[pull] main from googleapis:main

.ci/integration.cloudbuild.yaml

@@ -276,7 +276,7 @@ steps:
       - "GOPATH=/gopath"
       - "BIGQUERY_PROJECT=$PROJECT_ID"
       - "SERVICE_ACCOUNT_EMAIL=$SERVICE_ACCOUNT_EMAIL"
-    secretEnv: ["CLIENT_ID"]
+    secretEnv: ["CLIENT_ID", "API_KEY"]
     volumes:
       - name: "go"
         path: "/gopath"
@@ -1573,4 +1573,4 @@ substitutions:
   _MARIADB_PORT: "3307"
   _MARIADB_DATABASE: test_database
   _SNOWFLAKE_DATABASE: "test"
-  _SNOWFLAKE_SCHEMA: "PUBLIC"
+  _SNOWFLAKE_SCHEMA: "PUBLIC"

.github/workflows/deploy_dev_docs_to_cf.yaml

@@ -49,7 +49,7 @@ jobs:
       - name: Setup Hugo
         uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3
         with:
-          hugo-version: "0.145.0"
+          hugo-version: "0.160.0"
           extended: true
 
       - name: Setup Node

.github/workflows/deploy_previous_version_docs_to_cf.yaml

@@ -76,7 +76,7 @@ jobs:
       - name: Setup Hugo and Node
         uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3
         with:
-          hugo-version: "0.145.0"
+          hugo-version: "0.160.0"
           extended: true
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:

.github/workflows/deploy_versioned_docs_to_cf.yaml

@@ -43,7 +43,7 @@ jobs:
       - name: Setup Hugo
         uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3
         with:
-          hugo-version: "0.145.0"
+          hugo-version: "0.160.0"
           extended: true
 
       - name: Setup Node

.github/workflows/docs_preview_build_cf.yaml

@@ -47,7 +47,7 @@ jobs:
       - name: Setup Hugo
         uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3
         with:
-          hugo-version: "0.145.0"
+          hugo-version: "0.160.0"
           extended: true
 
       - name: Setup Node

.gitignore

@@ -26,3 +26,4 @@ __pycache__/
 mcp-toolbox
 toolbox
 toolbox.exe
+**/test.db

cmd/internal/config_test.go

@@ -1877,7 +1877,7 @@ func TestPrebuiltTools(t *testing.T) {
 			wantToolset: server.ToolsetConfigs{
 				"looker_dev_tools": tools.ToolsetConfig{
 					Name:      "looker_dev_tools",
-					ToolNames: []string{"health_pulse", "health_analyze", "health_vacuum", "dev_mode", "get_projects", "get_project_files", "get_project_file", "create_project_file", "update_project_file", "delete_project_file", "get_project_directories", "create_project_directory", "delete_project_directory", "validate_project", "get_connections", "get_connection_schemas", "get_connection_databases", "get_connection_tables", "get_connection_table_columns", "get_lookml_tests", "run_lookml_tests", "create_view_from_table", "project_git_branch"},
+					ToolNames: []string{"health_pulse", "health_analyze", "health_vacuum", "dev_mode", "get_projects", "get_project_files", "get_project_file", "create_project_file", "update_project_file", "delete_project_file", "get_project_directories", "create_project_directory", "delete_project_directory", "validate_project", "get_connections", "get_connection_schemas", "get_connection_databases", "get_connection_tables", "get_connection_table_columns", "get_lookml_tests", "run_lookml_tests", "create_view_from_table", "list_git_branches", "get_git_branch", "create_git_branch", "switch_git_branch", "delete_git_branch"},
 				},
 			},
 		},

cmd/internal/imports.go

@@ -98,6 +98,7 @@ import (
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/dataproc/dataproclistjobs"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/dgraph"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/elasticsearch/elasticsearchesql"
+	_ "github.com/googleapis/mcp-toolbox/internal/tools/elasticsearch/elasticsearchexecuteesql"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/firebird/firebirdexecutesql"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/firebird/firebirdsql"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/firestore/firestoreadddocuments"
@@ -114,10 +115,12 @@ import (
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookeradddashboardfilter"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookerconversationalanalytics"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookercreateagent"
+	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookercreategitbranch"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookercreateprojectdirectory"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookercreateprojectfile"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookercreateviewfromtable"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookerdeleteagent"
+	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookerdeletegitbranch"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookerdeleteprojectdirectory"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookerdeleteprojectfile"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookerdevmode"
@@ -132,6 +135,7 @@ import (
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookergetdimensions"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookergetexplores"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookergetfilters"
+	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookergetgitbranch"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookergetlookmltests"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookergetlooks"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookergetmeasures"
@@ -141,11 +145,11 @@ import (
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookergetprojectfile"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookergetprojectfiles"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookergetprojects"
-	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookergitbranch"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookerhealthanalyze"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookerhealthpulse"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookerhealthvacuum"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookerlistagents"
+	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookerlistgitbranches"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookermakedashboard"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookermakelook"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookerquery"
@@ -154,6 +158,7 @@ import (
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookerrundashboard"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookerrunlook"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookerrunlookmltests"
+	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookerswitchgitbranch"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookerupdateagent"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookerupdateprojectfile"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/looker/lookervalidateproject"

docs/en/documentation/configuration/authentication/generic.md

@@ -19,34 +19,106 @@ your client ID or the intended audience for the token), the
 `authorizationServer` of your identity provider, and optionally a list of
 `scopesRequired` that must be present in the token's claims.
 
-## Behavior
+## Usage Modes
 
-### Token Validation
+The Generic Auth Service supports two distinct modes of operation:
 
-When a request is received, the service will:
+### 1. Toolbox Auth
 
-1. Extract the token from the `<name>_token` header (e.g.,
-   `my-generic-auth_token`).
-2. Fetch the JWKS from the configured `authorizationServer` (caching it in the
-   background) to verify the token's signature.
-3. Validate that the token is not expired and its signature is valid.
-4. Verify that the `aud` (audience) claim matches the configured `audience`.
-   claim contains all required scopes.
-5. Return the validated claims to be used for [Authenticated
-   Parameters][auth-params] or [Authorized Invocations][auth-invoke].
+This mode is used for Toolbox's native authentication/authorization features. It
+is active when you reference the auth service in a tool's configuration and
+`mcpEnabled` is set to false.
 
-[auth-invoke]: ../tools/_index.md#authorized-invocations
-[auth-params]: ../tools/_index.md#authenticated-parameters
+- **Header**: Expects the token in a custom header matching `<name>_token`
+  (e.g., `my-generic-auth_token`).
+- **Token Type**: Only supports **JWT** (OIDC) tokens.
+- **Usage**: Used for [Authenticated Parameters][auth-params] and [Authorized
+  Invocations][auth-invoke].
+
+#### Token Validation
+
+When a request is received in this mode, the service will:
 
-## Example
+1. Extract the token from the `<name>_token` header.
+2. Treat it as a JWT (opaque tokens are not supported in this mode).
+3. Validates signature using JWKS fetched from `authorizationServer`.
+4. Verifies expiration (`exp`) and audience (`aud`).
+5. Verifies required scopes in `scope` claim.
+
+#### Example
 
 ```yaml
 kind: authServices
 name: my-generic-auth
 type: generic
 audience: ${YOUR_OIDC_AUDIENCE}
 authorizationServer: https://your-idp.example.com
-mcpEnabled: false
+# mcpEnabled: false
+scopesRequired:
+  - read
+  - write
+```
+
+#### Tool Usage Example
+
+To use this auth service for **Authenticated Parameters** or **Authorized
+Invocations**, reference it in your tool configuration:
+
+```yaml
+kind: tool
+name: secure_query
+type: postgres-sql
+source: my-pg-instance
+statement: |
+  SELECT * FROM data WHERE user_id = $1
+parameters:
+  - name: user_id
+    type: strings
+    description: Auto-populated from token
+    authServices:
+      - name: my-generic-auth
+        field: sub # Extract 'sub' claim from JWT
+authRequired:
+  - my-generic-auth # Require valid token for invocation
+```
+
+### 2. MCP Authorization
+
+This mode enforces global authentication for all MCP endpoints. It is active
+when `mcpEnabled` is set to `true` in the auth service configuration.
+
+- **Header**: Expects the token in the standard `Authorization: Bearer <token>`
+  header.
+- **Token Type**: Supports both **JWT** and **Opaque** tokens.
+- **Usage**: Used to secure the entire MCP server.
+
+#### Token Validation
+
+When a request is received in this mode, the service will:
+
+1. Extract the token from the `Authorization` header after `Bearer ` prefix.
+2. Determine if the token is a JWT or an opaque token based on format (JWTs
+   contain exactly two dots).
+3. For **JWTs**:
+   - Validates signature using JWKS fetched from `authorizationServer`.
+   - Verifies expiration (`exp`) and audience (`aud`).
+   - Verifies required scopes in `scope` claim.
+4. For **Opaque Tokens**:
+   - Calls the introspection endpoint (as listed in the `authorizationServer`'s
+     OIDC configuration).
+   - Verifies that the token is `active`.
+   - Verifies expiration (`exp`) and audience (`aud`).
+   - Verifies required scopes in `scope` field.
+
+#### Example
+
+```yaml
+kind: authServices
+name: my-generic-auth
+type: generic
+audience: ${YOUR_TOKEN_AUDIENCE}
+authorizationServer: https://your-idp.example.com
+mcpEnabled: true
 scopesRequired:
   - read
   - write
@@ -56,6 +128,11 @@ scopesRequired:
 ${ENV_NAME} instead of hardcoding your secrets into the configuration file.
 {{< /notice >}}
 
+[auth-invoke]: ../tools/_index.md#authorized-invocations
+[auth-params]: ../tools/_index.md#authenticated-parameters
+[mcp-auth]:
+  https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization
+
 ## Reference
 
 | **field**           | **type** | **required** | **description**                                                                                                                                               |

docs/en/documentation/configuration/pre-post-processing/go/adk/go.mod

@@ -1,6 +1,6 @@
 module example.com/adk-agent
 
-go 1.24.4
+go 1.25.0
 
 require (
 	github.com/googleapis/mcp-toolbox-sdk-go v0.5.1
@@ -26,14 +26,14 @@ require (
 	github.com/gorilla/websocket v1.5.3 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
-	go.opentelemetry.io/otel v1.39.0 // indirect
-	go.opentelemetry.io/otel/metric v1.39.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.39.0 // indirect
-	go.opentelemetry.io/otel/trace v1.39.0 // indirect
+	go.opentelemetry.io/otel v1.43.0 // indirect
+	go.opentelemetry.io/otel/metric v1.43.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
+	go.opentelemetry.io/otel/trace v1.43.0 // indirect
 	golang.org/x/crypto v0.47.0 // indirect
 	golang.org/x/net v0.49.0 // indirect
 	golang.org/x/oauth2 v0.34.0 // indirect
-	golang.org/x/sys v0.40.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
 	golang.org/x/text v0.33.0 // indirect
 	google.golang.org/api v0.263.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260122232226-8e98ce8d340d // indirect

docs/en/documentation/configuration/pre-post-processing/go/adk/go.sum

@@ -78,16 +78,16 @@ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.6
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0/go.mod h1:fvPi2qXDqFs8M4B4fmJhE92TyQs9Ydjlg3RvfUp+NbQ=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0/go.mod h1:h06DGIukJOevXaj/xrNjhi/2098RZzcLTbc0jDAUbsg=
-go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48=
-go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8=
-go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0=
-go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs=
-go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18=
-go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE=
-go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8=
-go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=
-go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI=
-go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA=
+go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
+go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
+go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
+go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
+go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
+go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
+go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw=
+go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A=
+go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
+go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8=
@@ -98,8 +98,8 @@ golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
 golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
 golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
-golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
 golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=

docs/en/documentation/connect-to/ides/looker_mcp.md

@@ -551,7 +551,11 @@ as well as get the database schema needed to write LookML effectively.
 1. **get_lookml_tests**: Retrieves a list of available LookML tests for a project.
 1. **run_lookml_tests**: Executes specific LookML tests within a project.
 1. **create_view_from_table**: Generates boilerplate LookML views directly from the database schema.
-1. **project_git_branch**: Fetch and manipulate the git branch of a LookML project.
+1. **list_git_branches**: List the available git branches of a LookML project.
+1. **get_git_branch**: Get the current git branch of a LookML project.
+1. **create_git_branch**: Create a new git branch for a LookML project.
+1. **switch_git_branch**: Switch the git branch of a LookML project.
+1. **delete_git_branch**: Delete a git branch of a LookML project.
 
 {{< notice note >}}
 Prebuilt tools are pre-1.0, so expect some tool changes between versions. LLMs