feat(mcp): add create_rls_filter tool for row-level security management #40356

Draft
aminghadersohi wants to merge 1 commit into apache:master from aminghadersohi:amin/mcp-create-rls-filter
@aminghadersohi
Contributor

SUMMARY

Adds a new create_rls_filter MCP mutation tool that allows AI assistants to create row-level security (RLS) filter rules in Apache Superset.

RLS filters restrict which rows users can see based on their role membership. This tool enables programmatic creation of these access-control policies via the MCP service.

Key design decisions:

  • Uses CreateRLSRuleCommand from superset.commands.security.create — same command used by the REST API POST /api/v1/rowlevelsecurity/
  • Admin-only: requires Row Level Security write permission (class_permission_name="Row Level Security", method_permission_name="write")
  • Tagged mutate with readOnlyHint=False following the mutation tool pattern
  • Located in superset/mcp_service/rls/ following the existing module structure
  • Returns structured error response (not exception) for validation failures (role/table not found)

Supported filter types:

  • Regular: Hides rows from specified roles unless the SQL clause matches
  • Base: Shows only rows where the SQL clause matches to specified roles

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A — backend-only MCP tool.

TESTING INSTRUCTIONS

  1. Start the Superset MCP server
  2. Connect an MCP client (e.g., Claude Desktop) with admin credentials
  3. Call create_rls_filter with:
    {
      "name": "EMEA filter",
      "filter_type": "Regular",
      "tables": [<valid_table_id>],
      "roles": [<valid_role_id>],
      "clause": "region = 'EMEA'"
    }
  4. Verify the filter appears in Superset under Security → Row Level Security

Error cases to test:

  • Invalid table ID → returns error field with DatasourceNotFoundValidationError message
  • Invalid role ID → returns error field with RolesNotFoundValidationError message

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration
  • Introduces new feature or API
  • Removes existing feature or API
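
Added example, not part of this PR or of Superset's code: a SQLite model of how Regular filters such as the one in the testing instructions restrict rows by role, and why each clause needs its own parentheses when several apply to the same user. The `sales` table, the role names, the second filter and the AND-combination of applicable clauses are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample rows for a hypothetical "sales" table.
ROWS = [("EMEA", 100), ("APAC", 200), ("AMER", 300), ("EMEA", 50), ("APAC", 20)]

# Same shape as the payload in the testing instructions; role names stand in
# for role IDs, and the second filter is constructed for this example.
RLS_FILTERS = [
    {"name": "EMEA filter", "filter_type": "Regular",
     "roles": {"emea_analyst"}, "clause": "region = 'EMEA'"},
    {"name": "East filter", "filter_type": "Regular",
     "roles": {"east_analyst"}, "clause": "region = 'EMEA' OR region = 'APAC'"},
]


def rls_clauses(user_roles, filters=RLS_FILTERS):
    """Clauses of Regular filters whose role list intersects the user's roles."""
    return [f["clause"] for f in filters
            if f["filter_type"] == "Regular" and user_roles & f["roles"]]


def build_query(user_roles, parenthesise=True):
    """AND together every applicable clause (assumed combination rule)."""
    clauses = rls_clauses(user_roles)
    if parenthesise:
        # Wrapping keeps an OR inside one clause from escaping the AND.
        clauses = [f"({c})" for c in clauses]
    sql = "SELECT region, amount FROM sales"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql + " ORDER BY rowid"


def visible_rows(user_roles, parenthesise=True):
    """Run the filtered query against an in-memory copy of the sample rows."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE sales (region TEXT, amount INTEGER)")
        conn.executemany("INSERT INTO sales VALUES (?, ?)", ROWS)
        return conn.execute(build_query(user_roles, parenthesise)).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    both = {"emea_analyst", "east_analyst"}
    print(visible_rows(both))                      # intersection of both rules
    print(visible_rows(both, parenthesise=False))  # precedence widens access
```

A reviewer of a clause-accepting tool can use the same check: a user holding both roles should see only the intersection of the two rules, and any extra rows point to a clause spliced in without parentheses.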

Adds a new admin-only MCP mutation tool that creates row-level security
filter rules via CreateRLSRuleCommand, following the same pattern as
create_virtual_dataset. Supports Regular and Base filter types with
SQL WHERE clauses applied to specified tables and roles.
@codecov

codecov Bot commented May 22, 2026

Codecov Report

❌ Patch coverage is 57.89474% with 24 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.19%. Comparing base (5966bb1) to head (ea8bca7).

Files with missing lines Patch % Lines
superset/mcp_service/rls/tool/create_rls_filter.py 25.00% 24 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #40356      +/-   ##
==========================================
- Coverage   64.20%   64.19%   -0.01%     
==========================================
  Files        2592     2595       +3     
  Lines      139004   139061      +57     
  Branches    32273    32275       +2     
==========================================
+ Hits        89241    89274      +33     
- Misses      48231    48255      +24     
  Partials     1532     1532              
Flag Coverage Δ
hive 39.31% <57.89%> (+0.01%) ⬆️
mysql 58.81% <57.89%> (-0.01%) ⬇️
postgres 58.89% <57.89%> (-0.01%) ⬇️
presto 40.98% <57.89%> (+0.01%) ⬆️
python 60.45% <57.89%> (-0.01%) ⬇️
sqlite 58.53% <57.89%> (-0.01%) ⬇️
unit 100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

