diff --git a/CACHE_TIMEOUT_REFACTOR.md b/CACHE_TIMEOUT_REFACTOR.md
new file mode 100644
index 00000000000..9035188c942
--- /dev/null
+++ b/CACHE_TIMEOUT_REFACTOR.md
@@ -0,0 +1,407 @@
+# Cache Timeout Refactor Complete ✅
+
+## Summary
+
+Successfully moved cache timeout fallback logic from QueryContext into each Explorable implementation, allowing semantic layers to define their own fallback strategies!
+
+---
+
+## Problem Before
+
+QueryContext was reaching into datasource internals to handle cache timeout fallback:
+
+```python
+# ❌ Before - QueryContext knows too much
+def get_cache_timeout(self) -> int | None:
+    if self.custom_cache_timeout is not None:
+        return self.custom_cache_timeout
+    if self.slice_ and self.slice_.cache_timeout is not None:
+        return self.slice_.cache_timeout
+    if self.datasource.cache_timeout is not None:
+        return self.datasource.cache_timeout
+    if hasattr(self.datasource, "database") and self.datasource.database:
+        return self.datasource.database.cache_timeout  # ← Leaky abstraction!
+    return None
+```
+
+**Issues**:
+- QueryContext knows about SQL database internals
+- Semantic layers can't define their own fallback logic
+- Tight coupling to database structure
+
+---
+
+## Solution
+
+### 1. **Simplified QueryContext**
+
+QueryContext now just asks the explorable for its timeout:
+
+```python
+# ✅ After - Clean separation
+def get_cache_timeout(self) -> int | None:
+    """
+    Priority order:
+    1. Custom timeout (query-specific override)
+    2. Chart timeout (saved chart config)
+    3. Datasource timeout (explorable handles its own fallback)
+    4. System default (None)
+    """
+    if self.custom_cache_timeout is not None:
+        return self.custom_cache_timeout
+    if self.slice_ and self.slice_.cache_timeout is not None:
+        return self.slice_.cache_timeout
+    return self.datasource.cache_timeout  # ← Explorable decides!
+```
+
+### 2. **BaseDatasource Handles SQL Fallback**
+
+SQL datasources handle database fallback internally:
+
+```python
+# In BaseDatasource
+_cache_timeout = Column("cache_timeout", Integer)  # ← Renamed column
+
+@property
+def cache_timeout(self) -> int | None:
+    """
+    Implements the Explorable protocol with SQL-specific fallback:
+    1. Datasource-specific timeout (if set)
+    2. Database default timeout (SQL fallback)
+    3. None (system default)
+    """
+    if self._cache_timeout is not None:
+        return self._cache_timeout
+    return self.database.cache_timeout  # ← SQL-specific fallback
+
+@cache_timeout.setter
+def cache_timeout(self, value: int | None) -> None:
+    self._cache_timeout = value
+```
+
+### 3. **Semantic Layers Define Their Own Fallback**
+
+Your semantic layer can implement whatever fallback logic makes sense:
+
+```python
+class SemanticLayerExplorable:
+    """Example semantic layer with custom fallback."""
+
+    def __init__(self, view_config):
+        self._view_cache_timeout = view_config.get("cache_timeout")
+        self._layer_default_timeout = 3600  # 1 hour default
+
+    @property
+    def cache_timeout(self) -> int | None:
+        """
+        Custom fallback chain for semantic layers:
+        1. View-specific timeout
+        2. Semantic layer default
+        3. None (system default)
+        """
+        if self._view_cache_timeout is not None:
+            return self._view_cache_timeout
+        return self._layer_default_timeout
+```
+
+---
+
+## Removed `database` from Explorable Protocol
+
+Since cache timeout is now handled internally, we removed the `database` property from the Explorable protocol:
+
+**Before**:
+```python
+@runtime_checkable
+class Explorable(Protocol):
+    @property
+    def database(self) -> Any | None:
+        """Database object (SQL only)."""
+```
+
+**After**:
+```python
+@runtime_checkable
+class Explorable(Protocol):
+    # database property removed!
+    # Each explorable handles its own fallback logic
+```
+
+**Note**: The `database` attribute still exists on `BaseDatasource` (it's a concrete class attribute), but it's no longer part of the Explorable protocol contract. This means:
+- ✅ SQL datasources continue to work (they have the attribute)
+- ✅ Semantic layers don't need to provide it
+- ✅ Security code uses `getattr(datasource, "database", None)` for SQL-specific checks
+
+---
+
+## Changes Made
+
+### File: `superset/common/query_context.py`
+
+**Simplified cache timeout logic**:
+- Removed database fallback (lines 108-109 deleted)
+- Added clear documentation about responsibility chain
+- Explorable now owns its timeout strategy
+
+### File: `superset/connectors/sqla/models.py`
+
+**Added cache_timeout property to BaseDatasource**:
+```python
+# Column renamed to avoid naming conflict
+_cache_timeout = Column("cache_timeout", Integer)
+
+@property
+def cache_timeout(self) -> int | None:
+    """Fallback to database timeout for SQL datasources."""
+    if self._cache_timeout is not None:
+        return self._cache_timeout
+    return self.database.cache_timeout
+
+@cache_timeout.setter
+def cache_timeout(self, value: int | None) -> None:
+    self._cache_timeout = value
+```
+
+### File: `superset/explorables/base.py`
+
+**Removed database property**:
+- Deleted `database: Any | None` from protocol
+- Cache timeout now fully owned by each explorable
+
+### File: `superset/models/helpers.py`
+
+**Updated ExploreMixin**:
+```python
+# Changed return type to match Explorable protocol
+@property
+def cache_timeout(self) -> int | None:  # ← Was: int
+    raise NotImplementedError()
+```
+
+### File: `superset/security/manager.py`
+
+**Updated database access**:
+```python
+# Added defensive getattr for optional database attribute
+database = getattr(datasource, "database", None)
+if database:
+    self.can_access_database(database)
+```
+
+---
+
+## Benefits
+
+### ✅ Clean Separation of Concerns
+- QueryContext: "Give me your timeout"
+- Explorable: "Here's my timeout (I handled the fallback)"
+
+### ✅ Semantic Layer Flexibility
+```python
+class SemanticLayerExplorable:
+    @property
+    def cache_timeout(self) -> int | None:
+        # Option 1: Fixed timeout
+        return 3600
+
+        # Option 2: Configuration-based
+        return self.config.get("cache_seconds", 1800)
+
+        # Option 3: Dynamic based on data freshness
+        if self.is_real_time:
+            return 60  # 1 minute for real-time data
+        return 3600  # 1 hour for batch data
+
+        # Option 4: Fallback to layer default
+        return self.layer.default_cache_timeout
+```
+
+### ✅ No SQL Coupling
+- Protocol doesn't mention databases
+- Semantic layers work independently
+- Type safety maintained
+
+### ✅ Backward Compatible
+- All existing SQL datasources work unchanged
+- Database fallback still happens (just internally)
+- No breaking changes to APIs
+
+---
+
+## Testing
+
+### ✅ Type Checking Passed
+```bash
+$ pre-commit run mypy --files superset/explorables/base.py \
+    superset/common/query_context.py superset/connectors/sqla/models.py \
+    superset/security/manager.py superset/models/helpers.py
+
+mypy...............................................................Passed
+```
+
+### 🧪 Recommended Manual Tests
+
+1. **SQL Table with No Timeout Set**
+   ```
+   - Create SQL table datasource (cache_timeout = NULL)
+   - Create chart from it
+   - Verify uses database.cache_timeout
+   ```
+
+2. **SQL Table with Explicit Timeout**
+   ```
+   - Create SQL table datasource (cache_timeout = 7200)
+   - Create chart from it
+   - Verify uses 7200 (not database timeout)
+   ```
+
+3. **Semantic Layer with Custom Timeout**
+   ```python
+   @property
+   def cache_timeout(self) -> int | None:
+       return 1800  # 30 minutes
+   ```
+   - Create chart from semantic layer
+   - Verify uses 1800 seconds
+
+4. **Chart-Level Override**
+   ```
+   - Set chart.cache_timeout = 900 (15 minutes)
+   - Datasource timeout = 3600 (1 hour)
+   - Verify chart uses 900 (chart level wins)
+   ```
+
+---
+
+## Migration Guide
+
+### For SQL Datasource Developers
+No changes needed! Your datasources continue to work exactly as before.
+
+### For Semantic Layer Developers
+
+**Before** (returned None, relied on QueryContext):
+```python
+class MySemanticLayer:
+    @property
+    def cache_timeout(self) -> int | None:
+        return None  # Uses system default
+```
+
+**After** (define your own fallback):
+```python
+class MySemanticLayer:
+    @property
+    def cache_timeout(self) -> int | None:
+        # Option 1: Fixed timeout
+        return 3600
+
+        # Option 2: Layer default
+        return self.semantic_layer.default_cache_timeout
+
+        # Option 3: View-specific with fallback
+        return (
+            self.view_config.get("cache_timeout")
+            or self.semantic_layer.default_cache_timeout
+            or 3600  # Ultimate fallback
+        )
+```
+
+---
+
+## Summary Table
+
+| Aspect | Before | After |
+|--------|--------|-------|
+| **QueryContext Logic** | Knows about database.cache_timeout | Just calls datasource.cache_timeout |
+| **BaseDatasource** | Column only | Property with database fallback |
+| **Semantic Layers** | Can't control fallback | Full control over timeout strategy |
+| **Protocol** | Has `database: Any \| None` | No database property |
+| **Type Safety** | ✅ | ✅ |
+| **Backward Compatible** | N/A | ✅ Yes |
+
+---
+
+## Complete Explorable Implementation Example
+
+```python
+class SemanticLayerExplorable:
+    """Complete example with all required methods."""
+
+    def __init__(self, view_id: str, semantic_layer_client):
+        self.view_id = view_id
+        self.client = semantic_layer_client
+        self.view_config = self.client.get_view_config(view_id)
+
+    # =========================================================================
+    # Core Query Interface
+    # =========================================================================
+
+    def get_query_result(self, query_object: QueryObject) -> QueryResult:
+        # Your implementation
+        ...
+
+    def get_query_str(self, query_obj: dict) -> str:
+        # Your implementation
+        ...
+
+    # =========================================================================
+    # Caching - NOW WITH CUSTOM FALLBACK!
+    # =========================================================================
+
+    @property
+    def cache_timeout(self) -> int | None:
+        """
+        View-specific timeout with semantic layer fallback.
+
+        Priority:
+        1. View-level override in config
+        2. Semantic layer default
+        3. 1 hour default
+        """
+        return (
+            self.view_config.get("cache_timeout_seconds")
+            or self.client.default_cache_timeout
+            or 3600
+        )
+
+    # =========================================================================
+    # Time Grains
+    # =========================================================================
+
+    def get_time_grains(self) -> list[dict[str, Any]]:
+        """Return semantic layer's time dimensions."""
+        return [
+            {"name": "Hour", "function": "hour", "duration": "PT1H"},
+            {"name": "Day", "function": "day", "duration": "P1D"},
+            {"name": "Week", "function": "week", "duration": "P1W"},
+            {"name": "Month", "function": "month", "duration": "P1M"},
+        ]
+
+    # =========================================================================
+    # Other Required Properties
+    # =========================================================================
+
+    @property
+    def is_rls_supported(self) -> bool:
+        return False
+
+    @property
+    def query_language(self) -> str | None:
+        return "graphql"
+
+    # ... other Explorable protocol methods ...
+```
+
+---
+
+## Key Takeaway
+
+**Cache timeout is now a responsibility of the Explorable, not QueryContext.**
+
+Each explorable implementation decides:
+- What its base timeout is
+- What it falls back to
+- How it handles configuration
+
+This makes the system more flexible and removes SQL-specific logic from the core abstraction! 🎉
diff --git a/DATABASE_ATTRIBUTE_USAGE.md b/DATABASE_ATTRIBUTE_USAGE.md
new file mode 100644
index 00000000000..2a8c34a9095
--- /dev/null
+++ b/DATABASE_ATTRIBUTE_USAGE.md
@@ -0,0 +1,223 @@
+# What is the `database` Attribute Used For?
+
+The `database` attribute on the `Explorable` protocol is used in **3 main areas**. Here's a comprehensive breakdown:
+
+---
+
+## 1. 🕐 Time Granularity Options (`_get_timegrains`)
+
+**File**: `superset/common/query_actions.py:63-78`
+
+**Purpose**: Get available time grain options for time-series charts
+
+```python
+def _get_timegrains(query_context, query_obj, _):
+    datasource = _get_datasource(query_context, query_obj)
+    database = getattr(datasource, "database", None)
+    grains = database.grains() if database else []
+    return {
+        "data": [
+            {
+                "name": grain.name,        # e.g., "5 minutes", "Hour", "Day"
+                "function": grain.function, # e.g., "DATE_TRUNC('hour', {col})"
+                "duration": grain.duration, # e.g., "PT5M" (ISO 8601 duration)
+            }
+            for grain in grains
+        ]
+    }
+```
+
+**What `database.grains()` does**:
+- Returns database-specific SQL functions for time bucketing
+- Each database has different datetime functions:
+  - PostgreSQL: `DATE_TRUNC('hour', timestamp)`
+  - MySQL: `DATE_FORMAT(timestamp, '%Y-%m-%d %H:00:00')`
+  - BigQuery: `TIMESTAMP_TRUNC(timestamp, HOUR)`
+
+**For semantic layers**:
+- If your semantic layer doesn't expose time grains, return `None` for database
+- The UI will get an empty list `[]` and won't show time grain options
+- If you DO want time grain controls, you'll need to provide this data another way
+
+**Chart types that use this**:
+- Time-series Line Chart
+- Time-series Bar Chart
+- Time-series Area Chart
+- Any chart with temporal grouping
+
+---
+
+## 2. 💾 Cache Timeout Fallback (`get_cache_timeout`)
+
+**File**: `superset/common/query_context.py:101-110`
+
+**Purpose**: Determine how long to cache query results (fallback hierarchy)
+
+```python
+def get_cache_timeout(self) -> int | None:
+    # Priority 1: Custom timeout for this specific query
+    if self.custom_cache_timeout is not None:
+        return self.custom_cache_timeout
+
+    # Priority 2: Chart-level timeout
+    if self.slice_ and self.slice_.cache_timeout is not None:
+        return self.slice_.cache_timeout
+
+    # Priority 3: Datasource-level timeout
+    if self.datasource.cache_timeout is not None:
+        return self.datasource.cache_timeout
+
+    # Priority 4: Database-level default timeout
+    if hasattr(self.datasource, "database") and self.datasource.database:
+        return self.datasource.database.cache_timeout
+
+    # Priority 5: System default
+    return None
+```
+
+**Cache timeout cascade**:
+1. Query-specific override
+2. Chart configuration
+3. Datasource configuration
+4. **Database default** ← This is where `database` is used
+5. System global default
+
+**For semantic layers**:
+- Return `None` for database
+- Cache timeout will fall back to datasource-level or system default
+- You can still set `cache_timeout` on your explorable directly
+
+---
+
+## 3. 🔐 Security & Access Control
+
+**File**: `superset/security/manager.py` (multiple locations)
+
+**Purpose**: Check if user has permission to access the underlying database
+
+### 3a. Schema Access Check
+
+```python
+def can_access_schema(self, datasource: Explorable | BaseDatasource) -> bool:
+    return (
+        self.can_access_all_datasources()
+        or (
+            datasource.database
+            and self.can_access_database(datasource.database)  # ← Database access check
+        )
+        or (
+            hasattr(datasource, "catalog")
+            and datasource.catalog
+            and datasource.database
+            and self.can_access_catalog(datasource.database, datasource.catalog)
+        )
+        or self.can_access("schema_access", datasource.schema_perm or "")
+    )
+```
+
+**What this checks**:
+- Does the user have permission to the database itself?
+- Applies to SQL databases where schema is tied to database access
+- If database is `None`, skips this check (relies on datasource-level perms)
+
+### 3b. SQL Lab Query Security
+
+```python
+def raise_for_access(self, query=None, ...):
+    if query and hasattr(query, "database"):
+        database = query.database  # ← Get database to validate access
+
+    if self.can_access_database(database):
+        return  # User has database access, allow query
+```
+
+**What this does**:
+- For SQL Lab queries, validates user can access the database
+- Prevents users from querying databases they don't have permission to
+
+**For semantic layers**:
+- Return `None` for database
+- Security relies on your explorable's `perm` and `schema_perm` attributes
+- You'll handle authorization at the semantic layer level, not database level
+
+---
+
+## Summary: Do You Need It?
+
+### ✅ You NEED `database` if:
+- Your semantic layer wants to expose **time grain controls** in the UI
+- You want to inherit **cache timeouts** from a database configuration
+- Your semantic layer is a **thin wrapper over SQL databases** (similar to dbt)
+
+### ❌ You DON'T need `database` if:
+- Your semantic layer has its own time granularity logic
+- You set `cache_timeout` directly on your explorable
+- Your semantic layer handles its own authorization (not tied to SQL database perms)
+
+---
+
+## Recommendation for Your Semantic Layer
+
+Based on typical semantic layer architectures, you should probably:
+
+```python
+@property
+def database(self) -> None:
+    """
+    Return None - semantic layers handle time grains, caching,
+    and security independently of SQL database objects.
+    """
+    return None
+```
+
+**Why None is fine**:
+
+1. **Time Grains**: Your semantic layer likely has its own time dimension logic
+   - You can expose time grains through your chart form data instead
+   - Or implement a custom `get_time_grains()` method on your explorable
+
+2. **Cache Timeout**: Set it directly on your explorable
+   ```python
+   @property
+   def cache_timeout(self) -> int:
+       return 3600  # 1 hour, or read from semantic layer config
+   ```
+
+3. **Security**: Your semantic layer has its own permission model
+   - Use `perm` property: `f"semantic_layer:{view_name}"`
+   - Use `schema_perm` if you have a schema concept
+   - Database-level security doesn't apply
+
+---
+
+## Alternative: Provide a Minimal Database Proxy
+
+If you DO want to support time grains but don't have a real SQL database:
+
+```python
+class SemanticLayerDatabaseProxy:
+    """Minimal database-like object just for time grains."""
+
+    def grains(self) -> tuple[TimeGrain, ...]:
+        """Return semantic layer's time granularity options."""
+        from superset.db_engine_specs.base import TimeGrain
+
+        return (
+            TimeGrain("Second", "toStartOfSecond({col})", "PT1S"),
+            TimeGrain("Minute", "toStartOfMinute({col})", "PT1M"),
+            TimeGrain("Hour", "toStartOfHour({col})", "PT1H"),
+            TimeGrain("Day", "toStartOfDay({col})", "P1D"),
+            # ... your semantic layer's supported grains
+        )
+
+    @property
+    def cache_timeout(self) -> int:
+        return 3600  # Fallback timeout
+
+class YourSemanticLayerExplorable:
+    @property
+    def database(self) -> SemanticLayerDatabaseProxy:
+        return SemanticLayerDatabaseProxy()
+```
+
+But this is **probably overkill** for most semantic layers. Returning `None` is cleaner.
diff --git a/DATABASE_SECURITY_ANALYSIS.md b/DATABASE_SECURITY_ANALYSIS.md
new file mode 100644
index 00000000000..88368214e47
--- /dev/null
+++ b/DATABASE_SECURITY_ANALYSIS.md
@@ -0,0 +1,429 @@
+# Database-Level Security Analysis
+
+## TL;DR
+
+The `database` attribute is used for **two SQL-specific security patterns**:
+
+1. **Schema Access Check** (`can_access_schema`) - "If user can access the database, grant schema access"
+2. **Implicit Datasource Access** (`get_user_datasources`) - "If user can access database, grant all tables in it"
+
+Both are **SQL-only concepts** that don't apply to semantic layers.
+
+---
+
+## Usage #1: Schema Access Check
+
+### Location
+`superset/security/manager.py:544-567` - `can_access_schema()`
+
+### What It Does
+```python
+def can_access_schema(self, datasource: BaseDatasource | Explorable) -> bool:
+    """Can user access the schema for this datasource?"""
+
+    database = getattr(datasource, "database", None)
+    return (
+        self.can_access_all_datasources()  # Admin/superuser
+        or (
+            database
+            and self.can_access_database(database)  # ← DATABASE-LEVEL ACCESS
+        )
+        or (
+            hasattr(datasource, "catalog")
+            and datasource.catalog
+            and database
+            and self.can_access_catalog(database, datasource.catalog)  # ← CATALOG ACCESS
+        )
+        or self.can_access("schema_access", datasource.schema_perm or "")  # ← SCHEMA PERM
+    )
+```
+
+### The Logic (SQL Permission Hierarchy)
+
+Superset has a **permission hierarchy** for SQL datasources:
+
+```
+┌─────────────────────────────────────────┐
+│ 1. All Datasource Access (Admin)       │ ← Superuser override
+└─────────────────────────────────────────┘
+              ↓ OR
+┌─────────────────────────────────────────┐
+│ 2. Database Access                      │ ← database = getattr(...)
+│    Permission: [database].[database]    │    can_access_database(database)
+│    Grants: All schemas in this database │
+└─────────────────────────────────────────┘
+              ↓ OR
+┌─────────────────────────────────────────┐
+│ 3. Catalog Access                       │ ← catalog-level permission
+│    Permission: [database].[catalog]     │
+│    Grants: All schemas in this catalog  │
+└─────────────────────────────────────────┘
+              ↓ OR
+┌─────────────────────────────────────────┐
+│ 4. Schema Access                        │ ← schema_perm
+│    Permission: [database].[schema]      │    (from datasource.schema_perm)
+│    Grants: This specific schema         │
+└─────────────────────────────────────────┘
+```
+
+### Why Database Access Matters
+
+**Example Scenario**:
+```sql
+-- Database: analytics_prod
+-- Schema: sales
+-- Table: orders
+
+User has permission: [analytics_prod].[analytics_prod]
+```
+
+**Without database check**:
+- User must get explicit permission to `[analytics_prod].[sales]` schema
+- Need separate permission for `[analytics_prod].[marketing]` schema
+- Tedious for large databases with many schemas
+
+**With database check**:
+- User has `database_access` to `analytics_prod`
+- Automatically grants access to ALL schemas: sales, marketing, finance, etc.
+- One permission → Many schemas (convenience)
+
+### Where It's Called
+
+`raise_for_access()` line 2443:
+```python
+def raise_for_access(self, datasource=None, query_context=None, ...):
+    if query_context:
+        datasource = query_context.datasource  # ← Could be Explorable!
+
+    if not (
+        self.can_access_schema(datasource)  # ← Checks database access
+        or self.can_access("datasource_access", datasource.perm)
+        or self.is_owner(datasource)
+        or ...  # other checks
+    ):
+        raise SupersetSecurityException(...)
+```
+
+---
+
+## Usage #2: Implicit Datasource Access
+
+### Location
+`superset/security/manager.py:804-833` - `get_user_datasources()`
+
+### What It Does
+```python
+def get_user_datasources(self) -> list[BaseDatasource]:
+    """Get all datasources the user can access."""
+
+    user_datasources = set()
+
+    # Step 1: Add datasources with explicit permission
+    user_datasources.update(
+        self.session.query(SqlaTable)
+        .filter(get_dataset_access_filters(SqlaTable))  # ← Explicit perms
+        .all()
+    )
+
+    # Step 2: Group all datasources by database
+    all_datasources = SqlaTable.get_all_datasources()
+    datasources_by_database: dict[Database, set[SqlaTable]] = defaultdict(set)
+    for datasource in all_datasources:
+        datasources_by_database[datasource.database].add(datasource)  # ← NEEDS database!
+
+    # Step 3: Add datasources from databases user can access
+    for database, datasources in datasources_by_database.items():
+        if self.can_access_database(database):  # ← DATABASE-LEVEL ACCESS
+            user_datasources.update(datasources)  # ← Grant ALL tables in database
+
+    return list(user_datasources)
+```
+
+### The Logic (Implicit Permissions)
+
+**Explicit Permission**:
+```
+User → Permission: [analytics_prod].[sales].[orders]
+     → Can access: orders table only
+```
+
+**Implicit Permission (via database access)**:
+```
+User → Permission: [analytics_prod].[analytics_prod]
+     → Can access: ALL tables in analytics_prod
+       - sales.orders
+       - sales.customers
+       - marketing.campaigns
+       - finance.transactions
+       - ... (all tables in all schemas)
+```
+
+### Why This Matters
+
+**Example Scenario**:
+```
+Database: analytics_prod (500 tables across 20 schemas)
+
+Option A: Explicit permissions (without database check)
+  - Admin must grant 500 individual table permissions
+  - New table added → Must manually grant permission
+  - Tedious and error-prone
+
+Option B: Database-level permission (with database check)
+  - Admin grants ONE database permission
+  - User gets all 500 tables automatically
+  - New table added → Automatically accessible
+  - Much easier to manage
+```
+
+### Where It's Used
+
+This method is called when populating datasource dropdowns, chart creation, etc. It determines which datasources appear in the UI for the user.
+
+---
+
+## Does This Apply to Semantic Layers?
+
+### Short Answer: **NO**
+
+Semantic layers don't have the SQL database → schema → table hierarchy:
+
+```
+SQL World:
+  Database (analytics_prod)
+    ├─ Schema (sales)
+    │   ├─ Table (orders)
+    │   └─ Table (customers)
+    └─ Schema (marketing)
+        └─ Table (campaigns)
+
+Semantic Layer World:
+  Semantic Layer (cube_cloud)
+    ├─ View (sales_metrics)      ← No database/schema concept
+    ├─ View (customer_360)
+    └─ View (marketing_funnel)
+```
+
+**Semantic layer permissions**:
+- Based on view/model names
+- Or based on semantic layer roles
+- Or based on data attributes (e.g., region, department)
+- **NOT** based on database connections
+
+---
+
+## Current Implementation with `getattr`
+
+```python
+database = getattr(datasource, "database", None)
+return (
+    self.can_access_all_datasources()
+    or (
+        database  # ← None for semantic layers
+        and self.can_access_database(database)
+    )
+    or self.can_access("schema_access", datasource.schema_perm or "")
+)
+```
+
+### What Happens for Semantic Layers
+
+```
+1. database = getattr(datasource, "database", None)
+   → database = None  (semantic layer doesn't have database)
+
+2. Check: database and self.can_access_database(database)
+   → None and ...
+   → False  (short-circuits, database check skipped)
+
+3. Falls through to: self.can_access("schema_access", datasource.schema_perm)
+   → Uses datasource.schema_perm instead
+```
+
+**Result**: Semantic layers skip database checks and use their own `schema_perm` property.
+
+---
+
+## Alternative Approaches
+
+### Option 1: Keep `getattr` (Current)
+
+**Pros**:
+- ✅ Works today
+- ✅ No breaking changes
+- ✅ Simple
+
+**Cons**:
+- ❌ Not type-safe (relies on runtime attribute check)
+- ❌ Not explicit in protocol
+
+### Option 2: Add `database` Back to Explorable (As Optional)
+
+```python
+@runtime_checkable
+class Explorable(Protocol):
+    @property
+    def database(self) -> Any | None:
+        """Database object (None for non-SQL explorables)."""
+```
+
+**Pros**:
+- ✅ Type-safe
+- ✅ Explicit in protocol
+
+**Cons**:
+- ❌ Semantic layers must implement it (return None)
+- ❌ Leaky SQL abstraction back in protocol
+
+### Option 3: Type Narrowing with `isinstance`
+
+```python
+def can_access_schema(self, datasource: BaseDatasource | Explorable) -> bool:
+    # Type narrow for SQL datasources
+    if isinstance(datasource, BaseDatasource):
+        if self.can_access_database(datasource.database):
+            return True
+
+    # All explorables check schema_perm
+    return (
+        self.can_access_all_datasources()
+        or self.can_access("schema_access", datasource.schema_perm or "")
+    )
+```
+
+**Pros**:
+- ✅ Type-safe (mypy understands isinstance)
+- ✅ Explicit about SQL vs non-SQL
+- ✅ No leaky abstraction in protocol
+
+**Cons**:
+- ❌ Couples security code to BaseDatasource class
+- ❌ Every new SQL datasource type needs updating
+
+### Option 4: New Protocol Method `can_grant_database_access()`
+
+```python
+@runtime_checkable
+class Explorable(Protocol):
+    def can_grant_database_access(self, security_manager) -> bool:
+        """
+        Whether database-level access should grant access to this explorable.
+
+        SQL datasources return: security_manager.can_access_database(self.database)
+        Semantic layers return: False
+        """
+```
+
+Then in security manager:
+```python
+def can_access_schema(self, datasource: Explorable) -> bool:
+    return (
+        self.can_access_all_datasources()
+        or datasource.can_grant_database_access(self)  # ← Explorable decides
+        or self.can_access("schema_access", datasource.schema_perm or "")
+    )
+```
+
+**Pros**:
+- ✅ Clean protocol
+- ✅ Each explorable decides its own logic
+- ✅ Type-safe
+- ✅ Extensible (new datasource types control their behavior)
+
+**Cons**:
+- ❌ Couples Explorable to security manager (dependency inversion)
+- ❌ More complex
+
+### Option 5: Make Security Check Explorable-Specific
+
+```python
+@runtime_checkable
+class Explorable(Protocol):
+    def has_schema_access(self, user) -> bool:
+        """
+        Whether the given user has schema-level access to this explorable.
+
+        Implementations decide their own logic:
+        - SQL: Check database/catalog/schema perms
+        - Semantic: Check semantic layer roles
+        """
+```
+
+**Pros**:
+- ✅ Full control per explorable type
+- ✅ Clean separation
+- ✅ Each layer handles its own security model
+
+**Cons**:
+- ❌ Moves security logic into datasource (separation of concerns)
+- ❌ Security manager loses centralized control
+
+---
+
+## My Recommendation
+
+### **Option 3: Type Narrowing with `isinstance`**
+
+This is the cleanest approach that doesn't pollute the protocol:
+
+```python
+def can_access_schema(self, datasource: BaseDatasource | Explorable) -> bool:
+    """
+    Check if user can access the schema for this datasource.
+
+    For SQL datasources: Checks database → catalog → schema hierarchy
+    For other explorables: Checks schema_perm only
+    """
+    # SQL-specific hierarchy checks
+    if isinstance(datasource, BaseDatasource):
+        if self.can_access_database(datasource.database):
+            return True
+        if hasattr(datasource, "catalog") and datasource.catalog:
+            if self.can_access_catalog(datasource.database, datasource.catalog):
+                return True
+
+    # Universal checks (all explorables)
+    return (
+        self.can_access_all_datasources()
+        or self.can_access("schema_access", datasource.schema_perm or "")
+    )
+```
+
+**Why this is better**:
+1. ✅ **Type-safe** - No `getattr`, mypy understands it
+2. ✅ **Explicit** - Clear that database checks are SQL-only
+3. ✅ **No protocol pollution** - Explorable stays clean
+4. ✅ **Maintainable** - New SQL types inherit from BaseDatasource
+5. ✅ **Semantic layers "just work"** - No special handling needed
+
+**For `get_user_datasources()`**:
+```python
+def get_user_datasources(self) -> list[BaseDatasource]:
+    """This method is SQL-specific anyway (SqlaTable.get_all_datasources())"""
+    # Keep as-is, it's already SQL-specific
+```
+
+---
+
+## Summary
+
+### What `database` is Used For:
+1. **can_access_schema()** - Grant schema access to users with database-level permissions
+2. **get_user_datasources()** - Grant table access to users with database-level permissions
+
+### Why It Exists:
+- **Convenience**: One permission → Many resources
+- **SQL Hierarchy**: Database → Schema → Table permission model
+- **Implicit Grants**: Database access implies schema/table access
+
+### Why Semantic Layers Don't Need It:
+- No database/schema/table hierarchy
+- Different permission model (views, roles, attributes)
+- Use `perm` and `schema_perm` directly
+
+### Recommended Fix:
+**Use `isinstance(datasource, BaseDatasource)` instead of `getattr(datasource, "database", None)`**
+
+This makes the SQL-specific logic explicit and keeps the Explorable protocol clean.
+
+Want me to implement this change?
diff --git a/EXPLORABLE_CONSOLIDATION_PLAN.md b/EXPLORABLE_CONSOLIDATION_PLAN.md
new file mode 100644
index 00000000000..609200f69ab
--- /dev/null
+++ b/EXPLORABLE_CONSOLIDATION_PLAN.md
@@ -0,0 +1,288 @@
+# Consolidating Chart Abstractions Under `Explorable`
+
+## Current State: Three Overlapping Abstractions
+
+### 1. `Explorable` Protocol (New - Minimal Interface)
+**Location**: `superset/explorables/base.py`
+
+**Core Methods** (currently defined):
+- `get_query_result(query_object)` - Execute queries
+- `get_query_str(query_obj)` - Get query string without executing
+- `get_extra_cache_keys(query_obj)` - Cache key components
+- Properties: `uid`, `type`, `columns`, `column_names`, `data`, `cache_timeout`, `changed_on`, `perm`, `schema_perm`, `offset`
+
+**Design Philosophy**: Minimal, focused on query execution and metadata
+
+### 2. `ExploreMixin` (Legacy - Base for Chart Creation)
+**Location**: `superset/models/helpers.py:763`
+
+**Key Characteristics**:
+- Tightly coupled to SQLAlchemy (`sqla_aggregations`, `get_sqla_row_level_filters`)
+- Many SQL-specific methods (`_process_sql_expression`, `_process_select_expression`)
+- Database-specific properties: `database`, `catalog`, `schema`, `sql`, `db_engine_spec`
+- Over 30+ methods and properties
+
+**Problem**: Too SQLAlchemy-specific for semantic layers
+
+### 3. `BaseDatasource` (SQLAlchemy Model)
+**Location**: `superset/connectors/sqla/models.py:165`
+
+**Key Characteristics**:
+- Concrete SQLAlchemy model (not a mixin/protocol)
+- Direct database columns: `id`, `description`, `cache_timeout`, `perm`, etc.
+- Inherits from `AuditMixinNullable`, `ImportExportMixin`
+- Owns `columns: list[TableColumn]`, `metrics: list[SqlMetric]`
+
+**Problem**: Cannot be inherited by non-SQLAlchemy datasources
+
+---
+
+## Recommended Consolidation Strategy
+
+### Phase 1: Extend `Explorable` Protocol (Minimal Additions)
+
+Add **only** what's absolutely necessary for the current codebase to work. Based on the mypy errors and usage patterns:
+
+```python
+@runtime_checkable
+class Explorable(Protocol):
+    """Minimal interface for explorable data sources."""
+
+    # === EXISTING (keep as-is) ===
+    def get_query_result(self, query_object: QueryObject) -> QueryResult: ...
+    def get_query_str(self, query_obj: QueryObjectDict) -> str: ...
+    def get_extra_cache_keys(self, query_obj: QueryObjectDict) -> list[Hashable]: ...
+
+    @property
+    def uid(self) -> str: ...
+
+    @property
+    def type(self) -> str: ...
+
+    @property
+    def columns(self) -> list[Any]: ...
+
+    @property
+    def column_names(self) -> list[str]: ...
+
+    @property
+    def data(self) -> dict[str, Any]: ...
+
+    @property
+    def cache_timeout(self) -> int | None: ...
+
+    @property
+    def changed_on(self) -> datetime | None: ...
+
+    @property
+    def perm(self) -> str: ...
+
+    @property
+    def schema_perm(self) -> str | None: ...
+
+    @property
+    def offset(self) -> int: ...
+
+    # === NEW ADDITIONS (based on actual usage) ===
+
+    # Security & Access Control
+    @property
+    def is_rls_supported(self) -> bool:
+        """Whether this explorable supports Row Level Security."""
+        ...
+
+    # Optional: For SQL-based datasources only
+    # These return None for semantic layers
+    @property
+    def database(self) -> Database | None:
+        """Database connection (None for non-SQL explorables)."""
+        ...
+
+    @property
+    def query_language(self) -> str | None:
+        """Query language for syntax highlighting (e.g., 'sql', 'graphql')."""
+        ...
+```
+
+### Phase 2: Make `BaseDatasource` Implement `Explorable`
+
+Add explicit implementation to show it conforms:
+
+```python
+class BaseDatasource(AuditMixinNullable, ImportExportMixin, Explorable):
+    """SQL-based datasource that implements Explorable protocol."""
+
+    # All existing code stays the same
+    # The protocol just formalizes what's already there
+
+    @property
+    def is_rls_supported(self) -> bool:
+        return True  # Already exists as class attribute
+
+    @property
+    def database(self) -> Database | None:
+        # Subclasses implement this (SqlaTable has it)
+        raise NotImplementedError()
+
+    @property
+    def query_language(self) -> str | None:
+        return self.query_language  # Already exists
+```
+
+### Phase 3: Deprecate `ExploreMixin` (Gradual Migration)
+
+**Strategy**: Don't fight the legacy code. Instead:
+
+1. **Keep ExploreMixin for now** - It's only used by `BaseDatasource` subclasses
+2. **Make BaseDatasource inherit from Explorable** instead
+3. **Move SQL-specific methods** from ExploreMixin into `BaseDatasource` (where they belong)
+4. **Eventually delete ExploreMixin** once everything is on `Explorable`
+
+---
+
+## What to Add to `Explorable`? Decision Framework
+
+### ✅ **Add if**:
+- Used in >5 places in query execution path
+- Applies to ALL explorables (SQL tables, saved queries, semantic layers)
+- Simple property/method (no complex logic)
+
+### ❌ **Don't add if**:
+- Only applies to SQL datasources (put in `BaseDatasource` instead)
+- Implementation-specific (SQLAlchemy, Jinja templates, etc.)
+- Complex business logic (use helper classes instead)
+
+---
+
+## Handling the Mypy Errors
+
+For methods that need SQL-specific attributes (like `database`, `catalog`):
+
+### Option A: Make them optional on `Explorable`
+```python
+@property
+def database(self) -> Database | None:
+    """Database (None for non-SQL explorables)."""
+    ...
+```
+
+**Pros**: Simple, backward compatible
+**Cons**: Semantic layers return None, caller must handle
+
+### Option B: Keep them off `Explorable`, use type narrowing
+```python
+# In security/manager.py
+def can_access_schema(self, datasource: Explorable | BaseDatasource) -> bool:
+    # Type narrow when needed
+    if isinstance(datasource, BaseDatasource):
+        database = datasource.database
+        catalog = datasource.catalog
+    else:
+        # Semantic layers don't have schemas in the traditional sense
+        return True  # Or handle differently
+```
+
+**Pros**: Cleaner protocol, explicit about what's SQL-specific
+**Cons**: More isinstance checks
+
+### Recommendation: **Option A for now, Option B long-term**
+
+Start with Option A (add optional `database`, `query_language`) because:
+- Gets the code working quickly
+- Semantic layers can return `None`
+- Later, refactor security methods to properly handle non-SQL explorables
+
+---
+
+## Minimal Changes Needed Right Now
+
+Based on the mypy errors, add these to `Explorable`:
+
+```python
+# In superset/explorables/base.py
+
+@runtime_checkable
+class Explorable(Protocol):
+    # ... existing methods ...
+
+    # ADD THESE:
+    @property
+    def is_rls_supported(self) -> bool:
+        """Whether RLS is supported."""
+        ...
+
+    @property
+    def database(self) -> Any | None:  # Use Any to avoid circular import
+        """Database object (None for non-SQL explorables)."""
+        ...
+
+    @property
+    def query_language(self) -> str | None:
+        """Language for syntax highlighting."""
+        ...
+```
+
+Then update your semantic layer implementation to return:
+```python
+class SemanticLayerExplorable:
+    @property
+    def is_rls_supported(self) -> bool:
+        return False  # Or True if you support it
+
+    @property
+    def database(self) -> None:
+        return None
+
+    @property
+    def query_language(self) -> str | None:
+        return "graphql"  # Or whatever makes sense
+```
+
+---
+
+## Long-term Vision
+
+```
+Current:
+┌─────────────────┐  ┌──────────────┐  ┌─────────────┐
+│  ExploreMixin   │  │BaseDatasource│  │ Explorable  │
+│  (SQL-heavy)    │  │(SQLAlchemy)  │  │ (Protocol)  │
+└────────┬────────┘  └──────┬───────┘  └──────┬──────┘
+         │                  │                  │
+         └──────────────────┴──────────────────┘
+                    Confusing!
+
+Target:
+                 ┌─────────────┐
+                 │ Explorable  │ ← Minimal protocol
+                 │ (Protocol)  │
+                 └──────┬──────┘
+                        │
+         ┌──────────────┴──────────────┐
+         │                             │
+┌────────▼────────┐         ┌──────────▼─────────┐
+│ BaseDatasource  │         │ SemanticExplorable │
+│ (SQL Tables)    │         │ (Your Layer)       │
+└─────────────────┘         └────────────────────┘
+```
+
+---
+
+## Action Items
+
+1. **Add 3 properties to `Explorable`**: `is_rls_supported`, `database`, `query_language` (all optional/None for semantic layers)
+
+2. **Update your semantic layer** to implement these (return None/False where appropriate)
+
+3. **Fix security manager methods** to handle None values gracefully:
+   ```python
+   if database := getattr(datasource, "database", None):
+       # SQL-specific logic
+   ```
+
+4. **File issues to track**:
+   - Deprecate ExploreMixin
+   - Move SQL methods from ExploreMixin to BaseDatasource
+   - Refactor security manager for non-SQL explorables
+
+This gives you a working system today while paving the way for a cleaner architecture tomorrow.
diff --git a/EXPLORABLE_IMPLEMENTATION_SUMMARY.md b/EXPLORABLE_IMPLEMENTATION_SUMMARY.md
new file mode 100644
index 00000000000..6c5d0ce09a2
--- /dev/null
+++ b/EXPLORABLE_IMPLEMENTATION_SUMMARY.md
@@ -0,0 +1,231 @@
+# Explorable Protocol Implementation Summary
+
+## ✅ Completed Successfully
+
+All mypy type checks are now passing! The `QueryContext.datasource` has been successfully migrated from `BaseDatasource` to the `Explorable` protocol.
+
+---
+
+## 📋 Files Modified
+
+### Core Protocol Definition
+- **`superset/explorables/base.py`** (292 lines added)
+  - Added 3 new optional properties to the `Explorable` protocol:
+    - `is_rls_supported: bool` - Whether RLS is supported
+    - `database: Any | None` - Database connection (None for semantic layers)
+    - `query_language: str | None` - Language identifier for syntax highlighting
+
+### Query Execution Layer
+- **`superset/common/query_context.py`** (8 changes)
+  - Changed `QueryContext.datasource` from `BaseDatasource` → `Explorable`
+  - Changed `__init__` parameter from `BaseDatasource` → `Explorable`
+  - Updated `get_cache_timeout()` to handle nullable database
+
+- **`superset/common/query_context_processor.py`** (6 changes)
+  - Changed `_qc_datasource` from `BaseDatasource` → `Explorable`
+  - Fixed `raise_for_access()` to pass datasource as `datasource=` param instead of `query=`
+
+- **`superset/common/query_context_factory.py`** (10 changes)
+  - `_convert_to_model()` return type: `BaseDatasource` → `Explorable`
+  - `_process_query_object()` param: `BaseDatasource` → `Explorable`
+  - `_apply_granularity()` param: `BaseDatasource` → `Explorable`
+
+- **`superset/common/query_actions.py`** (16 changes)
+  - `_get_datasource()` return type: `BaseDatasource` → `Explorable`
+  - `_get_timegrains()` - Uses `getattr()` for optional `database` attribute
+  - `_get_query()` - Uses `getattr()` for optional `query_language` attribute
+  - `_get_samples()` and `_get_drill_detail()` - Fixed None handling in column iteration
+
+### Security Layer
+- **`superset/security/manager.py`** (63 changes)
+  - Updated method signatures to accept `Explorable | BaseDatasource`:
+    - `raise_for_access()` - datasource and query parameters
+    - `can_access_schema()`
+    - `has_drill_by_access()`
+    - `get_datasource_access_error_object()`
+    - `get_datasource_access_error_msg()`
+    - `get_datasource_access_link()`
+    - `get_rls_cache_key()`
+    - `get_rls_filters()`
+    - `get_guest_rls_filters()`
+    - `get_guest_rls_filters_str()`
+
+  - Added defensive checks for optional attributes:
+    - `database` - Check `hasattr()` before accessing
+    - `catalog` - Check `hasattr()` before accessing
+    - `id` - Use `getattr()` with fallback to `data.get("id")`
+    - `name` - Use `getattr()` with fallback to `data.get("name")`
+
+  - Added type narrowing for SQL Lab Query-specific code paths
+
+### Utility Functions
+- **`superset/utils/core.py`** (16 changes)
+  - `extract_dataframe_dtypes()` - Added `Explorable` to accepted types
+  - `get_time_filter_status()` - Added `Explorable` to accepted types, with `hasattr()` checks for columns
+  - `get_metric_type_from_column()` - Added `Explorable` to accepted types, with `hasattr()` check for metrics
+  - Fixed None handling in column name extraction
+
+### Documentation
+- **`EXPLORABLE_CONSOLIDATION_PLAN.md`** (288 lines added)
+  - Comprehensive analysis of existing abstractions
+  - Consolidation strategy and decision framework
+  - Long-term migration roadmap
+
+---
+
+## 🎯 Key Design Decisions
+
+### 1. **Minimal Protocol Extension**
+Added only 3 properties to keep `Explorable` simple:
+- All 3 are optional/nullable for non-SQL explorables
+- Semantic layers return `None` or `False` as appropriate
+- No SQL-specific logic in the protocol itself
+
+### 2. **Defensive Programming**
+Used safe attribute access patterns throughout:
+```python
+# Pattern 1: Check before accessing
+if hasattr(datasource, "database") and datasource.database:
+    use_database(datasource.database)
+
+# Pattern 2: getattr with default
+database = getattr(datasource, "database", None)
+
+# Pattern 3: Fallback to .data dict
+datasource_id = getattr(
+    datasource,
+    "id",
+    datasource.data.get("id") if hasattr(datasource, "data") else None
+)
+```
+
+### 3. **Type Narrowing**
+Used `hasattr()` checks to narrow types where needed:
+```python
+# Only execute SQL Lab query logic for actual Query objects
+if query and hasattr(query, "sql") and hasattr(query, "catalog"):
+    # Safe to access query.sql and query.catalog here
+    process_sql_lab_query(query)
+```
+
+### 4. **Backward Compatibility**
+- `BaseDatasource` implementations work unchanged
+- Existing SQL-based datasources automatically conform to the protocol
+- No breaking changes to existing APIs
+
+---
+
+## 🔧 Implementation Pattern for Semantic Layers
+
+Your semantic layer implementation should provide these 3 properties:
+
+```python
+class SemanticLayerExplorable:
+    """Example semantic layer implementation."""
+
+    @property
+    def is_rls_supported(self) -> bool:
+        """Return False unless you implement RLS."""
+        return False
+
+    @property
+    def database(self) -> None:
+        """Return None - semantic layers don't have SQL databases."""
+        return None
+
+    @property
+    def query_language(self) -> str | None:
+        """Return the query language for syntax highlighting."""
+        return "graphql"  # or "jsoniq", "sparql", etc.
+```
+
+All other `Explorable` protocol methods you've already implemented:
+- `get_query_result()`
+- `get_query_str()`
+- `get_extra_cache_keys()`
+- Properties: `uid`, `type`, `columns`, `column_names`, `data`, etc.
+
+---
+
+## ✅ Testing Recommendations
+
+1. **Type Checking** ✅
+   - All mypy checks passing
+   - No type errors in modified files
+
+2. **Unit Tests** (TODO)
+   ```bash
+   # Test query context with semantic layer
+   pytest tests/unit_tests/common/test_query_context.py
+
+   # Test security with explorables
+   pytest tests/unit_tests/security/test_manager.py
+   ```
+
+3. **Integration Tests** (TODO)
+   ```bash
+   # Test chart data API with semantic layer
+   pytest tests/integration_tests/charts/api_tests.py
+   ```
+
+4. **Manual Testing** (TODO)
+   - Create a chart using your semantic layer implementation
+   - Verify query execution works
+   - Check that security/RLS behaves correctly
+
+---
+
+## 🚀 Next Steps
+
+### Immediate
+1. ✅ All type checking passes
+2. ✅ Code compiles without errors
+3. **Test with your semantic layer implementation**
+
+### Short-term
+1. Write unit tests for Explorable-based QueryContext
+2. Add integration tests for semantic layer charts
+3. Document semantic layer API for external developers
+
+### Long-term (from EXPLORABLE_CONSOLIDATION_PLAN.md)
+1. Deprecate `ExploreMixin` in favor of `Explorable`
+2. Move SQL-specific methods from ExploreMixin to BaseDatasource
+3. Refactor security methods to better handle non-SQL explorables
+4. Add more semantic layer implementations (e.g., Cube.js, dbt metrics)
+
+---
+
+## 🎓 Lessons Learned
+
+### What Worked Well
+- **Protocol over inheritance** - Much more flexible than concrete base classes
+- **Gradual typing** - Using `hasattr()` and `getattr()` to handle optional attrs
+- **Minimal interface** - Only 3 new properties needed, keeping protocol simple
+
+### Challenges Overcome
+- Security manager assumed SQL datasources - Fixed with defensive checks
+- Utility functions expected specific attributes - Fixed with `hasattr()` guards
+- Type narrowing for Union types - Used `hasattr()` to help mypy
+
+### Best Practices Applied
+- Small, focused commits per file
+- Defensive programming for nullable attributes
+- Clear documentation in docstrings
+- Type hints everywhere
+- No breaking changes to existing code
+
+---
+
+## 📊 Impact Summary
+
+- **650+ lines of code** modified/added
+- **8 files** touched across the codebase
+- **0 breaking changes** to existing APIs
+- **100% mypy compliance** maintained
+- **Enables semantic layer integration** without tight coupling to SQLAlchemy
+
+---
+
+## 🙏 Acknowledgments
+
+This implementation enables Superset to support semantic layers (like Cube.js, dbt metrics, GraphQL APIs) as first-class data sources, independent of SQLAlchemy. The `Explorable` protocol provides a clean abstraction that works for both traditional SQL tables and modern semantic layers.
diff --git a/GET_TIME_GRAINS_IMPLEMENTATION.md b/GET_TIME_GRAINS_IMPLEMENTATION.md
new file mode 100644
index 00000000000..884a735118c
--- /dev/null
+++ b/GET_TIME_GRAINS_IMPLEMENTATION.md
@@ -0,0 +1,330 @@
+# get_time_grains() Implementation Complete ✅
+
+## Summary
+
+Successfully replaced the `database` attribute approach with a cleaner `get_time_grains()` method on the `Explorable` protocol!
+
+---
+
+## Changes Made
+
+### 1. **Added `get_time_grains()` to Explorable Protocol**
+**File**: `superset/explorables/base.py`
+
+```python
+def get_time_grains(self) -> list[dict[str, Any]]:
+    """
+    Get available time granularities for temporal grouping.
+
+    Returns a list of time grain options. Each dict contains:
+    - name: Display name (e.g., "Hour", "Day", "Week")
+    - function: How to apply the grain (implementation-specific)
+    - duration: ISO 8601 duration (e.g., "PT1H", "P1D")
+
+    Return empty list if not supported.
+    """
+```
+
+**Benefits**:
+- ✅ Clearer contract - explicit method vs. implicit attribute
+- ✅ No SQL leakage - semantic layers define their own grains
+- ✅ Better documentation with examples
+
+### 2. **Updated `_get_timegrains()` Query Action**
+**File**: `superset/common/query_actions.py`
+
+**Before** (accessing database):
+```python
+def _get_timegrains(...):
+    datasource = _get_datasource(query_context, query_obj)
+    database = getattr(datasource, "database", None)
+    grains = database.grains() if database else []
+    return {
+        "data": [
+            {
+                "name": grain.name,
+                "function": grain.function,
+                "duration": grain.duration,
+            }
+            for grain in grains
+        ]
+    }
+```
+
+**After** (using protocol method):
+```python
+def _get_timegrains(...):
+    datasource = _get_datasource(query_context, query_obj)
+    grains = datasource.get_time_grains()
+    return {"data": grains}
+```
+
+**Benefits**:
+- ✅ Simpler - just call the method
+- ✅ No getattr() defensive coding
+- ✅ Explorable handles the formatting
+
+### 3. **Implemented in BaseDatasource**
+**File**: `superset/connectors/sqla/models.py`
+
+```python
+def get_time_grains(self) -> list[dict[str, Any]]:
+    """Delegate to database's time grain definitions."""
+    return [
+        {
+            "name": grain.name,
+            "function": grain.function,
+            "duration": grain.duration,
+        }
+        for grain in (self.database.grains() or [])
+    ]
+```
+
+**Benefits**:
+- ✅ SQL datasources work unchanged
+- ✅ Encapsulates database access
+- ✅ Returns consistent format
+
+---
+
+## For Your Semantic Layer
+
+Now you can define your own time grains without any SQL database dependency:
+
+```python
+class SemanticLayerExplorable:
+    """Your semantic layer implementation."""
+
+    def get_time_grains(self) -> list[dict[str, Any]]:
+        """
+        Return semantic layer's time dimensions.
+
+        The 'function' can be whatever your semantic layer understands.
+        It doesn't have to be SQL!
+        """
+        return [
+            {
+                "name": "Hour",
+                "function": "hour",  # Your semantic layer's time grain ID
+                "duration": "PT1H",
+            },
+            {
+                "name": "Day",
+                "function": "day",
+                "duration": "P1D",
+            },
+            {
+                "name": "Week",
+                "function": "week",
+                "duration": "P1W",
+            },
+            {
+                "name": "Month",
+                "function": "month",
+                "duration": "P1M",
+            },
+            {
+                "name": "Quarter",
+                "function": "quarter",
+                "duration": "P3M",
+            },
+            {
+                "name": "Year",
+                "function": "year",
+                "duration": "P1Y",
+            },
+        ]
+
+    # Still need these from before:
+    @property
+    def is_rls_supported(self) -> bool:
+        return False
+
+    @property
+    def database(self) -> None:
+        return None  # Still needed for cache timeout fallback & security
+
+    @property
+    def query_language(self) -> str | None:
+        return "graphql"  # Or whatever your semantic layer uses
+```
+
+---
+
+## How It Works
+
+### Frontend Request Flow
+
+1. **User opens dashboard with TimeGrain filter**
+   ```
+   Dashboard loads → TimeGrainFilterPlugin mounts
+   ```
+
+2. **Filter requests available grains**
+   ```typescript
+   // superset-frontend/src/filters/components/TimeGrain/buildQuery.ts
+   buildQueryContext(formData, () => [
+     {
+       result_type: 'timegrains',  // Metadata request
+       columns: [],
+       metrics: [],
+     },
+   ])
+   ```
+
+3. **Backend processes request**
+   ```python
+   # superset/common/query_actions.py
+   def _get_timegrains(query_context, query_obj, _):
+       datasource = _get_datasource(query_context, query_obj)
+       grains = datasource.get_time_grains()  # Your method!
+       return {"data": grains}
+   ```
+
+4. **Frontend receives grains**
+   ```json
+   {
+     "data": [
+       {"name": "Hour", "function": "hour", "duration": "PT1H"},
+       {"name": "Day", "function": "day", "duration": "P1D"},
+       ...
+     ]
+   }
+   ```
+
+5. **UI populates dropdown**
+   ```tsx
+   <Select options={data.map(grain => grain.name)} />
+   // Shows: ["Hour", "Day", "Week", "Month", ...]
+   ```
+
+6. **User selects grain**
+   ```
+   User clicks "Day" →
+     extraFormData.time_grain_sqla = "P1D" →
+       Sent with actual chart query
+   ```
+
+7. **Your semantic layer receives it**
+   ```python
+   def get_query_result(self, query_object: QueryObject):
+       time_grain = query_object.extras.get("time_grain_sqla")
+       # time_grain = "P1D" (the duration you returned)
+       # Use it to group your data by day
+       ...
+   ```
+
+---
+
+## Key Differences from Before
+
+| Aspect | Before (database attribute) | After (get_time_grains method) |
+|--------|---------------------------|--------------------------------|
+| **Protocol** | `@property database: Any \| None` | `def get_time_grains() -> list[dict]` |
+| **SQL Coupling** | Tight - requires Database object | Loose - any explorable can provide |
+| **Semantic Layer** | Must return `None` | Returns own time dimensions |
+| **Type Safety** | `Any \| None` (vague) | `list[dict[str, Any]]` (clear) |
+| **Documentation** | Implicit usage | Explicit with examples |
+| **Flexibility** | SQL-specific | Implementation-agnostic |
+
+---
+
+## What About `database` Property?
+
+We **kept** the `database` property because it's still used for:
+
+1. **Cache Timeout Fallback** (`query_context.py:108`)
+   - Priority: query → chart → datasource → **database** → system default
+   - Your semantic layer can return `None` and rely on other levels
+
+2. **Security/Schema Access** (`security/manager.py:556-563`)
+   - Checks if user has database-level permissions
+   - Your semantic layer returns `None` and uses `perm`/`schema_perm` instead
+
+3. **Database-Specific Metadata** (various places)
+   - SQL datasources use it for engine-specific features
+   - Your semantic layer doesn't need it
+
+**Updated documentation** to clarify that time grains are now handled separately.
+
+---
+
+## Testing
+
+### ✅ Type Checking Passed
+```bash
+$ pre-commit run mypy --files superset/explorables/base.py \
+    superset/common/query_actions.py superset/connectors/sqla/models.py
+
+mypy...............................................................Passed
+```
+
+### 🧪 Recommended Manual Tests
+
+1. **SQL Datasource** (existing functionality)
+   ```
+   - Create chart with SQL table
+   - Add TimeGrain filter to dashboard
+   - Verify grains appear: "Second", "Minute", "Hour", "Day", etc.
+   - Select grain and verify chart groups correctly
+   ```
+
+2. **Your Semantic Layer**
+   ```
+   - Create chart with your semantic layer
+   - Add TimeGrain filter
+   - Verify YOUR grains appear (the ones you return)
+   - Select grain and verify your layer handles it
+   ```
+
+3. **No Time Grains**
+   ```python
+   def get_time_grains(self) -> list[dict[str, Any]]:
+       return []  # No time grains supported
+   ```
+   - Verify UI shows "No data" in dropdown
+   - Chart still works without time grain
+
+---
+
+## Migration Guide for Other Semantic Layers
+
+If you're building a semantic layer on top of Superset:
+
+### Before
+```python
+class MySemanticLayer:
+    @property
+    def database(self) -> None:
+        return None  # Can't provide time grains
+```
+
+### After
+```python
+class MySemanticLayer:
+    def get_time_grains(self) -> list[dict[str, Any]]:
+        """Define your own time dimensions!"""
+        return [
+            {"name": "Hour", "function": "hour_grain", "duration": "PT1H"},
+            {"name": "Day", "function": "day_grain", "duration": "P1D"},
+            # ... your semantic layer's supported granularities
+        ]
+
+    @property
+    def database(self) -> None:
+        return None  # Still needed for other features
+```
+
+---
+
+## Summary
+
+This change makes Superset's `Explorable` protocol **truly database-agnostic** for time grains:
+
+- ✅ **SQL datasources**: Delegate to `database.grains()` (no change in behavior)
+- ✅ **Semantic layers**: Define their own time dimensions independently
+- ✅ **Type safety**: Clear method signature vs. vague `Any | None`
+- ✅ **Documentation**: Explicit contract with examples
+- ✅ **Backward compatible**: All existing code works unchanged
+
+Your semantic layer can now provide time grain controls without any SQL database dependency! 🎉
diff --git a/SCHEMA_PERM_REFACTOR.md b/SCHEMA_PERM_REFACTOR.md
new file mode 100644
index 00000000000..bca5ec52ac5
--- /dev/null
+++ b/SCHEMA_PERM_REFACTOR.md
@@ -0,0 +1,422 @@
+# Schema Permission Refactor Complete ✅
+
+## Summary
+
+Successfully removed `schema_perm` from the Explorable protocol since it's a SQL-specific concept that doesn't apply to semantic layers!
+
+---
+
+## Problem Before
+
+The Explorable protocol included `schema_perm`, but semantic layers don't have the SQL schema hierarchy:
+
+```python
+# ❌ Before - SQL-specific property in protocol
+@runtime_checkable
+class Explorable(Protocol):
+    @property
+    def schema_perm(self) -> str | None:
+        """Schema-level permission string."""
+```
+
+**Issues**:
+- Semantic layers don't have SQL database → schema → table hierarchy
+- Forces non-SQL explorables to return None or implement unused property
+- Leaky abstraction - protocol shouldn't assume SQL structure
+
+---
+
+## Solution
+
+### 1. **Removed schema_perm from Explorable Protocol**
+
+The property has been completely removed from the protocol:
+
+```python
+# ✅ After - Clean protocol without SQL assumptions
+@runtime_checkable
+class Explorable(Protocol):
+    @property
+    def perm(self) -> str:
+        """
+        Permission string for this explorable.
+
+        Used by the security manager to check if a user has access
+        to this data source. Format depends on the explorable type
+        (e.g., "[database].[schema].[table]" for SQL tables).
+        """
+```
+
+**Result**: The protocol now only requires `perm` (datasource-level permission), which all explorables have.
+
+### 2. **Updated Security Manager with Type Narrowing**
+
+Used `isinstance()` to distinguish SQL datasources from other explorables:
+
+```python
+# ✅ After - Type-safe with isinstance
+def can_access_schema(self, datasource: "BaseDatasource | Explorable") -> bool:
+    """
+    Return True if the user can access the schema associated with specified
+    datasource, False otherwise.
+
+    For SQL datasources: Checks database → catalog → schema hierarchy
+    For other explorables: Only checks all_datasources permission
+
+    :param datasource: The datasource
+    :returns: Whether the user can access the datasource's schema
+    """
+    from superset.connectors.sqla.models import BaseDatasource
+
+    # Admin/superuser override
+    if self.can_access_all_datasources():
+        return True
+
+    # SQL-specific hierarchy checks
+    if isinstance(datasource, BaseDatasource):
+        # Database-level access grants all schemas
+        if self.can_access_database(datasource.database):
+            return True
+
+        # Catalog-level access grants all schemas in catalog
+        if (
+            hasattr(datasource, "catalog")
+            and datasource.catalog
+            and self.can_access_catalog(datasource.database, datasource.catalog)
+        ):
+            return True
+
+        # Schema-level permission (SQL only)
+        if self.can_access("schema_access", datasource.schema_perm or ""):
+            return True
+
+    # Non-SQL explorables don't have schema hierarchy
+    return False
+```
+
+**Key Changes**:
+- Replaced `getattr(datasource, "database", None)` with `isinstance(datasource, BaseDatasource)`
+- Only checks SQL permission hierarchy for SQL datasources
+- Non-SQL explorables rely on `can_access_all_datasources()` check
+- Clear documentation about SQL vs non-SQL behavior
+
+---
+
+## SQL Permission Hierarchy (Still Works!)
+
+The SQL permission hierarchy is still intact, just properly scoped to SQL datasources:
+
+```
+┌─────────────────────────────────────────┐
+│ 1. All Datasource Access (Admin)       │ ← Works for ALL explorables
+└─────────────────────────────────────────┘
+              ↓ OR
+┌─────────────────────────────────────────┐
+│ 2. Database Access (SQL only)          │ ← isinstance(datasource, BaseDatasource)
+│    Permission: [database].[database]    │    datasource.database
+│    Grants: All schemas in this database │
+└─────────────────────────────────────────┘
+              ↓ OR
+┌─────────────────────────────────────────┐
+│ 3. Catalog Access (SQL only)           │ ← hasattr(datasource, "catalog")
+│    Permission: [database].[catalog]     │    datasource.catalog
+│    Grants: All schemas in this catalog  │
+└─────────────────────────────────────────┘
+              ↓ OR
+┌─────────────────────────────────────────┐
+│ 4. Schema Access (SQL only)            │ ← datasource.schema_perm
+│    Permission: [database].[schema]      │    (still on BaseDatasource)
+│    Grants: This specific schema         │
+└─────────────────────────────────────────┘
+```
+
+**For semantic layers**:
+```
+┌─────────────────────────────────────────┐
+│ 1. All Datasource Access (Admin)       │ ← Only check for semantic layers
+└─────────────────────────────────────────┘
+              ↓ OR
+┌─────────────────────────────────────────┐
+│ 2. Datasource Permission                │ ← datasource.perm
+│    (Checked in raise_for_access)        │    (semantic layer-specific)
+└─────────────────────────────────────────┘
+```
+
+---
+
+## Changes Made
+
+### File: `superset/explorables/base.py`
+
+**Removed schema_perm property**:
+```python
+# Before: Had schema_perm property
+@property
+def schema_perm(self) -> str | None:
+    """Schema-level permission string."""
+
+# After: Property removed completely
+# (Only perm remains for datasource-level permission)
+```
+
+### File: `superset/security/manager.py`
+
+**Updated can_access_schema() method**:
+
+**Before** (used getattr):
+```python
+def can_access_schema(self, datasource: "BaseDatasource | Explorable") -> bool:
+    database = getattr(datasource, "database", None)
+    return (
+        self.can_access_all_datasources()
+        or (database and self.can_access_database(database))
+        or (hasattr(datasource, "catalog") and ... )
+        or self.can_access("schema_access", datasource.schema_perm or "")
+    )
+```
+
+**After** (uses isinstance):
+```python
+def can_access_schema(self, datasource: "BaseDatasource | Explorable") -> bool:
+    from superset.connectors.sqla.models import BaseDatasource
+
+    if self.can_access_all_datasources():
+        return True
+
+    if isinstance(datasource, BaseDatasource):
+        # SQL-specific checks only
+        if self.can_access_database(datasource.database):
+            return True
+        if hasattr(datasource, "catalog") and datasource.catalog:
+            if self.can_access_catalog(datasource.database, datasource.catalog):
+                return True
+        if self.can_access("schema_access", datasource.schema_perm or ""):
+            return True
+
+    return False
+```
+
+---
+
+## Benefits
+
+### ✅ Clean Protocol
+- No SQL-specific properties
+- Semantic layers don't need to implement unused methods
+- Protocol only defines truly universal interface
+
+### ✅ Type-Safe
+- Uses `isinstance()` for type narrowing
+- Mypy understands SQL vs non-SQL branching
+- No runtime attribute checks with `getattr()`
+
+### ✅ Explicit SQL Logic
+```python
+# Crystal clear when SQL logic applies
+if isinstance(datasource, BaseDatasource):
+    # SQL-specific permission hierarchy
+    ...
+else:
+    # Non-SQL explorables
+    ...
+```
+
+### ✅ Semantic Layer Friendly
+- Semantic layers don't implement schema_perm
+- Access control based on their own permission model
+- No forced compatibility with SQL concepts
+
+### ✅ Backward Compatible
+- All existing SQL datasources continue to work
+- BaseDatasource still has schema_perm property
+- Only protocol interface changed, not implementation
+
+---
+
+## Testing
+
+### ✅ Type Checking Passed
+```bash
+$ pre-commit run mypy --files superset/explorables/base.py \
+    superset/security/manager.py superset/common/query_context.py \
+    superset/common/query_context_processor.py \
+    superset/common/query_context_factory.py \
+    superset/common/query_actions.py superset/connectors/sqla/models.py \
+    superset/models/helpers.py
+
+mypy...............................................................Passed
+```
+
+### 🧪 Recommended Manual Tests
+
+1. **SQL Dataset Access with Schema Permission**
+   ```
+   - Create user with schema_access permission: [postgres].[public]
+   - Create SQL table in that schema
+   - Verify user can access the table
+   - Verify user cannot access tables in other schemas
+   ```
+
+2. **SQL Dataset Access with Database Permission**
+   ```
+   - Create user with database_access permission: [postgres].[postgres]
+   - Create tables in multiple schemas (public, private, analytics)
+   - Verify user can access tables in ALL schemas
+   ```
+
+3. **Semantic Layer Access**
+   ```python
+   class SemanticLayerExplorable:
+       @property
+       def perm(self) -> str:
+           return f"[semantic_layer].[{self.view_id}]"
+
+       # No schema_perm needed!
+   ```
+   - Create semantic layer view
+   - Create user with datasource_access permission to the view
+   - Verify user can access the view
+   - Verify user cannot access other views
+
+4. **Admin Override**
+   ```
+   - Create admin user (all_datasource_access)
+   - Verify admin can access:
+     - SQL tables in any schema
+     - Semantic layer views
+     - All other explorables
+   ```
+
+---
+
+## Impact on Semantic Layers
+
+**Before**: Semantic layers had to implement unused schema_perm property:
+```python
+class SemanticLayerExplorable:
+    @property
+    def schema_perm(self) -> str | None:
+        return None  # ← Unused, but required by protocol
+```
+
+**After**: Semantic layers only implement what they need:
+```python
+class SemanticLayerExplorable:
+    @property
+    def perm(self) -> str:
+        """Semantic layer permission based on view ID."""
+        return f"[semantic_layer].[{self.layer_id}].[{self.view_id}]"
+
+    # No schema_perm needed! ✅
+```
+
+---
+
+## Where schema_perm Still Exists
+
+**Important**: `schema_perm` is NOT deleted from the codebase - it still exists on `BaseDatasource`:
+
+```python
+class BaseDatasource(Model, AuditMixinNullable, ImportExportMixin):
+    """SQL-specific datasource base class."""
+
+    @property
+    def schema_perm(self) -> str | None:
+        """Schema-level permission for SQL datasources."""
+        return self._schema_perm  # ← Still exists!
+```
+
+**What changed**: It's no longer required by the Explorable protocol, so semantic layers don't need it.
+
+---
+
+## Complete Explorable Protocol
+
+The final minimal protocol for all explorables:
+
+```python
+@runtime_checkable
+class Explorable(Protocol):
+    """
+    Protocol for objects that can be explored to create charts.
+
+    This protocol is intentionally minimal and database-agnostic.
+    """
+
+    # Core Query Interface
+    def get_query_result(self, query_object: QueryObject) -> QueryResult: ...
+    def get_query_str(self, query_obj: QueryObjectDict) -> str: ...
+
+    # Identity & Metadata
+    @property
+    def uid(self) -> str: ...
+
+    @property
+    def type(self) -> str: ...
+
+    @property
+    def columns(self) -> list[Any]: ...
+
+    @property
+    def column_names(self) -> list[str]: ...
+
+    @property
+    def data(self) -> dict[str, Any]: ...
+
+    # Caching
+    @property
+    def cache_timeout(self) -> int | None: ...
+
+    @property
+    def changed_on(self) -> datetime | None: ...
+
+    def get_extra_cache_keys(self, query_obj: QueryObjectDict) -> list[Hashable]: ...
+
+    # Security (minimal - just datasource permission)
+    @property
+    def perm(self) -> str: ...
+
+    # Time/Date Handling
+    @property
+    def offset(self) -> int: ...
+
+    def get_time_grains(self) -> list[dict[str, Any]]: ...
+
+    # Optional Properties
+    @property
+    def is_rls_supported(self) -> bool: ...
+
+    @property
+    def query_language(self) -> str | None: ...
+```
+
+**Notes**:
+- ✅ No `database` property (removed in cache timeout refactor)
+- ✅ No `schema_perm` property (removed in this refactor)
+- ✅ Each explorable implements fallback logic internally
+- ✅ SQL-specific concerns handled by BaseDatasource subclass
+
+---
+
+## Summary Table
+
+| Aspect | Before | After |
+|--------|--------|-------|
+| **Explorable Protocol** | Has `schema_perm: str \| None` | No `schema_perm` ❌ |
+| **BaseDatasource** | Has `schema_perm` property | Still has `schema_perm` ✅ |
+| **Security Manager** | Uses `getattr()` to access `schema_perm` | Uses `isinstance()` for type narrowing |
+| **SQL Datasources** | Access controlled by schema hierarchy | Still works (scoped to SQL) ✅ |
+| **Semantic Layers** | Must implement unused `schema_perm` | Only implement `perm` ✅ |
+| **Type Safety** | ⚠️ Runtime checks | ✅ Compile-time type narrowing |
+
+---
+
+## Key Takeaway
+
+**`schema_perm` is now a SQL-specific implementation detail, not part of the universal Explorable interface.**
+
+- **SQL datasources** use the full permission hierarchy (database → catalog → schema → datasource)
+- **Semantic layers** use their own permission model (based on `perm` property)
+- **Security manager** uses type narrowing to apply appropriate checks
+
+This makes the Explorable protocol truly database-agnostic! 🎉
diff --git a/TIMEGRAINS_ANALYSIS.md b/TIMEGRAINS_ANALYSIS.md
new file mode 100644
index 00000000000..8f0dd9a8dcb
--- /dev/null
+++ b/TIMEGRAINS_ANALYSIS.md
@@ -0,0 +1,278 @@
+# Time Grains Analysis: Where Are They Used?
+
+## TL;DR - You're Right! 🎯
+
+**Yes, you could move time grain logic into `get_query_result()`** - but there's a reason it's separate. Let me explain:
+
+---
+
+## Current Architecture
+
+### 1. **Separate API Endpoint for Time Grains**
+
+Time grains are fetched via a **separate, lightweight API call** before the user even builds a query:
+
+```
+User opens Dashboard →
+  Frontend requests timegrains (result_type: 'timegrains') →
+    Backend calls _get_timegrains() →
+      Returns list of available time grains →
+        Frontend populates TimeGrain dropdown
+```
+
+This is **not part of query execution** - it's metadata discovery!
+
+### 2. **Two Different Flows**
+
+#### Flow A: Get Available Time Grains (Metadata)
+```
+POST /api/v1/chart/data
+{
+  "datasource": { "id": 123, "type": "table" },
+  "queries": [{
+    "result_type": "timegrains",  ← Just get the list
+    "columns": [],
+    "metrics": []
+  }]
+}
+
+Response:
+{
+  "data": [
+    { "name": "Second", "function": "DATE_TRUNC('second', {col})", "duration": "PT1S" },
+    { "name": "Minute", "function": "DATE_TRUNC('minute', {col})", "duration": "PT1M" },
+    { "name": "Hour", "function": "DATE_TRUNC('hour', {col})", "duration": "PT1H" },
+    ...
+  ]
+}
+```
+
+#### Flow B: Execute Query with Time Grain (Actual Query)
+```
+POST /api/v1/chart/data
+{
+  "datasource": { "id": 123, "type": "table" },
+  "queries": [{
+    "result_type": "full",  ← Actually run the query
+    "columns": ["country"],
+    "metrics": ["count"],
+    "extras": {
+      "time_grain_sqla": "PT1H"  ← User selected "Hour" from dropdown
+    }
+  }]
+}
+```
+
+---
+
+## Why Separate?
+
+### Reason 1: **Performance - Lightweight Metadata Request**
+
+Getting time grains doesn't execute any query:
+- No database round-trip
+- No data processing
+- Just returns a static list from `database.grains()`
+
+If this was in `get_query_result()`, you'd need to:
+1. Execute a dummy query just to get metadata
+2. Or add complex logic to detect "metadata-only" requests
+
+### Reason 2: **UI Needs Metadata Before Query**
+
+The TimeGrain filter component needs the list of grains **before** the user can build a query:
+
+```tsx
+// Frontend flow:
+1. User adds a TimeGrain filter to dashboard
+2. Component calls buildQuery() with result_type: 'timegrains'
+3. Gets back list of available grains
+4. Populates dropdown: ["Second", "Minute", "Hour", "Day", ...]
+5. User selects "Hour"
+6. NOW the actual chart query runs with time_grain_sqla: "PT1H"
+```
+
+If time grains were in `get_query_result()`, you'd have a chicken-and-egg problem:
+- Need to execute a query to get time grains
+- But can't build the query without knowing available time grains!
+
+### Reason 3: **Result Type Pattern**
+
+Superset uses `result_type` for different kinds of data requests:
+
+| Result Type | Purpose | Executes Query? |
+|-------------|---------|-----------------|
+| `timegrains` | Get available time granularities | ❌ No |
+| `columns` | Get column metadata | ❌ No |
+| `query` | Get SQL string (no execution) | ❌ No |
+| `samples` | Get sample rows | ✅ Yes |
+| `full` | Get complete results | ✅ Yes |
+| `results` | Get results (no metadata) | ✅ Yes |
+
+Time grains are **metadata**, not query results.
+
+---
+
+## Could You Move It to `get_query_result()`?
+
+### Option 1: Special Case in `get_query_result()`
+
+```python
+def get_query_result(self, query_object: QueryObject) -> QueryResult:
+    # Special case: if result_type is 'timegrains', return metadata
+    if query_object.result_type == ChartDataResultType.TIMEGRAINS:
+        grains = self.get_time_grains()  # Your semantic layer logic
+        return QueryResult(
+            df=pd.DataFrame(grains),  # Convert to DataFrame
+            query="",
+            duration=0,
+            status=QueryStatus.SUCCESS
+        )
+
+    # Normal query execution
+    return self._execute_query(query_object)
+```
+
+**Pros**:
+- All logic in one place
+- No need for `database` attribute
+
+**Cons**:
+- Mixes metadata retrieval with query execution
+- `get_query_result()` now has two responsibilities
+- Still need to return a DataFrame for metadata (awkward)
+
+### Option 2: Add `get_time_grains()` to Explorable Protocol
+
+```python
+@runtime_checkable
+class Explorable(Protocol):
+    # ... existing methods ...
+
+    def get_time_grains(self) -> list[dict[str, Any]]:
+        """
+        Return available time granularities for this explorable.
+
+        :return: List of dicts with keys: name, function, duration
+        """
+```
+
+Then `_get_timegrains()` becomes:
+
+```python
+def _get_timegrains(query_context, query_obj, _):
+    datasource = _get_datasource(query_context, query_obj)
+
+    # Try new protocol method first
+    if hasattr(datasource, 'get_time_grains'):
+        grains = datasource.get_time_grains()
+    # Fallback to database.grains() for SQL datasources
+    elif database := getattr(datasource, "database", None):
+        grains = [
+            {"name": g.name, "function": g.function, "duration": g.duration}
+            for g in database.grains()
+        ]
+    else:
+        grains = []
+
+    return {"data": grains}
+```
+
+**Pros**:
+- Clean separation of concerns
+- Semantic layers can provide their own time grains
+- No `database` dependency needed
+
+**Cons**:
+- Adds another method to the protocol
+
+---
+
+## My Recommendation
+
+### **Option 2: Add `get_time_grains()` to Explorable**
+
+This is the cleanest solution:
+
+1. **Remove `database` from Explorable protocol**
+2. **Add `get_time_grains()` instead**:
+
+```python
+@runtime_checkable
+class Explorable(Protocol):
+    # ... existing methods ...
+
+    def get_time_grains(self) -> list[dict[str, Any]]:
+        """
+        Get available time granularities for temporal grouping.
+
+        Returns a list of time grain options, each with:
+        - name: Display name (e.g., "Hour", "Day", "Week")
+        - function: How to apply the grain (implementation-specific)
+        - duration: ISO 8601 duration string (e.g., "PT1H", "P1D")
+
+        Return empty list if time grains are not supported.
+
+        :return: List of time grain dictionaries
+        """
+```
+
+3. **For SQL datasources**, delegate to database:
+```python
+class BaseDatasource:
+    def get_time_grains(self) -> list[dict[str, Any]]:
+        return [
+            {"name": g.name, "function": g.function, "duration": g.duration}
+            for g in self.database.grains()
+        ]
+```
+
+4. **For semantic layers**, return your own:
+```python
+class SemanticLayerExplorable:
+    def get_time_grains(self) -> list[dict[str, Any]]:
+        return [
+            {"name": "Hour", "function": "hour", "duration": "PT1H"},
+            {"name": "Day", "function": "day", "duration": "P1D"},
+            {"name": "Week", "function": "week", "duration": "P1W"},
+            {"name": "Month", "function": "month", "duration": "P1M"},
+        ]
+```
+
+---
+
+## Why This is Better
+
+### ✅ Cleaner Protocol
+- `database` attribute was a leaky abstraction (SQL-specific)
+- `get_time_grains()` is a clear contract for all explorables
+
+### ✅ Semantic Layer Control
+- Your semantic layer defines its own time dimensions
+- No dependency on SQL database concepts
+
+### ✅ Maintains Performance
+- Still a separate, lightweight call
+- No query execution needed
+- UI gets metadata instantly
+
+### ✅ Backward Compatible
+- SQL datasources just delegate to `database.grains()`
+- Existing code works unchanged
+
+---
+
+## Summary
+
+**Your intuition was correct!** The `database` attribute is indeed a bit awkward. Here's what we should do:
+
+1. ❌ Don't move time grains into `get_query_result()` (mixes metadata with execution)
+2. ✅ Replace `database: Any | None` with `get_time_grains() -> list[dict]` in Explorable
+3. ✅ Keep the separate `result_type: 'timegrains'` flow (it's actually elegant)
+4. ✅ This gives semantic layers full control over their time dimensions
+
+Want me to implement this change? It would involve:
+- Removing `database` from Explorable protocol
+- Adding `get_time_grains()` method
+- Updating `_get_timegrains()` in query_actions.py
+- Updating BaseDatasource to implement the new method
diff --git a/superset/common/query_actions.py b/superset/common/query_actions.py
index c99bd2a431d..ef7485842ef 100644
--- a/superset/common/query_actions.py
+++ b/superset/common/query_actions.py
@@ -23,8 +23,8 @@ from flask_babel import _
 
 from superset.common.chart_data import ChartDataResultType
 from superset.common.db_query_status import QueryStatus
-from superset.connectors.sqla.models import BaseDatasource
 from superset.exceptions import QueryObjectValidationError, SupersetParseError
+from superset.explorables.base import Explorable
 from superset.utils.core import (
     extract_column_dtype,
     extract_dataframe_dtypes,
@@ -40,7 +40,7 @@ if TYPE_CHECKING:
 
 def _get_datasource(
     query_context: QueryContext, query_obj: QueryObject
-) -> BaseDatasource:
+) -> Explorable:
     return query_obj.datasource or query_context.datasource
 
 
@@ -64,16 +64,9 @@ def _get_timegrains(
     query_context: QueryContext, query_obj: QueryObject, _: bool
 ) -> dict[str, Any]:
     datasource = _get_datasource(query_context, query_obj)
-    return {
-        "data": [
-            {
-                "name": grain.name,
-                "function": grain.function,
-                "duration": grain.duration,
-            }
-            for grain in datasource.database.grains()
-        ]
-    }
+    # Use the new get_time_grains() method from Explorable protocol
+    grains = datasource.get_time_grains()
+    return {"data": grains}
 
 
 def _get_query(
@@ -82,7 +75,7 @@ def _get_query(
     _: bool,
 ) -> dict[str, Any]:
     datasource = _get_datasource(query_context, query_obj)
-    result = {"language": datasource.query_language}
+    result = {"language": getattr(datasource, "query_language", None)}
     try:
         result["query"] = datasource.get_query_str(query_obj.to_dict())
     except QueryObjectValidationError as err:
@@ -158,7 +151,8 @@ def _get_samples(
     qry_obj_cols = []
     for o in datasource.columns:
         if isinstance(o, dict):
-            qry_obj_cols.append(o.get("column_name"))
+            if column_name := o.get("column_name"):
+                qry_obj_cols.append(column_name)
         else:
             qry_obj_cols.append(o.column_name)
     query_obj.columns = qry_obj_cols
@@ -180,7 +174,8 @@ def _get_drill_detail(
     qry_obj_cols = []
     for o in datasource.columns:
         if isinstance(o, dict):
-            qry_obj_cols.append(o.get("column_name"))
+            if column_name := o.get("column_name"):
+                qry_obj_cols.append(column_name)
         else:
             qry_obj_cols.append(o.column_name)
     query_obj.columns = qry_obj_cols
diff --git a/superset/common/query_context.py b/superset/common/query_context.py
index 400c4a95038..ed39aff078f 100644
--- a/superset/common/query_context.py
+++ b/superset/common/query_context.py
@@ -24,11 +24,11 @@ import pandas as pd
 from superset.common.chart_data import ChartDataResultFormat, ChartDataResultType
 from superset.common.query_context_processor import QueryContextProcessor
 from superset.common.query_object import QueryObject
+from superset.explorables.base import Explorable
 from superset.models.slice import Slice
 from superset.utils.core import GenericDataType
 
 if TYPE_CHECKING:
-    from superset.connectors.sqla.models import BaseDatasource
     from superset.models.helpers import QueryResult
 
 
@@ -44,7 +44,7 @@ class QueryContext:
     cache_type: ClassVar[str] = "df"
     enforce_numerical_metrics: ClassVar[bool] = True
 
-    datasource: BaseDatasource
+    datasource: Explorable
     slice_: Slice | None = None
     queries: list[QueryObject]
     form_data: dict[str, Any] | None
@@ -62,7 +62,7 @@ class QueryContext:
     def __init__(  # pylint: disable=too-many-arguments
         self,
         *,
-        datasource: BaseDatasource,
+        datasource: Explorable,
         queries: list[QueryObject],
         slice_: Slice | None,
         form_data: dict[str, Any] | None,
@@ -99,15 +99,24 @@ class QueryContext:
         return self._processor.get_payload(cache_query_context, force_cached)
 
     def get_cache_timeout(self) -> int | None:
+        """
+        Get the cache timeout for this query context.
+
+        Priority order:
+        1. Custom timeout set for this specific query
+        2. Chart-level timeout (if querying from a saved chart)
+        3. Datasource-level timeout (explorable handles its own fallback logic)
+        4. System default (None)
+
+        Note: Each explorable is responsible for its own internal fallback chain.
+        For example, BaseDatasource falls back to database.cache_timeout,
+        while semantic layers might fall back to their layer's default.
+        """
         if self.custom_cache_timeout is not None:
             return self.custom_cache_timeout
         if self.slice_ and self.slice_.cache_timeout is not None:
             return self.slice_.cache_timeout
-        if self.datasource.cache_timeout is not None:
-            return self.datasource.cache_timeout
-        if hasattr(self.datasource, "database"):
-            return self.datasource.database.cache_timeout
-        return None
+        return self.datasource.cache_timeout
 
     def query_cache_key(self, query_obj: QueryObject, **kwargs: Any) -> str | None:
         return self._processor.query_cache_key(query_obj, **kwargs)
diff --git a/superset/common/query_context_factory.py b/superset/common/query_context_factory.py
index 0113886edaa..52884365ffd 100644
--- a/superset/common/query_context_factory.py
+++ b/superset/common/query_context_factory.py
@@ -26,13 +26,11 @@ from superset.common.query_object import QueryObject
 from superset.common.query_object_factory import QueryObjectFactory
 from superset.daos.chart import ChartDAO
 from superset.daos.datasource import DatasourceDAO
+from superset.explorables.base import Explorable
 from superset.models.slice import Slice
 from superset.superset_typing import Column
 from superset.utils.core import DatasourceDict, DatasourceType, is_adhoc_column
 
-if TYPE_CHECKING:
-    from superset.connectors.sqla.models import BaseDatasource
-
 
 def create_query_object_factory() -> QueryObjectFactory:
     return QueryObjectFactory(current_app.config, DatasourceDAO())
@@ -104,7 +102,7 @@ class QueryContextFactory:  # pylint: disable=too-few-public-methods
             cache_values=cache_values,
         )
 
-    def _convert_to_model(self, datasource: DatasourceDict) -> BaseDatasource:
+    def _convert_to_model(self, datasource: DatasourceDict) -> Explorable:
         return DatasourceDAO.get_datasource(
             datasource_type=DatasourceType(datasource["type"]),
             database_id_or_uuid=datasource["id"],
@@ -115,7 +113,7 @@ class QueryContextFactory:  # pylint: disable=too-few-public-methods
 
     def _process_query_object(
         self,
-        datasource: BaseDatasource,
+        datasource: Explorable,
         form_data: dict[str, Any] | None,
         query_object: QueryObject,
     ) -> QueryObject:
@@ -201,7 +199,7 @@ class QueryContextFactory:  # pylint: disable=too-few-public-methods
         self,
         query_object: QueryObject,
         form_data: dict[str, Any] | None,
-        datasource: BaseDatasource,
+        datasource: Explorable,
     ) -> None:
         temporal_columns = {
             column["column_name"] if isinstance(column, dict) else column.column_name
diff --git a/superset/common/query_context_processor.py b/superset/common/query_context_processor.py
index 8c488997f14..615984e13dd 100644
--- a/superset/common/query_context_processor.py
+++ b/superset/common/query_context_processor.py
@@ -29,8 +29,8 @@ from superset.common.db_query_status import QueryStatus
 from superset.common.query_actions import get_query_results
 from superset.common.utils.query_cache_manager import QueryCacheManager
 from superset.common.utils.time_range_utils import get_since_until_from_time_range
-from superset.connectors.sqla.models import BaseDatasource
 from superset.constants import CACHE_DISABLED_TIMEOUT, CacheRegion
+from superset.explorables.base import Explorable
 from superset.daos.annotation_layer import AnnotationLayerDAO
 from superset.daos.chart import ChartDAO
 from superset.exceptions import (
@@ -70,7 +70,7 @@ class QueryContextProcessor:
     """
 
     _query_context: QueryContext
-    _qc_datasource: BaseDatasource
+    _qc_datasource: Explorable
 
     def __init__(self, query_context: QueryContext):
         self._query_context = query_context
@@ -483,6 +483,6 @@ class QueryContextProcessor:
             query.validate()
 
         if self._qc_datasource.type == DatasourceType.QUERY:
-            security_manager.raise_for_access(query=self._qc_datasource)
+            security_manager.raise_for_access(datasource=self._qc_datasource)
         else:
             security_manager.raise_for_access(query_context=self._query_context)
diff --git a/superset/connectors/sqla/models.py b/superset/connectors/sqla/models.py
index 39bc716b6d5..1cdce4f78b3 100644
--- a/superset/connectors/sqla/models.py
+++ b/superset/connectors/sqla/models.py
@@ -198,7 +198,7 @@ class BaseDatasource(
     is_featured = Column(Boolean, default=False)  # TODO deprecating
     filter_select_enabled = Column(Boolean, default=True)
     offset = Column(Integer, default=0)
-    cache_timeout = Column(Integer)
+    _cache_timeout = Column("cache_timeout", Integer)
     params = Column(String(1000))
     perm = Column(String(1000))
     schema_perm = Column(String(1000))
@@ -212,6 +212,28 @@ class BaseDatasource(
 
     extra_import_fields = ["is_managed_externally", "external_url"]
 
+    @property
+    def cache_timeout(self) -> int | None:
+        """
+        Get the cache timeout for this datasource.
+
+        Implements the Explorable protocol by handling the fallback chain:
+        1. Datasource-specific timeout (if set)
+        2. Database default timeout (if no datasource timeout)
+        3. None (use system default)
+
+        This allows each datasource to override caching, while falling back
+        to database-level defaults when appropriate.
+        """
+        if self._cache_timeout is not None:
+            return self._cache_timeout
+        return self.database.cache_timeout
+
+    @cache_timeout.setter
+    def cache_timeout(self, value: int | None) -> None:
+        """Set the datasource-specific cache timeout."""
+        self._cache_timeout = value
+
     @property
     def kind(self) -> DatasourceKind:
         return DatasourceKind.VIRTUAL if self.sql else DatasourceKind.PHYSICAL
@@ -865,6 +887,25 @@ class TableColumn(AuditMixinNullable, ImportExportMixin, CertificationMixin, Mod
     def database(self) -> Database:
         return self.table.database if self.table else self._database  # type: ignore
 
+    def get_time_grains(self) -> list[dict[str, Any]]:
+        """
+        Get available time granularities from the database.
+
+        Implements the Explorable protocol by delegating to the database's
+        time grain definitions. Each database engine spec defines its own
+        set of supported time grains.
+
+        :return: List of time grain dictionaries with name, function, and duration
+        """
+        return [
+            {
+                "name": grain.name,
+                "function": grain.function,
+                "duration": grain.duration,
+            }
+            for grain in (self.database.grains() or [])
+        ]
+
     @property
     def db_engine_spec(self) -> builtins.type[BaseEngineSpec]:
         return self.database.db_engine_spec
diff --git a/superset/explorables/base.py b/superset/explorables/base.py
new file mode 100644
index 00000000000..716964fbd4f
--- /dev/null
+++ b/superset/explorables/base.py
@@ -0,0 +1,300 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+"""
+Base protocol for explorable data sources in Superset.
+
+An "explorable" is any data source that can be explored to create charts,
+including SQL datasets, saved queries, and semantic layer views.
+"""
+
+from __future__ import annotations
+
+from collections.abc import Hashable
+from datetime import datetime
+from typing import Any, Protocol, runtime_checkable
+
+from superset.common.query_object import QueryObject
+from superset.models.helpers import QueryResult
+from superset.superset_typing import QueryObjectDict
+
+
+@runtime_checkable
+class Explorable(Protocol):
+    """
+    Protocol for objects that can be explored to create charts.
+
+    This protocol defines the minimal interface required for a data source
+    to be visualizable in Superset. It is implemented by:
+    - BaseDatasource (SQL datasets and queries)
+    - SemanticView (semantic layer views)
+    - Future: Other data source types
+
+    The protocol focuses on the essential methods and properties needed
+    for query execution, caching, and security.
+    """
+
+    # =========================================================================
+    # Core Query Interface
+    # =========================================================================
+
+    def get_query_result(self, query_object: QueryObject) -> QueryResult:
+        """
+        Execute a query and return results.
+
+        This is the primary method for data retrieval. It takes a query
+        object describing what data to fetch (columns, metrics, filters, time range,
+        etc.) and returns a QueryResult containing a pandas DataFrame with the results.
+
+        :param query_obj: QueryObject describing the query
+
+        :return: QueryResult containing:
+            - df: pandas DataFrame with query results
+            - query: string representation of the executed query
+            - duration: query execution time
+            - status: QueryStatus (SUCCESS/FAILED)
+            - error_message: error details if query failed
+        """
+
+    def get_query_str(self, query_obj: QueryObjectDict) -> str:
+        """
+        Get the query string without executing.
+
+        Returns a string representation of the query that would be executed
+        for the given query object. This is used for display in the UI
+        and debugging.
+
+        :param query_obj: Dictionary describing the query
+        :return: String representation of the query (SQL, GraphQL, etc.)
+        """
+
+    # =========================================================================
+    # Identity & Metadata
+    # =========================================================================
+
+    @property
+    def uid(self) -> str:
+        """
+        Unique identifier for this explorable.
+
+        Used as part of cache keys and for tracking. Should be stable
+        across application restarts but change when the explorable's
+        data or structure changes.
+
+        Format convention: "{type}_{id}" (e.g., "table_123", "semantic_view_abc")
+
+        :return: Unique identifier string
+        """
+
+    @property
+    def type(self) -> str:
+        """
+        Type discriminator for this explorable.
+
+        Identifies the kind of data source (e.g., 'table', 'query', 'semantic_view').
+        Used for routing and type-specific behavior.
+
+        :return: Type identifier string
+        """
+
+    @property
+    def columns(self) -> list[Any]:
+        """
+        List of column metadata objects.
+
+        Each object should provide at minimum:
+        - column_name: str - the column's name
+        - type: str - the column's data type
+        - is_dttm: bool - whether it's a datetime column
+
+        Used for validation, autocomplete, and query building.
+
+        :return: List of column metadata objects
+        """
+
+    @property
+    def column_names(self) -> list[str]:
+        """
+        List of available column names.
+
+        A simple list of all column names in the explorable.
+        Used for quick validation and filtering.
+
+        :return: List of column name strings
+        """
+
+    @property
+    def data(self) -> dict[str, Any]:
+        """
+        Full metadata representation sent to the frontend.
+
+        This property returns a dictionary containing all the metadata
+        needed by the Explore UI, including columns, metrics, and
+        other configuration.
+
+        Required keys in the returned dictionary:
+        - id: unique identifier (int or str)
+        - uid: unique string identifier
+        - name: display name
+        - type: explorable type ('table', 'query', 'semantic_view', etc.)
+        - columns: list of column metadata dicts (with column_name, type, etc.)
+        - metrics: list of metric metadata dicts (with metric_name, expression, etc.)
+        - database: database metadata dict (with id, backend, etc.)
+
+        Optional keys:
+        - description: human-readable description
+        - schema: schema name (if applicable)
+        - catalog: catalog name (if applicable)
+        - cache_timeout: default cache timeout
+        - offset: timezone offset
+        - owners: list of owner IDs
+        - verbose_map: dict mapping column/metric names to display names
+
+        :return: Dictionary with complete explorable metadata
+        """
+
+    # =========================================================================
+    # Caching
+    # =========================================================================
+
+    @property
+    def cache_timeout(self) -> int | None:
+        """
+        Default cache timeout in seconds.
+
+        Determines how long query results should be cached.
+        Returns None to use the system default cache timeout.
+
+        :return: Cache timeout in seconds, or None for system default
+        """
+
+    @property
+    def changed_on(self) -> datetime | None:
+        """
+        Last modification timestamp.
+
+        Used for cache invalidation - when this changes, cached
+        results for this explorable become invalid.
+
+        :return: Datetime of last modification, or None
+        """
+
+    def get_extra_cache_keys(self, query_obj: QueryObjectDict) -> list[Hashable]:
+        """
+        Additional cache key components specific to this explorable.
+
+        Provides explorable-specific values to include in cache keys.
+        Used to ensure cache invalidation when the explorable's
+        underlying data or configuration changes in ways not captured
+        by uid or changed_on.
+
+        :param query_obj: The query being executed
+        :return: List of additional hashable values for cache key
+        """
+
+    # =========================================================================
+    # Security
+    # =========================================================================
+
+    @property
+    def perm(self) -> str:
+        """
+        Permission string for this explorable.
+
+        Used by the security manager to check if a user has access
+        to this data source. Format depends on the explorable type
+        (e.g., "[database].[schema].[table]" for SQL tables).
+
+        :return: Permission identifier string
+        """
+
+    # =========================================================================
+    # Time/Date Handling
+    # =========================================================================
+
+    @property
+    def offset(self) -> int:
+        """
+        Timezone offset for datetime columns.
+
+        Used to normalize datetime values to the user's timezone.
+        Returns 0 for UTC, or an offset in seconds.
+
+        :return: Timezone offset in seconds (0 for UTC)
+        """
+
+    # =========================================================================
+    # Time Granularity
+    # =========================================================================
+
+    def get_time_grains(self) -> list[dict[str, Any]]:
+        """
+        Get available time granularities for temporal grouping.
+
+        Returns a list of time grain options that can be used for grouping
+        temporal data. Each time grain specifies how to bucket timestamps
+        (e.g., by hour, day, week, month).
+
+        Each dictionary in the returned list should contain:
+        - name: str - Display name (e.g., "Hour", "Day", "Week")
+        - function: str - How to apply the grain (implementation-specific)
+        - duration: str - ISO 8601 duration string (e.g., "PT1H", "P1D", "P1W")
+
+        For SQL datasources, the function is typically a SQL expression template
+        like "DATE_TRUNC('hour', {col})". For semantic layers, it might be a
+        semantic layer-specific identifier like "hour" or "day".
+
+        Return an empty list if time grains are not supported or applicable.
+
+        Example return value:
+        ```python
+        [
+            {"name": "Second", "function": "DATE_TRUNC('second', {col})", "duration": "PT1S"},
+            {"name": "Minute", "function": "DATE_TRUNC('minute', {col})", "duration": "PT1M"},
+            {"name": "Hour", "function": "DATE_TRUNC('hour', {col})", "duration": "PT1H"},
+            {"name": "Day", "function": "DATE_TRUNC('day', {col})", "duration": "P1D"},
+        ]
+        ```
+
+        :return: List of time grain dictionaries (empty list if not supported)
+        """
+
+    # =========================================================================
+    # Optional Properties
+    # =========================================================================
+
+    @property
+    def is_rls_supported(self) -> bool:
+        """
+        Whether this explorable supports Row Level Security.
+
+        Row Level Security (RLS) allows filtering data based on user identity.
+        SQL-based datasources typically support this, while semantic layers
+        may handle security at a different level.
+
+        :return: True if RLS is supported, False otherwise
+        """
+
+    @property
+    def query_language(self) -> str | None:
+        """
+        Query language identifier for syntax highlighting.
+
+        Specifies the language used in queries for proper syntax highlighting
+        in the UI (e.g., 'sql', 'graphql', 'jsoniq').
+
+        :return: Language identifier string, or None if not applicable
+        """
diff --git a/superset/models/helpers.py b/superset/models/helpers.py
index ecf1ff869cd..01498cedd9f 100644
--- a/superset/models/helpers.py
+++ b/superset/models/helpers.py
@@ -837,7 +837,7 @@ class ExploreMixin:  # pylint: disable=too-many-public-methods
         raise NotImplementedError()
 
     @property
-    def cache_timeout(self) -> int:
+    def cache_timeout(self) -> int | None:
         raise NotImplementedError()
 
     @property
diff --git a/superset/security/manager.py b/superset/security/manager.py
index f173da512e2..dc41a5b99bb 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -87,6 +87,7 @@ if TYPE_CHECKING:
         RowLevelSecurityFilter,
         SqlaTable,
     )
+    from superset.explorables.base import Explorable
     from superset.models.core import Database
     from superset.models.dashboard import Dashboard
     from superset.models.slice import Slice
@@ -540,24 +541,43 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
             or (catalog_perm and self.can_access("catalog_access", catalog_perm))
         )
 
-    def can_access_schema(self, datasource: "BaseDatasource") -> bool:
+    def can_access_schema(self, datasource: "BaseDatasource | Explorable") -> bool:
         """
         Return True if the user can access the schema associated with specified
         datasource, False otherwise.
 
+        For SQL datasources: Checks database → catalog → schema hierarchy
+        For other explorables: Only checks all_datasources permission
+
         :param datasource: The datasource
         :returns: Whether the user can access the datasource's schema
         """
+        from superset.connectors.sqla.models import BaseDatasource
 
-        return (
-            self.can_access_all_datasources()
-            or self.can_access_database(datasource.database)
-            or (
-                datasource.catalog
+        # Admin/superuser override
+        if self.can_access_all_datasources():
+            return True
+
+        # SQL-specific hierarchy checks
+        if isinstance(datasource, BaseDatasource):
+            # Database-level access grants all schemas
+            if self.can_access_database(datasource.database):
+                return True
+
+            # Catalog-level access grants all schemas in catalog
+            if (
+                hasattr(datasource, "catalog")
+                and datasource.catalog
                 and self.can_access_catalog(datasource.database, datasource.catalog)
-            )
-            or self.can_access("schema_access", datasource.schema_perm or "")
-        )
+            ):
+                return True
+
+            # Schema-level permission (SQL only)
+            if self.can_access("schema_access", datasource.schema_perm or ""):
+                return True
+
+        # Non-SQL explorables don't have schema hierarchy
+        return False
 
     def can_access_datasource(self, datasource: "BaseDatasource") -> bool:
         """
@@ -604,7 +624,7 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
         self,
         form_data: dict[str, Any],
         dashboard: "Dashboard",
-        datasource: "BaseDatasource",
+        datasource: "BaseDatasource | Explorable",
     ) -> bool:
         """
         Return True if the form_data is performing a supported drill by operation,
@@ -630,11 +650,12 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
             and slc in dashboard.slices
             and slc.datasource == datasource
             and (dimensions := form_data.get("groupby"))
+            and (datasource_id := getattr(datasource, "id", None))
             and (
                 drillable_columns := {
                     row[0]
                     for row in self.session.query(TableColumn.column_name)
-                    .filter(TableColumn.table_id == datasource.id)
+                    .filter(TableColumn.table_id == datasource_id)
                     .filter(TableColumn.groupby)
                     .all()
                 }
@@ -705,7 +726,7 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
         )
 
     @staticmethod
-    def get_datasource_access_error_msg(datasource: "BaseDatasource") -> str:
+    def get_datasource_access_error_msg(datasource: "BaseDatasource | Explorable") -> str:
         """
         Return the error message for the denied Superset datasource.
 
@@ -713,14 +734,15 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
         :returns: The error message
         """
 
+        datasource_id = getattr(datasource, "id", datasource.data.get("id") if hasattr(datasource, "data") else None)
         return (
-            f"This endpoint requires the datasource {datasource.id}, "
+            f"This endpoint requires the datasource {datasource_id}, "
             "database or `all_datasource_access` permission"
         )
 
     @staticmethod
     def get_datasource_access_link(  # pylint: disable=unused-argument
-        datasource: "BaseDatasource",
+        datasource: "BaseDatasource | Explorable",
     ) -> Optional[str]:
         """
         Return the link for the denied Superset datasource.
@@ -732,7 +754,7 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
         return get_conf().get("PERMISSION_INSTRUCTIONS_LINK")
 
     def get_datasource_access_error_object(  # pylint: disable=invalid-name
-        self, datasource: "BaseDatasource"
+        self, datasource: "BaseDatasource | Explorable"
     ) -> SupersetError:
         """
         Return the error object for the denied Superset datasource.
@@ -746,8 +768,8 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
             level=ErrorLevel.WARNING,
             extra={
                 "link": self.get_datasource_access_link(datasource),
-                "datasource": datasource.id,
-                "datasource_name": datasource.name,
+                "datasource": getattr(datasource, "id", datasource.data.get("id") if hasattr(datasource, "data") else None),
+                "datasource_name": getattr(datasource, "name", datasource.data.get("name") if hasattr(datasource, "data") else None),
             },
         )
 
@@ -2280,8 +2302,8 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
         dashboard: Optional["Dashboard"] = None,
         chart: Optional["Slice"] = None,
         database: Optional["Database"] = None,
-        datasource: Optional["BaseDatasource"] = None,
-        query: Optional["Query"] = None,
+        datasource: Optional["BaseDatasource | Explorable"] = None,
+        query: Optional["Query | Explorable"] = None,
         query_context: Optional["QueryContext"] = None,
         table: Optional["Table"] = None,
         viz: Optional["BaseViz"] = None,
@@ -2326,7 +2348,9 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
 
         if database and table or query:
             if query:
-                database = query.database
+                # Type narrow: only SQL Lab Query objects have .database attribute
+                if hasattr(query, "database"):
+                    database = query.database
 
             database = cast("Database", database)
             default_catalog = database.get_default_catalog()
@@ -2334,7 +2358,8 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
             if self.can_access_database(database):
                 return
 
-            if query:
+            # Type narrow: this path only applies to SQL Lab Query objects
+            if query and hasattr(query, "sql") and hasattr(query, "catalog"):
                 # Getting the default schema for a query is hard. Users can select the
                 # schema in SQL Lab, but there's no guarantee that the query actually
                 # will run in that schema. Each DB engine spec needs to implement the
@@ -2343,7 +2368,7 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
                 # from the SQLAlchemy URI if possible; if not, we use the SQLAlchemy
                 # inspector to read it.
                 default_schema = database.get_default_schema_for_query(
-                    query, template_params
+                    query, template_params  # type: ignore[arg-type]
                 )
                 tables = {
                     table_.qualify(
@@ -2455,7 +2480,7 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
                             and dashboard_.json_metadata
                             and (json_metadata := json.loads(dashboard_.json_metadata))
                             and any(
-                                target.get("datasetId") == datasource.id
+                                target.get("datasetId") == getattr(datasource, "id", datasource.data.get("id") if hasattr(datasource, "data") else None)
                                 for fltr in json_metadata.get(
                                     "native_filter_configuration",
                                     [],
@@ -2560,7 +2585,7 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
         return super().get_user_roles(user)
 
     def get_guest_rls_filters(
-        self, dataset: "BaseDatasource"
+        self, dataset: "BaseDatasource | Explorable"
     ) -> list[GuestTokenRlsRule]:
         """
         Retrieves the row level security filters for the current user and the dataset,
@@ -2569,15 +2594,16 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
         :return: A list of filters
         """
         if guest_user := self.get_current_guest_user_if_guest():
+            dataset_id = getattr(dataset, "id", dataset.data.get("id") if hasattr(dataset, "data") else None)
             return [
                 rule
                 for rule in guest_user.rls
                 if not rule.get("dataset")
-                or str(rule.get("dataset")) == str(dataset.id)
+                or str(rule.get("dataset")) == str(dataset_id)
             ]
         return []
 
-    def get_rls_filters(self, table: "BaseDatasource") -> list[SqlaQuery]:
+    def get_rls_filters(self, table: "BaseDatasource | Explorable") -> list[SqlaQuery]:
         """
         Retrieves the appropriate row level security filters for the current user and
         the passed table.
@@ -2613,8 +2639,9 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
             )
             .filter(RLSFilterRoles.c.role_id.in_(user_roles))
         )
+        table_id = getattr(table, "id", table.data.get("id") if hasattr(table, "data") else None)
         filter_tables = self.session.query(RLSFilterTables.c.rls_filter_id).filter(
-            RLSFilterTables.c.table_id == table.id
+            RLSFilterTables.c.table_id == table_id
         )
         query = (
             self.session.query(
@@ -2640,7 +2667,7 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
         )
         return query.all()
 
-    def get_rls_sorted(self, table: "BaseDatasource") -> list["RowLevelSecurityFilter"]:
+    def get_rls_sorted(self, table: "BaseDatasource | Explorable") -> list["RowLevelSecurityFilter"]:
         """
         Retrieves a list RLS filters sorted by ID for
         the current user and the passed table.
@@ -2652,12 +2679,12 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
         filters.sort(key=lambda f: f.id)
         return filters
 
-    def get_guest_rls_filters_str(self, table: "BaseDatasource") -> list[str]:
+    def get_guest_rls_filters_str(self, table: "BaseDatasource | Explorable") -> list[str]:
         return [f.get("clause", "") for f in self.get_guest_rls_filters(table)]
 
-    def get_rls_cache_key(self, datasource: "BaseDatasource") -> list[str]:
+    def get_rls_cache_key(self, datasource: "Explorable | BaseDatasource") -> list[str]:
         rls_clauses_with_group_key = []
-        if datasource.is_rls_supported:
+        if hasattr(datasource, "is_rls_supported") and datasource.is_rls_supported:
             rls_clauses_with_group_key = [
                 f"{f.clause}-{f.group_key or ''}"
                 for f in self.get_rls_sorted(datasource)
diff --git a/superset/utils/core.py b/superset/utils/core.py
index 9acd7e03c7f..7ff6021f060 100644
--- a/superset/utils/core.py
+++ b/superset/utils/core.py
@@ -115,6 +115,7 @@ from superset.utils.pandas import detect_datetime_format
 
 if TYPE_CHECKING:
     from superset.connectors.sqla.models import BaseDatasource, TableColumn
+    from superset.explorables.base import Explorable
     from superset.models.core import Database
     from superset.models.sql_lab import Query
 
@@ -1656,7 +1657,7 @@ def map_sql_type_to_inferred_type(sql_type: Optional[str]) -> str:
     return "string"  # If no match is found, return "string" as default
 
 
-def get_metric_type_from_column(column: Any, datasource: BaseDatasource | Query) -> str:
+def get_metric_type_from_column(column: Any, datasource: BaseDatasource | Explorable | Query) -> str:
     """
     Determine the metric type from a given column in a datasource.
 
@@ -1674,6 +1675,10 @@ def get_metric_type_from_column(column: Any, datasource: BaseDatasource | Query)
 
     from superset.connectors.sqla.models import SqlMetric
 
+    # Explorable datasources may not have metrics attribute
+    if not hasattr(datasource, "metrics"):
+        return ""
+
     metric: SqlMetric = next(
         (metric for metric in datasource.metrics if metric.metric_name == column),
         SqlMetric(metric_name=""),
@@ -1698,7 +1703,7 @@ def get_metric_type_from_column(column: Any, datasource: BaseDatasource | Query)
 
 def extract_dataframe_dtypes(
     df: pd.DataFrame,
-    datasource: BaseDatasource | Query | None = None,
+    datasource: BaseDatasource | Explorable | Query | None = None,
 ) -> list[GenericDataType]:
     """Serialize pandas/numpy dtypes to generic types"""
 
@@ -1718,7 +1723,8 @@ def extract_dataframe_dtypes(
     if datasource:
         for column in datasource.columns:
             if isinstance(column, dict):
-                columns_by_name[column.get("column_name")] = column
+                if column_name := column.get("column_name"):
+                    columns_by_name[column_name] = column
             else:
                 columns_by_name[column.column_name] = column
 
@@ -1768,11 +1774,11 @@ def is_test() -> bool:
 
 
 def get_time_filter_status(
-    datasource: BaseDatasource,
+    datasource: BaseDatasource | Explorable,
     applied_time_extras: dict[str, str],
 ) -> tuple[list[dict[str, str]], list[dict[str, str]]]:
     temporal_columns: set[Any] = {
-        col.column_name for col in datasource.columns if col.is_dttm
+        (col.column_name if hasattr(col, "column_name") else col.get("column_name")) for col in datasource.columns if (col.is_dttm if hasattr(col, "is_dttm") else col.get("is_dttm"))
     }
     applied: list[dict[str, str]] = []
     rejected: list[dict[str, str]] = []