feat(mcp): add show_chart MCP tool + chart-scoped guest tokens (POC)

[mistercrunch]

⚠️ DRAFT / POC — this is an exploratory PR for MCP Apps integration. Not ready for merge.

SUMMARY

Adds a new show_chart MCP tool and a ui://superset/chart-viewer MCP resource that together let MCP Apps clients (e.g. Claude Desktop) render a live, interactive Superset chart inline via a sandboxed iframe — without the user needing an active Superset session in the host app.

Mechanism:

• show_chart(identifier) mints a short-lived (5 min), chart-scoped guest token and returns explore_url (/explore/?slice_id=…&standalone=1&guest_token=…) plus a resource descriptor for the MCP Apps UI mount point.
• GuestTokenResourceType gains a CHART member so guest tokens can be scoped to a single chart (in addition to the existing dashboard-scoped path).
• SupersetSecurityManager.validate_guest_token_resources and a new has_guest_chart_access branch honor chart-scoped tokens.
• ChartFilter grants read access when the guest token's resource matches the requested chart (by id or uuid).
• The ui://superset/chart-viewer resource holds the iframe shell the host client mounts.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

To be added after the client-side iframe is wired up end-to-end.

TESTING INSTRUCTIONS

Automated:

pytest tests/unit_tests/mcp_service/chart/tool/test_show_chart.py \
       tests/unit_tests/security/chart_guest_token_test.py

Manual (POC):

1. Run the Superset MCP service against a running Superset instance.
2. Call the show_chart tool with {"identifier": "<chart_id_or_uuid>"}.
3. Open the returned explore_url in a browser — the chart should render standalone without a login redirect.
4. (Optional) Point an MCP Apps-capable client at the MCP server; the tool result includes the ui://superset/chart-viewer resource descriptor so the client can embed the chart inline.

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration
• Introduces new feature or API (new MCP tool + chart-scoped guest token type)
• Removes existing feature or API

🤖 Generated with Claude Code

[netlify]

✅ Deploy Preview for superset-docs-preview ready!

Name	Link
🔨 Latest commit	e8efaf9
🔍 Latest deploy log	https://app.netlify.com/projects/superset-docs-preview/deploys/69ee6feb20cc3f00086e322b
😎 Deploy Preview	https://deploy-preview-39601--superset-docs-preview.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

❌ Patch coverage is 39.31034% with 88 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.57%. Comparing base (6ad1583) to head (e8efaf9).

Files with missing lines	Patch %	Lines
superset/mcp_service/chart/tool/show_chart.py	29.03%	44 Missing ⚠️
superset/charts/filters.py	10.00%	17 Missing and 1 partial ⚠️
superset/security/manager.py	28.00%	14 Missing and 4 partials ⚠️
superset/mcp_service/middleware.py	0.00%	7 Missing ⚠️
...perset/mcp_service/chart/resources/chart_viewer.py	88.88%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #39601      +/-   ##
==========================================
+ Coverage   64.48%   64.57%   +0.09%     
==========================================
  Files        2566     2573       +7     
  Lines      133926   134689     +763     
  Branches    31096    31123      +27     
==========================================
+ Hits        86357    86975     +618     
- Misses      46074    46214     +140     
- Partials     1495     1500       +5     

Flag	Coverage Δ
hive	39.75% <34.48%> (-0.02%)	⬇️
mysql	60.16% <39.31%> (-0.06%)	⬇️
postgres	60.24% <39.31%> (-0.06%)	⬇️
presto	41.52% <35.17%> (-0.02%)	⬇️
python	61.81% <39.31%> (-0.06%)	⬇️
sqlite	59.88% <39.31%> (-0.06%)	⬇️
superset-extensions-cli	90.82% <ø> (?)
unit	100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.