Manage the full lifecycle of ADBPG Supabase projects.
Use for listing/querying projects, create, pause/resume, reset password, API Keys, and security IP management.
Triggers: "Supabase", "supabase project", "spb-xxx", "ADBPG Supabase"
Scope — Alibaba Cloud ADBPG only (not Supabase CLI)
This skill controls projects provisioned on Alibaba Cloud via GPDB / aliyun gpdb APIs.
Do not use the standalone supabase CLI (supabase login, supabase projects list, etc.) for create/list/pause/resume here — that targets Supabase Cloud or self-hosted stacks, not ADBPG-managed Supabase instances.
All lifecycle and query operations in this skill are aliyun gpdb … with --user-agent AlibabaCloud-Agent-Skills/alibabacloud-analyticdb-postgresql-supabase-ops.
ProjectId format (spb-)
ProjectId from create/list/get APIs uses the prefix spb- plus an alphanumeric suffix (e.g. spb-2zen7c8752x12328). Use this exact value in --project-id.
If the user’s string does not match any instance, run list-supabase-projects in the right --biz-region-id and match ProjectName or the returned ProjectId.
Prerequisites
Pre-check: Aliyun CLI >= 3.3.3 required
Run aliyun version to verify >= 3.3.3. If not installed or version too low,
run curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash to install/update,
or see references/cli-installation-guide.md for installation instructions.
Then [MUST] run aliyun configure set --auto-plugin-install true to enable automatic plugin installation.
Then [MUST] run aliyun plugin update to ensure that any existing plugins on your local machine are always up-to-date.
[MUST] CLI User-Agent — Every aliyun CLI command invocation must include:
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-analyticdb-postgresql-supabase-ops
At the start of the Core Workflow (before any CLI invocation):
[MUST] Enable AI-Mode — AI-mode is required for Agent Skill execution.
Run the following commands before any CLI invocation:
[MUST] Disable AI-Mode at EVERY exit point — Before delivering the final response for ANY reason, always disable AI-mode first. This applies to ALL exit paths: workflow success, workflow failure, error/exception, user cancellation, session end, or any other scenario where no further CLI commands will be executed.
AI-mode is only used for Agent Skill invocation scenarios and MUST NOT remain enabled after the skill stops running.
bash
aliyun configure ai-mode disable
Credential Verification
Pre-check: Alibaba Cloud Credentials Required
Security Rules:
NEVER read, echo, or print AK/SK values (e.g., echo $ALIBABA_CLOUD_ACCESS_KEY_ID is FORBIDDEN)
NEVER ask the user to input AK/SK directly in the conversation or command line
NEVER use aliyun configure set with literal credential values
ONLY use aliyun configure list to check credential status
bash
aliyun configure list
Check the output for a valid profile (AK, STS, or OAuth identity).
Configure credentials outside of this session (via aliyun configure in terminal or environment variables in shell profile)
Return and re-run after aliyun configure list shows a valid profile
RAM Permissions
Ensure the current account has the required permissions before executing operations. See references/ram-policies.md for details.
Permission Pre-check: Use ram-permission-diagnose skill to check current user permissions, compare against references/ram-policies.md, and abort with prompt if any permission is missing.
Parameter Confirmation
IMPORTANT: Parameter Confirmation — Before executing any command or API call,
ALL user-customizable parameters (e.g., RegionId, ProjectId, instance names, CIDR blocks,
passwords, VPC/VSwitch IDs, etc.) MUST be confirmed with the user.
For create, the skill supplies recommended defaults (and optional auto-discovery). You must present that full plan and obtain explicit user approval (or replaced values) before running create-supabase-project.
Final execution confirmation (read-only vs mutating)
No separate final “execute” step — only for read-only information retrieval: aliyun gpdb list-supabase-projects, aliyun gpdb get-supabase-project, get-supabase-project-api-keys, get-supabase-project-dashboard-account, and discovery-only calls such as aliyun vpc describe-vpcs, aliyun vpc describe-vswitches, aliyun gpdb describe-regions (same class as list / describe: no resource state change).
Final user confirmation [MUST] — before the CLI runs, for every mutating operation: create, pause, resume, reset password, modify security IPs. Show what will execute and key parameters (e.g. project-id, new password hint without logging secret, new whitelist). Obtain explicit approval.
After create, provisioning poll via get-supabase-project does not need a new confirmation — the user already approved create; polling is verification only.
User input or recommend max AvailableIpAddressCount in zone
AccountPassword
Required (create) / reset
Database password
User input or generate per API rules; user may replace
SecurityIPList
Required (create) / modify
IP whitelist
127.0.0.1; user may supply IPs/CIDRs
ProjectSpec
Required (create)
Instance spec
2C2G (skill default recommendation; user may choose e.g. 1C1G)
StorageSize
Optional (create)
Storage (GB)
20 (skill default recommendation)
DiskPerformanceLevel
Optional (create)
PL0 / PL1
PL0
PayType / UsedTime / Period
Optional (create)
Billing
POSTPAY (后付费) by default; set --period / --used-time only for prepaid/subscription
ClientToken
Optional (create)
Idempotency
Omit unless user retries same create
Timeout Configuration
Timeout Settings
Default CLI read timeout is often ~60 seconds per HTTP read — usually enough for create-supabase-project, because creation is asynchronous: the API accepts the request and returns ProjectId quickly; it does not block until the instance is ready.
3–5 minutes is the typical time for background provisioning to finish — not the duration of the create HTTP response. Use Success Verification (poll get-supabase-project until Status is running) to wait for that phase.
Create success criterion: after create-supabase-project returns ProjectId, the instance is not ready until get-supabase-project reports Status = running (API uses lowercase) — that state means provisioning succeeded and the project is usable.
If any command hits read timeouts in practice, raise --read-timeout for that call (e.g. --read-timeout 120).
Core Workflow
All commands use aliyun gpdb <command> format, must include --user-agent AlibabaCloud-Agent-Skills/alibabacloud-analyticdb-postgresql-supabase-ops.
Per Final execution confirmation: read-only list / get / describe may run without a final execute prompt; create, pause, resume, reset password, modify IPs require explicit final user confirmation before invocation.
Risk: Low | Read-only — no final execution confirmation
Policy: Fulfilling a request to read keys via this official Alibaba Cloud API (with RAM/account access) is not the same as scraping secrets from an unrelated codebase. Decline only when the task is clearly exfiltration from repos or third-party systems; otherwise run get-supabase-project-api-keys, return keys minimally (no logging full secrets), and remind the user to rotate if exposed.
Then proceed to Success Verification (polling) as described below.
Async create — HTTP retries (before you have ProjectId)
Goal: absorb transient CLI/network/API errors without double-creating a different resource.
Reuse the same --client-token on every create attempt in this session for this intended project.
Retry create (max 3 attempts total, including the first) only if the response has noProjectIdand the error looks transient: e.g. throttling, connection reset, read timeout, ServiceUnavailable. Backoff: 5s → 15s → 45s between attempts.
Do not blindly retry create for business errors (e.g. VSwitchIp.NotEnough, invalid parameter) — stop, explain, fix with the user.
If any attempt returns ProjectId → stop calling create; switch to provisioning poll (Success Verification).
If create times out but might have succeeded server-side → poll get-supabase-project by name/region (e.g. list-supabase-projects filtered by ProjectName) before issuing another create with the same token/name.
Capture ProjectId from the create response (format spb- + suffix). The create call returns after the request is accepted, not when provisioning finishes. If create fails or times out, list or get to see if the project already exists before another create (same --client-token if retrying create per Create Project).
Provisioning poll until running or terminal failure — async work often finishes in 3–5 minutes but can run longer under load. Use a two-tier wait:
Tier A — primary: every 30 seconds, call get-supabase-project, up to 20 attempts (~10 minutes).
Tier B — extension (optional): if Status is still a non-terminal provisioning state (e.g. creating / pending — exact strings depend on API), inform the user and add up to 10 more attempts (~5 minutes) before giving up.
Per-poll retry (transient): For each scheduled poll, if get fails with network/read timeout or throttling, retry the sameget up to 3 times with 5 seconds between tries, then continue the outer loop (still count as one poll cycle).
Interpret Status:
running → create / provisioning succeeded; instance is ready — report success to the user.
Terminal failure (if API returns explicit failure/cancelled states) → stop polling; report error code/message; do not assume success.
PROJECT_ID="spb-xxxxx"
STATUS=""
MAX_PRIMARY=20
SLEEP=30
for attempt in $(seq 1 "$MAX_PRIMARY"); do
RAW=""
for inner in 1 2 3; do
RAW=$(aliyun gpdb get-supabase-project \
--project-id "$PROJECT_ID" \
--read-timeout 90 \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-analyticdb-postgresql-supabase-ops \
2>/dev/null) && break
sleep 5
done
STATUS=$(echo "$RAW" | jq -r '.Status // empty')
[ "$STATUS" = "running" ] && break
sleep "$SLEEP"
done
# Optional: extend with user consent +10 polls if still provisioning
[ "$STATUS" = "running" ] || exit 1
If jq is unavailable, inspect the get output for Status each time; same retry and tier rules apply.
After other operations
Operation
Verify with
Success hint
List
list-supabase-projects
Projects present in JSON, RequestId present
Get / API keys / dashboard
matching get-* command
Expected fields in JSON, no error code
Pause / resume
get-supabase-project
Status matches paused / running per API
Reset password / modify IPs
get-supabase-project
Whitelist or success response as applicable; password change is also validated by reconnecting (see reference doc)
Best Practices
Read-only list/get/describe (see Final execution confirmation) may run without a final execute prompt; never run create/pause/resume/reset-password/modify-IPs without explicit final user confirmation
If users lack VPC/VSwitch IDs, discover with vpc describe-vswitches (and optionally vpc describe-vpcs) before create
Must issue warning before pausing projects (service will become unavailable)
Do not recommend setting whitelist to 0.0.0.0/0 due to security risks
ProjectId is always spb-… — if the user’s id is wrong or unknown, use list-supabase-projects to resolve by name or id
Never substitute supabase CLI for aliyun gpdb on this product
Pausing projects saves costs while data is preserved
All commands must include --user-agent AlibabaCloud-Agent-Skills/alibabacloud-analyticdb-postgresql-supabase-ops
After create, always run provisioning poll (or confirm terminal failure) — do not treat “create returned ProjectId” as “instance ready”