fix(mcp): Instance not bound to session error

[kgabryje]

SUMMARY

Don't rollback the session on finally, fixes Error calling tool 'list_datasets': Parent instance <Group at 0x7fffaf7346a0> is not bound to a Session; lazy load operation of attribute 'roles' cannot proceed (Background on this error at: https://sqlalche.me/e/14/bhk3) and similar errors

CC @aminghadersohi

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[bito-code-review]

Code Review Agent Run #7c8c32

Actionable Suggestions - 0

Review Details

• Files reviewed - 1 · Commit Range: d643c96..d643c96

  • superset/mcp_service/auth.py
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • MyPy (Static Code Analysis) - ✔︎ Successful
  • Astral Ruff (Static Code Analysis) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[codeant-ai-for-open-source]

Suggestion: Top-level import of ORM model classes (Group, User) at module import time can trigger import-time side effects (like requiring a Flask app context or creating circular imports). Move runtime imports into functions or keep them under TYPE_CHECKING to avoid "working outside of application context" errors and circular import problems. [possible bug]

Severity Level: Major ⚠️

- ❌ MCP module import fails during standalone startup.
- ⚠️ FastMCP tool discovery may error on import.
- ⚠️ Some unit tests importing auth will fail.

Suggested change

	from flask_appbuilder.security.sqla.models import Group, User
	# Import model classes at runtime inside functions to avoid import-time side effects

Steps of Reproduction ✅

1. Open a Python REPL or a process that does not create a Flask app context.

2. Execute: import superset.mcp_service.auth (file: superset/mcp_service/auth.py line 35).

   - This triggers the module top-level import at line 35: "from
   flask_appbuilder.security.sqla.models import Group, User".

3. If flask_appbuilder.security.sqla.models requires an application context or touches
SQLAlchemy

   engine setup during import, the import will raise a RuntimeError (e.g., "Working
   outside

   of application context") or other import-time failure.

4. Observed symptom: module import fails before any MCP decorator or runtime logic runs.

   - Reproduces concretely by running `python -c "import superset.mcp_service.auth"` in

     an environment where no Flask app is configured.

Note: The PR's file actually contains this top-level import at line 35, so the suggested

mitigation (defer import) is relevant if this module is imported in contexts without a
Flask app.

Prompt for AI Agent 🤖

This is a comment left during a code review.

**Path:** superset/mcp_service/auth.py
**Line:** 35:35
**Comment:**
	*Possible Bug: Top-level import of ORM model classes (`Group`, `User`) at module import time can trigger import-time side effects (like requiring a Flask app context or creating circular imports). Move runtime imports into functions or keep them under TYPE_CHECKING to avoid "working outside of application context" errors and circular import problems.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.

[codecov]

Codecov Report

❌ Patch coverage is 0% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.58%. Comparing base (675a4c7) to head (d643c96).
⚠️ Report is 5 commits behind head on master.

Files with missing lines	Patch %	Lines
superset/mcp_service/auth.py	0.00%	12 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           master   #37548       +/-   ##
===========================================
+ Coverage        0   66.58%   +66.58%     
===========================================
  Files           0      643      +643     
  Lines           0    49050    +49050     
  Branches        0     5501     +5501     
===========================================
+ Hits            0    32662    +32662     
- Misses          0    15093    +15093     
- Partials        0     1295     +1295     

Flag	Coverage Δ
hive	41.92% <0.00%> (?)
mysql	64.64% <0.00%> (?)
postgres	64.72% <0.00%> (?)
presto	41.94% <0.00%> (?)
python	66.56% <0.00%> (?)
sqlite	64.42% <0.00%> (?)
unit	100.00% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.