chore: CHANGELOG.md for 6.1.0 RC3

chore: Bump core packages to 0.1.0 RC3 (#39823 )
(cherry picked from commit d23b0cad92)
2026-05-13 11:55:16 +00:00 · 2026-05-01 10:02:35 -03:00 · 2026-05-01 09:56:22 -03:00 · 2026-04-30 08:44:46 -03:00 · 2026-04-29 15:43:04 -03:00 · 2026-04-29 15:42:47 -03:00
1376 changed files with 47205 additions and 143310 deletions
--- a/.asf.yaml
+++ b/.asf.yaml
@@ -24,9 +24,7 @@ notifications:
  discussions: notifications@superset.apache.org

 github:
-  pull_requests:
-    del_branch_on_merge: true
-    allow_update_branch: true
+  del_branch_on_merge: true
  description: "Apache Superset is a Data Visualization and Data Exploration Platform"
  homepage: https://superset.apache.org/
  labels:
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -22,11 +22,6 @@

 /.github/ @villebro @geido @eschutho @rusackas @betodealmeida @nytai @mistercrunch @craig-rueda @kgabryje @dpgaspar @sadpandajoe @hainenber

-# Notify PMC members of changes to CI-executed scripts (supply-chain risk:
-# scripts/ files run directly in CI workflows and can execute arbitrary code)
-
-/scripts/ @villebro @geido @eschutho @rusackas @betodealmeida @nytai @mistercrunch @craig-rueda @kgabryje @dpgaspar @sadpandajoe @hainenber
-
 # Notify PMC members of changes to required GitHub Actions

 /.asf.yaml @villebro @geido @eschutho @rusackas @betodealmeida @nytai @mistercrunch @craig-rueda @kgabryje @dpgaspar @Antonio-RiveroMartnez
@@ -36,10 +31,6 @@
 **/*.geojson @villebro @rusackas
 /superset-frontend/plugins/legacy-plugin-chart-country-map/ @villebro @rusackas

-# Notify translation maintainers of changes to translations
-
-/superset/translations/ @sfirke
-
 # Notify PMC members of changes to extension-related files

 /docs/developer_portal/extensions/ @michael-s-molina @villebro @rusackas
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@@ -18,32 +18,10 @@ e-mail address [security@superset.apache.org](mailto:security@superset.apache.or
 More details can be found on the ASF website at
 [ASF vulnerability reporting process](https://apache.org/security/#reporting-a-vulnerability)

-**Submission Standards & AI Policy**
-
-To ensure engineering focus remains on verified risks and to manage high reporting volumes, all reports must meet the following criteria:
- Plain Text Format: In accordance with Apache guidelines, please provide all details in plain text within the email body. Avoid sending PDFs, Word documents, or password-protected archives.
- Mandatory AI Disclosure: If you utilized Large Language Models (LLMs) or AI tools to identify a flaw or assist in writing a report, you must disclose this in your submission so our triage team can contextualize the findings.
- Human-Verified PoC: All submissions must include a manual, step-by-step Proof of Concept (PoC) performed on a supported release. Raw AI outputs, hypothetical chat transcripts, or unverified scanner logs will be closed as Invalid.
-
-We kindly ask you to include the following information in your report to assist our developers in triaging and remediating issues efficiently:
- Version/Commit: The specific version of Apache Superset or the Git commit hash you are using.
- Configuration: A sanitized copy of your `superset_config.py` file or any config overrides.
- Environment: Your deployment method (e.g., Docker Compose, Helm, or source) and relevant OS/Browser details.
- Impacted Component: Identification of the affected area (e.g., Python backend, React frontend, or a specific database connector).
- Expected vs. Actual Behavior: A clear description of the intended system behavior versus the observed vulnerability.
- Detailed Reproduction Steps: Clear, manual steps to reproduce the vulnerability.
-
-**Out of Scope Vulnerabilities**
-
-To prioritize engineering efforts on genuine architectural risks, the following scenarios are explicitly out of scope and will not be issued a CVE:
- Attacks requiring Admin privileges: (e.g., CSS injection, template manipulation, dashboard ownership overrides, or modifying global system settings). Per the CVE vulnerability definition in CNA Operational Rules 4.1, a qualifying vulnerability must allow violation of a security policy. The Admin role is a fully trusted operational boundary defined by Apache Superset's security policy; actions within this boundary do not violate that policy and are therefore considered intended capabilities 'by design,' not vulnerabilities.
- Brute Force and Rate Limiting: Reports targeting a lack of resource exhaustion protections, generic rate-limiting, or volumetric Denial of Service (DoS) attempts.
- Theoretical attack vectors: Issues without a demonstrable, reproducible exploit path.
- Non-Exploitable Findings: Missing security headers, generic banner disclosures, or descriptive error messages that do not lead to a direct, documented exploit.
-
-**Outcome of Reports**
-
-Reports that are deemed out-of-scope for a CVE but represent valid security best practices or hardening opportunities may be converted into public GitHub issues. This allows the community to contribute to the general hardening of the platform even when a specific vulnerability threshold is not met.
+We kindly ask you to include the following information in your report:
+- Apache Superset version that you are using
+- A sanitized copy of your `superset_config.py` file or any config overrides
+- Detailed steps to reproduce the vulnerability

 Note that Apache Superset is not responsible for any third-party dependencies that may
 have security issues. Any vulnerabilities found in third-party dependencies should be
@@ -51,13 +29,6 @@ reported to the maintainers of those projects. Results from security scans of Ap
 Superset dependencies found on its official Docker image can be remediated at release time
 by extending the image itself.

-**Vulnerability Aggregation & CVE Attribution**
-
-In accordance with MITRE CNA Operational Rules (4.1.10, 4.1.11, and 4.2.13), Apache Superset issues CVEs based on the underlying architectural root cause rather than the number of affected endpoints or exploit payloads.
- Aggregation: If multiple exploit vectors stem from the same programmatic failure or shared vulnerable code, they must be aggregated into a single, comprehensive report.
- Independent Fixes: Separate CVEs will only be assigned if the vulnerabilities reside in decoupled architectural modules and can be fixed independently of one another.
-Reports that fail to aggregate related findings will be merged during triage to ensure an accurate and defensible CVE record.
-
 **Your responsible disclosure and collaboration are invaluable.**

 ## Extra Information
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,10 +4,6 @@ updates:

  - package-ecosystem: "github-actions"
    directory: "/"
-    ignore:
-      # Ignore temporarily as release schedule is too mentally taxing for dep-handling maintainers
-      # Additionally, very few PRs are reviewed by this action.
-      - dependency-name: anthropics/claude-code-action
    schedule:
      interval: "daily"

@@ -37,10 +33,6 @@ updates:
      # `just-handlerbars-helpers` library in plugin-chart-handlebars requires `currencyformatter`` to be < 2
      - dependency-name: "currencyformatter.js"
        update-types: ["version-update:semver-major"]
-      # TODO: remove below clause once https://github.com/pmmmwh/react-refresh-webpack-plugin/pull/940 lands onto a future release
-      # and confirm the issue https://github.com/apache/superset/issues/39600 is fixed
-      - dependency-name: "react-checkbox-tree"
-        update-types: ["version-update:semver-major"]
    groups:
      storybook:
        applies-to: version-updates
@@ -59,13 +51,15 @@ updates:
    versioning-strategy: increase


-  - package-ecosystem: "pip"
-    directory: "/"
+  # NOTE: `uv` support is in beta, more details here:
+  # https://github.com/dependabot/dependabot-core/pull/10040#issuecomment-2696978430
+  - package-ecosystem: "uv"
+    directory: "requirements/"
    open-pull-requests-limit: 10
    schedule:
      interval: "weekly"
    labels:
-      - pip
+      - uv
      - dependabot

  - package-ecosystem: "npm"
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -17,11 +17,6 @@
  - any-glob-to-any-file:
    - 'superset/migrations/**'

-"risk:ci-script":
- changed-files:
-  - any-glob-to-any-file:
-    - 'scripts/**'
-
 ############################################
 # Dependencies
 ############################################
@@ -77,11 +72,6 @@
  - any-glob-to-any-file:
    - 'superset/translations/zh/**'

-"i18n:czech":
- changed-files:
-  - any-glob-to-any-file:
-    - 'superset/translations/cs/**'
-
 "i18n:traditional-chinese":
 - changed-files:
  - any-glob-to-any-file:
@@ -127,11 +117,6 @@
  - any-glob-to-any-file:
    - 'superset/translations/sk/**'

-"i18n:latvian":
- changed-files:
-  - any-glob-to-any-file:
-    - 'superset/translations/lv/**'
-
 "i18n:ukrainian":
 - changed-files:
  - any-glob-to-any-file:
--- a/.github/workflows/bashlib.sh
+++ b/.github/workflows/bashlib.sh
@@ -127,20 +127,6 @@ playwright_testdata() {
  superset load_test_users
  superset load_examples
  superset init
-  # Enable DML on the examples database so Playwright tests can create/drop
-  # temporary tables via SQL Lab without depending on external data sources.
-  superset shell <<'PYEOF'
-import sys
-from superset.extensions import db
-from superset.models.core import Database
-examples_db = db.session.query(Database).filter_by(database_name='examples').first()
-if not examples_db:
-    sys.exit('ERROR: examples database not found. load_examples may have failed.')
-
-examples_db.allow_dml = True
-db.session.commit()
-print('Enabled allow_dml on examples database')
-PYEOF
  say "::endgroup::"
 }

--- a/.github/workflows/bump-python-package.yml
+++ b/.github/workflows/bump-python-package.yml
@@ -51,31 +51,27 @@ jobs:
      - name: supersetbot bump-python -p "${{ github.event.inputs.package }}"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          INPUT_PACKAGE: ${{ github.event.inputs.package }}
-          INPUT_GROUP: ${{ github.event.inputs.group }}
-          INPUT_EXTRA_FLAGS: ${{ github.event.inputs.extra-flags }}
-          INPUT_LIMIT: ${{ github.event.inputs.limit }}
        run: |
          git config --global user.email "action@github.com"
          git config --global user.name "GitHub Action"

          PACKAGE_OPT=""
-          if [ -n "${INPUT_PACKAGE}" ]; then
-            PACKAGE_OPT="-p ${INPUT_PACKAGE}"
+          if [ -n "${{ github.event.inputs.package }}" ]; then
+            PACKAGE_OPT="-p ${{ github.event.inputs.package }}"
          fi

          GROUP_OPT=""
-          if [ -n "${INPUT_GROUP}" ]; then
-            GROUP_OPT="-g ${INPUT_GROUP}"
+          if [ -n "${{ github.event.inputs.group }}" ]; then
+            GROUP_OPT="-g ${{ github.event.inputs.group }}"
          fi

-          EXTRA_FLAGS="${INPUT_EXTRA_FLAGS}"
+          EXTRA_FLAGS="${{ github.event.inputs.extra-flags }}"

          supersetbot bump-python \
            --verbose \
            --use-current-repo \
            --include-subpackages \
-            --limit ${INPUT_LIMIT} \
+            --limit ${{ github.event.inputs.limit }} \
            $PACKAGE_OPT \
            $GROUP_OPT \
            $EXTRA_FLAGS
--- a/.github/workflows/check_db_migration_confict.yml
+++ b/.github/workflows/check_db_migration_confict.yml
@@ -27,7 +27,7 @@ jobs:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Check and notify
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        with:
          github-token: ${{ github.token }}
          script: |
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -17,12 +17,13 @@ jobs:
    steps:
      - name: Check if user is allowed
        id: check
-        env:
-          COMMENTER: ${{ github.event.comment.user.login }}
        run: |
          # List of allowed users
          ALLOWED_USERS="mistercrunch,rusackas"

+          # Get the commenter's username
+          COMMENTER="${{ github.event.comment.user.login }}"
+
          echo "Checking permissions for user: $COMMENTER"

          # Check if user is in allowed list
@@ -43,13 +44,10 @@ jobs:
      pull-requests: write
    steps:
      - name: Comment access denied
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        env:
-          COMMENTER_LOGIN: ${{ github.event.comment.user.login || github.event.review.user.login || github.event.issue.user.login }}
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        with:
          script: |
-            const commenter = process.env.COMMENTER_LOGIN;
-            const message = `👋 Hi @${commenter}!
+            const message = `👋 Hi @${{ github.event.comment.user.login || github.event.review.user.login || github.event.issue.user.login }}!

            Thanks for trying to use Claude Code, but currently only certain team members have access to this feature.

@@ -78,7 +76,7 @@ jobs:
        fetch-depth: 1

    - name: Run Claude PR Action
-      uses: anthropics/claude-code-action@5fb899572b81d2bb648d4d187173a2f423a9677c # beta
+      uses: anthropics/claude-code-action@28f83620103c48a57093dcc2837eec89e036bb9f # beta
      with:
        anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
        timeout_minutes: "60"
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -41,7 +41,7 @@ jobs:

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
+        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,6 +53,6 @@ jobs:

      - name: Perform CodeQL Analysis
        if: steps.check.outputs.python || steps.check.outputs.frontend
-        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
+        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{matrix.language}}"
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -14,7 +14,6 @@ concurrency:
  cancel-in-progress: true

 jobs:
-
  setup_matrix:
    runs-on: ubuntu-24.04
    outputs:
@@ -40,7 +39,6 @@ jobs:
      IMAGE_TAG: apache/superset:GHA-${{ matrix.build_preset }}-${{ github.run_id }}

    steps:
-
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
@@ -91,7 +89,7 @@ jobs:
      # in the context of push (using multi-platform build), we need to pull the image locally
      - name: Docker pull
        if: github.event_name == 'push' && (steps.check.outputs.python || steps.check.outputs.frontend || steps.check.outputs.docker)
-        run:  docker pull $IMAGE_TAG
+        run: docker pull $IMAGE_TAG

      - name: Print docker stats
        if: steps.check.outputs.python || steps.check.outputs.frontend || steps.check.outputs.docker
--- a/.github/workflows/embedded-sdk-release.yml
+++ b/.github/workflows/embedded-sdk-release.yml
@@ -16,12 +16,10 @@ jobs:
        id: check
        shell: bash
        run: |
-          if [ -n "${NPM_TOKEN}" ]; then
+          if [ -n "${{ (secrets.NPM_TOKEN != '') || '' }}" ]; then
            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
          fi

-        env:
-          NPM_TOKEN: ${{ (secrets.NPM_TOKEN != '') || '' }}
  build:
    needs: config
    if: needs.config.outputs.has-secrets
@@ -31,7 +29,7 @@ jobs:
        working-directory: superset-embedded-sdk
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version-file: './superset-embedded-sdk/.nvmrc'
          registry-url: 'https://registry.npmjs.org'
--- a/.github/workflows/embedded-sdk-test.yml
+++ b/.github/workflows/embedded-sdk-test.yml
@@ -19,7 +19,7 @@ jobs:
        working-directory: superset-embedded-sdk
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version-file: './superset-embedded-sdk/.nvmrc'
          registry-url: 'https://registry.npmjs.org'
--- a/.github/workflows/ephemeral-env-pr-close.yml
+++ b/.github/workflows/ephemeral-env-pr-close.yml
@@ -20,12 +20,10 @@ jobs:
        id: check
        shell: bash
        run: |
-          if [ -n "${AWS_ACCESS_KEY_ID}" ]; then
+          if [ -n "${{ (secrets.AWS_ACCESS_KEY_ID != '' && secrets.AWS_SECRET_ACCESS_KEY != '') || '' }}" ]; then
            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
          fi

-        env:
-          AWS_ACCESS_KEY_ID: ${{ (secrets.AWS_ACCESS_KEY_ID != '' && secrets.AWS_SECRET_ACCESS_KEY != '') || '' }}
  ephemeral-env-cleanup:
    needs: config
    if: needs.config.outputs.has-secrets
@@ -35,7 +33,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6
+        uses: aws-actions/configure-aws-credentials@v6
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -58,7 +56,7 @@ jobs:
      - name: Login to Amazon ECR
        if: steps.describe-services.outputs.active == 'true'
        id: login-ecr
-        uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2
+        uses: aws-actions/amazon-ecr-login@v2

      - name: Delete ECR image tag
        if: steps.describe-services.outputs.active == 'true'
@@ -71,7 +69,7 @@ jobs:

      - name: Comment (success)
        if: steps.describe-services.outputs.active == 'true'
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        with:
          github-token: ${{github.token}}
          script: |
--- a/.github/workflows/ephemeral-env.yml
+++ b/.github/workflows/ephemeral-env.yml
@@ -47,7 +47,7 @@ jobs:
        id: eval-label
        run: |
          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            LABEL_NAME="${INPUT_LABEL_NAME}"
+            LABEL_NAME="${{ github.event.inputs.label_name }}"
          else
            LABEL_NAME="${{ github.event.label.name }}"
          fi
@@ -60,12 +60,10 @@ jobs:
            echo "result=noop" >> $GITHUB_OUTPUT
          fi

-        env:
-          INPUT_LABEL_NAME: ${{ github.event.inputs.label_name }}
      - name: Get event SHA
        id: get-sha
        if: steps.eval-label.outputs.result == 'up'
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
@@ -96,7 +94,7 @@ jobs:
            core.setOutput("sha", prSha);

      - name: Looking for feature flags in PR description
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        id: eval-feature-flags
        if: steps.eval-label.outputs.result == 'up'
        with:
@@ -118,7 +116,7 @@ jobs:
            return results;

      - name: Reply with confirmation comment
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        if: steps.eval-label.outputs.result == 'up'
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -199,7 +197,7 @@ jobs:

      - name: Login to Amazon ECR
        id: login-ecr
-        uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2
+        uses: aws-actions/amazon-ecr-login@c962da2960ed15f492addc26fffa274485265950 # v2

      - name: Load, tag and push image to ECR
        id: push-image
@@ -235,7 +233,7 @@ jobs:

      - name: Login to Amazon ECR
        id: login-ecr
-        uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2
+        uses: aws-actions/amazon-ecr-login@c962da2960ed15f492addc26fffa274485265950 # v2

      - name: Check target image exists in ECR
        id: check-image
@@ -250,7 +248,7 @@ jobs:

      - name: Fail on missing container image
        if: steps.check-image.outcome == 'failure'
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        with:
          github-token: ${{ github.token }}
          script: |
@@ -265,7 +263,7 @@ jobs:

      - name: Fill in the new image ID in the Amazon ECS task definition
        id: task-def
-        uses: aws-actions/amazon-ecs-render-task-definition@6853cfae8c3a7d978fbf68b5a55453395541dfbb # v1
+        uses: aws-actions/amazon-ecs-render-task-definition@77954e213ba1f9f9cb016b86a1d4f6fcdea0d57e # v1
        with:
          task-definition: .github/workflows/ecs-task-definition.json
          container-name: superset-ci
@@ -278,9 +276,7 @@ jobs:
      - name: Describe ECS service
        id: describe-services
        run: |
-          echo "active=$(aws ecs describe-services --cluster superset-ci --services pr-${INPUT_ISSUE_NUMBER}-service | jq '.services[] | select(.status == "ACTIVE") | any')" >> $GITHUB_OUTPUT
-        env:
-          INPUT_ISSUE_NUMBER: ${{ github.event.inputs.issue_number || github.event.pull_request.number }}
+          echo "active=$(aws ecs describe-services --cluster superset-ci --services pr-${{ github.event.inputs.issue_number || github.event.pull_request.number }}-service | jq '.services[] | select(.status == "ACTIVE") | any')" >> $GITHUB_OUTPUT
      - name: Create ECS service
        id: create-service
        if: steps.describe-services.outputs.active != 'true'
@@ -300,7 +296,7 @@ jobs:
          --tags key=pr,value=$PR_NUMBER key=github_user,value=${{ github.actor }}
      - name: Deploy Amazon ECS task definition
        id: deploy-task
-        uses: aws-actions/amazon-ecs-deploy-task-definition@a310a830f5c14e583e35d84e4e1ec7dd177c3c9c # v2
+        uses: aws-actions/amazon-ecs-deploy-task-definition@cbf54ec46642b86ff78c2f5793da6746954cf8ff # v2
        with:
          task-definition: ${{ steps.task-def.outputs.task-definition }}
          service: pr-${{ github.event.inputs.issue_number || github.event.pull_request.number }}-service
@@ -311,9 +307,7 @@ jobs:
      - name: List tasks
        id: list-tasks
        run: |
-          echo "task=$(aws ecs list-tasks --cluster superset-ci --service-name pr-${INPUT_ISSUE_NUMBER}-service | jq '.taskArns | first')" >> $GITHUB_OUTPUT
-        env:
-          INPUT_ISSUE_NUMBER: ${{ github.event.inputs.issue_number || github.event.pull_request.number }}
+          echo "task=$(aws ecs list-tasks --cluster superset-ci --service-name pr-${{ github.event.inputs.issue_number || github.event.pull_request.number }}-service | jq '.taskArns | first')" >> $GITHUB_OUTPUT
      - name: Get network interface
        id: get-eni
        run: |
@@ -324,7 +318,7 @@ jobs:
          echo "ip=$(aws ec2 describe-network-interfaces --network-interface-ids ${{ steps.get-eni.outputs.eni }} | jq -r '.NetworkInterfaces | first | .Association.PublicIp')" >> $GITHUB_OUTPUT
      - name: Comment (success)
        if: ${{ success() }}
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        with:
          github-token: ${{github.token}}
          script: |
@@ -337,7 +331,7 @@ jobs:
            });
      - name: Comment (failure)
        if: ${{ failure() }}
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        with:
          github-token: ${{github.token}}
          script: |
--- a/.github/workflows/generate-FOSSA-report.yml
+++ b/.github/workflows/generate-FOSSA-report.yml
@@ -16,12 +16,10 @@ jobs:
        id: check
        shell: bash
        run: |
-          if [ -n "${FOSSA_API_KEY}" ]; then
+          if [ -n "${{ (secrets.FOSSA_API_KEY != '' ) || '' }}" ]; then
            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
          fi

-        env:
-          FOSSA_API_KEY: ${{ (secrets.FOSSA_API_KEY != '' ) || '' }}
  license_check:
    needs: config
    if: needs.config.outputs.has-secrets
--- a/.github/workflows/github-action-validator.yml
+++ b/.github/workflows/github-action-validator.yml
@@ -17,7 +17,7 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: '20'

--- a/.github/workflows/latest-release-tag.yml
+++ b/.github/workflows/latest-release-tag.yml
@@ -29,7 +29,7 @@ jobs:

    - name: Run latest-tag
      uses: ./.github/actions/latest-tag
-      if: steps.latest-tag.outputs.SKIP_TAG != 'true'
+      if: (! ${{ steps.latest-tag.outputs.SKIP_TAG }} )
      with:
        description: Superset latest release
        tag-name: latest
--- a/.github/workflows/no-hold-label.yml
+++ b/.github/workflows/no-hold-label.yml
@@ -17,7 +17,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
    - name: Check for 'hold' label
-      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
      with:
        github-token: ${{secrets.GITHUB_TOKEN}}
        script: |
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -42,7 +42,7 @@ jobs:
          echo "HOMEBREW_REPOSITORY=$HOMEBREW_REPOSITORY" >>"${GITHUB_ENV}"
          brew install norwoodj/tap/helm-docs
      - name: Setup Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: '20'

@@ -57,24 +57,18 @@ jobs:
          yarn install --immutable

      - name: Cache pre-commit environments
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: ~/.cache/pre-commit
          key: pre-commit-v2-${{ runner.os }}-py${{ matrix.python-version }}-${{ hashFiles('.pre-commit-config.yaml') }}
          restore-keys: |
            pre-commit-v2-${{ runner.os }}-py${{ matrix.python-version }}-

-      - name: Get changed files
-        id: changed_files
-        uses: ./.github/actions/file-changes-action
-        with:
-          output: ' '
-
      - name: pre-commit
        run: |
          set +e  # Don't exit immediately on failure
-          export SKIP=type-checking-frontend
-          pre-commit run --files ${{ steps.changed_files.outputs.files }}
+          export SKIP=eslint-frontend,type-checking-frontend
+          pre-commit run --all-files
          PRE_COMMIT_EXIT_CODE=$?
          git diff --quiet --exit-code
          GIT_DIFF_EXIT_CODE=$?
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,12 +16,10 @@ jobs:
        id: check
        shell: bash
        run: |
-          if [ -n "${NPM_TOKEN}" ]; then
+          if [ -n "${{ (secrets.NPM_TOKEN != '' && secrets.GH_PERSONAL_ACCESS_TOKEN != '') || '' }}" ]; then
            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
          fi

-        env:
-          NPM_TOKEN: ${{ (secrets.NPM_TOKEN != '' && secrets.GH_PERSONAL_ACCESS_TOKEN != '') || '' }}
  build:
    needs: config
    if: needs.config.outputs.has-secrets
@@ -44,13 +42,13 @@ jobs:

      - name: Install Node.js
        if: env.HAS_TAGS
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version-file: './superset-frontend/.nvmrc'

      - name: Cache npm
        if: env.HAS_TAGS
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: ~/.npm # npm cache files are stored in `~/.npm` on Linux/macOS
          key: ${{ runner.OS }}-node-${{ hashFiles('**/package-lock.json') }}
@@ -64,7 +62,7 @@ jobs:
        run: echo "dir=$(npm config get cache)" >> $GITHUB_OUTPUT
      - name: Cache npm
        if: env.HAS_TAGS
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        id: npm-cache # use this to check for `cache-hit` (`steps.npm-cache.outputs.cache-hit != 'true'`)
        with:
          path: ${{ steps.npm-cache-dir-path.outputs.dir }}
--- a/.github/workflows/showtime-trigger.yml
+++ b/.github/workflows/showtime-trigger.yml
@@ -37,7 +37,7 @@ jobs:
    steps:
      - name: Security Check - Authorize Maintainers Only
        id: auth
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
@@ -102,12 +102,10 @@ jobs:
      - name: Install Superset Showtime
        if: steps.auth.outputs.authorized == 'true'
        run: |
-          echo "::notice::Maintainer ${{ github.actor }} triggered deploy for PR ${PULL_REQUEST_NUMBER}"
+          echo "::notice::Maintainer ${{ github.actor }} triggered deploy for PR ${{ github.event.pull_request.number || github.event.inputs.pr_number }}"
          pip install --upgrade superset-showtime
          showtime version

-        env:
-          PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number || github.event.inputs.pr_number }}
      - name: Check what actions are needed
        if: steps.auth.outputs.authorized == 'true'
        id: check
@@ -115,14 +113,12 @@ jobs:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          INPUT_PR_NUMBER: ${{ github.event.inputs.pr_number }}
-          INPUT_SHA: ${{ github.event.inputs.sha }}
        run: |
          # Bulletproof PR number extraction
          if [[ -n "${{ github.event.pull_request.number }}" ]]; then
            PR_NUM="${{ github.event.pull_request.number }}"
-          elif [[ -n "${INPUT_PR_NUMBER}" ]]; then
-            PR_NUM="${INPUT_PR_NUMBER}"
+          elif [[ -n "${{ github.event.inputs.pr_number }}" ]]; then
+            PR_NUM="${{ github.event.inputs.pr_number }}"
          else
            echo "❌ No PR number found in event or inputs"
            exit 1
@@ -131,8 +127,8 @@ jobs:
          echo "Using PR number: $PR_NUM"

          # Run sync check-only with optional SHA override
-          if [[ -n "${INPUT_SHA}" ]]; then
-            OUTPUT=$(python -m showtime sync $PR_NUM --check-only --sha "${INPUT_SHA}")
+          if [[ -n "${{ github.event.inputs.sha }}" ]]; then
+            OUTPUT=$(python -m showtime sync $PR_NUM --check-only --sha "${{ github.event.inputs.sha }}")
          else
            OUTPUT=$(python -m showtime sync $PR_NUM --check-only)
          fi
--- a/.github/workflows/superset-docs-deploy.yml
+++ b/.github/workflows/superset-docs-deploy.yml
@@ -17,16 +17,6 @@ on:

  workflow_dispatch: {}

-# Serialize deploys: the action pushes to apache/superset-site without
-# rebasing, so concurrent runs race on the final push and the loser fails
-# with `! [rejected] asf-site -> asf-site (fetch first)`. Cancel any
-# in-progress run as soon as a newer one starts — the destination repo
-# isn't touched until the final push step, so canceling mid-build is safe,
-# and the freshest content always wins.
-concurrency:
-  group: docs-deploy-asf-site
-  cancel-in-progress: true
-
 jobs:
  config:
    runs-on: ubuntu-24.04
@@ -37,12 +27,10 @@ jobs:
        id: check
        shell: bash
        run: |
-          if [ -n "${SUPERSET_SITE_BUILD}" ]; then
+          if [ -n "${{ (secrets.SUPERSET_SITE_BUILD != '' && secrets.SUPERSET_SITE_BUILD != '') || '' }}" ]; then
            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
          fi

-        env:
-          SUPERSET_SITE_BUILD: ${{ (secrets.SUPERSET_SITE_BUILD != '' && secrets.SUPERSET_SITE_BUILD != '') || '' }}
  build-deploy:
    needs: config
    if: needs.config.outputs.has-secrets
@@ -56,15 +44,15 @@ jobs:
          persist-credentials: false
          submodules: recursive
      - name: Set up Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
-          node-version-file: './docs/.nvmrc'
+          node-version-file: "./docs/.nvmrc"
      - name: Setup Python
        uses: ./.github/actions/setup-backend/
      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
        with:
-          distribution: 'zulu'
-          java-version: '21'
+          distribution: "zulu"
+          java-version: "21"
      - name: Install Graphviz
        run: sudo apt-get install -y graphviz
      - name: Compute Entity Relationship diagram (ERD)
@@ -80,7 +68,7 @@ jobs:
          yarn install --check-cache
      - name: Download database diagnostics (if triggered by integration tests)
        if: github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success'
-        uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21
+        uses: dawidd6/action-download-artifact@8a338493df3d275e4a7a63bcff3b8fe97e51a927 # v19
        continue-on-error: true
        with:
          workflow: superset-python-integrationtest.yml
@@ -89,7 +77,7 @@ jobs:
          path: docs/src/data/
      - name: Try to download latest diagnostics (for push/dispatch triggers)
        if: github.event_name != 'workflow_run'
-        uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21
+        uses: dawidd6/action-download-artifact@8a338493df3d275e4a7a63bcff3b8fe97e51a927 # v19
        continue-on-error: true
        with:
          workflow: superset-python-integrationtest.yml
--- a/.github/workflows/superset-docs-verify.yml
+++ b/.github/workflows/superset-docs-verify.yml
@@ -27,7 +27,7 @@ jobs:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      # Do not bump this linkinator-action version without opening
      # an ASF Infra ticket to allow the new version first!
-      - uses: JustinBeckwith/linkinator-action@af984b9f30f63e796ae2ea5be5e07cb587f1bbd9  # v2.3
+      - uses: JustinBeckwith/linkinator-action@af984b9f30f63e796ae2ea5be5e07cb587f1bbd9 # v2.3
        continue-on-error: true # This will make the job advisory (non-blocking, no red X)
        with:
          paths: "**/*.md, **/*.mdx"
@@ -72,9 +72,9 @@ jobs:
          persist-credentials: false
          submodules: recursive
      - name: Set up Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
-          node-version-file: './docs/.nvmrc'
+          node-version-file: "./docs/.nvmrc"
      - name: yarn install
        run: |
          yarn install --check-cache
@@ -104,20 +104,20 @@ jobs:
          persist-credentials: false
          submodules: recursive
      - name: Set up Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
-          node-version-file: './docs/.nvmrc'
+          node-version-file: "./docs/.nvmrc"
      - name: yarn install
        run: |
          yarn install --check-cache
      - name: Download database diagnostics from integration tests
-        uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21
+        uses: dawidd6/action-download-artifact@8a338493df3d275e4a7a63bcff3b8fe97e51a927 # v19
        with:
          workflow: superset-python-integrationtest.yml
          run_id: ${{ github.event.workflow_run.id }}
          name: database-diagnostics
          path: docs/src/data/
-          if_no_artifact_found: 'warning'
+          if_no_artifact_found: "warning"
      - name: Use fresh diagnostics
        run: |
          if [ -f "src/data/databases-diagnostics.json" ]; then
--- a/.github/workflows/superset-e2e.yml
+++ b/.github/workflows/superset-e2e.yml
@@ -109,7 +109,7 @@ jobs:
          run: testdata
      - name: Setup Node.js
        if: steps.check.outputs.python || steps.check.outputs.frontend
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version-file: './superset-frontend/.nvmrc'
      - name: Install npm dependencies
@@ -146,7 +146,7 @@ jobs:
          SAFE_APP_ROOT=${APP_ROOT//\//_}
          echo "safe_app_root=$SAFE_APP_ROOT" >> $GITHUB_OUTPUT
      - name: Upload Artifacts
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        if: failure()
        with:
          path: ${{ github.workspace }}/superset-frontend/cypress-base/cypress/screenshots
@@ -226,7 +226,7 @@ jobs:
          run: playwright_testdata
      - name: Setup Node.js
        if: steps.check.outputs.python || steps.check.outputs.frontend
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version-file: './superset-frontend/.nvmrc'
      - name: Install npm dependencies
@@ -259,7 +259,7 @@ jobs:
          SAFE_APP_ROOT=${APP_ROOT//\//_}
          echo "safe_app_root=$SAFE_APP_ROOT" >> $GITHUB_OUTPUT
      - name: Upload Playwright Artifacts
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        if: failure()
        with:
          path: |
--- a/.github/workflows/superset-extensions-cli.yml
+++ b/.github/workflows/superset-extensions-cli.yml
@@ -49,7 +49,7 @@ jobs:

      - name: Upload coverage reports to Codecov
        if: steps.check.outputs.superset-extensions-cli
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
+        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
        with:
          file: ./coverage.xml
          flags: superset-extensions-cli
@@ -58,7 +58,7 @@ jobs:

      - name: Upload HTML coverage report
        if: steps.check.outputs.superset-extensions-cli
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: superset-extensions-cli-coverage-html
          path: htmlcov/
--- a/.github/workflows/superset-frontend.yml
+++ b/.github/workflows/superset-frontend.yml
@@ -54,14 +54,14 @@ jobs:
      - name: Save Docker Image as Artifact
        if: steps.check.outputs.frontend
        run: |
-          docker save $TAG | zstd -3 --threads=0 > docker-image.tar.zst
+          docker save $TAG | gzip > docker-image.tar.gz

      - name: Upload Docker Image Artifact
        if: steps.check.outputs.frontend
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: docker-image
-          path: docker-image.tar.zst
+          path: docker-image.tar.gz

  sharded-jest-tests:
    needs: frontend-build
@@ -78,8 +78,7 @@ jobs:
          name: docker-image

      - name: Load Docker Image
-        run: |
-          zstd -d < docker-image.tar.zst | docker load
+        run: docker load < docker-image.tar.gz

      - name: npm run test with coverage
        run: |
@@ -91,7 +90,7 @@ jobs:
          "npm run test -- --coverage --shard=${{ matrix.shard }}/8 --coverageReporters=json"

      - name: Upload Coverage Artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: coverage-artifacts-${{ matrix.shard }}
          path: superset-frontend/coverage
@@ -128,7 +127,7 @@ jobs:
        run: npx nyc merge coverage/ merged-output/coverage-summary.json

      - name: Upload Code Coverage
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
+        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
        with:
          flags: javascript
          use_oidc: true
@@ -149,7 +148,7 @@ jobs:

      - name: Load Docker Image
        run: |
-          zstd -d < docker-image.tar.zst | docker load
+          docker load < docker-image.tar.gz

      - name: lint
        run: |
@@ -172,8 +171,7 @@ jobs:
          name: docker-image

      - name: Load Docker Image
-        run: |
-          zstd -d < docker-image.tar.zst | docker load
+        run: docker load < docker-image.tar.gz

      - name: Build Plugins Packages
        run: |
@@ -191,8 +189,7 @@ jobs:
          name: docker-image

      - name: Load Docker Image
-        run: |
-          zstd -d < docker-image.tar.zst | docker load
+        run: docker load < docker-image.tar.gz

      - name: Build Storybook and Run Tests
        run: |
--- a/.github/workflows/superset-helm-lint.yml
+++ b/.github/workflows/superset-helm-lint.yml
@@ -23,7 +23,7 @@ jobs:
          fetch-depth: 0

      - name: Set up Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
        with:
          version: v3.16.4

--- a/.github/workflows/superset-helm-release.yml
+++ b/.github/workflows/superset-helm-release.yml
@@ -42,7 +42,7 @@ jobs:
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"

      - name: Install Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
        with:
          version: v3.5.4

@@ -101,7 +101,7 @@ jobs:
          CR_RELEASE_NAME_TEMPLATE: "superset-helm-chart-{{ .Version }}"

      - name: Open Pull Request
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        with:
          script: |
            const branchName = '${{ env.branch_name }}';
--- a/.github/workflows/superset-playwright.yml
+++ b/.github/workflows/superset-playwright.yml
@@ -100,7 +100,7 @@ jobs:
          run: playwright_testdata
      - name: Setup Node.js
        if: steps.check.outputs.python || steps.check.outputs.frontend
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version-file: './superset-frontend/.nvmrc'
      - name: Install npm dependencies
@@ -133,7 +133,7 @@ jobs:
          SAFE_APP_ROOT=${APP_ROOT//\//_}
          echo "safe_app_root=$SAFE_APP_ROOT" >> $GITHUB_OUTPUT
      - name: Upload Playwright Artifacts
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        if: failure()
        with:
          path: |
--- a/.github/workflows/superset-python-integrationtest.yml
+++ b/.github/workflows/superset-python-integrationtest.yml
@@ -16,8 +16,6 @@ concurrency:
 jobs:
  test-mysql:
    runs-on: ubuntu-24.04
-    permissions:
-      id-token: write
    env:
      PYTHONPATH: ${{ github.workspace }}
      SUPERSET_CONFIG: tests.integration_tests.superset_test_config
@@ -70,12 +68,11 @@ jobs:
        run: |
          ./scripts/python_tests.sh
      - name: Upload code coverage
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
+        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
        with:
          flags: python,mysql
+          token: ${{ secrets.CODECOV_TOKEN }}
          verbose: true
-          use_oidc: true
-          slug: apache/superset
      - name: Generate database diagnostics for docs
        if: steps.check.outputs.python
        env:
@@ -101,15 +98,13 @@ jobs:
          "
      - name: Upload database diagnostics artifact
        if: steps.check.outputs.python
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: database-diagnostics
          path: databases-diagnostics.json
          retention-days: 7
  test-postgres:
    runs-on: ubuntu-24.04
-    permissions:
-      id-token: write
    strategy:
      matrix:
        python-version: ["current", "previous", "next"]
@@ -164,17 +159,14 @@ jobs:
        run: |
          ./scripts/python_tests.sh
      - name: Upload code coverage
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
+        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
        with:
          flags: python,postgres
+          token: ${{ secrets.CODECOV_TOKEN }}
          verbose: true
-          use_oidc: true
-          slug: apache/superset

  test-sqlite:
    runs-on: ubuntu-24.04
-    permissions:
-      id-token: write
    env:
      PYTHONPATH: ${{ github.workspace }}
      SUPERSET_CONFIG: tests.integration_tests.superset_test_config
@@ -219,9 +211,8 @@ jobs:
        run: |
          ./scripts/python_tests.sh
      - name: Upload code coverage
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
+        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
        with:
          flags: python,sqlite
+          token: ${{ secrets.CODECOV_TOKEN }}
          verbose: true
-          use_oidc: true
-          slug: apache/superset
--- a/.github/workflows/superset-python-presto-hive.yml
+++ b/.github/workflows/superset-python-presto-hive.yml
@@ -17,8 +17,6 @@ concurrency:
 jobs:
  test-postgres-presto:
    runs-on: ubuntu-24.04
-    permissions:
-      id-token: write
    env:
      PYTHONPATH: ${{ github.workspace }}
      SUPERSET_CONFIG: tests.integration_tests.superset_test_config
@@ -79,17 +77,14 @@ jobs:
        run: |
          ./scripts/python_tests.sh -m 'chart_data_flow or sql_json_flow'
      - name: Upload code coverage
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
+        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
        with:
          flags: python,presto
+          token: ${{ secrets.CODECOV_TOKEN }}
          verbose: true
-          use_oidc: true
-          slug: apache/superset

  test-postgres-hive:
    runs-on: ubuntu-24.04
-    permissions:
-      id-token: write
    env:
      PYTHONPATH: ${{ github.workspace }}
      SUPERSET_CONFIG: tests.integration_tests.superset_test_config
@@ -150,9 +145,8 @@ jobs:
          pip install -e .[hive]
          ./scripts/python_tests.sh -m 'chart_data_flow or sql_json_flow'
      - name: Upload code coverage
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
+        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
        with:
          flags: python,hive
+          token: ${{ secrets.CODECOV_TOKEN }}
          verbose: true
-          use_oidc: true
-          slug: apache/superset
--- a/.github/workflows/superset-python-unittest.yml
+++ b/.github/workflows/superset-python-unittest.yml
@@ -17,8 +17,6 @@ concurrency:
 jobs:
  unit-tests:
    runs-on: ubuntu-24.04
-    permissions:
-      id-token: write
    strategy:
      matrix:
        python-version: ["previous", "current", "next"]
@@ -54,11 +52,9 @@ jobs:
          SUPERSET_SECRET_KEY: not-a-secret
        run: |
          pytest --durations-min=0.5 --cov=superset/sql/ ./tests/unit_tests/sql/ --cache-clear --cov-fail-under=100
-          pytest --durations-min=0.5 --cov=superset/semantic_layers/ ./tests/unit_tests/semantic_layers/ --cache-clear --cov-fail-under=100
      - name: Upload code coverage
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
+        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
        with:
          flags: python,unit
+          token: ${{ secrets.CODECOV_TOKEN }}
          verbose: true
-          use_oidc: true
-          slug: apache/superset
--- a/.github/workflows/superset-translations.yml
+++ b/.github/workflows/superset-translations.yml
@@ -31,7 +31,7 @@ jobs:

      - name: Setup Node.js
        if: steps.check.outputs.frontend
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version-file:  './superset-frontend/.nvmrc'
      - name: Install dependencies
--- a/.github/workflows/supersetbot.yml
+++ b/.github/workflows/supersetbot.yml
@@ -26,7 +26,7 @@ jobs:
    steps:
      - name: Quickly add thumbs up!
        if: github.event_name == 'issue_comment' && contains(github.event.comment.body, '@supersetbot')
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        with:
          script: |
            const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/')
--- a/.github/workflows/tag-release.yml
+++ b/.github/workflows/tag-release.yml
@@ -31,12 +31,10 @@ jobs:
        id: check
        shell: bash
        run: |
-          if [ -n "${DOCKERHUB_USER}" ]; then
+          if [ -n "${{ (secrets.DOCKERHUB_USER != '' && secrets.DOCKERHUB_TOKEN != '') || '' }}" ]; then
            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
          fi

-        env:
-          DOCKERHUB_USER: ${{ (secrets.DOCKERHUB_USER != '' && secrets.DOCKERHUB_TOKEN != '') || '' }}
  docker-release:
    needs: config
    if: needs.config.outputs.has-secrets
@@ -62,7 +60,7 @@ jobs:
          build: "true"

      - name: Use Node.js 20
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: 20

@@ -74,20 +72,17 @@ jobs:
          DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          INPUT_RELEASE: ${{ github.event.inputs.release }}
-          INPUT_FORCE_LATEST: ${{ github.event.inputs.force-latest }}
-          INPUT_GIT_REF: ${{ github.event.inputs.git-ref }}
        run: |
          RELEASE="${{ github.event.release.tag_name }}"
          FORCE_LATEST=""
          EVENT="${{github.event_name}}"
          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
            # in the case of a manually-triggered run, read release from input
-            RELEASE="${INPUT_RELEASE}"
-            if [ "${INPUT_FORCE_LATEST}" = "true" ]; then
+            RELEASE="${{ github.event.inputs.release }}"
+            if [ "${{ github.event.inputs.force-latest }}" = "true" ]; then
              FORCE_LATEST="--force-latest"
            fi
-            git checkout "${INPUT_GIT_REF}"
+            git checkout "${{ github.event.inputs.git-ref }}"
            EVENT="release"
          fi

@@ -117,7 +112,7 @@ jobs:
          fetch-depth: 0

      - name: Use Node.js 20
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: 20

@@ -127,7 +122,6 @@ jobs:
      - name: Label the PRs with the right release-related labels
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          INPUT_RELEASE: ${{ github.event.inputs.release }}
        run: |
          export GITHUB_ACTOR=""
          git fetch --all --tags
@@ -135,6 +129,6 @@ jobs:
          RELEASE="${{ github.event.release.tag_name }}"
          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
            # in the case of a manually-triggered run, read release from input
-            RELEASE="${INPUT_RELEASE}"
+            RELEASE="${{ github.event.inputs.release }}"
          fi
          supersetbot release-label $RELEASE
--- a/.github/workflows/tech-debt.yml
+++ b/.github/workflows/tech-debt.yml
@@ -19,12 +19,10 @@ jobs:
        id: check
        shell: bash
        run: |
-          if [ -n "${GSHEET_KEY}" ]; then
+          if [ -n "${{ (secrets.GSHEET_KEY != '' ) || '' }}" ]; then
            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
          fi

-        env:
-          GSHEET_KEY: ${{ (secrets.GSHEET_KEY != '' ) || '' }}
  process-and-upload:
    needs: config
    if: needs.config.outputs.has-secrets
@@ -35,7 +33,7 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version-file: './superset-frontend/.nvmrc'

--- a/.gitignore
+++ b/.gitignore
@@ -62,7 +62,6 @@ rat-results.txt
 superset/app/
 superset-websocket/config.json
 .direnv
-*.log

 # Node.js, webpack artifacts, storybook
 *.entry.js
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -50,3 +50,4 @@ under the License.
 - [4.1.4](./CHANGELOG/4.1.4.md)
 - [5.0.0](./CHANGELOG/5.0.0.md)
 - [6.0.0](./CHANGELOG/6.0.0.md)
+- [6.1.0](./CHANGELOG/6.1.0.md)
--- a/CHANGELOG/6.1.0.md
+++ b/CHANGELOG/6.1.0.md
--- a/2
+++ b/2
@@ -29,7 +29,7 @@ ARG BUILD_TRANSLATIONS="false"
 ######################################################################
 # superset-node-ci used as a base for building frontend assets and CI
 ######################################################################
-FROM --platform=${BUILDPLATFORM} node:22-trixie-slim AS superset-node-ci
+FROM --platform=${BUILDPLATFORM} node:20-trixie-slim AS superset-node-ci
 ARG BUILD_TRANSLATIONS
 ENV BUILD_TRANSLATIONS=${BUILD_TRANSLATIONS}
 ARG DEV_MODE="false"           # Skip frontend build in dev mode
--- a/RELEASING/README.md
+++ b/RELEASING/README.md
@@ -458,7 +458,7 @@ cd ../
 sed -i '' "s/version_string = .*/version_string = \"$SUPERSET_VERSION\"/" setup.py

 # build the python distribution
-python -m build
+python setup.py sdist
 ```

 Publish to PyPI
--- a/RELEASING/verify_release.py
+++ b/RELEASING/verify_release.py
@@ -56,33 +56,8 @@ def verify_sha512(filename: str) -> str:
 # Part 2: Verify RSA key - this is the same as running `gpg --verify {release}.asc {release}` and comparing the RSA key and email address against the KEYS file  # noqa: E501


-KEYS_URL = "https://downloads.apache.org/superset/KEYS"
-
-
-def ensure_keys_imported() -> None:
-    """Import the Apache Superset KEYS file into the local GPG keyring.
-
-    Without this, `gpg --verify` returns "No public key" and the signature
-    cannot actually be verified — only the key ID in the signature metadata
-    is visible.
-    """
-    try:
-        keys = requests.get(KEYS_URL, timeout=30)
-    except requests.RequestException as exc:
-        print(f"Warning: could not fetch KEYS file for import: {exc}")
-        return
-    if keys.status_code != 200:
-        print(f"Warning: could not fetch KEYS file (HTTP {keys.status_code})")
-        return
-    subprocess.run(  # noqa: S603
-        ["gpg", "--import"],  # noqa: S607
-        input=keys.content,
-        capture_output=True,
-    )
-
-
 def get_gpg_info(filename: str) -> tuple[Optional[str], Optional[str]]:
-    """Run the GPG verify command and extract RSA/EDDSA key and email address."""
+    """Run the GPG verify command and extract RSA key and email address."""
    asc_filename = filename + ".asc"
    result = subprocess.run(  # noqa: S603
        ["gpg", "--verify", asc_filename, filename],  # noqa: S607
@@ -90,50 +65,25 @@ def get_gpg_info(filename: str) -> tuple[Optional[str], Optional[str]]:
    )
    output = result.stderr.decode()

-    # If no public key was available, import KEYS and retry so that
-    # `Good signature from "Name <email>"` appears in the output.
-    if "No public key" in output:
-        ensure_keys_imported()
-        result = subprocess.run(  # noqa: S603
-            ["gpg", "--verify", asc_filename, filename],  # noqa: S607
-            capture_output=True,  # noqa: S607
-        )
-        output = result.stderr.decode()
-
    rsa_key = re.search(r"RSA key ([0-9A-F]+)", output)
    eddsa_key = re.search(r"EDDSA key ([0-9A-F]+)", output)
-
-    # Try multiple patterns — `Good signature from` is the most reliable
-    # source of the email; `issuer` is a fallback for older gpg output.
-    email_patterns = (
-        r'Good signature from ".*?<([^>]+)>"',
-        r'aka ".*?<([^>]+)>"',
-        r'issuer "([^"]+)"',
-    )
-    email_result: Optional[str] = None
-    for pattern in email_patterns:
-        match = re.search(pattern, output)
-        if match:
-            email_result = match.group(1)
-            break
+    email = re.search(r'issuer "([^"]+)"', output)

    rsa_key_result = rsa_key.group(1) if rsa_key else None
    eddsa_key_result = eddsa_key.group(1) if eddsa_key else None
+    email_result = email.group(1) if email else None
+
    key_result = rsa_key_result or eddsa_key_result

+    # Debugging:
    if key_result:
        print("RSA or EDDSA Key found")
    else:
        print("Warning: No RSA or EDDSA key found in GPG verification output.")
    if email_result:
-        print(f"Email found: {email_result}")
+        print("email found")
    else:
        print("Warning: No email address found in GPG verification output.")
-        if "No public key" in output:
-            print(
-                "Hint: public key is not in your keyring. Import it with:\n"
-                f"  curl -s {KEYS_URL} | gpg --import"
-            )

    return key_result, email_result

--- a/RESOURCES/INTHEWILD.yaml
+++ b/RESOURCES/INTHEWILD.yaml
@@ -58,10 +58,6 @@ categories:
      url: https://www.ontruck.com/

  Financial Services:
-    - name: Aadhar Housing Finance Limited
-      url: https://www.aadharhousing.com
-      contributors: ["@thakerhardiks"]
-
    - name: Aktia Bank plc
      url: https://www.aktia.com

@@ -291,11 +287,6 @@ categories:
      url: https://www.gfk.com/home
      contributors: ["@mherr"]

-    - name: Hifadih Business & Technology
-      url: https://hifadih.net/en
-      logo: hifadih.png
-      contributors: ["@saintLaurent00"]
-
    # Logo approved by @anmol-hpe on behalf of HPE
    - name: HPE
      url: https://www.hpe.com/in/en/home.html
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -24,75 +24,12 @@ assists people when migrating to a new version.

 ## Next

-### Granular Export Controls
+## 6.1.0

-A new feature flag `GRANULAR_EXPORT_CONTROLS` introduces three fine-grained permissions that replace the legacy `can_csv` permission:
-
-| Permission | Controls |
-|---|---|
-| `can_export_data` | CSV, Excel, JSON exports |
-| `can_export_image` | Screenshot/PDF exports |
-| `can_copy_clipboard` | Copy-to-clipboard operations |
-
-When the feature flag is enabled, these permissions are enforced on both the frontend (disabled buttons with tooltips) and backend (403 responses from API endpoints). When disabled, legacy `can_csv` behavior is preserved.
-
-**Migration behavior:** All three new permissions are granted to every role that currently has `can_csv`, preserving existing access. Admins can then selectively revoke individual export permissions from specific roles as needed.
-
-### Deck.gl MapBox viewport and opacity controls are functional
-
-The Deck.gl MapBox chart's **Opacity**, **Default longitude**, **Default latitude**, and **Zoom** controls were previously non-functional — changing them had no effect on the rendered map. These controls are now wired up correctly.
-
-**Behavior change for existing charts:** Previously, the viewport controls had hard-coded default values (`-122.405293`, `37.772123`, zoom `11` — San Francisco) that were stored in each chart's `form_data` but never applied. The map always used `fitBounds` to center on the data. With this fix, those stored values are now respected, which means existing MapBox charts may open centered on the old default coordinates instead of fitting to data bounds.
-
-**To restore fit-to-data behavior:** Open the chart in Explore, clear the **Default longitude**, **Default latitude**, and **Zoom** fields in the Viewport section, and re-save the chart.
-
-### Combined datasource list endpoint
-
-Added a new combined datasource list endpoint at `GET /api/v1/datasource/` to serve datasets and semantic views in one response.
-
- The endpoint is available to users with at least one of `can_read` on `Dataset` or `SemanticView`.
- Semantic views are included only when the `SEMANTIC_LAYERS` feature flag is enabled.
- The endpoint enforces strict `order_column` validation and returns `400` for invalid sort columns.
 ### ClickHouse minimum driver version bump

 The minimum required version of `clickhouse-connect` has been raised to `>=0.13.0`. If you are using the ClickHouse connector, please upgrade your `clickhouse-connect` package. The `_mutate_label` workaround that appended hash suffixes to column aliases has also been removed, as it is no longer needed with modern versions of the driver.

-### MCP Tool Observability
-
-MCP (Model Context Protocol) tools now include enhanced observability instrumentation for monitoring and debugging:
-
-**Two-layer instrumentation:**
-1. **Middleware layer** (`LoggingMiddleware`): Automatically logs all MCP tool calls with `duration_ms` and `success` status in the audit log (Action Log UI, logs table)
-2. **Sub-operation tracking**: All 19 MCP tools include granular `event_logger.log_context()` blocks for tracking individual operations like validation, database writes, and query execution
-
-**Action naming convention:**
- Tool-level logs: `mcp_tool_call` (via middleware)
- Sub-operation logs: `mcp.{tool_name}.{operation}` (e.g., `mcp.generate_chart.validation`, `mcp.execute_sql.query_execution`)
-
-**Querying MCP logs:**
-```sql
-- Top slowest MCP operations
-SELECT action, COUNT(*) as calls, AVG(duration_ms) as avg_ms
-FROM logs
-WHERE action LIKE 'mcp.%'
-GROUP BY action
-ORDER BY avg_ms DESC
-LIMIT 20;
-
-- MCP tool success rate
-SELECT
-    json_extract(curated_payload, '$.tool') as tool,
-    COUNT(*) as total_calls,
-    SUM(CASE WHEN json_extract(curated_payload, '$.success') = 'true' THEN 1 ELSE 0 END) as successful,
-    ROUND(100.0 * SUM(CASE WHEN json_extract(curated_payload, '$.success') = 'true' THEN 1 ELSE 0 END) / COUNT(*), 2) as success_rate
-FROM logs
-WHERE action = 'mcp_tool_call'
-GROUP BY tool
-ORDER BY total_calls DESC;
-```
-
-**Security note:** Sensitive parameters (passwords, API keys, tokens) are automatically redacted in logs as `[REDACTED]`.
-
 ### Distributed Coordination Backend

 A new `DISTRIBUTED_COORDINATION_CONFIG` configuration provides a unified Redis-based backend for real-time coordination features in Superset. This backend enables:
@@ -104,6 +41,7 @@ A new `DISTRIBUTED_COORDINATION_CONFIG` configuration provides a unified Redis-b
 The distributed coordination is used by the Global Task Framework (GTF) for abort notifications and task completion signaling, and will eventually replace `GLOBAL_ASYNC_QUERIES_CACHE_BACKEND` as the standard signaling backend. Configuring this is recommended for Redis enabled production deployments.

 Example configuration in `superset_config.py`:
+
 ```python
 DISTRIBUTED_COORDINATION_CONFIG = {
    "CACHE_TYPE": "RedisCache",
@@ -118,9 +56,11 @@ See `superset/config.py` for complete configuration options.
 ### WebSocket config for GAQ with Docker

 [35896](https://github.com/apache/superset/pull/35896) and [37624](https://github.com/apache/superset/pull/37624) updated documentation on how to run and configure Superset with Docker. Specifically for the WebSocket configuration, a new `docker/superset-websocket/config.example.json` was added to the repo, so that users could copy it to create a `docker/superset-websocket/config.json` file. The existing `docker/superset-websocket/config.json` was removed and git-ignored, so if you're using GAQ / WebSocket make sure to:
+
 - Stash/backup your existing `config.json` file, to re-apply it after (will get git-ignored going forward)
 - Update the `volumes` configuration for the `superset-websocket` service in your `docker-compose.override.yml` file, to include the `docker/superset-websocket/config.json` file. For example:
-``` yaml
+
+```yaml
 services:
  superset-websocket:
    volumes:
@@ -133,7 +73,9 @@ services:
 ### Example Data Loading Improvements

 #### New Directory Structure
+
 Examples are now organized by name with data and configs co-located:
+
 ```
 superset/examples/
 ├── _shared/              # Shared database & metadata configs
@@ -145,31 +87,12 @@ superset/examples/
 └── ...
 ```

-#### Simplified Parquet-based Loading
- Auto-discovery: create `superset/examples/my_dataset/data.parquet` to add a new example
- Parquet is an Apache project format: compressed (~27% smaller), self-describing schema
- YAML configs define datasets, charts, and dashboards declaratively
- Removed Python-based data generation from individual example files
-
-#### Test Data Reorganization
- Moved `big_data.py` to `superset/cli/test_loaders.py` - better reflects its purpose as a test utility
- Fixed inverted logic for `--load-test-data` flag (now correctly includes .test.yaml files when flag is set)
- Clarified CLI flags:
-  - `--force` / `-f`: Force reload even if tables exist
-  - `--only-metadata` / `-m`: Create table metadata without loading data
-  - `--load-test-data` / `-t`: Include test dashboards and .test.yaml configs
-  - `--load-big-data` / `-b`: Generate synthetic stress-test data
-
-#### Bug Fixes
- Fixed numpy array serialization for PostgreSQL (converts complex types to JSON strings)
- Fixed KeyError for `allow_csv_upload` field in database configs (now optional with default)
- Fixed test data loading logic that was incorrectly filtering files
-
 ### MCP Service

 The MCP (Model Context Protocol) service enables AI assistants and automation tools to interact programmatically with Superset.

 #### New Features
+
 - MCP service infrastructure with FastMCP framework
 - Tools for dashboards, charts, datasets, SQL Lab, and instance metadata
 - Optional dependency: install with `pip install apache-superset[fastmcp]`
@@ -179,6 +102,7 @@ The MCP (Model Context Protocol) service enables AI assistants and automation to
 #### New Configuration Options

 **Development** (single-user, local testing):
+
 ```python
 # superset_config.py
 MCP_DEV_USERNAME = "admin"  # User for MCP authentication
@@ -187,6 +111,7 @@ MCP_SERVICE_PORT = 5008
 ```

 **Production** (JWT-based, multi-user):
+
 ```python
 # superset_config.py
 MCP_AUTH_ENABLED = True
@@ -232,12 +157,14 @@ superset mcp run --port 5008 --use-factory-config
 The MCP service runs as a **separate process** from the Superset web server.

 **Important**:
+
 - Requires same Python environment and configuration as Superset
 - Shares database connections with main Superset app
 - Can be scaled independently from web server
 - Requires `fastmcp` package (optional dependency)

 **Installation**:
+
 ```bash
 # Install with MCP support
 pip install apache-superset[fastmcp]
@@ -251,6 +178,7 @@ Use systemd, supervisord, or Kubernetes to manage the MCP service process.
 See `superset/mcp_service/PRODUCTION.md` for deployment guides.

 **Security**:
+
 - Development: Uses `MCP_DEV_USERNAME` for single-user access
 - Production: **MUST** configure JWT authentication
 - See `superset/mcp_service/SECURITY.md` for details
@@ -263,14 +191,50 @@ See `superset/mcp_service/PRODUCTION.md` for deployment guides.
 - Developer Guide: `superset/mcp_service/CLAUDE.md`
 - Quick Start: `superset/mcp_service/README.md`

---
+### MCP Tool Observability

- [35621](https://github.com/apache/superset/pull/35621): The default hash algorithm has changed from MD5 to SHA-256 for improved security and FedRAMP compliance. This affects cache keys for thumbnails, dashboard digests, chart digests, and filter option names. Existing cached data will be invalidated upon upgrade. To opt out of this change and maintain backward compatibility, set `HASH_ALGORITHM = "md5"` in your `superset_config.py`.
- [35062](https://github.com/apache/superset/pull/35062): Changed the function signature of `setupExtensions` to `setupCodeOverrides` with options as arguments.
+MCP (Model Context Protocol) tools now include enhanced observability instrumentation for monitoring and debugging:
+
+**Two-layer instrumentation:**
+
+1. **Middleware layer** (`LoggingMiddleware`): Automatically logs all MCP tool calls with `duration_ms` and `success` status in the audit log (Action Log UI, logs table)
+2. **Sub-operation tracking**: All 19 MCP tools include granular `event_logger.log_context()` blocks for tracking individual operations like validation, database writes, and query execution
+
+**Action naming convention:**
+
+- Tool-level logs: `mcp_tool_call` (via middleware)
+- Sub-operation logs: `mcp.{tool_name}.{operation}` (e.g., `mcp.generate_chart.validation`, `mcp.execute_sql.query_execution`)
+
+**Querying MCP logs:**
+
+```sql
+-- Top slowest MCP operations
+SELECT action, COUNT(*) as calls, AVG(duration_ms) as avg_ms
+FROM logs
+WHERE action LIKE 'mcp.%'
+GROUP BY action
+ORDER BY avg_ms DESC
+LIMIT 20;
+
+-- MCP tool success rate
+SELECT
+    json_extract(curated_payload, '$.tool') as tool,
+    COUNT(*) as total_calls,
+    SUM(CASE WHEN json_extract(curated_payload, '$.success') = 'true' THEN 1 ELSE 0 END) as successful,
+    ROUND(100.0 * SUM(CASE WHEN json_extract(curated_payload, '$.success') = 'true' THEN 1 ELSE 0 END) / COUNT(*), 2) as success_rate
+FROM logs
+WHERE action = 'mcp_tool_call'
+GROUP BY tool
+ORDER BY total_calls DESC;
+```
+
+**Security note:** Sensitive parameters (passwords, API keys, tokens) are automatically redacted in logs as `[REDACTED]`.
+
+### APP_NAME configuration

-### Breaking Changes
 - [37370](https://github.com/apache/superset/pull/37370): The `APP_NAME` configuration variable no longer controls the browser window/tab title or other frontend branding. Application names should now be configured using the theme system with the `brandAppName` token. The `APP_NAME` config is still used for backend contexts (MCP service, logs, etc.) and serves as a fallback if `brandAppName` is not set.
  - **Migration:**
+
  ```python
  # Before (Superset 5.x)
  APP_NAME = "My Custom App"
@@ -289,16 +253,22 @@ See `superset/mcp_service/PRODUCTION.md` for deployment guides.
  APP_NAME = "My Custom App"
  # But you should migrate to THEME_DEFAULT.token.brandAppName
  ```
+
  - **Note:** For dark mode, set the same tokens in `THEME_DARK` configuration.

+### CUSTOM_FONT_URLS configuration
+
 - [36317](https://github.com/apache/superset/pull/36317): The `CUSTOM_FONT_URLS` configuration option has been removed. Use the new per-theme `fontUrls` token in `THEME_DEFAULT` or database-managed themes instead.
  - **Before:**
+
  ```python
  CUSTOM_FONT_URLS = [
    "https://fonts.example.com/myfont.css",
  ]
  ```
+
  - **After:**
+
  ```python
  THEME_DEFAULT = {
    "token": {
@@ -310,7 +280,13 @@ See `superset/mcp_service/PRODUCTION.md` for deployment guides.
  }
  ```

+### Other
+
+- [35621](https://github.com/apache/superset/pull/35621): The default hash algorithm has changed from MD5 to SHA-256 for improved security and FedRAMP compliance. This affects cache keys for thumbnails, dashboard digests, chart digests, and filter option names. Existing cached data will be invalidated upon upgrade. To opt out of this change and maintain backward compatibility, set `HASH_ALGORITHM = "md5"` in your `superset_config.py`.
+- [35062](https://github.com/apache/superset/pull/35062): Changed the function signature of `setupExtensions` to `setupCodeOverrides` with options as arguments.
+
 ## 6.0.0
+
 - [33055](https://github.com/apache/superset/pull/33055): Upgrades Flask-AppBuilder to 5.0.0. The AUTH_OID authentication type has been deprecated and is no longer available as an option in Flask-AppBuilder. OpenID (OID) is considered a deprecated authentication protocol - if you are using AUTH_OID, you will need to migrate to an alternative authentication method such as OAuth, LDAP, or database authentication before upgrading.
 - [34871](https://github.com/apache/superset/pull/34871): Fixed Jest test hanging issue from Ant Design v5 upgrade. MessageChannel is now mocked in test environment to prevent rc-overflow from causing Jest to hang. Test environment only - no production impact.
 - [34782](https://github.com/apache/superset/pull/34782): Dataset exports now include the dataset ID in their file name (similar to charts and dashboards). If managing assets as code, make sure to rename existing dataset YAMLs to include the ID (and avoid duplicated files).
@@ -319,8 +295,8 @@ See `superset/mcp_service/PRODUCTION.md` for deployment guides.
  - Change any hex color values to one of: `"success"`, `"processing"`, `"error"`, `"warning"`, `"default"`
  - Custom colors are no longer supported to maintain consistency with Ant Design components
 - [34561](https://github.com/apache/superset/pull/34561) Added tiled screenshot functionality for Playwright-based reports to handle large dashboards more efficiently. When enabled (default: `SCREENSHOT_TILED_ENABLED = True`), dashboards with 20+ charts or height exceeding 5000px will be captured using multiple viewport-sized tiles and combined into a single image. This improves report generation performance and reliability for large dashboards.
-Note: Pillow is now a required dependency (previously optional) to support image processing for tiled screenshots.
-`thumbnails` optional dependency is now deprecated and will be removed in the next major release (7.0).
+  Note: Pillow is now a required dependency (previously optional) to support image processing for tiled screenshots.
+  `thumbnails` optional dependency is now deprecated and will be removed in the next major release (7.0).
 - [33084](https://github.com/apache/superset/pull/33084) The DISALLOWED_SQL_FUNCTIONS configuration now includes additional potentially sensitive database functions across PostgreSQL, MySQL, SQLite, MS SQL Server, and ClickHouse. Existing queries using these functions may now be blocked. Review your SQL Lab queries and dashboards if you encounter "disallowed function" errors after upgrading
 - [34235](https://github.com/apache/superset/pull/34235) CSV exports now use `utf-8-sig` encoding by default to include a UTF-8 BOM, improving compatibility with Excel.
 - [34258](https://github.com/apache/superset/pull/34258) changing the default in Dockerfile to INCLUDE_CHROMIUM="false" (from "true") in the past. This ensures the `lean` layer is lean by default, and people can opt-in to the `chromium` layer by setting the build arg `INCLUDE_CHROMIUM=true`. This is a breaking change for anyone using the `lean` layer, as it will no longer include Chromium by default.
@@ -328,14 +304,14 @@ Note: Pillow is now a required dependency (previously optional) to support image
 - [33116](https://github.com/apache/superset/pull/33116) In Echarts Series charts (e.g. Line, Area, Bar, etc.) charts, the `x_axis_sort_series` and `x_axis_sort_series_ascending` form data items have been renamed with `x_axis_sort` and `x_axis_sort_asc`.
  There's a migration added that can potentially affect a significant number of existing charts.
 - [32317](https://github.com/apache/superset/pull/32317) The horizontal filter bar feature is now out of testing/beta development and its feature flag `HORIZONTAL_FILTER_BAR` has been removed.
- [31590](https://github.com/apache/superset/pull/31590) Marks the beginning of intricate work around supporting dynamic Theming, and breaks support for [THEME_OVERRIDES](https://github.com/apache/superset/blob/732de4ac7fae88e29b7f123b6cbb2d7cd411b0e4/superset/config.py#L671) in favor of a new theming system based on AntD V5. Likely this will be in disrepair until settling over the 5.x lifecycle.
- [32432](https://github.com/apache/superset/pull/32432) Moves the List Roles FAB view to the frontend and requires `FAB_ADD_SECURITY_API` to be enabled in the configuration and `superset init` to be executed.
+- [31590](https://github.com/apache/superset/pull/31590) Marks the begining of intricate work around supporting dynamic Theming, and breaks support for [THEME_OVERRIDES](https://github.com/apache/superset/blob/732de4ac7fae88e29b7f123b6cbb2d7cd411b0e4/superset/config.py#L671) in favor of a new theming system based on AntD V5. Likely this will be in disrepair until settling over the 5.x lifecycle.
+- [32432](https://github.com/apache/superset/pull/31260) Moves the List Roles FAB view to the frontend and requires `FAB_ADD_SECURITY_API` to be enabled in the configuration and `superset init` to be executed.
 - [34319](https://github.com/apache/superset/pull/34319) Drill to Detail and Drill By is now supported in Embedded mode, and also with the `DASHBOARD_RBAC` FF. If you don't want to expose these features in Embedded / `DASHBOARD_RBAC`, make sure the roles used for Embedded / `DASHBOARD_RBAC`don't have the required permissions to perform D2D actions.

 ## 5.0.0

 - [31976](https://github.com/apache/superset/pull/31976) Removed the `DISABLE_LEGACY_DATASOURCE_EDITOR` feature flag. The previous value of the feature flag was `True` and now the feature is permanently removed.
- [32000](https://github.com/apache/superset/pull/32000) Removes CSV_UPLOAD_MAX_SIZE config, use your web server to control file upload size.
+- [31959](https://github.com/apache/superset/pull/32000) Removes CSV_UPLOAD_MAX_SIZE config, use your web server to control file upload size.
 - [31959](https://github.com/apache/superset/pull/31959) Removes the following endpoints from data uploads: `/api/v1/database/<id>/<file type>_upload` and `/api/v1/database/<file type>_metadata`, in favour of new one (Details on the PR). And simplifies permissions.
 - [31844](https://github.com/apache/superset/pull/31844) The `ALERT_REPORTS_EXECUTE_AS` and `THUMBNAILS_EXECUTE_AS` config parameters have been renamed to `ALERT_REPORTS_EXECUTORS` and `THUMBNAILS_EXECUTORS` respectively. A new config flag `CACHE_WARMUP_EXECUTORS` has also been introduced to be able to control which user is used to execute cache warmup tasks. Finally, the config flag `THUMBNAILS_SELENIUM_USER` has been removed. To use a fixed executor for async tasks, use the new `FixedExecutor` class. See the config and docs for more info on setting up different executor profiles.
 - [31894](https://github.com/apache/superset/pull/31894) Domain sharding is deprecated in favor of HTTP2. The `SUPERSET_WEBSERVER_DOMAINS` configuration will be removed in the next major version (6.0)
@@ -343,7 +319,7 @@ Note: Pillow is now a required dependency (previously optional) to support image
 - [31774](https://github.com/apache/superset/pull/31774): Fixes the spelling of the `USE-ANALAGOUS-COLORS` feature flag. Please update any scripts/configuration item to use the new/corrected `USE-ANALOGOUS-COLORS` flag spelling.
 - [31582](https://github.com/apache/superset/pull/31582) Removed the legacy Area, Bar, Event Flow, Heatmap, Histogram, Line, Sankey, and Sankey Loop charts. They were all automatically migrated to their ECharts counterparts with the exception of the Event Flow and Sankey Loop charts which were removed as they were not actively maintained and not widely used. If you were using the Event Flow or Sankey Loop charts, you will need to find an alternative solution.
 - [31198](https://github.com/apache/superset/pull/31198) Disallows by default the use of the following ClickHouse functions: "version", "currentDatabase", "hostName".
- [29798](https://github.com/apache/superset/pull/29798) Since 3.1.0, the initial schedule for an alert or report was mistakenly offset by the specified timezone's relation to UTC. The initial schedule should now begin at the correct time.
+- [29798](https://github.com/apache/superset/pull/29798) Since 3.1.0, the intial schedule for an alert or report was mistakenly offset by the specified timezone's relation to UTC. The initial schedule should now begin at the correct time.
 - [30021](https://github.com/apache/superset/pull/30021) The `dev` layer in our Dockerfile no long includes firefox binaries, only Chromium to reduce bloat/docker-build-time.
 - [30099](https://github.com/apache/superset/pull/30099) Translations are no longer included in the default docker image builds. If your environment requires translations, you'll want to set the docker build arg `BUILD_TRANSLATIONS=true`.
 - [31262](https://github.com/apache/superset/pull/31262) NOTE: deprecated `pylint` in favor of `ruff` as our only python linter. Only affect development workflows positively (not the release itself). It should cover most important rules, be much faster, but some things linting rules that were enforced before may not be enforce in the exact same way as before.
@@ -356,7 +332,7 @@ Note: Pillow is now a required dependency (previously optional) to support image
 - [25166](https://github.com/apache/superset/pull/25166) Changed the default configuration of `UPLOAD_FOLDER` from `/app/static/uploads/` to `/static/uploads/`. It also removed the unused `IMG_UPLOAD_FOLDER` and `IMG_UPLOAD_URL` configuration options.
 - [30284](https://github.com/apache/superset/pull/30284) Deprecated GLOBAL_ASYNC_QUERIES_REDIS_CONFIG in favor of the new GLOBAL_ASYNC_QUERIES_CACHE_BACKEND configuration. To leverage Redis Sentinel, set CACHE_TYPE to RedisSentinelCache, or use RedisCache for standalone Redis
 - [31961](https://github.com/apache/superset/pull/31961) Upgraded React from version 16.13.1 to 17.0.2. If you are using custom frontend extensions or plugins, you may need to update them to be compatible with React 17.
- [31260](https://github.com/apache/superset/pull/31260) Docker images now use `uv pip install` instead of `pip install` to manage the python environment. Most docker-based deployments will be affected, whether you derive one of the published images, or have custom bootstrap script that install python libraries (drivers)
+- [31260](https://github.com/apache/superset/pull/31260) Docker images now use `uv pip install` instead of `pip install` to manage the python envrionment. Most docker-based deployments will be affected, whether you derive one of the published images, or have custom bootstrap script that install python libraries (drivers)

 ### Potential Downtime

@@ -433,7 +409,7 @@ Note: Pillow is now a required dependency (previously optional) to support image
 - [26462](https://github.com/apache/superset/issues/26462): Removes the Profile feature given that it's not actively maintained and not widely used.
 - [26377](https://github.com/apache/superset/pull/26377): Removes the deprecated Redirect API that supported short URLs used before the permalink feature.
 - [26329](https://github.com/apache/superset/issues/26329): Removes the deprecated `DASHBOARD_NATIVE_FILTERS` feature flag. The previous value of the feature flag was `True` and now the feature is permanently enabled.
- [25510](https://github.com/apache/superset/pull/25510): Reinforces that any newly defined Python data format (other than epoch) must adhere to the ISO 8601 standard (enforced by way of validation at the API and database level) after a previous relaxation to include slashes in addition to dashes. From now on when specifying new columns, dataset owners will need to use a SQL expression instead to convert their string columns of the form %Y/%m/%d etc. to a `DATE`, `DATETIME`, etc. type.
+- [25510](https://github.com/apache/superset/pull/25510): Reenforces that any newly defined Python data format (other than epoch) must adhere to the ISO 8601 standard (enforced by way of validation at the API and database level) after a previous relaxation to include slashes in addition to dashes. From now on when specifying new columns, dataset owners will need to use a SQL expression instead to convert their string columns of the form %Y/%m/%d etc. to a `DATE`, `DATETIME`, etc. type.
 - [26372](https://github.com/apache/superset/issues/26372): Removes the deprecated `GENERIC_CHART_AXES` feature flag. The previous value of the feature flag was `True` and now the feature is permanently enabled.

 ### Potential Downtime
@@ -710,7 +686,6 @@ Note: Pillow is now a required dependency (previously optional) to support image

 - [11509](https://github.com/apache/superset/pull/12491): Dataset metadata updates check user ownership, only owners or an Admin are allowed.
 - Security simplification (SIP-19), the following permission domains were simplified:
-
  - [12072](https://github.com/apache/superset/pull/12072): `Query` with `can_read`, `can_write`
  - [12036](https://github.com/apache/superset/pull/12036): `Database` with `can_read`, `can_write`.
  - [12012](https://github.com/apache/superset/pull/12036): `Dashboard` with `can_read`, `can_write`.
--- a/docker-compose-light.yml
+++ b/docker-compose-light.yml
@@ -115,10 +115,6 @@ services:
      DATABASE_HOST: db-light
      DATABASE_DB: superset_light
      POSTGRES_DB: superset_light
-      EXAMPLES_HOST: db-light
-      EXAMPLES_DB: superset_light
-      EXAMPLES_USER: superset
-      EXAMPLES_PASSWORD: superset
      SUPERSET_CONFIG_PATH: /app/docker/pythonpath_dev/superset_config_docker_light.py
      GITHUB_HEAD_REF: ${GITHUB_HEAD_REF:-}
      GITHUB_SHA: ${GITHUB_SHA:-}
@@ -141,10 +137,6 @@ services:
      DATABASE_HOST: db-light
      DATABASE_DB: superset_light
      POSTGRES_DB: superset_light
-      EXAMPLES_HOST: db-light
-      EXAMPLES_DB: superset_light
-      EXAMPLES_USER: superset
-      EXAMPLES_PASSWORD: superset
      SUPERSET_CONFIG_PATH: /app/docker/pythonpath_dev/superset_config_docker_light.py
    healthcheck:
      disable: true
@@ -165,7 +157,6 @@ services:
      BUILD_SUPERSET_FRONTEND_IN_DOCKER: true
      NPM_RUN_PRUNE: false
      SCARF_ANALYTICS: "${SCARF_ANALYTICS:-}"
-      DISABLE_TS_CHECKER: "${DISABLE_TS_CHECKER:-true}"
      # configuring the dev-server to use the host.docker.internal to connect to the backend
      superset: "http://superset-light:8088"
      # Webpack dev server must bind to 0.0.0.0 to be accessible from outside the container
--- a/docker/docker-bootstrap.sh
+++ b/docker/docker-bootstrap.sh
@@ -80,7 +80,7 @@ case "${1}" in
    ;;
  app)
    echo "Starting web app (using development server)..."
-    flask run -p $PORT --reload --debugger --host=0.0.0.0 --exclude-patterns "*/node_modules/*:*/.venv/*:*/build/*:*/__pycache__/*:*/superset-frontend/*"
+    flask run -p $PORT --reload --debugger --without-threads --host=0.0.0.0 --exclude-patterns "*/node_modules/*:*/.venv/*:*/build/*:*/__pycache__/*"
    ;;
  app-gunicorn)
    echo "Starting web app..."
--- a/docker/pythonpath_dev/superset_config.py
+++ b/docker/pythonpath_dev/superset_config.py
@@ -105,13 +105,7 @@ class CeleryConfig:

 CELERY_CONFIG = CeleryConfig

-FEATURE_FLAGS = {
-    "ALERT_REPORTS": True,
-    "DATASET_FOLDERS": True,
-    "ENABLE_EXTENSIONS": True,
-    "SEMANTIC_LAYERS": True,
-}
-EXTENSIONS_PATH = "/app/docker/extensions"
+FEATURE_FLAGS = {"ALERT_REPORTS": True, "DATASET_FOLDERS": True}
 ALERT_REPORTS_NOTIFICATION_DRY_RUN = True
 WEBDRIVER_BASEURL = f"http://superset_app{os.environ.get('SUPERSET_APP_ROOT', '/')}/"  # When using docker compose baseurl should be http://superset_nginx{ENV{BASEPATH}}/  # noqa: E501
 # The base URL for the email report hyperlinks.
--- a/docs/admin_docs/configuration/alerts-reports.mdx
+++ b/docs/admin_docs/configuration/alerts-reports.mdx
@@ -81,87 +81,6 @@ SLACK_CACHE_TIMEOUT = int(timedelta(days=2).total_seconds())
 SLACK_API_RATE_LIMIT_RETRY_COUNT = 5
 ```

-### Webhook integration
-
-Superset can send alert and report notifications to any HTTP endpoint — useful for chat platforms, incident management tools, or custom automation.
-
-#### Enabling Webhooks
-
-Enable the feature flag in `superset_config.py`:
-
-```python
-FEATURE_FLAGS = {
-    "ALERT_REPORTS": True,
-    "ALERT_REPORT_WEBHOOK": True,
-}
-```
-
-#### Configuring a Webhook Recipient
-
-When creating or editing an alert or report, select **Webhook** as the notification method and enter your endpoint URL.
-
-#### Payload Format
-
-Superset sends an HTTP POST with `Content-Type: application/json`:
-
-```json
-{
-  "name": "My Alert",
-  "header": {
-    "notification_format": "JSON",
-    "notification_type": "Alert",
-    "notification_source": "Alert",
-    "chart_id": 42,
-    "dashboard_id": null
-  },
-  "text": "Alert condition met: value exceeded threshold",
-  "description": "Monthly revenue dropped below target",
-  "url": "https://your-superset-host/superset/dashboard/1/"
-}
-```
-
-When a report includes file attachments (CSV, PDF, or PNG screenshots), the request is sent as `multipart/form-data` instead. In that case, each top-level payload field (`name`, `text`, `description`, `url`) becomes its own form field, and nested structures like `header` are serialized as a JSON-encoded string in their own field. Every attachment is added as a repeated form field named `files`:
-
-```
-POST /webhook HTTP/1.1
-Content-Type: multipart/form-data; boundary=...
-
--...
-Content-Disposition: form-data; name="name"
-
-My Alert
--...
-Content-Disposition: form-data; name="header"
-
-{"notification_format": "JSON", "notification_type": "Alert", ...}
--...
-Content-Disposition: form-data; name="text"
-
-Alert condition met: value exceeded threshold
--...
-Content-Disposition: form-data; name="files"; filename="report.csv"
-Content-Type: text/csv
-
-<file bytes>
--...
-```
-
-Webhook consumers should branch on `Content-Type`: parse the body as JSON when `application/json`, or read the individual form fields (decoding `header` as JSON) when `multipart/form-data`.
-
-#### HTTPS Enforcement
-
-To require HTTPS webhook URLs (recommended for production), set:
-
-```python
-ALERT_REPORTS_WEBHOOK_HTTPS_ONLY = True
-```
-
-When enabled, Superset rejects webhook configurations that use `http://` URLs.
-
-#### Retry Behavior
-
-Superset automatically retries webhook deliveries on `429 Too Many Requests` and `5xx` server errors using exponential backoff.
-
 ### Kubernetes-specific

 - You must have a `celery beat` pod running. If you're using the chart included in the GitHub repository under [helm/superset](https://github.com/apache/superset/tree/master/helm/superset), you need to put `supersetCeleryBeat.enabled = true` in your values override.
--- a/docs/admin_docs/configuration/configuring-superset.mdx
+++ b/docs/admin_docs/configuration/configuring-superset.mdx
@@ -109,14 +109,6 @@ SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'

 You can generate a strong secure key with `openssl rand -base64 42`.

-Alternatively, you can set the secret key using `SUPERSET_SECRET_KEY` environment variable:
-
-On a Unix-based system, such as Linux or macOS, you can do so by running the following command in your terminal:
-
-```bash
-export SUPERSET_SECRET_KEY=$(openssl rand -base64 42)
-```
-
 :::caution Use a strong secret key
 This key will be used for securely signing session cookies and encrypting sensitive information stored in Superset's application metadata database.
 Your deployment must use a complex, unique key.
@@ -472,38 +464,6 @@ FEATURE_FLAGS = {

 A current list of feature flags can be found in the [Feature Flags](/admin-docs/configuration/feature-flags) documentation.

-## Security Configuration
-
-### HASH_ALGORITHM
-
-Controls the hashing algorithm used for internal checksums and cache keys (thumbnails, cache keys, etc.). The default is `sha256`, which satisfies environments with stricter compliance requirements (e.g., FedRAMP). Set it to `md5` to retain the legacy behavior from older Superset deployments:
-
-```python
-HASH_ALGORITHM = "sha256"  # default; set to "md5" for legacy behavior
-```
-
-A companion `HASH_ALGORITHM_FALLBACKS` list (default: `["md5"]`) lets UUID lookups fall back to older algorithms, which enables gradual migration without breaking existing entries. Set it to `[]` for strict mode (use only `HASH_ALGORITHM`).
-
-:::note
-This setting affects internal Superset operations only, not user passwords or authentication tokens. Changing it in an existing deployment may invalidate cached values but does not require a database migration.
-:::
-
-## SQL Lab Query History Pruning
-
-SQL Lab query history is stored in the metadata database and is **not** pruned by default. To trim older rows, enable the `prune_query` Celery beat task by uncommenting it in `CELERY_BEAT_SCHEDULE` and choosing a retention window:
-
-```python
-CELERY_BEAT_SCHEDULE = {
-    "prune_query": {
-        "task": "prune_query",
-        "schedule": crontab(minute=0, hour=0, day_of_month=1),
-        "kwargs": {"retention_period_days": 180},
-    },
-}
-```
-
-Adjust `retention_period_days` to control how long query rows are kept. Companion opt-in tasks (`prune_logs`, `prune_tasks`) exist for pruning the logs and tasks tables; see the commented-out examples in `superset/config.py`. Without enabling these tasks, the metadata database will grow unbounded over time.
-
 :::resources
 - [Blog: Feature Flags in Apache Superset](https://preset.io/blog/feature-flags-in-apache-superset-and-preset/)
 :::
--- a/docs/admin_docs/configuration/networking-settings.mdx
+++ b/docs/admin_docs/configuration/networking-settings.mdx
@@ -64,7 +64,7 @@ There are two approaches to making dashboards publicly accessible:
 3. Edit each dashboard's properties and add the "Public" role
 4. Only dashboards with the Public role explicitly assigned are visible to anonymous users

-See the [Public role documentation](/admin-docs/security/#public) for more details.
+See the [Public role documentation](/admin-docs/security/security#public) for more details.

 #### Embedding a Public Dashboard

@@ -111,7 +111,7 @@ FEATURE_FLAGS = {
 This flag only hides the logout button when Superset detects it is running inside an iframe. Users accessing Superset directly (not embedded) will still see the logout button regardless of this setting.

 :::note
-When embedding with SSO, also set `SESSION_COOKIE_SAMESITE = 'None'` and `SESSION_COOKIE_SECURE = True`. See [Security documentation](/admin-docs/security/securing_superset) for details.
+When embedding with SSO, also set `SESSION_COOKIE_SAMESITE = 'None'` and `SESSION_COOKIE_SECURE = True`. See [Security documentation](/docs/security/securing_superset) for details.
 :::

 ## CSRF settings
--- a/docs/admin_docs/configuration/sql-templating.mdx
+++ b/docs/admin_docs/configuration/sql-templating.mdx
@@ -22,15 +22,6 @@ While powerful, this feature executes template code on the server. Within the Su

 If you grant these permissions to untrusted users, this feature can be exploited as a **Server-Side Template Injection (SSTI)** vulnerability. Do not enable `ENABLE_TEMPLATE_PROCESSING` unless you fully understand and accept the associated security risks.

-Additionally:
-
- The `url_param()` macro allows URL parameters to influence the rendered SQL. Always validate or restrict `url_param()` values in your templates rather than interpolating them directly.
- `filter.get('val')` returns raw filter values without escaping. Use the safe helpers described below (`|where_in`, `| replace("'", "''")`) rather than concatenating values directly into SQL strings.
-
-:::
-
-:::tip
-`ENABLE_TEMPLATE_PROCESSING` defaults to `False`. Only enable it if your deployment requires Jinja templates and all users with dataset/chart edit access are administrators or fully trusted internal users.
 :::

 When templating is enabled, python code can be embedded in virtual datasets and
@@ -333,16 +324,6 @@ cache hit in the future and Superset can retrieve cached data.
 The `{{ url_param('custom_variable') }}` macro lets you define arbitrary URL
 parameters and reference them in your SQL code.

-:::warning
-Always treat `url_param()` values as untrusted input. Escaping behaviour varies by context and configuration, so do not rely on it. Restrict values to an explicit allowlist before using them in SQL:
-
-```sql
-{% set cc = url_param('countrycode') %}
-{% if cc not in ('US', 'ES', 'FR') %}{% set cc = 'US' %}{% endif %}
-WHERE country_code = '{{ cc }}'
-```
-:::
-
 Here's a concrete example:

 - You write the following query in SQL Lab:
@@ -417,16 +398,6 @@ This is useful if:
 - You want to handle generating custom SQL conditions for a filter
 - You want to have the ability to filter inside the main query for speed purposes

-:::warning
-`filter.get('val')` returns the raw filter value without escaping. For multi-value filters, use the `|where_in` Jinja filter, which handles quoting safely. For single-value operators like `LIKE`, escape single quotes before interpolating:
-
-```sql
-{%- if filter.get('op') == 'LIKE' -%}
-    AND full_name LIKE '{{ filter.get('val') | replace("'", "''") }}'
-{%- endif -%}
-```
-:::
-
 Here's a concrete example:

 ```sql
@@ -453,7 +424,7 @@ Here's a concrete example:

    {%- if filter.get('op') == 'LIKE' -%}
        AND
-        full_name LIKE '{{ filter.get('val') | replace("'", "''") }}'
+        full_name LIKE {{ "'" + filter.get('val') + "'" }}
    {%- endif -%}

    {%- endfor -%}
--- a/docs/admin_docs/configuration/theming.mdx
+++ b/docs/admin_docs/configuration/theming.mdx
@@ -122,17 +122,6 @@ When `ENABLE_UI_THEME_ADMINISTRATION = True`:
 3. Administrators can change system themes without restarting Superset
 4. Configuration file themes serve as fallbacks when no UI themes are set

-### Theme Validation and Fallback
-
-Superset validates theme JSON when it is saved, either through the UI or via configuration. If a theme contains invalid tokens or an unrecognized structure, Superset logs a warning and falls back to the built-in default theme rather than applying a broken configuration. This prevents a bad theme from rendering the application unusable.
-
-The fallback order is:
-1. **UI-configured system theme** (highest priority, if `ENABLE_UI_THEME_ADMINISTRATION = True`)
-2. **`THEME_DEFAULT` / `THEME_DARK`** from `superset_config.py`
-3. **Built-in Superset default theme** (always present as a safety net)
-
-If you see unexpected styling after a config change, check the Superset server logs for theme validation warnings.
-
 ### Copying Themes Between Systems

 To export a theme for use in configuration files or another instance:
@@ -154,11 +143,7 @@ Superset supports custom fonts through the theme configuration, allowing you to

 ### Default Fonts

-By default, Superset uses **Inter** for UI text and **IBM Plex Mono** for code (SQL editors, JSON fields, and other monospace contexts). Both fonts are bundled with the application via `@fontsource` packages and work offline without any external network calls.
-
-:::note
-IBM Plex Mono replaced Fira Code as the default code font in Superset 6.1. If you have an existing theme that explicitly sets `fontFamilyCode: "Fira Code, ..."`, you may want to update it.
-:::
+By default, Superset uses Inter and Fira Code fonts which are bundled with the application via `@fontsource` packages. These fonts work offline and require no external network calls.

 ### Configuring Custom Fonts

--- a/docs/admin_docs/configuration/timezones.mdx
+++ b/docs/admin_docs/configuration/timezones.mdx
@@ -20,7 +20,7 @@ To help make the problem somewhat tractable—given that Apache Superset has no

 To strive for data consistency (regardless of the timezone of the client) the Apache Superset backend tries to ensure that any timestamp sent to the client has an explicit (or semi-explicit as in the case with [Epoch time](https://en.wikipedia.org/wiki/Unix_time) which is always in reference to UTC) timezone encoded within.

-The challenge however lies with the slew of [database engines](/user-docs/databases#installing-drivers-in-docker) which Apache Superset supports and various inconsistencies between their [Python Database API (DB-API)](https://www.python.org/dev/peps/pep-0249/) implementations combined with the fact that we use [Pandas](https://pandas.pydata.org/) to read SQL into a DataFrame prior to serializing to JSON. Regrettably Pandas ignores the DB-API [type_code](https://www.python.org/dev/peps/pep-0249/#type-objects) relying by default on the underlying Python type returned by the DB-API. Currently only a subset of the supported database engines work correctly with Pandas, i.e., ensuring timestamps without an explicit timestamp are serialized to JSON with the server timezone, thus guaranteeing the client will display timestamps in a consistent manner irrespective of the client's timezone.
+The challenge however lies with the slew of [database engines](/admin-docs/databases#installing-drivers-in-docker) which Apache Superset supports and various inconsistencies between their [Python Database API (DB-API)](https://www.python.org/dev/peps/pep-0249/) implementations combined with the fact that we use [Pandas](https://pandas.pydata.org/) to read SQL into a DataFrame prior to serializing to JSON. Regrettably Pandas ignores the DB-API [type_code](https://www.python.org/dev/peps/pep-0249/#type-objects) relying by default on the underlying Python type returned by the DB-API. Currently only a subset of the supported database engines work correctly with Pandas, i.e., ensuring timestamps without an explicit timestamp are serializd to JSON with the server timezone, thus guaranteeing the client will display timestamps in a consistent manner irrespective of the client's timezone.

 For example the following is a comparison of MySQL and Presto,

--- a/docs/admin_docs/installation/kubernetes.mdx
+++ b/docs/admin_docs/installation/kubernetes.mdx
@@ -149,7 +149,7 @@ For production clusters it's recommended to build own image with this step done
 Superset requires a Python DB-API database driver and a SQLAlchemy
 dialect to be installed for each datastore you want to connect to.

-See [Install Database Drivers](/user-docs/databases#installing-database-drivers) for more information.
+See [Install Database Drivers](/admin-docs/databases#installing-database-drivers) for more information.
 It is recommended that you refer to versions listed in
 [pyproject.toml](https://github.com/apache/superset/blob/master/pyproject.toml)
 instead of hard-coding them in your bootstrap script, as seen below.
--- a/docs/admin_docs/security/security.mdx
+++ b/docs/admin_docs/security/security.mdx
@@ -24,14 +24,6 @@ A table with the permissions for these roles can be found at [/RESOURCES/STANDAR
 Admins have all possible rights, including granting or revoking rights from other
 users and altering other people’s slices and dashboards.

->#### Threat Model and Privilege Boundaries: The Admin Role
->
->Apache Superset is built with a granular permission model where users assigned the Admin role are considered fully trusted. Admins possess complete control over the application's configuration, UI rendering, and access controls.
->
->Consequently, actions performed by an Admin that alter the application's behavior or presentation—such as injecting custom CSS, modifying Jinja templates, or altering security flags—are intended administrative capabilities by design.
->
->In accordance with MITRE CNA Rule 4.1, a vulnerability must represent a violation of an explicit security policy. Because the Admin role is defined as a trusted operational boundary, actions executed with Admin privileges do not cross a security perimeter. Therefore, exploit vectors that strictly require Admin access are not classified as security vulnerabilities and are ineligible for CVE assignment.
-
 ### Alpha

 Alpha users have access to all data sources, but they cannot grant or revoke access
@@ -205,57 +197,6 @@ FAB_ADD_SECURITY_API = True

 Once configured, the documentation for additional "Security" endpoints will be visible in Swagger for you to explore.

-### API Key Authentication
-
-Superset supports long-lived API keys for service accounts, CI/CD pipelines, and programmatic integrations (including MCP clients).
-
-#### Enabling API Key Authentication
-
-API key authentication is **disabled by default**. To turn it on, set the Flask-AppBuilder config value in `superset_config.py` and also enable the matching feature flag so the management UI is exposed:
-
-```python
-FAB_API_KEY_ENABLED = True
-
-FEATURE_FLAGS = {
-    "FAB_API_KEY_ENABLED": True,
-}
-```
-
-The config value registers the `ApiKeyApi` blueprint on the backend; the feature flag controls whether the UI for managing keys appears for the user. See the [Feature Flags](/admin-docs/configuration/feature-flags) documentation for more on feature flag configuration.
-
-#### Creating an API Key
-
-Once enabled, each user manages their own keys from their profile page:
-
-1. Open the user menu (top-right) and click **Info** to navigate to the User Info page
-2. Expand the **API Keys** section
-3. Click **+ API Key**
-4. Enter a name and (optionally) an expiration date
-5. Copy the generated token — it is shown only once
-
-Only users with the `can_read` and `can_write` permissions on `ApiKey` (granted by default to Admins) can manage API keys.
-
-#### Using an API Key
-
-Pass the key as a Bearer token in the `Authorization` header:
-
-```
-Authorization: Bearer <your-api-key>
-```
-
-This works for all REST API endpoints and the MCP server. The request is executed with the permissions of the user who created the key.
-
-#### Use Cases
-
- **CI/CD pipelines** — automated chart/dashboard exports and imports
- **MCP integrations** — connect AI assistants without interactive login
- **External services** — dashboards embedded in other applications
- **Service accounts** — long-lived credentials that don't expire with session cookies
-
-:::caution
-Store API keys securely. Anyone with a valid key can make requests on behalf of the creating user. Revoke keys promptly if they are compromised by deleting them from the **API Keys** section of your User Info page.
-:::
-
 ### Customizing Permissions

 The permissions exposed by FAB are very granular and allow for a great level of
@@ -301,143 +242,26 @@ based on the roles and permissions that were attributed.
 ### Row Level Security

 Using Row Level Security filters (under the **Security** menu) you can create filters
-that are assigned to a particular dataset, as well as a set of roles.
+that are assigned to a particular table, as well as a set of roles.
 If you want members of the Finance team to only have access to
 rows where `department = "finance"`, you could:

 - Create a Row Level Security filter with that clause (`department = "finance"`)
- Then assign the clause to the **Finance** role and the dataset it applies to
+- Then assign the clause to the **Finance** role and the table it applies to

 The **clause** field, which can contain arbitrary text, is then added to the generated
-SQL statement's WHERE clause. So you could even do something like create a filter
+SQL statement’s WHERE clause. So you could even do something like create a filter
 for the last 30 days and apply it to a specific role, with a clause
 like `date_field > DATE_SUB(NOW(), INTERVAL 30 DAY)`. It can also support
 multiple conditions: `client_id = 6` AND `advertiser="foo"`, etc.

-RLS clauses also support **Jinja templating** when `ENABLE_TEMPLATE_PROCESSING` is enabled, so you can write dynamic filters such as
-`user_id = '{{ current_username() }}'` to restrict rows based on the logged-in user.
+All relevant Row level security filters will be combined together (under the hood,
+the different SQL clauses are combined using AND statements). This means it's
+possible to create a situation where two roles conflict in such a way as to limit a table subset to empty.

-#### Filter Types
-
-There are two types of RLS filters:
-
- **Regular** — The filter clause is applied when the querying user belongs to one of the
-  roles assigned to the filter. Use this to restrict what specific roles can see.
- **Base** — The filter clause is applied to **all** users _except_ those in the assigned
-  roles. Use this to define a default restriction that privileged roles (e.g. Admin) are
-  exempt from. For example, a Base filter with clause `1 = 0` and the Admin role would
-  hide all rows from everyone except Admin — useful as a deny-by-default baseline.
-
-#### Group Keys and Filter Combination
-
-All applicable RLS filters are combined before being added to the query. The combination
-rules are:
-
- Filters that share the **same group key** are combined with **OR** (any match within
-  the group is sufficient).
- Different filter groups (different group keys, or no group key) are combined with
-  **AND** (all groups must match).
- Filters with **no group key** are each treated as their own group and are always AND'd.
-
-For example, if a dataset has three filters:
-
-| Filter | Clause | Group Key |
-|--------|--------|-----------|
-| F1 | `department = 'Finance'` | `department` |
-| F2 | `department = 'Marketing'` | `department` |
-| F3 | `region = 'Europe'` | `region` |
-
-The resulting WHERE clause would be:
-
-```sql
-(department = 'Finance' OR department = 'Marketing') AND (region = 'Europe')
-```
-
-:::caution Conflicting filters
-It is possible to create filters that conflict and produce an empty result set. For
-example, the filters `client_id = 4` and `client_id = 5` **without a shared group key**
-will be AND'd together, producing `client_id = 4 AND client_id = 5`, which can never
-be true.
-
-If you intend for these to be alternatives, assign them the **same group key** so they
-are OR'd instead.
-:::
-
-#### RLS and Virtual (SQL-Based) Datasets
-
-RLS filters are assigned to **datasets**, not to underlying database tables directly. This
-has important implications when working with virtual (SQL-based) datasets:
-
- **Physical datasets** (backed directly by a table or view) — RLS filters assigned to
-  the dataset are added as WHERE clauses to the query.
- **Virtual datasets** (defined by a custom SQL query) — RLS filters assigned directly to
-  the virtual dataset are applied to the _outer_ query that wraps the dataset's SQL.
-  Additionally, RLS filters on the **underlying physical datasets** referenced by the
-  virtual dataset's SQL are injected into the inner subquery for each referenced table.
-
-For example, if you have:
-
-1. A physical dataset `orders` with RLS filter `region = 'US'`
-2. A virtual dataset defined as `SELECT * FROM orders WHERE status = 'active'`
-
-A user affected by the RLS filter will effectively see:
-
-```sql
-SELECT * FROM (
-  SELECT * FROM orders WHERE (region = 'US') AND status = 'active'
-) ...
-```
-
-**Key considerations for virtual datasets:**
-
- You generally do **not** need to duplicate RLS filters on both the physical and virtual
-  dataset — filters on the physical dataset are applied automatically at query time.
- If you assign an RLS filter directly to a virtual dataset, the clause must reference
-  columns available in the virtual dataset's _output_, not necessarily the underlying
-  table's columns.
- In **SQL Lab**, RLS is enforced only when the `RLS_IN_SQLLAB` feature flag is enabled:
-  queries run against tables that have associated datasets with RLS filters will then have
-  the appropriate predicates injected automatically.
-
-#### Checking RLS Filters via the API
-
-You can use the RLS REST API to audit which filters are configured and which datasets
-they affect. This requires the `can_read` permission on the `Row Level Security` resource.
-
-**List all RLS rules:**
-
-```
-GET /api/v1/rowlevelsecurity/
-```
-
-**Filter RLS rules for a specific dataset** (using [Rison](https://github.com/Nanonid/rison) query syntax):
-
-```
-GET /api/v1/rowlevelsecurity/?q=(filters:!((col:tables,opr:rel_m_m,value:<dataset_id>)))
-```
-
-**Filter RLS rules by role:**
-
-```
-GET /api/v1/rowlevelsecurity/?q=(filters:!((col:roles,opr:rel_m_m,value:<role_id>)))
-```
-
-**View details of a specific rule** (including clause, assigned datasets, and roles):
-
-```
-GET /api/v1/rowlevelsecurity/<id>
-```
-
-The response includes the filter's `name`, `filter_type` (Regular or Base), `clause`,
-`group_key`, assigned `tables` (with id, schema, and table\_name), and assigned `roles`
-(with id and name).
-
-:::tip Auditing RLS for virtual datasets
-To find all RLS rules that could affect a particular virtual dataset, query the list
-endpoint filtered by that dataset's ID for any directly-assigned rules. Then also check
-the physical datasets referenced in the virtual dataset's SQL, since their RLS filters
-are applied at query time too.
-:::
+For example, the filters `client_id=4` and `client_id=5`, applied to a role,
+will result in users of that role having `client_id=4` AND `client_id=5`
+added to their query, which can never be true.

 ### User Sessions

--- a/docs/developer_docs/api.mdx
+++ b/docs/developer_docs/api.mdx
@@ -59,7 +59,7 @@ curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
 #### Core Resources

 <details>
-<summary><strong>Dashboards</strong> (28 endpoints) — Create, read, update, and delete dashboards.</summary>
+<summary><strong>Dashboards</strong> (26 endpoints) — Create, read, update, and delete dashboards.</summary>

 | Method | Endpoint | Description |
 |--------|----------|-------------|
@@ -68,25 +68,23 @@ curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
 | `POST` | [Create a new dashboard](/developer-docs/api/create-a-new-dashboard) | `/api/v1/dashboard/` |
 | `GET` | [Get metadata information about this API resource (dashboard--info)](/developer-docs/api/get-metadata-information-about-this-api-resource-dashboard-info) | `/api/v1/dashboard/_info` |
 | `GET` | [Get a dashboard detail information](/developer-docs/api/get-a-dashboard-detail-information) | `/api/v1/dashboard/{id_or_slug}` |
-| `GET` | [Get a dashboard's chart definitions.](/developer-docs/api/get-a-dashboards-chart-definitions) | `/api/v1/dashboard/{id_or_slug}/charts` |
+| `GET` | [Get a dashboard's chart definitions.](/developer-docs/api/get-a-dashboard-s-chart-definitions) | `/api/v1/dashboard/{id_or_slug}/charts` |
 | `POST` | [Create a copy of an existing dashboard](/developer-docs/api/create-a-copy-of-an-existing-dashboard) | `/api/v1/dashboard/{id_or_slug}/copy/` |
-| `GET` | [Get dashboard's datasets](/developer-docs/api/get-dashboards-datasets) | `/api/v1/dashboard/{id_or_slug}/datasets` |
-| `DELETE` | [Delete a dashboard's embedded configuration](/developer-docs/api/delete-a-dashboards-embedded-configuration) | `/api/v1/dashboard/{id_or_slug}/embedded` |
-| `GET` | [Get the dashboard's embedded configuration](/developer-docs/api/get-the-dashboards-embedded-configuration) | `/api/v1/dashboard/{id_or_slug}/embedded` |
-| `POST` | [Set a dashboard's embedded configuration](/developer-docs/api/set-a-dashboards-embedded-configuration) | `/api/v1/dashboard/{id_or_slug}/embedded` |
+| `GET` | [Get dashboard's datasets](/developer-docs/api/get-dashboard-s-datasets) | `/api/v1/dashboard/{id_or_slug}/datasets` |
+| `DELETE` | [Delete a dashboard's embedded configuration](/developer-docs/api/delete-a-dashboard-s-embedded-configuration) | `/api/v1/dashboard/{id_or_slug}/embedded` |
+| `GET` | [Get the dashboard's embedded configuration](/developer-docs/api/get-the-dashboard-s-embedded-configuration) | `/api/v1/dashboard/{id_or_slug}/embedded` |
+| `POST` | [Set a dashboard's embedded configuration](/developer-docs/api/set-a-dashboard-s-embedded-configuration) | `/api/v1/dashboard/{id_or_slug}/embedded` |
 | `PUT` | [Update dashboard by id_or_slug embedded](/developer-docs/api/update-dashboard-by-id-or-slug-embedded) | `/api/v1/dashboard/{id_or_slug}/embedded` |
-| `GET` | [Get dashboard's tabs](/developer-docs/api/get-dashboards-tabs) | `/api/v1/dashboard/{id_or_slug}/tabs` |
+| `GET` | [Get dashboard's tabs](/developer-docs/api/get-dashboard-s-tabs) | `/api/v1/dashboard/{id_or_slug}/tabs` |
 | `DELETE` | [Delete a dashboard](/developer-docs/api/delete-a-dashboard) | `/api/v1/dashboard/{pk}` |
 | `PUT` | [Update a dashboard](/developer-docs/api/update-a-dashboard) | `/api/v1/dashboard/{pk}` |
 | `POST` | [Compute and cache a screenshot (dashboard-pk-cache-dashboard-screenshot)](/developer-docs/api/compute-and-cache-a-screenshot-dashboard-pk-cache-dashboard-screenshot) | `/api/v1/dashboard/{pk}/cache_dashboard_screenshot/` |
-| `PUT` | [Update chart customizations configuration for a dashboard.](/developer-docs/api/update-chart-customizations-configuration-for-a-dashboard) | `/api/v1/dashboard/{pk}/chart_customizations` |
 | `PUT` | [Update colors configuration for a dashboard.](/developer-docs/api/update-colors-configuration-for-a-dashboard) | `/api/v1/dashboard/{pk}/colors` |
-| `GET` | [Export dashboard as example bundle](/developer-docs/api/export-dashboard-as-example-bundle) | `/api/v1/dashboard/{pk}/export_as_example/` |
 | `DELETE` | [Remove the dashboard from the user favorite list](/developer-docs/api/remove-the-dashboard-from-the-user-favorite-list) | `/api/v1/dashboard/{pk}/favorites/` |
 | `POST` | [Mark the dashboard as favorite for the current user](/developer-docs/api/mark-the-dashboard-as-favorite-for-the-current-user) | `/api/v1/dashboard/{pk}/favorites/` |
 | `PUT` | [Update native filters configuration for a dashboard.](/developer-docs/api/update-native-filters-configuration-for-a-dashboard) | `/api/v1/dashboard/{pk}/filters` |
 | `GET` | [Get a computed screenshot from cache (dashboard-pk-screenshot-digest)](/developer-docs/api/get-a-computed-screenshot-from-cache-dashboard-pk-screenshot-digest) | `/api/v1/dashboard/{pk}/screenshot/{digest}/` |
-| `GET` | [Get dashboard's thumbnail](/developer-docs/api/get-dashboards-thumbnail) | `/api/v1/dashboard/{pk}/thumbnail/{digest}/` |
+| `GET` | [Get dashboard's thumbnail](/developer-docs/api/get-dashboard-s-thumbnail) | `/api/v1/dashboard/{pk}/thumbnail/{digest}/` |
 | `GET` | [Download multiple dashboards as YAML files](/developer-docs/api/download-multiple-dashboards-as-yaml-files) | `/api/v1/dashboard/export/` |
 | `GET` | [Check favorited dashboards for current user](/developer-docs/api/check-favorited-dashboards-for-current-user) | `/api/v1/dashboard/favorite_status/` |
 | `POST` | [Import dashboard(s) with associated charts/datasets/databases](/developer-docs/api/import-dashboard-s-with-associated-charts-datasets-databases) | `/api/v1/dashboard/import/` |
@@ -103,8 +101,8 @@ curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
 | `GET` | [Get a list of charts](/developer-docs/api/get-a-list-of-charts) | `/api/v1/chart/` |
 | `POST` | [Create a new chart](/developer-docs/api/create-a-new-chart) | `/api/v1/chart/` |
 | `GET` | [Get metadata information about this API resource (chart--info)](/developer-docs/api/get-metadata-information-about-this-api-resource-chart-info) | `/api/v1/chart/_info` |
-| `GET` | [Get a chart detail information](/developer-docs/api/get-a-chart-detail-information) | `/api/v1/chart/{id_or_uuid}` |
 | `DELETE` | [Delete a chart](/developer-docs/api/delete-a-chart) | `/api/v1/chart/{pk}` |
+| `GET` | [Get a chart detail information](/developer-docs/api/get-a-chart-detail-information) | `/api/v1/chart/{pk}` |
 | `PUT` | [Update a chart](/developer-docs/api/update-a-chart) | `/api/v1/chart/{pk}` |
 | `GET` | [Compute and cache a screenshot (chart-pk-cache-screenshot)](/developer-docs/api/compute-and-cache-a-screenshot-chart-pk-cache-screenshot) | `/api/v1/chart/{pk}/cache_screenshot/` |
 | `GET` | [Return payload data response for a chart](/developer-docs/api/return-payload-data-response-for-a-chart) | `/api/v1/chart/{pk}/data/` |
@@ -123,7 +121,7 @@ curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
 </details>

 <details>
-<summary><strong>Datasets</strong> (19 endpoints) — Manage datasets (tables) used for building charts.</summary>
+<summary><strong>Datasets</strong> (18 endpoints) — Manage datasets (tables) used for building charts.</summary>

 | Method | Endpoint | Description |
 |--------|----------|-------------|
@@ -131,14 +129,13 @@ curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
 | `GET` | [Get a list of datasets](/developer-docs/api/get-a-list-of-datasets) | `/api/v1/dataset/` |
 | `POST` | [Create a new dataset](/developer-docs/api/create-a-new-dataset) | `/api/v1/dataset/` |
 | `GET` | [Get metadata information about this API resource (dataset--info)](/developer-docs/api/get-metadata-information-about-this-api-resource-dataset-info) | `/api/v1/dataset/_info` |
-| `GET` | [Get a dataset](/developer-docs/api/get-a-dataset) | `/api/v1/dataset/{id_or_uuid}` |
-| `GET` | [Get charts and dashboards count associated to a dataset](/developer-docs/api/get-charts-and-dashboards-count-associated-to-a-dataset) | `/api/v1/dataset/{id_or_uuid}/related_objects` |
 | `DELETE` | [Delete a dataset](/developer-docs/api/delete-a-dataset) | `/api/v1/dataset/{pk}` |
+| `GET` | [Get a dataset](/developer-docs/api/get-a-dataset) | `/api/v1/dataset/{pk}` |
 | `PUT` | [Update a dataset](/developer-docs/api/update-a-dataset) | `/api/v1/dataset/{pk}` |
 | `DELETE` | [Delete a dataset column](/developer-docs/api/delete-a-dataset-column) | `/api/v1/dataset/{pk}/column/{column_id}` |
-| `GET` | [Get dataset drill info](/developer-docs/api/get-dataset-drill-info) | `/api/v1/dataset/{pk}/drill_info/` |
 | `DELETE` | [Delete a dataset metric](/developer-docs/api/delete-a-dataset-metric) | `/api/v1/dataset/{pk}/metric/{metric_id}` |
 | `PUT` | [Refresh and update columns of a dataset](/developer-docs/api/refresh-and-update-columns-of-a-dataset) | `/api/v1/dataset/{pk}/refresh` |
+| `GET` | [Get charts and dashboards count associated to a dataset](/developer-docs/api/get-charts-and-dashboards-count-associated-to-a-dataset) | `/api/v1/dataset/{pk}/related_objects` |
 | `GET` | [Get distinct values from field data (dataset-distinct-column-name)](/developer-docs/api/get-distinct-values-from-field-data-dataset-distinct-column-name) | `/api/v1/dataset/distinct/{column_name}` |
 | `POST` | [Duplicate a dataset](/developer-docs/api/duplicate-a-dataset) | `/api/v1/dataset/duplicate` |
 | `GET` | [Download multiple datasets as YAML files](/developer-docs/api/download-multiple-datasets-as-yaml-files) | `/api/v1/dataset/export/` |
@@ -150,7 +147,7 @@ curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
 </details>

 <details>
-<summary><strong>Database</strong> (30 endpoints) — Manage database connections and metadata.</summary>
+<summary><strong>Database</strong> (31 endpoints) — Manage database connections and metadata.</summary>

 | Method | Endpoint | Description |
 |--------|----------|-------------|
@@ -168,6 +165,7 @@ curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
 | `GET` | [Get all schemas from a database](/developer-docs/api/get-all-schemas-from-a-database) | `/api/v1/database/{pk}/schemas/` |
 | `GET` | [Get database select star for table (database-pk-select-star-table-name)](/developer-docs/api/get-database-select-star-for-table-database-pk-select-star-table-name) | `/api/v1/database/{pk}/select_star/{table_name}/` |
 | `GET` | [Get database select star for table (database-pk-select-star-table-name-schema-name)](/developer-docs/api/get-database-select-star-for-table-database-pk-select-star-table-name-schema-name) | `/api/v1/database/{pk}/select_star/{table_name}/{schema_name}/` |
+| `DELETE` | [Delete a SSH tunnel](/developer-docs/api/delete-a-ssh-tunnel) | `/api/v1/database/{pk}/ssh_tunnel/` |
 | `POST` | [Re-sync all permissions for a database connection](/developer-docs/api/re-sync-all-permissions-for-a-database-connection) | `/api/v1/database/{pk}/sync_permissions/` |
 | `GET` | [Get table extra metadata (database-pk-table-extra-table-name-schema-name)](/developer-docs/api/get-table-extra-metadata-database-pk-table-extra-table-name-schema-name) | `/api/v1/database/{pk}/table_extra/{table_name}/{schema_name}/` |
 | `GET` | [Get table metadata](/developer-docs/api/get-table-metadata) | `/api/v1/database/{pk}/table_metadata/` |
@@ -179,7 +177,7 @@ curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
 | `GET` | [Get names of databases currently available](/developer-docs/api/get-names-of-databases-currently-available) | `/api/v1/database/available/` |
 | `GET` | [Download database(s) and associated dataset(s) as a zip file](/developer-docs/api/download-database-s-and-associated-dataset-s-as-a-zip-file) | `/api/v1/database/export/` |
 | `POST` | [Import database(s) with associated datasets](/developer-docs/api/import-database-s-with-associated-datasets) | `/api/v1/database/import/` |
-| `GET` | [Receive personal access tokens from OAuth2](/developer-docs/api/receive-personal-access-tokens-from-o-auth-2) | `/api/v1/database/oauth2/` |
+| `GET` | [Receive personal access tokens from OAuth2](/developer-docs/api/receive-personal-access-tokens-from-oauth2) | `/api/v1/database/oauth2/` |
 | `GET` | [Get related fields data (database-related-column-name)](/developer-docs/api/get-related-fields-data-database-related-column-name) | `/api/v1/database/related/{column_name}` |
 | `POST` | [Test a database connection](/developer-docs/api/test-a-database-connection) | `/api/v1/database/test_connection/` |
 | `POST` | [Upload a file and returns file metadata](/developer-docs/api/upload-a-file-and-returns-file-metadata) | `/api/v1/database/upload_metadata/` |
@@ -199,14 +197,13 @@ curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
 </details>

 <details>
-<summary><strong>SQL Lab</strong> (7 endpoints) — Execute SQL queries and manage SQL Lab sessions.</summary>
+<summary><strong>SQL Lab</strong> (6 endpoints) — Execute SQL queries and manage SQL Lab sessions.</summary>

 | Method | Endpoint | Description |
 |--------|----------|-------------|
-| `GET` | [Get the bootstrap data for SqlLab page](/developer-docs/api/get-the-bootstrap-data-for-sql-lab-page) | `/api/v1/sqllab/` |
+| `GET` | [Get the bootstrap data for SqlLab page](/developer-docs/api/get-the-bootstrap-data-for-sqllab-page) | `/api/v1/sqllab/` |
 | `POST` | [Estimate the SQL query execution cost](/developer-docs/api/estimate-the-sql-query-execution-cost) | `/api/v1/sqllab/estimate/` |
 | `POST` | [Execute a SQL query](/developer-docs/api/execute-a-sql-query) | `/api/v1/sqllab/execute/` |
-| `POST` | [Export SQL query results to CSV with streaming](/developer-docs/api/export-sql-query-results-to-csv-with-streaming) | `/api/v1/sqllab/export_streaming/` |
 | `GET` | [Export the SQL query results to a CSV](/developer-docs/api/export-the-sql-query-results-to-a-csv) | `/api/v1/sqllab/export/{client_id}/` |
 | `POST` | [Format SQL code](/developer-docs/api/format-sql-code) | `/api/v1/sqllab/format_sql/` |
 | `GET` | [Get the result of a SQL query execution](/developer-docs/api/get-the-result-of-a-sql-query-execution) | `/api/v1/sqllab/results/` |
@@ -239,21 +236,20 @@ curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
 </details>

 <details>
-<summary><strong>Datasources</strong> (2 endpoints) — Query datasource metadata and column values.</summary>
+<summary><strong>Datasources</strong> (1 endpoints) — Query datasource metadata and column values.</summary>

 | Method | Endpoint | Description |
 |--------|----------|-------------|
 | `GET` | [Get possible values for a datasource column](/developer-docs/api/get-possible-values-for-a-datasource-column) | `/api/v1/datasource/{datasource_type}/{datasource_id}/column/{column_name}/values/` |
-| `POST` | [Validate a SQL expression against a datasource](/developer-docs/api/validate-a-sql-expression-against-a-datasource) | `/api/v1/datasource/{datasource_type}/{datasource_id}/validate_expression/` |

 </details>

 <details>
-<summary><strong>Advanced Data Type</strong> (2 endpoints) — Advanced data type operations and conversions.</summary>
+<summary><strong>Advanced Data Type</strong> (2 endpoints) — Endpoints for advanced data type operations and conversions.</summary>

 | Method | Endpoint | Description |
 |--------|----------|-------------|
-| `GET` | [Return an AdvancedDataTypeResponse](/developer-docs/api/return-an-advanced-data-type-response) | `/api/v1/advanced_data_type/convert` |
+| `GET` | [Return an AdvancedDataTypeResponse](/developer-docs/api/return-an-advanceddatatyperesponse) | `/api/v1/advanced_data_type/convert` |
 | `GET` | [Return a list of available advanced data types](/developer-docs/api/return-a-list-of-available-advanced-data-types) | `/api/v1/advanced_data_type/types` |

 </details>
@@ -324,32 +320,32 @@ curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
 #### Sharing & Embedding

 <details>
-<summary><strong>Dashboard Permanent Link</strong> (2 endpoints) — Permanent links to dashboard states.</summary>
+<summary><strong>Dashboard Permanent Link</strong> (2 endpoints) — Create and retrieve permanent links to dashboard states.</summary>

 | Method | Endpoint | Description |
 |--------|----------|-------------|
-| `POST` | [Create a new dashboard's permanent link](/developer-docs/api/create-a-new-dashboards-permanent-link) | `/api/v1/dashboard/{pk}/permalink` |
-| `GET` | [Get dashboard's permanent link state](/developer-docs/api/get-dashboards-permanent-link-state) | `/api/v1/dashboard/permalink/{key}` |
+| `POST` | [Create a new dashboard's permanent link](/developer-docs/api/create-a-new-dashboard-s-permanent-link) | `/api/v1/dashboard/{pk}/permalink` |
+| `GET` | [Get dashboard's permanent link state](/developer-docs/api/get-dashboard-s-permanent-link-state) | `/api/v1/dashboard/permalink/{key}` |

 </details>

 <details>
-<summary><strong>Explore Permanent Link</strong> (2 endpoints) — Permanent links to chart explore states.</summary>
+<summary><strong>Explore Permanent Link</strong> (2 endpoints) — Create and retrieve permanent links to chart explore states.</summary>

 | Method | Endpoint | Description |
 |--------|----------|-------------|
 | `POST` | [Create a new permanent link (explore-permalink)](/developer-docs/api/create-a-new-permanent-link-explore-permalink) | `/api/v1/explore/permalink` |
-| `GET` | [Get chart's permanent link state](/developer-docs/api/get-charts-permanent-link-state) | `/api/v1/explore/permalink/{key}` |
+| `GET` | [Get chart's permanent link state](/developer-docs/api/get-chart-s-permanent-link-state) | `/api/v1/explore/permalink/{key}` |

 </details>

 <details>
-<summary><strong>SQL Lab Permanent Link</strong> (2 endpoints) — Permanent links to SQL Lab states.</summary>
+<summary><strong>SQL Lab Permanent Link</strong> (2 endpoints) — Create and retrieve permanent links to SQL Lab states.</summary>

 | Method | Endpoint | Description |
 |--------|----------|-------------|
 | `POST` | [Create a new permanent link (sqllab-permalink)](/developer-docs/api/create-a-new-permanent-link-sqllab-permalink) | `/api/v1/sqllab/permalink` |
-| `GET` | [Get permanent link state for SQLLab editor.](/developer-docs/api/get-permanent-link-state-for-sql-lab-editor) | `/api/v1/sqllab/permalink/{key}` |
+| `GET` | [Get permanent link state for SQLLab editor.](/developer-docs/api/get-permanent-link-state-for-sqllab-editor) | `/api/v1/sqllab/permalink/{key}` |

 </details>

@@ -367,10 +363,10 @@ curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \

 | Method | Endpoint | Description |
 |--------|----------|-------------|
-| `POST` | [Create a dashboard's filter state](/developer-docs/api/create-a-dashboards-filter-state) | `/api/v1/dashboard/{pk}/filter_state` |
-| `DELETE` | [Delete a dashboard's filter state value](/developer-docs/api/delete-a-dashboards-filter-state-value) | `/api/v1/dashboard/{pk}/filter_state/{key}` |
-| `GET` | [Get a dashboard's filter state value](/developer-docs/api/get-a-dashboards-filter-state-value) | `/api/v1/dashboard/{pk}/filter_state/{key}` |
-| `PUT` | [Update a dashboard's filter state value](/developer-docs/api/update-a-dashboards-filter-state-value) | `/api/v1/dashboard/{pk}/filter_state/{key}` |
+| `POST` | [Create a dashboard's filter state](/developer-docs/api/create-a-dashboard-s-filter-state) | `/api/v1/dashboard/{pk}/filter_state` |
+| `DELETE` | [Delete a dashboard's filter state value](/developer-docs/api/delete-a-dashboard-s-filter-state-value) | `/api/v1/dashboard/{pk}/filter_state/{key}` |
+| `GET` | [Get a dashboard's filter state value](/developer-docs/api/get-a-dashboard-s-filter-state-value) | `/api/v1/dashboard/{pk}/filter_state/{key}` |
+| `PUT` | [Update a dashboard's filter state value](/developer-docs/api/update-a-dashboard-s-filter-state-value) | `/api/v1/dashboard/{pk}/filter_state/{key}` |

 </details>

@@ -410,7 +406,7 @@ curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
 #### Security & Access Control

 <details>
-<summary><strong>Security Roles</strong> (11 endpoints) — Manage security roles and their permissions.</summary>
+<summary><strong>Security Roles</strong> (10 endpoints) — Manage security roles and their permissions.</summary>

 | Method | Endpoint | Description |
 |--------|----------|-------------|
@@ -420,7 +416,6 @@ curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
 | `DELETE` | [Delete security roles by pk](/developer-docs/api/delete-security-roles-by-pk) | `/api/v1/security/roles/{pk}` |
 | `GET` | [Get security roles by pk](/developer-docs/api/get-security-roles-by-pk) | `/api/v1/security/roles/{pk}` |
 | `PUT` | [Update security roles by pk](/developer-docs/api/update-security-roles-by-pk) | `/api/v1/security/roles/{pk}` |
-| `PUT` | [Update security roles by role_id groups](/developer-docs/api/update-security-roles-by-role-id-groups) | `/api/v1/security/roles/{role_id}/groups` |
 | `POST` | [Create security roles by role_id permissions](/developer-docs/api/create-security-roles-by-role-id-permissions) | `/api/v1/security/roles/{role_id}/permissions` |
 | `GET` | [Get security roles by role_id permissions](/developer-docs/api/get-security-roles-by-role-id-permissions) | `/api/v1/security/roles/{role_id}/permissions/` |
 | `PUT` | [Update security roles by role_id users](/developer-docs/api/update-security-roles-by-role-id-users) | `/api/v1/security/roles/{role_id}/users` |
@@ -468,7 +463,7 @@ curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
 </details>

 <details>
-<summary><strong>Security Permissions on Resources (View Menus)</strong> (6 endpoints) — Permission-resource mappings.</summary>
+<summary><strong>Security Permissions on Resources (View Menus)</strong> (6 endpoints) — Manage permission-resource mappings.</summary>

 | Method | Endpoint | Description |
 |--------|----------|-------------|
@@ -482,7 +477,7 @@ curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
 </details>

 <details>
-<summary><strong>Row Level Security</strong> (8 endpoints) — Manage row-level security rules for data access.</summary>
+<summary><strong>Row Level Security</strong> (8 endpoints) — Manage row-level security rules for data access control.</summary>

 | Method | Endpoint | Description |
 |--------|----------|-------------|
@@ -500,7 +495,7 @@ curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
 #### Import/Export & Administration

 <details>
-<summary><strong>Import/export</strong> (2 endpoints) — Import and export Superset assets.</summary>
+<summary><strong>Import/export</strong> (2 endpoints) — Import and export Superset assets (dashboards, charts, databases).</summary>

 | Method | Endpoint | Description |
 |--------|----------|-------------|
@@ -533,12 +528,11 @@ curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
 #### User & System

 <details>
-<summary><strong>Current User</strong> (3 endpoints) — Get information about the authenticated user.</summary>
+<summary><strong>Current User</strong> (2 endpoints) — Get information about the currently authenticated user.</summary>

 | Method | Endpoint | Description |
 |--------|----------|-------------|
 | `GET` | [Get the user object](/developer-docs/api/get-the-user-object) | `/api/v1/me/` |
-| `PUT` | [Update the current user](/developer-docs/api/update-the-current-user) | `/api/v1/me/` |
 | `GET` | [Get the user roles](/developer-docs/api/get-the-user-roles) | `/api/v1/me/roles/` |

 </details>
@@ -588,60 +582,6 @@ curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \

 </details>

-#### Other
-
-<details>
-<summary><strong>Security Groups</strong> (6 endpoints) — Endpoints related to Security Groups.</summary>
-
-| Method | Endpoint | Description |
-|--------|----------|-------------|
-| `GET` | [Get security groups](/developer-docs/api/get-security-groups) | `/api/v1/security/groups/` |
-| `POST` | [Create security groups](/developer-docs/api/create-security-groups) | `/api/v1/security/groups/` |
-| `GET` | [Get security groups  info](/developer-docs/api/get-security-groups-info) | `/api/v1/security/groups/_info` |
-| `DELETE` | [Delete security groups by pk](/developer-docs/api/delete-security-groups-by-pk) | `/api/v1/security/groups/{pk}` |
-| `GET` | [Get security groups by pk](/developer-docs/api/get-security-groups-by-pk) | `/api/v1/security/groups/{pk}` |
-| `PUT` | [Update security groups by pk](/developer-docs/api/update-security-groups-by-pk) | `/api/v1/security/groups/{pk}` |
-
-</details>
-
-<details>
-<summary><strong>Themes</strong> (14 endpoints) — Manage UI themes for customizing Superset's appearance.</summary>
-
-| Method | Endpoint | Description |
-|--------|----------|-------------|
-| `DELETE` | [Bulk delete themes](/developer-docs/api/bulk-delete-themes) | `/api/v1/theme/` |
-| `GET` | [Get a list of themes](/developer-docs/api/get-a-list-of-themes) | `/api/v1/theme/` |
-| `POST` | [Create a theme](/developer-docs/api/create-a-theme) | `/api/v1/theme/` |
-| `GET` | [Get metadata information about this API resource (theme--info)](/developer-docs/api/get-metadata-information-about-this-api-resource-theme-info) | `/api/v1/theme/_info` |
-| `DELETE` | [Delete a theme](/developer-docs/api/delete-a-theme) | `/api/v1/theme/{pk}` |
-| `GET` | [Get a theme](/developer-docs/api/get-a-theme) | `/api/v1/theme/{pk}` |
-| `PUT` | [Update a theme](/developer-docs/api/update-a-theme) | `/api/v1/theme/{pk}` |
-| `PUT` | [Set a theme as the system dark theme](/developer-docs/api/set-a-theme-as-the-system-dark-theme) | `/api/v1/theme/{pk}/set_system_dark` |
-| `PUT` | [Set a theme as the system default theme](/developer-docs/api/set-a-theme-as-the-system-default-theme) | `/api/v1/theme/{pk}/set_system_default` |
-| `GET` | [Download multiple themes as YAML files](/developer-docs/api/download-multiple-themes-as-yaml-files) | `/api/v1/theme/export/` |
-| `POST` | [Import themes from a ZIP file](/developer-docs/api/import-themes-from-a-zip-file) | `/api/v1/theme/import/` |
-| `GET` | [Get related fields data (theme-related-column-name)](/developer-docs/api/get-related-fields-data-theme-related-column-name) | `/api/v1/theme/related/{column_name}` |
-| `DELETE` | [Clear the system dark theme](/developer-docs/api/clear-the-system-dark-theme) | `/api/v1/theme/unset_system_dark` |
-| `DELETE` | [Clear the system default theme](/developer-docs/api/clear-the-system-default-theme) | `/api/v1/theme/unset_system_default` |
-
-</details>
-
-<details>
-<summary><strong>UserRegistrationsRestAPI</strong> (8 endpoints) — Endpoints related to UserRegistrationsRestAPI.</summary>
-
-| Method | Endpoint | Description |
-|--------|----------|-------------|
-| `GET` | [Get security user registrations](/developer-docs/api/get-security-user-registrations) | `/api/v1/security/user_registrations/` |
-| `POST` | [Create security user registrations](/developer-docs/api/create-security-user-registrations) | `/api/v1/security/user_registrations/` |
-| `GET` | [Get security user registrations  info](/developer-docs/api/get-security-user-registrations-info) | `/api/v1/security/user_registrations/_info` |
-| `DELETE` | [Delete security user registrations by pk](/developer-docs/api/delete-security-user-registrations-by-pk) | `/api/v1/security/user_registrations/{pk}` |
-| `GET` | [Get security user registrations by pk](/developer-docs/api/get-security-user-registrations-by-pk) | `/api/v1/security/user_registrations/{pk}` |
-| `PUT` | [Update security user registrations by pk](/developer-docs/api/update-security-user-registrations-by-pk) | `/api/v1/security/user_registrations/{pk}` |
-| `GET` | [Get distinct values from field data (security-user-registrations-distinct-column-name)](/developer-docs/api/get-distinct-values-from-field-data-security-user-registrations-distinct-column-name) | `/api/v1/security/user_registrations/distinct/{column_name}` |
-| `GET` | [Get related fields data (security-user-registrations-related-column-name)](/developer-docs/api/get-related-fields-data-security-user-registrations-related-column-name) | `/api/v1/security/user_registrations/related/{column_name}` |
-
-</details>
-
 ---

 ### Additional Resources
--- a/docs/developer_docs/components/design-system/dropdowncontainer.mdx
+++ b/docs/developer_docs/components/design-system/dropdowncontainer.mdx
@@ -156,7 +156,7 @@ function SelectFilters() {
 ## Import

 ```tsx
-import { DropdownContainer } from '@superset-ui/core/components';
+import { DropdownContainer } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/design-system/flex.mdx
+++ b/docs/developer_docs/components/design-system/flex.mdx
@@ -186,7 +186,7 @@ function JustifyAlign() {
 ## Import

 ```tsx
-import { Flex } from '@superset-ui/core/components';
+import { Flex } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/design-system/grid.mdx
+++ b/docs/developer_docs/components/design-system/grid.mdx
@@ -181,7 +181,7 @@ function AlignmentDemo() {
 ## Import

 ```tsx
-import { Grid } from '@superset-ui/core/components';
+import Grid from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/design-system/layout.mdx
+++ b/docs/developer_docs/components/design-system/layout.mdx
@@ -128,7 +128,7 @@ function RightSidebar() {
 ## Import

 ```tsx
-import { Layout } from '@superset-ui/core/components';
+import { Layout } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/design-system/metadatabar.mdx
+++ b/docs/developer_docs/components/design-system/metadatabar.mdx
@@ -163,7 +163,7 @@ function FullMetadata() {
 ## Import

 ```tsx
-import { MetadataBar } from '@superset-ui/core/components';
+import MetadataBar from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/design-system/space.mdx
+++ b/docs/developer_docs/components/design-system/space.mdx
@@ -157,7 +157,7 @@ function SpaceSizes() {
 ## Import

 ```tsx
-import { Space } from '@superset-ui/core/components';
+import { Space } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/design-system/table.mdx
+++ b/docs/developer_docs/components/design-system/table.mdx
@@ -300,7 +300,7 @@ function LoadingTable() {
 ## Import

 ```tsx
-import { Table } from '@superset-ui/core/components';
+import { Table } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/index.mdx
+++ b/docs/developer_docs/components/index.mdx
@@ -23,16 +23,7 @@ sidebar_position: 0
    under the License.
 -->

-import { ComponentIndex } from '@site/src/components/ui-components';
-import componentData from '@site/static/data/components.json';
-
-# UI Components
-
-<ComponentIndex data={componentData} />
-
---
-
-## Design System
+# Superset Design System

 A design system is a complete set of standards intended to manage design at scale using reusable components and patterns.

@@ -44,6 +35,19 @@ The Superset Design System uses [Atomic Design](https://bradfrost.com/blog/post/

 <img src="/img/atomic-design.png" alt="Atoms = Foundations, Molecules = Components, Organisms = Patterns, Templates = Templates, Pages / Screens = Features" style={{maxWidth: '100%'}} />

+---
+
+## Component Library
+
+Interactive documentation for Superset's UI component library. **53 components** documented across 2 categories.
+
+### [Core Components](./ui/)
+46 components — Buttons, inputs, modals, selects, and other fundamental UI elements.
+
+### [Layout Components](./design-system/)
+7 components — Grid, Layout, Table, Flex, Space, and container components for page structure.
+
+
 ## Usage

 All components are exported from `@superset-ui/core/components`:
--- a/docs/developer_docs/components/ui/autocomplete.mdx
+++ b/docs/developer_docs/components/ui/autocomplete.mdx
@@ -204,7 +204,7 @@ function Demo() {
 ## Import

 ```tsx
-import { AutoComplete } from '@superset-ui/core/components';
+import { AutoComplete } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/avatar.mdx
+++ b/docs/developer_docs/components/ui/avatar.mdx
@@ -129,7 +129,7 @@ function Demo() {
 ## Import

 ```tsx
-import { Avatar } from '@superset-ui/core/components';
+import { Avatar } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/badge.mdx
+++ b/docs/developer_docs/components/ui/badge.mdx
@@ -149,7 +149,7 @@ function ColorGallery() {
 ## Import

 ```tsx
-import { Badge } from '@superset-ui/core/components';
+import { Badge } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/breadcrumb.mdx
+++ b/docs/developer_docs/components/ui/breadcrumb.mdx
@@ -82,7 +82,7 @@ function Demo() {
 ## Import

 ```tsx
-import { Breadcrumb } from '@superset-ui/core/components';
+import { Breadcrumb } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/button.mdx
+++ b/docs/developer_docs/components/ui/button.mdx
@@ -43,7 +43,7 @@ The Button component from Superset's UI library.
 <StoryWithControls
  component="Button"
  props={{
-  buttonStyle: "primary",
+  buttonStyle: "default",
  buttonSize: "default",
  children: "Button!"
 }}
@@ -111,7 +111,7 @@ Edit the code below to experiment with the component:
 function Demo() {
  return (
    <Button
-      buttonStyle="primary"
+      buttonStyle="default"
      buttonSize="default"
    >
      Button!
@@ -124,14 +124,14 @@ function Demo() {

 | Prop | Type | Default | Description |
 |------|------|---------|-------------|
-| `buttonStyle` | `string` | `"primary"` | The style variant of the button. |
+| `buttonStyle` | `string` | `"default"` | The style variant of the button. |
 | `buttonSize` | `string` | `"default"` | The size of the button. |
 | `children` | `string` | `"Button!"` | The button text or content. |

 ## Import

 ```tsx
-import { Button } from '@superset-ui/core/components';
+import { Button } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/buttongroup.mdx
+++ b/docs/developer_docs/components/ui/buttongroup.mdx
@@ -77,7 +77,7 @@ function Demo() {
 ## Import

 ```tsx
-import { ButtonGroup } from '@superset-ui/core/components';
+import { ButtonGroup } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/cachedlabel.mdx
+++ b/docs/developer_docs/components/ui/cachedlabel.mdx
@@ -68,7 +68,7 @@ function Demo() {
 ## Import

 ```tsx
-import { CachedLabel } from '@superset-ui/core/components';
+import { CachedLabel } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/card.mdx
+++ b/docs/developer_docs/components/ui/card.mdx
@@ -131,7 +131,7 @@ function CardStates() {
 ## Import

 ```tsx
-import { Card } from '@superset-ui/core/components';
+import { Card } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/checkbox.mdx
+++ b/docs/developer_docs/components/ui/checkbox.mdx
@@ -130,7 +130,7 @@ function SelectAllDemo() {
 ## Import

 ```tsx
-import { Checkbox } from '@superset-ui/core/components';
+import { Checkbox } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/collapse.mdx
+++ b/docs/developer_docs/components/ui/collapse.mdx
@@ -95,7 +95,7 @@ function Demo() {
 ## Import

 ```tsx
-import { Collapse } from '@superset-ui/core/components';
+import { Collapse } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/datepicker.mdx
+++ b/docs/developer_docs/components/ui/datepicker.mdx
@@ -99,7 +99,7 @@ function Demo() {
 ## Import

 ```tsx
-import { DatePicker } from '@superset-ui/core/components';
+import { DatePicker } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/divider.mdx
+++ b/docs/developer_docs/components/ui/divider.mdx
@@ -133,7 +133,7 @@ function Demo() {
 ## Import

 ```tsx
-import { Divider } from '@superset-ui/core/components';
+import { Divider } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/editabletitle.mdx
+++ b/docs/developer_docs/components/ui/editabletitle.mdx
@@ -161,7 +161,7 @@ function Demo() {
 ## Import

 ```tsx
-import { EditableTitle } from '@superset-ui/core/components';
+import { EditableTitle } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/emptystate.mdx
+++ b/docs/developer_docs/components/ui/emptystate.mdx
@@ -136,7 +136,7 @@ function Demo() {
 ## Import

 ```tsx
-import { EmptyState } from '@superset-ui/core/components';
+import { EmptyState } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/favestar.mdx
+++ b/docs/developer_docs/components/ui/favestar.mdx
@@ -85,7 +85,7 @@ function Demo() {
 ## Import

 ```tsx
-import { FaveStar } from '@superset-ui/core/components';
+import { FaveStar } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/iconbutton.mdx
+++ b/docs/developer_docs/components/ui/iconbutton.mdx
@@ -95,7 +95,7 @@ function Demo() {
 ## Import

 ```tsx
-import { IconButton } from '@superset-ui/core/components';
+import { IconButton } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/icons.mdx
+++ b/docs/developer_docs/components/ui/icons.mdx
@@ -241,7 +241,7 @@ function IconWithText() {
 ## Import

 ```tsx
-import { Icons } from '@superset-ui/core/components';
+import { Icons } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/icontooltip.mdx
+++ b/docs/developer_docs/components/ui/icontooltip.mdx
@@ -89,7 +89,7 @@ function Demo() {
 ## Import

 ```tsx
-import { IconTooltip } from '@superset-ui/core/components';
+import { IconTooltip } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/infotooltip.mdx
+++ b/docs/developer_docs/components/ui/infotooltip.mdx
@@ -95,7 +95,7 @@ function Demo() {
 ## Import

 ```tsx
-import { InfoTooltip } from '@superset-ui/core/components';
+import { InfoTooltip } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/input.mdx
+++ b/docs/developer_docs/components/ui/input.mdx
@@ -151,7 +151,7 @@ function Demo() {
 ## Import

 ```tsx
-import { Input } from '@superset-ui/core/components';
+import { Input } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/label.mdx
+++ b/docs/developer_docs/components/ui/label.mdx
@@ -94,7 +94,7 @@ function Demo() {
 ## Import

 ```tsx
-import { Label } from '@superset-ui/core/components';
+import { Label } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/list.mdx
+++ b/docs/developer_docs/components/ui/list.mdx
@@ -106,7 +106,7 @@ function Demo() {
 ## Import

 ```tsx
-import { List } from '@superset-ui/core/components';
+import { List } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/listviewcard.mdx
+++ b/docs/developer_docs/components/ui/listviewcard.mdx
@@ -121,7 +121,7 @@ function Demo() {
 ## Import

 ```tsx
-import { ListViewCard } from '@superset-ui/core/components';
+import { ListViewCard } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/loading.mdx
+++ b/docs/developer_docs/components/ui/loading.mdx
@@ -176,7 +176,7 @@ function ContextualDemo() {
 ## Import

 ```tsx
-import { Loading } from '@superset-ui/core/components';
+import { Loading } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/menu.mdx
+++ b/docs/developer_docs/components/ui/menu.mdx
@@ -163,7 +163,7 @@ function MenuWithIcons() {
 ## Import

 ```tsx
-import { Menu } from '@superset-ui/core/components';
+import { Menu } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/modal.mdx
+++ b/docs/developer_docs/components/ui/modal.mdx
@@ -196,7 +196,7 @@ function ConfirmationDialogs() {
 ## Import

 ```tsx
-import { Modal } from '@superset-ui/core/components';
+import { Modal } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/modaltrigger.mdx
+++ b/docs/developer_docs/components/ui/modaltrigger.mdx
@@ -181,7 +181,7 @@ function DraggableModal() {
 ## Import

 ```tsx
-import { ModalTrigger } from '@superset-ui/core/components';
+import { ModalTrigger } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/popover.mdx
+++ b/docs/developer_docs/components/ui/popover.mdx
@@ -188,7 +188,7 @@ function RichPopover() {
 ## Import

 ```tsx
-import { Popover } from '@superset-ui/core/components';
+import { Popover } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/progressbar.mdx
+++ b/docs/developer_docs/components/ui/progressbar.mdx
@@ -195,7 +195,7 @@ function CustomColors() {
 ## Import

 ```tsx
-import { ProgressBar } from '@superset-ui/core/components';
+import { ProgressBar } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/radio.mdx
+++ b/docs/developer_docs/components/ui/radio.mdx
@@ -126,7 +126,7 @@ function VerticalDemo() {
 ## Import

 ```tsx
-import { Radio } from '@superset-ui/core/components';
+import { Radio } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/safemarkdown.mdx
+++ b/docs/developer_docs/components/ui/safemarkdown.mdx
@@ -74,7 +74,7 @@ function Demo() {
 ## Import

 ```tsx
-import { SafeMarkdown } from '@superset-ui/core/components';
+import { SafeMarkdown } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/select.mdx
+++ b/docs/developer_docs/components/ui/select.mdx
@@ -297,7 +297,7 @@ function OneLineDemo() {
 ## Import

 ```tsx
-import { Select } from '@superset-ui/core/components';
+import { Select } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/skeleton.mdx
+++ b/docs/developer_docs/components/ui/skeleton.mdx
@@ -129,7 +129,7 @@ function Demo() {
 ## Import

 ```tsx
-import { Skeleton } from '@superset-ui/core/components';
+import { Skeleton } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/slider.mdx
+++ b/docs/developer_docs/components/ui/slider.mdx
@@ -242,7 +242,7 @@ function VerticalDemo() {
 ## Import

 ```tsx
-import { Slider } from '@superset-ui/core/components';
+import { Slider } from '@superset/components';
 ```

 ---
--- a/docs/developer_docs/components/ui/steps.mdx
+++ b/docs/developer_docs/components/ui/steps.mdx
@@ -261,7 +261,7 @@ function DotAndSmall() {
 ## Import

 ```tsx
-import { Steps } from '@superset-ui/core/components';
+import { Steps } from '@superset/components';
 ```

 ---
--- a/Show More
+++ b/Show More