, statement string, params parameters.ParamValues) (any, error) {
+	var sliceParams []any
+	if params != nil {
+		sliceParams = params.AsSlice()
+	}
+	results, err := s.ClickHousePool().QueryContext(ctx, statement, sliceParams...)
+	if err != nil {
+		return nil, fmt.Errorf("unable to execute query: %w", err)
+	}
+	defer results.Close()
+
+	cols, err := results.Columns()
+	if err != nil {
+		return nil, fmt.Errorf("unable to retrieve rows column name: %w", err)
+	}
+
+	// create an array of values for each column, which can be re-used to scan each row
+	rawValues := make([]any, len(cols))
+	values := make([]any, len(cols))
+	for i := range rawValues {
+		values[i] = &rawValues[i]
+	}
+
+	colTypes, err := results.ColumnTypes()
+	if err != nil {
+		return nil, fmt.Errorf("unable to get column types: %w", err)
+	}
+
+	var out []any
+	for results.Next() {
+		err := results.Scan(values...)
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse row: %w", err)
+		}
+		vMap := make(map[string]any)
+		for i, name := range cols {
+			// ClickHouse driver may return specific types that need handling
+			switch colTypes[i].DatabaseTypeName() {
+			case "String", "FixedString":
+				if rawValues[i] != nil {
+					// Handle potential []byte to string conversion if needed
+					if b, ok := rawValues[i].([]byte); ok {
+						vMap[name] = string(b)
+					} else {
+						vMap[name] = rawValues[i]
+					}
+				} else {
+					vMap[name] = nil
+				}
+			default:
+				vMap[name] = rawValues[i]
+			}
+		}
+		out = append(out, vMap)
+	}
+
+	if err := results.Err(); err != nil {
+		return nil, fmt.Errorf("errors encountered by results.Scan: %w", err)
+	}
+
+	return out, nil
+}
+
 func validateConfig(protocol string) error {
 	validProtocols := map[string]bool{"http": true, "https": true}
 

internal/sources/cloudgda/cloud_gda.go

@@ -14,8 +14,11 @@
 package cloudgda
 
 import (
+	"bytes"
 	"context"
+	"encoding/json"
 	"fmt"
+	"io"
 	"net/http"
 
 	"github.com/goccy/go-yaml"
@@ -131,3 +134,43 @@ func (s *Source) GetClient(ctx context.Context, accessToken string) (*http.Clien
 func (s *Source) UseClientAuthorization() bool {
 	return s.UseClientOAuth
 }
+
+func (s *Source) RunQuery(ctx context.Context, tokenStr string, bodyBytes []byte) (any, error) {
+	// The API endpoint itself always uses the "global" location.
+	apiLocation := "global"
+	apiParent := fmt.Sprintf("projects/%s/locations/%s", s.GetProjectID(), apiLocation)
+	apiURL := fmt.Sprintf("%s/v1beta/%s:queryData", s.GetBaseURL(), apiParent)
+
+	client, err := s.GetClient(ctx, tokenStr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get HTTP client: %w", err)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, apiURL, bytes.NewBuffer(bodyBytes))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %w", err)
+	}
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	respBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response body: %w", err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("API request failed with status %d: %s", resp.StatusCode, string(respBody))
+	}
+
+	var result map[string]any
+	if err := json.Unmarshal(respBody, &result); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal response: %w", err)
+	}
+
+	return result, nil
+}

internal/sources/cloudmonitoring/cloud_monitoring.go

@@ -15,7 +15,9 @@ package cloudmonitoring
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
+	"io"
 	"net/http"
 
 	"github.com/goccy/go-yaml"
@@ -131,3 +133,44 @@ func (s *Source) GetClient(ctx context.Context, accessToken string) (*http.Clien
 func (s *Source) UseClientAuthorization() bool {
 	return s.UseClientOAuth
 }
+
+func (s *Source) RunQuery(projectID, query string) (any, error) {
+	url := fmt.Sprintf("%s/v1/projects/%s/location/global/prometheus/api/v1/query", s.BaseURL(), projectID)
+
+	req, err := http.NewRequest(http.MethodGet, url, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	q := req.URL.Query()
+	q.Add("query", query)
+	req.URL.RawQuery = q.Encode()
+
+	req.Header.Set("User-Agent", s.UserAgent())
+
+	resp, err := s.Client().Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response body: %w", err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("request failed: %s, body: %s", resp.Status, string(body))
+	}
+
+	if len(body) == 0 {
+		return nil, nil
+	}
+
+	var result map[string]any
+	if err := json.Unmarshal(body, &result); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal json: %w, body: %s", err, string(body))
+	}
+
+	return result, nil
+}

internal/sources/cloudsqladmin/cloud_sql_admin.go

@@ -15,10 +15,16 @@ package cloudsqladmin
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"net/http"
+	"regexp"
+	"strings"
+	"text/template"
+	"time"
 
 	"github.com/goccy/go-yaml"
+	"github.com/googleapis/genai-toolbox/internal/log"
 	"github.com/googleapis/genai-toolbox/internal/sources"
 	"github.com/googleapis/genai-toolbox/internal/util"
 	"go.opentelemetry.io/otel/trace"
@@ -30,6 +36,8 @@ import (
 
 const SourceKind string = "cloud-sql-admin"
 
+var targetLinkRegex = regexp.MustCompile(`/projects/([^/]+)/instances/([^/]+)/databases/([^/]+)`)
+
 // validate interface
 var _ sources.SourceConfig = Config{}
 
@@ -130,3 +138,304 @@ func (s *Source) GetService(ctx context.Context, accessToken string) (*sqladmin.
 func (s *Source) UseClientAuthorization() bool {
 	return s.UseClientOAuth
 }
+
+func (s *Source) CloneInstance(ctx context.Context, project, sourceInstanceName, destinationInstanceName, pointInTime, preferredZone, preferredSecondaryZone, accessToken string) (any, error) {
+	cloneContext := &sqladmin.CloneContext{
+		DestinationInstanceName: destinationInstanceName,
+	}
+
+	if pointInTime != "" {
+		cloneContext.PointInTime = pointInTime
+	}
+	if preferredZone != "" {
+		cloneContext.PreferredZone = preferredZone
+	}
+	if preferredSecondaryZone != "" {
+		cloneContext.PreferredSecondaryZone = preferredSecondaryZone
+	}
+
+	rb := &sqladmin.InstancesCloneRequest{
+		CloneContext: cloneContext,
+	}
+	service, err := s.GetService(ctx, accessToken)
+	if err != nil {
+		return nil, err
+	}
+	resp, err := service.Instances.Clone(project, sourceInstanceName, rb).Do()
+	if err != nil {
+		return nil, fmt.Errorf("error cloning instance: %w", err)
+	}
+	return resp, nil
+}
+
+func (s *Source) CreateDatabase(ctx context.Context, name, project, instance, accessToken string) (any, error) {
+	database := sqladmin.Database{
+		Name:     name,
+		Project:  project,
+		Instance: instance,
+	}
+
+	service, err := s.GetService(ctx, accessToken)
+	if err != nil {
+		return nil, err
+	}
+
+	resp, err := service.Databases.Insert(project, instance, &database).Do()
+	if err != nil {
+		return nil, fmt.Errorf("error creating database: %w", err)
+	}
+	return resp, nil
+}
+
+func (s *Source) CreateUsers(ctx context.Context, project, instance, name, password string, iamUser bool, accessToken string) (any, error) {
+	service, err := s.GetService(ctx, accessToken)
+	if err != nil {
+		return nil, err
+	}
+
+	user := sqladmin.User{
+		Name: name,
+	}
+
+	if iamUser {
+		user.Type = "CLOUD_IAM_USER"
+	} else {
+		user.Type = "BUILT_IN"
+		if password == "" {
+			return nil, fmt.Errorf("missing 'password' parameter for non-IAM user")
+		}
+		user.Password = password
+	}
+
+	resp, err := service.Users.Insert(project, instance, &user).Do()
+	if err != nil {
+		return nil, fmt.Errorf("error creating user: %w", err)
+	}
+
+	return resp, nil
+}
+
+func (s *Source) GetInstance(ctx context.Context, projectId, instanceId, accessToken string) (any, error) {
+	service, err := s.GetService(ctx, accessToken)
+	if err != nil {
+		return nil, err
+	}
+
+	resp, err := service.Instances.Get(projectId, instanceId).Do()
+	if err != nil {
+		return nil, fmt.Errorf("error getting instance: %w", err)
+	}
+	return resp, nil
+}
+
+func (s *Source) ListDatabase(ctx context.Context, project, instance, accessToken string) (any, error) {
+	service, err := s.GetService(ctx, accessToken)
+	if err != nil {
+		return nil, err
+	}
+
+	resp, err := service.Databases.List(project, instance).Do()
+	if err != nil {
+		return nil, fmt.Errorf("error listing databases: %w", err)
+	}
+
+	if resp.Items == nil {
+		return []any{}, nil
+	}
+
+	type databaseInfo struct {
+		Name      string `json:"name"`
+		Charset   string `json:"charset"`
+		Collation string `json:"collation"`
+	}
+
+	var databases []databaseInfo
+	for _, item := range resp.Items {
+		databases = append(databases, databaseInfo{
+			Name:      item.Name,
+			Charset:   item.Charset,
+			Collation: item.Collation,
+		})
+	}
+	return databases, nil
+}
+
+func (s *Source) ListInstance(ctx context.Context, project, accessToken string) (any, error) {
+	service, err := s.GetService(ctx, accessToken)
+	if err != nil {
+		return nil, err
+	}
+
+	resp, err := service.Instances.List(project).Do()
+	if err != nil {
+		return nil, fmt.Errorf("error listing instances: %w", err)
+	}
+
+	if resp.Items == nil {
+		return []any{}, nil
+	}
+
+	type instanceInfo struct {
+		Name         string `json:"name"`
+		InstanceType string `json:"instanceType"`
+	}
+
+	var instances []instanceInfo
+	for _, item := range resp.Items {
+		instances = append(instances, instanceInfo{
+			Name:         item.Name,
+			InstanceType: item.InstanceType,
+		})
+	}
+	return instances, nil
+}
+
+func (s *Source) CreateInstance(ctx context.Context, project, name, dbVersion, rootPassword string, settings sqladmin.Settings, accessToken string) (any, error) {
+	instance := sqladmin.DatabaseInstance{
+		Name:            name,
+		DatabaseVersion: dbVersion,
+		RootPassword:    rootPassword,
+		Settings:        &settings,
+		Project:         project,
+	}
+
+	service, err := s.GetService(ctx, accessToken)
+	if err != nil {
+		return nil, err
+	}
+
+	resp, err := service.Instances.Insert(project, &instance).Do()
+	if err != nil {
+		return nil, fmt.Errorf("error creating instance: %w", err)
+	}
+
+	return resp, nil
+}
+
+func (s *Source) GetWaitForOperations(ctx context.Context, service *sqladmin.Service, project, operation, connectionMessageTemplate string, delay time.Duration) (any, error) {
+	logger, err := util.LoggerFromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+	op, err := service.Operations.Get(project, operation).Do()
+	if err != nil {
+		logger.DebugContext(ctx, fmt.Sprintf("error getting operation: %s, retrying in %v", err, delay))
+	} else {
+		if op.Status == "DONE" {
+			if op.Error != nil {
+				var errorBytes []byte
+				errorBytes, err = json.Marshal(op.Error)
+				if err != nil {
+					return nil, fmt.Errorf("operation finished with error but could not marshal error object: %w", err)
+				}
+				return nil, fmt.Errorf("operation finished with error: %s", string(errorBytes))
+			}
+
+			var opBytes []byte
+			opBytes, err = op.MarshalJSON()
+			if err != nil {
+				return nil, fmt.Errorf("could not marshal operation: %w", err)
+			}
+
+			var data map[string]any
+			if err := json.Unmarshal(opBytes, &data); err != nil {
+				return nil, fmt.Errorf("could not unmarshal operation: %w", err)
+			}
+
+			if msg, ok := generateCloudSQLConnectionMessage(ctx, s, logger, data, connectionMessageTemplate); ok {
+				return msg, nil
+			}
+			return string(opBytes), nil
+		}
+		logger.DebugContext(ctx, fmt.Sprintf("operation not complete, retrying in %v", delay))
+	}
+	return nil, nil
+}
+
+func generateCloudSQLConnectionMessage(ctx context.Context, source *Source, logger log.Logger, opResponse map[string]any, connectionMessageTemplate string) (string, bool) {
+	operationType, ok := opResponse["operationType"].(string)
+	if !ok || operationType != "CREATE_DATABASE" {
+		return "", false
+	}
+
+	targetLink, ok := opResponse["targetLink"].(string)
+	if !ok {
+		return "", false
+	}
+
+	matches := targetLinkRegex.FindStringSubmatch(targetLink)
+	if len(matches) < 4 {
+		return "", false
+	}
+	project := matches[1]
+	instance := matches[2]
+	database := matches[3]
+
+	dbInstance, err := fetchInstanceData(ctx, source, project, instance)
+	if err != nil {
+		logger.DebugContext(ctx, fmt.Sprintf("error fetching instance data: %v", err))
+		return "", false
+	}
+
+	region := dbInstance.Region
+	if region == "" {
+		return "", false
+	}
+
+	databaseVersion := dbInstance.DatabaseVersion
+	if databaseVersion == "" {
+		return "", false
+	}
+
+	var dbType string
+	if strings.Contains(databaseVersion, "POSTGRES") {
+		dbType = "postgres"
+	} else if strings.Contains(databaseVersion, "MYSQL") {
+		dbType = "mysql"
+	} else if strings.Contains(databaseVersion, "SQLSERVER") {
+		dbType = "mssql"
+	} else {
+		return "", false
+	}
+
+	tmpl, err := template.New("cloud-sql-connection").Parse(connectionMessageTemplate)
+	if err != nil {
+		return fmt.Sprintf("template parsing error: %v", err), false
+	}
+
+	data := struct {
+		Project     string
+		Region      string
+		Instance    string
+		DBType      string
+		DBTypeUpper string
+		Database    string
+	}{
+		Project:     project,
+		Region:      region,
+		Instance:    instance,
+		DBType:      dbType,
+		DBTypeUpper: strings.ToUpper(dbType),
+		Database:    database,
+	}
+
+	var b strings.Builder
+	if err := tmpl.Execute(&b, data); err != nil {
+		return fmt.Sprintf("template execution error: %v", err), false
+	}
+
+	return b.String(), true
+}
+
+func fetchInstanceData(ctx context.Context, source *Source, project, instance string) (*sqladmin.DatabaseInstance, error) {
+	service, err := source.GetService(ctx, "")
+	if err != nil {
+		return nil, err
+	}
+
+	resp, err := service.Instances.Get(project, instance).Do()
+	if err != nil {
+		return nil, fmt.Errorf("error getting instance: %w", err)
+	}
+	return resp, nil
+}

internal/sources/cloudsqlmssql/cloud_sql_mssql.go

@@ -25,6 +25,7 @@ import (
 	"github.com/goccy/go-yaml"
 	"github.com/googleapis/genai-toolbox/internal/sources"
 	"github.com/googleapis/genai-toolbox/internal/util"
+	"github.com/googleapis/genai-toolbox/internal/util/orderedmap"
 	"go.opentelemetry.io/otel/trace"
 )
 
@@ -107,6 +108,48 @@ func (s *Source) MSSQLDB() *sql.DB {
 	return s.Db
 }
 
+func (s *Source) RunSQL(ctx context.Context, statement string, params []any) (any, error) {
+	results, err := s.MSSQLDB().QueryContext(ctx, statement, params...)
+	if err != nil {
+		return nil, fmt.Errorf("unable to execute query: %w", err)
+	}
+	defer results.Close()
+
+	cols, err := results.Columns()
+	// If Columns() errors, it might be a DDL/DML without an OUTPUT clause.
+	// We proceed, and results.Err() will catch actual query execution errors.
+	// 'out' will remain nil if cols is empty or err is not nil here.
+	var out []any
+	if err == nil && len(cols) > 0 {
+		// create an array of values for each column, which can be re-used to scan each row
+		rawValues := make([]any, len(cols))
+		values := make([]any, len(cols))
+		for i := range rawValues {
+			values[i] = &rawValues[i]
+		}
+
+		for results.Next() {
+			scanErr := results.Scan(values...)
+			if scanErr != nil {
+				return nil, fmt.Errorf("unable to parse row: %w", scanErr)
+			}
+			row := orderedmap.Row{}
+			for i, name := range cols {
+				row.Add(name, rawValues[i])
+			}
+			out = append(out, row)
+		}
+	}
+
+	// Check for errors from iterating over rows or from the query execution itself.
+	// results.Close() is handled by defer.
+	if err := results.Err(); err != nil {
+		return nil, fmt.Errorf("errors encountered during query execution or row processing: %w", err)
+	}
+
+	return out, nil
+}
+
 func initCloudSQLMssqlConnection(ctx context.Context, tracer trace.Tracer, name, project, region, instance, ipType, user, pass, dbname string) (*sql.DB, error) {
 	//nolint:all // Reassigned ctx
 	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceKind, name)

internal/sources/cloudsqlmysql/cloud_sql_mysql.go

@@ -24,7 +24,9 @@ import (
 	"cloud.google.com/go/cloudsqlconn/mysql/mysql"
 	"github.com/goccy/go-yaml"
 	"github.com/googleapis/genai-toolbox/internal/sources"
+	"github.com/googleapis/genai-toolbox/internal/tools/mysql/mysqlcommon"
 	"github.com/googleapis/genai-toolbox/internal/util"
+	"github.com/googleapis/genai-toolbox/internal/util/orderedmap"
 	"go.opentelemetry.io/otel/trace"
 )
 
@@ -100,6 +102,60 @@ func (s *Source) MySQLPool() *sql.DB {
 	return s.Pool
 }
 
+func (s *Source) RunSQL(ctx context.Context, statement string, params []any) (any, error) {
+	results, err := s.MySQLPool().QueryContext(ctx, statement, params...)
+	if err != nil {
+		return nil, fmt.Errorf("unable to execute query: %w", err)
+	}
+	defer results.Close()
+
+	cols, err := results.Columns()
+	if err != nil {
+		return nil, fmt.Errorf("unable to retrieve rows column name: %w", err)
+	}
+
+	// create an array of values for each column, which can be re-used to scan each row
+	rawValues := make([]any, len(cols))
+	values := make([]any, len(cols))
+	for i := range rawValues {
+		values[i] = &rawValues[i]
+	}
+
+	colTypes, err := results.ColumnTypes()
+	if err != nil {
+		return nil, fmt.Errorf("unable to get column types: %w", err)
+	}
+
+	var out []any
+	for results.Next() {
+		err := results.Scan(values...)
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse row: %w", err)
+		}
+		row := orderedmap.Row{}
+		for i, name := range cols {
+			val := rawValues[i]
+			if val == nil {
+				row.Add(name, nil)
+				continue
+			}
+
+			convertedValue, err := mysqlcommon.ConvertToType(colTypes[i], val)
+			if err != nil {
+				return nil, fmt.Errorf("errors encountered when converting values: %w", err)
+			}
+			row.Add(name, convertedValue)
+		}
+		out = append(out, row)
+	}
+
+	if err := results.Err(); err != nil {
+		return nil, fmt.Errorf("errors encountered during row iteration: %w", err)
+	}
+
+	return out, nil
+}
+
 func getConnectionConfig(ctx context.Context, user, pass string) (string, string, bool, error) {
 	useIAM := true
 

internal/sources/cloudsqlpg/cloud_sql_pg.go

@@ -23,6 +23,7 @@ import (
 	"github.com/goccy/go-yaml"
 	"github.com/googleapis/genai-toolbox/internal/sources"
 	"github.com/googleapis/genai-toolbox/internal/util"
+	"github.com/googleapis/genai-toolbox/internal/util/orderedmap"
 	"github.com/jackc/pgx/v5/pgxpool"
 	"go.opentelemetry.io/otel/trace"
 )
@@ -99,6 +100,33 @@ func (s *Source) PostgresPool() *pgxpool.Pool {
 	return s.Pool
 }
 
+func (s *Source) RunSQL(ctx context.Context, statement string, params []any) (any, error) {
+	results, err := s.PostgresPool().Query(ctx, statement, params...)
+	if err != nil {
+		return nil, fmt.Errorf("unable to execute query: %w", err)
+	}
+	defer results.Close()
+
+	fields := results.FieldDescriptions()
+	var out []any
+	for results.Next() {
+		values, err := results.Values()
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse row: %w", err)
+		}
+		row := orderedmap.Row{}
+		for i, f := range fields {
+			row.Add(f.Name, values[i])
+		}
+		out = append(out, row)
+	}
+	// this will catch actual query execution errors
+	if err := results.Err(); err != nil {
+		return nil, fmt.Errorf("unable to execute query: %w", err)
+	}
+	return out, nil
+}
+
 func getConnectionConfig(ctx context.Context, user, pass, dbname string) (string, bool, error) {
 	userAgent, err := util.UserAgentFromContext(ctx)
 	if err != nil {

internal/sources/couchbase/couchbase.go

@@ -17,6 +17,7 @@ package couchbase
 import (
 	"context"
 	"crypto/tls"
+	"encoding/json"
 	"fmt"
 	"os"
 
@@ -24,6 +25,7 @@ import (
 	tlsutil "github.com/couchbase/tools-common/http/tls"
 	"github.com/goccy/go-yaml"
 	"github.com/googleapis/genai-toolbox/internal/sources"
+	"github.com/googleapis/genai-toolbox/internal/util/parameters"
 	"go.opentelemetry.io/otel/trace"
 )
 
@@ -110,6 +112,27 @@ func (s *Source) CouchbaseQueryScanConsistency() uint {
 	return s.QueryScanConsistency
 }
 
+func (s *Source) RunSQL(statement string, params parameters.ParamValues) (any, error) {
+	results, err := s.CouchbaseScope().Query(statement, &gocb.QueryOptions{
+		ScanConsistency: gocb.QueryScanConsistency(s.CouchbaseQueryScanConsistency()),
+		NamedParameters: params.AsMap(),
+	})
+	if err != nil {
+		return nil, fmt.Errorf("unable to execute query: %w", err)
+	}
+
+	var out []any
+	for results.Next() {
+		var result json.RawMessage
+		err := results.Row(&result)
+		if err != nil {
+			return nil, fmt.Errorf("error processing row: %w", err)
+		}
+		out = append(out, result)
+	}
+	return out, nil
+}
+
 func (r Config) createCouchbaseOptions() (gocb.ClusterOptions, error) {
 	cbOpts := gocb.ClusterOptions{}
 

internal/sources/dgraph/dgraph.go

@@ -26,6 +26,7 @@ import (
 
 	"github.com/goccy/go-yaml"
 	"github.com/googleapis/genai-toolbox/internal/sources"
+	"github.com/googleapis/genai-toolbox/internal/util/parameters"
 	"go.opentelemetry.io/otel/trace"
 )
 
@@ -114,6 +115,28 @@ func (s *Source) DgraphClient() *DgraphClient {
 	return s.Client
 }
 
+func (s *Source) RunSQL(statement string, params parameters.ParamValues, isQuery bool, timeout string) (any, error) {
+	paramsMap := params.AsMapWithDollarPrefix()
+	resp, err := s.DgraphClient().ExecuteQuery(statement, paramsMap, isQuery, timeout)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := checkError(resp); err != nil {
+		return nil, err
+	}
+
+	var result struct {
+		Data map[string]interface{} `json:"data"`
+	}
+
+	if err := json.Unmarshal(resp, &result); err != nil {
+		return nil, fmt.Errorf("error parsing JSON: %v", err)
+	}
+
+	return result.Data, nil
+}
+
 func initDgraphHttpClient(ctx context.Context, tracer trace.Tracer, r Config) (*DgraphClient, error) {
 	//nolint:all // Reassigned ctx
 	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceKind, r.Name)
@@ -285,7 +308,7 @@ func (hc *DgraphClient) doLogin(creds map[string]interface{}) error {
 		return err
 	}
 
-	if err := CheckError(resp); err != nil {
+	if err := checkError(resp); err != nil {
 		return err
 	}
 
@@ -370,7 +393,7 @@ func getUrl(baseUrl, resource string, params url.Values) (string, error) {
 	return u.String(), nil
 }
 
-func CheckError(resp []byte) error {
+func checkError(resp []byte) error {
 	var errResp struct {
 		Errors []struct {
 			Message string `json:"message"`

internal/sources/elasticsearch/elasticsearch.go

@@ -15,7 +15,9 @@
 package elasticsearch
 
 import (
+	"bytes"
 	"context"
+	"encoding/json"
 	"fmt"
 	"net/http"
 
@@ -149,3 +151,80 @@ func (s *Source) ToConfig() sources.SourceConfig {
 func (s *Source) ElasticsearchClient() EsClient {
 	return s.Client
 }
+
+type EsqlColumn struct {
+	Name string `json:"name"`
+	Type string `json:"type"`
+}
+
+type EsqlResult struct {
+	Columns []EsqlColumn `json:"columns"`
+	Values  [][]any      `json:"values"`
+}
+
+func (s *Source) RunSQL(ctx context.Context, format, query string, params []map[string]any) (any, error) {
+	bodyStruct := struct {
+		Query  string           `json:"query"`
+		Params []map[string]any `json:"params,omitempty"`
+	}{
+		Query:  query,
+		Params: params,
+	}
+	body, err := json.Marshal(bodyStruct)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal query body: %w", err)
+	}
+
+	res, err := esapi.EsqlQueryRequest{
+		Body:       bytes.NewReader(body),
+		Format:     format,
+		FilterPath: []string{"columns", "values"},
+		Instrument: s.ElasticsearchClient().InstrumentationEnabled(),
+	}.Do(ctx, s.ElasticsearchClient())
+
+	if err != nil {
+		return nil, err
+	}
+	defer res.Body.Close()
+
+	if res.IsError() {
+		// Try to extract error message from response
+		var esErr json.RawMessage
+		err = util.DecodeJSON(res.Body, &esErr)
+		if err != nil {
+			return nil, fmt.Errorf("elasticsearch error: status %s", res.Status())
+		}
+		return esErr, nil
+	}
+
+	var result EsqlResult
+	err = util.DecodeJSON(res.Body, &result)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode response body: %w", err)
+	}
+
+	output := EsqlToMap(result)
+
+	return output, nil
+}
+
+// EsqlToMap converts the esqlResult to a slice of maps.
+func EsqlToMap(result EsqlResult) []map[string]any {
+	output := make([]map[string]any, 0, len(result.Values))
+	for _, value := range result.Values {
+		row := make(map[string]any)
+		if value == nil {
+			output = append(output, row)
+			continue
+		}
+		for i, col := range result.Columns {
+			if i < len(value) {
+				row[col.Name] = value[i]
+			} else {
+				row[col.Name] = nil
+			}
+		}
+		output = append(output, row)
+	}
+	return output
+}

internal/sources/elasticsearch/elasticsearch_test.go

@@ -15,6 +15,7 @@
 package elasticsearch_test
 
 import (
+	"reflect"
 	"testing"
 
 	yaml "github.com/goccy/go-yaml"
@@ -64,3 +65,155 @@ func TestParseFromYamlElasticsearch(t *testing.T) {
 		})
 	}
 }
+
+func TestTool_esqlToMap(t1 *testing.T) {
+	tests := []struct {
+		name   string
+		result elasticsearch.EsqlResult
+		want   []map[string]any
+	}{
+		{
+			name: "simple case with two rows",
+			result: elasticsearch.EsqlResult{
+				Columns: []elasticsearch.EsqlColumn{
+					{Name: "first_name", Type: "text"},
+					{Name: "last_name", Type: "text"},
+				},
+				Values: [][]any{
+					{"John", "Doe"},
+					{"Jane", "Smith"},
+				},
+			},
+			want: []map[string]any{
+				{"first_name": "John", "last_name": "Doe"},
+				{"first_name": "Jane", "last_name": "Smith"},
+			},
+		},
+		{
+			name: "different data types",
+			result: elasticsearch.EsqlResult{
+				Columns: []elasticsearch.EsqlColumn{
+					{Name: "id", Type: "integer"},
+					{Name: "active", Type: "boolean"},
+					{Name: "score", Type: "float"},
+				},
+				Values: [][]any{
+					{1, true, 95.5},
+					{2, false, 88.0},
+				},
+			},
+			want: []map[string]any{
+				{"id": 1, "active": true, "score": 95.5},
+				{"id": 2, "active": false, "score": 88.0},
+			},
+		},
+		{
+			name: "no rows",
+			result: elasticsearch.EsqlResult{
+				Columns: []elasticsearch.EsqlColumn{
+					{Name: "id", Type: "integer"},
+					{Name: "name", Type: "text"},
+				},
+				Values: [][]any{},
+			},
+			want: []map[string]any{},
+		},
+		{
+			name: "null values",
+			result: elasticsearch.EsqlResult{
+				Columns: []elasticsearch.EsqlColumn{
+					{Name: "id", Type: "integer"},
+					{Name: "name", Type: "text"},
+				},
+				Values: [][]any{
+					{1, nil},
+					{2, "Alice"},
+				},
+			},
+			want: []map[string]any{
+				{"id": 1, "name": nil},
+				{"id": 2, "name": "Alice"},
+			},
+		},
+		{
+			name: "missing values in a row",
+			result: elasticsearch.EsqlResult{
+				Columns: []elasticsearch.EsqlColumn{
+					{Name: "id", Type: "integer"},
+					{Name: "name", Type: "text"},
+					{Name: "age", Type: "integer"},
+				},
+				Values: [][]any{
+					{1, "Bob"},
+					{2, "Charlie", 30},
+				},
+			},
+			want: []map[string]any{
+				{"id": 1, "name": "Bob", "age": nil},
+				{"id": 2, "name": "Charlie", "age": 30},
+			},
+		},
+		{
+			name: "all null row",
+			result: elasticsearch.EsqlResult{
+				Columns: []elasticsearch.EsqlColumn{
+					{Name: "id", Type: "integer"},
+					{Name: "name", Type: "text"},
+				},
+				Values: [][]any{
+					nil,
+				},
+			},
+			want: []map[string]any{
+				{},
+			},
+		},
+		{
+			name: "empty columns",
+			result: elasticsearch.EsqlResult{
+				Columns: []elasticsearch.EsqlColumn{},
+				Values: [][]any{
+					{},
+					{},
+				},
+			},
+			want: []map[string]any{
+				{},
+				{},
+			},
+		},
+		{
+			name: "more values than columns",
+			result: elasticsearch.EsqlResult{
+				Columns: []elasticsearch.EsqlColumn{
+					{Name: "id", Type: "integer"},
+				},
+				Values: [][]any{
+					{1, "extra"},
+				},
+			},
+			want: []map[string]any{
+				{"id": 1},
+			},
+		},
+		{
+			name: "no columns but with values",
+			result: elasticsearch.EsqlResult{
+				Columns: []elasticsearch.EsqlColumn{},
+				Values: [][]any{
+					{1, "data"},
+				},
+			},
+			want: []map[string]any{
+				{},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t1.Run(tt.name, func(t1 *testing.T) {
+			if got := elasticsearch.EsqlToMap(tt.result); !reflect.DeepEqual(got, tt.want) {
+				t1.Errorf("esqlToMap() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}