Fix DB toggle

Fix icons
Add icons
2026-04-28 12:34:23 +00:00 · 2025-12-18 10:40:42 -05:00 · 2025-12-18 10:24:27 -05:00 · 2025-12-18 09:19:59 -05:00 · 2025-12-17 22:30:01 -05:00 · 2025-12-17 21:52:32 -05:00
637 changed files with 48959 additions and 15770 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -33,6 +33,7 @@

 # Notify PMC members of changes to extension-related files

+/docs/developer_portal/extensions/ @michael-s-molina @villebro @rusackas
 /superset-core/ @michael-s-molina @villebro @geido @eschutho @rusackas @kgabryje
 /superset-extensions-cli/ @michael-s-molina @villebro @geido @eschutho @rusackas @kgabryje
 /superset/core/ @michael-s-molina @villebro @geido @eschutho @rusackas @kgabryje
--- a/.github/workflows/bump-python-package.yml
+++ b/.github/workflows/bump-python-package.yml
@@ -32,7 +32,7 @@ jobs:
    steps:

      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: true
          ref: master
--- a/.github/workflows/cancel_duplicates.yml
+++ b/.github/workflows/cancel_duplicates.yml
@@ -31,7 +31,7 @@ jobs:

      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
        if: steps.check_queued.outputs.count >= 20
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6

      - name: Cancel duplicate workflow runs
        if: steps.check_queued.outputs.count >= 20
--- a/.github/workflows/check-python-deps.yml
+++ b/.github/workflows/check-python-deps.yml
@@ -18,7 +18,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
--- a/.github/workflows/check_db_migration_confict.yml
+++ b/.github/workflows/check_db_migration_confict.yml
@@ -25,7 +25,7 @@ jobs:
      pull-requests: write
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Check and notify
        uses: actions/github-script@v8
        with:
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -71,7 +71,7 @@ jobs:
      id-token: write
    steps:
    - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
      with:
        fetch-depth: 1

--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -31,7 +31,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6

      - name: Check for file changes
        id: check
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -27,7 +27,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout Repository"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: "Dependency Review"
        uses: actions/dependency-review-action@v4
        continue-on-error: true
@@ -53,7 +53,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: "Checkout Repository"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6

      - name: Setup Python
        uses: ./.github/actions/setup-backend/
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -42,7 +42,7 @@ jobs:
    steps:

      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false

@@ -117,7 +117,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Check for file changes
--- a/.github/workflows/embedded-sdk-release.yml
+++ b/.github/workflows/embedded-sdk-release.yml
@@ -28,8 +28,8 @@ jobs:
      run:
        working-directory: superset-embedded-sdk
    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
        with:
          node-version-file: './superset-embedded-sdk/.nvmrc'
          registry-url: 'https://registry.npmjs.org'
--- a/.github/workflows/embedded-sdk-test.yml
+++ b/.github/workflows/embedded-sdk-test.yml
@@ -18,8 +18,8 @@ jobs:
      run:
        working-directory: superset-embedded-sdk
    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
        with:
          node-version-file: './superset-embedded-sdk/.nvmrc'
          registry-url: 'https://registry.npmjs.org'
--- a/.github/workflows/ephemeral-env.yml
+++ b/.github/workflows/ephemeral-env.yml
@@ -160,7 +160,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ needs.ephemeral-env-label.outputs.sha }} : ${{steps.get-sha.outputs.sha}} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          ref: ${{ needs.ephemeral-env-label.outputs.sha }}
          persist-credentials: false
@@ -220,7 +220,7 @@ jobs:
      pull-requests: write

    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
        with:
          persist-credentials: false

--- a/.github/workflows/generate-FOSSA-report.yml
+++ b/.github/workflows/generate-FOSSA-report.yml
@@ -27,7 +27,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
--- a/.github/workflows/github-action-validator.yml
+++ b/.github/workflows/github-action-validator.yml
@@ -14,10 +14,10 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout Repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6

      - name: Set up Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
        with:
          node-version: '20'

--- a/.github/workflows/issue_creation.yml
+++ b/.github/workflows/issue_creation.yml
@@ -17,7 +17,7 @@ jobs:
    steps:

      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false

--- a/.github/workflows/latest-release-tag.yml
+++ b/.github/workflows/latest-release-tag.yml
@@ -12,7 +12,7 @@ jobs:

    steps:
    - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
      with:
        persist-credentials: false
        submodules: recursive
--- a/.github/workflows/license-check.yml
+++ b/.github/workflows/license-check.yml
@@ -15,7 +15,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -16,7 +16,7 @@ jobs:
      pull-requests: write
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -21,7 +21,7 @@ jobs:
        python-version: ["current", "previous", "next"]
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
@@ -39,7 +39,7 @@ jobs:
          echo "HOMEBREW_REPOSITORY=$HOMEBREW_REPOSITORY" >>"${GITHUB_ENV}"
          brew install norwoodj/tap/helm-docs
      - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
        with:
          node-version: '20'

@@ -54,7 +54,7 @@ jobs:
          yarn install --immutable

      - name: Cache pre-commit environments
-        uses: actions/cache@v4
+        uses: actions/cache@v5
        with:
          path: ~/.cache/pre-commit
          key: pre-commit-v2-${{ runner.os }}-py${{ matrix.python-version }}-${{ hashFiles('.pre-commit-config.yaml') }}
@@ -71,7 +71,9 @@ jobs:
          GIT_DIFF_EXIT_CODE=$?
          if [ "${PRE_COMMIT_EXIT_CODE}" -ne 0 ] || [ "${GIT_DIFF_EXIT_CODE}" -ne 0 ]; then
            if [ "${PRE_COMMIT_EXIT_CODE}" -ne 0 ]; then
-              echo "❌ Pre-commit check failed (exit code: ${EXIT_CODE})."
+              echo "❌ Pre-commit check failed (exit code: ${PRE_COMMIT_EXIT_CODE})."
+              echo "🔍 Modified files:"
+              git diff --name-only
            else
              echo "❌ Git working directory is dirty."
              echo "📌 This likely means that pre-commit made changes that were not committed."
--- a/.github/workflows/prefer-typescript.yml
+++ b/.github/workflows/prefer-typescript.yml
@@ -27,7 +27,7 @@ jobs:
      pull-requests: write
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -26,7 +26,7 @@ jobs:
    name: Bump version and publish package(s)
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
        with:
          # pulls all commits (needed for lerna / semantic release to correctly version)
          fetch-depth: 0
@@ -42,13 +42,13 @@ jobs:

      - name: Install Node.js
        if: env.HAS_TAGS
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
        with:
          node-version-file: './superset-frontend/.nvmrc'

      - name: Cache npm
        if: env.HAS_TAGS
-        uses: actions/cache@v4
+        uses: actions/cache@v5
        with:
          path: ~/.npm # npm cache files are stored in `~/.npm` on Linux/macOS
          key: ${{ runner.OS }}-node-${{ hashFiles('**/package-lock.json') }}
@@ -62,7 +62,7 @@ jobs:
        run: echo "dir=$(npm config get cache)" >> $GITHUB_OUTPUT
      - name: Cache npm
        if: env.HAS_TAGS
-        uses: actions/cache@v4
+        uses: actions/cache@v5
        id: npm-cache # use this to check for `cache-hit` (`steps.npm-cache.outputs.cache-hit != 'true'`)
        with:
          path: ${{ steps.npm-cache-dir-path.outputs.dir }}
--- a/.github/workflows/showtime-trigger.yml
+++ b/.github/workflows/showtime-trigger.yml
@@ -147,7 +147,7 @@ jobs:

      - name: Checkout PR code (only if build needed)
        if: steps.auth.outputs.authorized == 'true' && steps.check.outputs.build_needed == 'true'
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          ref: ${{ steps.check.outputs.target_sha }}
          persist-credentials: false
--- a/.github/workflows/superset-app-cli.yml
+++ b/.github/workflows/superset-app-cli.yml
@@ -37,7 +37,7 @@ jobs:
          - 16379:6379
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
--- a/.github/workflows/superset-applitool-cypress.yml
+++ b/.github/workflows/superset-applitool-cypress.yml
@@ -51,7 +51,7 @@ jobs:
          - 16379:6379
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
@@ -63,7 +63,7 @@ jobs:
        with:
          run: testdata
      - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
        with:
          node-version-file: './superset-frontend/.nvmrc'
      - name: Install npm dependencies
--- a/.github/workflows/superset-applitools-storybook.yml
+++ b/.github/workflows/superset-applitools-storybook.yml
@@ -30,13 +30,13 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
          ref: master
      - name: Set up Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
        with:
          node-version-file: './superset-frontend/.nvmrc'
      - name: Install eyes-storybook dependencies
--- a/.github/workflows/superset-docs-deploy.yml
+++ b/.github/workflows/superset-docs-deploy.yml
@@ -31,12 +31,12 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
      - name: Set up Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
        with:
          node-version-file: './docs/.nvmrc'
      - name: Setup Python
--- a/.github/workflows/superset-docs-verify.yml
+++ b/.github/workflows/superset-docs-verify.yml
@@ -18,10 +18,10 @@ jobs:
    name: Link Checking
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
      # Do not bump this linkinator-action version without opening
      # an ASF Infra ticket to allow the new version first!
-      - uses: JustinBeckwith/linkinator-action@3d5ba091319fa7b0ac14703761eebb7d100e6f6d  # v1.11.0
+      - uses: JustinBeckwith/linkinator-action@af984b9f30f63e796ae2ea5be5e07cb587f1bbd9  # v2.3
        continue-on-error: true # This will make the job advisory (non-blocking, no red X)
        with:
          paths: "**/*.md, **/*.mdx"
@@ -58,12 +58,12 @@ jobs:
        working-directory: docs
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
      - name: Set up Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
        with:
          node-version-file: './docs/.nvmrc'
      - name: yarn install
--- a/.github/workflows/superset-e2e.yml
+++ b/.github/workflows/superset-e2e.yml
@@ -69,21 +69,21 @@ jobs:
      # Conditional checkout based on context
      - name: Checkout for push or pull_request event
        if: github.event_name == 'push' || github.event_name == 'pull_request'
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
      - name: Checkout using ref (workflow_dispatch)
        if: github.event_name == 'workflow_dispatch' && github.event.inputs.ref != ''
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ github.event.inputs.ref }}
          submodules: recursive
      - name: Checkout using PR ID (workflow_dispatch)
        if: github.event_name == 'workflow_dispatch' && github.event.inputs.pr_id != ''
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: refs/pull/${{ github.event.inputs.pr_id }}/merge
@@ -109,7 +109,7 @@ jobs:
          run: testdata
      - name: Setup Node.js
        if: steps.check.outputs.python || steps.check.outputs.frontend
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
        with:
          node-version-file: './superset-frontend/.nvmrc'
      - name: Install npm dependencies
@@ -146,7 +146,7 @@ jobs:
          SAFE_APP_ROOT=${APP_ROOT//\//_}
          echo "safe_app_root=$SAFE_APP_ROOT" >> $GITHUB_OUTPUT
      - name: Upload Artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
        if: failure()
        with:
          path: ${{ github.workspace }}/superset-frontend/cypress-base/cypress/screenshots
@@ -186,21 +186,21 @@ jobs:
      # Conditional checkout based on context (same as Cypress workflow)
      - name: Checkout for push or pull_request event
        if: github.event_name == 'push' || github.event_name == 'pull_request'
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
      - name: Checkout using ref (workflow_dispatch)
        if: github.event_name == 'workflow_dispatch' && github.event.inputs.ref != ''
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ github.event.inputs.ref }}
          submodules: recursive
      - name: Checkout using PR ID (workflow_dispatch)
        if: github.event_name == 'workflow_dispatch' && github.event.inputs.pr_id != ''
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: refs/pull/${{ github.event.inputs.pr_id }}/merge
@@ -226,7 +226,7 @@ jobs:
          run: testdata
      - name: Setup Node.js
        if: steps.check.outputs.python || steps.check.outputs.frontend
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
        with:
          node-version-file: './superset-frontend/.nvmrc'
      - name: Install npm dependencies
@@ -259,7 +259,7 @@ jobs:
          SAFE_APP_ROOT=${APP_ROOT//\//_}
          echo "safe_app_root=$SAFE_APP_ROOT" >> $GITHUB_OUTPUT
      - name: Upload Playwright Artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
        if: failure()
        with:
          path: |
--- a/.github/workflows/superset-extensions-cli.yml
+++ b/.github/workflows/superset-extensions-cli.yml
@@ -24,7 +24,7 @@ jobs:
        working-directory: superset-extensions-cli
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
@@ -58,7 +58,7 @@ jobs:

      - name: Upload HTML coverage report
        if: steps.check.outputs.superset-extensions-cli
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
        with:
          name: superset-extensions-cli-coverage-html
          path: htmlcov/
--- a/.github/workflows/superset-frontend.yml
+++ b/.github/workflows/superset-frontend.yml
@@ -23,7 +23,7 @@ jobs:
      should-run: ${{ steps.check.outputs.frontend }}
    steps:
      - name: Checkout Code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          fetch-depth: 0
@@ -58,7 +58,7 @@ jobs:

      - name: Upload Docker Image Artifact
        if: steps.check.outputs.frontend
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
        with:
          name: docker-image
          path: docker-image.tar.gz
@@ -73,7 +73,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Download Docker Image Artifact
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v7
        with:
          name: docker-image

@@ -90,7 +90,7 @@ jobs:
          "npm run test -- --coverage --shard=${{ matrix.shard }}/8 --coverageReporters=json-summary"

      - name: Upload Coverage Artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
        with:
          name: coverage-artifacts-${{ matrix.shard }}
          path: superset-frontend/coverage
@@ -101,7 +101,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Download Coverage Artifacts
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v7
        with:
          pattern: coverage-artifacts-*
          path: coverage/
@@ -127,7 +127,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Download Docker Image Artifact
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v7
        with:
          name: docker-image

@@ -151,7 +151,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Download Docker Image Artifact
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v7
        with:
          name: docker-image

--- a/.github/workflows/superset-helm-lint.yml
+++ b/.github/workflows/superset-helm-lint.yml
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
--- a/.github/workflows/superset-helm-release.yml
+++ b/.github/workflows/superset-helm-release.yml
@@ -29,7 +29,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          ref: ${{ inputs.ref || github.ref_name }}
          persist-credentials: true
--- a/.github/workflows/superset-playwright.yml
+++ b/.github/workflows/superset-playwright.yml
@@ -60,21 +60,21 @@ jobs:
      # Conditional checkout based on context (same as Cypress workflow)
      - name: Checkout for push or pull_request event
        if: github.event_name == 'push' || github.event_name == 'pull_request'
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
      - name: Checkout using ref (workflow_dispatch)
        if: github.event_name == 'workflow_dispatch' && github.event.inputs.ref != ''
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ github.event.inputs.ref }}
          submodules: recursive
      - name: Checkout using PR ID (workflow_dispatch)
        if: github.event_name == 'workflow_dispatch' && github.event.inputs.pr_id != ''
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: refs/pull/${{ github.event.inputs.pr_id }}/merge
@@ -100,7 +100,7 @@ jobs:
          run: testdata
      - name: Setup Node.js
        if: steps.check.outputs.python || steps.check.outputs.frontend
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
        with:
          node-version-file: './superset-frontend/.nvmrc'
      - name: Install npm dependencies
@@ -133,7 +133,7 @@ jobs:
          SAFE_APP_ROOT=${APP_ROOT//\//_}
          echo "safe_app_root=$SAFE_APP_ROOT" >> $GITHUB_OUTPUT
      - name: Upload Playwright Artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
        if: failure()
        with:
          path: |
--- a/.github/workflows/superset-python-integrationtest.yml
+++ b/.github/workflows/superset-python-integrationtest.yml
@@ -41,7 +41,7 @@ jobs:
          - 16379:6379
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
@@ -99,7 +99,7 @@ jobs:
          - 16379:6379
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
@@ -152,7 +152,7 @@ jobs:
          - 16379:6379
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
--- a/.github/workflows/superset-python-presto-hive.yml
+++ b/.github/workflows/superset-python-presto-hive.yml
@@ -48,7 +48,7 @@ jobs:
          - 16379:6379
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
@@ -108,7 +108,7 @@ jobs:
          - 16379:6379
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
--- a/.github/workflows/superset-python-unittest.yml
+++ b/.github/workflows/superset-python-unittest.yml
@@ -24,7 +24,7 @@ jobs:
      PYTHONPATH: ${{ github.workspace }}
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
--- a/.github/workflows/superset-translations.yml
+++ b/.github/workflows/superset-translations.yml
@@ -18,7 +18,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
@@ -31,7 +31,7 @@ jobs:

      - name: Setup Node.js
        if: steps.check.outputs.frontend
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
        with:
          node-version-file:  './superset-frontend/.nvmrc'
      - name: Install dependencies
@@ -49,7 +49,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
--- a/.github/workflows/superset-websocket.yml
+++ b/.github/workflows/superset-websocket.yml
@@ -21,7 +21,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Install dependencies
--- a/.github/workflows/supersetbot.yml
+++ b/.github/workflows/supersetbot.yml
@@ -38,7 +38,7 @@ jobs:
            });

      - name: "Checkout ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          persist-credentials: false

--- a/.github/workflows/tag-release.yml
+++ b/.github/workflows/tag-release.yml
@@ -47,7 +47,7 @@ jobs:
    steps:

      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0

@@ -60,7 +60,7 @@ jobs:
          build: "true"

      - name: Use Node.js 20
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
        with:
          node-version: 20

@@ -107,12 +107,12 @@ jobs:
    steps:

      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Use Node.js 20
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
        with:
          node-version: 20

--- a/.github/workflows/tech-debt.yml
+++ b/.github/workflows/tech-debt.yml
@@ -27,10 +27,10 @@ jobs:
    name: Generate Reports
    steps:
      - name: Checkout Repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6

      - name: Set up Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
        with:
          node-version-file: './superset-frontend/.nvmrc'

--- a/.gitignore
+++ b/.gitignore
@@ -33,6 +33,7 @@ cover
 .env
 .envrc
 .idea
+.roo
 .mypy_cache
 .python-version
 .tox
@@ -137,3 +138,4 @@ PROJECT.md
 .claude_rc*
 .env.local
 oxc-custom-build/
+*.code-workspace
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -106,12 +106,19 @@ repos:
        files: helm
        verbose: false
        args: ["--log-level", "error"]
-  - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.9.7
+  # Using local hooks ensures ruff version matches requirements/development.txt
+  - repo: local
    hooks:
      - id: ruff-format
+        name: ruff-format
+        entry: ruff format
+        language: system
+        types: [python]
      - id: ruff
-        args: [--fix]
+        name: ruff
+        entry: ruff check --fix --show-fixes
+        language: system
+        types: [python]
  - repo: local
    hooks:
      - id: pylint
--- a/.pylintrc
+++ b/.pylintrc
@@ -53,7 +53,7 @@ extension-pkg-whitelist=pyarrow

 [MESSAGES CONTROL]
 disable=all
-enable=disallowed-json-import,disallowed-sql-import,consider-using-transaction
+enable=json-import,disallowed-sql-import,consider-using-transaction


 [REPORTS]
--- a/2
+++ b/2
@@ -18,7 +18,7 @@
 ######################################################################
 # Node stage to deal with static asset construction
 ######################################################################
-ARG PY_VER=3.11.13-slim-trixie
+ARG PY_VER=3.11.14-slim-trixie

 # If BUILDPLATFORM is null, set it to 'amd64' (or leave as is otherwise).
 ARG BUILDPLATFORM=${BUILDPLATFORM:-amd64}
--- a/README.md
+++ b/README.md
@@ -17,17 +17,6 @@ specific language governing permissions and limitations
 under the License.
 -->

-# Superset
-
-[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/license/apache-2-0)
-[![Latest Release on Github](https://img.shields.io/github/v/release/apache/superset?sort=semver)](https://github.com/apache/superset/releases/latest)
-[![Build Status](https://github.com/apache/superset/actions/workflows/superset-python-unittest.yml/badge.svg)](https://github.com/apache/superset/actions)
-[![PyPI version](https://badge.fury.io/py/apache_superset.svg)](https://badge.fury.io/py/apache_superset)
-[![Coverage Status](https://codecov.io/github/apache/superset/coverage.svg?branch=master)](https://codecov.io/github/apache/superset)
-[![PyPI](https://img.shields.io/pypi/pyversions/apache_superset.svg?maxAge=2592000)](https://pypi.python.org/pypi/apache_superset)
-[![Get on Slack](https://img.shields.io/badge/slack-join-orange.svg)](http://bit.ly/join-superset-slack)
-[![Documentation](https://img.shields.io/badge/docs-apache.org-blue.svg)](https://superset.apache.org)
-
 <picture width="500">
  <source
    width="600"
--- a/RESOURCES/FEATURE_FLAGS.md
+++ b/RESOURCES/FEATURE_FLAGS.md
@@ -68,7 +68,7 @@ These features flags are **safe for production**. They have been tested and will

 ### Flags retained for runtime configuration

-Currently some of our feature flags act as dynamic configurations that can changed
+Currently some of our feature flags act as dynamic configurations that can change
 on the fly. This acts in contradiction with the typical ephemeral feature flag use case,
 where the flag is used to mature a feature, and eventually deprecated once the feature is
 solid. Eventually we'll likely refactor these under a more formal "dynamic configurations" managed
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -23,6 +23,108 @@ This file documents any backwards-incompatible changes in Superset and
 assists people when migrating to a new version.

 ## Next
+
+### MCP Service
+
+The MCP (Model Context Protocol) service enables AI assistants and automation tools to interact programmatically with Superset.
+
+#### New Features
+- MCP service infrastructure with FastMCP framework
+- Tools for dashboards, charts, datasets, SQL Lab, and instance metadata
+- Optional dependency: install with `pip install apache-superset[fastmcp]`
+- Runs as separate process from Superset web server
+- JWT-based authentication for production deployments
+
+#### New Configuration Options
+
+**Development** (single-user, local testing):
+```python
+# superset_config.py
+MCP_DEV_USERNAME = "admin"  # User for MCP authentication
+MCP_SERVICE_HOST = "localhost"
+MCP_SERVICE_PORT = 5008
+```
+
+**Production** (JWT-based, multi-user):
+```python
+# superset_config.py
+MCP_AUTH_ENABLED = True
+MCP_JWT_ISSUER = "https://your-auth-provider.com"
+MCP_JWT_AUDIENCE = "superset-mcp"
+MCP_JWT_ALGORITHM = "RS256"  # or "HS256" for shared secrets
+
+# Option 1: Use JWKS endpoint (recommended for RS256)
+MCP_JWKS_URI = "https://auth.example.com/.well-known/jwks.json"
+
+# Option 2: Use static public key (RS256)
+MCP_JWT_PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----..."
+
+# Option 3: Use shared secret (HS256)
+MCP_JWT_ALGORITHM = "HS256"
+MCP_JWT_SECRET = "your-shared-secret-key"
+
+# Optional overrides
+MCP_SERVICE_HOST = "0.0.0.0"
+MCP_SERVICE_PORT = 5008
+MCP_SESSION_CONFIG = {
+    "SESSION_COOKIE_SECURE": True,
+    "SESSION_COOKIE_HTTPONLY": True,
+    "SESSION_COOKIE_SAMESITE": "Strict",
+}
+```
+
+#### Running the MCP Service
+
+```bash
+# Development
+superset mcp run --port 5008 --debug
+
+# Production
+superset mcp run --port 5008
+
+# With factory config
+superset mcp run --port 5008 --use-factory-config
+```
+
+#### Deployment Considerations
+
+The MCP service runs as a **separate process** from the Superset web server.
+
+**Important**:
+- Requires same Python environment and configuration as Superset
+- Shares database connections with main Superset app
+- Can be scaled independently from web server
+- Requires `fastmcp` package (optional dependency)
+
+**Installation**:
+```bash
+# Install with MCP support
+pip install apache-superset[fastmcp]
+
+# Or add to requirements.txt
+apache-superset[fastmcp]>=X.Y.Z
+```
+
+**Process Management**:
+Use systemd, supervisord, or Kubernetes to manage the MCP service process.
+See `superset/mcp_service/PRODUCTION.md` for deployment guides.
+
+**Security**:
+- Development: Uses `MCP_DEV_USERNAME` for single-user access
+- Production: **MUST** configure JWT authentication
+- See `superset/mcp_service/SECURITY.md` for details
+
+#### Documentation
+
+- Architecture: `superset/mcp_service/ARCHITECTURE.md`
+- Security: `superset/mcp_service/SECURITY.md`
+- Production: `superset/mcp_service/PRODUCTION.md`
+- Developer Guide: `superset/mcp_service/CLAUDE.md`
+- Quick Start: `superset/mcp_service/README.md`
+
+---
+
+- [35621](https://github.com/apache/superset/pull/35621): The default hash algorithm has changed from MD5 to SHA-256 for improved security and FedRAMP compliance. This affects cache keys for thumbnails, dashboard digests, chart digests, and filter option names. Existing cached data will be invalidated upon upgrade. To opt out of this change and maintain backward compatibility, set `HASH_ALGORITHM = "md5"` in your `superset_config.py`.
 - [33055](https://github.com/apache/superset/pull/33055): Upgrades Flask-AppBuilder to 5.0.0. The AUTH_OID authentication type has been deprecated and is no longer available as an option in Flask-AppBuilder. OpenID (OID) is considered a deprecated authentication protocol - if you are using AUTH_OID, you will need to migrate to an alternative authentication method such as OAuth, LDAP, or database authentication before upgrading.
 - [35062](https://github.com/apache/superset/pull/35062): Changed the function signature of `setupExtensions` to `setupCodeOverrides` with options as arguments.
 - [34871](https://github.com/apache/superset/pull/34871): Fixed Jest test hanging issue from Ant Design v5 upgrade. MessageChannel is now mocked in test environment to prevent rc-overflow from causing Jest to hang. Test environment only - no production impact.
@@ -45,6 +147,31 @@ Note: Pillow is now a required dependency (previously optional) to support image
 - [32432](https://github.com/apache/superset/pull/31260) Moves the List Roles FAB view to the frontend and requires `FAB_ADD_SECURITY_API` to be enabled in the configuration and `superset init` to be executed.
 - [34319](https://github.com/apache/superset/pull/34319) Drill to Detail and Drill By is now supported in Embedded mode, and also with the `DASHBOARD_RBAC` FF. If you don't want to expose these features in Embedded / `DASHBOARD_RBAC`, make sure the roles used for Embedded / `DASHBOARD_RBAC`don't have the required permissions to perform D2D actions.

+### Breaking Changes
+
+#### CUSTOM_FONT_URLS removed
+
+The `CUSTOM_FONT_URLS` configuration option has been removed. Use the new per-theme `fontUrls` token in `THEME_DEFAULT` or database-managed themes instead.
+
+**Before (5.x):**
+```python
+CUSTOM_FONT_URLS = [
+    "https://fonts.example.com/myfont.css",
+]
+```
+
+**After (6.0):**
+```python
+THEME_DEFAULT = {
+    "token": {
+        "fontUrls": [
+            "https://fonts.example.com/myfont.css",
+        ],
+        # ... other tokens
+    }
+}
+```
+
 ## 5.0.0

 - [31976](https://github.com/apache/superset/pull/31976) Removed the `DISABLE_LEGACY_DATASOURCE_EDITOR` feature flag. The previous value of the feature flag was `True` and now the feature is permanently removed.
--- a/docker/docker-bootstrap.sh
+++ b/docker/docker-bootstrap.sh
@@ -80,7 +80,7 @@ case "${1}" in
    ;;
  app)
    echo "Starting web app (using development server)..."
-    flask run -p $PORT --reload --debugger --without-threads --host=0.0.0.0
+    flask run -p $PORT --reload --debugger --without-threads --host=0.0.0.0 --exclude-patterns "*/node_modules/*:*/.venv/*:*/build/*:*/__pycache__/*"
    ;;
  app-gunicorn)
    echo "Starting web app..."
--- a/docker/pythonpath_dev/superset_config.py
+++ b/docker/pythonpath_dev/superset_config.py
@@ -105,7 +105,7 @@ class CeleryConfig:

 CELERY_CONFIG = CeleryConfig

-FEATURE_FLAGS = {"ALERT_REPORTS": True}
+FEATURE_FLAGS = {"ALERT_REPORTS": True, "DATA_ACCESS_RULES": True}
 ALERT_REPORTS_NOTIFICATION_DRY_RUN = True
 WEBDRIVER_BASEURL = f"http://superset_app{os.environ.get('SUPERSET_APP_ROOT', '/')}/"  # When using docker compose baseurl should be http://superset_nginx{ENV{BASEPATH}}/  # noqa: E501
 # The base URL for the email report hyperlinks.
--- a/docker/pythonpath_dev/superset_config_docker_light.py
+++ b/docker/pythonpath_dev/superset_config_docker_light.py
@@ -19,6 +19,7 @@

 # Import all settings from the main config first
 from flask_caching.backends.filesystemcache import FileSystemCache
+
 from superset_config import *  # noqa: F403

 # Override caching to use simple in-memory cache instead of Redis
--- a/docs/developer_portal/extensions/architecture.md
+++ b/docs/developer_portal/extensions/architecture.md
@@ -248,6 +248,6 @@ This architecture provides several key benefits:

 Now that you understand the architecture, explore:

- **[Extension Project Structure](./extension-project-structure)** - How to organize your extension code
- **[Frontend Contribution Types](./frontend-contribution-types)** - What kinds of extensions you can build
 - **[Quick Start](./quick-start)** - Build your first extension
+- **[Contribution Types](./contribution-types)** - What kinds of extensions you can build
+- **[Development](./development)** - Project structure, APIs, and development workflow
--- a/docs/developer_portal/extensions/contribution-types.md
+++ b/docs/developer_portal/extensions/contribution-types.md
@@ -0,0 +1,130 @@
+---
+title: Contribution Types
+sidebar_position: 4
+---
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+# Contribution Types
+
+To facilitate the development of extensions, we define a set of well-defined contribution types that extensions can implement. These contribution types serve as the building blocks for extensions, allowing them to interact with the host application and provide new functionality.
+
+## Frontend
+
+Frontend contribution types allow extensions to extend Superset's user interface with new views, commands, and menu items.
+
+### Views
+
+Extensions can add new views or panels to the host application, such as custom SQL Lab panels, dashboards, or other UI components. Each view is registered with a unique ID and can be activated or deactivated as needed. Contribution areas are uniquely identified (e.g., `sqllab.panels` for SQL Lab panels), enabling seamless integration into specific parts of the application.
+
+``` json
+"frontend": {
+  "contributions": {
+    "views": {
+      "sqllab.panels": [
+        {
+          "id": "my_extension.main",
+          "name": "My Panel Name"
+        }
+      ]
+    }
+  }
+}
+```
+
+### Commands
+
+Extensions can define custom commands that can be executed within the host application, such as context-aware actions or menu options. Each command can specify properties like a unique command identifier, an icon, a title, and a description. These commands can be invoked by users through menus, keyboard shortcuts, or other UI elements, enabling extensions to add rich, interactive functionality to Superset.
+
+``` json
+"frontend": {
+  "contributions": {
+    "commands": [
+      {
+        "command": "my_extension.copy_query",
+        "icon": "CopyOutlined",
+        "title": "Copy Query",
+        "description": "Copy the current query to clipboard"
+      }
+    ]
+  }
+}
+```
+
+### Menus
+
+Extensions can contribute new menu items or context menus to the host application, providing users with additional actions and options. Each menu item can specify properties such as the target view, the command to execute, its placement (primary, secondary, or context), and conditions for when it should be displayed. Menu contribution areas are uniquely identified (e.g., `sqllab.editor` for the SQL Lab editor), allowing extensions to seamlessly integrate their functionality into specific menus and workflows within Superset.
+
+``` json
+"frontend": {
+  "contributions": {
+    "menus": {
+      "sqllab.editor": {
+        "primary": [
+          {
+            "view": "builtin.editor",
+            "command": "my_extension.copy_query"
+          }
+        ],
+        "secondary": [
+          {
+            "view": "builtin.editor",
+            "command": "my_extension.prettify"
+          }
+        ],
+        "context": [
+          {
+            "view": "builtin.editor",
+            "command": "my_extension.clear"
+          }
+        ]
+      }
+    }
+  }
+}
+```
+
+## Backend
+
+Backend contribution types allow extensions to extend Superset's server-side capabilities with new API endpoints, MCP tools, and MCP prompts.
+
+### REST API Endpoints
+
+Extensions can register custom REST API endpoints under the `/api/v1/extensions/` namespace. This dedicated namespace prevents conflicts with built-in endpoints and provides a clear separation between core and extension functionality.
+
+``` json
+"backend": {
+  "entryPoints": ["my_extension.entrypoint"],
+  "files": ["backend/src/my_extension/**/*.py"]
+}
+```
+
+The entry point module registers the API with Superset:
+
+``` python
+from superset_core.api.rest_api import add_extension_api
+from .api import MyExtensionAPI
+
+add_extension_api(MyExtensionAPI)
+```
+
+### MCP Tools and Prompts
+
+Extensions can contribute Model Context Protocol (MCP) tools and prompts that AI agents can discover and use. See [MCP Integration](./mcp) for detailed documentation.
--- a/docs/developer_portal/extensions/deploying-extension.md
+++ b/docs/developer_portal/extensions/deploying-extension.md
@@ -1,6 +1,6 @@
 ---
-title: Deploying an Extension
-sidebar_position: 8
+title: Deployment
+sidebar_position: 6
 ---

 <!--
@@ -22,7 +22,7 @@ specific language governing permissions and limitations
 under the License.
 -->

-# Deploying an Extension
+# Deployment

 Once an extension has been developed, the deployment process involves packaging and uploading it to the host application.

@@ -33,13 +33,17 @@ Packaging is handled by the `superset-extensions bundle` command, which:
 3. Generates a `manifest.json` with build-time metadata, including the contents of `extension.json` and references to built assets.
 4. Packages everything into a `.supx` file (a zip archive with a specific structure required by Superset).

-Uploading is accomplished through Superset's REST API at `/api/v1/extensions/import/`. The endpoint accepts the `.supx` file as form data and processes it by:
+To deploy an extension, place the `.supx` file in the extensions directory configured via `EXTENSIONS_PATH` in your `superset_config.py`:

-1. Extracting and validating the extension metadata and manifest.
-2. Storing extension assets in the metadata database for dynamic loading.
-3. Registering the extension in the metadata database, including its name, version, author, and capabilities.
-4. Automatically activating the extension, making it immediately available for use and management via the Superset UI or API.
+``` python
+EXTENSIONS_PATH = "/path/to/extensions"
+```

-This API-driven approach enables automated deployment workflows and simplifies extension management for administrators. Extensions can be uploaded through the Swagger UI, programmatically via scripts, or through the management interface:
+During application startup, Superset automatically discovers and loads all `.supx` files from this directory:

-https://github.com/user-attachments/assets/98b16cdd-8ec5-4812-9d5e-9915badd8f0d
+1. Scans the configured directory for `.supx` files.
+2. Validates each file is a properly formatted zip archive.
+3. Extracts and validates the extension manifest and metadata.
+4. Loads the extension, making it available for use.
+
+This file-based approach simplifies deployment in containerized environments and enables version control of extensions alongside infrastructure configuration.
--- a/docs/developer_portal/extensions/development-mode.md
+++ b/docs/developer_portal/extensions/development-mode.md
@@ -1,48 +0,0 @@
---
-title: Development Mode
-sidebar_position: 10
---
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one
-or more contributor license agreements.  See the NOTICE file
-distributed with this work for additional information
-regarding copyright ownership.  The ASF licenses this file
-to you under the Apache License, Version 2.0 (the
-"License"); you may not use this file except in compliance
-with the License.  You may obtain a copy of the License at
-
-  http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing,
-software distributed under the License is distributed on an
-"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-KIND, either express or implied.  See the License for the
-specific language governing permissions and limitations
-under the License.
-->
-
-# Development Mode
-
-Development mode accelerates extension development by letting developers see changes in Superset quickly, without the need for repeated packaging and uploading. To enable development mode, set the `LOCAL_EXTENSIONS` configuration in your `superset_config.py`:
-
-``` python
-LOCAL_EXTENSIONS = [
-    "/path/to/your/extension1",
-    "/path/to/your/extension2",
-]
-```
-
-This instructs Superset to load and serve extensions directly from disk, so you can iterate quickly. Running `superset-extensions dev` watches for file changes and rebuilds assets automatically, while the Webpack development server (started separately with `npm run dev-server`) serves updated files as soon as they're modified. This enables immediate feedback for React components, styles, and other frontend code. Changes to backend files are also detected automatically and immediately synced, ensuring that both frontend and backend updates are reflected in your development environment.
-
-Example output when running in development mode:
-
-```
-superset-extensions dev
-
-⚙️  Building frontend assets…
-✅ Frontend rebuilt
-✅ Backend files synced
-✅ Manifest updated
-👀 Watching for changes in: /dataset_references/frontend, /dataset_references/backend
-```
--- a/docs/developer_portal/extensions/development.md
+++ b/docs/developer_portal/extensions/development.md
@@ -0,0 +1,239 @@
+---
+title: Development
+sidebar_position: 5
+---
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+# Development
+
+This guide covers everything you need to know about developing extensions for Superset, from project structure to development workflow.
+
+## Project Structure
+
+The [apache-superset-extensions-cli](https://github.com/apache/superset/tree/master/superset-extensions-cli) package provides a command-line interface (CLI) that streamlines the extension development workflow. It offers the following commands:
+
+```
+superset-extensions init: Generates the initial folder structure and scaffolds a new extension project.
+
+superset-extensions build: Builds extension assets.
+
+superset-extensions bundle: Packages the extension into a .supx file.
+
+superset-extensions dev: Automatically rebuilds the extension as files change.
+```
+
+When creating a new extension with `superset-extensions init <extension-name>`, the CLI generates a standardized folder structure:
+
+```
+dataset_references/
+├── extension.json
+├── frontend/
+│   ├── src/
+│   ├── webpack.config.js
+│   ├── tsconfig.json
+│   └── package.json
+├── backend/
+│   ├── src/
+│        └── dataset_references/
+│   ├── tests/
+│   ├── pyproject.toml
+│   └── requirements.txt
+├── dist/
+│   ├── manifest.json
+│   ├── frontend
+│        └── dist/
+│             ├── remoteEntry.d7a9225d042e4ccb6354.js
+│             └── 900.038b20cdff6d49cfa8d9.js
+│   └── backend
+│        └── dataset_references/
+│             ├── __init__.py
+│             ├── api.py
+│             └── entrypoint.py
+├── dataset_references-1.0.0.supx
+└── README.md
+```
+
+The `extension.json` file serves as the declared metadata for the extension, containing the extension's name, version, author, description, and a list of capabilities. This file is essential for the host application to understand how to load and manage the extension.
+
+The `frontend` directory contains the source code for the frontend components of the extension, including React components, styles, and assets. The `webpack.config.js` file is used to configure Webpack for building the frontend code, while the `tsconfig.json` file defines the TypeScript configuration for the project. The `package.json` file specifies the dependencies and scripts for building and testing the frontend code.
+
+The `backend` directory contains the source code for the backend components of the extension, including Python modules, tests, and configuration files. The `pyproject.toml` file is used to define the Python package and its dependencies, while the `requirements.txt` file lists the required Python packages for the extension. The `src` folder contains the functional backend source files, `tests` directory contains unit tests for the backend code, ensuring that the extension behaves as expected and meets the defined requirements.
+
+The `dist` directory is built when running the `build` or `dev` command, and contains the files that will be included in the bundle. The `manifest.json` file contains critical metadata about the extension, including the majority of the contents of the `extension.json` file, but also other build-time information, like the name of the built Webpack Module Federation remote entry file. The files in the `dist` directory will be zipped into the final `.supx` file. Although this file is technically a zip archive, the `.supx` extension makes it clear that it is a Superset extension package and follows a specific file layout. This packaged file can be distributed and installed in Superset instances.
+
+The `README.md` file provides documentation and instructions for using the extension, including how to install, configure, and use its functionality.
+
+## Extension Metadata
+
+The `extension.json` file contains all metadata necessary for the host application to understand and manage the extension:
+
+```json
+{
+  "name": "dataset_references",
+  "version": "1.0.0",
+  "frontend": {
+    "contributions": {
+      "views": {
+        "sqllab.panels": [
+          {
+            "id": "dataset_references.main",
+            "name": "Dataset references"
+          }
+        ]
+      }
+    },
+    "moduleFederation": {
+      "exposes": ["./index"]
+    }
+  },
+  "backend": {
+    "entryPoints": ["dataset_references.entrypoint"],
+    "files": ["backend/src/dataset_references/**/*.py"]
+  }
+}
+```
+
+The `contributions` section declares how the extension extends Superset's functionality through views, commands, menus, and other contribution types. The `backend` section specifies entry points and files to include in the bundle.
+
+## Interacting with the Host
+
+Extensions interact with Superset through well-defined, versioned APIs provided by the `@apache-superset/core` (frontend) and `apache-superset-core` (backend) packages. These APIs are designed to be stable, discoverable, and consistent for both built-in and external extensions.
+
+**Note**: The `superset_core.api` module provides abstract classes that are replaced with concrete implementations via dependency injection when Superset initializes. This allows extensions to use the same interfaces as the host application.
+
+### Frontend APIs
+
+The frontend extension APIs (via `@apache-superset/core`) are organized into logical namespaces such as `authentication`, `commands`, `extensions`, `sqlLab`, and others. Each namespace groups related functionality, making it easy for extension authors to discover and use the APIs relevant to their needs. For example, the `sqlLab` namespace provides events and methods specific to SQL Lab, allowing extensions to react to user actions and interact with the SQL Lab environment:
+
+```typescript
+export const getCurrentTab: () => Tab | undefined;
+
+export const getDatabases: () => Database[];
+
+export const getTabs: () => Tab[];
+
+export const onDidChangeEditorContent: Event<string>;
+
+export const onDidClosePanel: Event<Panel>;
+
+export const onDidChangeActivePanel: Event<Panel>;
+
+export const onDidChangeTabTitle: Event<string>;
+
+export const onDidQueryRun: Event<Editor>;
+
+export const onDidQueryStop: Event<Editor>;
+```
+
+The following code demonstrates more examples of the existing frontend APIs:
+
+```typescript
+import { core, commands, sqlLab, authentication, Button } from '@apache-superset/core';
+import MyPanel from './MyPanel';
+
+export function activate(context) {
+  // Register a new panel (view) in SQL Lab and use shared UI components in your extension's React code
+  const panelDisposable = core.registerView('my_extension.panel', <MyPanel><Button/></MyPanel>);
+
+  // Register a custom command
+  const commandDisposable = commands.registerCommand('my_extension.copy_query', {
+    title: 'Copy Query',
+    execute: () => {
+      // Command logic here
+    },
+  });
+
+  // Listen for query run events in SQL Lab
+  const eventDisposable = sqlLab.onDidQueryRun(editor => {
+    // Handle query execution event
+  });
+
+  // Access a CSRF token for secure API requests
+  authentication.getCSRFToken().then(token => {
+    // Use token as needed
+  });
+
+  // Add all disposables for automatic cleanup on deactivation
+  context.subscriptions.push(panelDisposable, commandDisposable, eventDisposable);
+}
+```
+
+### Backend APIs
+
+Backend APIs (via `apache-superset-core`) follow a similar pattern, providing access to Superset's models, sessions, and query capabilities. Extensions can register REST API endpoints, access the metadata database, and interact with Superset's core functionality.
+
+Extension endpoints are registered under a dedicated `/extensions` namespace to avoid conflicting with built-in endpoints and also because they don't share the same version constraints. By grouping all extension endpoints under `/extensions`, Superset establishes a clear boundary between core and extension functionality, making it easier to manage, document, and secure both types of APIs.
+
+```python
+from superset_core.api.models import Database, get_session
+from superset_core.api.daos import DatabaseDAO
+from superset_core.api.rest_api import add_extension_api
+from .api import DatasetReferencesAPI
+
+# Register a new extension REST API
+add_extension_api(DatasetReferencesAPI)
+
+# Fetch Superset entities via the DAO to apply base filters that filter out entities
+# that the user doesn't have access to
+databases = DatabaseDAO.find_all()
+
+# ..or apply simple filters on top of base filters
+databases = DatabaseDAO.filter_by(uuid=database.uuid)
+if not databases:
+    raise Exception("Database not found")
+
+return databases[0]
+
+# Perform complex queries using SQLAlchemy Query, also filtering out
+# inaccessible entities
+session = get_session()
+databases_query = session.query(Database).filter(
+    Database.database_name.ilike("%abc%")
+)
+return DatabaseDAO.query(databases_query)
+```
+
+In the future, we plan to expand the backend APIs to support configuring security models, database engines, SQL Alchemy dialects, etc.
+
+## Development Mode
+
+Development mode accelerates extension development by letting developers see changes in Superset quickly, without the need for repeated packaging and uploading. To enable development mode, set the `LOCAL_EXTENSIONS` configuration in your `superset_config.py`:
+
+```python
+LOCAL_EXTENSIONS = [
+    "/path/to/your/extension1",
+    "/path/to/your/extension2",
+]
+```
+
+This instructs Superset to load and serve extensions directly from disk, so you can iterate quickly. Running `superset-extensions dev` watches for file changes and rebuilds assets automatically, while the Webpack development server (started separately with `npm run dev-server`) serves updated files as soon as they're modified. This enables immediate feedback for React components, styles, and other frontend code. Changes to backend files are also detected automatically and immediately synced, ensuring that both frontend and backend updates are reflected in your development environment.
+
+Example output when running in development mode:
+
+```
+superset-extensions dev
+
+⚙️  Building frontend assets…
+✅ Frontend rebuilt
+✅ Backend files synced
+✅ Manifest updated
+👀 Watching for changes in: /dataset_references/frontend, /dataset_references/backend
+```
--- a/docs/developer_portal/extensions/extension-metadata.md
+++ b/docs/developer_portal/extensions/extension-metadata.md
@@ -1,55 +0,0 @@
---
-title: Extension Metadata
-sidebar_position: 4
---
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one
-or more contributor license agreements.  See the NOTICE file
-distributed with this work for additional information
-regarding copyright ownership.  The ASF licenses this file
-to you under the Apache License, Version 2.0 (the
-"License"); you may not use this file except in compliance
-with the License.  You may obtain a copy of the License at
-
-  http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing,
-software distributed under the License is distributed on an
-"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-KIND, either express or implied.  See the License for the
-specific language governing permissions and limitations
-under the License.
-->
-
-# Extension Metadata
-
-The `extension.json` file contains all metadata necessary for the host application to understand and manage the extension:
-
-``` json
-{
-  "name": "dataset_references",
-  "version": "1.0.0",
-  "frontend": {
-    "contributions": {
-      "views": {
-        "sqllab.panels": [
-          {
-            "id": "dataset_references.main",
-            "name": "Dataset references"
-          }
-        ]
-      }
-    },
-    "moduleFederation": {
-      "exposes": ["./index"]
-    }
-  },
-  "backend": {
-    "entryPoints": ["dataset_references.entrypoint"],
-    "files": ["backend/src/dataset_references/**/*.py"]
-  },
-}
-```
-
-The `contributions` section declares how the extension extends Superset's functionality through views, commands, menus, and other contribution types. The `backend` section specifies entry points and files to include in the bundle.
--- a/docs/developer_portal/extensions/extension-points/sqllab.md
+++ b/docs/developer_portal/extensions/extension-points/sqllab.md
@@ -0,0 +1,209 @@
+---
+title: SQL Lab
+sidebar_position: 1
+---
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+# SQL Lab Extension Points
+
+SQL Lab provides 5 extension points where extensions can contribute custom UI components. Each area serves a specific purpose and can be customized to add new functionality.
+
+## Layout Overview
+
+```
+┌──────────┬─────────────────────────────────────────┬─────────────┐
+│          │                                         │             │
+│          │                                         │             │
+│          │                Editor                   │             │
+│          │                                         │             │
+│   Left   │                                         │    Right    │
+│  Sidebar ├─────────────────────────────────────────┤   Sidebar   │
+│          │                                         │             │
+│          │                Panels                   │             │
+│          │                                         │             │
+│          │                                         │             │
+│          │                                         │             │
+├──────────┴─────────────────────────────────────────┴─────────────┤
+│                          Status Bar                              │
+└──────────────────────────────────────────────────────────────────┘
+```
+
+| Extension Point   | ID                    | Description                                                |
+| ----------------- | --------------------- | ---------------------------------------------------------- |
+| **Left Sidebar**  | `sqllab.leftSidebar`  | Navigation and browsing (database explorer, saved queries) |
+| **Editor**        | `sqllab.editor`       | SQL query editor workspace                                 |
+| **Right Sidebar** | `sqllab.rightSidebar` | Contextual tools (AI assistants, query analysis)           |
+| **Panels**        | `sqllab.panels`       | Results and related views (visualizations, data profiling) |
+| **Status Bar**    | `sqllab.statusBar`    | Connection status and query metrics                        |
+
+## Area Customizations
+
+Each extension point area supports three types of action customizations:
+
+```
+┌───────────────────────────────────────────────────────────────┐
+│  Area Title                         [Button] [Button]   [•••] │
+├───────────────────────────────────────────────────────────────┤
+│                                                               │
+│                                                               │
+│                          Area Content                         │
+│                                                               │
+│                  (right-click for context menu)               │
+│                                                               │
+│                                                               │
+└───────────────────────────────────────────────────────────────┘
+```
+
+| Action Type           | Location          | Use Case                                              |
+| --------------------- | ----------------- | ----------------------------------------------------- |
+| **Primary Actions**   | Top-right buttons | Frequently used actions (e.g., run, refresh, add new) |
+| **Secondary Actions** | 3-dot menu (•••)  | Less common actions (e.g., export, settings)          |
+| **Context Actions**   | Right-click menu  | Context-sensitive actions on content                  |
+
+## Examples
+
+### Adding a Panel
+
+This example adds a "Data Profiler" panel to SQL Lab:
+
+```json
+{
+  "name": "data_profiler",
+  "version": "1.0.0",
+  "frontend": {
+    "contributions": {
+      "views": {
+        "sqllab.panels": [
+          {
+            "id": "data_profiler.main",
+            "name": "Data Profiler"
+          }
+        ]
+      }
+    }
+  }
+}
+```
+
+```typescript
+import { core } from '@apache-superset/core';
+import DataProfilerPanel from './DataProfilerPanel';
+
+export function activate(context) {
+  // Register the panel view with the ID declared in extension.json
+  const disposable = core.registerView('data_profiler.main', <DataProfilerPanel />);
+  context.subscriptions.push(disposable);
+}
+```
+
+### Adding Actions to the Editor
+
+This example adds primary, secondary, and context actions to the editor:
+
+```json
+{
+  "name": "query_tools",
+  "version": "1.0.0",
+  "frontend": {
+    "contributions": {
+      "commands": [
+        {
+          "command": "query_tools.format",
+          "title": "Format Query",
+          "icon": "FormatPainterOutlined"
+        },
+        {
+          "command": "query_tools.explain",
+          "title": "Explain Query"
+        },
+        {
+          "command": "query_tools.copy_as_cte",
+          "title": "Copy as CTE"
+        }
+      ],
+      "menus": {
+        "sqllab.editor": {
+          "primary": [
+            {
+              "view": "builtin.editor",
+              "command": "query_tools.format"
+            }
+          ],
+          "secondary": [
+            {
+              "view": "builtin.editor",
+              "command": "query_tools.explain"
+            }
+          ],
+          "context": [
+            {
+              "view": "builtin.editor",
+              "command": "query_tools.copy_as_cte"
+            }
+          ]
+        }
+      }
+    }
+  }
+}
+```
+
+```typescript
+import { commands, sqlLab } from '@apache-superset/core';
+
+export function activate(context) {
+  // Register the commands declared in extension.json
+  const formatCommand = commands.registerCommand('query_tools.format', {
+    execute: () => {
+      const tab = sqlLab.getCurrentTab();
+      if (tab?.editor) {
+        // Format the SQL query
+      }
+    },
+  });
+
+  const explainCommand = commands.registerCommand('query_tools.explain', {
+    execute: () => {
+      const tab = sqlLab.getCurrentTab();
+      if (tab?.editor) {
+        // Show query explanation
+      }
+    },
+  });
+
+  const copyAsCteCommand = commands.registerCommand('query_tools.copy_as_cte', {
+    execute: () => {
+      const tab = sqlLab.getCurrentTab();
+      if (tab?.editor) {
+        // Copy selected text as CTE
+      }
+    },
+  });
+
+  context.subscriptions.push(formatCommand, explainCommand, copyAsCteCommand);
+}
+```
+
+## Next Steps
+
+- **[Contribution Types](../contribution-types)** - Learn about other contribution types (commands, menus)
+- **[Development](../development)** - Set up your development environment
+- **[Quick Start](../quick-start)** - Build a complete extension
--- a/docs/developer_portal/extensions/extension-project-structure.md
+++ b/docs/developer_portal/extensions/extension-project-structure.md
@@ -1,78 +0,0 @@
---
-title: Extension Project Structure
-sidebar_position: 3
---
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one
-or more contributor license agreements.  See the NOTICE file
-distributed with this work for additional information
-regarding copyright ownership.  The ASF licenses this file
-to you under the Apache License, Version 2.0 (the
-"License"); you may not use this file except in compliance
-with the License.  You may obtain a copy of the License at
-
-  http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing,
-software distributed under the License is distributed on an
-"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-KIND, either express or implied.  See the License for the
-specific language governing permissions and limitations
-under the License.
-->
-
-# Extension Project Structure
-
-The `apache-superset-extensions-cli` package provides a command-line interface (CLI) that streamlines the extension development workflow. It offers the following commands:
-
-```
-superset-extensions init: Generates the initial folder structure and scaffolds a new extension project.
-
-superset-extensions build: Builds extension assets.
-
-superset-extensions bundle: Packages the extension into a .supx file.
-
-superset-extensions dev: Automatically rebuilds the extension as files change.
-```
-
-When creating a new extension with `superset-extensions init <extension-name>`, the CLI generates a standardized folder structure:
-
-```
-dataset_references/
-├── extension.json
-├── frontend/
-│   ├── src/
-│   ├── webpack.config.js
-│   ├── tsconfig.json
-│   └── package.json
-├── backend/
-│   ├── src/
-│        └── dataset_references/
-│   ├── tests/
-│   ├── pyproject.toml
-│   └── requirements.txt
-├── dist/
-│   ├── manifest.json
-│   ├── frontend
-│        └── dist/
-│             ├── remoteEntry.d7a9225d042e4ccb6354.js
-│             └── 900.038b20cdff6d49cfa8d9.js
-│   └── backend
-│        └── dataset_references/
-│             ├── __init__.py
-│             ├── api.py
-│             └── entrypoint.py
-├── dataset_references-1.0.0.supx
-└── README.md
-```
-
-The `extension.json` file serves as the declared metadata for the extension, containing the extension's name, version, author, description, and a list of capabilities. This file is essential for the host application to understand how to load and manage the extension.
-
-The `frontend` directory contains the source code for the frontend components of the extension, including React components, styles, and assets. The `webpack.config.js` file is used to configure Webpack for building the frontend code, while the `tsconfig.json` file defines the TypeScript configuration for the project. The `package.json` file specifies the dependencies and scripts for building and testing the frontend code.
-
-The `backend` directory contains the source code for the backend components of the extension, including Python modules, tests, and configuration files. The `pyproject.toml` file is used to define the Python package and its dependencies, while the r`equirements.txt` file lists the required Python packages for the extension. The `src` folder contains the functional backend source files, `tests` directory contains unit tests for the backend code, ensuring that the extension behaves as expected and meets the defined requirements.
-
-The `dist` directory is built when running the `build` or `dev` command, and contains the files that will be included in the bundle. The `manifest.json` file contains critical metadata about the extension, including the majority of the contents of the `extension.json` file, but also other build-time information, like the name of the built Webpack Module Federation remote entry file. The files in the `dist` directory will be zipped into the final `.supx` file. Although this file is technically a zip archive, the `.supx` extension makes it clear that it is a Superset extension package and follows a specific file layout. This packaged file can be distributed and installed in Superset instances.
-
-The `README.md` file provides documentation and instructions for using the extension, including how to install, configure, and use its functionality.
--- a/docs/developer_portal/extensions/frontend-contribution-types.md
+++ b/docs/developer_portal/extensions/frontend-contribution-types.md
@@ -1,90 +0,0 @@
---
-title: Frontend Contribution Types
-sidebar_position: 5
---
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one
-or more contributor license agreements.  See the NOTICE file
-distributed with this work for additional information
-regarding copyright ownership.  The ASF licenses this file
-to you under the Apache License, Version 2.0 (the
-"License"); you may not use this file except in compliance
-with the License.  You may obtain a copy of the License at
-
-  http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing,
-software distributed under the License is distributed on an
-"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-KIND, either express or implied.  See the License for the
-specific language governing permissions and limitations
-under the License.
-->
-
-# Frontend Contribution Types
-
-To facilitate the development of extensions, we will define a set of well-defined contribution types that extensions can implement. These contribution types will serve as the building blocks for extensions, allowing them to interact with the host application and provide new functionality. The initial set of contribution types will include:
-
-## Views
-
-Extensions can add new views or panels to the host application, such as custom SQL Lab panels, dashboards, or other UI components. Each view is registered with a unique ID and can be activated or deactivated as needed. Contribution areas are uniquely identified (e.g., `sqllab.panels` for SQL Lab panels), enabling seamless integration into specific parts of the application.
-
-``` json
-"views": {
-  "sqllab.panels": [
-    {
-      "id": "dataset_references.main",
-      "name": "Table references"
-    }
-  ]
-},
-```
-
-## Commands
-
-Extensions can define custom commands that can be executed within the host application, such as context-aware actions or menu options. Each command can specify properties like a unique command identifier, an icon, a title, and a description. These commands can be invoked by users through menus, keyboard shortcuts, or other UI elements, enabling extensions to add rich, interactive functionality to Superset.
-
-``` json
-"commands": [
-  {
-    "command": "extension1.copy_query",
-    "icon": "CopyOutlined",
-    "title": "Copy Query",
-    "description": "Copy the current query to clipboard"
-  },
-]
-```
-
-## Menus
-
-Extensions can contribute new menu items or context menus to the host application, providing users with additional actions and options. Each menu item can specify properties such as the target view, the command to execute, its placement (primary, secondary, or context), and conditions for when it should be displayed. Menu contribution areas are uniquely identified (e.g., `sqllab.editor` for the SQL Lab editor), allowing extensions to seamlessly integrate their functionality into specific menus and workflows within Superset.
-
-``` json
-"menus": {
-  "sqllab.editor": {
-    "primary": [
-      {
-        "view": "builtin.editor",
-        "command": "extension1.copy_query"
-      }
-    ],
-    "secondary": [
-      {
-        "view": "builtin.editor",
-        "command": "extension1.prettify"
-      }
-    ],
-    "context": [
-      {
-        "view": "builtin.editor",
-        "command": "extension1.clear"
-      },
-      {
-        "view": "builtin.editor",
-     "command": "extension1.refresh"
-      }
-    ]
-  },
-}
-```
--- a/docs/developer_portal/extensions/interacting-with-host.md
+++ b/docs/developer_portal/extensions/interacting-with-host.md
@@ -1,120 +0,0 @@
---
-title: Interacting with the Host
-sidebar_position: 6
---
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one
-or more contributor license agreements.  See the NOTICE file
-distributed with this work for additional information
-regarding copyright ownership.  The ASF licenses this file
-to you under the Apache License, Version 2.0 (the
-"License"); you may not use this file except in compliance
-with the License.  You may obtain a copy of the License at
-
-  http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing,
-software distributed under the License is distributed on an
-"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-KIND, either express or implied.  See the License for the
-specific language governing permissions and limitations
-under the License.
-->
-
-# Interacting with the Host
-
-Extensions interact with Superset through well-defined, versioned APIs provided by the `@apache-superset/core` (frontend) and `apache-superset-core` (backend) packages. These APIs are designed to be stable, discoverable, and consistent for both built-in and external extensions.
-
-**Frontend APIs** (via `@apache-superset/core)`:
-
-The frontend extension APIs in Superset are organized into logical namespaces such as `authentication`, `commands`, `extensions`, `sqlLab`, and others. Each namespace groups related functionality, making it easy for extension authors to discover and use the APIs relevant to their needs. For example, the `sqlLab` namespace provides events and methods specific to SQL Lab, allowing extensions to react to user actions and interact with the SQL Lab environment:
-
-``` typescript
-export const getCurrentTab: () => Tab | undefined;
-
-export const getDatabases: () => Database[];
-
-export const getTabs: () => Tab[];
-
-export const onDidChangeEditorContent: Event<string>;
-
-export const onDidClosePanel: Event<Panel>;
-
-export const onDidChangeActivePanel: Event<Panel>;
-
-export const onDidChangeTabTitle: Event<string>;
-
-export const onDidQueryRun: Event<Editor>;
-
-export const onDidQueryStop: Event<Editor>;
-```
-
-The following code demonstrates more examples of the existing frontend APIs:
-
-``` typescript
-import { core, commands, sqlLab, authentication, Button } from '@apache-superset/core';
-import MyPanel from './MyPanel';
-
-export function activate(context) {
-  // Register a new panel (view) in SQL Lab and use shared UI components in your extension's React code
-  const panelDisposable = core.registerView('my_extension.panel', <MyPanel><Button/></MyPanel>);
-
-  // Register a custom command
-  const commandDisposable = commands.registerCommand('my_extension.copy_query', {
-    title: 'Copy Query',
-    execute: () => {
-      // Command logic here
-    },
-  });
-
-  // Listen for query run events in SQL Lab
-  const eventDisposable = sqlLab.onDidQueryRun(editor => {
-    // Handle query execution event
-  });
-
-  // Access a CSRF token for secure API requests
-  authentication.getCSRFToken().then(token => {
-    // Use token as needed
-  });
-
-  // Add all disposables for automatic cleanup on deactivation
-  context.subscriptions.push(panelDisposable, commandDisposable, eventDisposable);
-}
-```
-
-**Backend APIs** (via `apache-superset-core`):
-
-Backend APIs follow a similar pattern, providing access to Superset's models, sessions, and query capabilities. Extensions can register REST API endpoints, access the metadata database, and interact with Superset's core functionality.
-
-Extension endpoints are registered under a dedicated `/extensions` namespace to avoid conflicting with built-in endpoints and also because they don't share the same version constraints. By grouping all extension endpoints under `/extensions`, Superset establishes a clear boundary between core and extension functionality, making it easier to manage, document, and secure both types of APIs.
-
-``` python
-from superset_core.api import rest_api, models, query
-from .api import DatasetReferencesAPI
-
-# Register a new extension REST API
-rest_api.add_extension_api(DatasetReferencesAPI)
-
-# Access Superset models with simple queries that filter out entities that
-# the user doesn't have access to
-databases = models.get_databases(id=database_id)
-if not databases:
-    return self.response_404()
-
-database = databases[0]
-
-# Perform complex queries using SQLAlchemy BaseQuery, also filtering
-# out inaccessible entities
-session = models.get_session()
-db_model = models.get_database_model())
-database_query = session.query(db_model.database_name.ilike("%abc%")
-databases_containing_abc = models.get_databases(query)
-
-# Bypass security model for highly custom use cases
-session = models.get_session()
-db_model = models.get_database_model())
-all_databases_containg_abc = session.query(db_model.database_name.ilike("%abc%").all()
-```
-
-In the future, we plan to expand the backend APIs to support configuring security models, database engines, SQL Alchemy dialects, etc.
--- a/docs/developer_portal/extensions/mcp.md
+++ b/docs/developer_portal/extensions/mcp.md
@@ -0,0 +1,459 @@
+---
+title: MCP Integration
+hide_title: true
+sidebar_position: 7
+version: 1
+---
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+# MCP Integration
+
+Model Context Protocol (MCP) integration allows extensions to register custom AI agent capabilities that integrate seamlessly with Superset's MCP service. Extensions can provide both **tools** (executable functions) and **prompts** (interactive guidance) that AI agents can discover and use.
+
+## What is MCP?
+
+MCP enables extensions to extend Superset's AI capabilities in two ways:
+
+### MCP Tools
+Tools are Python functions that AI agents can call to perform specific tasks. They provide executable functionality that extends Superset's capabilities.
+
+**Examples of MCP tools:**
+- Data processing and transformation functions
+- Custom analytics calculations
+- Integration with external APIs
+- Specialized report generation
+- Business-specific operations
+
+### MCP Prompts
+Prompts provide interactive guidance and context to AI agents. They help agents understand how to better assist users with specific workflows or domain knowledge.
+
+**Examples of MCP prompts:**
+- Step-by-step workflow guidance
+- Domain-specific context and knowledge
+- Interactive troubleshooting assistance
+- Template generation helpers
+- Best practices recommendations
+
+## Getting Started
+
+## MCP Tools
+
+### Basic Tool Registration
+
+The simplest way to create an MCP tool is using the `@tool` decorator:
+
+```python
+from superset_core.mcp import tool
+
+@tool
+def hello_world() -> dict:
+    """A simple greeting tool."""
+    return {"message": "Hello from my extension!"}
+```
+
+This creates a tool that AI agents can call by name. The tool name defaults to the function name.
+
+### Decorator Parameters
+
+The `@tool` decorator accepts several optional parameters:
+
+**Parameter details:**
+- **`name`**: Tool identifier (AI agents use this to call your tool)
+- **`description`**: Explains what the tool does (helps AI agents decide when to use it)
+- **`tags`**: Categories for organization and discovery
+- **`protect`**: Whether the tool requires user authentication (defaults to `True`)
+
+### Naming Your Tools
+
+For extensions, include your extension ID in tool names to avoid conflicts:
+
+## Complete Example
+
+Here's a more comprehensive example showing best practices:
+
+```python
+# backend/mcp_tools.py
+import random
+from datetime import datetime, timezone
+from pydantic import BaseModel, Field
+from superset_core.mcp import tool
+
+class RandomNumberRequest(BaseModel):
+    """Request schema for random number generation."""
+
+    min_value: int = Field(
+        description="Minimum value (inclusive) for random number generation",
+        ge=-2147483648,
+        le=2147483647
+    )
+    max_value: int = Field(
+        description="Maximum value (inclusive) for random number generation",
+        ge=-2147483648,
+        le=2147483647
+    )
+
+@tool(
+    name="example_extension.random_number",
+    tags=["extension", "utility", "random", "generator"]
+)
+def random_number_generator(request: RandomNumberRequest) -> dict:
+    """
+    Generate a random integer between specified bounds.
+
+    This tool validates input ranges and provides detailed error messages
+    for invalid requests.
+    """
+
+    # Validate business logic (Pydantic handles type/range validation)
+    if request.min_value > request.max_value:
+        return {
+            "status": "error",
+            "error": f"min_value ({request.min_value}) cannot be greater than max_value ({request.max_value})",
+            "timestamp": datetime.now(timezone.utc).isoformat()
+        }
+
+    # Generate random number
+    result = random.randint(request.min_value, request.max_value)
+
+    return {
+        "status": "success",
+        "random_number": result,
+        "min_value": request.min_value,
+        "max_value": request.max_value,
+        "range_size": request.max_value - request.min_value + 1,
+        "timestamp": datetime.now(timezone.utc).isoformat()
+    }
+```
+
+## Best Practices
+
+### Response Format
+
+Use consistent response structures:
+
+```python
+# Success response
+{
+    "status": "success",
+    "result": "your_data_here",
+    "timestamp": "2024-01-01T00:00:00Z"
+}
+
+# Error response
+{
+    "status": "error",
+    "error": "Clear error message",
+    "timestamp": "2024-01-01T00:00:00Z"
+}
+```
+
+### Documentation
+
+Write clear descriptions and docstrings:
+
+```python
+@tool(
+    name="my_extension.process_data",
+    description="Process customer data and generate insights. Requires valid customer ID and date range.",
+    tags=["analytics", "customer", "reporting"]
+)
+def process_data(customer_id: int, start_date: str, end_date: str) -> dict:
+    """
+    Process customer data for the specified date range.
+
+    This tool analyzes customer behavior patterns and generates
+    actionable insights for business decision-making.
+
+    Args:
+        customer_id: Unique customer identifier
+        start_date: Analysis start date (YYYY-MM-DD format)
+        end_date: Analysis end date (YYYY-MM-DD format)
+
+    Returns:
+        Dictionary containing analysis results and recommendations
+    """
+    # Implementation here
+    pass
+```
+
+### Tool Naming
+
+- **Extension tools**: Use prefixed names like `my_extension.tool_name`
+- **Descriptive names**: `calculate_tax_amount` vs `calculate`
+- **Consistent naming**: Follow patterns within your extension
+
+## How AI Agents Use Your Tools
+
+Once registered, AI agents can discover and use your tools automatically:
+
+```
+User: "Generate a random number between 1 and 100"
+Agent: I'll use the random number generator tool.
+→ Calls: example_extension.random_number(min_value=1, max_value=100)
+← Returns: {"status": "success", "random_number": 42, ...}
+Agent: I generated the number 42 for you.
+```
+
+The AI agent sees your tool's:
+- **Name**: How to call it
+- **Description**: What it does and when to use it
+- **Parameters**: What inputs it expects (from Pydantic schema)
+- **Tags**: Categories for discovery
+
+## Troubleshooting
+
+### Tool Not Available to AI Agents
+
+1. **Check extension registration**: Verify your tool module is listed in extension entrypoints
+2. **Verify decorator**: Ensure `@tool` is correctly applied
+3. **Extension loading**: Confirm your extension is installed and enabled
+
+### Input Validation Errors
+
+1. **Pydantic models**: Ensure field types match expected inputs
+2. **Field constraints**: Check min/max values and string lengths are reasonable
+3. **Required fields**: Verify which parameters are required vs optional
+
+### Runtime Issues
+
+1. **Error handling**: Add try/catch blocks with clear error messages
+2. **Response format**: Use consistent status/error/timestamp structure
+3. **Testing**: Test your tools with various input scenarios
+
+### Development Tips
+
+1. **Start simple**: Begin with basic tools, add complexity gradually
+2. **Test locally**: Use MCP clients (like Claude Desktop) to test your tools
+3. **Clear descriptions**: Write tool descriptions as if explaining to a new user
+4. **Meaningful tags**: Use tags that help categorize and discover tools
+5. **Error messages**: Provide specific, actionable error messages
+
+## MCP Prompts
+
+### Basic Prompt Registration
+
+Create interactive prompts using the `@prompt` decorator:
+
+```python
+from superset_core.mcp import prompt
+from fastmcp import Context
+
+@prompt("my_extension.workflow_guide")
+async def workflow_guide(ctx: Context) -> str:
+    """Interactive guide for data analysis workflows."""
+    return """
+    # Data Analysis Workflow Guide
+
+    Here's a step-by-step approach to effective data analysis in Superset:
+
+    ## 1. Data Discovery
+    - Start by exploring your datasets using the dataset browser
+    - Check data quality and identify key metrics
+    - Look for patterns and relationships in your data
+
+    ## 2. Chart Creation
+    - Choose appropriate visualizations for your data types
+    - Apply filters to focus on relevant subsets
+    - Configure proper aggregations and groupings
+
+    ## 3. Dashboard Assembly
+    - Combine related charts into coherent dashboards
+    - Use filters and parameters for interactivity
+    - Add markdown components for context and explanations
+
+    Would you like guidance on any specific step?
+    """
+```
+
+### Advanced Prompt Examples
+
+#### Domain-Specific Context
+
+```python
+@prompt(
+    "sales_extension.sales_analysis_guide",
+    title="Sales Analysis Guide",
+    description="Specialized guidance for sales data analysis workflows"
+)
+async def sales_analysis_guide(ctx: Context) -> str:
+    """Provides sales-specific analysis guidance and best practices."""
+    return """
+    # Sales Data Analysis Best Practices
+
+    ## Key Metrics to Track
+    - **Revenue Growth**: Month-over-month and year-over-year trends
+    - **Conversion Rates**: Lead-to-opportunity-to-close ratios
+    - **Customer Lifetime Value**: Total value per customer segment
+    - **Sales Cycle Length**: Time from lead to close by product/region
+
+    ## Recommended Chart Types
+    - **Time Series**: Revenue trends, seasonal patterns
+    - **Funnel Charts**: Conversion analysis across sales stages
+    - **Geographic Maps**: Regional performance comparison
+    - **Cohort Analysis**: Customer retention and growth patterns
+
+    ## Common Pitfalls to Avoid
+    - Don't mix different time granularities without proper context
+    - Always normalize for business days when comparing periods
+    - Consider external factors (holidays, market events) in analysis
+    - Segment by relevant dimensions (product, region, channel)
+
+    ## Next Steps
+    1. Identify your primary sales KPIs
+    2. Create baseline trend charts for each metric
+    3. Build comparative views across segments
+    4. Set up automated alerts for significant changes
+    """
+```
+
+#### Interactive Troubleshooting
+
+```python
+@prompt("support_extension.troubleshoot_charts")
+async def troubleshoot_charts(ctx: Context) -> str:
+    """Interactive troubleshooting assistant for chart issues."""
+    return """
+    # Chart Troubleshooting Assistant
+
+    Let's diagnose your chart issue step by step:
+
+    ## Common Issues and Solutions
+
+    ### 🚫 No Data Showing
+    **Possible causes:**
+    - Filters are too restrictive
+    - Date range doesn't match your data
+    - Database connection issues
+    - Missing permissions
+
+    **Check:** Try removing all filters and expanding the date range first.
+
+    ### 📊 Unexpected Aggregation Results
+    **Possible causes:**
+    - Incorrect grouping dimensions
+    - Wrong aggregation function (SUM vs COUNT vs AVG)
+    - Data quality issues (duplicates, nulls)
+    - Time zone mismatches
+
+    **Check:** Verify your GROUP BY columns and aggregation logic.
+
+    ### 🐌 Slow Performance
+    **Possible causes:**
+    - Large dataset without proper indexing
+    - Complex joins or calculations
+    - Missing query optimizations
+    - Resource constraints
+
+    **Check:** Simplify the query and add appropriate filters first.
+
+    ## Debug Steps
+    1. **Start Simple**: Create a basic count query first
+    2. **Add Gradually**: Introduce complexity step by step
+    3. **Check SQL**: Review the generated SQL for issues
+    4. **Test Data**: Verify with a small sample first
+
+    What specific issue are you experiencing?
+    """
+```
+
+### Prompt Best Practices
+
+#### Content Structure
+- **Use clear headings** and sections for easy navigation
+- **Provide actionable steps** rather than just theory
+- **Include examples** relevant to the user's domain
+- **Offer next steps** to continue the workflow
+
+#### Interactive Design
+- **Ask questions** to engage the user
+- **Provide options** for different scenarios
+- **Reference specific Superset features** by name
+- **Link to related tools** when appropriate
+
+#### Context Awareness
+```python
+@prompt("analytics_extension.context_aware_guide")
+async def context_aware_guide(ctx: Context) -> str:
+    """Provides guidance based on current user context."""
+    # Access user information if available
+    user_info = getattr(ctx, 'user', None)
+
+    guidance = """# Personalized Analytics Guide\n\n"""
+
+    if user_info:
+        guidance += f"Welcome back! Here's guidance tailored for your role:\n\n"
+
+    guidance += """
+    ## Getting Started
+    Based on your previous activity, here are recommended next steps:
+
+    1. **Review Recent Dashboards**: Check your most-used dashboards for updates
+    2. **Explore New Data**: Look for recently added datasets in your domain
+    3. **Share Insights**: Consider sharing successful analyses with your team
+
+    ## Advanced Techniques
+    - Set up automated alerts for key metrics
+    - Create parameterized dashboards for different audiences
+    - Use SQL Lab for complex custom analyses
+    """
+
+    return guidance
+```
+
+## Combining Tools and Prompts
+
+Extensions can provide both tools and prompts that work together:
+
+```python
+# Tool for data processing
+@tool("analytics_extension.calculate_metrics")
+def calculate_metrics(data: dict) -> dict:
+    """Calculate advanced analytics metrics."""
+    # Implementation here
+    pass
+
+# Prompt that guides users to the tool
+@prompt("analytics_extension.metrics_guide")
+async def metrics_guide(ctx: Context) -> str:
+    """Guide users through advanced metrics calculation."""
+    return """
+    # Advanced Metrics Calculation
+
+    Use the `calculate_metrics` tool to compute specialized analytics:
+
+    ## Available Metrics
+    - Customer Lifetime Value (CLV)
+    - Cohort Retention Rates
+    - Statistical Significance Tests
+    - Predictive Trend Analysis
+
+    ## Usage
+    Call the tool with your dataset to get detailed calculations
+    and recommendations for visualization approaches.
+
+    Would you like to calculate metrics for your current dataset?
+    """
+```
+
+## Next Steps
+
+- **[Development](./development)** - Project structure, APIs, and dev workflow
+- **[Security](./security)** - Security best practices for extensions
--- a/docs/developer_portal/extensions/overview.md
+++ b/docs/developer_portal/extensions/overview.md
@@ -24,53 +24,30 @@ under the License.

 # Overview

-Apache Superset's extension system allows developers to enhance and customize Superset's functionality through a modular, plugin-based architecture. Extensions can add new visualization types, custom UI components, data processing capabilities, and integration points.
+Apache Superset's extension system enables organizations to build custom features without modifying the core codebase. Inspired by the [VS Code extension model](https://code.visualstudio.com/api), this architecture addresses a long-standing challenge: teams previously had to fork Superset or make invasive modifications to add capabilities like query optimizers, custom panels, or specialized integrations—resulting in maintenance overhead and codebase fragmentation.
+
+The extension system introduces a modular, plugin-based architecture where both built-in features and external extensions use the same well-defined APIs. This "lean core" approach ensures that any capability available to Superset's internal features is equally accessible to community-developed extensions, fostering a vibrant ecosystem while reducing the maintenance burden on core contributors.

 ## What are Superset Extensions?

-Superset extensions are self-contained packages that extend the core platform's capabilities. They follow a standardized architecture that ensures compatibility, security, and maintainability while providing powerful customization options.
-
-## Extension Architecture
-
- **[Architecture](./architecture)** - Architectural principles and high-level system overview
- **[Extension Project Structure](./extension-project-structure)** - Standard project layout and organization
- **[Extension Metadata](./extension-metadata)** - Configuration and manifest structure
-
-## Development Guide
-
- **[Frontend Contribution Types](./frontend-contribution-types)** - Types of UI contributions available
- **[Interacting with Host](./interacting-with-host)** - Communication patterns with Superset core
- **[Development Mode](./development-mode)** - Tools and workflows for extension development
-
-For information about runtime loading and dependency management, see the [Dynamic Module Loading](./architecture#dynamic-module-loading) section in the Architecture page.
-
-## Deployment & Management
-
- **[Deploying Extension](./deploying-extension)** - Packaging and distribution strategies
- **[Security Implications](./security-implications)** - Security considerations and best practices
-
-## Hands-on Examples
-
- **[Quick Start](./quick-start)** - Complete Hello World extension walkthrough
+Superset extensions are self-contained `.supx` packages that extend the platform's capabilities through standardized contribution points. Each extension can include both frontend (React/TypeScript) and backend (Python) components, bundled together and loaded dynamically at runtime using Webpack Module Federation.

 ## Extension Capabilities

 Extensions can provide:

- **Custom Visualizations**: New chart types and data visualization components
- **UI Enhancements**: Custom dashboards, panels, and interactive elements  
- **Data Connectors**: Integration with external data sources and APIs
- **Workflow Automation**: Custom actions and batch processing capabilities
- **Authentication Providers**: SSO and custom authentication mechanisms
- **Theme Customization**: Custom styling and branding options
+- **Custom UI Components**: New panels, views, and interactive elements
+- **Commands and Menus**: Custom actions accessible via menus and keyboard shortcuts
+- **REST API Endpoints**: Backend services under the `/api/v1/extensions/` namespace
+- **MCP Tools and Prompts**: AI agent capabilities for enhanced user assistance

-## Getting Started
+## Next Steps

-1. **Learn the Architecture**: Start with [Architecture](./architecture) to understand the design philosophy
-2. **Set up Development**: Follow the [Development Mode](./development-mode) guide to configure your environment
-3. **Build Your First Extension**: Complete the [Quick Start](./quick-start) tutorial
-4. **Deploy and Share**: Use the [Deploying Extension](./deploying-extension) guide to package your extension
-
-## Extension Ecosystem
-
-The extension system is designed to foster a vibrant ecosystem of community-contributed functionality. By following the established patterns and guidelines, developers can create extensions that seamlessly integrate with Superset while maintaining the platform's reliability and performance standards.
+- **[Quick Start](./quick-start)** - Build your first extension with a complete walkthrough
+- **[Architecture](./architecture)** - Design principles and system overview
+- **[Contribution Types](./contribution-types)** - Available extension points
+- **[Development](./development)** - Project structure, APIs, and development workflow
+- **[Deployment](./deployment)** - Packaging and deploying extensions
+- **[MCP Integration](./mcp)** - Adding AI agent capabilities using extensions
+- **[Security](./security)** - Security considerations and best practices
+- **[Community Extensions](./registry)** - Browse extensions shared by the community
--- a/docs/developer_portal/extensions/quick-start.md
+++ b/docs/developer_portal/extensions/quick-start.md
@@ -128,7 +128,7 @@ The CLI generated a basic `backend/src/hello_world/entrypoint.py`. We'll create
 ```python
 from flask import Response
 from flask_appbuilder.api import expose, protect, safe
-from superset_core.api.types.rest_api import RestApi
+from superset_core.api.rest_api import RestApi


 class HelloWorldAPI(RestApi):
@@ -191,7 +191,125 @@ This registers your API with Superset when the extension loads.

 ## Step 5: Create Frontend Component

-The CLI generated boilerplate files. The webpack config and package.json are already properly configured with Module Federation.
+The CLI generates the frontend configuration files. Below are the key configurations that enable Module Federation integration with Superset.
+
+**`frontend/package.json`**
+
+The `@apache-superset/core` package must be listed in both `peerDependencies` (to declare runtime compatibility) and `devDependencies` (to provide TypeScript types during build):
+
+```json
+{
+  "name": "hello_world",
+  "version": "0.1.0",
+  "private": true,
+  "license": "Apache-2.0",
+  "scripts": {
+    "start": "webpack serve --mode development",
+    "build": "webpack --stats-error-details --mode production"
+  },
+  "peerDependencies": {
+    "@apache-superset/core": "^x.x.x",
+    "react": "^x.x.x",
+    "react-dom": "^x.x.x"
+  },
+  "devDependencies": {
+    "@apache-superset/core": "^x.x.x",
+    "@types/react": "^x.x.x",
+    "ts-loader": "^x.x.x",
+    "typescript": "^x.x.x",
+    "webpack": "^5.x.x",
+    "webpack-cli": "^x.x.x",
+    "webpack-dev-server": "^x.x.x"
+  }
+}
+```
+
+**`frontend/webpack.config.js`**
+
+The webpack configuration requires specific settings for Module Federation. Key settings include `externalsType: "window"` and `externals` to map `@apache-superset/core` to `window.superset` at runtime, `import: false` for shared modules to use the host's React instead of bundling a separate copy, and `remoteEntry.[contenthash].js` for cache busting:
+
+```javascript
+const path = require("path");
+const { ModuleFederationPlugin } = require("webpack").container;
+const packageConfig = require("./package.json");
+
+module.exports = (env, argv) => {
+  const isProd = argv.mode === "production";
+
+  return {
+    entry: isProd ? {} : "./src/index.tsx",
+    mode: isProd ? "production" : "development",
+    devServer: {
+      port: 3001,
+      headers: {
+        "Access-Control-Allow-Origin": "*",
+      },
+    },
+    output: {
+      filename: isProd ? undefined : "[name].[contenthash].js",
+      chunkFilename: "[name].[contenthash].js",
+      clean: true,
+      path: path.resolve(__dirname, "dist"),
+      publicPath: `/api/v1/extensions/${packageConfig.name}/`,
+    },
+    resolve: {
+      extensions: [".ts", ".tsx", ".js", ".jsx"],
+    },
+    // Map @apache-superset/core imports to window.superset at runtime
+    externalsType: "window",
+    externals: {
+      "@apache-superset/core": "superset",
+    },
+    module: {
+      rules: [
+        {
+          test: /\.tsx?$/,
+          use: "ts-loader",
+          exclude: /node_modules/,
+        },
+      ],
+    },
+    plugins: [
+      new ModuleFederationPlugin({
+        name: packageConfig.name,
+        filename: "remoteEntry.[contenthash].js",
+        exposes: {
+          "./index": "./src/index.tsx",
+        },
+        shared: {
+          react: {
+            singleton: true,
+            requiredVersion: packageConfig.peerDependencies.react,
+            import: false, // Use host's React, don't bundle
+          },
+          "react-dom": {
+            singleton: true,
+            requiredVersion: packageConfig.peerDependencies["react-dom"],
+            import: false,
+          },
+        },
+      }),
+    ],
+  };
+};
+```
+
+**`frontend/tsconfig.json`**
+
+```json
+{
+  "compilerOptions": {
+    "baseUrl": ".",
+    "moduleResolution": "node",
+    "jsx": "react",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true
+  },
+  "include": ["src"]
+}
+```

 **Create `frontend/src/HelloWorldPanel.tsx`**

@@ -337,7 +455,7 @@ Add the following to your `superset_config.py`:
 ```python
 # Enable extensions feature
 FEATURE_FLAGS = {
-    "EXTENSIONS": True,
+    "ENABLE_EXTENSIONS": True,
 }

 # Set the directory where extensions are stored
@@ -388,10 +506,9 @@ Here's what happens when your extension loads:

 Now that you have a working extension, explore:

- **[Development Mode](./development-mode)** - Faster iteration with local development and watch mode
- **[Extension Project Structure](./extension-project-structure)** - Best practices for organizing larger extensions
- **[Frontend Contribution Types](./frontend-contribution-types)** - Other UI contribution points beyond panels
- **[Interacting with Host](./interacting-with-host)** - Advanced APIs for interacting with Superset
- **[Security Implications](./security-implications)** - Security best practices for extensions
+- **[Development](./development)** - Project structure, APIs, and development workflow
+- **[Contribution Types](./contribution-types)** - Other contribution points beyond panels
+- **[Deployment](./deployment)** - Packaging and deploying your extension
+- **[Security](./security)** - Security best practices for extensions

 For a complete real-world example, examine the query insights extension in the Superset codebase.
--- a/docs/developer_portal/extensions/registry.md
+++ b/docs/developer_portal/extensions/registry.md
@@ -0,0 +1,47 @@
+---
+title: Community Extensions
+sidebar_position: 9
+---
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+# Community Extensions
+
+This page serves as a registry of community-created Superset extensions. These extensions are developed and maintained by community members and are not officially supported or vetted by the Apache Superset project. **Before installing any community extension, administrators are responsible for evaluating the extension's source code for security vulnerabilities, performance impact, UI/UX quality, and compatibility with their Superset deployment.**
+
+## Extensions
+
+| Name                                                                                                      | Description                                                                                                                                                                                                                                         | Author            | Preview                                                                                                                                                 |
+| --------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| [Extensions API Explorer](https://github.com/michael-s-molina/superset-extensions/tree/main/api_explorer) | A SQL Lab panel that demonstrates the Extensions API by providing an interactive explorer for testing commands like getTabs, getCurrentTab, and getDatabases. Useful for extension developers to understand and experiment with the available APIs. | Michael S. Molina | <a href="/img/extensions/api_explorer.png" target="_blank"><img src="/img/extensions/api_explorer.png" alt="Extensions API Explorer" width="120" /></a> |
+| [SQL Query Flow Visualizer](https://github.com/msyavuz/superset-sql-visualizer) | A SQL Lab panel that transforms SQL queries into interactive flow diagrams, helping developers and analysts understand query execution paths and data relationships.| Mehmet Salih Yavuz | <a href="/img/extensions/sql_flow_visualizer.png" target="_blank"><img src="/img/extensions/sql_flow_visualizer.png" alt="SQL Flow Visualizer" width="120" /></a> |
+## How to Add Your Extension
+
+To add your extension to this registry, submit a pull request to the [Apache Superset repository](https://github.com/apache/superset) with the following changes:
+
+1. Add a row to the **Extensions** table above using this format:
+
+```markdown
+| [Your Extension](https://github.com/your-username/your-repo) | A brief description of your extension. | Your Name | <a href="/img/extensions/your-screenshot.png" target="_blank"><img src="/img/extensions/your-screenshot.png" alt="Your Extension" width="120" /></a> |
+```
+
+2. Add a screenshot to `docs/static/img/extensions/` (recommended size: 800x450px, PNG or JPG format)
+
+3. Submit your PR with a title like "docs: Add [Extension Name] to community extensions registry"
--- a/docs/developer_portal/extensions/security-implications.md
+++ b/docs/developer_portal/extensions/security-implications.md
@@ -1,6 +1,6 @@
 ---
-title: Security Implications and Responsibilities
-sidebar_position: 12
+title: Security
+sidebar_position: 8
 ---

 <!--
@@ -22,12 +22,14 @@ specific language governing permissions and limitations
 under the License.
 -->

-# Security Implications and Responsibilities
+# Security

 By default, extensions are disabled and must be explicitly enabled by setting the `ENABLE_EXTENSIONS` feature flag. Built-in extensions are included as part of the Superset codebase and are held to the same security standards and review processes as the rest of the application.

 For external extensions, administrators are responsible for evaluating and verifying the security of any extensions they choose to install, just as they would when installing third-party NPM or PyPI packages. At this stage, all extensions run in the same context as the host application, without additional sandboxing. This means that external extensions can impact the security and performance of a Superset environment in the same way as any other installed dependency.

-We plan to introduce an optional sandboxed execution model for extensions in the future (as part of an additional SIP). Until then, administrators should exercise caution and follow best practices when selecting and deploying third-party extensions. A directory of known Superset extensions may be maintained in a means similar to [this page](https://github.com/apache/superset/wiki/Superset-Third%E2%80%90Party-Plugins-Directory) on the wiki. We also discussed the possibility of introducing a shared registry for vetted extensions but decided to leave it out of the initial scope of the project. We might introduce a registry at a later stage depending on the evolution of extensions created by the community.
+We plan to introduce an optional sandboxed execution model for extensions in the future (as part of an additional SIP). Until then, administrators should exercise caution and follow best practices when selecting and deploying third-party extensions. A directory of community extensions is available in the [Community Extensions](./registry) page. Note that these extensions are not vetted by the Apache Superset project—administrators must evaluate each extension before installation.

-Any performance or security vulnerabilities introduced by external extensions should be reported directly to the extension author, not as Superset vulnerabilities. Any security concerns regarding built-in extensions (included in Superset's monorepo) should be reported to the Superset Security mailing list for triage and resolution by maintainers.
+**Any performance or security vulnerabilities introduced by external extensions should be reported directly to the extension author, not as Superset vulnerabilities.**
+
+Any security concerns regarding built-in extensions (included in Superset's monorepo) should be reported to the Superset Security mailing list for triage and resolution by maintainers.
--- a/docs/developer_portal/sidebars.js
+++ b/docs/developer_portal/sidebars.js
@@ -36,13 +36,20 @@ module.exports = {
        'extensions/overview',
        'extensions/quick-start',
        'extensions/architecture',
-        'extensions/extension-project-structure',
-        'extensions/extension-metadata',
-        'extensions/frontend-contribution-types',
-        'extensions/interacting-with-host',
-        'extensions/deploying-extension',
-        'extensions/development-mode',
-        'extensions/security-implications',
+        'extensions/contribution-types',
+        {
+          type: 'category',
+          label: 'Extension Points',
+          collapsed: true,
+          items: [
+            'extensions/extension-points/sqllab',
+          ],
+        },
+        'extensions/development',
+        'extensions/deployment',
+        'extensions/mcp',
+        'extensions/security',
+        'extensions/registry',
      ],
    },
    {
--- a/docs/docs/configuration/alerts-reports.mdx
+++ b/docs/docs/configuration/alerts-reports.mdx
@@ -294,6 +294,14 @@ Check this by attempting to `curl` the URL of a report that you see in the error

 In a deployment with authentication measures enabled like HTTPS and Single Sign-On, it may make sense to have the worker navigate directly to the Superset application running in the same location, avoiding the need to sign in.  For instance, you could use `WEBDRIVER_BASEURL="http://superset_app:8088"` for a docker compose deployment, and set `"force_https": False,` in your `TALISMAN_CONFIG`.

+### Duplicate report deliveries
+
+In some deployment configurations a scheduled report can be delivered more than once around its planned time. This typically happens when more than one process is responsible for running the alerts & reports schedule (for example, multiple schedulers or Celery beat instances). To avoid duplicate emails or notifications:
+
+- Ensure that only a **single scheduler/beat process** is configured to trigger alerts and reports for a given environment.
+- If you run **multiple Celery workers**, verify that there is still only one component responsible for scheduling the report tasks (workers should execute tasks, not schedule them independently).
+- Review your deployment/orchestration setup (for example systemd, Docker, or Kubernetes) to make sure the alerts & reports scheduler is **not started from multiple places by accident**.
+
 ## Scheduling Queries as Reports

 You can optionally allow your users to schedule queries directly in SQL Lab. This is done by adding
--- a/docs/docs/configuration/async-queries-celery.mdx
+++ b/docs/docs/configuration/async-queries-celery.mdx
@@ -52,11 +52,11 @@ To start a job which schedules periodic background jobs, run the following comma
 celery --app=superset.tasks.celery_app:app beat
 ```

-To setup a result backend, you need to pass an instance of a derivative of from
-from flask_caching.backends.base import BaseCache to the RESULTS_BACKEND configuration key in your superset_config.py. You can
-use Memcached, Redis, S3 (https://pypi.python.org/pypi/s3werkzeugcache), memory or the file system
-(in a single server-type setup or for testing), or to write your own caching interface. Your
-`superset_config.py` may look something like:
+To setup a result backend, you need to pass an instance of a derivative of `BaseCache` (`from
+flask_caching.backends.base import BaseCache`) to the RESULTS_BACKEND configuration key in your
+superset_config.py. You can use Memcached, Redis, S3 (https://pypi.python.org/pypi/s3werkzeugcache),
+memory or the file system (in a single server-type setup or for testing), or to write your own
+caching interface. Your `superset_config.py` may look something like:

 ```python
 # On S3
--- a/docs/docs/configuration/databases.mdx
+++ b/docs/docs/configuration/databases.mdx
@@ -54,6 +54,7 @@ are compatible with Superset.
 | [Ascend.io](/docs/configuration/databases#ascendio)                       | `pip install impyla`                                                               | `ascend://{username}:{password}@{hostname}:{port}/{database}?auth_mechanism=PLAIN;use_ssl=true`                                                        |
 | [Azure MS SQL](/docs/configuration/databases#sql-server)                | `pip install pymssql`                                                              | `mssql+pymssql://UserName@presetSQL:TestPassword@presetSQL.database.windows.net:1433/TestSchema`                                                       |
 | [ClickHouse](/docs/configuration/databases#clickhouse)                  | `pip install clickhouse-connect`                                                   | `clickhousedb://{username}:{password}@{hostname}:{port}/{database}`                                                                                    |
+| [Cloudflare D1](/docs/configuration/databases#cloudflare-d1)                  | `pip install superset-engine-d1` or `pip install apache_superset[d1]`                                                  | `d1://{cloudflare_account_id}:{cloudflare_api_token}@{cloudflare_d1_database_id}`                                                                                    |
 | [CockroachDB](/docs/configuration/databases#cockroachdb)                | `pip install cockroachdb`                                                          | `cockroachdb://root@{hostname}:{port}/{database}?sslmode=disable`                                                                                      |
 | [Couchbase](/docs/configuration/databases#couchbase)                | `pip install couchbase-sqlalchemy`                                                          | `couchbase://{username}:{password}@{hostname}:{port}?truststorepath={ssl certificate path}`                                                                                      |
 | [CrateDB](/docs/configuration/databases#cratedb)                        | `pip install sqlalchemy-cratedb`                                                   | `crate://{username}:{password}@{hostname}:{port}`, often useful: `?ssl=true/false` or `?schema=testdrive`.                                             |
@@ -359,6 +360,20 @@ uses the default user without a password (and doesn't encrypt the connection):
 clickhousedb://localhost/default
 ```

+#### Cloudflare D1
+
+To use Cloudflare D1 with superset, install the [superset-engine-d1](https://github.com/sqlalchemy-cf-d1/superset-engine-d1) library.
+
+```
+pip install superset-engine-d1
+```
+
+The expected connection string is formatted as follows:
+
+```
+d1://{cloudflare_account_id}:{cloudflare_api_token}@{cloudflare_d1_database_id}
+```
+
 #### CockroachDB

 The recommended connector library for CockroachDB is
--- a/docs/docs/configuration/theming.mdx
+++ b/docs/docs/configuration/theming.mdx
@@ -110,18 +110,30 @@ To export a theme for use in configuration files or another instance:

 ## Custom Fonts

-Superset supports custom fonts through runtime configuration, allowing you to use branded or custom typefaces without rebuilding the application.
+Superset supports custom fonts through the theme configuration, allowing you to use branded or custom typefaces without rebuilding the application.
+
+### Default Fonts
+
+By default, Superset uses Inter and Fira Code fonts which are bundled with the application via `@fontsource` packages. These fonts work offline and require no external network calls.

 ### Configuring Custom Fonts

-Add font URLs to your `superset_config.py`:
+To use custom fonts, add font URLs to your theme configuration using the `fontUrls` token:

 ```python
-# Load fonts from Google Fonts, Adobe Fonts, or self-hosted sources
-CUSTOM_FONT_URLS = [
-    "https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap",
-    "https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;500&display=swap",
-]
+THEME_DEFAULT = {
+    "token": {
+        # Load fonts from external sources (e.g., Google Fonts, Adobe Fonts)
+        "fontUrls": [
+            "https://fonts.googleapis.com/css2?family=Roboto:wght@400;500;600;700&display=swap",
+            "https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;500&display=swap",
+        ],
+        # Reference the loaded fonts
+        "fontFamily": "Roboto, -apple-system, BlinkMacSystemFont, sans-serif",
+        "fontFamilyCode": "JetBrains Mono, Monaco, monospace",
+        # ... other theme tokens
+    }
+}

 # Update CSP to allow font sources
 TALISMAN_CONFIG = {
@@ -132,31 +144,24 @@ TALISMAN_CONFIG = {
 }
 ```

-### Using Custom Fonts in Themes
-
-Once configured, reference the fonts in your theme configuration:
-
-```python
-THEME_DEFAULT = {
-    "token": {
-        "fontFamily": "Inter, -apple-system, BlinkMacSystemFont, sans-serif",
-        "fontFamilyCode": "JetBrains Mono, Monaco, monospace",
-        # ... other theme tokens
-    }
-}
-```
-
 Or in the CRUD interface theme JSON:

 ```json
 {
  "token": {
-    "fontFamily": "Inter, -apple-system, BlinkMacSystemFont, sans-serif",
+    "fontUrls": [
+      "https://fonts.googleapis.com/css2?family=Roboto:wght@400;500;600;700&display=swap"
+    ],
+    "fontFamily": "Roboto, -apple-system, BlinkMacSystemFont, sans-serif",
    "fontFamilyCode": "JetBrains Mono, Monaco, monospace"
  }
 }
 ```

+:::note
+Font URLs are validated against a configurable allowlist. By default, fonts from `fonts.googleapis.com`, `fonts.gstatic.com`, and `use.typekit.net` are allowed. Configure `THEME_FONT_URL_ALLOWED_DOMAINS` to customize the allowed domains.
+:::
+
 ### Font Sources

 - **Google Fonts**: Free, CDN-hosted fonts with wide variety
--- a/docs/docs/contributing/pkg-resources-migration.md
+++ b/docs/docs/contributing/pkg-resources-migration.md
@@ -0,0 +1,101 @@
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+# pkg_resources Deprecation and Migration Guide
+
+## Background
+
+As of setuptools 81.0.0 (scheduled for removal around 2025-11-30), the `pkg_resources` API is deprecated and will be removed. This affects several packages in the Python ecosystem.
+
+## Current Status
+
+### Superset Codebase ✅
+The Superset codebase has already migrated away from `pkg_resources` to the modern `importlib.metadata` API:
+
+- `superset/db_engine_specs/__init__.py:36` - Uses `from importlib.metadata import entry_points`
+- All entry point loading uses the modern API
+
+### Production Dependencies ⚠️
+Some third-party dependencies may still use `pkg_resources`:
+
+- **`clients` package** (Preset-specific): Uses `pkg_resources` in `const.py`
+- Error path: `/usr/local/lib/python3.10/site-packages/clients/const.py:1`
+
+## Migration Path
+
+### Short-term Solution (Current)
+Pin setuptools to version 80.x to prevent breaking changes:
+
+```python
+# requirements/base.in
+setuptools<81
+```
+
+This prevents the removal of `pkg_resources` while dependent packages are updated.
+
+### Long-term Solution
+Update all dependencies to use `importlib.metadata` instead of `pkg_resources`:
+
+#### Migration Example
+**Old (deprecated):**
+```python
+import pkg_resources
+
+version = pkg_resources.get_distribution("package_name").version
+entry_points = pkg_resources.iter_entry_points("group_name")
+```
+
+**New (recommended):**
+```python
+from importlib.metadata import version, entry_points
+
+pkg_version = version("package_name")
+eps = entry_points(group="group_name")
+```
+
+## Action Items
+
+### For Preset Team
+1. **Update `clients` package** to use `importlib.metadata` instead of `pkg_resources`
+2. **Review other internal packages** for `pkg_resources` usage
+3. **Test with setuptools >= 81.0.0** once all packages are migrated
+4. **Monitor Datadog logs** for similar deprecation warnings
+
+### For Superset Maintainers
+1. ✅ Already using `importlib.metadata`
+2. Monitor third-party dependencies for updates
+3. Update setuptools pin once ecosystem is ready
+
+## Timeline
+
+- **2025-11-30**: Expected removal of `pkg_resources` from setuptools
+- **Before then**: All dependencies must migrate to `importlib.metadata`
+
+## References
+
+- [setuptools pkg_resources deprecation notice](https://setuptools.pypa.io/en/latest/pkg_resources.html)
+- [importlib.metadata documentation](https://docs.python.org/3/library/importlib.metadata.html)
+- [Migration guide](https://setuptools.pypa.io/en/latest/deprecated/pkg_resources.html)
+
+## Monitoring
+
+Track this issue in production using Datadog:
+- Warning pattern: `pkg_resources is deprecated as an API`
+- Component: `@component:app`
+- Environment: `environment:production`
--- a/docs/docusaurus.config.ts
+++ b/docs/docusaurus.config.ts
@@ -487,7 +487,7 @@ const config: Config = {
      'data-project-name': 'Apache Superset',
      'data-project-color': '#FFFFFF',
      'data-project-logo':
-        'https://images.seeklogo.com/logo-png/50/2/superset-icon-logo-png_seeklogo-500354.png',
+        'https://superset.apache.org/img/superset-logo-icon-only.png',
      'data-modal-override-open-id': 'ask-ai-input',
      'data-modal-override-open-class': 'search-input',
      'data-modal-disclaimer':
--- a/docs/package.json
+++ b/docs/package.json
@@ -32,9 +32,9 @@
    "@docusaurus/plugin-client-redirects": "3.9.2",
    "@docusaurus/preset-classic": "3.9.2",
    "@docusaurus/theme-mermaid": "^3.9.2",
-    "@emotion/core": "^10.0.27",
+    "@emotion/core": "^11.0.0",
    "@emotion/react": "^11.13.3",
-    "@emotion/styled": "^10.0.27",
+    "@emotion/styled": "^11.14.1",
    "@mdx-js/react": "^3.1.1",
    "@saucelabs/theme-github-codeblock": "^0.3.0",
    "@storybook/addon-docs": "^8.6.11",
@@ -49,11 +49,11 @@
    "@storybook/preview-api": "^8.6.11",
    "@storybook/theming": "^8.6.11",
    "@superset-ui/core": "^0.20.4",
-    "antd": "^5.28.0",
-    "caniuse-lite": "^1.0.30001754",
+    "antd": "^6.1.0",
+    "caniuse-lite": "^1.0.30001760",
    "docusaurus-plugin-less": "^2.0.2",
    "json-bigint": "^1.0.0",
-    "less": "^4.4.2",
+    "less": "^4.5.1",
    "less-loader": "^12.3.0",
    "prism-react-renderer": "^2.4.1",
    "react": "^18.3.1",
@@ -63,26 +63,26 @@
    "remark-import-partial": "^0.0.2",
    "reselect": "^5.1.1",
    "storybook": "^8.6.11",
-    "swagger-ui-react": "^5.30.2",
+    "swagger-ui-react": "^5.31.0",
    "tinycolor2": "^1.4.2",
    "ts-loader": "^9.5.4"
  },
  "devDependencies": {
    "@docusaurus/module-type-aliases": "^3.9.1",
    "@docusaurus/tsconfig": "^3.9.2",
-    "@eslint/js": "^9.39.0",
+    "@eslint/js": "^9.39.2",
    "@types/react": "^19.1.8",
    "@typescript-eslint/eslint-plugin": "^8.37.0",
-    "@typescript-eslint/parser": "^8.46.0",
-    "eslint": "^9.39.0",
+    "@typescript-eslint/parser": "^8.49.0",
+    "eslint": "^9.39.2",
    "eslint-config-prettier": "^10.1.8",
    "eslint-plugin-prettier": "^5.5.3",
    "eslint-plugin-react": "^7.37.5",
    "globals": "^16.5.0",
-    "prettier": "^3.6.2",
+    "prettier": "^3.7.4",
    "typescript": "~5.9.3",
-    "typescript-eslint": "^8.46.2",
-    "webpack": "^5.102.1"
+    "typescript-eslint": "^8.49.0",
+    "webpack": "^5.103.0"
  },
  "browserslist": {
    "production": [
--- a/docs/sidebarTutorials.js
+++ b/docs/sidebarTutorials.js
@@ -80,13 +80,20 @@ const sidebars = {
        'extensions/overview',
        'extensions/quick-start',
        'extensions/architecture',
-        'extensions/extension-project-structure',
-        'extensions/extension-metadata',
-        'extensions/frontend-contribution-types',
-        'extensions/interacting-with-host',
-        'extensions/deploying-extension',
-        'extensions/development-mode',
-        'extensions/security-implications',
+        'extensions/contribution-types',
+        {
+          type: 'category',
+          label: 'Extension Points',
+          collapsed: true,
+          items: [
+            'extensions/extension-points/sqllab',
+          ],
+        },
+        'extensions/development',
+        'extensions/deployment',
+        'extensions/mcp',
+        'extensions/security',
+        'extensions/registry',
      ],
    },
    {
--- a/docs/static/img/extensions/api_explorer.png
+++ b/docs/static/img/extensions/api_explorer.png
--- a/docs/static/img/extensions/sql_flow_visualizer.png
+++ b/docs/static/img/extensions/sql_flow_visualizer.png
--- a/docs/static/img/superset-logo-icon-only.png
+++ b/docs/static/img/superset-logo-icon-only.png
--- a/docs/versioned_docs/version-6.0.0/configuration/theming.mdx
+++ b/docs/versioned_docs/version-6.0.0/configuration/theming.mdx
@@ -110,18 +110,30 @@ To export a theme for use in configuration files or another instance:

 ## Custom Fonts

-Superset supports custom fonts through runtime configuration, allowing you to use branded or custom typefaces without rebuilding the application.
+Superset supports custom fonts through the theme configuration, allowing you to use branded or custom typefaces without rebuilding the application.
+
+### Default Fonts
+
+By default, Superset uses Inter and Fira Code fonts which are bundled with the application via `@fontsource` packages. These fonts work offline and require no external network calls.

 ### Configuring Custom Fonts

-Add font URLs to your `superset_config.py`:
+To use custom fonts, add font URLs to your theme configuration using the `fontUrls` token:

 ```python
-# Load fonts from Google Fonts, Adobe Fonts, or self-hosted sources
-CUSTOM_FONT_URLS = [
-    "https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap",
-    "https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;500&display=swap",
-]
+THEME_DEFAULT = {
+    "token": {
+        # Load fonts from external sources (e.g., Google Fonts, Adobe Fonts)
+        "fontUrls": [
+            "https://fonts.googleapis.com/css2?family=Roboto:wght@400;500;600;700&display=swap",
+            "https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;500&display=swap",
+        ],
+        # Reference the loaded fonts
+        "fontFamily": "Roboto, -apple-system, BlinkMacSystemFont, sans-serif",
+        "fontFamilyCode": "JetBrains Mono, Monaco, monospace",
+        # ... other theme tokens
+    }
+}

 # Update CSP to allow font sources
 TALISMAN_CONFIG = {
@@ -132,31 +144,24 @@ TALISMAN_CONFIG = {
 }
 ```

-### Using Custom Fonts in Themes
-
-Once configured, reference the fonts in your theme configuration:
-
-```python
-THEME_DEFAULT = {
-    "token": {
-        "fontFamily": "Inter, -apple-system, BlinkMacSystemFont, sans-serif",
-        "fontFamilyCode": "JetBrains Mono, Monaco, monospace",
-        # ... other theme tokens
-    }
-}
-```
-
 Or in the CRUD interface theme JSON:

 ```json
 {
  "token": {
-    "fontFamily": "Inter, -apple-system, BlinkMacSystemFont, sans-serif",
+    "fontUrls": [
+      "https://fonts.googleapis.com/css2?family=Roboto:wght@400;500;600;700&display=swap"
+    ],
+    "fontFamily": "Roboto, -apple-system, BlinkMacSystemFont, sans-serif",
    "fontFamilyCode": "JetBrains Mono, Monaco, monospace"
  }
 }
 ```

+:::note
+Font URLs are validated against a configurable allowlist. By default, fonts from `fonts.googleapis.com`, `fonts.gstatic.com`, and `use.typekit.net` are allowed. Configure `THEME_FONT_URL_ALLOWED_DOMAINS` to customize the allowed domains.
+:::
+
 ### Font Sources

 - **Google Fonts**: Free, CDN-hosted fonts with wide variety
--- a/docs/yarn.lock
+++ b/docs/yarn.lock
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -48,7 +48,7 @@ dependencies = [
    "cryptography>=42.0.4, <45.0.0",
    "deprecation>=2.1.0, <2.2.0",
    "flask>=2.2.5, <3.0.0",
-    "flask-appbuilder>=5.0.0,<6",
+    "flask-appbuilder>=5.0.2,<6",
    "flask-caching>=2.1.0, <3",
    "flask-compress>=1.13, <2.0",
    "flask-talisman>=1.0.0, <2.0",
@@ -92,7 +92,7 @@ dependencies = [
    "pyarrow>=16.1.0, <19", # before upgrading pyarrow, check that all db dependencies support this, see e.g. https://github.com/apache/superset/pull/34693
    "pyyaml>=6.0.0, <7.0.0",
    "PyJWT>=2.4.0, <3.0",
-    "redis>=4.6.0, <5.0",
+    "redis>=5.0.0, <6.0",
    "selenium>=4.14.0, <5.0",
    "shillelagh[gsheetsapi]>=1.4.3, <2.0",
    "sshtunnel>=0.4.0, <0.5",
@@ -123,6 +123,11 @@ bigquery = [
 clickhouse = ["clickhouse-connect>=0.5.14, <1.0"]
 cockroachdb = ["cockroachdb>=0.3.5, <0.4"]
 crate = ["sqlalchemy-cratedb>=0.40.1, <1"]
+d1 = [
+    "superset-engine-d1>=0.1.0",
+    "sqlalchemy-d1>=0.1.0",
+    "dbapi-d1>=0.1.0",
+]
 databend = ["databend-sqlalchemy>=0.3.2, <1.0"]
 databricks = [
    "databricks-sql-connector==4.1.2",
@@ -133,14 +138,13 @@ denodo = ["denodo-sqlalchemy~=1.0.6"]
 dremio = ["sqlalchemy-dremio>=1.2.1, <4"]
 drill = ["sqlalchemy-drill>=1.1.4, <2"]
 druid = ["pydruid>=0.6.5,<0.7"]
-# DuckDB 1.x has type system incompatibilities with duckdb-engine.
-duckdb = ["duckdb>=0.10.2,<0.11", "duckdb-engine>=0.17.0"]
+duckdb = ["duckdb>=1.4.2,<2", "duckdb-engine>=0.17.0"]
 dynamodb = ["pydynamodb>=0.4.2"]
 solr = ["sqlalchemy-solr >= 0.2.0"]
 elasticsearch = ["elasticsearch-dbapi>=0.2.9, <0.3.0"]
 exasol = ["sqlalchemy-exasol >= 2.4.0, <3.0"]
 excel = ["xlrd>=1.2.0, <1.3"]
-fastmcp = ["fastmcp>=2.13.0.2"]
+fastmcp = ["fastmcp>=2.14.0"]
 firebird = ["sqlalchemy-firebird>=0.7.0, <0.8"]
 firebolt = ["firebolt-sqlalchemy>=1.0.0, <2"]
 gevent = ["gevent>=23.9.1"]
@@ -213,6 +217,7 @@ development = [
    "pyinstrument>=4.0.2,<5",
    "pylint",
    "pytest<8.0.0", # hairy issue with pytest >=8 where current_app proxies are not set in time
+    "pytest-asyncio",
    "pytest-cov",
    "pytest-mock",
    "python-ldap>=3.4.4",
@@ -352,6 +357,7 @@ dummy-variable-rgx = "^(_+|(_+[a-zA-Z0-9_]*[a-zA-Z0-9]+?))$"
 "superset/translations/utils.py" = ["TID251"]
 "superset/extensions/__init__.py" = ["TID251"]
 "superset/utils/json.py" = ["TID251"]
+"docker/*" = ["I"]  # Docker config files have non-standard imports that vary by environment

 [tool.ruff.lint.isort]
 case-sensitive = false
--- a/pytest.ini
+++ b/pytest.ini
@@ -19,3 +19,4 @@ testpaths =
    tests
 python_files = *_test.py test_*.py *_tests.py *viz/utils.py
 addopts = -p no:warnings
+asyncio_mode = auto
--- a/requirements/base.in
+++ b/requirements/base.in
@@ -16,7 +16,7 @@
 # specific language governing permissions and limitations
 # under the License.
 #
-urllib3==2.5.0
+urllib3>=2.6.0,<3.0.0
 werkzeug>=3.0.1
 numexpr>=2.9.0

@@ -36,3 +36,9 @@ marshmallow-sqlalchemy>=1.3.0,<1.4.1

 # needed for python 3.12 support
 openapi-schema-validator>=0.6.3
+
+# Pin setuptools <81 until all dependencies migrate from pkg_resources to importlib.metadata
+# pkg_resources is deprecated and will be removed in setuptools 81+ (around 2025-11-30)
+# Known affected packages: Preset's 'clients' package
+# See docs/docs/contributing/pkg-resources-migration.md for details
+setuptools<81
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -116,7 +116,7 @@ flask==2.3.3
    #   flask-session
    #   flask-sqlalchemy
    #   flask-wtf
-flask-appbuilder==5.0.0
+flask-appbuilder==5.0.2
    # via
    #   apache-superset (pyproject.toml)
    #   apache-superset-core
@@ -298,7 +298,9 @@ pyasn1-modules==0.4.2
 pycparser==2.22
    # via cffi
 pydantic==2.11.7
-    # via apache-superset (pyproject.toml)
+    # via
+    #   apache-superset (pyproject.toml)
+    #   apache-superset-core
 pydantic-core==2.33.2
    # via pydantic
 pygments==2.19.1
@@ -308,6 +310,7 @@ pyjwt==2.10.1
    #   apache-superset (pyproject.toml)
    #   flask-appbuilder
    #   flask-jwt-extended
+    #   redis
 pynacl==1.5.0
    # via paramiko
 pyopenssl==25.1.0
@@ -340,7 +343,7 @@ pyyaml==6.0.2
    # via
    #   apache-superset (pyproject.toml)
    #   apispec
-redis==4.6.0
+redis==5.3.1
    # via apache-superset (pyproject.toml)
 referencing==0.36.2
    # via
@@ -364,6 +367,8 @@ rsa==4.9.1
    # via google-auth
 selenium==4.32.0
    # via apache-superset (pyproject.toml)
+setuptools==80.9.0
+    # via -r requirements/base.in
 shillelagh==1.4.3
    # via apache-superset (pyproject.toml)
 simplejson==3.20.1
@@ -384,6 +389,7 @@ sqlalchemy==1.4.54
    # via
    #   apache-superset (pyproject.toml)
    #   alembic
+    #   apache-superset-core
    #   flask-appbuilder
    #   flask-sqlalchemy
    #   marshmallow-sqlalchemy
@@ -392,9 +398,12 @@ sqlalchemy==1.4.54
 sqlalchemy-utils==0.38.3
    # via
    #   apache-superset (pyproject.toml)
+    #   apache-superset-core
    #   flask-appbuilder
 sqlglot==27.15.2
-    # via apache-superset (pyproject.toml)
+    # via
+    #   apache-superset (pyproject.toml)
+    #   apache-superset-core
 sshtunnel==0.4.0
    # via apache-superset (pyproject.toml)
 tabulate==0.9.0
@@ -409,6 +418,7 @@ typing-extensions==4.15.0
    # via
    #   apache-superset (pyproject.toml)
    #   alembic
+    #   apache-superset-core
    #   cattrs
    #   limits
    #   pydantic
@@ -426,7 +436,7 @@ tzdata==2025.2
    #   pandas
 url-normalize==2.2.1
    # via requests-cache
-urllib3==2.5.0
+urllib3==2.6.0
    # via
    #   -r requirements/base.in
    #   requests
--- a/requirements/development.txt
+++ b/requirements/development.txt
@@ -48,7 +48,7 @@ attrs==25.3.0
    #   referencing
    #   requests-cache
    #   trio
-authlib==1.6.4
+authlib==1.6.5
    # via fastmcp
 babel==2.17.0
    # via
@@ -132,6 +132,7 @@ click==8.2.1
    #   click-repl
    #   flask
    #   flask-appbuilder
+    #   typer
    #   uvicorn
 click-didyoumean==0.3.1
    # via
@@ -149,6 +150,8 @@ click-repl==0.3.0
    # via
    #   -c requirements/base-constraint.txt
    #   celery
+cloudpickle==3.1.2
+    # via pydocket
 cmdstanpy==1.1.0
    # via prophet
 colorama==0.4.6
@@ -179,7 +182,7 @@ cryptography==44.0.3
    #   secretstorage
 cycler==0.12.1
    # via matplotlib
-cyclopts==3.24.0
+cyclopts==4.2.4
    # via fastmcp
 db-dtypes==1.3.1
    # via pandas-gbq
@@ -211,7 +214,7 @@ docstring-parser==0.17.0
    # via cyclopts
 docutils==0.22.2
    # via rich-rst
-duckdb==0.10.3
+duckdb==1.4.2
    # via
    #   apache-superset
    #   duckdb-engine
@@ -228,7 +231,9 @@ et-xmlfile==2.0.0
    #   openpyxl
 exceptiongroup==1.3.0
    # via fastmcp
-fastmcp==2.13.0.2
+fakeredis==2.32.1
+    # via pydocket
+fastmcp==2.14.0
    # via apache-superset
 filelock==3.12.2
    # via virtualenv
@@ -249,7 +254,7 @@ flask==2.3.3
    #   flask-sqlalchemy
    #   flask-testing
    #   flask-wtf
-flask-appbuilder==5.0.0
+flask-appbuilder==5.0.2
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
@@ -419,7 +424,9 @@ idna==3.10
    #   trio
    #   url-normalize
 importlib-metadata==8.7.0
-    # via keyring
+    # via
+    #   keyring
+    #   opentelemetry-api
 importlib-resources==6.5.2
    # via prophet
 iniconfig==2.0.0
@@ -471,7 +478,7 @@ jsonschema-specifications==2025.4.1
    #   -c requirements/base-constraint.txt
    #   jsonschema
    #   openapi-schema-validator
-keyring==25.6.0
+keyring==25.7.0
    # via py-key-value-aio
 kiwisolver==1.4.7
    # via matplotlib
@@ -485,6 +492,8 @@ limits==5.1.0
    # via
    #   -c requirements/base-constraint.txt
    #   flask-limiter
+lupa==2.6
+    # via fakeredis
 mako==1.3.10
    # via
    #   -c requirements/base-constraint.txt
@@ -524,7 +533,7 @@ matplotlib==3.9.0
    # via prophet
 mccabe==0.7.0
    # via pylint
-mcp==1.20.0
+mcp==1.24.0
    # via fastmcp
 mdurl==0.1.2
    # via
@@ -581,6 +590,18 @@ openpyxl==3.1.5
    # via
    #   -c requirements/base-constraint.txt
    #   pandas
+opentelemetry-api==1.39.1
+    # via
+    #   opentelemetry-exporter-prometheus
+    #   opentelemetry-sdk
+    #   opentelemetry-semantic-conventions
+    #   pydocket
+opentelemetry-exporter-prometheus==0.60b1
+    # via pydocket
+opentelemetry-sdk==1.39.1
+    # via opentelemetry-exporter-prometheus
+opentelemetry-semantic-conventions==0.60b1
+    # via opentelemetry-sdk
 ordered-set==4.1.0
    # via
    #   -c requirements/base-constraint.txt
@@ -668,6 +689,10 @@ prison==0.2.1
    #   flask-appbuilder
 progress==1.6
    # via apache-superset
+prometheus-client==0.23.1
+    # via
+    #   opentelemetry-exporter-prometheus
+    #   pydocket
 prompt-toolkit==3.0.51
    # via
    #   -c requirements/base-constraint.txt
@@ -689,9 +714,11 @@ psutil==6.1.0
    # via apache-superset
 psycopg2-binary==2.9.6
    # via apache-superset
-py-key-value-aio==0.2.8
-    # via fastmcp
-py-key-value-shared==0.2.8
+py-key-value-aio==0.3.0
+    # via
+    #   fastmcp
+    #   pydocket
+py-key-value-shared==0.3.0
    # via py-key-value-aio
 pyarrow==16.1.0
    # via
@@ -718,6 +745,7 @@ pydantic==2.11.7
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
+    #   apache-superset-core
    #   fastmcp
    #   mcp
    #   openapi-pydantic
@@ -730,6 +758,8 @@ pydantic-settings==2.10.1
    # via mcp
 pydata-google-auth==1.9.0
    # via pandas-gbq
+pydocket==0.15.4
+    # via fastmcp
 pydruid==0.6.9
    # via apache-superset
 pyfakefs==5.3.5
@@ -749,6 +779,7 @@ pyjwt==2.10.1
    #   flask-appbuilder
    #   flask-jwt-extended
    #   mcp
+    #   redis
 pylint==3.3.7
    # via apache-superset
 pynacl==1.5.0
@@ -774,8 +805,11 @@ pytest==7.4.4
    # via
    #   apache-superset
    #   apache-superset-extensions-cli
+    #   pytest-asyncio
    #   pytest-cov
    #   pytest-mock
+pytest-asyncio==0.23.8
+    # via apache-superset
 pytest-cov==6.0.0
    # via
    #   apache-superset
@@ -809,6 +843,8 @@ python-geohash==0.8.5
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
+python-json-logger==4.0.0
+    # via pydocket
 python-ldap==3.4.4
    # via apache-superset
 python-multipart==0.0.20
@@ -831,10 +867,13 @@ pyyaml==6.0.2
    #   apispec
    #   jsonschema-path
    #   pre-commit
-redis==4.6.0
+redis==5.3.1
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
+    #   fakeredis
+    #   py-key-value-aio
+    #   pydocket
 referencing==0.36.2
    # via
    #   -c requirements/base-constraint.txt
@@ -870,7 +909,9 @@ rich==13.9.4
    #   cyclopts
    #   fastmcp
    #   flask-limiter
+    #   pydocket
    #   rich-rst
+    #   typer
 rich-rst==1.3.1
    # via cyclopts
 rpds-py==0.25.0
@@ -882,9 +923,9 @@ rsa==4.9.1
    # via
    #   -c requirements/base-constraint.txt
    #   google-auth
-ruff==0.8.0
+ruff==0.9.7
    # via apache-superset
-secretstorage==3.4.0
+secretstorage==3.5.0
    # via keyring
 selenium==4.32.0
    # via
@@ -892,13 +933,16 @@ selenium==4.32.0
    #   apache-superset
 semver==3.0.4
    # via apache-superset-extensions-cli
-setuptools==80.7.1
+setuptools==80.9.0
    # via
+    #   -c requirements/base-constraint.txt
    #   nodeenv
    #   pandas-gbq
    #   pydata-google-auth
    #   zope-event
    #   zope-interface
+shellingham==1.5.4
+    # via typer
 shillelagh==1.4.3
    # via
    #   -c requirements/base-constraint.txt
@@ -926,12 +970,14 @@ sniffio==1.3.1
 sortedcontainers==2.4.0
    # via
    #   -c requirements/base-constraint.txt
+    #   fakeredis
    #   trio
 sqlalchemy==1.4.54
    # via
    #   -c requirements/base-constraint.txt
    #   alembic
    #   apache-superset
+    #   apache-superset-core
    #   duckdb-engine
    #   flask-appbuilder
    #   flask-sqlalchemy
@@ -945,11 +991,13 @@ sqlalchemy-utils==0.38.3
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
+    #   apache-superset-core
    #   flask-appbuilder
 sqlglot==27.15.2
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
+    #   apache-superset-core
 sqloxide==0.1.51
    # via apache-superset
 sse-starlette==3.0.2
@@ -983,27 +1031,37 @@ trio-websocket==0.12.2
    # via
    #   -c requirements/base-constraint.txt
    #   selenium
+typer==0.20.0
+    # via pydocket
 typing-extensions==4.15.0
    # via
    #   -c requirements/base-constraint.txt
    #   alembic
    #   anyio
    #   apache-superset
+    #   apache-superset-core
    #   cattrs
    #   exceptiongroup
    #   limits
+    #   mcp
+    #   opentelemetry-api
+    #   opentelemetry-sdk
+    #   opentelemetry-semantic-conventions
    #   py-key-value-shared
    #   pydantic
    #   pydantic-core
+    #   pydocket
    #   pyopenssl
    #   referencing
    #   selenium
    #   shillelagh
    #   starlette
+    #   typer
    #   typing-inspection
 typing-inspection==0.4.1
    # via
    #   -c requirements/base-constraint.txt
+    #   mcp
    #   pydantic
    #   pydantic-settings
 tzdata==2025.2
@@ -1017,7 +1075,7 @@ url-normalize==2.2.1
    # via
    #   -c requirements/base-constraint.txt
    #   requests-cache
-urllib3==2.5.0
+urllib3==2.6.0
    # via
    #   -c requirements/base-constraint.txt
    #   docker
@@ -1025,7 +1083,9 @@ urllib3==2.5.0
    #   requests-cache
    #   selenium
 uvicorn==0.37.0
-    # via mcp
+    # via
+    #   fastmcp
+    #   mcp
 vine==5.1.0
    # via
    #   -c requirements/base-constraint.txt
--- a/scripts/uv-pip-compile.sh
+++ b/scripts/uv-pip-compile.sh
@@ -19,6 +19,23 @@

 set -e

+# If not already running in Docker, run this script inside Docker
+if [ -z "$RUNNING_IN_DOCKER" ]; then
+  # Extract "current" Python version from CI config (single source of truth)
+  PYTHON_VERSION=$(grep -A 1 'if.*"current"' .github/actions/setup-backend/action.yml | grep 'PYTHON_VERSION=' | sed 's/.*PYTHON_VERSION=\([0-9.]*\).*/\1/')
+
+  echo "Running in Docker (Python ${PYTHON_VERSION} on Linux)..."
+
+  docker run --rm \
+    -v "$(pwd)":/app \
+    -w /app \
+    -e RUNNING_IN_DOCKER=1 \
+    python:${PYTHON_VERSION}-slim \
+    bash -c "pip install uv && ./scripts/uv-pip-compile.sh $*"
+
+  exit $?
+fi
+
 ADDITIONAL_ARGS="$@"

 # Generate the requirements/base.txt file
--- a/superset-core/README.md
+++ b/superset-core/README.md
@@ -49,7 +49,7 @@ The package is organized into logical modules, each providing specific functiona
 from flask import request, Response
 from flask_appbuilder.api import expose, permission_name, protect, safe
 from superset_core.api import models, query, rest_api
-from superset_core.api.types.rest_api import RestApi
+from superset_core.api.rest_api import RestApi

 class DatasetReferencesAPI(RestApi):
    """Example extension API demonstrating core functionality."""
--- a/superset-core/pyproject.toml
+++ b/superset-core/pyproject.toml
@@ -42,7 +42,12 @@ classifiers = [
    "Topic :: Software Development :: Libraries :: Python Modules",
 ]
 dependencies = [
-    "flask-appbuilder>=5.0.0,<6",
+    "flask-appbuilder>=5.0.2,<6",
+    "pydantic>=2.8.0",
+    "sqlalchemy>=1.4.0,<2.0",
+    "sqlalchemy-utils>=0.38.0",
+    "sqlglot>=27.15.2, <28",
+    "typing-extensions>=4.0.0",
 ]

 [project.urls]
--- a/superset-core/src/superset_core/init.py
+++ b/superset-core/src/superset_core/init.py
@@ -14,3 +14,7 @@
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
+
+"""
+Apache Superset Core - Public API with core functions of Superset
+"""
--- a/superset-core/src/superset_core/api/init.py
+++ b/superset-core/src/superset_core/api/init.py
@@ -14,11 +14,3 @@
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
-
-from .types.models import CoreModelsApi
-from .types.query import CoreQueryApi
-from .types.rest_api import CoreRestApi
-
-models: CoreModelsApi
-rest_api: CoreRestApi
-query: CoreQueryApi
--- a/superset-core/src/superset_core/api/daos.py
+++ b/superset-core/src/superset_core/api/daos.py
@@ -0,0 +1,262 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""
+Data Access Object API for superset-core.
+
+Provides dependency-injected DAO classes that will be replaced by
+host implementations during initialization.
+
+Usage:
+    from superset_core.api.daos import DatasetDAO, DatabaseDAO
+
+    # Use standard BaseDAO methods
+    datasets = DatasetDAO.find_all()
+    dataset = DatasetDAO.find_one_or_none(id=123)
+    DatasetDAO.create(attributes={"name": "New Dataset"})
+"""
+
+from abc import ABC, abstractmethod
+from typing import Any, ClassVar, Generic, TypeVar
+
+from flask_appbuilder.models.filters import BaseFilter
+from sqlalchemy.orm import Query as SQLAQuery
+
+from superset_core.api.models import (
+    Chart,
+    CoreModel,
+    Dashboard,
+    Database,
+    Dataset,
+    KeyValue,
+    Query,
+    SavedQuery,
+    Tag,
+    User,
+)
+
+# Type variable bound to our CoreModel
+T = TypeVar("T", bound=CoreModel)
+
+
+class BaseDAO(Generic[T], ABC):
+    """
+    Abstract base class for DAOs.
+
+    This ABC defines the base that all DAOs should implement,
+    providing consistent CRUD operations across Superset and extensions.
+    """
+
+    # Due to mypy limitations, we can't have `type[T]` here
+    model_cls: ClassVar[type[Any] | None]
+    base_filter: ClassVar[BaseFilter | None]
+    id_column_name: ClassVar[str]
+    uuid_column_name: ClassVar[str]
+
+    @classmethod
+    @abstractmethod
+    def find_all(cls) -> list[T]:
+        """Get all entities that fit the base_filter."""
+        ...
+
+    @classmethod
+    @abstractmethod
+    def find_one_or_none(cls, **filter_by: Any) -> T | None:
+        """Get the first entity that fits the base_filter."""
+        ...
+
+    @classmethod
+    @abstractmethod
+    def create(
+        cls,
+        item: T | None = None,
+        attributes: dict[str, Any] | None = None,
+    ) -> T:
+        """Create an object from the specified item and/or attributes."""
+        ...
+
+    @classmethod
+    @abstractmethod
+    def update(
+        cls,
+        item: T | None = None,
+        attributes: dict[str, Any] | None = None,
+    ) -> T:
+        """Update an object from the specified item and/or attributes."""
+        ...
+
+    @classmethod
+    @abstractmethod
+    def delete(cls, items: list[T]) -> None:
+        """Delete the specified items."""
+        ...
+
+    @classmethod
+    @abstractmethod
+    def query(cls, query: SQLAQuery) -> list[T]:
+        """Execute query with base_filter applied."""
+        ...
+
+    @classmethod
+    @abstractmethod
+    def filter_by(cls, **filter_by: Any) -> list[T]:
+        """Get all entries that fit the base_filter."""
+        ...
+
+
+class DatasetDAO(BaseDAO[Dataset]):
+    """
+    Abstract Dataset DAO interface.
+
+    Host implementations will replace this class during initialization
+    with a concrete implementation providing actual functionality.
+    """
+
+    # Class variables that will be set by host implementation
+    model_cls = None
+    base_filter = None
+    id_column_name = "id"
+    uuid_column_name = "uuid"
+
+
+class DatabaseDAO(BaseDAO[Database]):
+    """
+    Abstract Database DAO interface.
+
+    Host implementations will replace this class during initialization
+    with a concrete implementation providing actual functionality.
+    """
+
+    # Class variables that will be set by host implementation
+    model_cls = None
+    base_filter = None
+    id_column_name = "id"
+    uuid_column_name = "uuid"
+
+
+class ChartDAO(BaseDAO[Chart]):
+    """
+    Abstract Chart DAO interface.
+
+    Host implementations will replace this class during initialization
+    with a concrete implementation providing actual functionality.
+    """
+
+    # Class variables that will be set by host implementation
+    model_cls = None
+    base_filter = None
+    id_column_name = "id"
+    uuid_column_name = "uuid"
+
+
+class DashboardDAO(BaseDAO[Dashboard]):
+    """
+    Abstract Dashboard DAO interface.
+
+    Host implementations will replace this class during initialization
+    with a concrete implementation providing actual functionality.
+    """
+
+    # Class variables that will be set by host implementation
+    model_cls = None
+    base_filter = None
+    id_column_name = "id"
+    uuid_column_name = "uuid"
+
+
+class UserDAO(BaseDAO[User]):
+    """
+    Abstract User DAO interface.
+
+    Host implementations will replace this class during initialization
+    with a concrete implementation providing actual functionality.
+    """
+
+    # Class variables that will be set by host implementation
+    model_cls = None
+    base_filter = None
+    id_column_name = "id"
+
+
+class QueryDAO(BaseDAO[Query]):
+    """
+    Abstract Query DAO interface.
+
+    Host implementations will replace this class during initialization
+    with a concrete implementation providing actual functionality.
+    """
+
+    # Class variables that will be set by host implementation
+    model_cls = None
+    base_filter = None
+    id_column_name = "id"
+
+
+class SavedQueryDAO(BaseDAO[SavedQuery]):
+    """
+    Abstract SavedQuery DAO interface.
+
+    Host implementations will replace this class during initialization
+    with a concrete implementation providing actual functionality.
+    """
+
+    # Class variables that will be set by host implementation
+    model_cls = None
+    base_filter = None
+    id_column_name = "id"
+
+
+class TagDAO(BaseDAO[Tag]):
+    """
+    Abstract Tag DAO interface.
+
+    Host implementations will replace this class during initialization
+    with a concrete implementation providing actual functionality.
+    """
+
+    # Class variables that will be set by host implementation
+    model_cls = None
+    base_filter = None
+    id_column_name = "id"
+
+
+class KeyValueDAO(BaseDAO[KeyValue]):
+    """
+    Abstract KeyValue DAO interface.
+
+    Host implementations will replace this class during initialization
+    with a concrete implementation providing actual functionality.
+    """
+
+    # Class variables that will be set by host implementation
+    model_cls = None
+    base_filter = None
+    id_column_name = "id"
+
+
+__all__ = [
+    "BaseDAO",
+    "DatasetDAO",
+    "DatabaseDAO",
+    "ChartDAO",
+    "DashboardDAO",
+    "UserDAO",
+    "QueryDAO",
+    "SavedQueryDAO",
+    "TagDAO",
+    "KeyValueDAO",
+]
--- a/superset-core/src/superset_core/api/models.py
+++ b/superset-core/src/superset_core/api/models.py
@@ -0,0 +1,295 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""
+Model API for superset-core.
+
+Provides model classes that will be replaced by host implementations
+during initialization for extension developers to use.
+
+Usage:
+    from superset_core.api.models import Dataset, Database, get_session
+
+    # Use as regular model classes
+    dataset = Dataset(name="My Dataset")
+    db = Database(database_name="My DB")
+    session = get_session()
+"""
+
+from datetime import datetime
+from typing import Any
+from uuid import UUID
+
+from flask_appbuilder import Model
+from sqlalchemy.orm import scoped_session
+
+
+class CoreModel(Model):
+    """
+    Abstract base class that extends Flask-AppBuilder's Model.
+
+    This base class provides the interface contract for all Superset models.
+    The host package provides concrete implementations.
+    """
+
+    __abstract__ = True
+
+
+class Database(CoreModel):
+    """
+    Abstract class for Database models.
+
+    This abstract class defines the contract that database models should implement,
+    providing consistent database connectivity and metadata operations.
+    """
+
+    __abstract__ = True
+
+    id: int
+    verbose_name: str
+    database_name: str | None
+
+    @property
+    def name(self) -> str:
+        raise NotImplementedError
+
+    @property
+    def backend(self) -> str:
+        raise NotImplementedError
+
+    @property
+    def data(self) -> dict[str, Any]:
+        raise NotImplementedError
+
+
+class Dataset(CoreModel):
+    """
+    Abstract class for Dataset models.
+
+    This abstract class defines the contract that dataset models should implement,
+    providing consistent data source operations and metadata.
+
+    It provides the public API for Datasets implemented by the host application.
+    """
+
+    __abstract__ = True
+
+    # Type hints for expected attributes (no actual field definitions)
+    id: int
+    uuid: UUID | None
+    table_name: str | None
+    main_dttm_col: str | None
+    database_id: int | None
+    schema: str | None
+    catalog: str | None
+    sql: str | None  # For virtual datasets
+    description: str | None
+    default_endpoint: str | None
+    is_featured: bool
+    filter_select_enabled: bool
+    offset: int
+    cache_timeout: int
+    params: str
+    perm: str | None
+    schema_perm: str | None
+    catalog_perm: str | None
+    is_managed_externally: bool
+    external_url: str | None
+    fetch_values_predicate: str | None
+    is_sqllab_view: bool
+    template_params: str | None
+    extra: str | None  # JSON string
+    normalize_columns: bool
+    always_filter_main_dttm: bool
+    folders: str | None  # JSON string
+
+
+class Chart(CoreModel):
+    """
+    Abstract Chart/Slice model interface.
+
+    Host implementations will replace this class during initialization
+    with concrete implementation providing actual functionality.
+    """
+
+    __abstract__ = True
+
+    # Type hints for expected attributes (no actual field definitions)
+    id: int
+    uuid: UUID | None
+    slice_name: str | None
+    datasource_id: int | None
+    datasource_type: str | None
+    datasource_name: str | None
+    viz_type: str | None
+    params: str | None
+    query_context: str | None
+    description: str | None
+    cache_timeout: int
+    certified_by: str | None
+    certification_details: str | None
+    is_managed_externally: bool
+    external_url: str | None
+
+
+class Dashboard(CoreModel):
+    """
+    Abstract Dashboard model interface.
+
+    Host implementations will replace this class during initialization
+    with concrete implementation providing actual functionality.
+    """
+
+    __abstract__ = True
+
+    # Type hints for expected attributes (no actual field definitions)
+    id: int
+    uuid: UUID | None
+    dashboard_title: str | None
+    position_json: str | None
+    description: str | None
+    css: str | None
+    json_metadata: str | None
+    slug: str | None
+    published: bool
+    certified_by: str | None
+    certification_details: str | None
+    is_managed_externally: bool
+    external_url: str | None
+
+
+class User(CoreModel):
+    """
+    Abstract User model interface.
+
+    Host implementations will replace this class during initialization
+    with concrete implementation providing actual functionality.
+    """
+
+    __abstract__ = True
+
+    # Type hints for expected attributes (no actual field definitions)
+    id: int
+    username: str | None
+    email: str | None
+    first_name: str | None
+    last_name: str | None
+    active: bool
+
+
+class Query(CoreModel):
+    """
+    Abstract Query model interface.
+
+    Host implementations will replace this class during initialization
+    with concrete implementation providing actual functionality.
+    """
+
+    __abstract__ = True
+
+    # Type hints for expected attributes (no actual field definitions)
+    id: int
+    client_id: str | None
+    database_id: int | None
+    sql: str | None
+    status: str | None
+    user_id: int | None
+    progress: int
+    error_message: str | None
+
+
+class SavedQuery(CoreModel):
+    """
+    Abstract SavedQuery model interface.
+
+    Host implementations will replace this class during initialization
+    with concrete implementation providing actual functionality.
+    """
+
+    __abstract__ = True
+
+    # Type hints for expected attributes (no actual field definitions)
+    id: int
+    uuid: UUID | None
+    label: str | None
+    sql: str | None
+    database_id: int | None
+    description: str | None
+    user_id: int | None
+
+
+class Tag(CoreModel):
+    """
+    Abstract Tag model interface.
+
+    Host implementations will replace this class during initialization
+    with concrete implementation providing actual functionality.
+    """
+
+    __abstract__ = True
+
+    # Type hints for expected attributes (no actual field definitions)
+    id: int
+    name: str | None
+    type: str | None
+
+
+class KeyValue(CoreModel):
+    """
+    Abstract KeyValue model interface.
+
+    Host implementations will replace this class during initialization
+    with concrete implementation providing actual functionality.
+    """
+
+    __abstract__ = True
+
+    id: int
+    uuid: UUID | None
+    resource: str | None
+    value: str | None  # Encoded value
+    expires_on: datetime | None
+    created_by_fk: int | None
+    changed_by_fk: int | None
+
+
+def get_session() -> scoped_session:
+    """
+    Retrieve the SQLAlchemy session to directly interface with the
+    Superset models.
+
+    Host implementations will replace this function during initialization
+    with a concrete implementation providing actual functionality.
+
+    :returns: The SQLAlchemy scoped session instance.
+    """
+    raise NotImplementedError("Function will be replaced during initialization")
+
+
+__all__ = [
+    "Dataset",
+    "Database",
+    "Chart",
+    "Dashboard",
+    "User",
+    "Query",
+    "SavedQuery",
+    "Tag",
+    "KeyValue",
+    "CoreModel",
+    "get_session",
+]
--- a/superset-core/src/superset_core/api/query.py
+++ b/superset-core/src/superset_core/api/query.py
@@ -0,0 +1,51 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""
+Query API for superset-core.
+
+Provides dependency-injected query utility functions that will be replaced by
+host implementations during initialization.
+
+Usage:
+    from superset_core.api.query import get_sqlglot_dialect
+
+    dialect = get_sqlglot_dialect(database)
+"""
+
+from typing import TYPE_CHECKING
+
+from sqlglot import Dialects
+
+if TYPE_CHECKING:
+    from superset_core.api.models import Database
+
+
+def get_sqlglot_dialect(database: "Database") -> Dialects:
+    """
+    Get the SQLGlot dialect for the specified database.
+
+    Host implementations will replace this function during initialization
+    with a concrete implementation providing actual functionality.
+
+    :param database: The database instance to get the dialect for.
+    :returns: The SQLGlot dialect enum corresponding to the database.
+    """
+    raise NotImplementedError("Function will be replaced during initialization")
+
+
+__all__ = ["get_sqlglot_dialect"]
--- a/superset-core/src/superset_core/api/rest_api.py
+++ b/superset-core/src/superset_core/api/rest_api.py
@@ -0,0 +1,72 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""
+REST API functions for superset-core.
+
+Provides dependency-injected REST API utility functions that will be replaced by
+host implementations during initialization.
+
+Usage:
+    from superset_core.api.rest_api import add_api, add_extension_api
+
+    add_api(MyCustomAPI)
+    add_extension_api(MyExtensionAPI)
+"""
+
+from flask_appbuilder.api import BaseApi
+
+
+class RestApi(BaseApi):
+    """
+    Base REST API class for Superset with browser login support.
+
+    This class extends Flask-AppBuilder's BaseApi and enables browser-based
+    authentication by default.
+    """
+
+    allow_browser_login = True
+
+
+def add_api(api: type[RestApi]) -> None:
+    """
+    Add a REST API to the Superset API.
+
+    Host implementations will replace this function during initialization
+    with a concrete implementation providing actual functionality.
+
+    :param api: A REST API instance.
+    :returns: None.
+    """
+    raise NotImplementedError("Function will be replaced during initialization")
+
+
+def add_extension_api(api: type[RestApi]) -> None:
+    """
+    Add an extension REST API to the Superset API.
+
+    Host implementations will replace this function during initialization
+    with a concrete implementation providing actual functionality.
+
+    :param api: An extension REST API instance. These are placed under
+        the /extensions resource.
+    :returns: None.
+    """
+    raise NotImplementedError("Function will be replaced during initialization")
+
+
+__all__ = ["RestApi", "add_api", "add_extension_api"]
--- a/superset-core/src/superset_core/api/types/models.py
+++ b/superset-core/src/superset_core/api/types/models.py
@@ -1,90 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-from abc import ABC, abstractmethod
-from typing import Any, Type
-
-from flask_sqlalchemy import BaseQuery
-from sqlalchemy.orm import scoped_session
-
-
-class CoreModelsApi(ABC):
-    """
-    Abstract interface for accessing Superset data models.
-
-    This class defines the contract for retrieving SQLAlchemy sessions
-    and model instances for datasets and databases within Superset.
-    """
-
-    @staticmethod
-    @abstractmethod
-    def get_session() -> scoped_session:
-        """
-        Retrieve the SQLAlchemy session to directly interface with the
-        Superset models.
-
-        :returns: The SQLAlchemy scoped session instance.
-        """
-        ...
-
-    @staticmethod
-    @abstractmethod
-    def get_dataset_model() -> Type[Any]:
-        """
-        Retrieve the Dataset (SqlaTable) SQLAlchemy model.
-
-        :returns: The Dataset SQLAlchemy model class.
-        """
-        ...
-
-    @staticmethod
-    @abstractmethod
-    def get_database_model() -> Type[Any]:
-        """
-        Retrieve the Database SQLAlchemy model.
-
-        :returns: The Database SQLAlchemy model class.
-        """
-        ...
-
-    @staticmethod
-    @abstractmethod
-    def get_datasets(query: BaseQuery | None = None, **kwargs: Any) -> list[Any]:
-        """
-        Retrieve Dataset (SqlaTable) entities.
-
-        :param query: A query with the Dataset model as the primary entity for complex
-            queries.
-        :param kwargs: Optional keyword arguments to filter datasets using SQLAlchemy's
-            `filter_by()`.
-        :returns: SqlaTable entities.
-        """
-        ...
-
-    @staticmethod
-    @abstractmethod
-    def get_databases(query: BaseQuery | None = None, **kwargs: Any) -> list[Any]:
-        """
-        Retrieve Database entities.
-
-        :param query: A query with the Database model as the primary entity for complex
-            queries.
-        :param kwargs: Optional keyword arguments to filter databases using SQLAlchemy's
-            `filter_by()`.
-        :returns: Database entities.
-        """
-        ...
--- a/superset-core/src/superset_core/api/types/rest_api.py
+++ b/superset-core/src/superset_core/api/types/rest_api.py
@@ -1,64 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-from abc import ABC, abstractmethod
-from typing import Type
-
-from flask_appbuilder.api import BaseApi
-
-
-class RestApi(BaseApi):
-    """
-    Base REST API class for Superset with browser login support.
-
-    This class extends Flask-AppBuilder's BaseApi and enables browser-based
-    authentication by default.
-    """
-
-    allow_browser_login = True
-
-
-class CoreRestApi(ABC):
-    """
-    Abstract interface for managing REST APIs in Superset.
-
-    This class defines the contract for adding and managing REST APIs,
-    including both core APIs and extension APIs.
-    """
-
-    @staticmethod
-    @abstractmethod
-    def add_api(api: Type[RestApi]) -> None:
-        """
-        Add a REST API to the Superset API.
-
-        :param api: A REST API instance.
-        :returns: None.
-        """
-        ...
-
-    @staticmethod
-    @abstractmethod
-    def add_extension_api(api: Type[RestApi]) -> None:
-        """
-        Add an extension REST API to the Superset API.
-
-        :param api: An extension REST API instance. These are placed under
-            the /extensions resource.
-        :returns: None.
-        """
-        ...
--- a/superset-core/src/superset_core/mcp/init.py
+++ b/superset-core/src/superset_core/mcp/init.py
@@ -0,0 +1,161 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""
+MCP (Model Context Protocol) tool registration for Superset MCP server.
+
+This module provides a decorator interface to register MCP tools with the
+host application.
+
+Usage:
+    from superset_core.mcp import tool
+
+    @tool(name="my_tool", description="Custom business logic", tags=["extension"])
+    def my_extension_tool(param: str) -> dict:
+        return {"message": f"Hello {param}!"}
+
+    # Or use function name and docstring:
+    @tool
+    def another_tool(value: int) -> str:
+        '''Tool description from docstring'''
+        return str(value * 2)
+"""
+
+from typing import Any, Callable, TypeVar
+
+# Type variable for decorated functions
+F = TypeVar("F", bound=Callable[..., Any])
+
+
+def tool(
+    func_or_name: str | Callable[..., Any] | None = None,
+    *,
+    name: str | None = None,
+    description: str | None = None,
+    tags: list[str] | None = None,
+    protect: bool = True,
+) -> Any:  # Use Any to avoid mypy issues with dependency injection
+    """
+    Decorator to register an MCP tool with optional authentication.
+
+    This decorator combines FastMCP tool registration with optional authentication.
+
+    Can be used as:
+        @tool
+        def my_tool(): ...
+
+    Or:
+        @tool(name="custom_name", protect=False)
+        def my_tool(): ...
+
+    Args:
+        func_or_name: When used as @tool, this will be the function.
+                     When used as @tool("name"), this will be the name.
+        name: Tool name (defaults to function name, prefixed with extension ID)
+        description: Tool description (defaults to function docstring)
+        tags: List of tags for categorizing the tool (defaults to empty list)
+        protect: Whether to require Superset authentication (defaults to True)
+
+    Returns:
+        Decorator function that registers and wraps the tool, or the wrapped function
+
+    Raises:
+        NotImplementedError: If called before host implementation is initialized
+
+    Example:
+        @tool(name="my_tool", description="Does something useful", tags=["utility"])
+        def my_custom_tool(param: str) -> dict:
+            return {"result": param}
+
+        @tool  # Uses function name and docstring with auth
+        def simple_tool(value: int) -> str:
+            '''Doubles the input value'''
+            return str(value * 2)
+
+        @tool(protect=False)  # No authentication required
+        def public_tool() -> str:
+            '''Public tool accessible without auth'''
+            return "Hello world"
+    """
+    raise NotImplementedError(
+        "MCP tool decorator not initialized. "
+        "This decorator should be replaced during Superset startup."
+    )
+
+
+def prompt(
+    func_or_name: str | Callable[..., Any] | None = None,
+    *,
+    name: str | None = None,
+    title: str | None = None,
+    description: str | None = None,
+    tags: set[str] | None = None,
+    protect: bool = True,
+) -> Any:  # Use Any to avoid mypy issues with dependency injection
+    """
+    Decorator to register an MCP prompt with optional authentication.
+
+    This decorator combines FastMCP prompt registration with optional authentication.
+
+    Can be used as:
+        @prompt
+        async def my_prompt_handler(): ...
+
+    Or:
+        @prompt("my_prompt")
+        async def my_prompt_handler(): ...
+
+    Or:
+        @prompt("my_prompt", protected=False, title="Custom Title")
+        async def my_prompt_handler(): ...
+
+    Args:
+        func_or_name: When used as @prompt, this will be the function.
+                     When used as @prompt("name"), this will be the name.
+        name: Prompt name (defaults to function name if not provided)
+        title: Prompt title (defaults to function name)
+        description: Prompt description (defaults to function docstring)
+        tags: Set of tags for categorizing the prompt
+        protect: Whether to require Superset authentication (defaults to True)
+
+    Returns:
+        Decorator function that registers and wraps the prompt, or the wrapped function
+
+    Raises:
+        NotImplementedError: If called before host implementation is initialized
+
+    Example:
+        @prompt
+        async def my_prompt_handler(ctx: Context) -> str:
+            '''Interactive prompt for doing something.'''
+            return "Prompt instructions here..."
+
+        @prompt("custom_prompt", protect=False, title="Custom Title")
+        async def public_prompt_handler(ctx: Context) -> str:
+            '''Public prompt accessible without auth'''
+            return "Public prompt accessible without auth"
+    """
+    raise NotImplementedError(
+        "MCP prompt decorator not initialized. "
+        "This decorator should be replaced during Superset startup."
+    )
+
+
+__all__ = [
+    "tool",
+    "prompt",
+]
--- a/superset-embedded-sdk/package-lock.json
+++ b/superset-embedded-sdk/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "@superset-ui/embedded-sdk",
-  "version": "0.2.0",
+  "version": "0.3.0",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "@superset-ui/embedded-sdk",
-      "version": "0.2.0",
+      "version": "0.3.0",
      "license": "Apache-2.0",
      "dependencies": {
        "@superset-ui/switchboard": "^0.20.3",
@@ -6696,9 +6696,9 @@
      "license": "MIT"
    },
    "node_modules/js-yaml": {
-      "version": "3.14.1",
-      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.1.tgz",
-      "integrity": "sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==",
+      "version": "3.14.2",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz",
+      "integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==",
      "dev": true,
      "dependencies": {
        "argparse": "^1.0.7",
@@ -12972,9 +12972,9 @@
      "dev": true
    },
    "js-yaml": {
-      "version": "3.14.1",
-      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.1.tgz",
-      "integrity": "sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==",
+      "version": "3.14.2",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz",
+      "integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==",
      "dev": true,
      "requires": {
        "argparse": "^1.0.7",
--- a/superset-embedded-sdk/package.json
+++ b/superset-embedded-sdk/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@superset-ui/embedded-sdk",
-  "version": "0.2.0",
+  "version": "0.3.0",
  "description": "SDK for embedding resources from Superset into your own application",
  "access": "public",
  "keywords": [
--- a/superset-embedded-sdk/src/index.ts
+++ b/superset-embedded-sdk/src/index.ts
@@ -81,6 +81,8 @@ export type ObserveDataMaskCallbackFn = (
    nativeFiltersChanged: boolean;
  },
 ) => void;
+export type ThemeMode = 'default' | 'dark' | 'system';
+
 export type EmbeddedDashboard = {
  getScrollSize: () => Promise<Size>;
  unmount: () => void;
@@ -91,7 +93,9 @@ export type EmbeddedDashboard = {
  ) => void;
  getDataMask: () => Promise<Record<string, any>>;
  getChartStates: () => Promise<Record<string, any>>;
+  getChartDataPayloads: (params?: { chartId?: number }) => Promise<Record<string, any>>;
  setThemeConfig: (themeConfig: Record<string, any>) => void;
+  setThemeMode: (mode: ThemeMode) => void;
 };

 /**
@@ -246,6 +250,8 @@ export async function embedDashboard({
  const getActiveTabs = () => ourPort.get<string[]>('getActiveTabs');
  const getDataMask = () => ourPort.get<Record<string, any>>('getDataMask');
  const getChartStates = () => ourPort.get<Record<string, any>>('getChartStates');
+  const getChartDataPayloads = (params?: { chartId?: number }) =>
+    ourPort.get<Record<string, any>>('getChartDataPayloads', params);
  const observeDataMask = (
    callbackFn: ObserveDataMaskCallbackFn,
  ) => {
@@ -265,6 +271,18 @@ export async function embedDashboard({
    }
  };

+  const setThemeMode = (mode: ThemeMode): void => {
+    try {
+      ourPort.emit('setThemeMode', { mode });
+      log(`Theme mode set to: ${mode}`);
+    } catch (error) {
+      log(
+        'Error sending theme mode. Ensure the iframe side implements the "setThemeMode" method.',
+      );
+      throw error;
+    }
+  };
+
  return {
    getScrollSize,
    unmount,
@@ -273,6 +291,8 @@ export async function embedDashboard({
    observeDataMask,
    getDataMask,
    getChartStates,
-    setThemeConfig
+    getChartDataPayloads,
+    setThemeConfig,
+    setThemeMode,
  };
 }
--- a/Show More
+++ b/Show More