chore: update .mcp.json to use production MCP server

[saddlepaddle]

Summary

• Update MCP server URLs from localhost:3001 to api.superset.sh for production use

Changes

- "url": "http://localhost:3001/api/agent/mcp"
+ "url": "https://api.superset.sh/api/agent/mcp"

- "authorizationUrl": "http://localhost:3001/api/auth/mcp/authorize"
+ "authorizationUrl": "https://api.superset.sh/api/auth/mcp/authorize"

- "tokenUrl": "http://localhost:3001/api/auth/mcp/token"
+ "tokenUrl": "https://api.superset.sh/api/auth/mcp/token"

Test plan

• bun run lint:fix - passes
• bun test - 1181 pass, 7 skip
• Manual test: /mcp command connects to production server

Summary by CodeRabbit

• Chores
  • Updated authentication and API endpoints to production servers with enhanced security (HTTPS).

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Configuration endpoints in the mcpServers.superset configuration were updated from HTTP localhost addresses to HTTPS production URLs. Three endpoints were modified: the agent, authorization, and token endpoints now point to api.superset.sh instead of localhost:3001.

Changes

Cohort / File(s)	Summary
Configuration update ​.mcp.json	Updated mcpServers.superset endpoints from http://localhost:3001 to https://api.superset.sh for agent, authorization, and token routes

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 From localhost we hop away,
To HTTPS production's day,
Three endpoints secure and bright,
api.superset.sh takes flight! 🚀
Configuration hops abound,
In this domain-switch we've found! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: updating .mcp.json configuration to use production MCP server instead of localhost.
Description check	✅ Passed	The description includes a summary of changes with diff examples and documents test results, but is missing several required template sections like Related Issues, Type of Change, and Additional Notes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.mcp.json:
- Around line 5-9: The MCP config currently hardcodes production endpoints
("url", "oauth.authorizationUrl", "oauth.tokenUrl") in .mcp.json; change it so
local dev can override these by implementing environment substitution or a
dev-specific config loader: update the MCP config loading logic to read
process.env.NEXT_PUBLIC_API_URL (or a new MCP_API_URL) and replace the "url"
value, and likewise derive "oauth.authorizationUrl" and "oauth.tokenUrl" from
that base when present, or add support to load a separate .mcp.development.json
when NODE_ENV === "development"; ensure the loader falls back to the current
hardcoded values if no override is provided.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

Superset MCP api.superset.sh agent endpoint documentation

💡 Result:

I couldn’t find any public “agent endpoint” / MCP API documentation for api.superset.sh.

What I was able to verify:

• Hitting the base host https://api.superset.sh/ returns 404 Not Found, which suggests there isn’t a browsable public docs root (or it’s intentionally not exposed). [1]
• The Superset (superset.sh) app is open-source, and its repo shows the backend is built around tRPC (see “Tech Stack”) and includes an apps/api service—so the “agent API” appears to be an internal tRPC API used by the app rather than a separately documented public HTTP API. [2]
• The public docs site that exists is docs.superset.sh, but it doesn’t surface an API reference for api.superset.sh from what’s publicly crawlable. [3]

If you tell me what you mean by “agent endpoint” (e.g., create/run an agent, stream logs, list workspaces, etc.), I can point you to the exact tRPC router/procedure names in the open-source repo that implement it.

Sources: [1] [2] [3]

---

🏁 Script executed:

# Search for .mcp.json context in the codebase
git ls-files | grep -E '\.mcp|mcp\.json|\.env' | head -20

Repository: superset-sh/superset

Length of output: 86

---

🏁 Script executed:

# Check the entire .mcp.json file to understand the full configuration
find . -name '.mcp.json' -type f

Repository: superset-sh/superset

Length of output: 75

---

🏁 Script executed:

# Search for any references to api.superset.sh or environment configuration
rg 'api\.superset\.sh|superset.*mcp|MCP.*superset' -i

Repository: superset-sh/superset

Length of output: 759

---

🏁 Script executed:

cat apps/api/MCP_TOOLS.md

Repository: superset-sh/superset

Length of output: 8921

---

🏁 Script executed:

cat .env.example

Repository: superset-sh/superset

Length of output: 4047

---

🏁 Script executed:

cat -n .mcp.json

Repository: superset-sh/superset

Length of output: 506

---

Add mechanism to override .mcp.json URLs for local development.

The hardcoded production URLs will route all MCP calls to api.superset.sh even during local development. Since .env.example configures other services to use http://localhost:3001 locally, .mcp.json should either:

• Support environment variable substitution (e.g., $NEXT_PUBLIC_API_URL) for the MCP endpoints, or
• Include a separate development configuration file that can be loaded conditionally, or
• Document the manual override required for local testing.

Without this, developers will inadvertently hit production APIs during development.

🤖 Prompt for AI Agents

In @.mcp.json around lines 5 - 9, The MCP config currently hardcodes production
endpoints ("url", "oauth.authorizationUrl", "oauth.tokenUrl") in .mcp.json;
change it so local dev can override these by implementing environment
substitution or a dev-specific config loader: update the MCP config loading
logic to read process.env.NEXT_PUBLIC_API_URL (or a new MCP_API_URL) and replace
the "url" value, and likewise derive "oauth.authorizationUrl" and
"oauth.tokenUrl" from that base when present, or add support to load a separate
.mcp.development.json when NODE_ENV === "development"; ensure the loader falls
back to the current hardcoded values if no override is provided.

[github-actions]

🚀 Preview Deployment

🔗 Preview Links

Service	Status	Link
Database (Neon)	✅	View Branch
Electric (Fly.io)	✅	View App
API (Vercel)	✅	Open Preview
Web (Vercel)	✅	Open Preview
Marketing (Vercel)	✅	Open Preview
Admin (Vercel)	✅	Open Preview
Docs (Vercel)	✅	Open Preview

---

Preview updates automatically with new commits