Fix order

.asf.yaml

@@ -24,9 +24,7 @@ notifications:
   discussions: notifications@superset.apache.org
 
 github:
-  pull_requests:
-    del_branch_on_merge: true
-    allow_update_branch: true
+  del_branch_on_merge: true
   description: "Apache Superset is a Data Visualization and Data Exploration Platform"
   homepage: https://superset.apache.org/
   labels:

.claude/settings.json

@@ -1,15 +0,0 @@
-{
-  "hooks": {
-    "PreToolUse": [
-      {
-        "matcher": "Bash",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "jq -r '.tool_input.command // \"\"' | grep -qE '^git commit' && cd \"$CLAUDE_PROJECT_DIR\" && echo '🔍 Running pre-commit before commit...' && pre-commit run || true"
-          }
-        ]
-      }
-    ]
-  }
-}

.devcontainer/devcontainer.json

@@ -13,7 +13,7 @@
 
   "features": {
     "ghcr.io/devcontainers/features/docker-in-docker:2": {
-      "moby": false,
+      "moby": true,
       "dockerDashComposeVersion": "v2"
     },
     "ghcr.io/devcontainers/features/node:1": {

.envrc.example

@@ -1,41 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#    http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# Auto-configure Docker Compose for multi-instance support
-# Requires direnv: https://direnv.net/
-#
-# Install: brew install direnv (or apt install direnv)
-# Setup: Add 'eval "$(direnv hook bash)"' to ~/.bashrc (or ~/.zshrc)
-# Allow: Run 'direnv allow' in this directory once
-
-# Generate unique project name from directory
-export COMPOSE_PROJECT_NAME=$(basename "$PWD" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/-/g')
-
-# Find available ports sequentially to avoid collisions
-_is_free() { ! lsof -i ":$1" &>/dev/null 2>&1; }
-
-_p=80;    while ! _is_free $_p; do ((_p++)); done; export NGINX_PORT=$_p
-_p=8088;  while ! _is_free $_p; do ((_p++)); done; export SUPERSET_PORT=$_p
-_p=9000;  while ! _is_free $_p; do ((_p++)); done; export NODE_PORT=$_p
-_p=8080;  while ! _is_free $_p || [ $_p -eq $NGINX_PORT ]; do ((_p++)); done; export WEBSOCKET_PORT=$_p
-_p=8081;  while ! _is_free $_p || [ $_p -eq $WEBSOCKET_PORT ]; do ((_p++)); done; export CYPRESS_PORT=$_p
-_p=5432;  while ! _is_free $_p; do ((_p++)); done; export DATABASE_PORT=$_p
-_p=6379;  while ! _is_free $_p; do ((_p++)); done; export REDIS_PORT=$_p
-
-unset _p _is_free
-
-echo "🐳 Superset configured: http://localhost:$SUPERSET_PORT (dev: localhost:$NODE_PORT)"

.github/CODEOWNERS

@@ -20,12 +20,7 @@
 
 # Notify PMC members of changes to GitHub Actions
 
-/.github/ @villebro @geido @eschutho @rusackas @betodealmeida @nytai @mistercrunch @craig-rueda @kgabryje @dpgaspar @sadpandajoe @hainenber
-
-# Notify PMC members of changes to CI-executed scripts (supply-chain risk:
-# scripts/ files run directly in CI workflows and can execute arbitrary code)
-
-/scripts/ @villebro @geido @eschutho @rusackas @betodealmeida @nytai @mistercrunch @craig-rueda @kgabryje @dpgaspar @sadpandajoe @hainenber
+/.github/ @villebro @geido @eschutho @rusackas @betodealmeida @nytai @mistercrunch @craig-rueda @kgabryje @dpgaspar @sadpandajoe
 
 # Notify PMC members of changes to required GitHub Actions
 
@@ -36,13 +31,8 @@
 **/*.geojson @villebro @rusackas
 /superset-frontend/plugins/legacy-plugin-chart-country-map/ @villebro @rusackas
 
-# Notify translation maintainers of changes to translations
-
-/superset/translations/ @sfirke
-
 # Notify PMC members of changes to extension-related files
 
-/docs/developer_portal/extensions/ @michael-s-molina @villebro @rusackas
 /superset-core/ @michael-s-molina @villebro @geido @eschutho @rusackas @kgabryje
 /superset-extensions-cli/ @michael-s-molina @villebro @geido @eschutho @rusackas @kgabryje
 /superset/core/ @michael-s-molina @villebro @geido @eschutho @rusackas @kgabryje

.github/ISSUE_TEMPLATE/bug-report.yml

@@ -41,8 +41,8 @@ body:
       label: Superset version
       options:
         - master / latest-dev
-        - "6.0.0"
         - "5.0.0"
+        - "4.1.3"
     validations:
       required: true
   - type: dropdown

.github/SECURITY.md

@@ -18,32 +18,10 @@ e-mail address [security@superset.apache.org](mailto:security@superset.apache.or
 More details can be found on the ASF website at
 [ASF vulnerability reporting process](https://apache.org/security/#reporting-a-vulnerability)
 
-**Submission Standards & AI Policy**
-
-To ensure engineering focus remains on verified risks and to manage high reporting volumes, all reports must meet the following criteria:
-- Plain Text Format: In accordance with Apache guidelines, please provide all details in plain text within the email body. Avoid sending PDFs, Word documents, or password-protected archives.
-- Mandatory AI Disclosure: If you utilized Large Language Models (LLMs) or AI tools to identify a flaw or assist in writing a report, you must disclose this in your submission so our triage team can contextualize the findings.
-- Human-Verified PoC: All submissions must include a manual, step-by-step Proof of Concept (PoC) performed on a supported release. Raw AI outputs, hypothetical chat transcripts, or unverified scanner logs will be closed as Invalid.
-
-We kindly ask you to include the following information in your report to assist our developers in triaging and remediating issues efficiently:
-- Version/Commit: The specific version of Apache Superset or the Git commit hash you are using.
-- Configuration: A sanitized copy of your `superset_config.py` file or any config overrides.
-- Environment: Your deployment method (e.g., Docker Compose, Helm, or source) and relevant OS/Browser details.
-- Impacted Component: Identification of the affected area (e.g., Python backend, React frontend, or a specific database connector).
-- Expected vs. Actual Behavior: A clear description of the intended system behavior versus the observed vulnerability.
-- Detailed Reproduction Steps: Clear, manual steps to reproduce the vulnerability.
-
-**Out of Scope Vulnerabilities**
-
-To prioritize engineering efforts on genuine architectural risks, the following scenarios are explicitly out of scope and will not be issued a CVE:
-- Attacks requiring Admin privileges: (e.g., CSS injection, template manipulation, dashboard ownership overrides, or modifying global system settings). Per the CVE vulnerability definition in CNA Operational Rules 4.1, a qualifying vulnerability must allow violation of a security policy. The Admin role is a fully trusted operational boundary defined by Apache Superset's security policy; actions within this boundary do not violate that policy and are therefore considered intended capabilities 'by design,' not vulnerabilities.
-- Brute Force and Rate Limiting: Reports targeting a lack of resource exhaustion protections, generic rate-limiting, or volumetric Denial of Service (DoS) attempts.
-- Theoretical attack vectors: Issues without a demonstrable, reproducible exploit path.
-- Non-Exploitable Findings: Missing security headers, generic banner disclosures, or descriptive error messages that do not lead to a direct, documented exploit.
-
-**Outcome of Reports**
-
-Reports that are deemed out-of-scope for a CVE but represent valid security best practices or hardening opportunities may be converted into public GitHub issues. This allows the community to contribute to the general hardening of the platform even when a specific vulnerability threshold is not met.
+We kindly ask you to include the following information in your report:
+- Apache Superset version that you are using
+- A sanitized copy of your `superset_config.py` file or any config overrides
+- Detailed steps to reproduce the vulnerability
 
 Note that Apache Superset is not responsible for any third-party dependencies that may
 have security issues. Any vulnerabilities found in third-party dependencies should be
@@ -51,13 +29,6 @@ reported to the maintainers of those projects. Results from security scans of Ap
 Superset dependencies found on its official Docker image can be remediated at release time
 by extending the image itself.
 
-**Vulnerability Aggregation & CVE Attribution**
-
-In accordance with MITRE CNA Operational Rules (4.1.10, 4.1.11, and 4.2.13), Apache Superset issues CVEs based on the underlying architectural root cause rather than the number of affected endpoints or exploit payloads.
-- Aggregation: If multiple exploit vectors stem from the same programmatic failure or shared vulnerable code, they must be aggregated into a single, comprehensive report.
-- Independent Fixes: Separate CVEs will only be assigned if the vulnerabilities reside in decoupled architectural modules and can be fixed independently of one another.
-Reports that fail to aggregate related findings will be merged during triage to ensure an accurate and defensible CVE record.
-
 **Your responsible disclosure and collaboration are invaluable.**
 
 ## Extra Information

.github/actions/change-detector/label-draft-pr.yml

@@ -10,7 +10,7 @@ jobs:
     steps:
       - name: Check if the PR is a draft
         id: check-draft
-        uses: actions/github-script@v8
+        uses: actions/github-script@v6
         with:
           script: |
             const isDraft = context.payload.pull_request.draft;

.github/actions/setup-docker/action.yml

@@ -26,16 +26,16 @@ runs:
 
     - name: Set up QEMU
       if: ${{ inputs.build == 'true' }}
-      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      uses: docker/setup-qemu-action@v3
 
     - name: Set up Docker Buildx
       if: ${{ inputs.build == 'true' }}
-      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+      uses: docker/setup-buildx-action@v3
 
     - name: Try to login to DockerHub
       if: ${{ inputs.login-to-dockerhub == 'true' }}
       continue-on-error: true
-      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+      uses: docker/login-action@v3
       with:
         username: ${{ inputs.dockerhub-user }}
         password: ${{ inputs.dockerhub-token }}

.github/dependabot.yml

@@ -4,51 +4,18 @@ updates:
 
   - package-ecosystem: "github-actions"
     directory: "/"
-    ignore:
-      # Ignore temporarily as release schedule is too mentally taxing for dep-handling maintainers
-      # Additionally, very few PRs are reviewed by this action.
-      - dependency-name: anthropics/claude-code-action
     schedule:
       interval: "daily"
 
   - package-ecosystem: "npm"
     ignore:
-      # TODO: remove below entries until React >= 18.0.0
+      # not until React >= 18.0.0
       - dependency-name: "storybook"
-        update-types: ["version-update:semver-major", "version-update:semver-minor"]
       - dependency-name: "@storybook*"
-        update-types: ["version-update:semver-major", "version-update:semver-minor"]
-      - dependency-name: "eslint-plugin-storybook"
-      - dependency-name: "react-error-boundary"
-      - dependency-name: "@rjsf/*"
-      # remark-gfm v4+ requires react-markdown v9+, which needs React 18
-      - dependency-name: "remark-gfm"
-      - dependency-name: "react-markdown"
-      # TODO: remove below entries until React >= 19.0.0
-      - dependency-name: "react-icons"
       # JSDOM v30 doesn't play well with Jest v30
       # Source: https://jestjs.io/blog#known-issues
       # GH thread: https://github.com/jsdom/jsdom/issues/3492
       - dependency-name: "jest-environment-jsdom"
-      # `@swc/plugin-transform-imports` doesn't work with current Webpack-SWC hybrid setup
-      # See https://github.com/apache/superset/pull/37384#issuecomment-3793991389
-      # TODO: remove the plugin once Lodash usage has been migrated to a more readily tree-shakeable alternative
-      - dependency-name: "@swc/plugin-transform-imports"
-      # `just-handlerbars-helpers` library in plugin-chart-handlebars requires `currencyformatter`` to be < 2
-      - dependency-name: "currencyformatter.js"
-        update-types: ["version-update:semver-major"]
-      # TODO: remove below clause once https://github.com/pmmmwh/react-refresh-webpack-plugin/pull/940 lands onto a future release
-      # and confirm the issue https://github.com/apache/superset/issues/39600 is fixed
-      - dependency-name: "react-checkbox-tree"
-        update-types: ["version-update:semver-major"]
-    groups:
-      storybook:
-        applies-to: version-updates
-        patterns:
-          - "@storybook*"
-          - "storybook"
-        update-types:
-          - "patch"
     directory: "/superset-frontend/"
     schedule:
       interval: "daily"
@@ -59,13 +26,15 @@ updates:
     versioning-strategy: increase
 
 
-  - package-ecosystem: "pip"
-    directory: "/"
+  # NOTE: `uv` support is in beta, more details here:
+  # https://github.com/dependabot/dependabot-core/pull/10040#issuecomment-2696978430
+  - package-ecosystem: "uv"
+    directory: "requirements/"
     open-pull-requests-limit: 10
     schedule:
       interval: "weekly"
     labels:
-      - pip
+      - uv
       - dependabot
 
   - package-ecosystem: "npm"
@@ -77,22 +46,6 @@ updates:
 
   - package-ecosystem: "npm"
     directory: "/docs/"
-    ignore:
-      # TODO: remove below entries until React >= 18.0.0 in superset-frontend
-      - dependency-name: "storybook"
-        update-types: ["version-update:semver-major", "version-update:semver-minor"]
-      - dependency-name: "@storybook*"
-        update-types: ["version-update:semver-major", "version-update:semver-minor"]
-      - dependency-name: "eslint-plugin-storybook"
-      - dependency-name: "react-error-boundary"
-    groups:
-      storybook:
-        applies-to: version-updates
-        patterns:
-          - "@storybook*"
-          - "storybook"
-        update-types:
-          - "patch"
     schedule:
       interval: "daily"
     open-pull-requests-limit: 10
@@ -129,6 +82,16 @@ updates:
     open-pull-requests-limit: 5
     versioning-strategy: increase
 
+  - package-ecosystem: "npm"
+    directory: "/superset-frontend/plugins/legacy-plugin-chart-histogram/"
+    schedule:
+      interval: "daily"
+    labels:
+      - npm
+      - dependabot
+    open-pull-requests-limit: 5
+    versioning-strategy: increase
+
   - package-ecosystem: "npm"
     directory: "/superset-frontend/plugins/legacy-plugin-chart-partition/"
     schedule:
@@ -151,9 +114,6 @@ updates:
 
   - package-ecosystem: "npm"
     directory: "/superset-frontend/plugins/plugin-chart-pivot-table/"
-    ignore:
-      # TODO: remove below entries until React >= 19.0.0
-      - dependency-name: "react-icons"
     schedule:
       interval: "daily"
     labels:
@@ -204,9 +164,6 @@ updates:
 
   - package-ecosystem: "npm"
     directory: "/superset-frontend/plugins/plugin-chart-table/"
-    ignore:
-      # TODO: remove below entries until React >= 19.0.0
-      - dependency-name: "react-icons"
     schedule:
       interval: "daily"
     labels:
@@ -235,6 +192,16 @@ updates:
     open-pull-requests-limit: 5
     versioning-strategy: increase
 
+  - package-ecosystem: "npm"
+    directory: "/superset-frontend/plugins/legacy-plugin-chart-sankey/"
+    schedule:
+      interval: "daily"
+    labels:
+      - npm
+      - dependabot
+    open-pull-requests-limit: 5
+    versioning-strategy: increase
+
   - package-ecosystem: "npm"
     directory: "/superset-frontend/plugins/legacy-preset-chart-nvd3/"
     schedule:
@@ -255,6 +222,16 @@ updates:
     open-pull-requests-limit: 5
     versioning-strategy: increase
 
+  - package-ecosystem: "npm"
+    directory: "/superset-frontend/plugins/legacy-plugin-chart-event-flow/"
+    schedule:
+      interval: "daily"
+    labels:
+      - npm
+      - dependabot
+    open-pull-requests-limit: 5
+    versioning-strategy: increase
+
   - package-ecosystem: "npm"
     directory: "/superset-frontend/plugins/legacy-plugin-chart-paired-t-test/"
     schedule:
@@ -265,6 +242,16 @@ updates:
     open-pull-requests-limit: 5
     versioning-strategy: increase
 
+  - package-ecosystem: "npm"
+    directory: "/superset-frontend/plugins/legacy-plugin-chart-sankey-loop/"
+    schedule:
+      interval: "daily"
+    labels:
+      - npm
+      - dependabot
+    open-pull-requests-limit: 5
+    versioning-strategy: increase
+
   - package-ecosystem: "npm"
     directory: "/superset-frontend/plugins/plugin-chart-echarts/"
     schedule:
@@ -276,7 +263,7 @@ updates:
     versioning-strategy: increase
 
   - package-ecosystem: "npm"
-    directory: "/superset-frontend/plugins/plugin-chart-ag-grid-table/"
+    directory: "/superset-frontend/plugins/preset-chart-xy/"
     schedule:
       interval: "daily"
     labels:
@@ -286,7 +273,7 @@ updates:
     versioning-strategy: increase
 
   - package-ecosystem: "npm"
-    directory: "/superset-frontend/plugins/plugin-chart-cartodiagram/"
+    directory: "/superset-frontend/plugins/legacy-plugin-chart-heatmap/"
     schedule:
       interval: "daily"
     labels:
@@ -305,12 +292,18 @@ updates:
     open-pull-requests-limit: 5
     versioning-strategy: increase
 
+  - package-ecosystem: "npm"
+    directory: "/superset-frontend/plugins/legacy-plugin-chart-sunburst/"
+    schedule:
+      interval: "daily"
+    labels:
+      - npm
+      - dependabot
+    open-pull-requests-limit: 5
+    versioning-strategy: increase
+
   - package-ecosystem: "npm"
     directory: "/superset-frontend/plugins/plugin-chart-handlebars/"
-    ignore:
-      # `just-handlerbars-helpers` library in plugin-chart-handlebars requires `currencyformatter`` to be < 2
-      - dependency-name: "currencyformatter.js"
-        update-types: ["version-update:semver-major"]
     schedule:
       interval: "daily"
     labels:
@@ -345,7 +338,16 @@ updates:
       # not until React >= 18.0.0
       - dependency-name: "react-markdown"
       - dependency-name: "remark-gfm"
-      - dependency-name: "react-error-boundary"
+    schedule:
+      interval: "daily"
+    labels:
+      - npm
+      - dependabot
+    open-pull-requests-limit: 5
+    versioning-strategy: increase
+
+  - package-ecosystem: "npm"
+    directory: "/superset-frontend/packages/superset-ui-demo/"
     schedule:
       interval: "daily"
     labels:

.github/labeler.yml

@@ -17,11 +17,6 @@
   - any-glob-to-any-file:
     - 'superset/migrations/**'
 
-"risk:ci-script":
-- changed-files:
-  - any-glob-to-any-file:
-    - 'scripts/**'
-
 ############################################
 # Dependencies
 ############################################
@@ -77,11 +72,6 @@
   - any-glob-to-any-file:
     - 'superset/translations/zh/**'
 
-"i18n:czech":
-- changed-files:
-  - any-glob-to-any-file:
-    - 'superset/translations/cs/**'
-
 "i18n:traditional-chinese":
 - changed-files:
   - any-glob-to-any-file:
@@ -127,11 +117,6 @@
   - any-glob-to-any-file:
     - 'superset/translations/sk/**'
 
-"i18n:latvian":
-- changed-files:
-  - any-glob-to-any-file:
-    - 'superset/translations/lv/**'
-
 "i18n:ukrainian":
 - changed-files:
   - any-glob-to-any-file:

.github/workflows/bashlib.sh

@@ -117,33 +117,6 @@ testdata() {
   say "::endgroup::"
 }
 
-playwright_testdata() {
-  cd "$GITHUB_WORKSPACE"
-  say "::group::Load all examples for Playwright tests"
-  # must specify PYTHONPATH to make `tests.superset_test_config` importable
-  export PYTHONPATH="$GITHUB_WORKSPACE"
-  pip install -e .
-  superset db upgrade
-  superset load_test_users
-  superset load_examples
-  superset init
-  # Enable DML on the examples database so Playwright tests can create/drop
-  # temporary tables via SQL Lab without depending on external data sources.
-  superset shell <<'PYEOF'
-import sys
-from superset.extensions import db
-from superset.models.core import Database
-examples_db = db.session.query(Database).filter_by(database_name='examples').first()
-if not examples_db:
-    sys.exit('ERROR: examples database not found. load_examples may have failed.')
-
-examples_db.allow_dml = True
-db.session.commit()
-print('Enabled allow_dml on examples database')
-PYEOF
-  say "::endgroup::"
-}
-
 celery-worker() {
   cd "$GITHUB_WORKSPACE"
   say "::group::Start Celery worker"
@@ -318,3 +291,26 @@ monitor_memory() {
     sleep 2
   done
 }
+
+cypress-run-applitools() {
+  cd "$GITHUB_WORKSPACE/superset-frontend/cypress-base"
+
+  local flasklog="${HOME}/flask.log"
+  local port=8081
+  local cypress="./node_modules/.bin/cypress run"
+  local browser=${CYPRESS_BROWSER:-chrome}
+
+  export CYPRESS_BASE_URL="http://localhost:${port}"
+
+  nohup flask run --no-debugger -p $port >"$flasklog" 2>&1 </dev/null &
+  local flaskProcessId=$!
+
+  $cypress --spec "cypress/applitools/**/*" --browser "$browser" --headless
+
+  say "::group::Flask log for default run"
+  cat "$flasklog"
+  say "::endgroup::"
+
+  # make sure the program exits
+  kill $flaskProcessId
+}

.github/workflows/bump-python-package.yml

@@ -32,7 +32,7 @@ jobs:
     steps:
 
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: true
           ref: master
@@ -41,7 +41,7 @@ jobs:
         uses: ./.github/actions/setup-supersetbot/
 
       - name: Set up Python ${{ inputs.python-version }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+        uses: actions/setup-python@v6
         with:
           python-version: "3.10"
 
@@ -51,31 +51,27 @@ jobs:
       - name: supersetbot bump-python -p "${{ github.event.inputs.package }}"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          INPUT_PACKAGE: ${{ github.event.inputs.package }}
-          INPUT_GROUP: ${{ github.event.inputs.group }}
-          INPUT_EXTRA_FLAGS: ${{ github.event.inputs.extra-flags }}
-          INPUT_LIMIT: ${{ github.event.inputs.limit }}
         run: |
           git config --global user.email "action@github.com"
           git config --global user.name "GitHub Action"
 
           PACKAGE_OPT=""
-          if [ -n "${INPUT_PACKAGE}" ]; then
-            PACKAGE_OPT="-p ${INPUT_PACKAGE}"
+          if [ -n "${{ github.event.inputs.package }}" ]; then
+            PACKAGE_OPT="-p ${{ github.event.inputs.package }}"
           fi
 
           GROUP_OPT=""
-          if [ -n "${INPUT_GROUP}" ]; then
-            GROUP_OPT="-g ${INPUT_GROUP}"
+          if [ -n "${{ github.event.inputs.group }}" ]; then
+            GROUP_OPT="-g ${{ github.event.inputs.group }}"
           fi
 
-          EXTRA_FLAGS="${INPUT_EXTRA_FLAGS}"
+          EXTRA_FLAGS="${{ github.event.inputs.extra-flags }}"
 
           supersetbot bump-python \
             --verbose \
             --use-current-repo \
             --include-subpackages \
-            --limit ${INPUT_LIMIT} \
+            --limit ${{ github.event.inputs.limit }} \
             $PACKAGE_OPT \
             $GROUP_OPT \
             $EXTRA_FLAGS

.github/workflows/cancel_duplicates.yml

@@ -31,7 +31,7 @@ jobs:
 
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
         if: steps.check_queued.outputs.count >= 20
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
 
       - name: Cancel duplicate workflow runs
         if: steps.check_queued.outputs.count >= 20

.github/workflows/check-python-deps.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive

.github/workflows/check_db_migration_confict.yml

@@ -25,9 +25,9 @@ jobs:
       pull-requests: write
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
       - name: Check and notify
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@v8
         with:
           github-token: ${{ github.token }}
           script: |
@@ -69,7 +69,7 @@ jobs:
                     `❗ @${pull.user.login} Your base branch \`${currentBranch}\` has ` +
                     'also updated `superset/migrations`.\n' +
                     '\n' +
-                    '**Please consider rebasing your branch and [resolving potential db migration conflicts](https://superset.apache.org/docs/contributing/development#merging-db-migrations).**',
+                    '**Please consider rebasing your branch and [resolving potential db migration conflicts](https://github.com/apache/superset/blob/master/CONTRIBUTING.md#merging-db-migrations).**',
                 });
               }
             }

.github/workflows/claude.yml

@@ -17,12 +17,13 @@ jobs:
     steps:
       - name: Check if user is allowed
         id: check
-        env:
-          COMMENTER: ${{ github.event.comment.user.login }}
         run: |
           # List of allowed users
           ALLOWED_USERS="mistercrunch,rusackas"
 
+          # Get the commenter's username
+          COMMENTER="${{ github.event.comment.user.login }}"
+
           echo "Checking permissions for user: $COMMENTER"
 
           # Check if user is in allowed list
@@ -43,13 +44,10 @@ jobs:
       pull-requests: write
     steps:
       - name: Comment access denied
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        env:
-          COMMENTER_LOGIN: ${{ github.event.comment.user.login || github.event.review.user.login || github.event.issue.user.login }}
+        uses: actions/github-script@v8
         with:
           script: |
-            const commenter = process.env.COMMENTER_LOGIN;
-            const message = `👋 Hi @${commenter}!
+            const message = `👋 Hi @${{ github.event.comment.user.login || github.event.review.user.login || github.event.issue.user.login }}!
 
             Thanks for trying to use Claude Code, but currently only certain team members have access to this feature.
 
@@ -73,12 +71,12 @@ jobs:
       id-token: write
     steps:
     - name: Checkout repository
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      uses: actions/checkout@v5
       with:
         fetch-depth: 1
 
     - name: Run Claude PR Action
-      uses: anthropics/claude-code-action@5fb899572b81d2bb648d4d187173a2f423a9677c # beta
+      uses: anthropics/claude-code-action@beta
       with:
         anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
         timeout_minutes: "60"

.github/workflows/codeql-analysis.yml

@@ -31,7 +31,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
 
       - name: Check for file changes
         id: check
@@ -41,7 +41,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,6 +53,6 @@ jobs:
 
       - name: Perform CodeQL Analysis
         if: steps.check.outputs.python || steps.check.outputs.frontend
-        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
+        uses: github/codeql-action/analyze@v4
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -27,9 +27,9 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: "Checkout Repository"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
       - name: "Dependency Review"
-        uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
+        uses: actions/dependency-review-action@v4
         continue-on-error: true
         with:
           fail-on-severity: critical
@@ -39,9 +39,13 @@ jobs:
           # pkg:npm/store2@2.14.2
           #   adding an exception for an ambigious license on store2, which has been resolved in
           #   the latest version. It's MIT: https://github.com/nbubna/store/blob/master/LICENSE-MIT
+          # pkg:npm/applitools/*
+          #   adding exception for all applitools modules (eyes-cypress and its dependencies),
+          #   which has an explicit OSS license approved by ASF
+          #   license: https://applitools.com/legal/open-source-terms-of-use/
           # pkg:npm/node-forge@1.3.1
           #   selecting BSD-3-Clause licensing terms for node-forge to ensure compatibility with Apache
-          allow-dependencies-licenses: pkg:npm/store2@2.14.2, pkg:npm/node-forge@1.3.1, pkg:npm/rgbcolor, pkg:npm/jszip@3.10.1
+          allow-dependencies-licenses: pkg:npm/store2@2.14.2, pkg:npm/applitools/core, pkg:npm/applitools/core-base, pkg:npm/applitools/css-tree, pkg:npm/applitools/ec-client, pkg:npm/applitools/eg-socks5-proxy-server, pkg:npm/applitools/eyes, pkg:npm/applitools/eyes-cypress, pkg:npm/applitools/nml-client, pkg:npm/applitools/tunnel-client, pkg:npm/applitools/utils, pkg:npm/node-forge@1.3.1, pkg:npm/rgbcolor, pkg:npm/jszip@3.10.1
 
   python-dependency-liccheck:
     # NOTE: Configuration for liccheck lives in our pyproject.yml.
@@ -49,7 +53,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: "Checkout Repository"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
 
       - name: Setup Python
         uses: ./.github/actions/setup-backend/

.github/workflows/docker.yml

@@ -42,7 +42,7 @@ jobs:
     steps:
 
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
 
@@ -117,7 +117,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
       - name: Check for file changes

.github/workflows/embedded-sdk-release.yml

@@ -16,12 +16,10 @@ jobs:
         id: check
         shell: bash
         run: |
-          if [ -n "${NPM_TOKEN}" ]; then
+          if [ -n "${{ (secrets.NPM_TOKEN != '') || '' }}" ]; then
             echo "has-secrets=1" >> "$GITHUB_OUTPUT"
           fi
 
-        env:
-          NPM_TOKEN: ${{ (secrets.NPM_TOKEN != '') || '' }}
   build:
     needs: config
     if: needs.config.outputs.has-secrets
@@ -30,8 +28,8 @@ jobs:
       run:
         working-directory: superset-embedded-sdk
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      - uses: actions/checkout@v5
+      - uses: actions/setup-node@v5
         with:
           node-version-file: './superset-embedded-sdk/.nvmrc'
           registry-url: 'https://registry.npmjs.org'

.github/workflows/embedded-sdk-test.yml

@@ -18,8 +18,8 @@ jobs:
       run:
         working-directory: superset-embedded-sdk
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      - uses: actions/checkout@v5
+      - uses: actions/setup-node@v5
         with:
           node-version-file: './superset-embedded-sdk/.nvmrc'
           registry-url: 'https://registry.npmjs.org'

.github/workflows/ephemeral-env-pr-close.yml

@@ -20,12 +20,10 @@ jobs:
         id: check
         shell: bash
         run: |
-          if [ -n "${AWS_ACCESS_KEY_ID}" ]; then
+          if [ -n "${{ (secrets.AWS_ACCESS_KEY_ID != '' && secrets.AWS_SECRET_ACCESS_KEY != '') || '' }}" ]; then
             echo "has-secrets=1" >> "$GITHUB_OUTPUT"
           fi
 
-        env:
-          AWS_ACCESS_KEY_ID: ${{ (secrets.AWS_ACCESS_KEY_ID != '' && secrets.AWS_SECRET_ACCESS_KEY != '') || '' }}
   ephemeral-env-cleanup:
     needs: config
     if: needs.config.outputs.has-secrets
@@ -35,7 +33,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6
+        uses: aws-actions/configure-aws-credentials@v5
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -58,7 +56,7 @@ jobs:
       - name: Login to Amazon ECR
         if: steps.describe-services.outputs.active == 'true'
         id: login-ecr
-        uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2
+        uses: aws-actions/amazon-ecr-login@v2
 
       - name: Delete ECR image tag
         if: steps.describe-services.outputs.active == 'true'
@@ -71,7 +69,7 @@ jobs:
 
       - name: Comment (success)
         if: steps.describe-services.outputs.active == 'true'
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@v8
         with:
           github-token: ${{github.token}}
           script: |

.github/workflows/ephemeral-env.yml

@@ -47,7 +47,7 @@ jobs:
         id: eval-label
         run: |
           if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            LABEL_NAME="${INPUT_LABEL_NAME}"
+            LABEL_NAME="${{ github.event.inputs.label_name }}"
           else
             LABEL_NAME="${{ github.event.label.name }}"
           fi
@@ -60,12 +60,10 @@ jobs:
             echo "result=noop" >> $GITHUB_OUTPUT
           fi
 
-        env:
-          INPUT_LABEL_NAME: ${{ github.event.inputs.label_name }}
       - name: Get event SHA
         id: get-sha
         if: steps.eval-label.outputs.result == 'up'
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@v8
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -96,7 +94,7 @@ jobs:
             core.setOutput("sha", prSha);
 
       - name: Looking for feature flags in PR description
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@v8
         id: eval-feature-flags
         if: steps.eval-label.outputs.result == 'up'
         with:
@@ -118,7 +116,7 @@ jobs:
             return results;
 
       - name: Reply with confirmation comment
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@v8
         if: steps.eval-label.outputs.result == 'up'
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -162,7 +160,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ needs.ephemeral-env-label.outputs.sha }} : ${{steps.get-sha.outputs.sha}} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           ref: ${{ needs.ephemeral-env-label.outputs.sha }}
           persist-credentials: false
@@ -191,7 +189,7 @@ jobs:
             --extra-flags "--build-arg INCLUDE_CHROMIUM=false"
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6
+        uses: aws-actions/configure-aws-credentials@v5
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -199,7 +197,7 @@ jobs:
 
       - name: Login to Amazon ECR
         id: login-ecr
-        uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2
+        uses: aws-actions/amazon-ecr-login@v2
 
       - name: Load, tag and push image to ECR
         id: push-image
@@ -222,12 +220,12 @@ jobs:
       pull-requests: write
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@v5
         with:
           persist-credentials: false
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6
+        uses: aws-actions/configure-aws-credentials@v5
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -235,7 +233,7 @@ jobs:
 
       - name: Login to Amazon ECR
         id: login-ecr
-        uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2
+        uses: aws-actions/amazon-ecr-login@v2
 
       - name: Check target image exists in ECR
         id: check-image
@@ -250,7 +248,7 @@ jobs:
 
       - name: Fail on missing container image
         if: steps.check-image.outcome == 'failure'
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@v8
         with:
           github-token: ${{ github.token }}
           script: |
@@ -265,7 +263,7 @@ jobs:
 
       - name: Fill in the new image ID in the Amazon ECS task definition
         id: task-def
-        uses: aws-actions/amazon-ecs-render-task-definition@6853cfae8c3a7d978fbf68b5a55453395541dfbb # v1
+        uses: aws-actions/amazon-ecs-render-task-definition@v1
         with:
           task-definition: .github/workflows/ecs-task-definition.json
           container-name: superset-ci
@@ -278,9 +276,7 @@ jobs:
       - name: Describe ECS service
         id: describe-services
         run: |
-          echo "active=$(aws ecs describe-services --cluster superset-ci --services pr-${INPUT_ISSUE_NUMBER}-service | jq '.services[] | select(.status == "ACTIVE") | any')" >> $GITHUB_OUTPUT
-        env:
-          INPUT_ISSUE_NUMBER: ${{ github.event.inputs.issue_number || github.event.pull_request.number }}
+          echo "active=$(aws ecs describe-services --cluster superset-ci --services pr-${{ github.event.inputs.issue_number || github.event.pull_request.number }}-service | jq '.services[] | select(.status == "ACTIVE") | any')" >> $GITHUB_OUTPUT
       - name: Create ECS service
         id: create-service
         if: steps.describe-services.outputs.active != 'true'
@@ -300,7 +296,7 @@ jobs:
           --tags key=pr,value=$PR_NUMBER key=github_user,value=${{ github.actor }}
       - name: Deploy Amazon ECS task definition
         id: deploy-task
-        uses: aws-actions/amazon-ecs-deploy-task-definition@a310a830f5c14e583e35d84e4e1ec7dd177c3c9c # v2
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
         with:
           task-definition: ${{ steps.task-def.outputs.task-definition }}
           service: pr-${{ github.event.inputs.issue_number || github.event.pull_request.number }}-service
@@ -311,9 +307,7 @@ jobs:
       - name: List tasks
         id: list-tasks
         run: |
-          echo "task=$(aws ecs list-tasks --cluster superset-ci --service-name pr-${INPUT_ISSUE_NUMBER}-service | jq '.taskArns | first')" >> $GITHUB_OUTPUT
-        env:
-          INPUT_ISSUE_NUMBER: ${{ github.event.inputs.issue_number || github.event.pull_request.number }}
+          echo "task=$(aws ecs list-tasks --cluster superset-ci --service-name pr-${{ github.event.inputs.issue_number || github.event.pull_request.number }}-service | jq '.taskArns | first')" >> $GITHUB_OUTPUT
       - name: Get network interface
         id: get-eni
         run: |
@@ -324,7 +318,7 @@ jobs:
           echo "ip=$(aws ec2 describe-network-interfaces --network-interface-ids ${{ steps.get-eni.outputs.eni }} | jq -r '.NetworkInterfaces | first | .Association.PublicIp')" >> $GITHUB_OUTPUT
       - name: Comment (success)
         if: ${{ success() }}
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@v8
         with:
           github-token: ${{github.token}}
           script: |
@@ -337,7 +331,7 @@ jobs:
             });
       - name: Comment (failure)
         if: ${{ failure() }}
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@v8
         with:
           github-token: ${{github.token}}
           script: |

.github/workflows/generate-FOSSA-report.yml

@@ -16,12 +16,10 @@ jobs:
         id: check
         shell: bash
         run: |
-          if [ -n "${FOSSA_API_KEY}" ]; then
+          if [ -n "${{ (secrets.FOSSA_API_KEY != '' ) || '' }}" ]; then
             echo "has-secrets=1" >> "$GITHUB_OUTPUT"
           fi
 
-        env:
-          FOSSA_API_KEY: ${{ (secrets.FOSSA_API_KEY != '' ) || '' }}
   license_check:
     needs: config
     if: needs.config.outputs.has-secrets
@@ -29,12 +27,12 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
       - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+        uses: actions/setup-java@v5
         with:
           distribution: "temurin"
           java-version: "11"

.github/workflows/github-action-validator.yml

@@ -14,10 +14,10 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
 
       - name: Set up Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@v5
         with:
           node-version: '20'
 

.github/workflows/issue_creation.yml

@@ -17,7 +17,7 @@ jobs:
     steps:
 
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
 

.github/workflows/latest-release-tag.yml

@@ -12,7 +12,7 @@ jobs:
 
     steps:
     - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      uses: actions/checkout@v5
       with:
         persist-credentials: false
         submodules: recursive
@@ -29,7 +29,7 @@ jobs:
 
     - name: Run latest-tag
       uses: ./.github/actions/latest-tag
-      if: steps.latest-tag.outputs.SKIP_TAG != 'true'
+      if: (! ${{ steps.latest-tag.outputs.SKIP_TAG }} )
       with:
         description: Superset latest release
         tag-name: latest

.github/workflows/license-check.yml

@@ -15,12 +15,12 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
       - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+        uses: actions/setup-java@v5
         with:
           distribution: 'temurin'
           java-version: '11'

.github/workflows/no-hold-label.yml

@@ -4,9 +4,6 @@ on:
   pull_request:
     types: [labeled, unlabeled, opened, reopened, synchronize]
 
-permissions:
-  pull-requests: read
-
 # cancel previous workflow jobs for PRs
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
@@ -17,7 +14,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
     - name: Check for 'hold' label
-      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      uses: actions/github-script@v8
       with:
         github-token: ${{secrets.GITHUB_TOKEN}}
         script: |

.github/workflows/pr-lint.yml

@@ -16,7 +16,7 @@ jobs:
       pull-requests: write
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive

.github/workflows/pre-commit.yml

@@ -8,9 +8,6 @@ on:
   pull_request:
     types: [synchronize, opened, reopened, ready_for_review]
 
-permissions:
-  contents: read
-
 # cancel previous workflow jobs for PRs
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
@@ -24,7 +21,7 @@ jobs:
         python-version: ["current", "previous", "next"]
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
@@ -42,7 +39,7 @@ jobs:
           echo "HOMEBREW_REPOSITORY=$HOMEBREW_REPOSITORY" >>"${GITHUB_ENV}"
           brew install norwoodj/tap/helm-docs
       - name: Setup Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@v5
         with:
           node-version: '20'
 
@@ -57,32 +54,24 @@ jobs:
           yarn install --immutable
 
       - name: Cache pre-commit environments
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache@v4
         with:
           path: ~/.cache/pre-commit
           key: pre-commit-v2-${{ runner.os }}-py${{ matrix.python-version }}-${{ hashFiles('.pre-commit-config.yaml') }}
           restore-keys: |
             pre-commit-v2-${{ runner.os }}-py${{ matrix.python-version }}-
 
-      - name: Get changed files
-        id: changed_files
-        uses: ./.github/actions/file-changes-action
-        with:
-          output: ' '
-
       - name: pre-commit
         run: |
           set +e  # Don't exit immediately on failure
-          export SKIP=type-checking-frontend
-          pre-commit run --files ${{ steps.changed_files.outputs.files }}
+          export SKIP=eslint-frontend,type-checking-frontend
+          pre-commit run --all-files
           PRE_COMMIT_EXIT_CODE=$?
           git diff --quiet --exit-code
           GIT_DIFF_EXIT_CODE=$?
           if [ "${PRE_COMMIT_EXIT_CODE}" -ne 0 ] || [ "${GIT_DIFF_EXIT_CODE}" -ne 0 ]; then
             if [ "${PRE_COMMIT_EXIT_CODE}" -ne 0 ]; then
-              echo "❌ Pre-commit check failed (exit code: ${PRE_COMMIT_EXIT_CODE})."
-              echo "🔍 Modified files:"
-              git diff --name-only
+              echo "❌ Pre-commit check failed (exit code: ${EXIT_CODE})."
             else
               echo "❌ Git working directory is dirty."
               echo "📌 This likely means that pre-commit made changes that were not committed."

.github/workflows/prefer-typescript.yml

@@ -0,0 +1,70 @@
+name: Prefer TypeScript
+
+on:
+  push:
+    branches:
+      - "master"
+      - "[0-9].[0-9]*"
+    paths:
+      - "superset-frontend/src/**"
+  pull_request:
+    types: [synchronize, opened, reopened, ready_for_review]
+    paths:
+      - "superset-frontend/src/**"
+
+# cancel previous workflow jobs for PRs
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  prefer_typescript:
+    if: github.ref == 'ref/heads/master' && github.event_name == 'pull_request'
+    name: Prefer TypeScript
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+          submodules: recursive
+      - name: Get changed files
+        id: changed
+        uses: ./.github/actions/file-changes-action
+        with:
+          githubToken: ${{ github.token }}
+
+      - name: Determine if a .js or .jsx file was added
+        id: check
+        run: |
+          js_files_added() {
+            jq -r '
+              map(
+                select(
+                  endswith(".js") or endswith(".jsx")
+                )
+              ) | join("\n")
+            ' ${HOME}/files_added.json
+          }
+          echo "js_files_added=$(js_files_added)" >> $GITHUB_OUTPUT
+
+      - if: steps.check.outputs.js_files_added
+        name: Add Comment to PR
+        uses: ./.github/actions/comment-on-pr
+        continue-on-error: true
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        with:
+          msg: |
+            ### WARNING: Prefer TypeScript
+
+            Looks like your PR contains new `.js` or `.jsx` files:
+
+            ```
+            ${{steps.check.outputs.js_files_added}}
+            ```
+
+            As decided in [SIP-36](https://github.com/apache/superset/issues/9101), all new frontend code should be written in TypeScript. Please convert above files to TypeScript then re-request review.

.github/workflows/release.yml

@@ -16,19 +16,17 @@ jobs:
         id: check
         shell: bash
         run: |
-          if [ -n "${NPM_TOKEN}" ]; then
+          if [ -n "${{ (secrets.NPM_TOKEN != '' && secrets.GH_PERSONAL_ACCESS_TOKEN != '') || '' }}" ]; then
             echo "has-secrets=1" >> "$GITHUB_OUTPUT"
           fi
 
-        env:
-          NPM_TOKEN: ${{ (secrets.NPM_TOKEN != '' && secrets.GH_PERSONAL_ACCESS_TOKEN != '') || '' }}
   build:
     needs: config
     if: needs.config.outputs.has-secrets
     name: Bump version and publish package(s)
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@v5
         with:
           # pulls all commits (needed for lerna / semantic release to correctly version)
           fetch-depth: 0
@@ -44,13 +42,13 @@ jobs:
 
       - name: Install Node.js
         if: env.HAS_TAGS
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@v5
         with:
           node-version-file: './superset-frontend/.nvmrc'
 
       - name: Cache npm
         if: env.HAS_TAGS
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache@v4
         with:
           path: ~/.npm # npm cache files are stored in `~/.npm` on Linux/macOS
           key: ${{ runner.OS }}-node-${{ hashFiles('**/package-lock.json') }}
@@ -64,7 +62,7 @@ jobs:
         run: echo "dir=$(npm config get cache)" >> $GITHUB_OUTPUT
       - name: Cache npm
         if: env.HAS_TAGS
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache@v4
         id: npm-cache # use this to check for `cache-hit` (`steps.npm-cache.outputs.cache-hit != 'true'`)
         with:
           path: ${{ steps.npm-cache-dir-path.outputs.dir }}

.github/workflows/showtime-cleanup.yml

@@ -7,6 +7,12 @@ on:
 
   # Manual trigger for testing
   workflow_dispatch:
+    inputs:
+      max_age_hours:
+        description: 'Maximum age in hours before cleanup'
+        required: false
+        default: '48'
+        type: string
 
 # Common environment variables
 env:
@@ -32,5 +38,13 @@ jobs:
 
       - name: Cleanup expired environments
         run: |
-          echo "Cleaning up environments respecting TTL labels"
-          python -m showtime cleanup --respect-ttl
+          MAX_AGE="${{ github.event.inputs.max_age_hours || '48' }}"
+
+          # Validate max_age is numeric
+          if [[ ! "$MAX_AGE" =~ ^[0-9]+$ ]]; then
+            echo "❌ Invalid max_age_hours format: $MAX_AGE (must be numeric)"
+            exit 1
+          fi
+
+          echo "Cleaning up environments older than ${MAX_AGE}h"
+          python -m showtime cleanup --older-than "${MAX_AGE}h"

.github/workflows/showtime-trigger.yml

@@ -37,7 +37,7 @@ jobs:
     steps:
       - name: Security Check - Authorize Maintainers Only
         id: auth
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@v8
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -102,12 +102,10 @@ jobs:
       - name: Install Superset Showtime
         if: steps.auth.outputs.authorized == 'true'
         run: |
-          echo "::notice::Maintainer ${{ github.actor }} triggered deploy for PR ${PULL_REQUEST_NUMBER}"
+          echo "::notice::Maintainer ${{ github.actor }} triggered deploy for PR ${{ github.event.pull_request.number || github.event.inputs.pr_number }}"
           pip install --upgrade superset-showtime
           showtime version
 
-        env:
-          PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number || github.event.inputs.pr_number }}
       - name: Check what actions are needed
         if: steps.auth.outputs.authorized == 'true'
         id: check
@@ -115,14 +113,12 @@ jobs:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          INPUT_PR_NUMBER: ${{ github.event.inputs.pr_number }}
-          INPUT_SHA: ${{ github.event.inputs.sha }}
         run: |
           # Bulletproof PR number extraction
           if [[ -n "${{ github.event.pull_request.number }}" ]]; then
             PR_NUM="${{ github.event.pull_request.number }}"
-          elif [[ -n "${INPUT_PR_NUMBER}" ]]; then
-            PR_NUM="${INPUT_PR_NUMBER}"
+          elif [[ -n "${{ github.event.inputs.pr_number }}" ]]; then
+            PR_NUM="${{ github.event.inputs.pr_number }}"
           else
             echo "❌ No PR number found in event or inputs"
             exit 1
@@ -131,8 +127,8 @@ jobs:
           echo "Using PR number: $PR_NUM"
 
           # Run sync check-only with optional SHA override
-          if [[ -n "${INPUT_SHA}" ]]; then
-            OUTPUT=$(python -m showtime sync $PR_NUM --check-only --sha "${INPUT_SHA}")
+          if [[ -n "${{ github.event.inputs.sha }}" ]]; then
+            OUTPUT=$(python -m showtime sync $PR_NUM --check-only --sha "${{ github.event.inputs.sha }}")
           else
             OUTPUT=$(python -m showtime sync $PR_NUM --check-only)
           fi
@@ -151,7 +147,7 @@ jobs:
 
       - name: Checkout PR code (only if build needed)
         if: steps.auth.outputs.authorized == 'true' && steps.check.outputs.build_needed == 'true'
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           ref: ${{ steps.check.outputs.target_sha }}
           persist-credentials: false

.github/workflows/superset-app-cli.yml

@@ -23,7 +23,7 @@ jobs:
       SUPERSET__SQLALCHEMY_DATABASE_URI: postgresql+psycopg2://superset:superset@127.0.0.1:15432/superset
     services:
       postgres:
-        image: postgres:17-alpine
+        image: postgres:16-alpine
         env:
           POSTGRES_USER: superset
           POSTGRES_PASSWORD: superset
@@ -37,7 +37,7 @@ jobs:
           - 16379:6379
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive

.github/workflows/superset-applitool-cypress.yml

@@ -0,0 +1,91 @@
+name: Applitools Cypress
+
+on:
+  schedule:
+    - cron: "0 1 * * *"
+
+jobs:
+  config:
+    runs-on: ubuntu-24.04
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.APPLITOOLS_API_KEY != '' && secrets.APPLITOOLS_API_KEY != '') || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
+
+  cypress-applitools:
+    needs: config
+    if: needs.config.outputs.has-secrets
+    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        browser: ["chrome"]
+    env:
+      SUPERSET_ENV: development
+      SUPERSET_CONFIG: tests.integration_tests.superset_test_config
+      SUPERSET__SQLALCHEMY_DATABASE_URI: postgresql+psycopg2://superset:superset@127.0.0.1:15432/superset
+      PYTHONPATH: ${{ github.workspace }}
+      REDIS_PORT: 16379
+      GITHUB_TOKEN: ${{ github.token }}
+      APPLITOOLS_APP_NAME: Superset
+      APPLITOOLS_API_KEY: ${{ secrets.APPLITOOLS_API_KEY }}
+      APPLITOOLS_BATCH_ID: ${{ github.sha }}
+      APPLITOOLS_BATCH_NAME: Superset Cypress
+    services:
+      postgres:
+        image: postgres:16-alpine
+        env:
+          POSTGRES_USER: superset
+          POSTGRES_PASSWORD: superset
+        ports:
+          - 15432:5432
+      redis:
+        image: redis:7-alpine
+        ports:
+          - 16379:6379
+    steps:
+      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+          submodules: recursive
+          ref: master
+      - name: Setup Python
+        uses: ./.github/actions/setup-backend/
+      - name: Import test data
+        uses: ./.github/actions/cached-dependencies
+        with:
+          run: testdata
+      - name: Setup Node.js
+        uses: actions/setup-node@v5
+        with:
+          node-version-file: './superset-frontend/.nvmrc'
+      - name: Install npm dependencies
+        uses: ./.github/actions/cached-dependencies
+        with:
+          run: npm-install
+      - name: Build javascript packages
+        uses: ./.github/actions/cached-dependencies
+        with:
+          run: build-instrumented-assets
+      - name: Setup Postgres
+        if: steps.check.outcome == 'failure'
+        uses: ./.github/actions/cached-dependencies
+        with:
+          run: setup-postgres
+      - name: Install cypress
+        uses: ./.github/actions/cached-dependencies
+        with:
+          run: cypress-install
+      - name: Run Cypress
+        uses: ./.github/actions/cached-dependencies
+        env:
+          CYPRESS_BROWSER: ${{ matrix.browser }}
+        with:
+          run: cypress-run-applitools

.github/workflows/superset-applitools-storybook.yml

@@ -0,0 +1,52 @@
+name: Applitools Storybook
+
+on:
+  schedule:
+    - cron: "0 0 * * *"
+
+env:
+  APPLITOOLS_APP_NAME: Superset
+  APPLITOOLS_API_KEY: ${{ secrets.APPLITOOLS_API_KEY }}
+  APPLITOOLS_BATCH_ID: ${{ github.sha }}
+  APPLITOOLS_BATCH_NAME: Superset Storybook
+
+jobs:
+  config:
+    runs-on: ubuntu-24.04
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.APPLITOOLS_API_KEY != '' && secrets.APPLITOOLS_API_KEY != '') || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
+
+  cron:
+    needs: config
+    if: needs.config.outputs.has-secrets
+    runs-on: ubuntu-24.04
+    steps:
+      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+          submodules: recursive
+          ref: master
+      - name: Set up Node.js
+        uses: actions/setup-node@v5
+        with:
+          node-version-file: './superset-frontend/.nvmrc'
+      - name: Install eyes-storybook dependencies
+        uses: ./.github/actions/cached-dependencies
+        with:
+          run: eyes-storybook-dependencies
+      - name: Install NPM dependencies
+        uses: ./.github/actions/cached-dependencies
+        with:
+          run: npm-install
+      - name: Run Applitools Eyes-Storybook
+        working-directory: ./superset-frontend
+        run: npx eyes-storybook -u https://superset-storybook.netlify.app/

.github/workflows/superset-docs-deploy.yml

@@ -1,13 +1,6 @@
 name: Docs Deployment
 
 on:
-  # Deploy after integration tests complete on master
-  workflow_run:
-    workflows: ["Python-Integration"]
-    types: [completed]
-    branches: [master]
-
-  # Also allow manual trigger and direct pushes to docs
   push:
     paths:
       - "docs/**"
@@ -17,16 +10,6 @@ on:
 
   workflow_dispatch: {}
 
-# Serialize deploys: the action pushes to apache/superset-site without
-# rebasing, so concurrent runs race on the final push and the loser fails
-# with `! [rejected] asf-site -> asf-site (fetch first)`. Cancel any
-# in-progress run as soon as a newer one starts — the destination repo
-# isn't touched until the final push step, so canceling mid-build is safe,
-# and the freshest content always wins.
-concurrency:
-  group: docs-deploy-asf-site
-  cancel-in-progress: true
-
 jobs:
   config:
     runs-on: ubuntu-24.04
@@ -37,31 +20,28 @@ jobs:
         id: check
         shell: bash
         run: |
-          if [ -n "${SUPERSET_SITE_BUILD}" ]; then
+          if [ -n "${{ (secrets.SUPERSET_SITE_BUILD != '' && secrets.SUPERSET_SITE_BUILD != '') || '' }}" ]; then
             echo "has-secrets=1" >> "$GITHUB_OUTPUT"
           fi
 
-        env:
-          SUPERSET_SITE_BUILD: ${{ (secrets.SUPERSET_SITE_BUILD != '' && secrets.SUPERSET_SITE_BUILD != '') || '' }}
   build-deploy:
     needs: config
     if: needs.config.outputs.has-secrets
     name: Build & Deploy
     runs-on: ubuntu-24.04
     steps:
-      - name: "Checkout ${{ github.event.workflow_run.head_sha || github.sha }}"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
+        uses: actions/checkout@v5
         with:
-          ref: ${{ github.event.workflow_run.head_sha || github.sha }}
           persist-credentials: false
           submodules: recursive
       - name: Set up Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@v5
         with:
           node-version-file: './docs/.nvmrc'
       - name: Setup Python
         uses: ./.github/actions/setup-backend/
-      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+      - uses: actions/setup-java@v5
         with:
           distribution: 'zulu'
           java-version: '21'
@@ -78,35 +58,6 @@ jobs:
         working-directory: docs
         run: |
           yarn install --check-cache
-      - name: Download database diagnostics (if triggered by integration tests)
-        if: github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success'
-        uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21
-        continue-on-error: true
-        with:
-          workflow: superset-python-integrationtest.yml
-          run_id: ${{ github.event.workflow_run.id }}
-          name: database-diagnostics
-          path: docs/src/data/
-      - name: Try to download latest diagnostics (for push/dispatch triggers)
-        if: github.event_name != 'workflow_run'
-        uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21
-        continue-on-error: true
-        with:
-          workflow: superset-python-integrationtest.yml
-          name: database-diagnostics
-          path: docs/src/data/
-          branch: master
-          search_artifacts: true
-          if_no_artifact_found: warn
-      - name: Use diagnostics artifact if available
-        working-directory: docs
-        run: |
-          if [ -f "src/data/databases-diagnostics.json" ]; then
-            echo "Using fresh diagnostics from integration tests"
-            mv src/data/databases-diagnostics.json src/data/databases.json
-          else
-            echo "Using committed databases.json (no artifact found)"
-          fi
       - name: yarn build
         working-directory: docs
         run: |
@@ -120,5 +71,5 @@ jobs:
           destination-github-username: "apache"
           destination-repository-name: "superset-site"
           target-branch: "asf-site"
-          commit-message: "deploying docs: ${{ github.event.head_commit.message || 'triggered by integration tests' }} (apache/superset@${{ github.event.workflow_run.head_sha || github.sha }})"
+          commit-message: "deploying docs: ${{ github.event.head_commit.message }} (apache/superset@${{ github.sha }})"
           user-email: dev@superset.apache.org

.github/workflows/superset-docs-verify.yml

@@ -4,30 +4,24 @@ on:
   pull_request:
     paths:
       - "docs/**"
-      - "superset/db_engine_specs/**"
       - ".github/workflows/superset-docs-verify.yml"
     types: [synchronize, opened, reopened, ready_for_review]
-  workflow_run:
-    workflows: ["Python-Integration"]
-    types: [completed]
 
 # cancel previous workflow jobs for PRs
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.workflow_run.head_sha || github.run_id }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
   cancel-in-progress: true
 
 jobs:
   linkinator:
     # See docs here: https://github.com/marketplace/actions/linkinator
-    # Only run on pull_request, not workflow_run
-    if: github.event_name == 'pull_request'
     name: Link Checking
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@v5
       # Do not bump this linkinator-action version without opening
       # an ASF Infra ticket to allow the new version first!
-      - uses: JustinBeckwith/linkinator-action@af984b9f30f63e796ae2ea5be5e07cb587f1bbd9  # v2.3
+      - uses: JustinBeckwith/linkinator-action@3d5ba091319fa7b0ac14703761eebb7d100e6f6d  # v1.11.0
         continue-on-error: true # This will make the job advisory (non-blocking, no red X)
         with:
           paths: "**/*.md, **/*.mdx"
@@ -56,23 +50,20 @@ jobs:
             https://timbr.ai/,
             https://opensource.org/license/apache-2-0,
             https://www.plaidcloud.com/
-
-  build-on-pr:
-    # Build docs when PR changes docs/** (uses committed databases.json)
-    if: github.event_name == 'pull_request'
-    name: Build (PR trigger)
+  build-deploy:
+    name: Build & Deploy
     runs-on: ubuntu-24.04
     defaults:
       run:
         working-directory: docs
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
       - name: Set up Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@v5
         with:
           node-version-file: './docs/.nvmrc'
       - name: yarn install
@@ -84,51 +75,3 @@ jobs:
       - name: yarn build
         run: |
           yarn build
-
-  build-after-tests:
-    # Build docs after integration tests complete (uses fresh diagnostics)
-    # Only runs if integration tests succeeded
-    if: >
-      github.event_name == 'workflow_run' &&
-      github.event.workflow_run.conclusion == 'success'
-    name: Build (after integration tests)
-    runs-on: ubuntu-24.04
-    defaults:
-      run:
-        working-directory: docs
-    steps:
-      - name: "Checkout PR head: ${{ github.event.workflow_run.head_sha }}"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          ref: ${{ github.event.workflow_run.head_sha }}
-          persist-credentials: false
-          submodules: recursive
-      - name: Set up Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
-        with:
-          node-version-file: './docs/.nvmrc'
-      - name: yarn install
-        run: |
-          yarn install --check-cache
-      - name: Download database diagnostics from integration tests
-        uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21
-        with:
-          workflow: superset-python-integrationtest.yml
-          run_id: ${{ github.event.workflow_run.id }}
-          name: database-diagnostics
-          path: docs/src/data/
-          if_no_artifact_found: 'warning'
-      - name: Use fresh diagnostics
-        run: |
-          if [ -f "src/data/databases-diagnostics.json" ]; then
-            echo "Using fresh diagnostics from integration tests"
-            mv src/data/databases-diagnostics.json src/data/databases.json
-          else
-            echo "Warning: No diagnostics artifact found, using committed data"
-          fi
-      - name: yarn typecheck
-        run: |
-          yarn typecheck
-      - name: yarn build
-        run: |
-          yarn build

.github/workflows/superset-e2e.yml

@@ -54,7 +54,7 @@ jobs:
       USE_DASHBOARD: ${{ github.event.inputs.use_dashboard == 'true' || 'false' }}
     services:
       postgres:
-        image: postgres:17-alpine
+        image: postgres:16-alpine
         env:
           POSTGRES_USER: superset
           POSTGRES_PASSWORD: superset
@@ -69,21 +69,21 @@ jobs:
       # Conditional checkout based on context
       - name: Checkout for push or pull_request event
         if: github.event_name == 'push' || github.event_name == 'pull_request'
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
           ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
       - name: Checkout using ref (workflow_dispatch)
         if: github.event_name == 'workflow_dispatch' && github.event.inputs.ref != ''
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           ref: ${{ github.event.inputs.ref }}
           submodules: recursive
       - name: Checkout using PR ID (workflow_dispatch)
         if: github.event_name == 'workflow_dispatch' && github.event.inputs.pr_id != ''
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           ref: refs/pull/${{ github.event.inputs.pr_id }}/merge
@@ -109,7 +109,7 @@ jobs:
           run: testdata
       - name: Setup Node.js
         if: steps.check.outputs.python || steps.check.outputs.frontend
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@v5
         with:
           node-version-file: './superset-frontend/.nvmrc'
       - name: Install npm dependencies
@@ -146,7 +146,7 @@ jobs:
           SAFE_APP_ROOT=${APP_ROOT//\//_}
           echo "safe_app_root=$SAFE_APP_ROOT" >> $GITHUB_OUTPUT
       - name: Upload Artifacts
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v4
         if: failure()
         with:
           path: ${{ github.workspace }}/superset-frontend/cypress-base/cypress/screenshots
@@ -171,7 +171,7 @@ jobs:
       GITHUB_TOKEN: ${{ github.token }}
     services:
       postgres:
-        image: postgres:17-alpine
+        image: postgres:16-alpine
         env:
           POSTGRES_USER: superset
           POSTGRES_PASSWORD: superset
@@ -186,21 +186,21 @@ jobs:
       # Conditional checkout based on context (same as Cypress workflow)
       - name: Checkout for push or pull_request event
         if: github.event_name == 'push' || github.event_name == 'pull_request'
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
           ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
       - name: Checkout using ref (workflow_dispatch)
         if: github.event_name == 'workflow_dispatch' && github.event.inputs.ref != ''
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           ref: ${{ github.event.inputs.ref }}
           submodules: recursive
       - name: Checkout using PR ID (workflow_dispatch)
         if: github.event_name == 'workflow_dispatch' && github.event.inputs.pr_id != ''
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           ref: refs/pull/${{ github.event.inputs.pr_id }}/merge
@@ -223,10 +223,10 @@ jobs:
         if: steps.check.outputs.python || steps.check.outputs.frontend
         uses: ./.github/actions/cached-dependencies
         with:
-          run: playwright_testdata
+          run: testdata
       - name: Setup Node.js
         if: steps.check.outputs.python || steps.check.outputs.frontend
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@v5
         with:
           node-version-file: './superset-frontend/.nvmrc'
       - name: Install npm dependencies
@@ -259,7 +259,7 @@ jobs:
           SAFE_APP_ROOT=${APP_ROOT//\//_}
           echo "safe_app_root=$SAFE_APP_ROOT" >> $GITHUB_OUTPUT
       - name: Upload Playwright Artifacts
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v4
         if: failure()
         with:
           path: |

.github/workflows/superset-extensions-cli.yml

@@ -24,7 +24,7 @@ jobs:
         working-directory: superset-extensions-cli
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
@@ -49,7 +49,7 @@ jobs:
 
       - name: Upload coverage reports to Codecov
         if: steps.check.outputs.superset-extensions-cli
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
+        uses: codecov/codecov-action@v5
         with:
           file: ./coverage.xml
           flags: superset-extensions-cli
@@ -58,7 +58,7 @@ jobs:
 
       - name: Upload HTML coverage report
         if: steps.check.outputs.superset-extensions-cli
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v4
         with:
           name: superset-extensions-cli-coverage-html
           path: htmlcov/

.github/workflows/superset-frontend.yml

@@ -23,7 +23,7 @@ jobs:
       should-run: ${{ steps.check.outputs.frontend }}
     steps:
       - name: Checkout Code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           fetch-depth: 0
@@ -54,14 +54,14 @@ jobs:
       - name: Save Docker Image as Artifact
         if: steps.check.outputs.frontend
         run: |
-          docker save $TAG | zstd -3 --threads=0 > docker-image.tar.zst
+          docker save $TAG | gzip > docker-image.tar.gz
 
       - name: Upload Docker Image Artifact
         if: steps.check.outputs.frontend
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v4
         with:
           name: docker-image
-          path: docker-image.tar.zst
+          path: docker-image.tar.gz
 
   sharded-jest-tests:
     needs: frontend-build
@@ -73,13 +73,12 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Download Docker Image Artifact
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v5
         with:
           name: docker-image
 
       - name: Load Docker Image
-        run: |
-          zstd -d < docker-image.tar.zst | docker load
+        run: docker load < docker-image.tar.gz
 
       - name: npm run test with coverage
         run: |
@@ -88,10 +87,10 @@ jobs:
           -v ${{ github.workspace }}/superset-frontend/coverage:/app/superset-frontend/coverage \
           --rm $TAG \
           bash -c \
-          "npm run test -- --coverage --shard=${{ matrix.shard }}/8 --coverageReporters=json"
+          "npm run test -- --coverage --shard=${{ matrix.shard }}/8 --coverageReporters=json-summary"
 
       - name: Upload Coverage Artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v4
         with:
           name: coverage-artifacts-${{ matrix.shard }}
           path: superset-frontend/coverage
@@ -100,40 +99,25 @@ jobs:
     needs: [sharded-jest-tests]
     if: needs.frontend-build.outputs.should-run == 'true'
     runs-on: ubuntu-24.04
-    permissions:
-      id-token: write
     steps:
-      - name: Checkout Code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          persist-credentials: false
-          fetch-depth: 0
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-
       - name: Download Coverage Artifacts
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v5
         with:
           pattern: coverage-artifacts-*
           path: coverage/
 
-      - name: Reorganize test result reports
-        run: |
-          find coverage/
-          for i in {1..8}; do
-            mv coverage/coverage-artifacts-${i}/coverage-final.json coverage/coverage-shard-${i}.json
-          done
-        shell: bash
+      - name: Show Files
+        run: find coverage/
 
       - name: Merge Code Coverage
         run: npx nyc merge coverage/ merged-output/coverage-summary.json
 
       - name: Upload Code Coverage
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
+        uses: codecov/codecov-action@v5
         with:
           flags: javascript
-          use_oidc: true
+          token: ${{ secrets.CODECOV_TOKEN }}
           verbose: true
-          disable_search: true
           files: merged-output/coverage-summary.json
           slug: apache/superset
 
@@ -143,13 +127,13 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Download Docker Image Artifact
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v5
         with:
           name: docker-image
 
       - name: Load Docker Image
         run: |
-          zstd -d < docker-image.tar.zst | docker load
+          docker load < docker-image.tar.gz
 
       - name: lint
         run: |
@@ -167,34 +151,19 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Download Docker Image Artifact
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v5
         with:
           name: docker-image
 
       - name: Load Docker Image
-        run: |
-          zstd -d < docker-image.tar.zst | docker load
+        run: docker load < docker-image.tar.gz
 
       - name: Build Plugins Packages
         run: |
           docker run --rm $TAG bash -c \
           "npm run plugins:build"
 
-  test-storybook:
-    needs: frontend-build
-    if: needs.frontend-build.outputs.should-run == 'true'
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Download Docker Image Artifact
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
-        with:
-          name: docker-image
-
-      - name: Load Docker Image
-        run: |
-          zstd -d < docker-image.tar.zst | docker load
-
-      - name: Build Storybook and Run Tests
+      - name: Build Plugins Storybook
         run: |
           docker run --rm $TAG bash -c \
-          "npm run build-storybook && npx playwright install-deps && npx playwright install chromium && npm run test-storybook:ci"
+          "npm run plugins:build-storybook"

.github/workflows/superset-helm-lint.yml

@@ -16,14 +16,14 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
           fetch-depth: 0
 
       - name: Set up Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+        uses: azure/setup-helm@v4
         with:
           version: v3.16.4
 

.github/workflows/superset-helm-release.yml

@@ -29,7 +29,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           ref: ${{ inputs.ref || github.ref_name }}
           persist-credentials: true
@@ -42,7 +42,7 @@ jobs:
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
       - name: Install Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+        uses: azure/setup-helm@v4
         with:
           version: v3.5.4
 
@@ -101,7 +101,7 @@ jobs:
           CR_RELEASE_NAME_TEMPLATE: "superset-helm-chart-{{ .Version }}"
 
       - name: Open Pull Request
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@v8
         with:
           script: |
             const branchName = '${{ env.branch_name }}';

.github/workflows/superset-playwright.yml

@@ -45,7 +45,7 @@ jobs:
       GITHUB_TOKEN: ${{ github.token }}
     services:
       postgres:
-        image: postgres:17-alpine
+        image: postgres:16-alpine
         env:
           POSTGRES_USER: superset
           POSTGRES_PASSWORD: superset
@@ -60,21 +60,21 @@ jobs:
       # Conditional checkout based on context (same as Cypress workflow)
       - name: Checkout for push or pull_request event
         if: github.event_name == 'push' || github.event_name == 'pull_request'
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
           ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
       - name: Checkout using ref (workflow_dispatch)
         if: github.event_name == 'workflow_dispatch' && github.event.inputs.ref != ''
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           ref: ${{ github.event.inputs.ref }}
           submodules: recursive
       - name: Checkout using PR ID (workflow_dispatch)
         if: github.event_name == 'workflow_dispatch' && github.event.inputs.pr_id != ''
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           ref: refs/pull/${{ github.event.inputs.pr_id }}/merge
@@ -97,10 +97,10 @@ jobs:
         if: steps.check.outputs.python || steps.check.outputs.frontend
         uses: ./.github/actions/cached-dependencies
         with:
-          run: playwright_testdata
+          run: testdata
       - name: Setup Node.js
         if: steps.check.outputs.python || steps.check.outputs.frontend
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@v5
         with:
           node-version-file: './superset-frontend/.nvmrc'
       - name: Install npm dependencies
@@ -133,7 +133,7 @@ jobs:
           SAFE_APP_ROOT=${APP_ROOT//\//_}
           echo "safe_app_root=$SAFE_APP_ROOT" >> $GITHUB_OUTPUT
       - name: Upload Playwright Artifacts
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v4
         if: failure()
         with:
           path: |

.github/workflows/superset-python-integrationtest.yml

@@ -16,8 +16,6 @@ concurrency:
 jobs:
   test-mysql:
     runs-on: ubuntu-24.04
-    permissions:
-      id-token: write
     env:
       PYTHONPATH: ${{ github.workspace }}
       SUPERSET_CONFIG: tests.integration_tests.superset_test_config
@@ -43,7 +41,7 @@ jobs:
           - 16379:6379
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
@@ -70,46 +68,13 @@ jobs:
         run: |
           ./scripts/python_tests.sh
       - name: Upload code coverage
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
+        uses: codecov/codecov-action@v5
         with:
           flags: python,mysql
+          token: ${{ secrets.CODECOV_TOKEN }}
           verbose: true
-          use_oidc: true
-          slug: apache/superset
-      - name: Generate database diagnostics for docs
-        if: steps.check.outputs.python
-        env:
-          SUPERSET_CONFIG: tests.integration_tests.superset_test_config
-          SUPERSET__SQLALCHEMY_DATABASE_URI: |
-            mysql+mysqldb://superset:superset@127.0.0.1:13306/superset?charset=utf8mb4&binary_prefix=true
-        run: |
-          python -c "
-          import json
-          from superset.app import create_app
-          from superset.db_engine_specs.lib import generate_yaml_docs
-          app = create_app()
-          with app.app_context():
-              docs = generate_yaml_docs()
-              # Wrap in the expected format
-              output = {
-                  'generated': '$(date -Iseconds)',
-                  'databases': docs
-              }
-              with open('databases-diagnostics.json', 'w') as f:
-                  json.dump(output, f, indent=2, default=str)
-              print(f'Generated diagnostics for {len(docs)} databases')
-          "
-      - name: Upload database diagnostics artifact
-        if: steps.check.outputs.python
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
-        with:
-          name: database-diagnostics
-          path: databases-diagnostics.json
-          retention-days: 7
   test-postgres:
     runs-on: ubuntu-24.04
-    permissions:
-      id-token: write
     strategy:
       matrix:
         python-version: ["current", "previous", "next"]
@@ -120,7 +85,7 @@ jobs:
       SUPERSET__SQLALCHEMY_DATABASE_URI: postgresql+psycopg2://superset:superset@127.0.0.1:15432/superset
     services:
       postgres:
-        image: postgres:17-alpine
+        image: postgres:16-alpine
         env:
           POSTGRES_USER: superset
           POSTGRES_PASSWORD: superset
@@ -134,7 +99,7 @@ jobs:
           - 16379:6379
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
@@ -164,17 +129,14 @@ jobs:
         run: |
           ./scripts/python_tests.sh
       - name: Upload code coverage
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
+        uses: codecov/codecov-action@v5
         with:
           flags: python,postgres
+          token: ${{ secrets.CODECOV_TOKEN }}
           verbose: true
-          use_oidc: true
-          slug: apache/superset
 
   test-sqlite:
     runs-on: ubuntu-24.04
-    permissions:
-      id-token: write
     env:
       PYTHONPATH: ${{ github.workspace }}
       SUPERSET_CONFIG: tests.integration_tests.superset_test_config
@@ -190,7 +152,7 @@ jobs:
           - 16379:6379
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
@@ -219,9 +181,8 @@ jobs:
         run: |
           ./scripts/python_tests.sh
       - name: Upload code coverage
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
+        uses: codecov/codecov-action@v5
         with:
           flags: python,sqlite
+          token: ${{ secrets.CODECOV_TOKEN }}
           verbose: true
-          use_oidc: true
-          slug: apache/superset

.github/workflows/superset-python-presto-hive.yml

@@ -17,8 +17,6 @@ concurrency:
 jobs:
   test-postgres-presto:
     runs-on: ubuntu-24.04
-    permissions:
-      id-token: write
     env:
       PYTHONPATH: ${{ github.workspace }}
       SUPERSET_CONFIG: tests.integration_tests.superset_test_config
@@ -27,7 +25,7 @@ jobs:
       SUPERSET__SQLALCHEMY_EXAMPLES_URI: presto://localhost:15433/memory/default
     services:
       postgres:
-        image: postgres:17-alpine
+        image: postgres:16-alpine
         env:
           POSTGRES_USER: superset
           POSTGRES_PASSWORD: superset
@@ -50,7 +48,7 @@ jobs:
           - 16379:6379
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
@@ -79,17 +77,14 @@ jobs:
         run: |
           ./scripts/python_tests.sh -m 'chart_data_flow or sql_json_flow'
       - name: Upload code coverage
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
+        uses: codecov/codecov-action@v5
         with:
           flags: python,presto
+          token: ${{ secrets.CODECOV_TOKEN }}
           verbose: true
-          use_oidc: true
-          slug: apache/superset
 
   test-postgres-hive:
     runs-on: ubuntu-24.04
-    permissions:
-      id-token: write
     env:
       PYTHONPATH: ${{ github.workspace }}
       SUPERSET_CONFIG: tests.integration_tests.superset_test_config
@@ -99,7 +94,7 @@ jobs:
       UPLOAD_FOLDER: /tmp/.superset/uploads/
     services:
       postgres:
-        image: postgres:17-alpine
+        image: postgres:16-alpine
         env:
           POSTGRES_USER: superset
           POSTGRES_PASSWORD: superset
@@ -113,7 +108,7 @@ jobs:
           - 16379:6379
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
@@ -150,9 +145,8 @@ jobs:
           pip install -e .[hive]
           ./scripts/python_tests.sh -m 'chart_data_flow or sql_json_flow'
       - name: Upload code coverage
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
+        uses: codecov/codecov-action@v5
         with:
           flags: python,hive
+          token: ${{ secrets.CODECOV_TOKEN }}
           verbose: true
-          use_oidc: true
-          slug: apache/superset

.github/workflows/superset-python-unittest.yml

@@ -17,8 +17,6 @@ concurrency:
 jobs:
   unit-tests:
     runs-on: ubuntu-24.04
-    permissions:
-      id-token: write
     strategy:
       matrix:
         python-version: ["previous", "current", "next"]
@@ -26,7 +24,7 @@ jobs:
       PYTHONPATH: ${{ github.workspace }}
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
@@ -54,11 +52,9 @@ jobs:
           SUPERSET_SECRET_KEY: not-a-secret
         run: |
           pytest --durations-min=0.5 --cov=superset/sql/ ./tests/unit_tests/sql/ --cache-clear --cov-fail-under=100
-          pytest --durations-min=0.5 --cov=superset/semantic_layers/ ./tests/unit_tests/semantic_layers/ --cache-clear --cov-fail-under=100
       - name: Upload code coverage
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
+        uses: codecov/codecov-action@v5
         with:
           flags: python,unit
+          token: ${{ secrets.CODECOV_TOKEN }}
           verbose: true
-          use_oidc: true
-          slug: apache/superset

.github/workflows/superset-translations.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
@@ -31,7 +31,7 @@ jobs:
 
       - name: Setup Node.js
         if: steps.check.outputs.frontend
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@v5
         with:
           node-version-file:  './superset-frontend/.nvmrc'
       - name: Install dependencies
@@ -49,7 +49,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
@@ -62,10 +62,6 @@ jobs:
       - name: Setup Python
         if: steps.check.outputs.python
         uses: ./.github/actions/setup-backend/
-
-      - name: Install msgcat
-        run: sudo apt update && sudo apt install gettext
-
       - name: Test babel extraction
         if: steps.check.outputs.python
         run: ./scripts/translations/babel_update.sh

.github/workflows/superset-websocket.yml

@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
       - name: Install dependencies

.github/workflows/supersetbot.yml

@@ -26,7 +26,7 @@ jobs:
     steps:
       - name: Quickly add thumbs up!
         if: github.event_name == 'issue_comment' && contains(github.event.comment.body, '@supersetbot')
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@v8
         with:
           script: |
             const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/')
@@ -38,7 +38,7 @@ jobs:
             });
 
       - name: "Checkout ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
 

.github/workflows/tag-release.yml

@@ -31,12 +31,10 @@ jobs:
         id: check
         shell: bash
         run: |
-          if [ -n "${DOCKERHUB_USER}" ]; then
+          if [ -n "${{ (secrets.DOCKERHUB_USER != '' && secrets.DOCKERHUB_TOKEN != '') || '' }}" ]; then
             echo "has-secrets=1" >> "$GITHUB_OUTPUT"
           fi
 
-        env:
-          DOCKERHUB_USER: ${{ (secrets.DOCKERHUB_USER != '' && secrets.DOCKERHUB_TOKEN != '') || '' }}
   docker-release:
     needs: config
     if: needs.config.outputs.has-secrets
@@ -49,7 +47,7 @@ jobs:
     steps:
 
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -62,7 +60,7 @@ jobs:
           build: "true"
 
       - name: Use Node.js 20
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@v5
         with:
           node-version: 20
 
@@ -74,20 +72,17 @@ jobs:
           DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
           DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          INPUT_RELEASE: ${{ github.event.inputs.release }}
-          INPUT_FORCE_LATEST: ${{ github.event.inputs.force-latest }}
-          INPUT_GIT_REF: ${{ github.event.inputs.git-ref }}
         run: |
           RELEASE="${{ github.event.release.tag_name }}"
           FORCE_LATEST=""
           EVENT="${{github.event_name}}"
           if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
             # in the case of a manually-triggered run, read release from input
-            RELEASE="${INPUT_RELEASE}"
-            if [ "${INPUT_FORCE_LATEST}" = "true" ]; then
+            RELEASE="${{ github.event.inputs.release }}"
+            if [ "${{ github.event.inputs.force-latest }}" = "true" ]; then
               FORCE_LATEST="--force-latest"
             fi
-            git checkout "${INPUT_GIT_REF}"
+            git checkout "${{ github.event.inputs.git-ref }}"
             EVENT="release"
           fi
 
@@ -112,12 +107,12 @@ jobs:
     steps:
 
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
       - name: Use Node.js 20
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@v5
         with:
           node-version: 20
 
@@ -127,7 +122,6 @@ jobs:
       - name: Label the PRs with the right release-related labels
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          INPUT_RELEASE: ${{ github.event.inputs.release }}
         run: |
           export GITHUB_ACTOR=""
           git fetch --all --tags
@@ -135,6 +129,6 @@ jobs:
           RELEASE="${{ github.event.release.tag_name }}"
           if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
             # in the case of a manually-triggered run, read release from input
-            RELEASE="${INPUT_RELEASE}"
+            RELEASE="${{ github.event.inputs.release }}"
           fi
           supersetbot release-label $RELEASE

.github/workflows/tech-debt.yml

@@ -6,9 +6,6 @@ on:
       - master
       - "[0-9].[0-9]*"
 
-permissions:
-  contents: read
-
 jobs:
   config:
     runs-on: ubuntu-24.04
@@ -19,12 +16,10 @@ jobs:
         id: check
         shell: bash
         run: |
-          if [ -n "${GSHEET_KEY}" ]; then
+          if [ -n "${{ (secrets.GSHEET_KEY != '' ) || '' }}" ]; then
             echo "has-secrets=1" >> "$GITHUB_OUTPUT"
           fi
 
-        env:
-          GSHEET_KEY: ${{ (secrets.GSHEET_KEY != '' ) || '' }}
   process-and-upload:
     needs: config
     if: needs.config.outputs.has-secrets
@@ -32,10 +27,10 @@ jobs:
     name: Generate Reports
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v5
 
       - name: Set up Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@v5
         with:
           node-version-file: './superset-frontend/.nvmrc'
 

.gitignore

@@ -61,19 +61,21 @@ tmp
 rat-results.txt
 superset/app/
 superset-websocket/config.json
-.direnv
-*.log
 
 # Node.js, webpack artifacts, storybook
 *.entry.js
 *.js.map
 node_modules
 npm-debug.log*
-superset/static/*
 superset/static/assets/*
 !superset/static/assets/.gitkeep
 superset/static/uploads/*
 !superset/static/uploads/.gitkeep
+superset/static/version_info.json
+superset-frontend/**/esm/*
+superset-frontend/**/lib/*
+superset-frontend/**/storybook-static/*
+superset-frontend/migration-storybook.log
 yarn-error.log
 *.map
 *.min.js
@@ -134,8 +136,5 @@ CLAUDE.local.md
 PROJECT.md
 .aider*
 .claude_rc*
-.claude/settings.local.json
 .env.local
 oxc-custom-build/
-*.code-workspace
-*.duckdb

.pre-commit-config.yaml

@@ -27,7 +27,6 @@ repos:
         args: [--check-untyped-defs]
         exclude: ^superset-extensions-cli/
         additional_dependencies: [
-            types-cachetools,
             types-simplejson,
             types-python-dateutil,
             types-requests,
@@ -50,12 +49,12 @@ repos:
     hooks:
       - id: check-docstring-first
       - id: check-added-large-files
-        exclude: ^.*\.(geojson)$|^docs/static/img/screenshots/.*|^superset-frontend/CHANGELOG\.md$|^superset/examples/.*/data\.parquet$
+        exclude: ^.*\.(geojson)$|^docs/static/img/screenshots/.*|^superset-frontend/CHANGELOG\.md$
       - id: check-yaml
         exclude: ^helm/superset/templates/
       - id: debug-statements
       - id: end-of-file-fixer
-        exclude: .*/lerna\.json$|^docs/static/img/logos/
+        exclude: .*/lerna\.json$
       - id: trailing-whitespace
         exclude: ^.*\.(snap)
         args: ["--markdown-linebreak-ext=md"]
@@ -83,7 +82,7 @@ repos:
         files: ^superset-frontend/.*\.(js|jsx|ts|tsx)$
       - id: eslint-docs
         name: eslint (docs)
-        entry: bash -c 'cd docs && FILES=$(printf "%s\n" "$@" | sed "s|^docs/||" | tr "\n" " ") && yarn eslint --fix --quiet $FILES'
+        entry: bash -c 'cd docs && FILES=$(echo "$@" | sed "s|docs/||g") && yarn eslint --fix --quiet $FILES'
         language: system
         pass_filenames: true
         files: ^docs/.*\.(js|jsx|ts|tsx)$
@@ -107,19 +106,12 @@ repos:
         files: helm
         verbose: false
         args: ["--log-level", "error"]
-  # Using local hooks ensures ruff version matches requirements/development.txt
-  - repo: local
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.9.7
     hooks:
       - id: ruff-format
-        name: ruff-format
-        entry: ruff format
-        language: system
-        types: [python]
       - id: ruff
-        name: ruff
-        entry: ruff check --fix --show-fixes
-        language: system
-        types: [python]
+        args: [--fix]
   - repo: local
     hooks:
       - id: pylint
@@ -143,18 +135,3 @@ repos:
             else
               echo "No Python files to lint."
             fi
-      - id: db-engine-spec-metadata
-        name: database engine spec metadata validation
-        entry: python superset/db_engine_specs/lint_metadata.py --strict
-        language: system
-        files: ^superset/db_engine_specs/.*\.py$
-        exclude: ^superset/db_engine_specs/(base|lib|lint_metadata|__init__)\.py$
-        pass_filenames: false
-  - repo: local
-    hooks:
-      - id: feature-flags-sync
-        name: feature flags documentation sync
-        entry: bash -c 'python scripts/extract_feature_flags.py > docs/static/feature-flags.json.tmp && if ! diff -q docs/static/feature-flags.json docs/static/feature-flags.json.tmp > /dev/null 2>&1; then mv docs/static/feature-flags.json.tmp docs/static/feature-flags.json && echo "Updated docs/static/feature-flags.json" && exit 1; else rm docs/static/feature-flags.json.tmp; fi'
-        language: system
-        files: ^superset/config\.py$
-        pass_filenames: false

.rat-excludes

@@ -43,9 +43,6 @@ _build/*
 _static/*
 .buildinfo
 searchindex.js
-# auto-generated by docs/scripts/convert-api-sidebar.mjs from openapi.json
-sidebar.js
-sidebar.ts
 # auto generated
 requirements/*
 # vendorized
@@ -70,19 +67,22 @@ temporary_superset_ui/*
 # skip license checks for auto-generated test snapshots
 .*snap
 
-# docs third-party logos (database logos, org logos, etc.)
-databases/*
-logos/*
+# docs overrides for third party logos we don't have the rights to
+google-big-query.svg
+google-sheets.svg
+ibm-db2.svg
+postgresql.svg
+snowflake.svg
+ydb.svg
+loading.svg
 
 # docs-related
 erd.puml
 erd.svg
 intro_header.txt
-TODO.md
 
 # for LLMs
 llm-context.md
-llms.txt
 AGENTS.md
 LLMS.md
 CLAUDE.md

AGENTS.md

@@ -2,27 +2,6 @@
 
 Apache Superset is a data visualization platform with Flask/Python backend and React/TypeScript frontend.
 
-## ⚠️ CRITICAL: Always Run Pre-commit Before Pushing
-
-**ALWAYS run `pre-commit run --all-files` before pushing commits.** CI will fail if pre-commit checks don't pass. This is non-negotiable.
-
-```bash
-# Stage your changes first
-git add .
-
-# Run pre-commit on all files
-pre-commit run --all-files
-
-# If there are auto-fixes, stage them and commit
-git add .
-git commit --amend  # or new commit
-```
-
-Common pre-commit failures:
-- **Formatting** - black, prettier, eslint will auto-fix
-- **Type errors** - mypy failures need manual fixes
-- **Linting** - ruff, pylint issues need manual fixes
-
 ## ⚠️ CRITICAL: Ongoing Refactors (What NOT to Do)
 
 **These migrations are actively happening - avoid deprecated patterns:**
@@ -101,30 +80,6 @@ superset/
 - **UPDATING.md**: Add breaking changes here
 - **Docstrings**: Required for new functions/classes
 
-## Developer Portal: Storybook-to-MDX Documentation
-
-The Developer Portal auto-generates MDX documentation from Storybook stories. **Stories are the single source of truth.**
-
-### Core Philosophy
-- **Fix issues in the STORY, not the generator** - When something doesn't render correctly, update the story file first
-- **Generator should be lightweight** - It extracts and passes through data; avoid special cases
-- **Stories define everything** - Props, controls, galleries, examples all come from story metadata
-
-### Story Requirements for Docs Generation
-- Use `export default { title: '...' }` (inline), not `const meta = ...; export default meta;`
-- Name interactive stories `Interactive${ComponentName}` (e.g., `InteractiveButton`)
-- Define `args` for default prop values
-- Define `argTypes` at the story level (not meta level) with control types and descriptions
-- Use `parameters.docs.gallery` for size×style variant grids
-- Use `parameters.docs.sampleChildren` for components that need children
-- Use `parameters.docs.liveExample` for custom live code blocks
-- Use `parameters.docs.staticProps` for complex object props that can't be parsed inline
-
-### Generator Location
-- Script: `docs/scripts/generate-superset-components.mjs`
-- Wrapper: `docs/src/components/StorybookWrapper.jsx`
-- Output: `docs/developer_portal/components/`
-
 ## Architecture Patterns
 
 ### Security & Features

CHANGELOG.md

@@ -49,4 +49,3 @@ under the License.
 - [4.1.3](./CHANGELOG/4.1.3.md)
 - [4.1.4](./CHANGELOG/4.1.4.md)
 - [5.0.0](./CHANGELOG/5.0.0.md)
-- [6.0.0](./CHANGELOG/6.0.0.md)

Dockerfile

@@ -26,10 +26,13 @@ ARG BUILDPLATFORM=${BUILDPLATFORM:-amd64}
 # Include translations in the final build
 ARG BUILD_TRANSLATIONS="false"
 
+# Build arg to pre-populate examples DuckDB file
+ARG LOAD_EXAMPLES_DUCKDB="false"
+
 ######################################################################
 # superset-node-ci used as a base for building frontend assets and CI
 ######################################################################
-FROM --platform=${BUILDPLATFORM} node:22-trixie-slim AS superset-node-ci
+FROM --platform=${BUILDPLATFORM} node:20-trixie-slim AS superset-node-ci
 ARG BUILD_TRANSLATIONS
 ENV BUILD_TRANSLATIONS=${BUILD_TRANSLATIONS}
 ARG DEV_MODE="false"           # Skip frontend build in dev mode
@@ -143,6 +146,9 @@ RUN if [ "${BUILD_TRANSLATIONS}" = "true" ]; then \
 ######################################################################
 FROM python-base AS python-common
 
+# Re-declare build arg to receive it in this stage
+ARG LOAD_EXAMPLES_DUCKDB
+
 ENV SUPERSET_HOME="/app/superset_home" \
     HOME="/app/superset_home" \
     SUPERSET_ENV="production" \
@@ -154,7 +160,7 @@ ENV SUPERSET_HOME="/app/superset_home" \
 COPY --chmod=755 docker/entrypoints /app/docker/entrypoints
 
 WORKDIR /app
-# Set up necessary directories
+# Set up necessary directories and user
 RUN mkdir -p \
       ${PYTHONPATH} \
       superset/static \
@@ -196,9 +202,17 @@ RUN /app/docker/apt-install.sh \
       libecpg-dev \
       libldap2-dev
 
-# Create data directory for DuckDB examples database
-# The database file will be created at runtime when examples are loaded from Parquet files
-RUN mkdir -p /app/data && chown -R superset:superset /app/data
+# Pre-load examples DuckDB file if requested
+RUN if [ "$LOAD_EXAMPLES_DUCKDB" = "true" ]; then \
+        mkdir -p /app/data && \
+        echo "Downloading pre-built examples.duckdb..." && \
+        curl -L -o /app/data/examples.duckdb \
+            "https://raw.githubusercontent.com/apache-superset/examples-data/master/examples.duckdb" && \
+        chown -R superset:superset /app/data; \
+    else \
+        mkdir -p /app/data && \
+        chown -R superset:superset /app/data; \
+    fi
 
 # Copy compiled things from previous stages
 COPY --from=superset-node /app/superset/static/assets superset/static/assets

INSTALL.md

@@ -16,20 +16,8 @@ KIND, either express or implied.  See the License for the
 specific language governing permissions and limitations
 under the License.
 -->
-# Installing Apache Superset
+# INSTALL / BUILD instructions for Apache Superset
 
-For comprehensive installation instructions, please see the Apache Superset documentation:
-
-**[📚 Installation Guide →](https://superset.apache.org/docs/installation/installation-methods)**
-
-The documentation covers:
-- [Docker Compose](https://superset.apache.org/docs/installation/docker-compose) (recommended for development)
-- [Kubernetes / Helm](https://superset.apache.org/docs/installation/kubernetes)
-- [PyPI](https://superset.apache.org/docs/installation/pypi)
-- [Docker Builds](https://superset.apache.org/docs/installation/docker-builds)
-- [Architecture Overview](https://superset.apache.org/docs/installation/architecture)
-
-## Building from Source
-
-For building from a source release tarball, see the Dockerfile at:
-`RELEASING/Dockerfile.from_local_tarball`
+At this time, the docker file at RELEASING/Dockerfile.from_local_tarball
+constitutes the recipe on how to get to a working release from a source
+release tarball.

LINTING_ARCHITECTURE.md

@@ -0,0 +1,121 @@
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+# Superset Frontend Linting Architecture
+
+## Overview
+We use a hybrid linting approach combining OXC (fast, standard rules) with custom AST-based checks for Superset-specific patterns.
+
+## Components
+
+### 1. Primary Linter: OXC
+- **What**: Oxidation Compiler's linter (oxlint)
+- **Handles**: 95% of linting rules (standard ESLint rules, TypeScript, React, etc.)
+- **Speed**: ~50-100x faster than ESLint
+- **Config**: `oxlint.json`
+
+### 2. Custom Rule Checker
+- **What**: Node.js AST-based script
+- **Handles**: Superset-specific rules:
+  - No literal colors (use theme)
+  - No FontAwesome icons (use Icons component)
+  - No template vars in i18n
+- **Speed**: Fast enough for pre-commit
+- **Script**: `scripts/check-custom-rules.js`
+
+## Developer Workflow
+
+### Local Development
+```bash
+# Fast linting (OXC only)
+npm run lint
+
+# Full linting (OXC + custom rules)
+npm run lint:full
+
+# Auto-fix what's possible
+npm run lint-fix
+```
+
+### Pre-commit
+1. OXC runs first (via `scripts/oxlint.sh`)
+2. Custom rules check runs second (lightweight, AST-based)
+3. Both must pass for commit to succeed
+
+### CI Pipeline
+```yaml
+- name: Lint with OXC
+  run: npm run lint
+
+- name: Check custom rules
+  run: npm run check:custom-rules
+```
+
+## Why This Architecture?
+
+### ✅ Pros
+1. **No binary distribution issues** - ASF compatible
+2. **Fast performance** - OXC for bulk, lightweight script for custom
+3. **Maintainable** - Custom rules in JavaScript, not Rust
+4. **Flexible** - Can evolve as OXC adds plugin support
+5. **Cacheable** - Both OXC and Node.js are standard tools
+
+### ❌ Cons  
+1. **Two tools** - Slightly more complex than single linter
+2. **Duplicate parsing** - Files parsed twice (once by each tool)
+
+### 🔄 Migration Path
+When OXC supports JavaScript plugins:
+1. Convert `check-custom-rules.js` to OXC plugin format
+2. Consolidate back to single tool
+3. Keep same rules and developer experience
+
+## Implementation Checklist
+
+- [x] OXC for standard linting
+- [x] Pre-commit integration  
+- [ ] Custom rules script
+- [ ] Combine in npm scripts
+- [ ] Update CI pipeline
+- [ ] Developer documentation
+
+## Performance Targets
+
+| Operation | Target Time | Current |
+|-----------|------------|---------|
+| Pre-commit (changed files) | <2s | ✅ 1.5s |
+| Full lint (all files) | <10s | ✅ 8s |
+| Custom rules check | <5s | 🔄 TBD |
+
+## Caching Strategy
+
+### Local Development
+- OXC: Built-in incremental checking
+- Custom rules: Use file hash cache (similar to pytest cache)
+
+### CI
+- Cache `node_modules` (includes oxlint binary)
+- Cache custom rules results by commit hash
+- Skip unchanged files using git diff
+
+## Future Improvements
+
+1. **When OXC adds plugin support**: Migrate custom rules to OXC plugins
+2. **Consider Biome**: Another Rust-based linter with plugin support
+3. **AST sharing**: Investigate sharing AST between tools to avoid double parsing

Makefile

@@ -18,7 +18,7 @@
 # Python version installed; we need 3.10-3.11
 PYTHON=`command -v python3.11 || command -v python3.10`
 
-.PHONY: install superset venv pre-commit up down logs ps nuke ports open
+.PHONY: install superset venv pre-commit
 
 install: superset pre-commit
 
@@ -112,28 +112,3 @@ report-celery-beat:
 
 admin-user:
 	superset fab create-admin
-
-# Docker Compose with auto-assigned ports (for running multiple instances)
-up:
-	./scripts/docker-compose-up.sh
-
-up-detached:
-	./scripts/docker-compose-up.sh -d
-
-down:
-	./scripts/docker-compose-up.sh down
-
-logs:
-	./scripts/docker-compose-up.sh logs -f
-
-ps:
-	./scripts/docker-compose-up.sh ps
-
-nuke:
-	./scripts/docker-compose-up.sh nuke
-
-ports:
-	./scripts/docker-compose-up.sh ports
-
-open:
-	./scripts/docker-compose-up.sh open

README.md

@@ -23,12 +23,8 @@ under the License.
 [![Latest Release on Github](https://img.shields.io/github/v/release/apache/superset?sort=semver)](https://github.com/apache/superset/releases/latest)
 [![Build Status](https://github.com/apache/superset/actions/workflows/superset-python-unittest.yml/badge.svg)](https://github.com/apache/superset/actions)
 [![PyPI version](https://badge.fury.io/py/apache_superset.svg)](https://badge.fury.io/py/apache_superset)
+[![Coverage Status](https://codecov.io/github/apache/superset/coverage.svg?branch=master)](https://codecov.io/github/apache/superset)
 [![PyPI](https://img.shields.io/pypi/pyversions/apache_superset.svg?maxAge=2592000)](https://pypi.python.org/pypi/apache_superset)
-[![GitHub Stars](https://img.shields.io/github/stars/apache/superset?style=social)](https://github.com/apache/superset/stargazers)
-[![Contributors](https://img.shields.io/github/contributors/apache/superset)](https://github.com/apache/superset/graphs/contributors)
-[![Last Commit](https://img.shields.io/github/last-commit/apache/superset)](https://github.com/apache/superset/commits/master)
-[![Open Issues](https://img.shields.io/github/issues/apache/superset)](https://github.com/apache/superset/issues)
-[![Open PRs](https://img.shields.io/github/issues-pr/apache/superset)](https://github.com/apache/superset/pulls)
 [![Get on Slack](https://img.shields.io/badge/slack-join-orange.svg)](http://bit.ly/join-superset-slack)
 [![Documentation](https://img.shields.io/badge/docs-apache.org-blue.svg)](https://superset.apache.org)
 
@@ -48,18 +44,14 @@ under the License.
 
 A modern, enterprise-ready business intelligence web application.
 
-### Documentation
-
-- **[User Guide](https://superset.apache.org/user-docs/)** — For analysts and business users. Explore data, build charts, create dashboards, and connect databases.
-- **[Administrator Guide](https://superset.apache.org/admin-docs/)** — Install, configure, and operate Superset. Covers security, scaling, and database drivers.
-- **[Developer Guide](https://superset.apache.org/developer-docs/)** — Contribute to Superset or build on its REST API and extension framework.
-
 [**Why Superset?**](#why-superset) |
 [**Supported Databases**](#supported-databases) |
+[**Installation and Configuration**](#installation-and-configuration) |
 [**Release Notes**](https://github.com/apache/superset/blob/master/RELEASING/README.md#release-notes-for-recent-releases) |
 [**Get Involved**](#get-involved) |
+[**Contributor Guide**](#contributor-guide) |
 [**Resources**](#resources) |
-[**Organizations Using Superset**](https://superset.apache.org/inTheWild)
+[**Organizations Using Superset**](https://github.com/apache/superset/blob/master/RESOURCES/INTHEWILD.md)
 
 ## Why Superset?
 
@@ -93,7 +85,7 @@ Superset provides:
 
 **Craft Beautiful, Dynamic Dashboards**
 
-<kbd><img title="View Dashboards" src="https://superset.apache.org/img/screenshots/dashboard.jpg"/></kbd><br/>
+<kbd><img title="View Dashboards" src="https://superset.apache.org/img/screenshots/slack_dash.jpg"/></kbd><br/>
 
 **No-Code Chart Builder**
 
@@ -105,77 +97,51 @@ Superset provides:
 
 ## Supported Databases
 
-Superset can query data from any SQL-speaking datastore or data engine (Presto, Trino, Athena, [and more](https://superset.apache.org/docs/databases)) that has a Python DB-API driver and a SQLAlchemy dialect.
+Superset can query data from any SQL-speaking datastore or data engine (Presto, Trino, Athena, [and more](https://superset.apache.org/docs/configuration/databases)) that has a Python DB-API driver and a SQLAlchemy dialect.
 
 Here are some of the major database solutions that are supported:
 
-<!-- SUPPORTED_DATABASES_START -->
 <p align="center">
-  <a href="https://superset.apache.org/docs/databases/supported/amazon-athena" title="Amazon Athena"><img src="docs/static/img/databases/amazon-athena.jpg" alt="Amazon Athena" width="76" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/amazon-dynamodb" title="Amazon DynamoDB"><img src="docs/static/img/databases/aws.png" alt="Amazon DynamoDB" width="40" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/amazon-redshift" title="Amazon Redshift"><img src="docs/static/img/databases/redshift.png" alt="Amazon Redshift" width="100" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/apache-doris" title="Apache Doris"><img src="docs/static/img/databases/doris.png" alt="Apache Doris" width="103" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/apache-drill" title="Apache Drill"><img src="docs/static/img/databases/apache-drill.png" alt="Apache Drill" width="81" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/apache-druid" title="Apache Druid"><img src="docs/static/img/databases/druid.png" alt="Apache Druid" width="117" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/apache-hive" title="Apache Hive"><img src="docs/static/img/databases/apache-hive.svg" alt="Apache Hive" width="44" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/apache-impala" title="Apache Impala"><img src="docs/static/img/databases/apache-impala.png" alt="Apache Impala" width="21" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/apache-kylin" title="Apache Kylin"><img src="docs/static/img/databases/apache-kylin.png" alt="Apache Kylin" width="44" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/apache-pinot" title="Apache Pinot"><img src="docs/static/img/databases/apache-pinot.svg" alt="Apache Pinot" width="76" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/apache-solr" title="Apache Solr"><img src="docs/static/img/databases/apache-solr.png" alt="Apache Solr" width="79" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/apache-spark-sql" title="Apache Spark SQL"><img src="docs/static/img/databases/apache-spark.png" alt="Apache Spark SQL" width="75" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/ascend" title="Ascend"><img src="docs/static/img/databases/ascend.webp" alt="Ascend" width="117" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/aurora-mysql-data-api" title="Aurora MySQL (Data API)"><img src="docs/static/img/databases/mysql.png" alt="Aurora MySQL (Data API)" width="77" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/aurora-postgresql-data-api" title="Aurora PostgreSQL (Data API)"><img src="docs/static/img/databases/postgresql.svg" alt="Aurora PostgreSQL (Data API)" width="76" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/azure-data-explorer" title="Azure Data Explorer"><img src="docs/static/img/databases/kusto.png" alt="Azure Data Explorer" width="40" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/azure-synapse" title="Azure Synapse"><img src="docs/static/img/databases/azure.svg" alt="Azure Synapse" width="40" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/clickhouse" title="ClickHouse"><img src="docs/static/img/databases/clickhouse.png" alt="ClickHouse" width="150" height="37" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/cloudflare-d1" title="Cloudflare D1"><img src="docs/static/img/databases/cloudflare.png" alt="Cloudflare D1" width="40" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/cockroachdb" title="CockroachDB"><img src="docs/static/img/databases/cockroachdb.png" alt="CockroachDB" width="150" height="24" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/couchbase" title="Couchbase"><img src="docs/static/img/databases/couchbase.svg" alt="Couchbase" width="150" height="35" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/cratedb" title="CrateDB"><img src="docs/static/img/databases/cratedb.svg" alt="CrateDB" width="180" height="24" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/databend" title="Databend"><img src="docs/static/img/databases/databend.png" alt="Databend" width="100" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/databricks" title="Databricks"><img src="docs/static/img/databases/databricks.png" alt="Databricks" width="152" height="24" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/denodo" title="Denodo"><img src="docs/static/img/databases/denodo.png" alt="Denodo" width="138" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/dremio" title="Dremio"><img src="docs/static/img/databases/dremio.png" alt="Dremio" width="126" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/duckdb" title="DuckDB"><img src="docs/static/img/databases/duckdb.png" alt="DuckDB" width="52" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/elasticsearch" title="Elasticsearch"><img src="docs/static/img/databases/elasticsearch.png" alt="Elasticsearch" width="40" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/exasol" title="Exasol"><img src="docs/static/img/databases/exasol.png" alt="Exasol" width="72" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/firebird" title="Firebird"><img src="docs/static/img/databases/firebird.png" alt="Firebird" width="100" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/firebolt" title="Firebolt"><img src="docs/static/img/databases/firebolt.png" alt="Firebolt" width="100" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/google-bigquery" title="Google BigQuery"><img src="docs/static/img/databases/google-big-query.svg" alt="Google BigQuery" width="76" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/google-sheets" title="Google Sheets"><img src="docs/static/img/databases/google-sheets.svg" alt="Google Sheets" width="76" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/greenplum" title="Greenplum"><img src="docs/static/img/databases/greenplum.png" alt="Greenplum" width="124" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/hologres" title="Hologres"><img src="docs/static/img/databases/hologres.png" alt="Hologres" width="44" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/ibm-db2" title="IBM Db2"><img src="docs/static/img/databases/ibm-db2.svg" alt="IBM Db2" width="91" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/ibm-netezza-performance-server" title="IBM Netezza Performance Server"><img src="docs/static/img/databases/netezza.png" alt="IBM Netezza Performance Server" width="40" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/mariadb" title="MariaDB"><img src="docs/static/img/databases/mariadb.png" alt="MariaDB" width="150" height="37" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/microsoft-sql-server" title="Microsoft SQL Server"><img src="docs/static/img/databases/msql.png" alt="Microsoft SQL Server" width="50" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/monetdb" title="MonetDB"><img src="docs/static/img/databases/monet-db.png" alt="MonetDB" width="100" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/mongodb" title="MongoDB"><img src="docs/static/img/databases/mongodb.png" alt="MongoDB" width="150" height="38" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/motherduck" title="MotherDuck"><img src="docs/static/img/databases/motherduck.png" alt="MotherDuck" width="40" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/oceanbase" title="OceanBase"><img src="docs/static/img/databases/oceanbase.svg" alt="OceanBase" width="175" height="24" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/oracle" title="Oracle"><img src="docs/static/img/databases/oraclelogo.png" alt="Oracle" width="111" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/presto" title="Presto"><img src="docs/static/img/databases/presto-og.png" alt="Presto" width="127" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/risingwave" title="RisingWave"><img src="docs/static/img/databases/risingwave.svg" alt="RisingWave" width="147" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/sap-hana" title="SAP HANA"><img src="docs/static/img/databases/sap-hana.png" alt="SAP HANA" width="137" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/sap-sybase" title="SAP Sybase"><img src="docs/static/img/databases/sybase.png" alt="SAP Sybase" width="100" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/shillelagh" title="Shillelagh"><img src="docs/static/img/databases/shillelagh.png" alt="Shillelagh" width="40" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/singlestore" title="SingleStore"><img src="docs/static/img/databases/singlestore.png" alt="SingleStore" width="150" height="31" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/snowflake" title="Snowflake"><img src="docs/static/img/databases/snowflake.svg" alt="Snowflake" width="76" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/sqlite" title="SQLite"><img src="docs/static/img/databases/sqlite.png" alt="SQLite" width="84" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/starrocks" title="StarRocks"><img src="docs/static/img/databases/starrocks.png" alt="StarRocks" width="149" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/superset-meta-database" title="Superset meta database"><img src="docs/static/img/databases/superset.svg" alt="Superset meta database" width="150" height="39" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/tdengine" title="TDengine"><img src="docs/static/img/databases/tdengine.png" alt="TDengine" width="140" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/teradata" title="Teradata"><img src="docs/static/img/databases/teradata.png" alt="Teradata" width="124" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/timescaledb" title="TimescaleDB"><img src="docs/static/img/databases/timescale.png" alt="TimescaleDB" width="150" height="36" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/trino" title="Trino"><img src="docs/static/img/databases/trino.png" alt="Trino" width="89" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/vertica" title="Vertica"><img src="docs/static/img/databases/vertica.png" alt="Vertica" width="128" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/ydb" title="YDB"><img src="docs/static/img/databases/ydb.svg" alt="YDB" width="110" height="40" /></a> &nbsp;
-  <a href="https://superset.apache.org/docs/databases/supported/yugabytedb" title="YugabyteDB"><img src="docs/static/img/databases/yugabyte.png" alt="YugabyteDB" width="150" height="26" /></a>
+  <img src="https://superset.apache.org/img/databases/redshift.png" alt="redshift" border="0" width="200"/>
+  <img src="https://superset.apache.org/img/databases/google-biquery.png" alt="google-bigquery" border="0" width="200"/>
+  <img src="https://superset.apache.org/img/databases/snowflake.png" alt="snowflake" border="0" width="200"/>
+  <img src="https://superset.apache.org/img/databases/trino.png" alt="trino" border="0" width="150" />
+  <img src="https://superset.apache.org/img/databases/presto.png" alt="presto" border="0" width="200"/>
+  <img src="https://superset.apache.org/img/databases/databricks.png" alt="databricks" border="0" width="160" />
+  <img src="https://superset.apache.org/img/databases/druid.png" alt="druid" border="0" width="200" />
+  <img src="https://superset.apache.org/img/databases/firebolt.png" alt="firebolt" border="0" width="200" />
+  <img src="https://superset.apache.org/img/databases/timescale.png" alt="timescale" border="0" width="200" />
+  <img src="https://superset.apache.org/img/databases/postgresql.png" alt="postgresql" border="0" width="200" />
+  <img src="https://superset.apache.org/img/databases/mysql.png" alt="mysql" border="0" width="200" />
+  <img src="https://superset.apache.org/img/databases/mssql-server.png" alt="mssql-server" border="0" width="200" />
+  <img src="https://superset.apache.org/img/databases/ibm-db2.svg" alt="db2" border="0" width="220" />
+  <img src="https://superset.apache.org/img/databases/sqlite.png" alt="sqlite" border="0" width="200" />
+  <img src="https://superset.apache.org/img/databases/sybase.png" alt="sybase" border="0" width="200" />
+  <img src="https://superset.apache.org/img/databases/mariadb.png" alt="mariadb" border="0" width="200" />
+  <img src="https://superset.apache.org/img/databases/vertica.png" alt="vertica" border="0" width="200" />
+  <img src="https://superset.apache.org/img/databases/oracle.png" alt="oracle" border="0" width="200" />
+  <img src="https://superset.apache.org/img/databases/firebird.png" alt="firebird" border="0" width="200" />
+  <img src="https://superset.apache.org/img/databases/greenplum.png" alt="greenplum" border="0" width="200"  />
+  <img src="https://superset.apache.org/img/databases/clickhouse.png" alt="clickhouse" border="0" width="200" />
+  <img src="https://superset.apache.org/img/databases/exasol.png" alt="exasol" border="0" width="160" />
+  <img src="https://superset.apache.org/img/databases/monet-db.png" alt="monet-db" border="0" width="200"  />
+  <img src="https://superset.apache.org/img/databases/apache-kylin.png" alt="apache-kylin" border="0" width="80"/>
+  <img src="https://superset.apache.org/img/databases/hologres.png" alt="hologres" border="0" width="80"/>
+  <img src="https://superset.apache.org/img/databases/netezza.png" alt="netezza" border="0" width="80"/>
+  <img src="https://superset.apache.org/img/databases/pinot.png" alt="pinot" border="0" width="200" />
+  <img src="https://superset.apache.org/img/databases/teradata.png" alt="teradata" border="0" width="200" />
+  <img src="https://superset.apache.org/img/databases/yugabyte.png" alt="yugabyte" border="0" width="200" />
+  <img src="https://superset.apache.org/img/databases/databend.png" alt="databend" border="0" width="200" />
+  <img src="https://superset.apache.org/img/databases/starrocks.png" alt="starrocks" border="0" width="200" />
+  <img src="https://superset.apache.org/img/databases/doris.png" alt="doris" border="0" width="200" />
+  <img src="https://superset.apache.org/img/databases/oceanbase.svg" alt="oceanbase" border="0" width="220" />
+  <img src="https://superset.apache.org/img/databases/sap-hana.png" alt="sap-hana" border="0" width="220" />
+  <img src="https://superset.apache.org/img/databases/denodo.png" alt="denodo" border="0" width="200" />
+  <img src="https://superset.apache.org/img/databases/ydb.svg" alt="ydb" border="0" width="200" />
+  <img src="https://superset.apache.org/img/databases/tdengine.png" alt="TDengine" border="0" width="200" />
 </p>
-<!-- SUPPORTED_DATABASES_END -->
 
-**A more comprehensive list of supported databases** along with the configuration instructions can be found [here](https://superset.apache.org/docs/databases).
+**A more comprehensive list of supported databases** along with the configuration instructions can be found [here](https://superset.apache.org/docs/configuration/databases).
 
 Want to add support for your datastore or data engine? Read more [here](https://superset.apache.org/docs/frequently-asked-questions#does-superset-work-with-insert-database-engine-here) about the technical requirements.
 
@@ -195,14 +161,14 @@ Try out Superset's [quickstart](https://superset.apache.org/docs/quickstart/) gu
 ## Contributor Guide
 
 Interested in contributing? Check out our
-[Developer Guide](https://superset.apache.org/developer-docs/)
+[CONTRIBUTING.md](https://github.com/apache/superset/blob/master/CONTRIBUTING.md)
 to find resources around contributing along with a detailed guide on
 how to set up a development environment.
 
 ## Resources
 
-- [Superset "In the Wild"](https://superset.apache.org/inTheWild) - see who's using Superset, and [add your organization](https://github.com/apache/superset/edit/master/RESOURCES/INTHEWILD.yaml) to the list!
-- [Feature Flags](https://superset.apache.org/docs/configuration/feature-flags) - the status of Superset's Feature Flags.
+- [Superset "In the Wild"](https://github.com/apache/superset/blob/master/RESOURCES/INTHEWILD.md) - open a PR to add your org to the list!
+- [Feature Flags](https://github.com/apache/superset/blob/master/RESOURCES/FEATURE_FLAGS.md) - the status of Superset's Feature Flags.
 - [Standard Roles](https://github.com/apache/superset/blob/master/RESOURCES/STANDARD_ROLES.md) - How RBAC permissions map to roles.
 - [Superset Wiki](https://github.com/apache/superset/wiki) - Tons of additional community resources: best practices, community content and other information.
 - [Superset SIPs](https://github.com/orgs/apache/projects/170) - The status of Superset's SIPs (Superset Improvement Proposals) for both consensus and implementation status.

RELEASING/README.md

@@ -458,7 +458,7 @@ cd ../
 sed -i '' "s/version_string = .*/version_string = \"$SUPERSET_VERSION\"/" setup.py
 
 # build the python distribution
-python -m build
+python setup.py sdist
 ```
 
 Publish to PyPI

RELEASING/release-notes-1-0/README.md

@@ -92,7 +92,7 @@ Some of the new features in this release are disabled by default. Each has a fea
 
 | Feature | Feature Flag | Dependencies | Documentation
 | --- | --- | --- | --- |
-| Global Async Queries | `GLOBAL_ASYNC_QUERIES: True` | Redis 5.0+, celery workers configured and running | [Extra documentation](https://superset.apache.org/docs/contributing/misc#async-chart-queries)
+| Global Async Queries | `GLOBAL_ASYNC_QUERIES: True` | Redis 5.0+, celery workers configured and running | [Extra documentation](https://github.com/apache/superset/blob/master/CONTRIBUTING.md#async-chart-queries )
 | Dashboard Native Filters | `DASHBOARD_NATIVE_FILTERS: True` | |
 | Alerts & Reporting | `ALERT_REPORTS: True` | [Celery workers configured & celery beat process](https://superset.apache.org/docs/installation/async-queries-celery) |
 | Homescreen Thumbnails | `THUMBNAILS: TRUE, THUMBNAIL_CACHE_CONFIG: CacheConfig = { "CACHE_TYPE": "null", "CACHE_NO_NULL_WARNING": True}`| selenium, pillow 7, celery |

RELEASING/verify_release.py

@@ -56,33 +56,8 @@ def verify_sha512(filename: str) -> str:
 # Part 2: Verify RSA key - this is the same as running `gpg --verify {release}.asc {release}` and comparing the RSA key and email address against the KEYS file  # noqa: E501
 
 
-KEYS_URL = "https://downloads.apache.org/superset/KEYS"
-
-
-def ensure_keys_imported() -> None:
-    """Import the Apache Superset KEYS file into the local GPG keyring.
-
-    Without this, `gpg --verify` returns "No public key" and the signature
-    cannot actually be verified — only the key ID in the signature metadata
-    is visible.
-    """
-    try:
-        keys = requests.get(KEYS_URL, timeout=30)
-    except requests.RequestException as exc:
-        print(f"Warning: could not fetch KEYS file for import: {exc}")
-        return
-    if keys.status_code != 200:
-        print(f"Warning: could not fetch KEYS file (HTTP {keys.status_code})")
-        return
-    subprocess.run(  # noqa: S603
-        ["gpg", "--import"],  # noqa: S607
-        input=keys.content,
-        capture_output=True,
-    )
-
-
 def get_gpg_info(filename: str) -> tuple[Optional[str], Optional[str]]:
-    """Run the GPG verify command and extract RSA/EDDSA key and email address."""
+    """Run the GPG verify command and extract RSA key and email address."""
     asc_filename = filename + ".asc"
     result = subprocess.run(  # noqa: S603
         ["gpg", "--verify", asc_filename, filename],  # noqa: S607
@@ -90,50 +65,25 @@ def get_gpg_info(filename: str) -> tuple[Optional[str], Optional[str]]:
     )
     output = result.stderr.decode()
 
-    # If no public key was available, import KEYS and retry so that
-    # `Good signature from "Name <email>"` appears in the output.
-    if "No public key" in output:
-        ensure_keys_imported()
-        result = subprocess.run(  # noqa: S603
-            ["gpg", "--verify", asc_filename, filename],  # noqa: S607
-            capture_output=True,  # noqa: S607
-        )
-        output = result.stderr.decode()
-
     rsa_key = re.search(r"RSA key ([0-9A-F]+)", output)
     eddsa_key = re.search(r"EDDSA key ([0-9A-F]+)", output)
-
-    # Try multiple patterns — `Good signature from` is the most reliable
-    # source of the email; `issuer` is a fallback for older gpg output.
-    email_patterns = (
-        r'Good signature from ".*?<([^>]+)>"',
-        r'aka ".*?<([^>]+)>"',
-        r'issuer "([^"]+)"',
-    )
-    email_result: Optional[str] = None
-    for pattern in email_patterns:
-        match = re.search(pattern, output)
-        if match:
-            email_result = match.group(1)
-            break
+    email = re.search(r'issuer "([^"]+)"', output)
 
     rsa_key_result = rsa_key.group(1) if rsa_key else None
     eddsa_key_result = eddsa_key.group(1) if eddsa_key else None
+    email_result = email.group(1) if email else None
+
     key_result = rsa_key_result or eddsa_key_result
 
+    # Debugging:
     if key_result:
         print("RSA or EDDSA Key found")
     else:
         print("Warning: No RSA or EDDSA key found in GPG verification output.")
     if email_result:
-        print(f"Email found: {email_result}")
+        print("email found")
     else:
         print("Warning: No email address found in GPG verification output.")
-        if "No public key" in output:
-            print(
-                "Hint: public key is not in your keyring. Import it with:\n"
-                f"  curl -s {KEYS_URL} | gpg --import"
-            )
 
     return key_result, email_result
 

RESOURCES/FEATURE_FLAGS.md

@@ -0,0 +1,103 @@
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+# Superset Feature Flags
+
+This is a list of the current Superset optional features. See config.py for default values. These features can be turned on/off by setting your preferred values in superset_config.py to True/False respectively
+
+## In Development
+
+These features are considered **unfinished** and should only be used on development environments.
+
+[//]: # "PLEASE KEEP THE LIST SORTED ALPHABETICALLY"
+
+- ALERT_REPORT_TABS
+- DATE_RANGE_TIMESHIFTS_ENABLED
+- ENABLE_ADVANCED_DATA_TYPES
+- PRESTO_EXPAND_DATA
+- SHARE_QUERIES_VIA_KV_STORE
+- TAGGING_SYSTEM
+- CHART_PLUGINS_EXPERIMENTAL
+
+## In Testing
+
+These features are **finished** but currently being tested. They are usable, but may still contain some bugs.
+
+[//]: # "PLEASE KEEP THE LIST SORTED ALPHABETICALLY"
+
+- ALERT_REPORTS: [(docs)](https://superset.apache.org/docs/configuration/alerts-reports)
+- ALLOW_FULL_CSV_EXPORT
+- CACHE_IMPERSONATION
+- CONFIRM_DASHBOARD_DIFF
+- DYNAMIC_PLUGINS
+- DATE_FORMAT_IN_EMAIL_SUBJECT: [(docs)](https://superset.apache.org/docs/configuration/alerts-reports#commons)
+- ENABLE_SUPERSET_META_DB: [(docs)](https://superset.apache.org/docs/configuration/databases/#querying-across-databases)
+- ESTIMATE_QUERY_COST
+- GLOBAL_ASYNC_QUERIES [(docs)](https://github.com/apache/superset/blob/master/CONTRIBUTING.md#async-chart-queries)
+- IMPERSONATE_WITH_EMAIL_PREFIX
+- PLAYWRIGHT_REPORTS_AND_THUMBNAILS
+- RLS_IN_SQLLAB
+- SSH_TUNNELING [(docs)](https://superset.apache.org/docs/configuration/setup-ssh-tunneling)
+- USE_ANALAGOUS_COLORS
+
+## Stable
+
+These features flags are **safe for production**. They have been tested and will be supported for the at least the current major version cycle.
+
+[//]: # "PLEASE KEEP THESE LISTS SORTED ALPHABETICALLY"
+
+### Flags on the path to feature launch and flag deprecation/removal
+
+- DASHBOARD_VIRTUALIZATION
+
+### Flags retained for runtime configuration
+
+Currently some of our feature flags act as dynamic configurations that can changed
+on the fly. This acts in contradiction with the typical ephemeral feature flag use case,
+where the flag is used to mature a feature, and eventually deprecated once the feature is
+solid. Eventually we'll likely refactor these under a more formal "dynamic configurations" managed
+independently. This new framework will also allow for non-boolean configurations.
+
+- ALERTS_ATTACH_REPORTS
+- ALLOW_ADHOC_SUBQUERY
+- DASHBOARD_RBAC [(docs)](https://superset.apache.org/docs/using-superset/creating-your-first-dashboard#manage-access-to-dashboards)
+- DATAPANEL_CLOSED_BY_DEFAULT
+- DRILL_BY
+- DRUID_JOINS
+- EMBEDDABLE_CHARTS
+- EMBEDDED_SUPERSET
+- ENABLE_TEMPLATE_PROCESSING
+- ESCAPE_MARKDOWN_HTML
+- LISTVIEWS_DEFAULT_CARD_VIEW
+- SCHEDULED_QUERIES [(docs)](https://superset.apache.org/docs/configuration/alerts-reports)
+- SLACK_ENABLE_AVATARS (see `superset/config.py` for more information)
+- SQLLAB_BACKEND_PERSISTENCE
+- SQL_VALIDATORS_BY_ENGINE [(docs)](https://superset.apache.org/docs/configuration/sql-templating)
+- THUMBNAILS [(docs)](https://superset.apache.org/docs/configuration/cache)
+
+## Deprecated Flags
+
+These features flags currently default to True and **will be removed in a future major release**. For this current release you can turn them off by setting your config to False, but it is advised to remove or set these flags in your local configuration to **True** so that you do not experience any unexpected changes in a future release.
+
+[//]: # "PLEASE KEEP THE LIST SORTED ALPHABETICALLY"
+
+- AVOID_COLORS_COLLISION
+- DRILL_TO_DETAIL
+- ENABLE_JAVASCRIPT_CONTROLS
+- KV_STORE

RESOURCES/INTHEWILD.md

@@ -0,0 +1,226 @@
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+## Superset Users in the Wild
+
+Here's a list of organizations, broken down into broad industry categories, that have taken the time to send a PR to let
+the world know they are using Apache Superset. If you are a user and want to be recognized,
+all you have to do is file a simple PR [like this one](https://github.com/apache/superset/pull/10122) — [just click here](https://github.com/apache/superset/edit/master/RESOURCES/INTHEWILD.md) to do so. If you think
+the categorization is inaccurate, please file a PR with your correction as well.
+Join our growing community!
+
+### Sharing Economy
+
+- [Airbnb](https://github.com/airbnb)
+- [Faasos](https://faasos.com/) [@shashanksingh]
+- [Free2Move](https://www.free2move.com/) [@PaoloTerzi]
+- [Hostnfly](https://www.hostnfly.com/) [@alexisrosuel]
+- [Lime](https://www.li.me/) [@cxmcc]
+- [Lyft](https://www.lyft.com/)
+- [Ontruck](https://www.ontruck.com/)
+
+### Financial Services
+
+- [Aktia Bank plc](https://www.aktia.com)
+- [American Express](https://www.americanexpress.com) [@TheLastSultan]
+- [bumper](https://www.bumper.co/) [@vasu-ram, @JamiePercival]
+- [Cape Crypto](https://capecrypto.com)
+- [Capital Service S.A.](https://capitalservice.pl) [@pkonarzewski]
+- [Clark.de](https://clark.de/)
+- [Europace](https://europace.de)
+- [KarrotPay](https://www.daangnpay.com/)
+- [Remita](https://remita.net) [@mujibishola]
+- [Taveo](https://www.taveo.com) [@codek]
+- [Unit](https://www.unit.co/about-us) [@amitmiran137]
+- [Wise](https://wise.com) [@koszti]
+- [Xendit](https://xendit.co/) [@LieAlbertTriAdrian]
+- [Cover Genius](https://covergenius.com/)
+
+### Gaming
+
+- [Popoko VM Games Studio](https://popoko.live)
+
+### E-Commerce
+
+- [AiHello](https://www.aihello.com) [@ganeshkrishnan1]
+- [Bazaar Technologies](https://www.bazaartech.com) [@umair-abro]
+- [Dragonpass](https://www.dragonpass.com.cn/) [@zhxjdwh]
+- [Dropit Shopping](https://www.dropit.shop/) [@dropit-dev]
+- [Fanatics](https://www.fanatics.com/) [@coderfender]
+- [Fordeal](https://www.fordeal.com) [@Renkai]
+- [Fynd](https://www.fynd.com/) [@darpanjain07]
+- [GFG - Global Fashion Group](https://global-fashion-group.com) [@ksaagariconic]
+- [GoTo/Gojek](https://www.gojek.io/) [@gwthm-in]
+- [HuiShouBao](https://www.huishoubao.com/) [@Yukinoshita-Yukino]
+- [Now](https://www.now.vn/) [@davidkohcw]
+- [Qunar](https://www.qunar.com/) [@flametest]
+- [Rakuten Viki](https://www.viki.com)
+- [Shopee](https://shopee.sg) [@xiaohanyu]
+- [Shopkick](https://www.shopkick.com) [@LAlbertalli]
+- [ShopUp](https://www.shopup.org/) [@gwthm-in]
+- [Tails.com](https://tails.com/gb/) [@alanmcruickshank]
+- [THE ICONIC](https://theiconic.com.au/) [@ksaagariconic]
+- [Utair](https://www.utair.ru) [@utair-digital]
+- [VkusVill](https://vkusvill.ru/) [@ETselikov]
+- [Zalando](https://www.zalando.com) [@dmigo]
+- [Zalora](https://www.zalora.com) [@ksaagariconic]
+- [Zepto](https://www.zeptonow.com/) [@gwthm-in]
+
+### Enterprise Technology
+
+- [A3Data](https://a3data.com.br) [@neylsoncrepalde]
+- [Analytics Aura](https://analyticsaura.com/) [@Analytics-Aura]
+- [Apollo GraphQL](https://www.apollographql.com/) [@evans]
+- [Astronomer](https://www.astronomer.io) [@ryw]
+- [Avesta Technologies](https://avestatechnologies.com/) [@TheRum]
+- [Caizin](https://caizin.com/) [@tejaskatariya]
+- [Canonical](https://canonical.com)
+- [Careem](https://www.careem.com/) [@samraHanif0340]
+- [Cloudsmith](https://cloudsmith.io) [@alancarson]
+- [Cyberhaven](https://www.cyberhaven.com/) [@toliver-ch]
+- [Deepomatic](https://deepomatic.com/) [@Zanoellia]
+- [Dial Once](https://www.dial-once.com/)
+- [Dremio](https://dremio.com) [@narendrans]
+- [EFinance](https://www.efinance.com.eg) [@habeeb556]
+- [Elestio](https://elest.io/) [@kaiwalyakoparkar]
+- [ELMO Cloud HR & Payroll](https://elmosoftware.com.au/)
+- [Endress+Hauser](https://www.endress.com/) [@rumbin]
+- [FBK - ICT center](https://ict.fbk.eu)
+- [Formbricks](https://formbricks.com)
+- [Gavagai](https://gavagai.io) [@gavagai-corp]
+- [GfK Data Lab](https://www.gfk.com/home) [@mherr]
+- [HPE](https://www.hpe.com/in/en/home.html) [@anmol-hpe]
+- [Hydrolix](https://www.hydrolix.io/)
+- [Intercom](https://www.intercom.com/) [@kate-gallo]
+- [jampp](https://jampp.com/)
+- [Konfío](https://konfio.mx) [@uis-rodriguez]
+- [Mainstrat](https://mainstrat.com/)
+- [mishmash io](https://mishmash.io/) [@mishmash-io]
+- [Myra Labs](https://www.myralabs.com/) [@viksit]
+- [Nielsen](https://www.nielsen.com/) [@amitNielsen]
+- [Ona](https://ona.io) [@pld]
+- [Orange](https://www.orange.com) [@icsu]
+- [Oslandia](https://oslandia.com)
+- [Oxylabs](https://oxylabs.io/) [@rytis-ulys]
+- [Peak AI](https://www.peak.ai/) [@azhar22k]
+- [PeopleDoc](https://www.people-doc.com) [@rodo]
+- [PlaidCloud](https://www.plaidcloud.com)
+- [Preset, Inc.](https://preset.io)
+- [PubNub](https://pubnub.com) [@jzucker2]
+- [ReadyTech](https://www.readytech.io)
+- [Reward Gateway](https://www.rewardgateway.com)
+- [RIADVICE](https://riadvice.tn) [@riadvice]
+- [ScopeAI](https://www.getscopeai.com) [@iloveluce]
+- [shipmnts](https://shipmnts.com)
+- [Showmax](https://showmax.com) [@bobek]
+- [SingleStore](https://www.singlestore.com/)
+- [TechAudit](https://www.techaudit.info) [@ETselikov]
+- [Tenable](https://www.tenable.com) [@dflionis]
+- [Tentacle](https://www.linkedin.com/company/tentacle-cmi/) [@jdclarke5]
+- [timbr.ai](https://timbr.ai/) [@semantiDan]
+- [Tobii](https://www.tobii.com/) [@dwa]
+- [Tooploox](https://www.tooploox.com/) [@jakubczaplicki]
+- [Unvired](https://unvired.com) [@srinisubramanian]
+- [Virtuoso QA](https://www.virtuosoqa.com)
+- [Whale](https://whale.im)
+- [Windsor.ai](https://www.windsor.ai/) [@octaviancorlade]
+- [WinWin Network马上赢](https://brandct.cn/) [@wenbinye]
+- [Zeta](https://www.zeta.tech/) [@shaikidris]
+
+### Media & Entertainment
+
+- [6play](https://www.6play.fr) [@CoryChaplin]
+- [bilibili](https://www.bilibili.com) [@Moinheart]
+- [BurdaForward](https://www.burda-forward.de/en/)
+- [Douban](https://www.douban.com/) [@luchuan]
+- [Kuaishou](https://www.kuaishou.com/) [@zhaoyu89730105]
+- [Netflix](https://www.netflix.com/)
+- [Prensa Iberica](https://www.prensaiberica.es/) [@zamar-roura]
+- [TME QQMUSIC/WESING](https://www.tencentmusic.com/) [@shenyuanli,@marklaw]
+- [Xite](https://xite.com/) [@shashankkoppar]
+- [Zaihang](https://www.zaih.com/)
+
+### Education
+
+- [Aveti Learning](https://avetilearning.com/) [@TheShubhendra]
+- [Brilliant.org](https://brilliant.org/)
+- [Open edX](https://openedx.org/)
+- [Platzi.com](https://platzi.com/)
+- [Sunbird](https://www.sunbird.org/) [@eksteporg]
+- [The GRAPH Network](https://thegraphnetwork.org/) [@fccoelho]
+- [Udemy](https://www.udemy.com/) [@sungjuly]
+- [VIPKID](https://www.vipkid.com.cn/) [@illpanda]
+- [WikiMedia Foundation](https://wikimediafoundation.org) [@vg]
+
+### Energy
+
+- [Airboxlab](https://foobot.io) [@antoine-galataud]
+- [DouroECI](https://www.douroeci.com/) [@nunohelibeires]
+- [Safaricom](https://www.safaricom.co.ke/) [@mmutiso]
+- [Scoot](https://scoot.co/) [@haaspt]
+- [Wattbewerb](https://wattbewerb.de/) [@wattbewerb]
+
+### Healthcare
+
+- [Amino](https://amino.com) [@shkr]
+- [Bluesquare](https://www.bluesquarehub.com/) [@madewulf]
+- [Care](https://www.getcare.io/) [@alandao2021]
+- [Living Goods](https://www.livinggoods.org) [@chelule]
+- [Maieutical Labs](https://maieuticallabs.it) [@xrmx]
+- [Medic](https://medic.org) [@1yuv]
+- [REDCap Cloud](https://www.redcapcloud.com/)
+- [TrustMedis](https://trustmedis.com/) [@famasya]
+- [WeSure](https://www.wesure.cn/)
+- [2070Health](https://2070health.com/)
+
+### HR / Staffing
+
+- [Swile](https://www.swile.co/) [@PaoloTerzi]
+- [Symmetrics](https://www.symmetrics.fyi)
+- [bluquist](https://bluquist.com/)
+
+### Government
+
+- [City of Ann Arbor, MI](https://www.a2gov.org/) [@sfirke]
+- [RIS3 Strategy of CZ, MIT CR](https://www.ris3.cz/) [@RIS3CZ]
+- [NRLM - Sarathi, India](https://pib.gov.in/PressReleasePage.aspx?PRID=1999586)
+
+### Travel
+
+- [Agoda](https://www.agoda.com/) [@lostseaway, @maiake, @obombayo]
+- [HomeToGo](https://hometogo.com/) [@pedromartinsteenstrup]
+- [Skyscanner](https://www.skyscanner.net/) [@cleslie, @stanhoucke]
+
+### Others
+
+- [10Web](https://10web.io/)
+- [AI inside](https://inside.ai/en/)
+- [Automattic](https://automattic.com/) [@Khrol, @Usiel]
+- [Dropbox](https://www.dropbox.com/) [@bkyryliuk]
+- [Flowbird](https://flowbird.com) [@EmmanuelCbd]
+- [GEOTAB](https://www.geotab.com) [@JZ6]
+- [Grassroot](https://www.grassrootinstitute.org/)
+- [Increff](https://www.increff.com/) [@ishansinghania]
+- [komoot](https://www.komoot.com/) [@christophlingg]
+- [Let's Roam](https://www.letsroam.com/)
+- [Machrent SA](https://www.machrent.com/)
+- [Onebeat](https://1beat.com/) [@GuyAttia]
+- [X](https://x.com/)
+- [VLMedia](https://www.vlmedia.com.tr/) [@ibotheperfect]
+- [Yahoo!](https://yahoo.com/)

RESOURCES/INTHEWILD.yaml

@@ -1,703 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-# Apache Superset Users in the Wild
-#
-# To add your organization:
-# 1. Find the appropriate category (or add a new one)
-# 2. Add an entry with your organization details
-# 3. Optionally add a logo file to docs/static/img/logos/
-#
-# Required fields:
-#   - name: Your organization name
-#   - url: Link to your organization's website
-#
-# Optional fields:
-#   - logo: Filename of logo in docs/static/img/logos/ (e.g., "mycompany.svg")
-#   - contributors: List of GitHub usernames who contributed (e.g., ["@username"])
-
-categories:
-  Sharing Economy:
-    - name: Airbnb
-      url: https://github.com/airbnb
-
-    - name: Faasos
-      url: https://faasos.com/
-      contributors: ["@shashanksingh"]
-
-    - name: Free2Move
-      url: https://www.free2move.com/
-      contributors: ["@PaoloTerzi"]
-
-    - name: Hostnfly
-      url: https://www.hostnfly.com/
-      contributors: ["@alexisrosuel"]
-
-    - name: Lime
-      url: https://www.li.me/
-      contributors: ["@cxmcc"]
-
-    - name: Lyft
-      url: https://www.lyft.com/
-
-    - name: Ontruck
-      url: https://www.ontruck.com/
-
-  Financial Services:
-    - name: Aadhar Housing Finance Limited
-      url: https://www.aadharhousing.com
-      contributors: ["@thakerhardiks"]
-
-    - name: Aktia Bank plc
-      url: https://www.aktia.com
-
-    - name: American Express
-      url: https://www.americanexpress.com
-      contributors: ["@TheLastSultan"]
-
-    - name: bumper
-      url: https://www.bumper.co/
-      contributors: ["@vasu-ram", "@JamiePercival"]
-
-    - name: Cape Crypto
-      url: https://capecrypto.com
-
-    - name: Capital Service S.A.
-      url: https://capitalservice.pl
-      contributors: ["@pkonarzewski"]
-
-    - name: Clark.de
-      url: https://clark.de/
-
-    - name: EnquiryLabs
-      url: https://www.enquirylabs.co.uk
-
-    - name: Europace
-      url: https://europace.de
-
-    - name: KarrotPay
-      url: https://www.daangnpay.com/
-
-    - name: Remita
-      url: https://remita.net
-      contributors: ["@mujibishola"]
-
-    - name: Taveo
-      url: https://www.taveo.com
-      contributors: ["@codek"]
-
-    - name: Unit
-      url: https://www.unit.co/about-us
-      contributors: ["@amitmiran137"]
-
-    - name: Wise
-      url: https://wise.com
-      contributors: ["@koszti"]
-
-    - name: Xendit
-      url: https://xendit.co/
-      contributors: ["@LieAlbertTriAdrian"]
-
-    - name: Cover Genius
-      url: https://covergenius.com/
-
-  Gaming:
-    - name: Popoko VM Games Studio
-      url: https://popoko.live
-
-  E-Commerce:
-    - name: AiHello
-      url: https://www.aihello.com
-      contributors: ["@ganeshkrishnan1"]
-
-    - name: Bazaar Technologies
-      url: https://www.bazaartech.com
-      contributors: ["@umair-abro"]
-
-    - name: Blinkit
-      url: https://www.blinkit.com/
-      contributors: ["@amsharm2"]
-
-    - name: Dragonpass
-      url: https://www.dragonpass.com.cn/
-      contributors: ["@zhxjdwh"]
-
-    - name: Dropit Shopping
-      url: https://www.dropit.shop/
-      contributors: ["@dropit-dev"]
-
-    - name: Fordeal
-      url: https://www.fordeal.com
-      contributors: ["@Renkai"]
-
-    - name: Fynd
-      url: https://www.fynd.com/
-      contributors: ["@darpanjain07"]
-
-    - name: GFG - Global Fashion Group
-      url: https://global-fashion-group.com
-      contributors: ["@ksaagariconic"]
-
-    - name: GoTo/Gojek
-      url: https://www.gojek.io/
-      contributors: ["@gwthm-in"]
-
-    - name: HuiShouBao
-      url: https://www.huishoubao.com/
-      contributors: ["@Yukinoshita-Yukino"]
-
-    - name: Now
-      url: https://www.now.vn/
-      contributors: ["@davidkohcw"]
-
-    - name: Qunar
-      url: https://www.qunar.com/
-      contributors: ["@flametest"]
-
-    - name: Rakuten Viki
-      url: https://www.viki.com
-
-    - name: Shopee
-      url: https://shopee.sg
-      contributors: ["@xiaohanyu"]
-
-    - name: Shopkick
-      url: https://www.shopkick.com
-      contributors: ["@LAlbertalli"]
-
-    - name: ShopUp
-      url: https://www.shopup.org/
-      contributors: ["@gwthm-in"]
-
-    - name: Tails.com
-      url: https://tails.com/gb/
-      contributors: ["@alanmcruickshank"]
-
-    - name: THE ICONIC
-      url: https://theiconic.com.au/
-      contributors: ["@ksaagariconic"]
-
-    - name: Utair
-      url: https://www.utair.ru
-      contributors: ["@utair-digital"]
-
-    - name: VkusVill
-      url: https://vkusvill.ru/
-      contributors: ["@ETselikov"]
-
-    - name: Zalando
-      url: https://www.zalando.com
-      contributors: ["@dmigo"]
-
-    - name: Zalora
-      url: https://www.zalora.com
-      contributors: ["@ksaagariconic"]
-
-    - name: Zepto
-      url: https://www.zeptonow.com/
-      contributors: ["@gwthm-in"]
-
-  Enterprise Technology:
-    - name: A3Data
-      url: https://a3data.com.br
-      contributors: ["@neylsoncrepalde"]
-
-    - name: Analytics Aura
-      url: https://analyticsaura.com/
-      contributors: ["@Analytics-Aura"]
-
-    - name: Apollo GraphQL
-      url: https://www.apollographql.com/
-      contributors: ["@evans"]
-
-    - name: Astronomer
-      url: https://www.astronomer.io
-      contributors: ["@ryw"]
-
-    - name: Avesta Technologies
-      url: https://avestatechnologies.com/
-      contributors: ["@TheRum"]
-
-    - name: Caizin
-      url: https://caizin.com/
-      contributors: ["@tejaskatariya"]
-
-    - name: Canonical
-      url: https://canonical.com
-
-    - name: Careem
-      url: https://www.careem.com/
-      contributors: ["@samraHanif0340"]
-
-    - name: Cloudsmith
-      url: https://cloudsmith.io
-      contributors: ["@alancarson"]
-
-    - name: Cyberhaven
-      url: https://www.cyberhaven.com/
-      contributors: ["@toliver-ch"]
-
-    - name: Deepomatic
-      url: https://deepomatic.com/
-      contributors: ["@Zanoellia"]
-
-    - name: Dial Once
-      url: https://www.dial-once.com/
-
-    - name: Dremio
-      url: https://dremio.com
-      contributors: ["@narendrans"]
-
-    - name: EFinance
-      url: https://www.efinance.com.eg
-      contributors: ["@habeeb556"]
-
-    - name: Elestio
-      url: https://elest.io/
-      contributors: ["@kaiwalyakoparkar"]
-
-    - name: ELMO Cloud HR & Payroll
-      url: https://elmosoftware.com.au/
-
-    - name: Endress+Hauser
-      url: https://www.endress.com/
-      contributors: ["@rumbin"]
-
-    - name: FBK - ICT center
-      url: https://ict.fbk.eu
-
-    - name: Formbricks
-      url: https://formbricks.com
-
-    - name: Gavagai
-      url: https://gavagai.io
-      contributors: ["@gavagai-corp"]
-
-    - name: GfK Data Lab
-      url: https://www.gfk.com/home
-      contributors: ["@mherr"]
-
-    - name: Hifadih Business & Technology
-      url: https://hifadih.net/en
-      logo: hifadih.png
-      contributors: ["@saintLaurent00"]
-
-    # Logo approved by @anmol-hpe on behalf of HPE
-    - name: HPE
-      url: https://www.hpe.com/in/en/home.html
-      logo: hpe.png
-      contributors: ["@anmol-hpe"]
-
-    - name: Hydrolix
-      url: https://www.hydrolix.io/
-
-    - name: Intercom
-      url: https://www.intercom.com/
-      contributors: ["@kate-gallo"]
-
-    - name: jampp
-      url: https://jampp.com/
-
-    - name: Konfío
-      url: https://konfio.mx
-      contributors: ["@uis-rodriguez"]
-
-    - name: Mainstrat
-      url: https://mainstrat.com/
-
-    - name: mishmash io
-      url: https://mishmash.io/
-      contributors: ["@mishmash-io"]
-
-    - name: Myra Labs
-      url: https://www.myralabs.com/
-      contributors: ["@viksit"]
-
-    - name: Nielsen
-      url: https://www.nielsen.com/
-      contributors: ["@amitNielsen"]
-
-    - name: Ona
-      url: https://ona.io
-      contributors: ["@pld"]
-
-    - name: Orange
-      url: https://www.orange.com
-      contributors: ["@icsu"]
-
-    - name: Oslandia
-      url: https://oslandia.com
-
-    - name: Oxylabs
-      url: https://oxylabs.io/
-      contributors: ["@rytis-ulys"]
-
-    - name: Peak AI
-      url: https://www.peak.ai/
-      contributors: ["@azhar22k"]
-
-    - name: PeopleDoc
-      url: https://www.people-doc.com
-      contributors: ["@rodo"]
-
-    - name: PlaidCloud
-      url: https://plaidcloud.com
-      logo: plaidcloud.svg
-      contributors: ["@rad-pat"]
-
-    - name: Preset, Inc.
-      url: https://preset.io
-      logo: preset.svg
-      contributors: ["@mistercrunch", "@betodealmeida", "@dpgaspar", "@rusackas", "@sadpandajoe", "@Vitor-Avila", "@kgabryje", "@geido", "@eschutho", "@Antonio-RiveroMartnez", "@yousoph"]
-
-    - name: PubNub
-      url: https://pubnub.com
-      contributors: ["@jzucker2"]
-
-    - name: ReadyTech
-      url: https://www.readytech.io
-
-    - name: Reward Gateway
-      url: https://www.rewardgateway.com
-
-    - name: RIADVICE
-      url: https://riadvice.tn
-      contributors: ["@riadvice"]
-
-    - name: ScopeAI
-      url: https://www.getscopeai.com
-      contributors: ["@iloveluce"]
-
-    - name: shipmnts
-      url: https://shipmnts.com
-
-    - name: Showmax
-      url: https://showmax.com
-      contributors: ["@bobek"]
-
-    - name: SingleStore
-      url: https://www.singlestore.com/
-
-    - name: TechAudit
-      url: https://www.techaudit.info
-      contributors: ["@ETselikov"]
-
-    - name: Tenable
-      url: https://www.tenable.com
-      contributors: ["@dflionis"]
-
-    - name: Tentacle
-      url: https://www.linkedin.com/company/tentacle-cmi/
-      contributors: ["@jdclarke5"]
-
-    - name: timbr.ai
-      url: https://timbr.ai/
-      contributors: ["@semantiDan"]
-
-    - name: Tobii
-      url: https://www.tobii.com/
-      contributors: ["@dwa"]
-
-    - name: Tooploox
-      url: https://www.tooploox.com/
-      contributors: ["@jakubczaplicki"]
-
-    - name: Unvired
-      url: https://unvired.com
-      contributors: ["@srinisubramanian"]
-
-    - name: UserGuiding
-      url: https://userguiding.com/
-      logo: userguiding.svg
-      contributors: ["@tzercin"]
-
-    - name: Virtuoso QA
-      url: https://www.virtuosoqa.com
-
-    - name: Whale
-      url: https://whale.im
-
-    - name: Windsor.ai
-      url: https://www.windsor.ai/
-      contributors: ["@octaviancorlade"]
-
-    - name: WinWin Network马上赢
-      url: https://brandct.cn/
-      contributors: ["@wenbinye"]
-
-    - name: XNET
-      url: https://xnetmobile.com/
-      logo: xnet.png
-      contributors: ["@deuspt"]
-
-    - name: Zeta
-      url: https://www.zeta.tech/
-      contributors: ["@shaikidris"]
-
-  Media & Entertainment:
-    - name: 6play
-      url: https://www.6play.fr
-      contributors: ["@CoryChaplin"]
-
-    - name: bilibili
-      url: https://www.bilibili.com
-      contributors: ["@Moinheart"]
-
-    - name: BurdaForward
-      url: https://www.burda-forward.de/en/
-
-    - name: Douban
-      url: https://www.douban.com/
-      contributors: ["@luchuan"]
-
-    - name: Kuaishou
-      url: https://www.kuaishou.com/
-      contributors: ["@zhaoyu89730105"]
-
-    - name: Netflix
-      url: https://www.netflix.com/
-
-    - name: Prensa Iberica
-      url: https://www.prensaiberica.es/
-      contributors: ["@zamar-roura"]
-
-    - name: TME QQMUSIC/WESING
-      url: https://www.tencentmusic.com/
-      contributors: ["@shenyuanli", "@marklaw"]
-
-    - name: Xite
-      url: https://xite.com/
-      contributors: ["@shashankkoppar"]
-
-    - name: Zaihang
-      url: https://www.zaih.com/
-
-  Education:
-    - name: Aveti Learning
-      url: https://avetilearning.com/
-      contributors: ["@TheShubhendra"]
-
-    - name: Brilliant.org
-      url: https://brilliant.org/
-
-    - name: Cirrus Assessment
-      url: https://cirrusassessment.com/
-      logo: cirrus.svg
-      contributors: ["@jeroenhabets", "@ddmm-white", "@paulrocost"]
-
-    - name: Open edX
-      url: https://openedx.org/
-
-    - name: Platzi.com
-      url: https://platzi.com/
-
-    - name: Sunbird
-      url: https://www.sunbird.org/
-      contributors: ["@eksteporg"]
-
-    - name: The GRAPH Network
-      url: https://thegraphnetwork.org/
-      contributors: ["@fccoelho"]
-
-    - name: Udemy
-      url: https://www.udemy.com/
-      contributors: ["@sungjuly"]
-
-    - name: VIPKID
-      url: https://www.vipkid.com.cn/
-      contributors: ["@illpanda"]
-
-    - name: WikiMedia Foundation
-      url: https://wikimediafoundation.org
-      contributors: ["@vg"]
-
-  Energy:
-    - name: Airboxlab
-      url: https://foobot.io
-      contributors: ["@antoine-galataud"]
-
-    - name: DouroECI
-      url: https://www.douroeci.com/
-      contributors: ["@nunohelibeires"]
-
-    - name: Safaricom
-      url: https://www.safaricom.co.ke/
-      contributors: ["@mmutiso"]
-
-    - name: Scoot
-      url: https://scoot.co/
-      contributors: ["@haaspt"]
-
-    - name: Wattbewerb
-      url: https://wattbewerb.de/
-      contributors: ["@wattbewerb"]
-
-    - name: Rogow
-      url: https://rogow.com.br/
-      contributors: ["@nilmonto"]
-
-  Healthcare:
-    - name: Amino
-      url: https://amino.com
-      contributors: ["@shkr"]
-
-    - name: Bluesquare
-      url: https://www.bluesquarehub.com/
-      contributors: ["@madewulf"]
-
-    - name: Care
-      url: https://www.getcare.io/
-      contributors: ["@alandao2021"]
-
-    - name: Living Goods
-      url: https://www.livinggoods.org
-      contributors: ["@chelule"]
-
-    - name: Maieutical Labs
-      url: https://maieuticallabs.it
-      contributors: ["@xrmx"]
-
-    - name: Medic
-      url: https://medic.org
-      contributors: ["@1yuv"]
-
-    - name: REDCap Cloud
-      url: https://www.redcapcloud.com/
-
-    - name: TrustMedis
-      url: https://trustmedis.com/
-      contributors: ["@famasya"]
-
-    - name: WeSure
-      url: https://www.wesure.cn/
-
-    - name: 2070Health
-      url: https://2070health.com/
-
-  HR / Staffing:
-    - name: Swile
-      url: https://www.swile.co/
-      contributors: ["@PaoloTerzi"]
-
-    - name: Symmetrics
-      url: https://www.symmetrics.fyi
-
-    - name: bluquist
-      url: https://bluquist.com/
-
-  Government:
-    - name: City of Ann Arbor, MI
-      url: https://www.a2gov.org/
-      contributors: ["@sfirke"]
-
-    - name: RIS3 Strategy of CZ, MIT CR
-      url: https://www.ris3.cz/
-      contributors: ["@RIS3CZ"]
-
-    - name: NRLM - Sarathi, India
-      url: https://pib.gov.in/PressReleasePage.aspx?PRID=1999586
-
-  Mobile Software:
-    - name: VLMedia
-      url: https://www.vlmedia.com.tr
-      logo: vlmedia.svg
-      contributors: ["@iercan"]
-
-  Travel:
-    - name: Agoda
-      url: https://www.agoda.com/
-      contributors: ["@lostseaway", "@maiake", "@obombayo"]
-
-    - name: HomeToGo
-      url: https://hometogo.com/
-      contributors: ["@pedromartinsteenstrup"]
-
-    - name: Skyscanner
-      url: https://www.skyscanner.net/
-      contributors: ["@cleslie", "@stanhoucke"]
-
-  Logistics:
-    - name: Stockarea
-      url: https://stockarea.io
-
-    - name: VTG
-      url: https://www.vtg.de
-
-  Sports:
-    - name: Club 25 de Agosto (Femenino / Women's Team)
-      url: https://www.instagram.com/25deagosto.basketfemenino/
-      contributors: [ "@lion90" ]
-      logo: club25deagosto.svg
-
-    - name: Fanatics
-      url: https://www.fanatics.com/
-      contributors: [ "@coderfender" ]
-
-    - name: komoot
-      url: https://www.komoot.com/
-      contributors: [ "@christophlingg" ]
-
-  Others:
-    - name: 10Web
-      url: https://10web.io/
-
-    - name: AI inside
-      url: https://inside.ai/en/
-
-    - name: Automattic
-      url: https://automattic.com/
-      contributors: ["@Khrol", "@Usiel"]
-
-    - name: Dropbox
-      url: https://www.dropbox.com/
-      contributors: ["@bkyryliuk"]
-
-    - name: Flowbird
-      url: https://flowbird.com
-      contributors: ["@EmmanuelCbd"]
-
-    - name: GEOTAB
-      url: https://www.geotab.com
-      contributors: ["@JZ6"]
-
-    - name: Grassroot
-      url: https://www.grassrootinstitute.org/
-
-    - name: HOLLYLAND猛玛
-      url: https://www.hollyland.com
-      logo: hollyland猛玛.svg
-      contributors: ["@hlyda0601"]
-
-    - name: Increff
-      url: https://www.increff.com/
-      contributors: ["@ishansinghania"]
-
-    - name: Let's Roam
-      url: https://www.letsroam.com/
-
-    - name: Machrent SA
-      url: https://www.machrent.com/
-
-    - name: Onebeat
-      url: https://1beat.com/
-      contributors: ["@GuyAttia"]
-
-    - name: X
-      url: https://x.com/
-
-    - name: Yahoo!
-      url: https://yahoo.com/

RESOURCES/STANDARD_ROLES.md

@@ -17,193 +17,192 @@ specific language governing permissions and limitations
 under the License.
 -->
 
-|                                                  |Admin|Alpha|Gamma|Public|SQL_LAB|
-|--------------------------------------------------|---|---|---|---|---|
-| Permission/role description                      |Admins have all possible rights, including granting or revoking rights from other users and altering other people's slices and dashboards.|Alpha users have access to all data sources, but they cannot grant or revoke access from other users. They are also limited to altering the objects that they own. Alpha users can add and alter data sources.|Gamma users have limited access. They can only consume data coming from data sources they have been given access to through another complementary role. They only have access to view the slices and dashboards made from data sources that they have access to. Currently Gamma users are not able to alter or add data sources. We assume that they are mostly content consumers, though they can create slices and dashboards.|Public is the most restrictive built-in role, designed for anonymous/unauthenticated users viewing public dashboards. It provides minimal read-only access for dashboard viewing with interactive filters. Use `PUBLIC_ROLE_LIKE = "Public"` to apply these permissions to anonymous users.|The sql_lab role grants access to SQL Lab. Note that while Admin users have access to all databases by default, both Alpha and Gamma users need to be given access on a per database basis.||
-| can read on SavedQuery                           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
-| can write on SavedQuery                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
-| can read on CssTemplate                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can write on CssTemplate                         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can read on ReportSchedule                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can write on ReportSchedule                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can read on Chart                                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can write on Chart                               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can read on Annotation                           |:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|O|
-| can write on Annotation                          |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
-| can read on AnnotationLayerRestApi               |:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|O|
-| can read on Dataset                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can write on Dataset                             |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
-| can read on Log                                  |:heavy_check_mark:|O|O|O|O|
-| can write on Log                                 |:heavy_check_mark:|O|O|O|O|
-| can read on Dashboard                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can write on Dashboard                           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can read on Database                             |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
-| can write on Database                            |:heavy_check_mark:|O|O|O|O|
-| can read on Query                                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
-| can this form get on ResetPasswordView           |:heavy_check_mark:|O|O|O|O|
-| can this form post on ResetPasswordView          |:heavy_check_mark:|O|O|O|O|
-| can this form get on ResetMyPasswordView         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can this form post on ResetMyPasswordView        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can this form get on UserInfoEditView            |:heavy_check_mark:|O|O|O|O|
-| can this form post on UserInfoEditView           |:heavy_check_mark:|O|O|O|O|
-| can show on UserDBModelView                      |:heavy_check_mark:|O|O|O|O|
-| can edit on UserDBModelView                      |:heavy_check_mark:|O|O|O|O|
-| can delete on UserDBModelView                    |:heavy_check_mark:|O|O|O|O|
-| can add on UserDBModelView                       |:heavy_check_mark:|O|O|O|O|
-| can list on UserDBModelView                      |:heavy_check_mark:|O|O|O|O|
-| can userinfo on UserDBModelView                  |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| resetmypassword on UserDBModelView               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| resetpasswords on UserDBModelView                |:heavy_check_mark:|O|O|O|O|
-| userinfoedit on UserDBModelView                  |:heavy_check_mark:|O|O|O|O|
-| can show on RoleModelView                        |:heavy_check_mark:|O|O|O|O|
-| can edit on RoleModelView                        |:heavy_check_mark:|O|O|O|O|
-| can delete on RoleModelView                      |:heavy_check_mark:|O|O|O|O|
-| can add on RoleModelView                         |:heavy_check_mark:|O|O|O|O|
-| can list on RoleModelView                        |:heavy_check_mark:|O|O|O|O|
-| copyrole on RoleModelView                        |:heavy_check_mark:|O|O|O|O|
-| can get on OpenApi                               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can show on SwaggerView                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can get on MenuApi                               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can list on AsyncEventsRestApi                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can invalidate on CacheRestApi                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can csv upload on Database                       |:heavy_check_mark:|O|O|O|O|
-| can excel upload on Database                     |:heavy_check_mark:|O|O|O|O|
-| can query form data on Api                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can query on Api                                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can time range on Api                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can external metadata on Datasource              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can save on Datasource                           |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
-| can get on Datasource                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can my queries on SqlLab                         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
-| can log on Superset                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can import dashboards on Superset                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can schemas on Superset                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can sqllab history on Superset                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
-| can publish on Superset                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can csv on Superset                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
-| can slice on Superset                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can sync druid source on Superset                |:heavy_check_mark:|O|O|O|O|
-| can explore on Superset                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can approve on Superset                          |:heavy_check_mark:|O|O|O|O|
-| can explore json on Superset                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can fetch datasource metadata on Superset        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can csrf token on Superset                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can sqllab on Superset                           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
-| can select star on Superset                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can warm up cache on Superset                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can sqllab table viz on Superset                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
-| can available domains on Superset                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can request access on Superset                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can dashboard on Superset                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can post on TableSchemaView                      |:heavy_check_mark:|O|O|O|:heavy_check_mark:|
-| can expanded on TableSchemaView                  |:heavy_check_mark:|O|O|O|:heavy_check_mark:|
-| can delete on TableSchemaView                    |:heavy_check_mark:|O|O|O|:heavy_check_mark:|
-| can get on TabStateView                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
-| can post on TabStateView                         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
-| can delete query on TabStateView                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
-| can migrate query on TabStateView                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
-| can activate on TabStateView                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
-| can delete on TabStateView                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
-| can put on TabStateView                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
-| can read on SecurityRestApi                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
-| menu access on Security                          |:heavy_check_mark:|O|O|O|O|
-| menu access on List Users                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| menu access on List Roles                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| menu access on Action Log                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| menu access on Manage                            |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
-| menu access on Annotation Layers                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| menu access on CSS Templates                     |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
-| menu access on Import Dashboards                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| menu access on Data                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| menu access on Databases                         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| menu access on Datasets                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| menu access on Charts                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| menu access on Dashboards                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| menu access on SQL Lab                           |:heavy_check_mark:|O|O|O|:heavy_check_mark:|
-| menu access on SQL Editor                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
-| menu access on Saved Queries                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
-| menu access on Query Search                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
-| all datasource access on all_datasource_access   |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
-| all database access on all_database_access       |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
-| all query access on all_query_access             |:heavy_check_mark:|O|O|O|O|
-| can write on DynamicPlugin                       |:heavy_check_mark:|O|O|O|O|
-| can edit on DynamicPlugin                        |:heavy_check_mark:|O|O|O|O|
-| can list on DynamicPlugin                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can show on DynamicPlugin                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can download on DynamicPlugin                    |:heavy_check_mark:|O|O|O|O|
-| can add on DynamicPlugin                         |:heavy_check_mark:|O|O|O|O|
-| can delete on DynamicPlugin                      |:heavy_check_mark:|O|O|O|O|
-| can external metadata by name on Datasource      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can get value on KV                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can store on KV                                  |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can tagged objects on TagView                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can suggestions on TagView                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can get on TagView                               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can post on TagView                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can delete on TagView                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can edit on DashboardEmailScheduleView           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can list on DashboardEmailScheduleView           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can show on DashboardEmailScheduleView           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can add on DashboardEmailScheduleView            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can delete on DashboardEmailScheduleView         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| muldelete on DashboardEmailScheduleView          |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
-| can edit on SliceEmailScheduleView               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can list on SliceEmailScheduleView               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can show on SliceEmailScheduleView               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can add on SliceEmailScheduleView                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can delete on SliceEmailScheduleView             |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| muldelete on SliceEmailScheduleView              |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
-| can edit on AlertModelView                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can list on AlertModelView                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can show on AlertModelView                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can add on AlertModelView                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can delete on AlertModelView                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can list on AlertLogModelView                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can show on AlertLogModelView                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can list on AlertObservationModelView            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can show on AlertObservationModelView            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| menu access on Row Level Security                |:heavy_check_mark:|O|O|O|O|
-| menu access on Access requests                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| menu access on Home                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| menu access on Plugins                           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| menu access on Dashboard Email Schedules         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| menu access on Chart Emails                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| menu access on Alerts                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| menu access on Alerts & Report                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| menu access on Scan New Datasources              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can share dashboard on Superset                  |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can share chart on Superset                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can this form get on ColumnarToDatabaseView      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can this form post on ColumnarToDatabaseView     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can export on Chart                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can write on DashboardFilterStateRestApi         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can read on DashboardFilterStateRestApi          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can write on DashboardPermalinkRestApi           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can read on DashboardPermalinkRestApi            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can delete embedded on Dashboard                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can set embedded on Dashboard                    |:heavy_check_mark:|O|O|O|O|
-| can export on Dashboard                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can get embedded on Dashboard                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can export on Database                           |:heavy_check_mark:|O|O|O|O|
-| can export on Dataset                            |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
-| can write on ExploreFormDataRestApi              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can read on ExploreFormDataRestApi               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can write on ExplorePermalinkRestApi             |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can read on ExplorePermalinkRestApi              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can export on ImportExportRestApi                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can import on ImportExportRestApi                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can export on SavedQuery                         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
-| can dashboard permalink on Superset              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can grant guest token on SecurityRestApi         |:heavy_check_mark:|O|O|O|O|
-| can read on AdvancedDataType                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can read on EmbeddedDashboard                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can duplicate on Dataset                         |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
-| can read on Explore                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can samples on Datasource                        |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
-| can read on AvailableDomains                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can get or create dataset on Dataset             |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
-| can get column values on Datasource              |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
-| can export csv on SQLLab                         |:heavy_check_mark:|O|O|O|:heavy_check_mark:|
-| can get results on SQLLab                        |:heavy_check_mark:|O|O|O|:heavy_check_mark:|
-| can execute sql query on SQLLab                  |:heavy_check_mark:|O|O|O|:heavy_check_mark:|
-| can recent activity on Log                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+|                                                  |Admin|Alpha|Gamma|SQL_LAB|
+|--------------------------------------------------|---|---|---|---|
+| Permission/role description                      |Admins have all possible rights, including granting or revoking rights from other users and altering other people’s slices and dashboards.|Alpha users have access to all data sources, but they cannot grant or revoke access from other users. They are also limited to altering the objects that they own. Alpha users can add and alter data sources.|Gamma users have limited access. They can only consume data coming from data sources they have been given access to through another complementary role. They only have access to view the slices and dashboards made from data sources that they have access to. Currently Gamma users are not able to alter or add data sources. We assume that they are mostly content consumers, though they can create slices and dashboards.|The sql_lab role grants access to SQL Lab. Note that while Admin users have access to all databases by default, both Alpha and Gamma users need to be given access on a per database basis.||
+| can read on SavedQuery                           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
+| can write on SavedQuery                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
+| can read on CssTemplate                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can write on CssTemplate                         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can read on ReportSchedule                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can write on ReportSchedule                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can read on Chart                                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can write on Chart                               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can read on Annotation                           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can write on Annotation                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can read on Dataset                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can write on Dataset                             |:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can read on Log                                  |:heavy_check_mark:|O|O|O|
+| can write on Log                                 |:heavy_check_mark:|O|O|O|
+| can read on Dashboard                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can write on Dashboard                           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can read on Database                             |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
+| can write on Database                            |:heavy_check_mark:|O|O|O|
+| can read on Query                                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
+| can this form get on ResetPasswordView           |:heavy_check_mark:|O|O|O|
+| can this form post on ResetPasswordView          |:heavy_check_mark:|O|O|O|
+| can this form get on ResetMyPasswordView         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can this form post on ResetMyPasswordView        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can this form get on UserInfoEditView            |:heavy_check_mark:|O|O|O|
+| can this form post on UserInfoEditView           |:heavy_check_mark:|O|O|O|
+| can show on UserDBModelView                      |:heavy_check_mark:|O|O|O|
+| can edit on UserDBModelView                      |:heavy_check_mark:|O|O|O|
+| can delete on UserDBModelView                    |:heavy_check_mark:|O|O|O|
+| can add on UserDBModelView                       |:heavy_check_mark:|O|O|O|
+| can list on UserDBModelView                      |:heavy_check_mark:|O|O|O|
+| can userinfo on UserDBModelView                  |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| resetmypassword on UserDBModelView               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| resetpasswords on UserDBModelView                |:heavy_check_mark:|O|O|O|
+| userinfoedit on UserDBModelView                  |:heavy_check_mark:|O|O|O|
+| can show on RoleModelView                        |:heavy_check_mark:|O|O|O|
+| can edit on RoleModelView                        |:heavy_check_mark:|O|O|O|
+| can delete on RoleModelView                      |:heavy_check_mark:|O|O|O|
+| can add on RoleModelView                         |:heavy_check_mark:|O|O|O|
+| can list on RoleModelView                        |:heavy_check_mark:|O|O|O|
+| copyrole on RoleModelView                        |:heavy_check_mark:|O|O|O|
+| can get on OpenApi                               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can show on SwaggerView                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can get on MenuApi                               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can list on AsyncEventsRestApi                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can invalidate on CacheRestApi                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can csv upload on Database                       |:heavy_check_mark:|O|O|O|
+| can excel upload on Database                     |:heavy_check_mark:|O|O|O|
+| can query form data on Api                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can query on Api                                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can time range on Api                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can external metadata on Datasource              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can save on Datasource                           |:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can get on Datasource                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can my queries on SqlLab                         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
+| can log on Superset                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can import dashboards on Superset                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can schemas on Superset                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can sqllab history on Superset                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
+| can publish on Superset                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can csv on Superset                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
+| can slice on Superset                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can sync druid source on Superset                |:heavy_check_mark:|O|O|O|
+| can explore on Superset                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can approve on Superset                          |:heavy_check_mark:|O|O|O|
+| can explore json on Superset                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can fetch datasource metadata on Superset        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can csrf token on Superset                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can sqllab on Superset                           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
+| can select star on Superset                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can warm up cache on Superset                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can sqllab table viz on Superset                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
+| can available domains on Superset                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can request access on Superset                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can dashboard on Superset                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can post on TableSchemaView                      |:heavy_check_mark:|O|O|:heavy_check_mark:|
+| can expanded on TableSchemaView                  |:heavy_check_mark:|O|O|:heavy_check_mark:|
+| can delete on TableSchemaView                    |:heavy_check_mark:|O|O|:heavy_check_mark:|
+| can get on TabStateView                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
+| can post on TabStateView                         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
+| can delete query on TabStateView                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
+| can migrate query on TabStateView                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
+| can activate on TabStateView                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
+| can delete on TabStateView                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
+| can put on TabStateView                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
+| can read on SecurityRestApi                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
+| menu access on Security                          |:heavy_check_mark:|O|O|O|
+| menu access on List Users                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| menu access on List Roles                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| menu access on Action Log                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| menu access on Manage                            |:heavy_check_mark:|:heavy_check_mark:|O|O|
+| menu access on Annotation Layers                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| menu access on CSS Templates                     |:heavy_check_mark:|:heavy_check_mark:|O|O|
+| menu access on Import Dashboards                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| menu access on Data                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| menu access on Databases                         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| menu access on Datasets                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| menu access on Charts                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| menu access on Dashboards                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| menu access on SQL Lab                           |:heavy_check_mark:|O|O|:heavy_check_mark:|
+| menu access on SQL Editor                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
+| menu access on Saved Queries                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
+| menu access on Query Search                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
+| all datasource access on all_datasource_access   |:heavy_check_mark:|:heavy_check_mark:|O|O|
+| all database access on all_database_access       |:heavy_check_mark:|:heavy_check_mark:|O|O|
+| all query access on all_query_access             |:heavy_check_mark:|O|O|O|
+| can write on DynamicPlugin                       |:heavy_check_mark:|O|O|O|
+| can edit on DynamicPlugin                        |:heavy_check_mark:|O|O|O|
+| can list on DynamicPlugin                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can show on DynamicPlugin                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can download on DynamicPlugin                    |:heavy_check_mark:|O|O|O|
+| can add on DynamicPlugin                         |:heavy_check_mark:|O|O|O|
+| can delete on DynamicPlugin                      |:heavy_check_mark:|O|O|O|
+| can external metadata by name on Datasource      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can get value on KV                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can store on KV                                  |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can tagged objects on TagView                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can suggestions on TagView                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can get on TagView                               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can post on TagView                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can delete on TagView                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can edit on DashboardEmailScheduleView           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can list on DashboardEmailScheduleView           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can show on DashboardEmailScheduleView           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can add on DashboardEmailScheduleView            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can delete on DashboardEmailScheduleView         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| muldelete on DashboardEmailScheduleView          |:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can edit on SliceEmailScheduleView               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can list on SliceEmailScheduleView               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can show on SliceEmailScheduleView               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can add on SliceEmailScheduleView                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can delete on SliceEmailScheduleView             |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| muldelete on SliceEmailScheduleView              |:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can edit on AlertModelView                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can list on AlertModelView                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can show on AlertModelView                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can add on AlertModelView                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can delete on AlertModelView                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can list on AlertLogModelView                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can show on AlertLogModelView                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can list on AlertObservationModelView            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can show on AlertObservationModelView            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| menu access on Row Level Security                |:heavy_check_mark:|O|O|O|
+| menu access on Access requests                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| menu access on Home                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| menu access on Plugins                           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| menu access on Dashboard Email Schedules         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| menu access on Chart Emails                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| menu access on Alerts                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| menu access on Alerts & Report                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| menu access on Scan New Datasources              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can share dashboard on Superset                  |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can share chart on Superset                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can this form get on ColumnarToDatabaseView      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can this form post on ColumnarToDatabaseView     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can export on Chart                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can write on DashboardFilterStateRestApi         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can read on DashboardFilterStateRestApi          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can write on DashboardPermalinkRestApi           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can read on DashboardPermalinkRestApi            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can delete embedded on Dashboard                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can set embedded on Dashboard                    |:heavy_check_mark:|O|O|O|
+| can export on Dashboard                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can get embedded on Dashboard                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can export on Database                           |:heavy_check_mark:|O|O|O|
+| can export on Dataset                            |:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can write on ExploreFormDataRestApi              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can read on ExploreFormDataRestApi               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can write on ExplorePermalinkRestApi             |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can read on ExplorePermalinkRestApi              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can export on ImportExportRestApi                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can import on ImportExportRestApi                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can export on SavedQuery                         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
+| can dashboard permalink on Superset              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can grant guest token on SecurityRestApi         |:heavy_check_mark:|O|O|O|
+| can read on AdvancedDataType                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can read on EmbeddedDashboard                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can duplicate on Dataset                         |:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can read on Explore                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can samples on Datasource                        |:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can read on AvailableDomains                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can get or create dataset on Dataset             |:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can get column values on Datasource              |:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can export csv on SQLLab                         |:heavy_check_mark:|O|O|:heavy_check_mark:|
+| can get results on SQLLab                        |:heavy_check_mark:|O|O|:heavy_check_mark:|
+| can execute sql query on SQLLab                  |:heavy_check_mark:|O|O|:heavy_check_mark:|
+| can recent activity on Log                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|

UPDATING.md

@@ -24,147 +24,6 @@ assists people when migrating to a new version.
 
 ## Next
 
-### Granular Export Controls
-
-A new feature flag `GRANULAR_EXPORT_CONTROLS` introduces three fine-grained permissions that replace the legacy `can_csv` permission:
-
-| Permission | Controls |
-|---|---|
-| `can_export_data` | CSV, Excel, JSON exports |
-| `can_export_image` | Screenshot/PDF exports |
-| `can_copy_clipboard` | Copy-to-clipboard operations |
-
-When the feature flag is enabled, these permissions are enforced on both the frontend (disabled buttons with tooltips) and backend (403 responses from API endpoints). When disabled, legacy `can_csv` behavior is preserved.
-
-**Migration behavior:** All three new permissions are granted to every role that currently has `can_csv`, preserving existing access. Admins can then selectively revoke individual export permissions from specific roles as needed.
-
-### Deck.gl MapBox viewport and opacity controls are functional
-
-The Deck.gl MapBox chart's **Opacity**, **Default longitude**, **Default latitude**, and **Zoom** controls were previously non-functional — changing them had no effect on the rendered map. These controls are now wired up correctly.
-
-**Behavior change for existing charts:** Previously, the viewport controls had hard-coded default values (`-122.405293`, `37.772123`, zoom `11` — San Francisco) that were stored in each chart's `form_data` but never applied. The map always used `fitBounds` to center on the data. With this fix, those stored values are now respected, which means existing MapBox charts may open centered on the old default coordinates instead of fitting to data bounds.
-
-**To restore fit-to-data behavior:** Open the chart in Explore, clear the **Default longitude**, **Default latitude**, and **Zoom** fields in the Viewport section, and re-save the chart.
-
-### Combined datasource list endpoint
-
-Added a new combined datasource list endpoint at `GET /api/v1/datasource/` to serve datasets and semantic views in one response.
-
-- The endpoint is available to users with at least one of `can_read` on `Dataset` or `SemanticView`.
-- Semantic views are included only when the `SEMANTIC_LAYERS` feature flag is enabled.
-- The endpoint enforces strict `order_column` validation and returns `400` for invalid sort columns.
-### ClickHouse minimum driver version bump
-
-The minimum required version of `clickhouse-connect` has been raised to `>=0.13.0`. If you are using the ClickHouse connector, please upgrade your `clickhouse-connect` package. The `_mutate_label` workaround that appended hash suffixes to column aliases has also been removed, as it is no longer needed with modern versions of the driver.
-
-### MCP Tool Observability
-
-MCP (Model Context Protocol) tools now include enhanced observability instrumentation for monitoring and debugging:
-
-**Two-layer instrumentation:**
-1. **Middleware layer** (`LoggingMiddleware`): Automatically logs all MCP tool calls with `duration_ms` and `success` status in the audit log (Action Log UI, logs table)
-2. **Sub-operation tracking**: All 19 MCP tools include granular `event_logger.log_context()` blocks for tracking individual operations like validation, database writes, and query execution
-
-**Action naming convention:**
-- Tool-level logs: `mcp_tool_call` (via middleware)
-- Sub-operation logs: `mcp.{tool_name}.{operation}` (e.g., `mcp.generate_chart.validation`, `mcp.execute_sql.query_execution`)
-
-**Querying MCP logs:**
-```sql
--- Top slowest MCP operations
-SELECT action, COUNT(*) as calls, AVG(duration_ms) as avg_ms
-FROM logs
-WHERE action LIKE 'mcp.%'
-GROUP BY action
-ORDER BY avg_ms DESC
-LIMIT 20;
-
--- MCP tool success rate
-SELECT
-    json_extract(curated_payload, '$.tool') as tool,
-    COUNT(*) as total_calls,
-    SUM(CASE WHEN json_extract(curated_payload, '$.success') = 'true' THEN 1 ELSE 0 END) as successful,
-    ROUND(100.0 * SUM(CASE WHEN json_extract(curated_payload, '$.success') = 'true' THEN 1 ELSE 0 END) / COUNT(*), 2) as success_rate
-FROM logs
-WHERE action = 'mcp_tool_call'
-GROUP BY tool
-ORDER BY total_calls DESC;
-```
-
-**Security note:** Sensitive parameters (passwords, API keys, tokens) are automatically redacted in logs as `[REDACTED]`.
-
-### Distributed Coordination Backend
-
-A new `DISTRIBUTED_COORDINATION_CONFIG` configuration provides a unified Redis-based backend for real-time coordination features in Superset. This backend enables:
-
-- **Pub/sub messaging** for real-time event notifications between workers
-- **Atomic distributed locking** using Redis SET NX EX (more performant than database-backed locks)
-- **Event-based coordination** for background task management
-
-The distributed coordination is used by the Global Task Framework (GTF) for abort notifications and task completion signaling, and will eventually replace `GLOBAL_ASYNC_QUERIES_CACHE_BACKEND` as the standard signaling backend. Configuring this is recommended for Redis enabled production deployments.
-
-Example configuration in `superset_config.py`:
-```python
-DISTRIBUTED_COORDINATION_CONFIG = {
-    "CACHE_TYPE": "RedisCache",
-    "CACHE_KEY_PREFIX": "signal_",
-    "CACHE_REDIS_URL": "redis://localhost:6379/1",
-    "CACHE_DEFAULT_TIMEOUT": 300,
-}
-```
-
-See `superset/config.py` for complete configuration options.
-
-### WebSocket config for GAQ with Docker
-
-[35896](https://github.com/apache/superset/pull/35896) and [37624](https://github.com/apache/superset/pull/37624) updated documentation on how to run and configure Superset with Docker. Specifically for the WebSocket configuration, a new `docker/superset-websocket/config.example.json` was added to the repo, so that users could copy it to create a `docker/superset-websocket/config.json` file. The existing `docker/superset-websocket/config.json` was removed and git-ignored, so if you're using GAQ / WebSocket make sure to:
-- Stash/backup your existing `config.json` file, to re-apply it after (will get git-ignored going forward)
-- Update the `volumes` configuration for the `superset-websocket` service in your `docker-compose.override.yml` file, to include the `docker/superset-websocket/config.json` file. For example:
-``` yaml
-services:
-  superset-websocket:
-    volumes:
-      - ./superset-websocket:/home/superset-websocket
-      - /home/superset-websocket/node_modules
-      - /home/superset-websocket/dist
-      - ./docker/superset-websocket/config.json:/home/superset-websocket/config.json:ro
-```
-
-### Example Data Loading Improvements
-
-#### New Directory Structure
-Examples are now organized by name with data and configs co-located:
-```
-superset/examples/
-├── _shared/              # Shared database & metadata configs
-├── birth_names/          # Each example is self-contained
-│   ├── data.parquet     # Dataset (Parquet format)
-│   ├── dataset.yaml     # Dataset metadata
-│   ├── dashboard.yaml   # Dashboard config (optional)
-│   └── charts/          # Chart configs (optional)
-└── ...
-```
-
-#### Simplified Parquet-based Loading
-- Auto-discovery: create `superset/examples/my_dataset/data.parquet` to add a new example
-- Parquet is an Apache project format: compressed (~27% smaller), self-describing schema
-- YAML configs define datasets, charts, and dashboards declaratively
-- Removed Python-based data generation from individual example files
-
-#### Test Data Reorganization
-- Moved `big_data.py` to `superset/cli/test_loaders.py` - better reflects its purpose as a test utility
-- Fixed inverted logic for `--load-test-data` flag (now correctly includes .test.yaml files when flag is set)
-- Clarified CLI flags:
-  - `--force` / `-f`: Force reload even if tables exist
-  - `--only-metadata` / `-m`: Create table metadata without loading data
-  - `--load-test-data` / `-t`: Include test dashboards and .test.yaml configs
-  - `--load-big-data` / `-b`: Generate synthetic stress-test data
-
-#### Bug Fixes
-- Fixed numpy array serialization for PostgreSQL (converts complex types to JSON strings)
-- Fixed KeyError for `allow_csv_upload` field in database configs (now optional with default)
-- Fixed test data loading logic that was incorrectly filtering files
-
 ### MCP Service
 
 The MCP (Model Context Protocol) service enables AI assistants and automation tools to interact programmatically with Superset.
@@ -265,53 +124,8 @@ See `superset/mcp_service/PRODUCTION.md` for deployment guides.
 
 ---
 
-- [35621](https://github.com/apache/superset/pull/35621): The default hash algorithm has changed from MD5 to SHA-256 for improved security and FedRAMP compliance. This affects cache keys for thumbnails, dashboard digests, chart digests, and filter option names. Existing cached data will be invalidated upon upgrade. To opt out of this change and maintain backward compatibility, set `HASH_ALGORITHM = "md5"` in your `superset_config.py`.
-- [35062](https://github.com/apache/superset/pull/35062): Changed the function signature of `setupExtensions` to `setupCodeOverrides` with options as arguments.
-
-### Breaking Changes
-- [37370](https://github.com/apache/superset/pull/37370): The `APP_NAME` configuration variable no longer controls the browser window/tab title or other frontend branding. Application names should now be configured using the theme system with the `brandAppName` token. The `APP_NAME` config is still used for backend contexts (MCP service, logs, etc.) and serves as a fallback if `brandAppName` is not set.
-  - **Migration:**
-  ```python
-  # Before (Superset 5.x)
-  APP_NAME = "My Custom App"
-
-  # After (Superset 6.x) - Option 1: Use theme system (recommended)
-  THEME_DEFAULT = {
-    "token": {
-      "brandAppName": "My Custom App",  # Window titles
-      "brandLogoAlt": "My Custom App",  # Logo alt text
-      "brandLogoUrl": "/static/assets/images/custom_logo.png"
-    }
-  }
-
-  # After (Superset 6.x) - Option 2: Temporary fallback
-  # Keep APP_NAME for now (will be used as fallback for brandAppName)
-  APP_NAME = "My Custom App"
-  # But you should migrate to THEME_DEFAULT.token.brandAppName
-  ```
-  - **Note:** For dark mode, set the same tokens in `THEME_DARK` configuration.
-
-- [36317](https://github.com/apache/superset/pull/36317): The `CUSTOM_FONT_URLS` configuration option has been removed. Use the new per-theme `fontUrls` token in `THEME_DEFAULT` or database-managed themes instead.
-  - **Before:**
-  ```python
-  CUSTOM_FONT_URLS = [
-    "https://fonts.example.com/myfont.css",
-  ]
-  ```
-  - **After:**
-  ```python
-  THEME_DEFAULT = {
-    "token": {
-      "fontUrls": [
-        "https://fonts.example.com/myfont.css",
-        ],
-        # ... other tokens
-    }
-  }
-  ```
-
-## 6.0.0
 - [33055](https://github.com/apache/superset/pull/33055): Upgrades Flask-AppBuilder to 5.0.0. The AUTH_OID authentication type has been deprecated and is no longer available as an option in Flask-AppBuilder. OpenID (OID) is considered a deprecated authentication protocol - if you are using AUTH_OID, you will need to migrate to an alternative authentication method such as OAuth, LDAP, or database authentication before upgrading.
+- [35062](https://github.com/apache/superset/pull/35062): Changed the function signature of `setupExtensions` to `setupCodeOverrides` with options as arguments.
 - [34871](https://github.com/apache/superset/pull/34871): Fixed Jest test hanging issue from Ant Design v5 upgrade. MessageChannel is now mocked in test environment to prevent rc-overflow from causing Jest to hang. Test environment only - no production impact.
 - [34782](https://github.com/apache/superset/pull/34782): Dataset exports now include the dataset ID in their file name (similar to charts and dashboards). If managing assets as code, make sure to rename existing dataset YAMLs to include the ID (and avoid duplicated files).
 - [34536](https://github.com/apache/superset/pull/34536): The `ENVIRONMENT_TAG_CONFIG` color values have changed to support only Ant Design semantic colors. Update your `superset_config.py`:
@@ -329,13 +143,13 @@ Note: Pillow is now a required dependency (previously optional) to support image
   There's a migration added that can potentially affect a significant number of existing charts.
 - [32317](https://github.com/apache/superset/pull/32317) The horizontal filter bar feature is now out of testing/beta development and its feature flag `HORIZONTAL_FILTER_BAR` has been removed.
 - [31590](https://github.com/apache/superset/pull/31590) Marks the beginning of intricate work around supporting dynamic Theming, and breaks support for [THEME_OVERRIDES](https://github.com/apache/superset/blob/732de4ac7fae88e29b7f123b6cbb2d7cd411b0e4/superset/config.py#L671) in favor of a new theming system based on AntD V5. Likely this will be in disrepair until settling over the 5.x lifecycle.
-- [32432](https://github.com/apache/superset/pull/32432) Moves the List Roles FAB view to the frontend and requires `FAB_ADD_SECURITY_API` to be enabled in the configuration and `superset init` to be executed.
+- [32432](https://github.com/apache/superset/pull/31260) Moves the List Roles FAB view to the frontend and requires `FAB_ADD_SECURITY_API` to be enabled in the configuration and `superset init` to be executed.
 - [34319](https://github.com/apache/superset/pull/34319) Drill to Detail and Drill By is now supported in Embedded mode, and also with the `DASHBOARD_RBAC` FF. If you don't want to expose these features in Embedded / `DASHBOARD_RBAC`, make sure the roles used for Embedded / `DASHBOARD_RBAC`don't have the required permissions to perform D2D actions.
 
 ## 5.0.0
 
 - [31976](https://github.com/apache/superset/pull/31976) Removed the `DISABLE_LEGACY_DATASOURCE_EDITOR` feature flag. The previous value of the feature flag was `True` and now the feature is permanently removed.
-- [32000](https://github.com/apache/superset/pull/32000) Removes CSV_UPLOAD_MAX_SIZE config, use your web server to control file upload size.
+- [31959](https://github.com/apache/superset/pull/32000) Removes CSV_UPLOAD_MAX_SIZE config, use your web server to control file upload size.
 - [31959](https://github.com/apache/superset/pull/31959) Removes the following endpoints from data uploads: `/api/v1/database/<id>/<file type>_upload` and `/api/v1/database/<file type>_metadata`, in favour of new one (Details on the PR). And simplifies permissions.
 - [31844](https://github.com/apache/superset/pull/31844) The `ALERT_REPORTS_EXECUTE_AS` and `THUMBNAILS_EXECUTE_AS` config parameters have been renamed to `ALERT_REPORTS_EXECUTORS` and `THUMBNAILS_EXECUTORS` respectively. A new config flag `CACHE_WARMUP_EXECUTORS` has also been introduced to be able to control which user is used to execute cache warmup tasks. Finally, the config flag `THUMBNAILS_SELENIUM_USER` has been removed. To use a fixed executor for async tasks, use the new `FixedExecutor` class. See the config and docs for more info on setting up different executor profiles.
 - [31894](https://github.com/apache/superset/pull/31894) Domain sharding is deprecated in favor of HTTP2. The `SUPERSET_WEBSERVER_DOMAINS` configuration will be removed in the next major version (6.0)
@@ -343,7 +157,7 @@ Note: Pillow is now a required dependency (previously optional) to support image
 - [31774](https://github.com/apache/superset/pull/31774): Fixes the spelling of the `USE-ANALAGOUS-COLORS` feature flag. Please update any scripts/configuration item to use the new/corrected `USE-ANALOGOUS-COLORS` flag spelling.
 - [31582](https://github.com/apache/superset/pull/31582) Removed the legacy Area, Bar, Event Flow, Heatmap, Histogram, Line, Sankey, and Sankey Loop charts. They were all automatically migrated to their ECharts counterparts with the exception of the Event Flow and Sankey Loop charts which were removed as they were not actively maintained and not widely used. If you were using the Event Flow or Sankey Loop charts, you will need to find an alternative solution.
 - [31198](https://github.com/apache/superset/pull/31198) Disallows by default the use of the following ClickHouse functions: "version", "currentDatabase", "hostName".
-- [29798](https://github.com/apache/superset/pull/29798) Since 3.1.0, the initial schedule for an alert or report was mistakenly offset by the specified timezone's relation to UTC. The initial schedule should now begin at the correct time.
+- [29798](https://github.com/apache/superset/pull/29798) Since 3.1.0, the intial schedule for an alert or report was mistakenly offset by the specified timezone's relation to UTC. The initial schedule should now begin at the correct time.
 - [30021](https://github.com/apache/superset/pull/30021) The `dev` layer in our Dockerfile no long includes firefox binaries, only Chromium to reduce bloat/docker-build-time.
 - [30099](https://github.com/apache/superset/pull/30099) Translations are no longer included in the default docker image builds. If your environment requires translations, you'll want to set the docker build arg `BUILD_TRANSLATIONS=true`.
 - [31262](https://github.com/apache/superset/pull/31262) NOTE: deprecated `pylint` in favor of `ruff` as our only python linter. Only affect development workflows positively (not the release itself). It should cover most important rules, be much faster, but some things linting rules that were enforced before may not be enforce in the exact same way as before.
@@ -356,7 +170,7 @@ Note: Pillow is now a required dependency (previously optional) to support image
 - [25166](https://github.com/apache/superset/pull/25166) Changed the default configuration of `UPLOAD_FOLDER` from `/app/static/uploads/` to `/static/uploads/`. It also removed the unused `IMG_UPLOAD_FOLDER` and `IMG_UPLOAD_URL` configuration options.
 - [30284](https://github.com/apache/superset/pull/30284) Deprecated GLOBAL_ASYNC_QUERIES_REDIS_CONFIG in favor of the new GLOBAL_ASYNC_QUERIES_CACHE_BACKEND configuration. To leverage Redis Sentinel, set CACHE_TYPE to RedisSentinelCache, or use RedisCache for standalone Redis
 - [31961](https://github.com/apache/superset/pull/31961) Upgraded React from version 16.13.1 to 17.0.2. If you are using custom frontend extensions or plugins, you may need to update them to be compatible with React 17.
-- [31260](https://github.com/apache/superset/pull/31260) Docker images now use `uv pip install` instead of `pip install` to manage the python environment. Most docker-based deployments will be affected, whether you derive one of the published images, or have custom bootstrap script that install python libraries (drivers)
+- [31260](https://github.com/apache/superset/pull/31260) Docker images now use `uv pip install` instead of `pip install` to manage the python envrionment. Most docker-based deployments will be affected, whether you derive one of the published images, or have custom bootstrap script that install python libraries (drivers)
 
 ### Potential Downtime
 
@@ -433,7 +247,7 @@ Note: Pillow is now a required dependency (previously optional) to support image
 - [26462](https://github.com/apache/superset/issues/26462): Removes the Profile feature given that it's not actively maintained and not widely used.
 - [26377](https://github.com/apache/superset/pull/26377): Removes the deprecated Redirect API that supported short URLs used before the permalink feature.
 - [26329](https://github.com/apache/superset/issues/26329): Removes the deprecated `DASHBOARD_NATIVE_FILTERS` feature flag. The previous value of the feature flag was `True` and now the feature is permanently enabled.
-- [25510](https://github.com/apache/superset/pull/25510): Reinforces that any newly defined Python data format (other than epoch) must adhere to the ISO 8601 standard (enforced by way of validation at the API and database level) after a previous relaxation to include slashes in addition to dashes. From now on when specifying new columns, dataset owners will need to use a SQL expression instead to convert their string columns of the form %Y/%m/%d etc. to a `DATE`, `DATETIME`, etc. type.
+- [25510](https://github.com/apache/superset/pull/25510): Reenforces that any newly defined Python data format (other than epoch) must adhere to the ISO 8601 standard (enforced by way of validation at the API and database level) after a previous relaxation to include slashes in addition to dashes. From now on when specifying new columns, dataset owners will need to use a SQL expression instead to convert their string columns of the form %Y/%m/%d etc. to a `DATE`, `DATETIME`, etc. type.
 - [26372](https://github.com/apache/superset/issues/26372): Removes the deprecated `GENERIC_CHART_AXES` feature flag. The previous value of the feature flag was `True` and now the feature is permanently enabled.
 
 ### Potential Downtime

docker-compose-image-tag.yml

@@ -45,7 +45,7 @@ services:
         required: true
       - path: docker/.env-local # optional override
         required: false
-    image: postgres:17
+    image: postgres:16
     container_name: superset_db
     restart: unless-stopped
     volumes:

docker-compose-light.yml

@@ -77,6 +77,7 @@ x-common-build: &common-build
     INCLUDE_CHROMIUM: ${INCLUDE_CHROMIUM:-false}
     INCLUDE_FIREFOX: ${INCLUDE_FIREFOX:-false}
     BUILD_TRANSLATIONS: ${BUILD_TRANSLATIONS:-false}
+    LOAD_EXAMPLES_DUCKDB: ${LOAD_EXAMPLES_DUCKDB:-true}
 
 services:
   db-light:
@@ -85,7 +86,7 @@ services:
         required: true
       - path: docker/.env-local # optional override
         required: false
-    image: postgres:17
+    image: postgres:16
     restart: unless-stopped
     volumes:
       - db_home_light:/var/lib/postgresql/data
@@ -115,10 +116,7 @@ services:
       DATABASE_HOST: db-light
       DATABASE_DB: superset_light
       POSTGRES_DB: superset_light
-      EXAMPLES_HOST: db-light
-      EXAMPLES_DB: superset_light
-      EXAMPLES_USER: superset
-      EXAMPLES_PASSWORD: superset
+      SUPERSET__SQLALCHEMY_EXAMPLES_URI: "duckdb:////app/data/examples.duckdb"
       SUPERSET_CONFIG_PATH: /app/docker/pythonpath_dev/superset_config_docker_light.py
       GITHUB_HEAD_REF: ${GITHUB_HEAD_REF:-}
       GITHUB_SHA: ${GITHUB_SHA:-}
@@ -141,10 +139,7 @@ services:
       DATABASE_HOST: db-light
       DATABASE_DB: superset_light
       POSTGRES_DB: superset_light
-      EXAMPLES_HOST: db-light
-      EXAMPLES_DB: superset_light
-      EXAMPLES_USER: superset
-      EXAMPLES_PASSWORD: superset
+      SUPERSET__SQLALCHEMY_EXAMPLES_URI: "duckdb:////app/data/examples.duckdb"
       SUPERSET_CONFIG_PATH: /app/docker/pythonpath_dev/superset_config_docker_light.py
     healthcheck:
       disable: true
@@ -165,11 +160,10 @@ services:
       BUILD_SUPERSET_FRONTEND_IN_DOCKER: true
       NPM_RUN_PRUNE: false
       SCARF_ANALYTICS: "${SCARF_ANALYTICS:-}"
-      DISABLE_TS_CHECKER: "${DISABLE_TS_CHECKER:-true}"
       # configuring the dev-server to use the host.docker.internal to connect to the backend
       superset: "http://superset-light:8088"
-      # Webpack dev server must bind to 0.0.0.0 to be accessible from outside the container
-      WEBPACK_DEVSERVER_HOST: "${WEBPACK_DEVSERVER_HOST:-0.0.0.0}"
+      # Webpack dev server configuration
+      WEBPACK_DEVSERVER_HOST: "${WEBPACK_DEVSERVER_HOST:-127.0.0.1}"
       WEBPACK_DEVSERVER_PORT: "${WEBPACK_DEVSERVER_PORT:-9000}"
     ports:
       - "${NODE_PORT:-9001}:9000"  # Parameterized port, accessible on all interfaces
@@ -202,6 +196,7 @@ services:
       DATABASE_DB: test
       POSTGRES_DB: test
       SUPERSET__SQLALCHEMY_DATABASE_URI: postgresql+psycopg2://superset:superset@db-light:5432/test
+      SUPERSET__SQLALCHEMY_EXAMPLES_URI: "duckdb:////app/data/examples.duckdb"
       SUPERSET_CONFIG: superset_test_config_light
       PYTHONPATH: /app/pythonpath:/app/docker/pythonpath_dev:/app
 

docker-compose-non-dev.yml

@@ -49,7 +49,7 @@ services:
         required: true
       - path: docker/.env-local # optional override
         required: false
-    image: postgres:17
+    image: postgres:16
     container_name: superset_db
     restart: unless-stopped
     volumes:

docker-compose.yml

@@ -44,6 +44,7 @@ x-common-build: &common-build
     INCLUDE_CHROMIUM: ${INCLUDE_CHROMIUM:-false}
     INCLUDE_FIREFOX: ${INCLUDE_FIREFOX:-false}
     BUILD_TRANSLATIONS: ${BUILD_TRANSLATIONS:-false}
+    LOAD_EXAMPLES_DUCKDB: ${LOAD_EXAMPLES_DUCKDB:-true}
 
 services:
   nginx:
@@ -53,9 +54,10 @@ services:
       - path: docker/.env-local # optional override
         required: false
     image: nginx:latest
+    container_name: superset_nginx
     restart: unless-stopped
     ports:
-      - "${NGINX_PORT:-80}:80"
+      - "80:80"
     extra_hosts:
       - "host.docker.internal:host-gateway"
     volumes:
@@ -64,9 +66,10 @@ services:
 
   redis:
     image: redis:7
+    container_name: superset_cache
     restart: unless-stopped
     ports:
-      - "127.0.0.1:${REDIS_PORT:-6379}:6379"
+      - "127.0.0.1:6379:6379"
     volumes:
       - redis:/data
 
@@ -76,10 +79,11 @@ services:
         required: true
       - path: docker/.env-local # optional override
         required: false
-    image: postgres:17
+    image: postgres:16
+    container_name: superset_db
     restart: unless-stopped
     ports:
-      - "127.0.0.1:${DATABASE_PORT:-5432}:5432"
+      - "127.0.0.1:5432:5432"
     volumes:
       - db_home:/var/lib/postgresql/data
       - ./docker/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
@@ -92,12 +96,13 @@ services:
         required: false
     build:
       <<: *common-build
+    container_name: superset_app
     command: ["/app/docker/docker-bootstrap.sh", "app"]
     restart: unless-stopped
     ports:
-      - ${SUPERSET_PORT:-8088}:8088
+      - 8088:8088
       # When in cypress-mode ->
-      - ${CYPRESS_PORT:-8081}:8081
+      - 8081:8081
     extra_hosts:
       - "host.docker.internal:host-gateway"
     user: *superset-user
@@ -105,11 +110,14 @@ services:
       superset-init:
         condition: service_completed_successfully
     volumes: *superset-volumes
+    environment:
+      SUPERSET__SQLALCHEMY_EXAMPLES_URI: "duckdb:////app/data/examples.duckdb"
 
   superset-websocket:
+    container_name: superset_websocket
     build: ./superset-websocket
     ports:
-      - ${WEBSOCKET_PORT:-8080}:8080
+      - 8080:8080
     extra_hosts:
       - "host.docker.internal:host-gateway"
     depends_on:
@@ -141,6 +149,7 @@ services:
   superset-init:
     build:
       <<: *common-build
+    container_name: superset_init
     command: ["/app/docker/docker-init.sh"]
     env_file:
       - path: docker/.env # default
@@ -154,6 +163,8 @@ services:
         condition: service_started
     user: *superset-user
     volumes: *superset-volumes
+    environment:
+      SUPERSET__SQLALCHEMY_EXAMPLES_URI: "duckdb:////app/data/examples.duckdb"
     healthcheck:
       disable: true
 
@@ -175,10 +186,9 @@ services:
       SCARF_ANALYTICS: "${SCARF_ANALYTICS:-}"
       # configuring the dev-server to use the host.docker.internal to connect to the backend
       superset: "http://superset:8088"
-      # Webpack dev server must bind to 0.0.0.0 to be accessible from outside the container
-      WEBPACK_DEVSERVER_HOST: "0.0.0.0"
     ports:
-      - "127.0.0.1:${NODE_PORT:-9000}:9000"  # exposing the dynamic webpack dev server
+      - "127.0.0.1:9000:9000"  # exposing the dynamic webpack dev server
+    container_name: superset_node
     command: ["/app/docker/docker-frontend.sh"]
     env_file:
       - path: docker/.env # default
@@ -190,6 +200,7 @@ services:
   superset-worker:
     build:
       <<: *common-build
+    container_name: superset_worker
     command: ["/app/docker/docker-bootstrap.sh", "worker"]
     env_file:
       - path: docker/.env # default
@@ -215,6 +226,7 @@ services:
   superset-worker-beat:
     build:
       <<: *common-build
+    container_name: superset_worker_beat
     command: ["/app/docker/docker-bootstrap.sh", "beat"]
     env_file:
       - path: docker/.env # default
@@ -232,6 +244,7 @@ services:
   superset-tests-worker:
     build:
       <<: *common-build
+    container_name: superset_tests_worker
     command: ["/app/docker/docker-bootstrap.sh", "worker"]
     env_file:
       - path: docker/.env # default

docker/.env

@@ -21,15 +21,6 @@ PYTHONUNBUFFERED=1
 COMPOSE_PROJECT_NAME=superset
 DEV_MODE=true
 
-# Port configuration (override in .env-local for multiple instances)
-# NGINX_PORT=80
-# SUPERSET_PORT=8088
-# NODE_PORT=9000
-# WEBSOCKET_PORT=8080
-# CYPRESS_PORT=8081
-# DATABASE_PORT=5432
-# REDIS_PORT=6379
-
 # database configurations (do not modify)
 DATABASE_DB=superset
 DATABASE_HOST=db

docker/.env-local.example

@@ -1,39 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#    http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# -----------------------------------------------------------------------
-# Example .env-local file for running multiple Superset instances
-# Copy this file to .env-local and customize for your setup
-# -----------------------------------------------------------------------
-
-# Unique project name prevents container/volume conflicts between clones
-# Each clone should have a different name (e.g., superset-pr123, superset-feature-x)
-COMPOSE_PROJECT_NAME=superset-dev2
-
-# Port offsets for running multiple instances simultaneously
-# Instance 1 (default): 80, 8088, 9000, 8080, 8081, 5432, 6379
-# Instance 2 example:   81, 8089, 9001, 8082, 8083, 5433, 6380
-NGINX_PORT=81
-SUPERSET_PORT=8089
-NODE_PORT=9001
-WEBSOCKET_PORT=8082
-CYPRESS_PORT=8083
-DATABASE_PORT=5433
-REDIS_PORT=6380
-
-# For verbose logging during development:
-# SUPERSET_LOG_LEVEL=debug

docker/README.md

@@ -77,34 +77,6 @@ To run the container, simply run: `docker compose up`
 After waiting several minutes for Superset initialization to finish, you can open a browser and view [`http://localhost:8088`](http://localhost:8088)
 to start your journey.
 
-### Running Multiple Instances
-
-If you need to run multiple Superset instances simultaneously (e.g., different branches or clones), use the make targets which automatically find available ports:
-
-```bash
-make up
-```
-
-This automatically:
-- Generates a unique project name from your directory
-- Finds available ports (incrementing from defaults if in use)
-- Displays the assigned URLs before starting
-
-Available commands (run from repo root):
-
-| Command | Description |
-|---------|-------------|
-| `make up` | Start services (foreground) |
-| `make up-detached` | Start services (background) |
-| `make down` | Stop all services |
-| `make ps` | Show running containers |
-| `make logs` | Follow container logs |
-| `make nuke` | Stop, remove volumes & local images |
-
-From a subdirectory, use: `make -C $(git rev-parse --show-toplevel) up`
-
-**Important**: Always use these commands instead of plain `docker compose down`, which won't know the correct project name.
-
 ## Developing
 
 While running, the container server will reload on modification of the Superset Python and JavaScript source code.

docker/docker-bootstrap.sh

@@ -80,7 +80,7 @@ case "${1}" in
     ;;
   app)
     echo "Starting web app (using development server)..."
-    flask run -p $PORT --reload --debugger --host=0.0.0.0 --exclude-patterns "*/node_modules/*:*/.venv/*:*/build/*:*/__pycache__/*:*/superset-frontend/*"
+    flask run -p $PORT --reload --debugger --without-threads --host=0.0.0.0 --exclude-patterns "*/node_modules/*:*/.venv/*:*/build/*:*/__pycache__/*"
     ;;
   app-gunicorn)
     echo "Starting web app..."

docker/docker-frontend.sh

@@ -28,11 +28,11 @@ if [ "$BUILD_SUPERSET_FRONTEND_IN_DOCKER" = "true" ]; then
     cd /app/superset-frontend
 
     if [ "$NPM_RUN_PRUNE" = "true" ]; then
-        echo "Running \"npm run prune\""
+        echo "Running `npm run prune`"
         npm run prune
     fi
 
-    echo "Running \"npm install\""
+    echo "Running `npm install`"
     npm install
 
     echo "Start webpack dev server"

docker/pythonpath_dev/superset_config.py

@@ -105,13 +105,7 @@ class CeleryConfig:
 
 CELERY_CONFIG = CeleryConfig
 
-FEATURE_FLAGS = {
-    "ALERT_REPORTS": True,
-    "DATASET_FOLDERS": True,
-    "ENABLE_EXTENSIONS": True,
-    "SEMANTIC_LAYERS": True,
-}
-EXTENSIONS_PATH = "/app/docker/extensions"
+FEATURE_FLAGS = {"ALERT_REPORTS": True}
 ALERT_REPORTS_NOTIFICATION_DRY_RUN = True
 WEBDRIVER_BASEURL = f"http://superset_app{os.environ.get('SUPERSET_APP_ROOT', '/')}/"  # When using docker compose baseurl should be http://superset_nginx{ENV{BASEPATH}}/  # noqa: E501
 # The base URL for the email report hyperlinks.

docker/pythonpath_dev/superset_config_docker_light.py

@@ -19,7 +19,6 @@
 
 # Import all settings from the main config first
 from flask_caching.backends.filesystemcache import FileSystemCache
-
 from superset_config import *  # noqa: F403
 
 # Override caching to use simple in-memory cache instead of Redis

docker/superset-websocket/config.json

@@ -0,0 +1,22 @@
+{
+  "port": 8080,
+  "logLevel": "info",
+  "logToFile": false,
+  "logFilename": "app.log",
+  "statsd": {
+    "host": "127.0.0.1",
+    "port": 8125,
+    "globalTags": []
+  },
+  "redis": {
+    "port": 6379,
+    "host": "127.0.0.1",
+    "password": "",
+    "db": 0,
+    "ssl": false
+  },
+  "redisStreamPrefix": "async-events-",
+  "jwtAlgorithms": ["HS256"],
+  "jwtSecret": "CHANGE-ME-IN-PRODUCTION-GOTTA-BE-LONG-AND-SECRET",
+  "jwtCookieName": "async-token"
+}

docs/.claude/instructions.md

@@ -1,115 +0,0 @@
-# Developer Portal Documentation Instructions
-
-## Core Principle: Stories Are the Single Source of Truth
-
-When working on the Storybook-to-MDX documentation system:
-
-**ALWAYS fix the story first. NEVER add workarounds to the generator.**
-
-## Why This Matters
-
-The generator (`scripts/generate-superset-components.mjs`) should be lightweight - it extracts data from stories and passes it through. When you add special cases to the generator:
-- It becomes harder to maintain
-- Stories diverge from their docs representation
-- Future stories need to know about generator quirks
-
-When you fix stories to match the expected patterns:
-- Stories work identically in Storybook and Docs
-- The generator stays simple and predictable
-- Patterns are consistent and learnable
-
-## Story Patterns for Docs Generation
-
-### Required Structure
-```tsx
-// Use inline export default (NOT const meta = ...; export default meta)
-export default {
-  title: 'Components/MyComponent',
-  component: MyComponent,
-};
-
-// Name interactive stories with Interactive prefix
-export const InteractiveMyComponent: Story = {
-  args: {
-    // Default prop values
-  },
-  argTypes: {
-    // Control definitions - MUST be at story level, not meta level
-    propName: {
-      control: { type: 'select' },
-      options: ['a', 'b', 'c'],
-      description: 'What this prop does',
-    },
-  },
-};
-```
-
-### For Components with Variants (size × style grids)
-```tsx
-const sizes = ['small', 'medium', 'large'];
-const variants = ['primary', 'secondary', 'danger'];
-
-InteractiveButton.parameters = {
-  docs: {
-    gallery: {
-      component: 'Button',
-      sizes,
-      styles: variants,
-      sizeProp: 'size',
-      styleProp: 'variant',
-    },
-  },
-};
-```
-
-### For Components Requiring Children
-```tsx
-InteractiveIconTooltip.parameters = {
-  docs: {
-    // Component descriptors with dot notation for nested components
-    sampleChildren: [{ component: 'Icons.InfoCircleOutlined', props: { iconSize: 'l' } }],
-  },
-};
-```
-
-### For Custom Live Code Examples
-```tsx
-InteractiveMyComponent.parameters = {
-  docs: {
-    liveExample: `function Demo() {
-  return <MyComponent prop="value">Content</MyComponent>;
-}`,
-  },
-};
-```
-
-### For Complex Props (objects, arrays)
-```tsx
-InteractiveMenu.parameters = {
-  docs: {
-    staticProps: {
-      items: [
-        { key: '1', label: 'Item 1' },
-        { key: '2', label: 'Item 2' },
-      ],
-    },
-  },
-};
-```
-
-## Common Issues and How to Fix Them (in the Story)
-
-| Issue | Wrong Approach | Right Approach |
-|-------|---------------|----------------|
-| Component not generated | Add pattern to generator | Change story to use inline `export default` |
-| Control shows as text instead of select | Add special case in generator | Add `argTypes` with `control: { type: 'select' }` |
-| Missing children/content | Modify StorybookWrapper | Add `parameters.docs.sampleChildren` |
-| Gallery not showing | Add to generator output | Add `parameters.docs.gallery` config |
-| Wrong live example | Hardcode in generator | Add `parameters.docs.liveExample` |
-
-## Files
-
-- **Generator**: `docs/scripts/generate-superset-components.mjs`
-- **Wrapper**: `docs/src/components/StorybookWrapper.jsx`
-- **Output**: `docs/developer_docs/components/`
-- **Stories**: `superset-frontend/packages/superset-ui-core/src/components/*/`

docs/.gitignore

@@ -23,24 +23,3 @@ docs/.zshrc
 
 # Gets copied from the root of the project at build time (yarn start / yarn build)
 docs/intro.md
-
-# Generated badge images (downloaded at build time by remark-localize-badges plugin)
-static/badges/
-
-# Generated database documentation MDX files (regenerated at build time)
-# Source of truth is in superset/db_engine_specs/*.py metadata attributes
-docs/databases/
-
-# Generated API documentation (regenerated at build time from openapi.json)
-# Source of truth is static/resources/openapi.json
-developer_docs/api/
-
-# Generated component documentation MDX files (regenerated at build time)
-# Source of truth is Storybook stories in superset-frontend/packages/superset-ui-core/src/components/
-developer_docs/components/
-
-# Note: src/data/databases.json is COMMITTED (not ignored) to preserve feature diagnostics
-# that require Flask context to generate. Update it locally with: npm run gen-db-docs
-
-# Generated component metadata JSON (regenerated by generate-superset-components.mjs)
-static/data/components.json

docs/.nvmrc

@@ -1 +1 @@
-v22.22.0
+v20.18.3

docs/DOCS_CLAUDE.md

@@ -31,9 +31,8 @@ You are currently in the `/docs` subdirectory of the Apache Superset repository.
 ├── superset-frontend/             # React/TypeScript frontend
 └── docs/                         # Documentation site (YOU ARE HERE)
     ├── docs/                     # Main documentation content
-    ├── admin_docs/               # Admin-focused guides
-    ├── developer_docs/           # Developer guides
-    ├── components/               # Component playground
+    ├── developer_portal/         # Developer guides (currently disabled)
+    ├── components/               # Component playground (currently disabled)
     └── docusaurus.config.ts      # Site configuration
 ```
 
@@ -47,19 +46,12 @@ yarn build                # Build production site
 yarn serve                # Serve built site locally
 
 # Version Management (USE THESE, NOT docusaurus commands)
-# The add scripts auto-run `generate:smart` so auto-gen content (database
-# pages, API reference, component pages) is fresh before snapshotting.
-# For maximum-detail databases.json, drop the `database-diagnostics`
-# artifact from Python-Integration CI at src/data/databases.json before
-# cutting. See README.md "Before You Cut".
 yarn version:add:docs <version>              # Add new docs version
-yarn version:add:admin_docs <version>        # Add admin docs version
-yarn version:add:developer_docs <version>    # Add developer docs version
+yarn version:add:developer_portal <version>  # Add developer portal version  
 yarn version:add:components <version>        # Add components version
 yarn version:remove:docs <version>           # Remove docs version
-yarn version:remove:admin_docs <version>     # Remove admin docs version
-yarn version:remove:developer_docs <version> # Remove developer docs version
-yarn version:remove:components <version>     # Remove components version
+yarn version:remove:developer_portal <version> # Remove developer portal version
+yarn version:remove:components <version>      # Remove components version
 
 # Quality Checks
 yarn typecheck            # TypeScript validation
@@ -103,14 +95,15 @@ docs/
     └── [security guides]
 ```
 
-### Admin Docs (`/admin_docs`)
-Admin-focused content: installation, configuration, security.
+### Developer Portal (`/developer_portal`) - Currently Disabled
+When enabled, contains developer-focused content:
+- API documentation
+- Architecture guides
+- CLI tools
+- Code examples
 
-### Developer Docs (`/developer_docs`)
-Developer-focused content: API documentation, architecture guides, CLI tools, code examples.
-
-### Component Playground (`/components`)
-Interactive component examples for UI development.
+### Component Playground (`/components`) - Currently Disabled
+When enabled, provides interactive component examples for UI development.
 
 ## 📝 Documentation Standards
 
@@ -423,7 +416,7 @@ If versions don't appear in dropdown:
 
 - [Docusaurus Documentation](https://docusaurus.io/docs)
 - [MDX Documentation](https://mdxjs.com/)
-- [Superset Developer Docs](https://superset.apache.org/developer-docs/)
+- [Superset Contributing Guide](../CONTRIBUTING.md)
 - [Main Superset Documentation](https://superset.apache.org/docs/intro)
 
 ## 📖 Real Examples and Patterns

docs/README.md

@@ -18,17 +18,16 @@ under the License.
 -->
 
 This is the public documentation site for Superset, built using
-[Docusaurus 3](https://docusaurus.io/). See the
-[Developer Docs](https://superset.apache.org/developer-docs/contributing/development-setup#documentation)
-for documentation on contributing to documentation.
+[Docusaurus 3](https://docusaurus.io/). See
+[CONTRIBUTING.md](../CONTRIBUTING.md#documentation) for documentation on
+contributing to documentation.
 
 ## Version Management
 
-The Superset documentation site uses Docusaurus versioning with four independent sections:
+The Superset documentation site uses Docusaurus versioning with three independent versioned sections:
 
-- **User Documentation** (`/user-docs/`) - End-user guides and tutorials
-- **Admin Documentation** (`/admin-docs/`) - Installation, configuration, and security
-- **Developer Docs** (`/developer-docs/`) - Developer guides, contributing, and extensions
+- **Main Documentation** (`/docs/`) - Core Superset documentation
+- **Developer Portal** (`/developer_portal/`) - Developer guides and tutorials  
 - **Component Playground** (`/components/`) - Interactive component examples (currently disabled)
 
 Each section maintains its own version history and can be versioned independently.
@@ -37,45 +36,23 @@ Each section maintains its own version history and can be versioned independentl
 
 To create a new version for any section, use the Docusaurus version command with the appropriate plugin ID or use our automated scripts:
 
-#### Before You Cut
-
-The cut snapshots whatever's on disk into a frozen historical version, including auto-generated content (database pages from `superset/db_engine_specs/`, API reference from `static/resources/openapi.json`, component pages from Storybook stories). The cut script refreshes these via `generate:smart` before snapshotting, but the **`databases.json` diagnostics file** needs special care to capture full detail:
-
-1. **Canonical release cut**: download the `database-diagnostics` artifact from a green `Python-Integration` run on master, place it at `docs/src/data/databases.json`, then run the cut script with `--skip-generate` to preserve it. This is what the production deploy uses and includes full Flask-context diagnostics (driver versions, feature support matrix, etc.).
-2. **Local dev cut**: just run the script normally. `generate:smart` will regenerate `databases.json` using your local Flask environment — accurate to whatever drivers/extras you have installed, but typically less complete than the CI artifact.
-3. **No Flask available**: also fine — the database generator falls back to AST parsing of engine spec files. The MDX pages are still correct; only the diagnostics JSON is leaner.
-
-Also: confirm `master` CI is green, and that your local checkout matches the SHA you intend to cut from.
-
 #### Using Automated Scripts (Required)
 
-**⚠️ Important:** Always use these custom commands instead of the native Docusaurus commands. These scripts ensure that both the Docusaurus versioning system AND the `versions-config.json` file are updated correctly, AND that auto-generated content is refreshed before snapshotting.
+**⚠️ Important:** Always use these custom commands instead of the native Docusaurus commands. These scripts ensure that both the Docusaurus versioning system AND the `versions-config.json` file are updated correctly.
 
 ```bash
 # Main Documentation
 yarn version:add:docs 1.2.0
 
-# Admin Docs
-yarn version:add:admin_docs 1.2.0
+# Developer Portal
+yarn version:add:developer_portal 1.2.0
 
-# Developer Docs
-yarn version:add:developer_docs 1.2.0
-
-# Component Playground
+# Component Playground (when enabled)
 yarn version:add:components 1.2.0
 ```
 
-What the script does:
-1. Refreshes auto-generated content via `generate:smart` (database pages, API reference, component pages).
-2. Calls `yarn docusaurus docs:version` (or the per-section equivalent) to snapshot the section.
-3. Freezes any data-file imports (`@site/static/*.json`, `../../data/*.json`) into a snapshot-local `_versioned_data/` dir so the historical version doesn't silently mutate when the source files change.
-4. Adjusts relative import paths (`../../src/...` → `../../../src/...`) for files now one directory deeper.
-5. Updates `versions-config.json` and `<section>_versions.json`.
-
 **Do NOT use** the native Docusaurus commands directly (`yarn docusaurus docs:version`), as they will:
 - ❌ Create version files but NOT update `versions-config.json`
-- ❌ Skip auto-gen refresh, freezing whatever was on disk
-- ❌ Skip data-import freezing, leaving the snapshot pointed at live data
 - ❌ Cause versions to not appear in dropdown menus
 - ❌ Require manual fixes to synchronize the configuration
 
@@ -113,11 +90,8 @@ If creating versions manually, you'll need to:
 # Main Documentation
 yarn version:remove:docs 1.0.0
 
-# Admin Docs
-yarn version:remove:admin_docs 1.0.0
-
-# Developer Docs
-yarn version:remove:developer_docs 1.0.0
+# Developer Portal
+yarn version:remove:developer_portal 1.0.0
 
 # Component Playground
 yarn version:remove:components 1.0.0
@@ -128,20 +102,17 @@ To manually remove a version:
 
 1. **Delete the version folder** from the appropriate location:
    - Main docs: `versioned_docs/version-X.X.X/` (no prefix for main)
-   - Admin Docs: `admin_docs_versioned_docs/version-X.X.X/`
-   - Developer Docs: `developer_docs_versioned_docs/version-X.X.X/`
+   - Developer Portal: `developer_portal_versioned_docs/version-X.X.X/`
    - Components: `components_versioned_docs/version-X.X.X/`
 
 2. **Delete the version metadata file**:
    - Main docs: `versioned_sidebars/version-X.X.X-sidebars.json` (no prefix)
-   - Admin Docs: `admin_docs_versioned_sidebars/version-X.X.X-sidebars.json`
-   - Developer Docs: `developer_docs_versioned_sidebars/version-X.X.X-sidebars.json`
+   - Developer Portal: `developer_portal_versioned_sidebars/version-X.X.X-sidebars.json`
    - Components: `components_versioned_sidebars/version-X.X.X-sidebars.json`
 
 3. **Update the versions list file**:
    - Main docs: `versions.json`
-   - Admin Docs: `admin_docs_versions.json`
-   - Developer Docs: `developer_docs_versions.json`
+   - Developer Portal: `developer_portal_versions.json`
    - Components: `components_versions.json`
 
 4. **Update configuration**:
@@ -173,12 +144,12 @@ docs: {
 }
 ```
 
-#### Developer Docs & Components (custom plugins)
+#### Developer Portal & Components (custom plugins)
 ```typescript
 {
-  id: 'developer_docs',
-  path: 'developer_docs',
-  routeBasePath: 'developer-docs',
+  id: 'developer_portal',
+  path: 'developer_portal',
+  routeBasePath: 'developer_portal',
   includeCurrentVersion: true,
   lastVersion: '1.1.0',  // Default version
   onlyIncludeVersions: ['current', '1.1.0', '1.0.0'],
@@ -222,7 +193,7 @@ For other issues:
 
 #### Broken Links in Versioned Documentation
 When creating a new version, links in the documentation are preserved as-is. Common issues:
-- **Cross-section links**: Links between sections (e.g., from developer_docs to docs) need to be version-aware
+- **Cross-section links**: Links between sections (e.g., from developer_portal to docs) need to be version-aware
 - **Absolute vs relative paths**: Use relative paths within the same section
 - **Version-specific URLs**: Update hardcoded URLs to use version variables
 

docs/admin_docs/configuration/alerts-reports.mdx

@@ -1,500 +0,0 @@
----
-title: Alerts and Reports
-hide_title: true
-sidebar_position: 2
-version: 2
----
-
-# Alerts and Reports
-
-Users can configure automated alerts and reports to send dashboards or charts to an email recipient or Slack channel.
-
-- *Alerts* are sent when a SQL condition is reached
-- *Reports* are sent on a schedule
-
-Alerts and reports are disabled by default. To turn them on, you'll need to change configuration settings and install a suitable headless browser in your environment.
-
-## Requirements
-
-### Commons
-
-#### In your `superset_config.py` or `superset_config_docker.py`
-
-- `"ALERT_REPORTS"` [feature flag](/admin-docs/configuration/configuring-superset#feature-flags) must be turned to True.
-- `beat_schedule` in CeleryConfig must contain schedule for `reports.scheduler`.
-- At least one of those must be configured, depending on what you want to use:
-  - emails: `SMTP_*` settings
-  - Slack messages: `SLACK_API_TOKEN`
-- Users can customize the email subject by including date code placeholders, which will automatically be replaced with the corresponding UTC date when the email is sent. To enable this functionality, activate the `"DATE_FORMAT_IN_EMAIL_SUBJECT"` [feature flag](/admin-docs/configuration/configuring-superset#feature-flags). This enables date formatting in email subjects, preventing all reporting emails from being grouped into the same thread (optional for the reporting feature).
-    - Use date codes from [strftime.org](https://strftime.org/) to create the email subject.
-    - If no date code is provided, the original string will be used as the email subject.
-
-##### Disable dry-run mode
-
-Screenshots will be taken but no messages actually sent as long as `ALERT_REPORTS_NOTIFICATION_DRY_RUN = True`, its default value in `docker/pythonpath_dev/superset_config.py`.  To disable dry-run mode and start receiving email/Slack notifications, set `ALERT_REPORTS_NOTIFICATION_DRY_RUN` to `False` in [superset config](https://github.com/apache/superset/blob/master/docker/pythonpath_dev/superset_config.py).
-
-#### In your `Dockerfile`
-
-You'll need to extend the Superset image to include a headless browser. Your options include:
-- Use Playwright with Chrome: this is the recommended approach as of version 4.1.x or greater. A working example of a Dockerfile that installs these tools is provided under "Building your own production Docker image" on the [Docker Builds](/admin-docs/installation/docker-builds#building-your-own-production-docker-image) page. Read the code comments there as you'll also need to change a feature flag in your config.
-- Use Firefox: you'll need to install geckodriver and Firefox.
-- Use Chrome without Playwright: you'll need to install Chrome and set the value of `WEBDRIVER_TYPE` to `"chrome"` in your `superset_config.py`.
-
-In Superset versions <=4.0x, users installed Firefox or Chrome and that was documented here.
-
-Only the worker container needs the browser.
-
-### Slack integration
-
-To send alerts and reports to Slack channels, you need to create a new Slack Application on your workspace.
-
-1. Connect to your Slack workspace, then head to [https://api.slack.com/apps].
-2. Create a new app.
-3. Go to "OAuth & Permissions" section, and give the following scopes to your app:
-   - `incoming-webhook`
-   - `files:write`
-   - `chat:write`
-   - `channels:read`
-   - `groups:read`
-4. At the top of the "OAuth and Permissions" section, click "install to workspace".
-5. Select a default channel for your app and continue.
-   (You can post to any channel by inviting your Superset app into that channel).
-6. The app should now be installed in your workspace, and a "Bot User OAuth Access Token" should have been created. Copy that token in the `SLACK_API_TOKEN` variable of your `superset_config.py`.
-7. Ensure the feature flag `ALERT_REPORT_SLACK_V2` is set to True in `superset_config.py`
-8. Restart the service (or run `superset init`) to pull in the new configuration.
-
-Note: when you configure an alert or a report, the Slack channel list takes channel names without the leading '#' e.g. use `alerts` instead of `#alerts`.
-
-#### Large Slack Workspaces (10k+ channels)
-
-For workspaces with many channels, fetching the complete channel list can take several minutes and may encounter Slack API rate limits. Add the following to your `superset_config.py`:
-
-```python
-from datetime import timedelta
-
-# Increase cache timeout to reduce API calls
-# Default: 1 day (86400 seconds)
-SLACK_CACHE_TIMEOUT = int(timedelta(days=2).total_seconds())
-
-# Increase retry count for rate limit errors
-# Default: 2
-SLACK_API_RATE_LIMIT_RETRY_COUNT = 5
-```
-
-### Webhook integration
-
-Superset can send alert and report notifications to any HTTP endpoint — useful for chat platforms, incident management tools, or custom automation.
-
-#### Enabling Webhooks
-
-Enable the feature flag in `superset_config.py`:
-
-```python
-FEATURE_FLAGS = {
-    "ALERT_REPORTS": True,
-    "ALERT_REPORT_WEBHOOK": True,
-}
-```
-
-#### Configuring a Webhook Recipient
-
-When creating or editing an alert or report, select **Webhook** as the notification method and enter your endpoint URL.
-
-#### Payload Format
-
-Superset sends an HTTP POST with `Content-Type: application/json`:
-
-```json
-{
-  "name": "My Alert",
-  "header": {
-    "notification_format": "JSON",
-    "notification_type": "Alert",
-    "notification_source": "Alert",
-    "chart_id": 42,
-    "dashboard_id": null
-  },
-  "text": "Alert condition met: value exceeded threshold",
-  "description": "Monthly revenue dropped below target",
-  "url": "https://your-superset-host/superset/dashboard/1/"
-}
-```
-
-When a report includes file attachments (CSV, PDF, or PNG screenshots), the request is sent as `multipart/form-data` instead. In that case, each top-level payload field (`name`, `text`, `description`, `url`) becomes its own form field, and nested structures like `header` are serialized as a JSON-encoded string in their own field. Every attachment is added as a repeated form field named `files`:
-
-```
-POST /webhook HTTP/1.1
-Content-Type: multipart/form-data; boundary=...
-
---...
-Content-Disposition: form-data; name="name"
-
-My Alert
---...
-Content-Disposition: form-data; name="header"
-
-{"notification_format": "JSON", "notification_type": "Alert", ...}
---...
-Content-Disposition: form-data; name="text"
-
-Alert condition met: value exceeded threshold
---...
-Content-Disposition: form-data; name="files"; filename="report.csv"
-Content-Type: text/csv
-
-<file bytes>
---...
-```
-
-Webhook consumers should branch on `Content-Type`: parse the body as JSON when `application/json`, or read the individual form fields (decoding `header` as JSON) when `multipart/form-data`.
-
-#### HTTPS Enforcement
-
-To require HTTPS webhook URLs (recommended for production), set:
-
-```python
-ALERT_REPORTS_WEBHOOK_HTTPS_ONLY = True
-```
-
-When enabled, Superset rejects webhook configurations that use `http://` URLs.
-
-#### Retry Behavior
-
-Superset automatically retries webhook deliveries on `429 Too Many Requests` and `5xx` server errors using exponential backoff.
-
-### Kubernetes-specific
-
-- You must have a `celery beat` pod running. If you're using the chart included in the GitHub repository under [helm/superset](https://github.com/apache/superset/tree/master/helm/superset), you need to put `supersetCeleryBeat.enabled = true` in your values override.
-- You can see the dedicated docs about [Kubernetes installation](/admin-docs/installation/kubernetes) for more details.
-
-### Docker Compose specific
-
-#### You must have in your `docker-compose.yml`
-
-- A Redis message broker
-- PostgreSQL DB instead of SQLlite
-- One or more `celery worker`
-- A single `celery beat`
-
-This process also works in a Docker swarm environment, you would just need to add `Deploy:` to the Superset, Redis and Postgres services along with your specific configs for your swarm.
-
-### Detailed config
-
-The following configurations need to be added to the `superset_config.py` file. This file is loaded when the image runs, and any configurations in it will override the default configurations found in the `config.py`.
-
-You can find documentation about each field in the default `config.py` in the GitHub repository under [superset/config.py](https://github.com/apache/superset/blob/master/superset/config.py).
-
-You need to replace default values with your custom Redis, Slack and/or SMTP config.
-
-Superset uses Celery beat and Celery worker(s) to send alerts and reports.
-
-- The beat is the scheduler that tells the worker when to perform its tasks. This schedule is defined when you create the alert or report.
-- The worker will process the  tasks that need to be performed when an alert or report is fired.
-
-In the `CeleryConfig`, only the `beat_schedule` is relevant to this feature, the rest of the `CeleryConfig` can be changed for your needs.
-
-```python
-from celery.schedules import crontab
-
-FEATURE_FLAGS = {
-    "ALERT_REPORTS": True
-}
-
-REDIS_HOST = "superset_cache"
-REDIS_PORT = "6379"
-
-class CeleryConfig:
-    broker_url = f"redis://{REDIS_HOST}:{REDIS_PORT}/0"
-    imports = (
-        "superset.sql_lab",
-        "superset.tasks.scheduler",
-    )
-    result_backend = f"redis://{REDIS_HOST}:{REDIS_PORT}/0"
-    worker_prefetch_multiplier = 10
-    task_acks_late = True
-    task_annotations = {
-        "sql_lab.get_sql_results": {
-            "rate_limit": "100/s",
-        },
-    }
-    beat_schedule = {
-        "reports.scheduler": {
-            "task": "reports.scheduler",
-            "schedule": crontab(minute="*", hour="*"),
-        },
-        "reports.prune_log": {
-            "task": "reports.prune_log",
-            "schedule": crontab(minute=0, hour=0),
-        },
-    }
-CELERY_CONFIG = CeleryConfig
-
-SCREENSHOT_LOCATE_WAIT = 100
-SCREENSHOT_LOAD_WAIT = 600
-
-# Slack configuration
-SLACK_API_TOKEN = "xoxb-"
-
-# Email configuration
-SMTP_HOST = "smtp.sendgrid.net" # change to your host
-SMTP_PORT = 2525 # your port, e.g. 587
-SMTP_STARTTLS = True
-SMTP_SSL_SERVER_AUTH = True # If you're using an SMTP server with a valid certificate
-SMTP_SSL = False
-SMTP_USER = "your_user" # use the empty string "" if using an unauthenticated SMTP server
-SMTP_PASSWORD = "your_password" # use the empty string "" if using an unauthenticated SMTP server
-SMTP_MAIL_FROM = "noreply@youremail.com"
-EMAIL_REPORTS_SUBJECT_PREFIX = "[Superset] " # optional - overwrites default value in config.py of "[Report] "
-
-# WebDriver configuration
-# If you use Firefox or Playwright with Chrome, you can stick with default values
-# If you use Chrome and are *not* using Playwright, then add the following WEBDRIVER_TYPE and WEBDRIVER_OPTION_ARGS
-WEBDRIVER_TYPE = "chrome"
-WEBDRIVER_OPTION_ARGS = [
-    "--force-device-scale-factor=2.0",
-    "--high-dpi-support=2.0",
-    "--headless",
-    "--disable-gpu",
-    "--disable-dev-shm-usage",
-    "--no-sandbox",
-    "--disable-setuid-sandbox",
-    "--disable-extensions",
-]
-
-# This is for internal use, you can keep http
-WEBDRIVER_BASEURL = "http://superset:8088" # When running using docker compose use "http://superset_app:8088'
-# This is the link sent to the recipient. Change to your domain, e.g. https://superset.mydomain.com
-WEBDRIVER_BASEURL_USER_FRIENDLY = "http://localhost:8088"
-```
-
-You also need
-to specify on behalf of which username to render the dashboards. In general, dashboards and charts
-are not accessible to unauthorized requests, that is why the worker needs to take over credentials
-of an existing user to take a snapshot.
-
-By default, Alerts and Reports are executed as the owner of the alert/report object. To use a fixed user account,
-just change the config as follows (`admin` in this example):
-
-```python
-from superset.tasks.types import FixedExecutor
-
-ALERT_REPORTS_EXECUTORS = [FixedExecutor("admin")]
-```
-
-Please refer to `ExecutorType` in the codebase for other executor types.
-
-**Important notes**
-
-- Be mindful of the concurrency setting for celery (using `-c 4`). Selenium/webdriver instances can
-  consume a lot of CPU / memory on your servers.
-- In some cases, if you notice a lot of leaked geckodriver processes, try running your celery
-  processes with `celery worker --pool=prefork --max-tasks-per-child=128 ...`
-- It is recommended to run separate workers for the `sql_lab` and `email_reports` tasks. This can be
-  done using the `queue` field in `task_annotations`.
-- Adjust `WEBDRIVER_BASEURL` in your configuration file if celery workers can’t access Superset via
-  its default value of `http://0.0.0.0:8080/`.
-
-It's also possible to specify a minimum interval between each report's execution through the config file:
-
-``` python
-# Set a minimum interval threshold between executions (for each Alert/Report)
-# Value should be an integer
-ALERT_MINIMUM_INTERVAL = int(timedelta(minutes=10).total_seconds())
-REPORT_MINIMUM_INTERVAL = int(timedelta(minutes=5).total_seconds())
-```
-
-Alternatively, you can assign a function to `ALERT_MINIMUM_INTERVAL` and/or `REPORT_MINIMUM_INTERVAL`. This is useful to dynamically retrieve a value as needed:
-
-``` python
-def alert_dynamic_minimal_interval(**kwargs) -> int:
-    """
-    Define logic here to retrieve the value dynamically
-    """
-
-ALERT_MINIMUM_INTERVAL = alert_dynamic_minimal_interval
-```
-
-## External Link Redirection
-
-For security, Superset rewrites external links in alert/report email HTML so
-they go through a warning page before the user is navigated to the external
-site.  Internal links (matching your configured base URL) are not affected.
-
-```python
-# Disable external link redirection entirely (default: True)
-ALERT_REPORTS_ENABLE_LINK_REDIRECT = False
-```
-
-The feature uses `WEBDRIVER_BASEURL_USER_FRIENDLY` (or `WEBDRIVER_BASEURL`)
-to determine which hosts are internal.
-
-## Troubleshooting
-
-There are many reasons that reports might not be working.  Try these steps to check for specific issues.
-
-### Confirm feature flag is enabled and you have sufficient permissions
-
-If you don't see "Alerts & Reports" under the *Manage* section of the Settings dropdown in the Superset UI, you need to enable the `ALERT_REPORTS` feature flag (see above). Enable another feature flag and check to see that it took effect, to verify that your config file is getting loaded.
-
-Log in as an admin user to ensure you have adequate permissions.
-
-### Check the logs of your Celery worker
-
-This is the best source of information about the problem.  In a docker compose deployment, you can do this with a command like `docker logs superset_worker --since 1h`.
-
-### Check web browser and webdriver installation
-
-To take a screenshot, the worker visits the dashboard or chart using a headless browser, then takes a screenshot. If you are able to send a chart as CSV or text but can't send as PNG, your problem may lie with the browser.
-
-If you are handling the installation of the headless browser on your own, do your own verification to ensure that the headless browser opens successfully in the worker environment.
-
-### Send a test email
-
-One symptom of an invalid connection to an email server is receiving an error of `[Errno 110] Connection timed out` in your logs when the report tries to send.
-
-Confirm via testing that your outbound email configuration is correct.  Here is the simplest test, for an un-authenticated email SMTP email service running on port 25.  If you are sending over SSL, for instance, study how [Superset's codebase sends emails](https://github.com/apache/superset/blob/master/superset/utils/core.py#L818) and then test with those commands and arguments.
-
-Start Python in your worker environment, replace all example values, and run:
-
-```python
-import smtplib
-from email.mime.multipart import MIMEMultipart
-from email.mime.text import MIMEText
-
-from_email = 'superset_emails@example.com'
-to_email = 'your_email@example.com'
-msg = MIMEMultipart()
-msg['From'] = from_email
-msg['To'] = to_email
-msg['Subject'] = 'Superset SMTP config test'
-message = 'It worked'
-msg.attach(MIMEText(message))
-mailserver = smtplib.SMTP('smtpmail.example.com', 25)
-mailserver.sendmail(from_email, to_email, msg.as_string())
-mailserver.quit()
-```
-
-This should send an email.
-
-Possible fixes:
-
-- Some cloud hosts disable outgoing unauthenticated SMTP email to prevent spam.  For instance, [Azure blocks port 25 by default on some machines](https://learn.microsoft.com/en-us/azure/virtual-network/troubleshoot-outbound-smtp-connectivity). Enable that port or use another sending method.
-- Use another set of SMTP credentials that you verify works in this setup.
-
-### Browse to your report from the worker
-
-The worker may be unable to reach the report. It will use the value of `WEBDRIVER_BASEURL` to browse to the report.  If that route is invalid, or presents an authentication challenge that the worker can't pass, the report screenshot will fail.
-
-Check this by attempting to `curl` the URL of a report that you see in the error logs of your worker. For instance, from the worker environment, run `curl http://superset_app:8088/superset/dashboard/1/`. You may get different responses depending on whether the dashboard exists - for example, you may need to change the `1` in that URL. If there's a URL in your logs from a failed report screenshot, that's a good place to start. The goal is to determine a valid value for `WEBDRIVER_BASEURL` and determine if an issue like HTTPS or authentication is redirecting your worker.
-
-In a deployment with authentication measures enabled like HTTPS and Single Sign-On, it may make sense to have the worker navigate directly to the Superset application running in the same location, avoiding the need to sign in.  For instance, you could use `WEBDRIVER_BASEURL="http://superset_app:8088"` for a docker compose deployment, and set `"force_https": False,` in your `TALISMAN_CONFIG`.
-
-### Duplicate report deliveries
-
-In some deployment configurations a scheduled report can be delivered more than once around its planned time. This typically happens when more than one process is responsible for running the alerts & reports schedule (for example, multiple schedulers or Celery beat instances). To avoid duplicate emails or notifications:
-
-- Ensure that only a **single scheduler/beat process** is configured to trigger alerts and reports for a given environment.
-- If you run **multiple Celery workers**, verify that there is still only one component responsible for scheduling the report tasks (workers should execute tasks, not schedule them independently).
-- Review your deployment/orchestration setup (for example systemd, Docker, or Kubernetes) to make sure the alerts & reports scheduler is **not started from multiple places by accident**.
-
-## Scheduling Queries as Reports
-
-You can optionally allow your users to schedule queries directly in SQL Lab. This is done by adding
-extra metadata to saved queries, which are then picked up by an external scheduled (like
-[Apache Airflow](https://airflow.apache.org/)).
-
-To allow scheduled queries, add the following to `SCHEDULED_QUERIES` in your configuration file:
-
-```python
-SCHEDULED_QUERIES = {
-    # This information is collected when the user clicks "Schedule query",
-    # and saved into the `extra` field of saved queries.
-    # See: https://github.com/mozilla-services/react-jsonschema-form
-    'JSONSCHEMA': {
-        'title': 'Schedule',
-        'description': (
-            'In order to schedule a query, you need to specify when it '
-            'should start running, when it should stop running, and how '
-            'often it should run. You can also optionally specify '
-            'dependencies that should be met before the query is '
-            'executed. Please read the documentation for best practices '
-            'and more information on how to specify dependencies.'
-        ),
-        'type': 'object',
-        'properties': {
-            'output_table': {
-                'type': 'string',
-                'title': 'Output table name',
-            },
-            'start_date': {
-                'type': 'string',
-                'title': 'Start date',
-                # date-time is parsed using the chrono library, see
-                # https://www.npmjs.com/package/chrono-node#usage
-                'format': 'date-time',
-                'default': 'tomorrow at 9am',
-            },
-            'end_date': {
-                'type': 'string',
-                'title': 'End date',
-                # date-time is parsed using the chrono library, see
-                # https://www.npmjs.com/package/chrono-node#usage
-                'format': 'date-time',
-                'default': '9am in 30 days',
-            },
-            'schedule_interval': {
-                'type': 'string',
-                'title': 'Schedule interval',
-            },
-            'dependencies': {
-                'type': 'array',
-                'title': 'Dependencies',
-                'items': {
-                    'type': 'string',
-                },
-            },
-        },
-    },
-    'UISCHEMA': {
-        'schedule_interval': {
-            'ui:placeholder': '@daily, @weekly, etc.',
-        },
-        'dependencies': {
-            'ui:help': (
-                'Check the documentation for the correct format when '
-                'defining dependencies.'
-            ),
-        },
-    },
-    'VALIDATION': [
-        # ensure that start_date <= end_date
-        {
-            'name': 'less_equal',
-            'arguments': ['start_date', 'end_date'],
-            'message': 'End date cannot be before start date',
-            # this is where the error message is shown
-            'container': 'end_date',
-        },
-    ],
-    # link to the scheduler; this example links to an Airflow pipeline
-    # that uses the query id and the output table as its name
-    'linkback': (
-        'https://airflow.example.com/admin/airflow/tree?'
-        'dag_id=query_${id}_${extra_json.schedule_info.output_table}'
-    ),
-}
-```
-
-This configuration is based on
-[react-jsonschema-form](https://github.com/mozilla-services/react-jsonschema-form) and will add a
-menu item called “Schedule” to SQL Lab. When the menu item is clicked, a modal will show up where
-the user can add the metadata required for scheduling the query.
-
-This information can then be retrieved from the endpoint `/api/v1/saved_query/` and used to
-schedule the queries that have `schedule_info` in their JSON metadata. For schedulers other than
-Airflow, additional fields can be easily added to the configuration file above.
-
-:::resources
-- [Tutorial: Automated Alerts and Reporting via Slack/Email in Superset](https://dev.to/ngtduc693/apache-superset-topic-5-automated-alerts-and-reporting-via-slackemail-in-superset-2gbe)
-- [Blog: Integrating Slack alerts and Apache Superset for better data observability](https://medium.com/affinityanswers-tech/integrating-slack-alerts-and-apache-superset-for-better-data-observability-fd2f9a12c350)
-:::

docs/admin_docs/configuration/async-queries-celery.mdx

@@ -1,108 +0,0 @@
----
-title: Async Queries via Celery
-hide_title: true
-sidebar_position: 4
-version: 1
----
-
-# Async Queries via Celery
-
-## Celery
-
-On large analytic databases, it’s common to run queries that execute for minutes or hours. To enable
-support for long running queries that execute beyond the typical web request’s timeout (30-60
-seconds), it is necessary to configure an asynchronous backend for Superset which consists of:
-
-- one or many Superset workers (which is implemented as a Celery worker), and can be started with
-  the `celery worker` command, run `celery worker --help` to view the related options.
-- a celery broker (message queue) for which we recommend using Redis or RabbitMQ
-- a results backend that defines where the worker will persist the query results
-
-Configuring Celery requires defining a `CELERY_CONFIG` in your `superset_config.py`. Both the worker
-and web server processes should have the same configuration.
-
-```python
-class CeleryConfig(object):
-    broker_url = "redis://localhost:6379/0"
-    imports = (
-        "superset.sql_lab",
-        "superset.tasks.scheduler",
-    )
-    result_backend = "redis://localhost:6379/0"
-    worker_prefetch_multiplier = 10
-    task_acks_late = True
-    task_annotations = {
-        "sql_lab.get_sql_results": {
-            "rate_limit": "100/s",
-        },
-    }
-
-CELERY_CONFIG = CeleryConfig
-```
-
-To start a Celery worker to leverage the configuration, run the following command:
-
-```bash
-celery --app=superset.tasks.celery_app:app worker --pool=prefork -O fair -c 4
-```
-
-To start a job which schedules periodic background jobs, run the following command:
-
-```bash
-celery --app=superset.tasks.celery_app:app beat
-```
-
-To setup a result backend, you need to pass an instance of a derivative of `BaseCache` (`from
-flask_caching.backends.base import BaseCache`) to the RESULTS_BACKEND configuration key in your
-superset_config.py. You can use Memcached, Redis, S3 (https://pypi.python.org/pypi/s3werkzeugcache),
-memory or the file system (in a single server-type setup or for testing), or to write your own
-caching interface. Your `superset_config.py` may look something like:
-
-```python
-# On S3
-from s3cache.s3cache import S3Cache
-S3_CACHE_BUCKET = 'foobar-superset'
-S3_CACHE_KEY_PREFIX = 'sql_lab_result'
-RESULTS_BACKEND = S3Cache(S3_CACHE_BUCKET, S3_CACHE_KEY_PREFIX)
-
-# On Redis
-from flask_caching.backends.rediscache import RedisCache
-RESULTS_BACKEND = RedisCache(
-    host='localhost', port=6379, key_prefix='superset_results')
-```
-
-For performance gains, [MessagePack](https://github.com/msgpack/msgpack-python) and
-[PyArrow](https://arrow.apache.org/docs/python/) are now used for results serialization. This can be
-disabled by setting `RESULTS_BACKEND_USE_MSGPACK = False` in your `superset_config.py`, should any
-issues arise. Please clear your existing results cache store when upgrading an existing environment.
-
-**Important Notes**
-
-- It is important that all the worker nodes and web servers in the Superset cluster _share a common
-  metadata database_. This means that SQLite will not work in this context since it has limited
-  support for concurrency and typically lives on the local file system.
-
-- There should _only be one instance of celery beat running_ in your entire setup. If not,
-  background jobs can get scheduled multiple times resulting in weird behaviors like duplicate
-  delivery of reports, higher than expected load / traffic etc.
-
-- SQL Lab will _only run your queries asynchronously if_ you enable **Asynchronous Query Execution**
-  in your database settings (Sources > Databases > Edit record).
-
-## Celery Flower
-
-Flower is a web based tool for monitoring the Celery cluster which you can install from pip:
-
-```bash
-pip install flower
-```
-
-You can run flower using:
-
-```bash
-celery --app=superset.tasks.celery_app:app flower
-```
-
-:::resources
-- [Blog: How to Set Up Global Async Queries (GAQ) in Apache Superset](https://medium.com/@ngigilevis/how-to-set-up-global-async-queries-gaq-in-apache-superset-a-complete-guide-9d2f4a047559)
-:::

docs/admin_docs/configuration/aws-iam.mdx

@@ -1,162 +0,0 @@
-{/*
-Licensed to the Apache Software Foundation (ASF) under one
-or more contributor license agreements.  See the NOTICE file
-distributed with this work for additional information
-regarding copyright ownership.  The ASF licenses this file
-to you under the Apache License, Version 2.0 (the
-"License"); you may not use this file except in compliance
-with the License.  You may obtain a copy of the License at
-
-  http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing,
-software distributed under the License is distributed on an
-"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-KIND, either express or implied.  See the License for the
-specific language governing permissions and limitations
-under the License.
-*/}
-
----
-title: AWS IAM Authentication
-sidebar_label: AWS IAM Authentication
-sidebar_position: 15
----
-
-# AWS IAM Authentication for AWS Databases
-
-Superset supports IAM-based authentication for **Amazon Aurora** (PostgreSQL and MySQL) and **Amazon Redshift**. IAM auth eliminates the need for database passwords — Superset generates a short-lived auth token using temporary AWS credentials instead.
-
-Cross-account IAM role assumption via STS `AssumeRole` is supported, allowing a Superset deployment in one AWS account to connect to databases in a different account.
-
-## Prerequisites
-
-- Enable the `AWS_DATABASE_IAM_AUTH` feature flag in `superset_config.py`. IAM authentication is gated behind this flag; if it is disabled, connections using `aws_iam` fail with *"AWS IAM database authentication is not enabled."*
-  ```python
-  FEATURE_FLAGS = {
-      "AWS_DATABASE_IAM_AUTH": True,
-  }
-  ```
-- `boto3` must be installed in your Superset environment:
-  ```bash
-  pip install boto3
-  ```
-- The Superset server's IAM role (or static credentials) must have permission to call `sts:AssumeRole` (for cross-account) or the same-account permissions for the target service:
-  - **Aurora (RDS)**: `rds-db:connect`
-  - **Redshift provisioned**: `redshift:GetClusterCredentials`
-  - **Redshift Serverless**: `redshift-serverless:GetCredentials` and `redshift-serverless:GetWorkgroup`
-- SSL must be enabled on the Aurora / Redshift endpoint (required for IAM token auth).
-
-## Configuration
-
-IAM authentication is configured via the **encrypted_extra** field of the database connection. Access this field in the **Advanced** → **Security** section of the database connection form, under **Secure Extra**.
-
-### Aurora PostgreSQL or Aurora MySQL
-
-```json
-{
-  "aws_iam": {
-    "enabled": true,
-    "role_arn": "arn:aws:iam::222222222222:role/SupersetDatabaseAccess",
-    "external_id": "superset-prod-12345",
-    "region": "us-east-1",
-    "db_username": "superset_iam_user",
-    "session_duration": 3600
-  }
-}
-```
-
-| Field | Required | Description |
-|-------|----------|-------------|
-| `enabled` | Yes | Set to `true` to activate IAM auth |
-| `role_arn` | No | ARN of the cross-account IAM role to assume via STS. Omit for same-account auth |
-| `external_id` | No | External ID for the STS `AssumeRole` call, if required by the target role's trust policy |
-| `region` | Yes | AWS region of the database cluster |
-| `db_username` | Yes | The database username associated with the IAM identity |
-| `session_duration` | No | STS session duration in seconds (default: `3600`) |
-
-### Redshift (Serverless)
-
-```json
-{
-  "aws_iam": {
-    "enabled": true,
-    "role_arn": "arn:aws:iam::222222222222:role/SupersetRedshiftAccess",
-    "region": "us-east-1",
-    "workgroup_name": "my-workgroup",
-    "db_name": "dev"
-  }
-}
-```
-
-### Redshift (Provisioned Cluster)
-
-```json
-{
-  "aws_iam": {
-    "enabled": true,
-    "role_arn": "arn:aws:iam::222222222222:role/SupersetRedshiftAccess",
-    "region": "us-east-1",
-    "cluster_identifier": "my-cluster",
-    "db_username": "superset_iam_user",
-    "db_name": "dev"
-  }
-}
-```
-
-## Cross-Account IAM Setup
-
-To connect to a database in Account B from a Superset deployment in Account A:
-
-**1. In Account B — create a database-access role:**
-
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": ["rds-db:connect"],
-      "Resource": "arn:aws:rds-db:us-east-1:222222222222:dbuser/db-XXXXXXXXXXXX/superset_iam_user"
-    }
-  ]
-}
-```
-
-**Trust policy** (allows Account A's Superset role to assume it):
-
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam::111111111111:role/SupersetInstanceRole"
-      },
-      "Action": "sts:AssumeRole",
-      "Condition": {
-        "StringEquals": {
-          "sts:ExternalId": "superset-prod-12345"
-        }
-      }
-    }
-  ]
-}
-```
-
-**2. In Account A — grant Superset's role permission to assume the Account B role:**
-
-```json
-{
-  "Effect": "Allow",
-  "Action": "sts:AssumeRole",
-  "Resource": "arn:aws:iam::222222222222:role/SupersetDatabaseAccess"
-}
-```
-
-**3. Configure the database connection in Superset** using the `role_arn` and `external_id` from the trust policy (as shown in the configuration example above).
-
-## Credential Caching
-
-STS credentials are cached in memory keyed by `(role_arn, region, external_id)` with a 10-minute TTL. This reduces the number of STS API calls when multiple queries are executed with the same connection. Tokens are refreshed automatically before expiry.

docs/admin_docs/configuration/cache.mdx

@@ -1,276 +0,0 @@
----
-title: Caching
-hide_title: true
-sidebar_position: 3
-version: 1
----
-
-# Caching
-
-:::note
-When a cache backend is configured, Superset expects it to remain available. Operations will
-fail if the configured backend becomes unavailable rather than silently degrading. This
-fail-fast behavior ensures operators are immediately aware of infrastructure issues.
-:::
-
-Superset uses [Flask-Caching](https://flask-caching.readthedocs.io/) for caching purposes.
-Flask-Caching supports various caching backends, including Redis (recommended), Memcached,
-SimpleCache (in-memory), or the local filesystem.
-[Custom cache backends](https://flask-caching.readthedocs.io/en/latest/#custom-cache-backends)
-are also supported.
-
-Caching can be configured by providing dictionaries in
-`superset_config.py` that comply with [the Flask-Caching config specifications](https://flask-caching.readthedocs.io/en/latest/#configuring-flask-caching).
-
-The following cache configurations can be customized in this way:
-
-- Dashboard filter state (required): `FILTER_STATE_CACHE_CONFIG`.
-- Explore chart form data (required): `EXPLORE_FORM_DATA_CACHE_CONFIG`
-- Metadata cache (optional): `CACHE_CONFIG`
-- Charting data queried from datasets (optional): `DATA_CACHE_CONFIG`
-
-For example, to configure the filter state cache using Redis:
-
-```python
-FILTER_STATE_CACHE_CONFIG = {
-    'CACHE_TYPE': 'RedisCache',
-    'CACHE_DEFAULT_TIMEOUT': 86400,
-    'CACHE_KEY_PREFIX': 'superset_filter_cache',
-    'CACHE_REDIS_URL': 'redis://localhost:6379/0'
-}
-```
-
-## Dependencies
-
-In order to use dedicated cache stores, additional python libraries must be installed
-
-- For Redis: we recommend the [redis](https://pypi.python.org/pypi/redis) Python package
-- Memcached: we recommend using [pylibmc](https://pypi.org/project/pylibmc/) client library as
-  `python-memcached` does not handle storing binary data correctly.
-
-These libraries can be installed using pip.
-
-## Fallback Metastore Cache
-
-Note, that some form of Filter State and Explore caching are required. If either of these caches
-are undefined, Superset falls back to using a built-in cache that stores data in the metadata
-database. While it is recommended to use a dedicated cache, the built-in cache can also be used
-to cache other data.
-
-For example, to use the built-in cache to store chart data, use the following config:
-
-```python
-DATA_CACHE_CONFIG = {
-    "CACHE_TYPE": "SupersetMetastoreCache",
-    "CACHE_KEY_PREFIX": "superset_results",  # make sure this string is unique to avoid collisions
-    "CACHE_DEFAULT_TIMEOUT": 86400,  # 60 seconds * 60 minutes * 24 hours
-}
-```
-
-## Chart Cache Timeout
-
-The cache timeout for charts may be overridden by the settings for an individual chart, dataset, or
-database. Each of these configurations will be checked in order before falling back to the default
-value defined in `DATA_CACHE_CONFIG`.
-
-Note, that by setting the cache timeout to `-1`, caching for charting data can be disabled, either
-per chart, dataset or database, or by default if set in `DATA_CACHE_CONFIG`.
-
-## SQL Lab Query Results
-
-Caching for SQL Lab query results is used when async queries are enabled and is configured using
-`RESULTS_BACKEND`.
-
-Note that this configuration does not use a flask-caching dictionary for its configuration, but
-instead requires a cachelib object.
-
-See [Async Queries via Celery](/admin-docs/configuration/async-queries-celery) for details.
-
-## Caching Thumbnails
-
-This is an optional feature that can be turned on by activating its [feature flag](/admin-docs/configuration/configuring-superset#feature-flags) on config:
-
-```
-FEATURE_FLAGS = {
-    "THUMBNAILS": True,
-    "THUMBNAILS_SQLA_LISTENERS": True,
-}
-```
-
-By default thumbnails are rendered per user, and will fall back to the Selenium user for anonymous users.
-To always render thumbnails as a fixed user (`admin` in this example), use the following configuration:
-
-```python
-from superset.tasks.types import FixedExecutor
-
-THUMBNAIL_EXECUTORS = [FixedExecutor("admin")]
-```
-
-For this feature you will need a cache system and celery workers. All thumbnails are stored on cache
-and are processed asynchronously by the workers.
-
-An example config where images are stored on S3 could be:
-
-```python
-from flask import Flask
-from s3cache.s3cache import S3Cache
-
-...
-
-class CeleryConfig(object):
-    broker_url = "redis://localhost:6379/0"
-    imports = (
-        "superset.sql_lab",
-        "superset.tasks.thumbnails",
-    )
-    result_backend = "redis://localhost:6379/0"
-    worker_prefetch_multiplier = 10
-    task_acks_late = True
-
-
-CELERY_CONFIG = CeleryConfig
-
-def init_thumbnail_cache(app: Flask) -> S3Cache:
-    return S3Cache("bucket_name", 'thumbs_cache/')
-
-
-THUMBNAIL_CACHE_CONFIG = init_thumbnail_cache
-```
-
-Using the above example cache keys for dashboards will be `superset_thumb__dashboard__{ID}`. You can
-override the base URL for Selenium using:
-
-```
-WEBDRIVER_BASEURL = "https://superset.company.com"
-```
-
-To control which user account is used for rendering thumbnails and warming up caches, configure
-`THUMBNAIL_EXECUTORS` and `CACHE_WARMUP_EXECUTORS`. Each accepts a list of executor types (which
-resolve to an owner, creator, modifier, or the currently-logged-in user) and/or a `FixedExecutor`
-pinned to a specific username. By default, thumbnails render as the current user
-(`ExecutorType.CURRENT_USER`) and cache warmup runs as the chart/dashboard owner
-(`ExecutorType.OWNER`).
-
-To force both to run as a dedicated service account (`admin` in this example):
-
-```python
-from superset.tasks.types import ExecutorType, FixedExecutor
-
-THUMBNAIL_EXECUTORS = [FixedExecutor("admin")]
-CACHE_WARMUP_EXECUTORS = [FixedExecutor("admin")]
-```
-
-Use a dedicated read-only service account here rather than a personal admin account, so that
-thumbnail rendering and cache warmup tasks don't fail if a specific user's credentials change.
-
-Additional Selenium WebDriver configuration can be set using `WEBDRIVER_CONFIGURATION`. You can
-implement a custom function to authenticate Selenium. The default function uses the `flask-login`
-session cookie. Here's an example of a custom function signature:
-
-```python
-def auth_driver(driver: WebDriver, user: "User") -> WebDriver:
-    pass
-```
-
-Then on configuration:
-
-```
-WEBDRIVER_AUTH_FUNC = auth_driver
-```
-
-## ETag Support for Thumbnails
-
-Thumbnail and screenshot endpoints return `ETag` response headers based on the cached content digest. Clients can use conditional requests to avoid downloading unchanged images:
-
-```
-GET /api/v1/chart/42/thumbnail/
-If-None-Match: "abc123..."
-
-→ 304 Not Modified  (if unchanged)
-→ 200 OK            (with new image if changed)
-```
-
-This is particularly useful for embedded dashboards and external integrations that periodically poll for updated screenshots — unchanged thumbnails return immediately with no payload.
-
-## Distributed Coordination Backend
-
-Superset supports an optional distributed coordination (`DISTRIBUTED_COORDINATION_CONFIG`) for
-high-performance distributed operations. This configuration enables:
-
-- **Distributed locking**: Moves lock operations from the metadata database to Redis, improving
-  performance and reducing metastore load
-- **Real-time event notifications**: Enables instant pub/sub messaging for task abort signals and
-  completion notifications instead of polling-based approaches
-
-:::note
-This requires Redis or Valkey specifically—it uses Redis-specific features (pub/sub, `SET NX EX`)
-that are not available in general Flask-Caching backends.
-:::
-
-### Configuration
-
-The distributed coordination uses Flask-Caching style configuration for consistency with other cache
-backends. Configure `DISTRIBUTED_COORDINATION_CONFIG` in `superset_config.py`:
-
-```python
-DISTRIBUTED_COORDINATION_CONFIG = {
-    "CACHE_TYPE": "RedisCache",
-    "CACHE_REDIS_HOST": "localhost",
-    "CACHE_REDIS_PORT": 6379,
-    "CACHE_REDIS_DB": 0,
-    "CACHE_REDIS_PASSWORD": "",  # Optional
-}
-```
-
-For Redis Sentinel deployments:
-
-```python
-DISTRIBUTED_COORDINATION_CONFIG = {
-    "CACHE_TYPE": "RedisSentinelCache",
-    "CACHE_REDIS_SENTINELS": [("sentinel1", 26379), ("sentinel2", 26379)],
-    "CACHE_REDIS_SENTINEL_MASTER": "mymaster",
-    "CACHE_REDIS_SENTINEL_PASSWORD": None,  # Sentinel password (if different)
-    "CACHE_REDIS_PASSWORD": "",  # Redis password
-    "CACHE_REDIS_DB": 0,
-}
-```
-
-For SSL/TLS connections:
-
-```python
-DISTRIBUTED_COORDINATION_CONFIG = {
-    "CACHE_TYPE": "RedisCache",
-    "CACHE_REDIS_HOST": "redis.example.com",
-    "CACHE_REDIS_PORT": 6380,
-    "CACHE_REDIS_SSL": True,
-    "CACHE_REDIS_SSL_CERTFILE": "/path/to/client.crt",
-    "CACHE_REDIS_SSL_KEYFILE": "/path/to/client.key",
-    "CACHE_REDIS_SSL_CA_CERTS": "/path/to/ca.crt",
-}
-```
-
-### Distributed Lock TTL
-
-You can configure the default lock TTL (time-to-live) in seconds. Locks automatically expire after
-this duration to prevent deadlocks from crashed processes:
-
-```python
-DISTRIBUTED_LOCK_DEFAULT_TTL = 30  # Default: 30 seconds
-```
-
-Individual lock acquisitions can override this value when needed.
-
-### Database-Only Mode
-
-When `DISTRIBUTED_COORDINATION_CONFIG` is not configured, Superset uses database-backed operations:
-
-- **Locking**: Uses the KeyValue table with periodic cleanup of expired entries
-- **Event notifications**: Uses database polling instead of pub/sub
-
-While database-backed operations work reliably, the Redis backend is recommended for production
-deployments where low latency and reduced database load are important.
-
-:::resources
-- [Blog: The Data Engineer's Guide to Lightning-Fast Superset Dashboards](https://preset.io/blog/the-data-engineers-guide-to-lightning-fast-apache-superset-dashboards/)
-- [Blog: Accelerating Dashboards with Materialized Views](https://preset.io/blog/accelerating-apache-superset-dashboards-with-materialized-views/)
-:::

docs/admin_docs/configuration/configuring-superset.mdx

@@ -1,509 +0,0 @@
----
-title: Configuring Superset
-hide_title: true
-sidebar_position: 1
-version: 1
----
-
-# Configuring Superset
-
-## superset_config.py
-
-Superset exposes hundreds of configurable parameters through its
-[config.py module](https://github.com/apache/superset/blob/master/superset/config.py). The
-variables and objects exposed act as a public interface of the bulk of what you may want
-to configure, alter and interface with. In this python module, you'll find all these
-parameters, sensible defaults, as well as rich documentation in the form of comments
-
-To configure your application, you need to create your own configuration module, which
-will allow you to override few or many of these parameters. Instead of altering the core module,
-you'll want to define your own module (typically a file named `superset_config.py`).
-Add this file to your `PYTHONPATH` or create an environment variable
-`SUPERSET_CONFIG_PATH` specifying the full path of the `superset_config.py`.
-
-For example, if deploying on Superset directly on a Linux-based system where your
-`superset_config.py` is under `/app` directory, you can run:
-
-```bash
-export SUPERSET_CONFIG_PATH=/app/superset_config.py
-```
-
-If you are using your own custom Dockerfile with the official Superset image as base image,
-then you can add your overrides as shown below:
-
-```bash
-COPY --chown=superset superset_config.py /app/
-ENV SUPERSET_CONFIG_PATH /app/superset_config.py
-```
-
-Docker compose deployments handle application configuration differently using specific conventions.
-Refer to the [docker compose tips & configuration](/admin-docs/installation/docker-compose#docker-compose-tips--configuration)
-for details.
-
-The following is an example of just a few of the parameters you can set in your `superset_config.py` file:
-
-```
-# Superset specific config
-ROW_LIMIT = 5000
-
-# Flask App Builder configuration
-# Your App secret key will be used for securely signing the session cookie
-# and encrypting sensitive information on the database
-# Make sure you are changing this key for your deployment with a strong key.
-# Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable.
-# You MUST set this for production environments or the server will refuse
-# to start and you will see an error in the logs accordingly.
-SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
-
-# The SQLAlchemy connection string to your database backend
-# This connection defines the path to the database that stores your
-# superset metadata (slices, connections, tables, dashboards, ...).
-# Note that the connection information to connect to the datasources
-# you want to explore are managed directly in the web UI
-# The check_same_thread=false property ensures the sqlite client does not attempt
-# to enforce single-threaded access, which may be problematic in some edge cases
-SQLALCHEMY_DATABASE_URI = 'sqlite:////path/to/superset.db?check_same_thread=false'
-
-# Flask-WTF flag for CSRF
-WTF_CSRF_ENABLED = True
-# Add endpoints that need to be exempt from CSRF protection
-WTF_CSRF_EXEMPT_LIST = []
-# A CSRF token that expires in 1 year
-WTF_CSRF_TIME_LIMIT = 60 * 60 * 24 * 365
-
-# Set this API key to enable Mapbox visualizations
-MAPBOX_API_KEY = ''
-```
-
-:::tip
-Note that it is typical to copy and paste [only] the portions of the
-core [superset/config.py](https://github.com/apache/superset/blob/master/superset/config.py) that
-you want to alter, along with the related comments into your own `superset_config.py` file.
-:::
-
-All the parameters and default values defined
-in [superset/config.py](https://github.com/apache/superset/blob/master/superset/config.py)
-can be altered in your local `superset_config.py`. Administrators will want to read through the file
-to understand what can be configured locally as well as the default values in place.
-
-Since `superset_config.py` acts as a Flask configuration module, it can be used to alter the
-settings of Flask itself, as well as Flask extensions that Superset bundles like
-`flask-wtf`, `flask-caching`, `flask-migrate`,
-and `flask-appbuilder`. Each one of these extensions offers intricate configurability.
-Flask App Builder, the web framework used by Superset, also offers many
-configuration settings. Please consult the
-[Flask App Builder Documentation](https://flask-appbuilder.readthedocs.org/en/latest/config.html)
-for more information on how to configure it.
-
-At the very least, you'll want to change `SECRET_KEY` and `SQLALCHEMY_DATABASE_URI`. Continue reading for more about each of these.
-
-## Specifying a SECRET_KEY
-
-### Adding an initial SECRET_KEY
-
-Superset requires a user-specified SECRET_KEY to start up. This requirement was [added in version 2.1.0 to force secure configurations](https://preset.io/blog/superset-security-update-default-secret_key-vulnerability/). Add a strong SECRET_KEY to your `superset_config.py` file like:
-
-```python
-SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
-```
-
-You can generate a strong secure key with `openssl rand -base64 42`.
-
-Alternatively, you can set the secret key using `SUPERSET_SECRET_KEY` environment variable:
-
-On a Unix-based system, such as Linux or macOS, you can do so by running the following command in your terminal:
-
-```bash
-export SUPERSET_SECRET_KEY=$(openssl rand -base64 42)
-```
-
-:::caution Use a strong secret key
-This key will be used for securely signing session cookies and encrypting sensitive information stored in Superset's application metadata database.
-Your deployment must use a complex, unique key.
-:::
-
-### Rotating to a newer SECRET_KEY
-
-If you wish to change your existing SECRET_KEY, add the existing SECRET_KEY to your `superset_config.py` file as
-`PREVIOUS_SECRET_KEY =`and provide your new key as `SECRET_KEY =`. You can find your current SECRET_KEY with these
-commands - if running Superset with Docker, execute from within the Superset application container:
-
-```python
-superset shell
-from flask import current_app; print(current_app.config["SECRET_KEY"])
-```
-
-Save your `superset_config.py` with these values and then run `superset re-encrypt-secrets`.
-
-## Setting up a production metadata database
-
-Superset needs a database to store the information it manages, like the definitions of
-charts, dashboards, and many other things.
-
-By default, Superset is configured to use [SQLite](https://www.sqlite.org/),
-a self-contained, single-file database that offers a simple and fast way to get started
-(without requiring any installation). However, for production environments,
-using SQLite is highly discouraged due to security, scalability, and data integrity reasons.
-It's important to use only the supported database engines and consider using a different
-database engine on a separate host or container.
-
-Superset supports the following database engines/versions:
-
-| Database Engine                           | Supported Versions                       |
-| ----------------------------------------- | ---------------------------------------- |
-| [PostgreSQL](https://www.postgresql.org/) | 10.X, 11.X, 12.X, 13.X, 14.X, 15.X, 16.X |
-| [MySQL](https://www.mysql.com/)           | 5.7, 8.X                                 |
-
-Use the following database drivers and connection strings:
-
-| Database                                  | PyPI package              | Connection String                                                      |
-| ----------------------------------------- | ------------------------- | ---------------------------------------------------------------------- |
-| [PostgreSQL](https://www.postgresql.org/) | `pip install psycopg2`    | `postgresql://<UserName>:<DBPassword>@<Database Host>/<Database Name>` |
-| [MySQL](https://www.mysql.com/)           | `pip install mysqlclient` | `mysql://<UserName>:<DBPassword>@<Database Host>/<Database Name>`      |
-
-:::tip
-Properly setting up metadata store is beyond the scope of this documentation. We recommend
-using a hosted managed service such as [Amazon RDS](https://aws.amazon.com/rds/) or
-[Google Cloud Databases](https://cloud.google.com/products/databases?hl=en) to handle
-service and supporting infrastructure and backup strategy.
-:::
-
-To configure Superset metastore set `SQLALCHEMY_DATABASE_URI` config key on `superset_config`
-to the appropriate connection string.
-
-## Running on a WSGI HTTP Server
-
-While you can run Superset on NGINX or Apache, we recommend using Gunicorn in async mode. This
-enables impressive concurrency even and is fairly easy to install and configure. Please refer to the
-documentation of your preferred technology to set up this Flask WSGI application in a way that works
-well in your environment. Here’s an async setup known to work well in production:
-
-```
-      -w 10 \
-      -k gevent \
-      --worker-connections 1000 \
-      --timeout 120 \
-      -b  0.0.0.0:6666 \
-      --limit-request-line 0 \
-      --limit-request-field_size 0 \
-      --statsd-host localhost:8125 \
-      "superset.app:create_app()"
-```
-
-Refer to the [Gunicorn documentation](https://docs.gunicorn.org/en/stable/design.html) for more
-information. _Note that the development web server (`superset run` or `flask run`) is not intended
-for production use._
-
-If you're not using Gunicorn, you may want to disable the use of `flask-compress` by setting
-`COMPRESS_REGISTER = False` in your `superset_config.py`.
-
-Currently, the Google BigQuery Python SDK is not compatible with `gevent`, due to some dynamic monkeypatching on python core library by `gevent`.
-So, when you use `BigQuery` datasource on Superset, you have to use `gunicorn` worker type except `gevent`.
-
-## HTTPS Configuration
-
-You can configure HTTPS upstream via a load balancer or a reverse proxy (such as nginx) and do SSL/TLS Offloading before traffic reaches the Superset application. In this setup, local traffic from a Celery worker taking a snapshot of a chart for Alerts & Reports can access Superset at a `http://` URL, from behind the ingress point.
-You can also configure [SSL in Gunicorn](https://docs.gunicorn.org/en/stable/settings.html#ssl) (the Python webserver) if you are using an official Superset Docker image.
-
-## Configuration Behind a Load Balancer
-
-If you are running superset behind a load balancer or reverse proxy (e.g. NGINX or ELB on AWS), you
-may need to utilize a healthcheck endpoint so that your load balancer knows if your superset
-instance is running. This is provided at `/health` which will return a 200 response containing “OK”
-if the webserver is running.
-
-If the load balancer is inserting `X-Forwarded-For/X-Forwarded-Proto` headers, you should set
-`ENABLE_PROXY_FIX = True` in the superset config file (`superset_config.py`) to extract and use the
-headers.
-
-In case the reverse proxy is used for providing SSL encryption, an explicit definition of the
-`X-Forwarded-Proto` may be required. For the Apache webserver this can be set as follows:
-
-```
-RequestHeader set X-Forwarded-Proto "https"
-```
-
-## Configuring the application root
-
-*Please be advised that this feature is in BETA.*
-
-Superset supports running the application under a non-root path. The root path
-prefix can be specified in one of three ways:
-
-- Customizing the [Flask entrypoint](https://github.com/apache/superset/blob/master/superset/app.py#L29)
-  by passing the `superset_app_root` variable; or
-- Setting the `SUPERSET_APP_ROOT` environment variable to the desired prefix; or
-- Setting the `APPLICATION_ROOT` config in your `superset_config.py` file.
-
-Note, the prefix should start with a `/`.
-
-### Customizing the Flask entrypoint
-
-To configure a prefix, e.g `/analytics`, pass the `superset_app_root` argument to
-`create_app` when calling flask run either through the `FLASK_APP`
-environment variable:
-
-```sh
-FLASK_APP="superset:create_app(superset_app_root='/analytics')"
-```
-
-or as part of the `--app` argument to `flask run`:
-
-```sh
-flask --app "superset.app:create_app(superset_app_root='/analytics')"
-```
-
-### Docker builds
-
-The [docker compose](/admin-docs/installation/docker-compose#configuring-further) developer
-configuration includes an additional environmental variable,
-[`SUPERSET_APP_ROOT`](https://github.com/apache/superset/blob/master/docker/.env),
-to simplify the process of setting up a non-default root path across the services.
-
-In `docker/.env-local` set `SUPERSET_APP_ROOT` to the desired prefix and then bring the
-services up with `docker compose up --detach`.
-
-## Custom OAuth2 Configuration
-
-Superset is built on Flask-AppBuilder (FAB), which supports many providers out of the box
-(GitHub, Twitter, LinkedIn, Google, Azure, etc). Beyond those, Superset can be configured to connect
-with other OAuth2 Authorization Server implementations that support “code” authorization.
-
-Make sure the pip package [`Authlib`](https://authlib.org/) is installed on the webserver.
-
-First, configure authorization in Superset `superset_config.py`.
-
-```python
-from flask_appbuilder.security.manager import AUTH_OAUTH
-
-# Set the authentication type to OAuth
-AUTH_TYPE = AUTH_OAUTH
-
-OAUTH_PROVIDERS = [
-    {   'name':'egaSSO',
-        'token_key':'access_token', # Name of the token in the response of access_token_url
-        'icon':'fa-address-card',   # Icon for the provider
-        'remote_app': {
-            'client_id':'myClientId',  # Client Id (Identify Superset application)
-            'client_secret':'MySecret', # Secret for this Client Id (Identify Superset application)
-            'client_kwargs':{
-                'scope': 'read'               # Scope for the Authorization
-            },
-            'access_token_method':'POST',    # HTTP Method to call access_token_url
-            'access_token_params':{        # Additional parameters for calls to access_token_url
-                'client_id':'myClientId'
-            },
-            'jwks_uri':'https://myAuthorizationServe/adfs/discovery/keys', # may be required to generate token
-            'access_token_headers':{    # Additional headers for calls to access_token_url
-                'Authorization': 'Basic Base64EncodedClientIdAndSecret'
-            },
-            'api_base_url':'https://myAuthorizationServer/oauth2AuthorizationServer/',
-            'access_token_url':'https://myAuthorizationServer/oauth2AuthorizationServer/token',
-            'authorize_url':'https://myAuthorizationServer/oauth2AuthorizationServer/authorize'
-        }
-    }
-]
-
-# Will allow user self registration, allowing to create Flask users from Authorized User
-AUTH_USER_REGISTRATION = True
-
-# The default user self registration role
-AUTH_USER_REGISTRATION_ROLE = "Public"
-```
-
-In case you want to assign the `Admin` role on new user registration, it can be assigned as follows:
-```python
-AUTH_USER_REGISTRATION_ROLE = "Admin"
-```
-If you encounter the [issue](https://github.com/apache/superset/issues/13243) of not being able to list users from the Superset main page settings, although a newly registered user has an `Admin` role, please re-run `superset init` to sync the required permissions. Below is the command to re-run `superset init` using docker compose.
-```
-docker-compose exec superset superset init
-```
-
-Then, create a `CustomSsoSecurityManager` that extends `SupersetSecurityManager` and overrides
-`oauth_user_info`:
-
-```python
-import logging
-from superset.security import SupersetSecurityManager
-
-class CustomSsoSecurityManager(SupersetSecurityManager):
-
-    def oauth_user_info(self, provider, response=None):
-        logging.debug("Oauth2 provider: {0}.".format(provider))
-        if provider == 'egaSSO':
-            # As example, this line request a GET to base_url + '/' + userDetails with Bearer  Authentication,
-    # and expects that authorization server checks the token, and response with user details
-            me = self.appbuilder.sm.oauth_remotes[provider].get('userDetails').data
-            logging.debug("user_data: {0}".format(me))
-            return { 'name' : me['name'], 'email' : me['email'], 'id' : me['user_name'], 'username' : me['user_name'], 'first_name':'', 'last_name':''}
-    ...
-```
-
-This file must be located in the same directory as `superset_config.py` with the name
-`custom_sso_security_manager.py`. Finally, add the following 2 lines to `superset_config.py`:
-
-```
-from custom_sso_security_manager import CustomSsoSecurityManager
-CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager
-```
-
-**Notes**
-
-- The redirect URL will be `https://<superset-webserver>/oauth-authorized/<provider-name>`
-  When configuring an OAuth2 authorization provider if needed. For instance, the redirect URL will
-  be `https://<superset-webserver>/oauth-authorized/egaSSO` for the above configuration.
-
-- If an OAuth2 authorization server supports OpenID Connect 1.0, you could configure its configuration
-  document URL only without providing `api_base_url`, `access_token_url`, `authorize_url` and other
-  required options like user info endpoint, jwks uri etc. For instance:
-
-  ```python
-  OAUTH_PROVIDERS = [
-    {   'name':'egaSSO',
-        'token_key':'access_token', # Name of the token in the response of access_token_url
-        'icon':'fa-address-card',   # Icon for the provider
-        'remote_app': {
-            'client_id':'myClientId',  # Client Id (Identify Superset application)
-            'client_secret':'MySecret', # Secret for this Client Id (Identify Superset application)
-            'server_metadata_url': 'https://myAuthorizationServer/.well-known/openid-configuration'
-        }
-    }
-  ]
-  ```
-
-### PKCE Support
-
-For public OAuth2 clients that cannot securely store a client secret, enable Proof Key for Code Exchange (PKCE) by adding `code_challenge_method` to the `remote_app` configuration:
-
-```python
-OAUTH_PROVIDERS = [
-    {
-        'name': 'myProvider',
-        'remote_app': {
-            'client_id': 'myClientId',
-            'client_secret': 'mySecret',  # may be empty for pure public clients
-            'code_challenge_method': 'S256',  # enables PKCE
-            'server_metadata_url': 'https://myAuthorizationServer/.well-known/openid-configuration'
-        }
-    }
-]
-```
-
-PKCE (`S256`) is recommended for all OAuth2 flows, even when a client secret is present, as it protects against authorization code interception attacks.
-
-## LDAP Authentication
-
-FAB supports authenticating user credentials against an LDAP server.
-To use LDAP you must install the [python-ldap](https://www.python-ldap.org/en/latest/installing.html) package.
-See [FAB's LDAP documentation](https://flask-appbuilder.readthedocs.io/en/latest/security.html#authentication-ldap)
-for details.
-
-## Mapping LDAP or OAUTH groups to Superset roles
-
-AUTH_ROLES_MAPPING in Flask-AppBuilder is a dictionary that maps from LDAP/OAUTH group names to FAB roles.
-It is used to assign roles to users who authenticate using LDAP or OAuth.
-
-### Mapping OAUTH groups to Superset roles
-
-The following `AUTH_ROLES_MAPPING` dictionary would map the OAUTH group "superset_users" to the Superset roles "Gamma" as well as "Alpha", and the OAUTH group "superset_admins" to the Superset role "Admin".
-
-```python
-AUTH_ROLES_MAPPING = {
-"superset_users": ["Gamma","Alpha"],
-"superset_admins": ["Admin"],
-}
-```
-
-### Mapping LDAP groups to Superset roles
-
-The following `AUTH_ROLES_MAPPING` dictionary would map the LDAP DN "cn=superset_users,ou=groups,dc=example,dc=com" to the Superset roles "Gamma" as well as "Alpha", and the LDAP DN "cn=superset_admins,ou=groups,dc=example,dc=com" to the Superset role "Admin".
-
-```python
-AUTH_ROLES_MAPPING = {
-"cn=superset_users,ou=groups,dc=example,dc=com": ["Gamma","Alpha"],
-"cn=superset_admins,ou=groups,dc=example,dc=com": ["Admin"],
-}
-```
-
-Note: This requires `AUTH_LDAP_SEARCH` to be set. For more details, please see the [FAB Security documentation](https://flask-appbuilder.readthedocs.io/en/latest/security.html).
-
-### Syncing roles at login
-
-You can also use the `AUTH_ROLES_SYNC_AT_LOGIN` configuration variable to control how often Flask-AppBuilder syncs the user's roles with the LDAP/OAUTH groups. If `AUTH_ROLES_SYNC_AT_LOGIN` is set to True, Flask-AppBuilder will sync the user's roles each time they log in. If `AUTH_ROLES_SYNC_AT_LOGIN` is set to False, Flask-AppBuilder will only sync the user's roles when they first register.
-
-## Flask app Configuration Hook
-
-`FLASK_APP_MUTATOR` is a configuration function that can be provided in your environment, receives
-the app object and can alter it in any way. For example, add `FLASK_APP_MUTATOR` into your
-`superset_config.py` to setup session cookie expiration time to 24 hours:
-
-```python
-from flask import session
-from flask import Flask
-
-
-def make_session_permanent():
-    '''
-    Enable maxAge for the cookie 'session'
-    '''
-    session.permanent = True
-
-# Set up max age of session to 24 hours
-PERMANENT_SESSION_LIFETIME = timedelta(hours=24)
-def FLASK_APP_MUTATOR(app: Flask) -> None:
-    app.before_request_funcs.setdefault(None, []).append(make_session_permanent)
-```
-
-## Feature Flags
-
-To support a diverse set of users, Superset has some features that are not enabled by default. For
-example, some users have stronger security restrictions, while some others may not. So Superset
-allows users to enable or disable some features by config. For feature owners, you can add optional
-functionalities in Superset, but will be only affected by a subset of users.
-
-You can enable or disable features with flag from `superset_config.py`:
-
-```python
-FEATURE_FLAGS = {
-    'PRESTO_EXPAND_DATA': False,
-}
-```
-
-A current list of feature flags can be found in the [Feature Flags](/admin-docs/configuration/feature-flags) documentation.
-
-## Security Configuration
-
-### HASH_ALGORITHM
-
-Controls the hashing algorithm used for internal checksums and cache keys (thumbnails, cache keys, etc.). The default is `sha256`, which satisfies environments with stricter compliance requirements (e.g., FedRAMP). Set it to `md5` to retain the legacy behavior from older Superset deployments:
-
-```python
-HASH_ALGORITHM = "sha256"  # default; set to "md5" for legacy behavior
-```
-
-A companion `HASH_ALGORITHM_FALLBACKS` list (default: `["md5"]`) lets UUID lookups fall back to older algorithms, which enables gradual migration without breaking existing entries. Set it to `[]` for strict mode (use only `HASH_ALGORITHM`).
-
-:::note
-This setting affects internal Superset operations only, not user passwords or authentication tokens. Changing it in an existing deployment may invalidate cached values but does not require a database migration.
-:::
-
-## SQL Lab Query History Pruning
-
-SQL Lab query history is stored in the metadata database and is **not** pruned by default. To trim older rows, enable the `prune_query` Celery beat task by uncommenting it in `CELERY_BEAT_SCHEDULE` and choosing a retention window:
-
-```python
-CELERY_BEAT_SCHEDULE = {
-    "prune_query": {
-        "task": "prune_query",
-        "schedule": crontab(minute=0, hour=0, day_of_month=1),
-        "kwargs": {"retention_period_days": 180},
-    },
-}
-```
-
-Adjust `retention_period_days` to control how long query rows are kept. Companion opt-in tasks (`prune_logs`, `prune_tasks`) exist for pruning the logs and tasks tables; see the commented-out examples in `superset/config.py`. Without enabling these tasks, the metadata database will grow unbounded over time.
-
-:::resources
-- [Blog: Feature Flags in Apache Superset](https://preset.io/blog/feature-flags-in-apache-superset-and-preset/)
-:::

docs/admin_docs/configuration/feature-flags.mdx

@@ -1,107 +0,0 @@
----
-title: Feature Flags
-hide_title: true
-sidebar_position: 2
-version: 1
----
-
-import featureFlags from '@site/static/feature-flags.json';
-
-export const FlagTable = ({flags}) => (
-  <table>
-    <thead>
-      <tr>
-        <th>Flag</th>
-        <th>Default</th>
-        <th>Description</th>
-      </tr>
-    </thead>
-    <tbody>
-      {flags.map((flag) => (
-        <tr key={flag.name}>
-          <td><code>{flag.name}</code></td>
-          <td><code>{flag.default ? 'True' : 'False'}</code></td>
-          <td>
-            {flag.description}
-            {flag.docs && (
-              <> (<a href={flag.docs}>docs</a>)</>
-            )}
-          </td>
-        </tr>
-      ))}
-    </tbody>
-  </table>
-);
-
-# Feature Flags
-
-Superset uses feature flags to control the availability of features. Feature flags allow
-gradual rollout of new functionality and provide a way to enable experimental features.
-
-To enable a feature flag, add it to your `superset_config.py`:
-
-```python
-FEATURE_FLAGS = {
-    "ENABLE_TEMPLATE_PROCESSING": True,
-}
-```
-
-## Lifecycle
-
-Feature flags progress through lifecycle stages:
-
-| Stage | Description |
-|-------|-------------|
-| **Development** | Experimental features under active development. May be incomplete or unstable. |
-| **Testing** | Feature complete but undergoing testing. Usable but may contain bugs. |
-| **Stable** | Production-ready features. Safe for all deployments. |
-| **Deprecated** | Features scheduled for removal. Migrate away from these. |
-
----
-
-## Development
-
-These features are experimental and under active development. Use only in development environments.
-
-<FlagTable flags={featureFlags.flags.development} />
-
----
-
-## Testing
-
-These features are complete but still being tested. They are usable but may have bugs.
-
-<FlagTable flags={featureFlags.flags.testing} />
-
----
-
-## Stable
-
-These features are production-ready and safe to enable.
-
-<FlagTable flags={featureFlags.flags.stable} />
-
----
-
-## Deprecated
-
-These features are scheduled for removal. Plan to migrate away from them.
-
-<FlagTable flags={featureFlags.flags.deprecated} />
-
----
-
-## Adding New Feature Flags
-
-When adding a new feature flag to `superset/config.py`, include the following annotations:
-
-```python
-# Description of what the feature does
-# @lifecycle: development | testing | stable | deprecated
-# @docs: https://superset.apache.org/docs/... (optional)
-# @category: runtime_config | path_to_deprecation (optional, for stable flags)
-"MY_NEW_FEATURE": False,
-```
-
-This documentation is auto-generated from the annotations in
-[config.py](https://github.com/apache/superset/blob/master/superset/config.py).

docs/admin_docs/configuration/importing-exporting-datasources.mdx

@@ -1,157 +0,0 @@
----
-title: Importing and Exporting Datasources
-hide_title: true
-sidebar_position: 11
-version: 1
----
-
-# Importing and Exporting Datasources
-
-The superset cli allows you to import and export datasources from and to YAML. Datasources include
-databases. The data is expected to be organized in the following hierarchy:
-
-:::info
-Superset's ZIP-based import/export also covers **dashboards**, **charts**, and **saved queries**, exercised through the UI and REST API. The [Dashboard Import Overwrite Behavior](#dashboard-import-overwrite-behavior) and [UUIDs in API Responses](#uuids-in-api-responses) sections below document the behavior shared across all asset types.
-:::
-
-```text
-├──databases
-|  ├──database_1
-|  |  ├──table_1
-|  |  |  ├──columns
-|  |  |  |  ├──column_1
-|  |  |  |  ├──column_2
-|  |  |  |  └──... (more columns)
-|  |  |  └──metrics
-|  |  |     ├──metric_1
-|  |  |     ├──metric_2
-|  |  |     └──... (more metrics)
-|  |  └── ... (more tables)
-|  └── ... (more databases)
-```
-
-:::note
-When you export a database connection, the `masked_encrypted_extra` field (used for sensitive connection parameters such as service account JSON, OAuth tokens, and other encrypted credentials) is included in the export. When importing on another instance, these values are decrypted and re-encrypted using the destination instance's `SECRET_KEY`. Ensure the receiving instance has a valid `SECRET_KEY` configured before importing.
-:::
-
-## Exporting Datasources to YAML
-
-You can print your current datasources to stdout by running:
-
-```bash
-superset export_datasources
-```
-
-To save your datasources to a ZIP file run:
-
-```bash
-superset export_datasources -f <filename>
-```
-
-By default, default (null) values will be omitted. Use the -d flag to include them. If you want back
-references to be included (e.g. a column to include the table id it belongs to) use the -b flag.
-
-Alternatively, you can export datasources using the UI:
-
-1. Open **Sources -> Databases** to export all tables associated to a single or multiple databases.
-   (**Tables** for one or more tables)
-2. Select the items you would like to export.
-3. Click **Actions -> Export** to YAML
-4. If you want to import an item that you exported through the UI, you will need to nest it inside
-   its parent element, e.g. a database needs to be nested under databases a table needs to be nested
-   inside a database element.
-
-In order to obtain an **exhaustive list of all fields** you can import using the YAML import run:
-
-```bash
-superset export_datasource_schema
-```
-
-As a reminder, you can use the `-b` flag to include back references.
-
-## Importing Datasources
-
-In order to import datasources from a ZIP file, run:
-
-```bash
-superset import_datasources -p <path / filename>
-```
-
-The optional username flag **-u** sets the user used for the datasource import. The default is 'admin'. Example:
-
-```bash
-superset import_datasources -p <path / filename> -u 'admin'
-```
-
-## Dashboard Import Overwrite Behavior
-
-When importing a dashboard ZIP with the **overwrite** option enabled, any existing charts that are part of the dashboard are **replaced** rather than duplicated. This applies to:
-
-- Charts whose UUID matches a chart already present in the target instance
-- The full chart configuration (query, visualization type, columns, metrics) is replaced by the imported version
-
-If you import without the overwrite flag, existing charts with conflicting UUIDs are left unchanged and the import skips those objects. Use overwrite when you want to push a fully updated dashboard (including chart definitions) from a development or staging environment to production.
-
-## UUIDs in API Responses
-
-The REST API POST endpoints for **datasets**, **charts**, and **dashboards** include the auto-generated `uuid` field in the response body:
-
-```json
-{
-  "id": 42,
-  "uuid": "b8a8d5c3-1234-4abc-8def-0123456789ab",
-  ...
-}
-```
-
-UUIDs remain stable across import/export cycles and can be used for cross-environment workflows — for example, recording a UUID when creating a chart in development and using it to identify the matching chart after importing into production.
-
-## Legacy Importing Datasources
-
-### From older versions of Superset to current version
-
-When using Superset version 4.x.x to import from an older version (2.x.x or 3.x.x) importing is supported as the command `legacy_import_datasources` and expects a JSON or directory of JSONs. The options are `-r` for recursive and `-u` for specifying a user. Example of legacy import without options:
-
-```bash
-superset legacy_import_datasources -p <path or filename>
-```
-
-### From older versions of Superset to older versions
-
-When using an older Superset version (2.x.x & 3.x.x) of Superset, the command is `import_datasources`. ZIP and YAML files are supported and to switch between them the feature flag `VERSIONED_EXPORT` is used. When `VERSIONED_EXPORT` is `True`, `import_datasources` expects a ZIP file, otherwise YAML. Example:
-
-```bash
-superset import_datasources -p <path or filename>
-```
-
-When `VERSIONED_EXPORT` is `False`, if you supply a path all files ending with **yaml** or **yml** will be parsed. You can apply
-additional flags (e.g. to search the supplied path recursively):
-
-```bash
-superset import_datasources -p <path> -r
-```
-
-The sync flag **-s** takes parameters in order to sync the supplied elements with your file. Be
-careful this can delete the contents of your meta database. Example:
-
-```bash
-superset import_datasources -p <path / filename> -s columns,metrics
-```
-
-This will sync all metrics and columns for all datasources found in the `<path /filename>` in the
-Superset meta database. This means columns and metrics not specified in YAML will be deleted. If you
-would add tables to columns,metrics those would be synchronised as well.
-
-If you don’t supply the sync flag (**-s**) importing will only add and update (override) fields.
-E.g. you can add a verbose_name to the column ds in the table random_time_series from the example
-datasets by saving the following YAML to file and then running the **import_datasources** command.
-
-```yaml
-databases:
-- database_name: main
-  tables:
-  - table_name: random_time_series
-    columns:
-    - column_name: ds
-      verbose_name: datetime
-```

docs/admin_docs/configuration/mcp-server.mdx

@@ -1,845 +0,0 @@
----
-title: MCP Server Deployment & Authentication
-hide_title: true
-sidebar_position: 14
-version: 1
----
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one
-or more contributor license agreements.  See the NOTICE file
-distributed with this work for additional information
-regarding copyright ownership.  The ASF licenses this file
-to you under the Apache License, Version 2.0 (the
-"License"); you may not use this file except in compliance
-with the License.  You may obtain a copy of the License at
-
-  http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing,
-software distributed under the License is distributed on an
-"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-KIND, either express or implied.  See the License for the
-specific language governing permissions and limitations
-under the License.
--->
-
-# MCP Server Deployment & Authentication
-
-Superset includes a built-in [Model Context Protocol (MCP)](https://modelcontextprotocol.io/) server that lets AI assistants -- Claude, ChatGPT, and other MCP-compatible clients -- interact with your Superset instance. Through MCP, clients can list dashboards, query datasets, execute SQL, create charts, and more.
-
-This guide covers how to run, secure, and deploy the MCP server.
-
-:::tip Looking for user docs?
-See **[Using AI with Superset](/user-docs/using-superset/using-ai-with-superset)** for a guide on what AI can do with Superset and how to connect your AI client.
-:::
-
-```mermaid
-flowchart LR
-    A["AI Client<br/>(Claude, ChatGPT, etc.)"] -- "MCP protocol<br/>(HTTP + JSON-RPC)" --> B["MCP Server<br/>(:5008/mcp)"]
-    B -- "Superset context<br/>(app, db, RBAC)" --> C["Superset<br/>(:8088)"]
-    C --> D[("Database<br/>(Postgres)")]
-```
-
----
-
-## Quick Start
-
-Get the MCP server running locally and connect an AI client in three steps.
-
-### 1. Start the MCP server
-
-The MCP server runs as a separate process alongside Superset:
-
-```bash
-superset mcp run --host 127.0.0.1 --port 5008
-```
-
-| Flag | Default | Description |
-|------|---------|-------------|
-| `--host` | `127.0.0.1` | Host to bind to |
-| `--port` | `5008` | Port to bind to |
-| `--debug` | off | Enable debug logging |
-
-The endpoint is available at `http://<host>:<port>/mcp`.
-
-### 2. Set a development user
-
-For local development, tell the MCP server which Superset user to impersonate (the user must already exist in your database):
-
-```python
-# superset_config.py
-MCP_DEV_USERNAME = "admin"
-```
-
-### 3. Connect an AI client
-
-Point your MCP client at the server. For **Claude Desktop**, edit the config file:
-
-- **macOS**: `~/Library/Application Support/Claude/claude_desktop_config.json`
-- **Windows**: `%APPDATA%\Claude\claude_desktop_config.json`
-- **Linux**: `~/.config/Claude/claude_desktop_config.json`
-
-```json
-{
-  "mcpServers": {
-    "superset": {
-      "url": "http://localhost:5008/mcp"
-    }
-  }
-}
-```
-
-Restart Claude Desktop. The hammer icon in the chat bar confirms the connection.
-
-See [Connecting AI Clients](#connecting-ai-clients) for Claude Code, Claude Web, ChatGPT, and raw HTTP examples.
-
----
-
-## Prerequisites
-
-- Apache Superset 5.0+ running and accessible
-- Python 3.10+
-- The `fastmcp` package (`pip install fastmcp`)
-
----
-
-## Authentication
-
-The MCP server supports multiple authentication methods depending on your deployment scenario.
-
-```mermaid
-flowchart TD
-    R["Incoming MCP Request"] --> F{"MCP_AUTH_FACTORY<br/>set?"}
-    F -- Yes --> CF["Custom Auth Provider"]
-    F -- No --> AE{"MCP_AUTH_ENABLED?"}
-    AE -- "True" --> JWT["JWT Validation"]
-    AE -- "False" --> DU["Dev Mode<br/>(MCP_DEV_USERNAME)"]
-
-    JWT --> ALG{"MCP_JWT_ALGORITHM"}
-    ALG -- "RS256 + JWKS" --> JWKS["Fetch keys from<br/>MCP_JWKS_URI"]
-    ALG -- "RS256 + static" --> PK["Use<br/>MCP_JWT_PUBLIC_KEY"]
-    ALG -- "HS256" --> SEC["Use<br/>MCP_JWT_SECRET"]
-
-    JWKS --> V["Validate token<br/>(exp, iss, aud, scopes)"]
-    PK --> V
-    SEC --> V
-    V --> UR["Resolve Superset user<br/>from token claims"]
-    UR --> OK["Authenticated request"]
-    CF --> OK
-    DU --> OK
-```
-
-### Development Mode (No Auth)
-
-Disable authentication and use a fixed user:
-
-```python
-# superset_config.py
-MCP_AUTH_ENABLED = False
-MCP_DEV_USERNAME = "admin"
-```
-
-All operations run as the configured user.
-
-:::warning
-Never use development mode in production. Always enable authentication for any internet-facing deployment.
-:::
-
-### JWT Authentication
-
-For production, enable JWT-based authentication. The MCP server validates a Bearer token on every request.
-
-#### Option A: RS256 with JWKS endpoint
-
-The most common setup for OAuth 2.0 / OIDC providers that publish a JWKS (JSON Web Key Set) endpoint:
-
-```python
-# superset_config.py
-MCP_AUTH_ENABLED = True
-MCP_JWT_ALGORITHM = "RS256"
-MCP_JWKS_URI = "https://your-identity-provider.com/.well-known/jwks.json"
-MCP_JWT_ISSUER = "https://your-identity-provider.com/"
-MCP_JWT_AUDIENCE = "your-superset-instance"
-```
-
-#### Option B: RS256 with static public key
-
-Use this when you have a fixed RSA key pair (e.g., self-signed tokens):
-
-```python
-# superset_config.py
-MCP_AUTH_ENABLED = True
-MCP_JWT_ALGORITHM = "RS256"
-MCP_JWT_PUBLIC_KEY = """-----BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
------END PUBLIC KEY-----"""
-MCP_JWT_ISSUER = "your-issuer"
-MCP_JWT_AUDIENCE = "your-audience"
-```
-
-#### Option C: HS256 with shared secret
-
-Use this when both the token issuer and the MCP server share a symmetric secret:
-
-```python
-# superset_config.py
-MCP_AUTH_ENABLED = True
-MCP_JWT_ALGORITHM = "HS256"
-MCP_JWT_SECRET = "your-shared-secret-key"
-MCP_JWT_ISSUER = "your-issuer"
-MCP_JWT_AUDIENCE = "your-audience"
-```
-
-:::warning
-Store `MCP_JWT_SECRET` securely. Never commit it to version control. Use environment variables:
-```python
-import os
-MCP_JWT_SECRET = os.environ.get("MCP_JWT_SECRET")
-```
-:::
-
-#### JWT claims
-
-The MCP server validates these standard claims:
-
-| Claim | Config Key | Description |
-|-------|-----------|-------------|
-| `exp` | -- | Expiration time (always validated) |
-| `iss` | `MCP_JWT_ISSUER` | Token issuer (optional but recommended) |
-| `aud` | `MCP_JWT_AUDIENCE` | Token audience (optional but recommended) |
-| `sub` | -- | Subject -- primary claim used to resolve the Superset user |
-
-#### User resolution
-
-After validating the token, the MCP server resolves a Superset username from the claims. It checks these in order, using the first non-empty value:
-
-1. `subject` -- the standard `sub` claim (via the access token object)
-2. `client_id` -- for machine-to-machine tokens
-3. `payload["sub"]` -- fallback to raw payload
-4. `payload["email"]` -- email-based lookup
-5. `payload["username"]` -- explicit username claim
-
-The resolved value must match a `username` in the Superset `ab_user` table.
-
-#### Scoped access
-
-Require specific scopes in the JWT to limit what MCP operations a token can perform:
-
-```python
-# superset_config.py
-MCP_REQUIRED_SCOPES = ["mcp:read", "mcp:write"]
-```
-
-Only tokens that include **all** required scopes are accepted.
-
-### Custom Auth Provider
-
-For advanced scenarios (e.g., a proprietary auth system), provide a factory function. This takes precedence over all built-in JWT configuration:
-
-```python
-# superset_config.py
-def my_custom_auth_factory(app):
-    """Return a FastMCP auth provider instance."""
-    from fastmcp.server.auth.providers.jwt import JWTVerifier
-    return JWTVerifier(
-        jwks_uri="https://my-auth.example.com/.well-known/jwks.json",
-        issuer="https://my-auth.example.com/",
-        audience="superset-mcp",
-    )
-
-MCP_AUTH_FACTORY = my_custom_auth_factory
-```
-
----
-
-## Connecting AI Clients
-
-### Claude Desktop
-
-**Local development (no auth):**
-
-```json
-{
-  "mcpServers": {
-    "superset": {
-      "url": "http://localhost:5008/mcp"
-    }
-  }
-}
-```
-
-**With JWT authentication:**
-
-```json
-{
-  "mcpServers": {
-    "superset": {
-      "command": "npx",
-      "args": [
-        "-y",
-        "mcp-remote@latest",
-        "http://your-superset-host:5008/mcp",
-        "--header",
-        "Authorization: Bearer YOUR_TOKEN"
-      ]
-    }
-  }
-}
-```
-
-### Claude Code (CLI)
-
-Add to your project's `.mcp.json`:
-
-```json
-{
-  "mcpServers": {
-    "superset": {
-      "type": "url",
-      "url": "http://localhost:5008/mcp"
-    }
-  }
-}
-```
-
-With authentication:
-
-```json
-{
-  "mcpServers": {
-    "superset": {
-      "type": "url",
-      "url": "http://localhost:5008/mcp",
-      "headers": {
-        "Authorization": "Bearer YOUR_TOKEN"
-      }
-    }
-  }
-}
-```
-
-### Claude Web (claude.ai)
-
-1. Open [claude.ai](https://claude.ai)
-2. Click the **+** button (or your profile icon)
-3. Select **Connectors**
-4. Click **Manage Connectors** > **Add custom connector**
-5. Enter a name and your MCP URL (e.g., `https://your-superset-host/mcp`)
-6. Click **Add**
-
-:::info
-Custom connectors on Claude Web require a Pro, Max, Team, or Enterprise plan.
-:::
-
-### ChatGPT
-
-1. Click your profile icon > **Settings** > **Apps and Connectors**
-2. Enable **Developer Mode** in Advanced Settings
-3. In the chat composer, press **+** > **Add sources** > **App** > **Connect more** > **Create app**
-4. Enter a name and your MCP server URL
-5. Click **I understand and continue**
-
-:::info
-ChatGPT MCP connectors require a Pro, Team, Enterprise, or Edu plan.
-:::
-
-### Direct HTTP requests
-
-Call the MCP server directly with any HTTP client:
-
-```bash
-curl -X POST http://localhost:5008/mcp \
-  -H 'Content-Type: application/json' \
-  -H 'Authorization: Bearer YOUR_JWT_TOKEN' \
-  -d '{"jsonrpc": "2.0", "method": "tools/list", "id": 1}'
-```
-
----
-
-## Deployment
-
-### Single Process
-
-The simplest setup: run the MCP server alongside Superset on the same host.
-
-```mermaid
-flowchart TD
-    subgraph host["Host / VM"]
-        direction TB
-        S["Superset<br/>:8088"] --> DB[("Postgres")]
-        M["MCP Server<br/>:5008"] --> DB
-    end
-    C["AI Client"] -- "HTTPS" --> P["Reverse Proxy<br/>(Nginx / Caddy)"]
-    U["Browser"] -- "HTTPS" --> P
-    P -- ":8088" --> S
-    P -- ":5008/mcp" --> M
-```
-
-**superset_config.py:**
-
-```python
-MCP_SERVICE_HOST = "0.0.0.0"
-MCP_SERVICE_PORT = 5008
-MCP_DEV_USERNAME = "admin"  # or enable JWT auth
-
-# If behind a reverse proxy, set the public-facing URL so
-# MCP-generated links (chart previews, SQL Lab URLs) resolve correctly:
-MCP_SERVICE_URL = "https://superset.example.com"
-```
-
-**Start both processes:**
-
-```bash
-# Terminal 1 -- Superset web server
-superset run -h 0.0.0.0 -p 8088
-
-# Terminal 2 -- MCP server
-superset mcp run --host 0.0.0.0 --port 5008
-```
-
-**Nginx reverse proxy with TLS:**
-
-```nginx
-server {
-    listen 443 ssl;
-    server_name superset.example.com;
-
-    ssl_certificate     /path/to/cert.pem;
-    ssl_certificate_key /path/to/key.pem;
-
-    # Superset web UI
-    location / {
-        proxy_pass http://127.0.0.1:8088;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-    }
-
-    # MCP endpoint
-    location /mcp {
-        proxy_pass http://127.0.0.1:5008/mcp;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header Authorization $http_authorization;
-    }
-}
-```
-
-### Docker Compose
-
-Run Superset and the MCP server as separate containers sharing the same config:
-
-```yaml
-# docker-compose.yml
-services:
-  superset:
-    image: apache/superset:latest
-    ports:
-      - "8088:8088"
-    volumes:
-      - ./superset_config.py:/app/superset_config.py
-    environment:
-      - SUPERSET_CONFIG_PATH=/app/superset_config.py
-
-  mcp:
-    image: apache/superset:latest
-    command: ["superset", "mcp", "run", "--host", "0.0.0.0", "--port", "5008"]
-    ports:
-      - "5008:5008"
-    volumes:
-      - ./superset_config.py:/app/superset_config.py
-    environment:
-      - SUPERSET_CONFIG_PATH=/app/superset_config.py
-    depends_on:
-      - superset
-```
-
-Both containers share the same `superset_config.py`, so authentication settings, database connections, and feature flags stay in sync.
-
-### Multi-Pod (Kubernetes)
-
-For high-availability deployments, configure Redis so that replicas share session state:
-
-```mermaid
-flowchart TD
-    LB["Load Balancer"] --> M1["MCP Pod 1"]
-    LB --> M2["MCP Pod 2"]
-    LB --> M3["MCP Pod 3"]
-    M1 --> R[("Redis<br/>(session store)")]
-    M2 --> R
-    M3 --> R
-    M1 --> DB[("Postgres")]
-    M2 --> DB
-    M3 --> DB
-```
-
-**superset_config.py:**
-
-```python
-MCP_STORE_CONFIG = {
-    "enabled": True,
-    "CACHE_REDIS_URL": "redis://redis-host:6379/0",
-    "event_store_max_events": 100,
-    "event_store_ttl": 3600,
-}
-```
-
-When `CACHE_REDIS_URL` is set, the MCP server uses a Redis-backed EventStore for session management, allowing replicas to share state. Without Redis, each pod manages its own in-memory sessions and stateful MCP interactions may fail when requests hit different replicas.
-
----
-
-## Configuration Reference
-
-All MCP settings go in `superset_config.py`. Defaults are defined in `superset/mcp_service/mcp_config.py`.
-
-### Core
-
-| Setting | Default | Description |
-|---------|---------|-------------|
-| `MCP_SERVICE_HOST` | `"localhost"` | Host the MCP server binds to |
-| `MCP_SERVICE_PORT` | `5008` | Port the MCP server binds to |
-| `MCP_SERVICE_URL` | `None` | Public base URL for MCP-generated links (set this when behind a reverse proxy) |
-| `MCP_DEBUG` | `False` | Enable debug logging |
-| `MCP_DEV_USERNAME` | -- | Superset username for development mode (no auth) |
-| `MCP_RBAC_ENABLED` | `True` | Enforce Superset's role-based access control on MCP tool calls. When `True`, each tool checks that the authenticated user has the required FAB permission before executing. Disable only for testing or trusted-network deployments. |
-
-### Authentication
-
-| Setting | Default | Description |
-|---------|---------|-------------|
-| `MCP_AUTH_ENABLED` | `False` | Enable JWT authentication |
-| `MCP_JWT_ALGORITHM` | `"RS256"` | JWT signing algorithm (`RS256` or `HS256`) |
-| `MCP_JWKS_URI` | `None` | JWKS endpoint URL (RS256) |
-| `MCP_JWT_PUBLIC_KEY` | `None` | Static RSA public key string (RS256) |
-| `MCP_JWT_SECRET` | `None` | Shared secret string (HS256) |
-| `MCP_JWT_ISSUER` | `None` | Expected `iss` claim |
-| `MCP_JWT_AUDIENCE` | `None` | Expected `aud` claim |
-| `MCP_REQUIRED_SCOPES` | `[]` | Required JWT scopes |
-| `MCP_JWT_DEBUG_ERRORS` | `False` | Log detailed JWT errors server-side (never exposed in HTTP responses per RFC 6750) |
-| `MCP_AUTH_FACTORY` | `None` | Custom auth provider factory `(flask_app) -> auth_provider`. Takes precedence over built-in JWT |
-| `MCP_USER_RESOLVER` | `None` | Custom function `(app, access_token) -> username` to extract a Superset username from a validated JWT token. When `None`, the default resolver checks `preferred_username`, `username`, `email`, and `sub` claims in that order. |
-
-### Response Size Guard
-
-Limits response sizes to prevent exceeding LLM context windows:
-
-```python
-MCP_RESPONSE_SIZE_CONFIG = {
-    "enabled": True,
-    "token_limit": 25000,
-    "warn_threshold_pct": 80,
-    "excluded_tools": [
-        "health_check",
-        "get_chart_preview",
-        "generate_explore_link",
-        "open_sql_lab_with_context",
-    ],
-}
-```
-
-| Key | Default | Description |
-|-----|---------|-------------|
-| `enabled` | `True` | Enable response size checking |
-| `token_limit` | `25000` | Maximum estimated token count per response |
-| `warn_threshold_pct` | `80` | Warn when response exceeds this percentage of the limit |
-| `excluded_tools` | See above | Tools exempt from size checking (e.g., tools that return URLs, not data) |
-
-### Caching
-
-Optional response caching for read-heavy workloads. Requires Redis when used with multiple replicas.
-
-```python
-MCP_CACHE_CONFIG = {
-    "enabled": False,
-    "CACHE_KEY_PREFIX": None,
-    "list_tools_ttl": 300,       # 5 min
-    "list_resources_ttl": 300,
-    "list_prompts_ttl": 300,
-    "read_resource_ttl": 3600,   # 1 hour
-    "get_prompt_ttl": 3600,
-    "call_tool_ttl": 3600,
-    "max_item_size": 1048576,    # 1 MB
-    "excluded_tools": [
-        "execute_sql",
-        "generate_dashboard",
-        "generate_chart",
-        "update_chart",
-    ],
-}
-```
-
-| Key | Default | Description |
-|-----|---------|-------------|
-| `enabled` | `False` | Enable response caching |
-| `CACHE_KEY_PREFIX` | `None` | Optional prefix for cache keys (useful for shared Redis) |
-| `list_tools_ttl` | `300` | Cache TTL in seconds for `tools/list` |
-| `list_resources_ttl` | `300` | Cache TTL for `resources/list` |
-| `list_prompts_ttl` | `300` | Cache TTL for `prompts/list` |
-| `read_resource_ttl` | `3600` | Cache TTL for `resources/read` |
-| `get_prompt_ttl` | `3600` | Cache TTL for `prompts/get` |
-| `call_tool_ttl` | `3600` | Cache TTL for `tools/call` |
-| `max_item_size` | `1048576` | Maximum cached item size in bytes (1 MB) |
-| `excluded_tools` | See above | Tools that are never cached (mutating or non-deterministic) |
-
-### Redis Store (Multi-Pod)
-
-Enables Redis-backed session and event storage for multi-replica deployments:
-
-```python
-MCP_STORE_CONFIG = {
-    "enabled": False,
-    "CACHE_REDIS_URL": None,
-    "event_store_max_events": 100,
-    "event_store_ttl": 3600,
-}
-```
-
-| Key | Default | Description |
-|-----|---------|-------------|
-| `enabled` | `False` | Enable Redis-backed store |
-| `CACHE_REDIS_URL` | `None` | Redis connection URL (e.g., `redis://redis-host:6379/0`) |
-| `event_store_max_events` | `100` | Maximum events retained per session |
-| `event_store_ttl` | `3600` | Event TTL in seconds |
-
-### Tool Search
-
-By default the MCP server exposes a lightweight tool-search interface instead of advertising every tool at once. This reduces the initial context sent to the LLM by ~70%, which lowers cost and latency. The AI client discovers tools on demand by calling `search_tools` and then invokes them via `call_tool`.
-
-```python
-MCP_TOOL_SEARCH_CONFIG = {
-    "enabled": True,
-    "strategy": "bm25",        # "bm25" (natural language) or "regex"
-    "max_results": 5,
-    "always_visible": [        # Tools always listed (pinned)
-        "health_check",
-        "get_instance_info",
-    ],
-    "search_tool_name": "search_tools",
-    "call_tool_name": "call_tool",
-    "include_schemas": False,  # False=summary mode (name + parameters_hint)
-    "compact_schemas": True,   # Strip $defs (only applies when include_schemas=True)
-    "max_description_length": 300,
-}
-```
-
-| Key | Default | Description |
-|-----|---------|-------------|
-| `enabled` | `True` | Enable tool search. When `False`, all tools are listed upfront |
-| `strategy` | `"bm25"` | Search ranking algorithm. `"bm25"` supports natural language; `"regex"` supports pattern matching |
-| `max_results` | `5` | Maximum tools returned per search query |
-| `always_visible` | See above | Tools that always appear in `list_tools`, regardless of search |
-| `include_schemas` | `False` | When `False` (default, "summary mode"), search results omit `inputSchema` entirely and include a lightweight `parameters_hint` listing top-level parameter names. Set to `True` to include the full `inputSchema` in search results. Full schemas are always used when a tool is actually invoked via `call_tool`. |
-| `compact_schemas` | `True` | Strip `$defs` / `$ref` and replace with `{"type": "object"}` in search results to reduce token cost. Only takes effect when `include_schemas=True` — ignored in summary mode. |
-| `max_description_length` | `300` | Truncate tool descriptions in search results (0 = no truncation). Applies in both summary and full-schema modes. |
-
-:::tip
-Set `enabled: False` to revert to the traditional "show all tools at once" behavior, which some clients or workflows may prefer.
-:::
-
-Tool search reduces the initial token cost from ~15–20K tokens (full catalog) down to ~4–5K tokens (pinned tools + search interface) — roughly 85% savings at the start of each conversation.
-
-### Session & CSRF
-
-These values are flat-merged into the Flask app config used by the MCP server process:
-
-```python
-MCP_SESSION_CONFIG = {
-    "SESSION_COOKIE_HTTPONLY": True,
-    "SESSION_COOKIE_SECURE": False,
-    "SESSION_COOKIE_SAMESITE": "Lax",
-    "SESSION_COOKIE_NAME": "superset_session",
-    "PERMANENT_SESSION_LIFETIME": 86400,
-}
-
-MCP_CSRF_CONFIG = {
-    "WTF_CSRF_ENABLED": True,
-    "WTF_CSRF_TIME_LIMIT": None,
-}
-```
-
----
-
-## Access Control
-
-### RBAC Enforcement
-
-The MCP server respects Superset's full role-based access control (RBAC). Every authenticated user can only access the data and operations their Superset roles permit — the same rules that apply in the Superset UI apply through MCP.
-
-Each tool declares one or more required FAB permissions. The table below maps tool groups to their permission requirements:
-
-| Tool group | Required FAB permission |
-|------------|------------------------|
-| `list_charts`, `get_chart_info`, `get_chart_data`, `get_chart_preview`, `generate_chart`, `update_chart` | `can_read` on `Chart` (read), `can_write` on `Chart` (mutate) |
-| `list_dashboards`, `get_dashboard_info`, `generate_dashboard`, `add_chart_to_existing_dashboard` | `can_read` on `Dashboard` (read), `can_write` on `Dashboard` (mutate) |
-| `list_datasets`, `get_dataset_info`, `create_virtual_dataset` | `can_read` on `Dataset` (read), `can_write` on `Dataset` (mutate) |
-| `list_databases`, `get_database_info` | `can_read` on `Database` |
-| `execute_sql` | `can_execute_sql_query` on `SQLLab` |
-| `open_sql_lab_with_context` | `can_read` on `SQLLab` |
-| `save_sql_query` | `can_write` on `SavedQuery` |
-| `health_check` | None (public) |
-
-To disable RBAC checking globally (for trusted-network deployments or testing), set:
-
-```python
-# superset_config.py
-MCP_RBAC_ENABLED = False
-```
-
-:::warning
-Disabling RBAC removes all permission checks from MCP tool calls. Only do this on isolated, internal deployments where all MCP users are trusted admins.
-:::
-
-### Audit Log
-
-All MCP tool calls are recorded in Superset's action log. You can view them at **Settings → Action Log** (admin only). Each log entry records:
-
-- The tool name (e.g., `mcp.generate_chart.db_write`)
-- The authenticated user
-- A timestamp
-
-This makes MCP activity fully auditable alongside regular Superset activity. The action log uses the same event logger as the rest of Superset, so existing log ingestion pipelines (e.g., sending logs to Elasticsearch or a SIEM) capture MCP events automatically.
-
-### Middleware Pipeline
-
-Every MCP request passes through a middleware stack before reaching the tool function. The default stack (assembled in `build_middleware_list()` in `server.py`) is:
-
-| Middleware | Purpose | Default |
-|------------|---------|---------|
-| `StructuredContentStripperMiddleware` | Strips `structuredContent` from responses for Claude.ai bridge compatibility | Enabled |
-| `LoggingMiddleware` | Logs each tool call with user, parameters, and duration | Enabled |
-| `GlobalErrorHandlerMiddleware` | Catches unhandled exceptions and sanitizes sensitive data before it reaches the client | Enabled |
-| `ResponseSizeGuardMiddleware` | Estimates token count, warns at 80% of limit, blocks at limit | Enabled (configurable via `MCP_RESPONSE_SIZE_CONFIG`) |
-| `ResponseCachingMiddleware` | Caches read-heavy tool responses (in-memory or Redis) | Disabled (enable via `MCP_CACHE_CONFIG`) |
-
-Additional middleware classes (`RateLimitMiddleware`, `FieldPermissionsMiddleware`, `PrivateToolMiddleware`) are implemented in `superset/mcp_service/middleware.py` but are not added to the default pipeline. They are available for operators who want to layer them in via a custom startup path.
-
-### Error Sanitization
-
-The `GlobalErrorHandlerMiddleware` automatically redacts sensitive information from all error messages before they reach the LLM client. The following are replaced with generic messages:
-
-- **Database connection strings** — replaced with a generic connection error message
-- **API keys and tokens** — redacted from error traces
-- **File system paths** — stripped to prevent information disclosure
-- **IP addresses** — removed from error context
-
-This ensures that a misconfigured database connection or an unexpected exception never leaks credentials or internal topology to the LLM or its users. All regex patterns used for redaction are bounded to prevent ReDoS attacks.
-
----
-
-## Performance
-
-### Connection Pooling
-
-Each MCP server process maintains its own SQLAlchemy connection pool to the database. For multi-worker deployments, total open connections = **workers × pool size**.
-
-```python
-# superset_config.py
-SQLALCHEMY_POOL_SIZE = 5
-SQLALCHEMY_MAX_OVERFLOW = 10
-SQLALCHEMY_POOL_TIMEOUT = 30
-SQLALCHEMY_POOL_RECYCLE = 3600  # Recycle connections after 1 hour
-```
-
-For a 3-pod Kubernetes deployment with the defaults above, expect up to 3 × (5 + 10) = 45 connections. Size your database's `max_connections` accordingly.
-
-### Response Caching
-
-Enable response caching for read-heavy workloads (dashboards/datasets that don't change frequently). With the in-memory backend (default when `MCP_STORE_CONFIG` is disabled), caching is per-process. Use Redis-backed caching for consistent cache hits across multiple pods:
-
-```python
-MCP_CACHE_CONFIG = {"enabled": True, "call_tool_ttl": 3600}
-MCP_STORE_CONFIG = {"enabled": True, "CACHE_REDIS_URL": "redis://redis:6379/0"}
-```
-
-Mutating tools (`generate_chart`, `update_chart`, `execute_sql`, `generate_dashboard`) are always excluded from caching regardless of this setting.
-
----
-
-## Troubleshooting
-
-### Server won't start
-
-- Verify `fastmcp` is installed: `pip install fastmcp`
-- Check that `MCP_DEV_USERNAME` is set if auth is disabled -- the server requires a user identity
-- Confirm the port is not already in use: `lsof -i :5008`
-
-### 401 Unauthorized
-
-- Verify your JWT token has not expired (`exp` claim)
-- Check that `MCP_JWT_ISSUER` and `MCP_JWT_AUDIENCE` match the token's `iss` and `aud` claims exactly
-- For RS256 with JWKS: confirm the JWKS URI is reachable from the MCP server
-- For RS256 with static key: confirm the public key string includes the `BEGIN`/`END` markers
-- For HS256: confirm the secret matches between the token issuer and `MCP_JWT_SECRET`
-- Enable `MCP_JWT_DEBUG_ERRORS = True` for detailed server-side logging (errors are never leaked to the client)
-
-### Tool not found
-
-- Ensure the MCP server and Superset share the same `superset_config.py`
-- Check server logs at startup -- tool registration errors are logged with the tool name and reason
-
-### Client can't connect
-
-- Verify the MCP server URL is reachable from the client machine
-- For Claude Desktop: fully quit the app (not just close the window) and restart after config changes
-- For remote access: ensure your firewall and reverse proxy allow traffic to the MCP port
-- Confirm the URL path ends with `/mcp` (e.g., `http://localhost:5008/mcp`)
-
-### Permission errors on tool calls
-
-- The MCP server enforces Superset's RBAC permissions -- the authenticated user must have the required roles
-- In development mode, ensure `MCP_DEV_USERNAME` maps to a user with appropriate roles (e.g., Admin)
-- Check `superset/security/manager.py` for the specific permission tuples required by each tool domain (e.g., `("can_execute_sql_query", "SQLLab")`)
-
-### Response too large
-
-- If a tool call returns an error about exceeding token limits, the response size guard is blocking an oversized result
-- Reduce `page_size` or `limit` parameters, use `select_columns` to exclude large fields, or add filters to narrow results
-- To adjust the threshold, change `token_limit` in `MCP_RESPONSE_SIZE_CONFIG`
-- To disable the guard entirely, set `MCP_RESPONSE_SIZE_CONFIG = {"enabled": False}`
-
----
-
-## Audit Events
-
-All MCP tool calls are logged to Superset's event logger, the same system used by the web UI (viewable at **Settings → Action Log**). Each event captures:
-
-- **Action**: `mcp.<tool_name>.<phase>` (e.g., `mcp.list_databases.query`)
-- **User**: the resolved Superset username from the JWT or dev config
-- **Timestamp**: when the operation ran
-
-This means MCP activity is auditable alongside normal user activity. No additional configuration is required — logging is on by default whenever the event logger is enabled in your Superset deployment.
-
-## Tool Pagination
-
-MCP list tools (`list_datasets`, `list_charts`, `list_dashboards`, `list_databases`) use **offset pagination** via `page` (1-based) and `page_size` parameters. Responses include `page`, `page_size`, `total_count`, `total_pages`, `has_previous`, and `has_next`. To iterate through all results:
-
-```python
-# Example: fetch all charts across pages
-all_charts = []
-page = 1
-while True:
-    result = mcp.list_charts(page=page, page_size=50)
-    all_charts.extend(result["charts"])
-    if not result.get("has_next"):
-        break
-    page += 1
-```
-
-## Security Best Practices
-
-- **Use TLS** for all production MCP endpoints -- place the server behind a reverse proxy with HTTPS
-- **Enable JWT authentication** for any internet-facing deployment
-- **RBAC enforcement** -- The MCP server respects Superset's role-based access control. Users can only access data their roles permit
-- **Secrets management** -- Store `MCP_JWT_SECRET`, database credentials, and API keys in environment variables or a secrets manager, never in config files committed to version control
-- **Scoped tokens** -- Use `MCP_REQUIRED_SCOPES` to limit what operations a token can perform
-- **Network isolation** -- In Kubernetes, restrict MCP pod network policies to only allow traffic from your AI client endpoints
-- Review the **[Security documentation](/developer-docs/extensions/security)** for additional extension security guidance
-
----
-
-## Next Steps
-
-- **[Using AI with Superset](/user-docs/using-superset/using-ai-with-superset)** -- What AI can do with Superset and how to get started
-- **[MCP Integration](/developer-docs/extensions/mcp)** -- Build custom MCP tools and prompts via Superset extensions
-- **[Security](/developer-docs/extensions/security)** -- Security best practices for extensions
-- **[Deployment](/developer-docs/extensions/deployment)** -- Package and deploy Superset extensions

docs/admin_docs/configuration/networking-settings.mdx

@@ -1,171 +0,0 @@
----
-title: Network and Security Settings
-sidebar_position: 7
-version: 1
----
-
-# Network and Security Settings
-
-## CORS
-
-
-:::note
-In Superset versions prior to `5.x` you have to install to install `flask-cors` with `pip install flask-cors` to enable CORS support.
-:::
-
-
-The following keys in `superset_config.py` can be specified to configure CORS:
-
-- `ENABLE_CORS`: Must be set to `True` in order to enable CORS
-- `CORS_OPTIONS`: options passed to Flask-CORS
-  ([documentation](https://flask-cors.readthedocs.io/en/latest/api.html#extension))
-
-## HTTP headers
-
-Note that Superset bundles [flask-talisman](https://pypi.org/project/talisman/)
-Self-described as a small Flask extension that handles setting HTTP headers that can help
-protect against a few common web application security issues.
-
-## HTML Embedding of Dashboards and Charts
-
-There are two ways to embed a dashboard: Using the [SDK](https://www.npmjs.com/package/@superset-ui/embedded-sdk) or embedding a direct link. Note that in the latter case everybody who knows the link is able to access the dashboard.
-
-### Embedding a Public Direct Link to a Dashboard
-
-This works by first changing the content security policy (CSP) of [flask-talisman](https://github.com/GoogleCloudPlatform/flask-talisman) to allow for certain domains to display Superset content. Then a dashboard can be made publicly accessible, i.e. **bypassing authentication**. Once made public, the dashboard's URL can be added to an iframe in another website's HTML code.
-
-#### Changing flask-talisman CSP
-
-Add to `superset_config.py` the entire `TALISMAN_CONFIG` section from `config.py` and include a `frame-ancestors` section:
-
-```python
-TALISMAN_ENABLED = True
-TALISMAN_CONFIG = {
-    "content_security_policy": {
-    ...
- "frame-ancestors": ["*.my-domain.com", "*.another-domain.com"],
-    ...
-```
-
-Restart Superset for this configuration change to take effect.
-
-#### Making a Dashboard Public
-
-There are two approaches to making dashboards publicly accessible:
-
-**Option 1: Dataset-based access (simpler)**
-1. Set `PUBLIC_ROLE_LIKE = "Public"` in `superset_config.py`
-2. Grant the Public role access to the relevant datasets (Menu → Security → List Roles → Public)
-3. All published dashboards using those datasets become visible to anonymous users
-
-**Option 2: Dashboard-level access (selective control)**
-1. Set `PUBLIC_ROLE_LIKE = "Public"` in `superset_config.py`
-2. Add the `'DASHBOARD_RBAC': True` [Feature Flag](/admin-docs/configuration/feature-flags)
-3. Edit each dashboard's properties and add the "Public" role
-4. Only dashboards with the Public role explicitly assigned are visible to anonymous users
-
-See the [Public role documentation](/admin-docs/security/#public) for more details.
-
-#### Embedding a Public Dashboard
-
-Now anybody can directly access the dashboard's URL. You can embed it in an iframe like so:
-
-```html
-<iframe
-  width="600"
-  height="400"
-  seamless
-  frameBorder="0"
-  scrolling="no"
-  src="https://superset.my-domain.com/superset/dashboard/10/?standalone=1&height=400"
->
-</iframe>
-```
-
-#### Embedding a Chart
-
-A chart's embed code can be generated by going to a chart's edit view and then clicking at the top right on `...` > `Share` > `Embed code`
-
-### Enabling Embedding via the SDK
-
-Clicking on `...` next to `EDIT DASHBOARD` on the top right of the dashboard's overview page should yield a drop-down menu including the entry "Embed dashboard".
-
-To enable this entry, add the following line to the `.env` file:
-
-```text
-SUPERSET_FEATURE_EMBEDDED_SUPERSET=true
-```
-
-### Hiding the Logout Button in Embedded Contexts
-
-When Superset is embedded in an application that manages authentication via SSO (OAuth2, SAML, or JWT), the logout button should be hidden since session management is handled by the parent application.
-
-To hide the logout button in embedded contexts, add to `superset_config.py`:
-
-```python
-FEATURE_FLAGS = {
-    "DISABLE_EMBEDDED_SUPERSET_LOGOUT": True,
-}
-```
-
-This flag only hides the logout button when Superset detects it is running inside an iframe. Users accessing Superset directly (not embedded) will still see the logout button regardless of this setting.
-
-:::note
-When embedding with SSO, also set `SESSION_COOKIE_SAMESITE = 'None'` and `SESSION_COOKIE_SECURE = True`. See [Security documentation](/admin-docs/security/securing_superset) for details.
-:::
-
-## CSRF settings
-
-Similarly, [flask-wtf](https://flask-wtf.readthedocs.io/en/0.15.x/config/) is used to manage
-some CSRF configurations. If you need to exempt endpoints from CSRF (e.g. if you are
-running a custom auth postback endpoint), you can add the endpoints to `WTF_CSRF_EXEMPT_LIST`:
-
-## SSH Tunneling
-
-1. Turn on feature flag
-    - Change [`SSH_TUNNELING`](https://github.com/apache/superset/blob/eb8386e3f0647df6d1bbde8b42073850796cc16f/superset/config.py#L489) to `True`
-    - If you want to add more security when establishing the tunnel we allow users to overwrite the `SSHTunnelManager` class [here](https://github.com/apache/superset/blob/eb8386e3f0647df6d1bbde8b42073850796cc16f/superset/config.py#L507)
-    - You can also set the [`SSH_TUNNEL_LOCAL_BIND_ADDRESS`](https://github.com/apache/superset/blob/eb8386e3f0647df6d1bbde8b42073850796cc16f/superset/config.py#L508) this the host address where the tunnel will be accessible on your VPC
-
-2. Create database w/ ssh tunnel enabled
-    - With the feature flag enabled you should now see ssh tunnel toggle.
-    - Click the toggle to enable SSH tunneling and add your credentials accordingly.
-        - Superset allows for two different types of authentication (Basic + Private Key). These credentials should come from your service provider.
-
-3. Verify data is flowing
-    - Once SSH tunneling has been enabled, go to SQL Lab and write a query to verify data is properly flowing.
-
-## Domain Sharding
-
-:::note
-Domain Sharding is deprecated as of Superset 5.0.0, and will be removed in Superset 6.0.0. Please Enable HTTP2 to keep more open connections per domain.
-:::
-
-Chrome allows up to 6 open connections per domain at a time. When there are more than 6 slices in
-dashboard, a lot of time fetch requests are queued up and wait for next available socket.
-[PR 5039](https://github.com/apache/superset/pull/5039) adds domain sharding to Superset,
-and this feature will be enabled by configuration only (by default Superset doesn’t allow
-cross-domain request).
-
-Add the following setting in your `superset_config.py` file:
-
-- `SUPERSET_WEBSERVER_DOMAINS`: list of allowed hostnames for domain sharding feature.
-
-Please create your domain shards as subdomains of your main domain for authorization to
-work properly on new domains. For Example:
-
-- `SUPERSET_WEBSERVER_DOMAINS=['superset-1.mydomain.com','superset-2.mydomain.com','superset-3.mydomain.com','superset-4.mydomain.com']`
-
-or add the following setting in your `superset_config.py` file if domain shards are not subdomains of main domain.
-
-- `SESSION_COOKIE_DOMAIN = '.mydomain.com'`
-
-## Middleware
-
-Superset allows you to add your own middleware. To add your own middleware, update the
-`ADDITIONAL_MIDDLEWARE` key in your `superset_config.py`. `ADDITIONAL_MIDDLEWARE` should be a list
-of your additional middleware classes.
-
-For example, to use `AUTH_REMOTE_USER` from behind a proxy server like nginx, you have to add a
-simple middleware class to add the value of `HTTP_X_PROXY_REMOTE_USER` (or any other custom header
-from the proxy) to Gunicorn’s `REMOTE_USER` environment variable.