Skip to content

fix(mcp): coerce Role ORM objects to role names in UserInfo schema#40746

Merged
rusackas merged 6 commits into
apache:masterfrom
goingforstudying-ctrl:fix-mcp-userinfo-roles
Jul 7, 2026
Merged

fix(mcp): coerce Role ORM objects to role names in UserInfo schema#40746
rusackas merged 6 commits into
apache:masterfrom
goingforstudying-ctrl:fix-mcp-userinfo-roles

Conversation

@goingforstudying-ctrl

Copy link
Copy Markdown
Contributor

Fixes #40733

Problem

Multiple MCP tools (get_dataset_info, get_chart_info, generate_chart) fail with a Pydantic validation error when the calling user has Superset roles assigned:

2 validation errors for UserInfo
roles.0
  Input should be a valid string [type=string_type, input_value=Admin, input_type=Role]

The UserInfo model uses from_attributes=True, so Pydantic maps user.roles directly. With the SQLAlchemy ORM, roles returns Role objects—not strings—causing serialization to fail.

Fix

Add a field_validator("roles", mode=before) to UserInfo that coerces each item:

  • If already a str, keep it
  • If it has a .name attribute (Role ORM object), extract str(item.name)

This is idempotent and backward-compatible.

Impact

  • Fixes false-negative responses from MCP tools
  • Prevents retry storms from LLM clients that interpret the error as a failure
  • generate_chart with save_chart=true no longer silently saves while reporting failure

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses MCP tool response serialization failures by ensuring UserInfo.roles can be validated when SQLAlchemy provides Role ORM objects (instead of strings), preventing Pydantic validation errors in MCP tool outputs.

Changes:

  • Adds a field_validator("roles", mode="before") on UserInfo to coerce role-like objects to role-name strings.

Comment thread superset/mcp_service/user/schemas.py Outdated
Comment thread superset/mcp_service/user/schemas.py
Comment thread superset/mcp_service/user/schemas.py Outdated
@codecov

codecov Bot commented Jun 5, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 14.28571% with 24 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.69%. Comparing base (fbc2495) to head (19ccf20).
⚠️ Report is 2 commits behind head on master.

Files with missing lines Patch % Lines
superset/mcp_service/user/schemas.py 14.28% 24 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #40746      +/-   ##
==========================================
- Coverage   64.70%   64.69%   -0.02%     
==========================================
  Files        2701     2701              
  Lines      149839   149863      +24     
  Branches    34497    34504       +7     
==========================================
- Hits        96958    96955       -3     
- Misses      51106    51130      +24     
- Partials     1775     1778       +3     
Flag Coverage Δ
hive 39.15% <14.28%> (-0.01%) ⬇️
mysql 57.67% <14.28%> (-0.02%) ⬇️
postgres 57.73% <14.28%> (-0.02%) ⬇️
presto 40.67% <14.28%> (-0.01%) ⬇️
python 59.13% <14.28%> (-0.02%) ⬇️
sqlite 57.32% <14.28%> (-0.02%) ⬇️
unit 100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@pull-request-size pull-request-size Bot added size/L and removed size/S labels Jun 5, 2026
@goingforstudying-ctrl

Copy link
Copy Markdown
Contributor Author

Pushed an update to the _extract_role_names validator:

  • Bare strings are now rejected instead of being split into characters.
  • Empty role lists are preserved as [] rather than collapsed to None.
  • DetachedInstanceError on Role.name is caught per-item and skipped.
  • Added unit tests covering string rejection, empty-list preservation, role-object coercion, detached-instance handling, and the serialize_user_object -> UserInfo round trip.

Let me know if anything else looks off.

@netlify

netlify Bot commented Jun 5, 2026

Copy link
Copy Markdown

Deploy Preview for superset-docs-preview ready!

Name Link
🔨 Latest commit f4c2990
🔍 Latest deploy log https://app.netlify.com/projects/superset-docs-preview/deploys/6a4d2f89b92be1000700ac39
😎 Deploy Preview https://deploy-preview-40746--superset-docs-preview.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

@bito-code-review bito-code-review Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review Agent Run #22db82

Actionable Suggestions - 1
  • superset/mcp_service/user/schemas.py - 1
Review Details
  • Files reviewed - 2 · Commit Range: b7aa1f3..c397f7c
    • superset/mcp_service/user/schemas.py
    • tests/unit_tests/mcp_service/user/test_schemas.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

Comment thread superset/mcp_service/user/schemas.py Outdated
@goingforstudying-ctrl

Copy link
Copy Markdown
Contributor Author

Good catch on the spacing. Added the missing blank line between the validator and the next field.

Comment thread superset/mcp_service/user/schemas.py Outdated
Comment thread tests/unit_tests/mcp_service/user/test_schemas.py Outdated
Comment thread superset/mcp_service/user/schemas.py Outdated
Comment thread superset/mcp_service/user/schemas.py Outdated
Comment thread superset/mcp_service/user/schemas.py Outdated
Comment thread superset/mcp_service/user/schemas.py Outdated
@goingforstudying-ctrl
goingforstudying-ctrl force-pushed the fix-mcp-userinfo-roles branch 3 times, most recently from 5327c63 to a259d32 Compare June 8, 2026 14:53

@bito-code-review bito-code-review Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review Agent Run #64cd4a

Actionable Suggestions - 2
  • tests/unit_tests/mcp_service/user/test_schemas.py - 2
Review Details
  • Files reviewed - 2 · Commit Range: f4d11ac..899150b
    • superset/mcp_service/user/schemas.py
    • tests/unit_tests/mcp_service/user/test_schemas.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

Comment thread tests/unit_tests/mcp_service/user/test_schemas.py
Comment thread tests/unit_tests/mcp_service/user/test_schemas.py
@goingforstudying-ctrl
goingforstudying-ctrl force-pushed the fix-mcp-userinfo-roles branch 8 times, most recently from d291e7e to d050377 Compare June 9, 2026 19:33
@goingforstudying-ctrl
goingforstudying-ctrl force-pushed the fix-mcp-userinfo-roles branch 3 times, most recently from f399be6 to 4e4d133 Compare June 18, 2026 20:22

@bito-code-review bito-code-review Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review Agent Run #8137cc

Actionable Suggestions - 1
  • superset/mcp_service/user/schemas.py - 1
Additional Suggestions - 2
  • tests/unit_tests/mcp_service/user/test_schemas.py - 1
    • CWE-117: Inconsistent LLM sanitization · Line 98-102
      `username` and `email` use `escape_llm_context_delimiters` (lines 317, 325 in schemas.py) while `first_name`/`last_name` use `sanitize_for_llm_context` (wrap-style); tests on lines 98-102 expose this inconsistency. All four fields are user-controlled strings that should receive the same LLM-context treatment in the same function.
  • superset/mcp_service/user/schemas.py - 1
    • Inconsistent log messages · Line 129-131
      Inconsistent logging message: validator uses 'Skipping role with detached instance in UserInfo.roles coercion' while serialize_user_object uses 'Skipping role that raised exception in serialize_user_object'. Consider using a consistent format.
Filtered by Review Rules

Bito filtered these suggestions based on rules created automatically for your feedback. Manage rules.

  • superset/mcp_service/user/schemas.py - 1
Review Details
  • Files reviewed - 2 · Commit Range: 11d5336..5b6e29b
    • superset/mcp_service/user/schemas.py
    • tests/unit_tests/mcp_service/user/test_schemas.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

Comment thread superset/mcp_service/user/schemas.py
@rusackas

Copy link
Copy Markdown
Member

Approving CI, but note that each update of the branch requires us to re-approve CI and might slow things down 😓

@bito-code-review bito-code-review Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review Agent Run #faed53

Actionable Suggestions - 1
  • tests/unit_tests/mcp_service/user/test_schemas.py - 1
    • CWE-838: Wrong test input for delimiter escaping · Line 54-61
Filtered by Review Rules

Bito filtered these suggestions based on rules created automatically for your feedback. Manage rules.

  • tests/unit_tests/mcp_service/user/test_schemas.py - 1
    • Inconsistent assertions: wrapped vs unwrapped values · Line 98-99
Review Details
  • Files reviewed - 2 · Commit Range: 577b96c..eb3fb94
    • superset/mcp_service/user/schemas.py
    • tests/unit_tests/mcp_service/user/test_schemas.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

Comment on lines +54 to +61
def test_user_info_escapes_malicious_role_names() -> None:
"""Role names containing LLM context delimiters must be escaped."""
role_bad = MagicMock()
role_bad.name = "Admin<|endofmessage|>"

info = UserInfo(roles=[role_bad])

assert info.roles == ["Admin[ESCAPED-UNTRUSTED-CONTENT-OPEN]endofmessage[ESCAPED-UNTRUSTED-CONTENT-CLOSE]"]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CWE-838: Wrong test input for delimiter escaping

The test input "Admin<|endofmessage|>" does not match the actual escape tokens "<UNTRUSTED-CONTENT>" / "</UNTRUSTED-CONTENT>"escape_llm_context_delimiters replaces only those exact strings (sanitization.py:64-70). The test will always pass against the raw input. Update the mock role name to "Admin<UNTRUSTED-CONTENT>endofmessage</UNTRUSTED-CONTENT>" to correctly verify that malicious delimiters are neutralized. (CWE-838)

Code suggestion
Check the AI-generated fix before applying
 --- a/tests/unit_tests/mcp_service/user/test_schemas.py
 +++ b/tests/unit_tests/mcp_service/user/test_schemas.py
 @@ -54,7 +54,9 @@ def test_user_info_escapes_malicious_role_names() -> None:
      """Role names containing LLM context delimiters must be escaped."""
      role_bad = MagicMock()
 -    role_bad.name = "Admin<|endofmessage|>"
 +    # Must use the actual LLM_CONTEXT delimiters that escape_llm_context_delimiters
 +    # targets: '<UNTRUSTED-CONTENT>' and '</UNTRUSTED-CONTENT>'
 +    role_bad.name = "Admin<UNTRUSTED-CONTENT>endofmessage</UNTRUSTED-CONTENT>"
 
      info = UserInfo(roles=[role_bad])
 

Code Review Run #faed53


Should Bito avoid suggestions like this for future reviews? (Manage Rules)

  • Yes, avoid them

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aminghadersohi @goingforstudying-ctrl worth worrying about this one, you think?

@github-actions

github-actions Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

⚠️ Translation Regression Detected

A source change in this PR renamed or reworded strings, invalidating existing translations (they are now #, fuzzy) in ar, it, ko, pt. Please resolve the affected .po files before merging.

Note: intentionally deleting a translatable string is not a regression and is not flagged here — only translations invalidated by a renamed/reworded source string are.

Language Fuzzy before Fuzzy after New
ar 1130 1133 +3
it 1660 1662 +2
ko 1514 1516 +2
pt 1835 1837 +2

How to fix

1. Install dependencies (if not already set up):

pip install -r superset/translations/requirements.txt
sudo apt-get install gettext   # or: brew install gettext

2. Re-extract strings and sync .po files:

./scripts/translations/babel_update.sh

This rewrites superset/translations/messages.pot from the current source files and merges the changes into every .po file. Strings whose msgid changed will be marked #, fuzzy.

3. Resolve the fuzzy entries in the affected language files (ar, it, ko, pt):

grep -n '#, fuzzy' superset/translations/<lang>/LC_MESSAGES/messages.po

For each fuzzy entry, either rewrite the msgstr to match the new string and remove the #, fuzzy line, or clear the msgstr to "" if you cannot provide a translation.

4. Commit your changes to the .po files.

@rusackas

Copy link
Copy Markdown
Member

Hi @aminghadersohi, thanks for the approval! It looks like the CI workflows haven't been triggered yet for the latest commit. Could you take a look when you have a chance? Thanks!

We have to approve CI each time the PR is edited. You're rebasing and force-pushing a LOT here, which is causing Bito to re-review it a ton, and if CI-auto ran, this PR would cost ASF infra a fortune.

Feel free to push fixes as often as needed, but the rebases might not be needed so often :P

@rusackas

Copy link
Copy Markdown
Member

Deleted a ton of noise due to rebasing from the thread, and will run CI now. Please hold if you want to see how it completes :D

@bito-code-review bito-code-review Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review Agent Run #6fcd18

Actionable Suggestions - 1
  • superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformProps.ts - 1
Additional Suggestions - 4
  • superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/EchartsTimeseries.test.tsx - 2
    • Test coverage gap for queryEventHandlers · Line 400-497
      The 4 removed tests covered queryEventHandlers behavior (accessing 'yAxis.category' query for horizontal bars). None of the 5 remaining tests access queryEventHandlers — they all use eventHandlers.click/contextmenu instead. The test gap should be documented.
    • Test description vs config mismatch · Line 400-498
      Test names say 'horizontal categorical bar' but the tests omit the `orientation` prop, defaulting to `OrientationType.Vertical` from `defaultFormData`. The deleted tests explicitly set `orientation: OrientationType.Horizontal`. If horizontal orientation behavior is the intended scenario, add `orientation: OrientationType.Horizontal` to `propsWithHorizontalXAxis`.
  • superset/mcp_service/user/schemas.py - 1
    • Missing HTML sanitization on roles · Line 298-300
      The original `serialize_user_object` wrapped roles with `sanitize_for_llm_context(r, field_path=('roles',))` before the list comprehension. This performed HTML stripping. The new code (lines 308-311) only applies `escape_llm_context_delimiters`. If role names can contain HTML that should be stripped (like first_name/last_name), this behavior change may be unintended.
  • superset-frontend/src/features/tags/BulkTagModal.test.tsx - 1
    • describe blocks contradict project guidance · Line 39-40
      This change wraps 6 independent `test()` calls in a `describe` block, which contradicts AGENTS.md's directive to `Use test() instead of describe()` (see https://kentcdodds.com/blog/avoid-nesting-when-youre-testing). The TODO comment acknowledges this anti-pattern but doesn't address it. Flat test files improve readability and maintainability.
      Code suggestion
      --- superset-frontend/src/features/tags/BulkTagModal.test.tsx (lines 39-44) ---
       39: -// eslint-disable-next-line no-restricted-globals -- TODO: Migrate from describe blocks
       39: -describe('BulkTagModal', () => {
       39: +afterEach(() => {
       40: -  afterEach(() => {
       41: +  fetchMock.clearHistory().removeRoutes();
       42: -    fetchMock.clearHistory().removeRoutes();
       42: +  jest.clearAllMocks();
       43: -    jest.clearAllMocks();
       43: -  });
       44: +});
Filtered by Review Rules

Bito filtered these suggestions based on rules created automatically for your feedback. Manage rules.

  • superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/EchartsTimeseries.tsx - 1
Review Details
  • Files reviewed - 11 · Commit Range: f2094f7..f2094f7
    • superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/EchartsTimeseries.test.tsx
    • superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/EchartsTimeseries.tsx
    • superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformProps.ts
    • superset-frontend/plugins/plugin-chart-echarts/src/components/Echart.tsx
    • superset-frontend/plugins/plugin-chart-echarts/src/types.ts
    • superset-frontend/plugins/plugin-chart-echarts/test/Timeseries/transformProps.test.ts
    • superset-frontend/src/features/tags/BulkTagModal.test.tsx
    • superset-frontend/src/hooks/useThemeMenuItems.test.tsx
    • superset-frontend/src/utils/common.test.tsx
    • superset/mcp_service/user/schemas.py
    • tests/unit_tests/mcp_service/user/test_schemas.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • Eslint (Linter) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

@goingforstudying-ctrl

Copy link
Copy Markdown
Contributor Author

Fixed the current CI failures on the latest push: ruff formatting/import ordering in the user schema tests, and the ECharts query event handler support needed by Echart.test.tsx and the TypeScript check.

Verified locally:

  • ruff format --check / ruff check on the changed Python files
  • npm run test -- --shard=5/8 --coverageReporters=json
  • npm run plugins:build && npm run type

The pull_request workflows are currently waiting for maintainer approval to run after this push.

@bito-code-review bito-code-review Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review Agent Run #0d2268

Actionable Suggestions - 1
  • superset-frontend/src/features/tags/BulkTagModal.test.tsx - 1
Additional Suggestions - 1
  • superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/EchartsTimeseries.test.tsx - 1
    • Missing test for axis-label click behavior · Line 364-511
      After removing `queryEventHandlers` and the `componentType === 'series'` guard, axis-label clicks in vertical charts now emit cross-filter via `props.name`. The removed test 'does not emit duplicate cross-filter for generic axis label clicks' validated the old behavior. Add a test confirming horizontal bar axis-label clicks emit cross-filter with the category value, since this specific scenario has no coverage after the refactor.
Filtered by Review Rules

Bito filtered these suggestions based on rules created automatically for your feedback. Manage rules.

  • superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformProps.ts - 1
    • Misleading commit message masking functional changes · Line 889-895
  • tests/unit_tests/mcp_service/user/test_schemas.py - 1
Review Details
  • Files reviewed - 9 · Commit Range: 77a0e23..01c0dc0
    • superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/EchartsTimeseries.test.tsx
    • superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/EchartsTimeseries.tsx
    • superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformProps.ts
    • superset-frontend/plugins/plugin-chart-echarts/test/Timeseries/transformProps.test.ts
    • superset-frontend/src/features/tags/BulkTagModal.test.tsx
    • superset-frontend/src/hooks/useThemeMenuItems.test.tsx
    • superset-frontend/src/utils/common.test.tsx
    • superset/mcp_service/user/schemas.py
    • tests/unit_tests/mcp_service/user/test_schemas.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • Eslint (Linter) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

Comment thread superset-frontend/src/features/tags/BulkTagModal.test.tsx Outdated
@rusackas

Copy link
Copy Markdown
Member

Looks like some pretty worrisome bot review comments above... can we avoid those test and functionality regressions?

@rusackas

Copy link
Copy Markdown
Member

Running CI again, but would still appreciate comments on the open review comments above. Seems like you might have addressed them, but I'll give it a more thorough review when CI is (hopefully) green.

@bito-code-review bito-code-review Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review Agent Run #012b19

Actionable Suggestions - 2
  • tests/unit_tests/mcp_service/user/test_schemas.py - 2
Filtered by Review Rules

Bito filtered these suggestions based on rules created automatically for your feedback. Manage rules.

  • tests/unit_tests/mcp_service/user/test_schemas.py - 2
    • CWE-20: Wrong assertion on sanitized output · Line 104-109
    • CWE-20: Wrong assertion on sanitized output · Line 114-145
Review Details
  • Files reviewed - 2 · Commit Range: 5c5c98e..5c5c98e
    • superset/mcp_service/user/schemas.py
    • tests/unit_tests/mcp_service/user/test_schemas.py
  • Files skipped - 0
  • Tools
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

Comment thread tests/unit_tests/mcp_service/user/test_schemas.py
Comment thread tests/unit_tests/mcp_service/user/test_schemas.py Outdated

@bito-code-review bito-code-review Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review Agent Run #fa460d

Actionable Suggestions - 1
  • superset/mcp_service/user/schemas.py - 1
Filtered by Review Rules

Bito filtered these suggestions based on rules created automatically for your feedback. Manage rules.

  • tests/unit_tests/mcp_service/user/test_schemas.py - 1
    • Test assertion uses implicit string concatenation · Line 60-73
  • superset/mcp_service/user/schemas.py - 1
    • Duplicated role coercion across validator and serializer · Line 111-132
Review Details
  • Files reviewed - 2 · Commit Range: 942f325..b29704c
    • superset/mcp_service/user/schemas.py
    • tests/unit_tests/mcp_service/user/test_schemas.py
  • Files skipped - 0
  • Tools
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

Comment thread superset/mcp_service/user/schemas.py

@bito-code-review bito-code-review Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review Agent Run #b65788

Actionable Suggestions - 1
  • superset/mcp_service/user/schemas.py - 1
    • Move try-except outside loop for performance · Line 309-316
Review Details
  • Files reviewed - 2 · Commit Range: 30ff64e..34d6fd1
    • superset/mcp_service/user/schemas.py
    • tests/unit_tests/mcp_service/user/test_schemas.py
  • Files skipped - 0
  • Tools
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

Comment thread superset/mcp_service/user/schemas.py
@rusackas

Copy link
Copy Markdown
Member

Running CI again. @aminghadersohi you might want to give this another review pass, including any open/unaddressed bot comments.

@rusackas

Copy link
Copy Markdown
Member

Some people I can never get to rebase, but this one is getting rebased TOO often... please let CI sit if/when it turns green, otherwise this will never merge.

@bito-code-review

bito-code-review Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Code Review Agent Run #d26f01

Actionable Suggestions - 0
Additional Suggestions - 1
  • superset/mcp_service/user/schemas.py - 1
    • CWE-117: LLM Context Wrapping Inconsistency · Line 121-127
      `roles` field uses `escape_llm_context_delimiters` (only escapes delimiters), but `first_name`/`last_name` use `sanitize_for_llm_context` (wraps in ``). Role names with embedded delimiter sequences won't be isolated in untrusted-content markers, creating an LLM injection vector inconsistency with other user fields.
Filtered by Review Rules

Bito filtered these suggestions based on rules created automatically for your feedback. Manage rules.

  • tests/unit_tests/mcp_service/user/test_schemas.py - 2
Review Details
  • Files reviewed - 2 · Commit Range: bb74d1b..6d431d3
    • superset/mcp_service/user/schemas.py
    • tests/unit_tests/mcp_service/user/test_schemas.py
  • Files skipped - 0
  • Tools
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

@bito-code-review

bito-code-review Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Code Review Agent Run #1e200e

Actionable Suggestions - 0
Review Details
  • Files reviewed - 2 · Commit Range: 880ff6a..564efd7
    • superset/mcp_service/user/schemas.py
    • tests/unit_tests/mcp_service/user/test_schemas.py
  • Files skipped - 0
  • Tools
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

@bito-code-review

bito-code-review Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Code Review Agent Run #29af93

Actionable Suggestions - 0
Review Details
  • Files reviewed - 2 · Commit Range: 0f30441..86c02bd
    • superset/mcp_service/user/schemas.py
    • tests/unit_tests/mcp_service/user/test_schemas.py
  • Files skipped - 0
  • Tools
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

goingforstudying-ctrl and others added 6 commits July 7, 2026 09:54
- Add _extract_role_names field validator to UserInfo.roles to coerce
  Role ORM objects to their .name strings, handling DetachedInstanceError
- Update serialize_user_object to use the same coercion and escape
  LLM context delimiters on role names
- Add unit tests for role coercion, escaping, and detached instance
  handling

Fixes apache#40746
- Move logger import after third-party imports to fix ruff E402
- Replace hasattr(item, "name") with direct item.name access inside try/except
  to correctly catch DetachedInstanceError from SQLAlchemy lazy loads
- Catch AttributeError alongside DetachedInstanceError for robustness
- Remove unnecessary continue statements in _extract_role_names
- Fix vacuous ternary in serialize_user_object: roles=roles instead of
  roles=roles if roles is not None else None

Addresses review comments from aminghadersohi on PR apache#40746.
…in serialize_user_object

sanitize_for_llm_context wraps strings in UNTRUSTED-CONTENT tags,
which breaks round-trip assertions in unit tests. Operational
identifiers like first_name and last_name should only have delimiter
tokens escaped, not wrapped, matching the username/email pattern.

Also update the malicious-role-names test to expect the new escaped
delimiter format [ESCAPED-UNTRUSTED-CONTENT-OPEN]...[/CLOSE].
The escape_llm_context_delimiters helper only replaces explicit
UNTRUSTED-CONTENT tokens, not arbitrary <|...|> substrings.
Update the test assertion to match the actual behavior.

Signed-off-by: goingforstudying-ctrl <goingforstudying-ctrl@users.noreply.github.com>
- Revert serialize_user_object to use sanitize_for_llm_context for
  first_name and last_name so user-controlled name fields are wrapped
  in explicit LLM-context delimiters.
- Update test_schemas.py assertions to expect wrapped values.
- Fix ruff import sorting in test_schemas.py.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@bito-code-review

bito-code-review Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Code Review Agent Run #10604e

Actionable Suggestions - 1
  • superset/mcp_service/user/schemas.py - 1
Review Details
  • Files reviewed - 2 · Commit Range: 9a05d8a..19ccf20
    • superset/mcp_service/user/schemas.py
    • tests/unit_tests/mcp_service/user/test_schemas.py
  • Files skipped - 0
  • Tools
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

merge-if-green If approved and tests are green, please go ahead and merge it for me size/L

Projects

None yet

Development

Successfully merging this pull request may close these issues.

MCP tools fail with UserInfo Pydantic role-serialization error (input_value=Admin, input_type=Role)

4 participants