fix(mcp): context-aware recovery hints and sanitize identifier in not-found errors

- In get_chart_preview, when identifier looks like a form_data_key (long non-numeric string), suggest regenerating the explore link rather than always pointing to list_charts, which is only relevant for chart IDs. - Truncate request.identifier to 200 chars before embedding in error messages across get_chart_preview, get_chart_data, and update_chart to prevent injection via oversized attacker-controlled identifiers.
fix(mcp): improve "not found" errors to suggest corresponding list_* tools
2026-05-13 03:45:12 +00:00 · 2026-05-09 00:26:11 +00:00 · 2026-05-06 22:55:46 +00:00
9 changed files with 51 additions and 15 deletions
--- a/superset/mcp_service/chart/tool/get_chart_data.py
+++ b/superset/mcp_service/chart/tool/get_chart_data.py
@@ -199,8 +199,12 @@ async def get_chart_data(  # noqa: C901

        if not chart:
            await ctx.warning("Chart not found: identifier=%s" % (request.identifier,))
+            safe_id = str(request.identifier)[:200]
            return ChartError(
-                error=f"No chart found with identifier: {request.identifier}",
+                error=(
+                    f"No chart found with identifier: {safe_id}."
+                    " Use list_charts to get valid chart IDs."
+                ),
                error_type="NotFound",
            )

--- a/superset/mcp_service/chart/tool/get_chart_preview.py
+++ b/superset/mcp_service/chart/tool/get_chart_preview.py
@@ -1192,8 +1192,22 @@ async def _get_chart_preview_internal(  # noqa: C901

        if not chart:
            await ctx.warning("Chart not found: identifier=%s" % (request.identifier,))
+            safe_id = str(request.identifier)[:200]
+            is_form_data_key = (
+                isinstance(request.identifier, str)
+                and len(request.identifier) > 8
+                and not request.identifier.isdigit()
+            )
+            if is_form_data_key:
+                recovery = (
+                    "If using a form_data_key, it may have expired — "
+                    "use generate_explore_link to get a fresh key, "
+                    "or use list_charts to find a saved chart by ID."
+                )
+            else:
+                recovery = "Use list_charts to get valid chart IDs."
            return ChartError(
-                error=f"No chart found with identifier: {request.identifier}",
+                error=f"No chart found with identifier: {safe_id}. {recovery}",
                error_type="NotFound",
            )

--- a/superset/mcp_service/chart/tool/update_chart.py
+++ b/superset/mcp_service/chart/tool/update_chart.py
@@ -337,17 +337,18 @@ async def update_chart(  # noqa: C901
            chart = find_chart_by_identifier(request.identifier)

        if not chart:
+            safe_id = str(request.identifier)[:200]
+            not_found_msg = (
+                f"No chart found with identifier: {safe_id}."
+                " Use list_charts to get valid chart IDs."
+            )
            return GenerateChartResponse.model_validate(
                {
                    "chart": None,
                    "error": {
                        "error_type": "NotFound",
-                        "message": (
-                            f"No chart found with identifier: {request.identifier}"
-                        ),
-                        "details": (
-                            f"No chart found with identifier: {request.identifier}"
-                        ),
+                        "message": not_found_msg,
+                        "details": not_found_msg,
                    },
                    "success": False,
                    "schema_version": "2.0",
--- a/superset/mcp_service/dashboard/tool/add_chart_to_existing_dashboard.py
+++ b/superset/mcp_service/dashboard/tool/add_chart_to_existing_dashboard.py
@@ -334,7 +334,10 @@ def _find_and_authorize_dashboard(
            dashboard=None,
            dashboard_url=None,
            position=None,
-            error=f"Dashboard with ID {dashboard_id} not found",
+            error=(
+                f"Dashboard with ID {dashboard_id} not found."
+                " Use list_dashboards to get valid dashboard IDs."
+            ),
        )

    try:
@@ -392,7 +395,10 @@ def add_chart_to_existing_dashboard(
                    dashboard=None,
                    dashboard_url=None,
                    position=None,
-                    error=f"Chart with ID {request.chart_id} not found",
+                    error=(
+                        f"Chart with ID {request.chart_id} not found."
+                        " Use list_charts to get valid chart IDs."
+                    ),
                )

            # Validate dataset access for the chart.
--- a/superset/mcp_service/dashboard/tool/generate_dashboard.py
+++ b/superset/mcp_service/dashboard/tool/generate_dashboard.py
@@ -230,7 +230,10 @@ def generate_dashboard(  # noqa: C901
                return GenerateDashboardResponse(
                    dashboard=None,
                    dashboard_url=None,
-                    error=f"Charts not found: {list(missing_chart_ids)}",
+                    error=(
+                        f"Charts not found: {list(missing_chart_ids)}."
+                        " Use list_charts to get valid chart IDs."
+                    ),
                )

            # Validate dataset access for each chart.
--- a/superset/mcp_service/dataset/tool/query_dataset.py
+++ b/superset/mcp_service/dataset/tool/query_dataset.py
@@ -183,7 +183,10 @@ async def query_dataset(  # noqa: C901
        if dataset is None:
            await ctx.error("Dataset not found: identifier=%s" % (request.dataset_id,))
            return DatasetError.create(
-                error=f"No dataset found with identifier: {request.dataset_id}",
+                error=(
+                    f"No dataset found with identifier: {request.dataset_id}."
+                    " Use list_datasets to get valid dataset IDs."
+                ),
                error_type="NotFound",
            )

--- a/superset/mcp_service/sql_lab/tool/execute_sql.py
+++ b/superset/mcp_service/sql_lab/tool/execute_sql.py
@@ -100,7 +100,10 @@ async def execute_sql(request: ExecuteSqlRequest, ctx: Context) -> ExecuteSqlRes
                )
                return ExecuteSqlResponse(
                    success=False,
-                    error=f"Database with ID {request.database_id} not found",
+                    error=(
+                        f"Database with ID {request.database_id} not found."
+                        " Use list_databases to get valid database IDs."
+                    ),
                    error_type=SupersetErrorType.DATABASE_NOT_FOUND_ERROR.value,
                )

--- a/superset/mcp_service/sql_lab/tool/open_sql_lab_with_context.py
+++ b/superset/mcp_service/sql_lab/tool/open_sql_lab_with_context.py
@@ -103,7 +103,8 @@ def open_sql_lab_with_context(
            database = DatabaseDAO.find_by_id(request.database_connection_id)
        if not database:
            error_message = (
-                f"Database with ID {request.database_connection_id} not found"
+                f"Database with ID {request.database_connection_id} not found."
+                " Use list_databases to get valid database IDs."
            )
            return _sanitize_sql_lab_response_for_llm_context(
                SqlLabResponse(
--- a/tests/unit_tests/mcp_service/sql_lab/tool/test_open_sql_lab_with_context.py
+++ b/tests/unit_tests/mcp_service/sql_lab/tool/test_open_sql_lab_with_context.py
@@ -298,7 +298,8 @@ class TestOpenSqlLabWithContext:
                field_path=("title",),
            )
            assert response.error == sanitize_for_llm_context(
-                "Database with ID 404 not found",
+                "Database with ID 404 not found."
+                " Use list_databases to get valid database IDs.",
                field_path=("error",),
            )
        finally: