Merge branch 'main' into demo-lakebox

Author: akshaysingla-db

.agent/skills/bump-cli-compat/SKILL.md

@@ -0,0 +1,153 @@
+---
+name: bump-cli-compat
+description: "Bump cli-compat.json with new AppKit and Agent Skills versions, then create a PR. Use when the user says 'bump cli-compat', 'update cli-compat', 'bump compatibility manifest', 'new appkit release cli-compat', or wants to update the CLI compatibility manifest after an AppKit or Agent Skills release."
+user-invocable: true
+allowed-tools: Read, Edit, Write, Bash, Glob, Grep, AskUserQuestion
+---
+
+# Bump CLI Compatibility Manifest
+
+Updates `internal/build/cli-compat.json` with new AppKit and Agent Skills versions, validates the result, and creates a PR.
+
+## Arguments
+
+Parse the user's input for optional named flags:
+
+- `--appkit <version>` → AppKit version (e.g. `0.28.0`)
+- `--skills <version>` → Agent Skills version (e.g. `0.1.6`)
+- No args → auto-detect latest versions from GitHub tags
+
+Versions should be provided **without** the `v` prefix (e.g. `0.28.0`, not `v0.28.0`). If provided with the prefix, strip it.
+
+## Workflow
+
+### Step 1: Resolve versions
+
+If both `--appkit` and `--skills` versions were provided, skip to Step 2.
+
+For any missing version, fetch the latest tag from GitHub:
+
+```bash
+# Latest appkit version (strip leading 'v')
+gh api repos/databricks/appkit/tags --jq '.[0].name' | sed 's/^v//'
+
+# Latest skills version (strip leading 'v')
+gh api repos/databricks/databricks-agent-skills/tags --jq '.[0].name' | sed 's/^v//'
+```
+
+Show the resolved versions to the user and ask:
+
+> The latest versions are:
+> - AppKit: `{appkit_version}`
+> - Agent Skills: `{skills_version}`
+>
+> Have these versions been evaluated (evals passed with no regressions)?
+
+**Do NOT proceed until the user confirms.** If the user says no or wants different versions, ask them to provide the correct versions.
+
+### Step 2: Validate tags exist
+
+Verify that the corresponding Git tags exist on GitHub. For AppKit, also validate the `template-v` tag (used by `apps init`):
+
+```bash
+# AppKit release tag
+gh api repos/databricks/appkit/git/ref/tags/v{appkit_version} --jq '.ref'
+
+# AppKit template tag (used by apps init)
+gh api repos/databricks/appkit/git/ref/tags/template-v{appkit_version} --jq '.ref'
+
+# Agent Skills tag
+gh api repos/databricks/databricks-agent-skills/git/ref/tags/v{skills_version} --jq '.ref'
+```
+
+If any tag doesn't exist, report the error and stop.
+
+### Step 3: Read current manifest
+
+Read `internal/build/cli-compat.json`. Note the current versions and the list of versioned entries.
+
+### Step 4: Determine update type
+
+Ask the user:
+
+> Do any of these apply?
+> - **AppKit**: The new templates require new CLI logic in `apps init` (e.g. new flags, prompts, or template handling that older CLIs don't have)
+> - **Skills**: The new skills version uses CLI commands that older CLIs don't support
+>
+> If **neither** applies, this is a non-breaking bump (default).
+
+- **No breaking changes** (default): proceed to Step 4a.
+- **Breaking changes**: proceed to Step 4b.
+
+### Step 4a: No breaking changes (update in-place)
+
+Update the **highest versioned entry** to the new appkit and skills versions. Do NOT add new versioned keys. The manifest is range-based: updating the highest entry automatically covers all CLI versions in that range.
+
+Write the updated `internal/build/cli-compat.json`.
+
+### Step 4b: Breaking changes (add new entry)
+
+Ask the user for the **minimum CLI version** that supports the new features.
+
+Add a new entry keyed to that CLI version with the new appkit and skills versions. Keep older entries unchanged so older CLI binaries stay compatible.
+
+Write the updated `internal/build/cli-compat.json`.
+
+### Step 5: Validate
+
+Run the Go tests to ensure the manifest is well-formed:
+
+```bash
+go test ./libs/clicompat/... -run TestEmbeddedManifest -v
+```
+
+If validation fails, show the errors and fix them before proceeding.
+
+### Step 6: Create branch, commit, and PR
+
+```bash
+# Create a new branch from the current branch (or main)
+git checkout -b bump-cli-compat-appkit-{appkit_version}-skills-{skills_version}
+
+# Stage and commit
+git add internal/build/cli-compat.json
+git commit -s -m "Bump cli-compat to appkit {appkit_version}, skills {skills_version}"
+
+# Push and create PR
+git push -u origin HEAD
+gh pr create \
+  --title "Bump cli-compat to appkit {appkit_version}, skills {skills_version}" \
+  --body "$(cat <<'EOF'
+## Summary
+Bump `cli-compat.json` to use:
+- AppKit `{appkit_version}`
+- Agent Skills `{skills_version}`
+
+## Checklist
+- [ ] Evals passed with no regressions
+- [ ] `go test ./libs/clicompat/... -run TestEmbeddedManifest` passes
+EOF
+)"
+```
+
+Show the PR URL to the user when done.
+
+## Examples
+
+### Example: With explicit versions
+```
+/bump-cli-compat --appkit 0.28.0 --skills 0.1.6
+```
+Validates tags exist (including `template-v0.28.0`), updates manifest, creates PR.
+
+### Example: Auto-detect latest
+```
+/bump-cli-compat
+```
+Fetches latest tags, asks for eval confirmation, then updates and creates PR.
+
+### Example: Only bump AppKit
+```
+/bump-cli-compat --appkit 0.28.0
+```
+Auto-detects latest skills version, asks for confirmation, then updates both.

.agent/skills/pr-checklist/SKILL.md

@@ -16,14 +16,15 @@ Before submitting a PR, run these commands to match what CI checks. CI uses the
 # 3. Tests (CI runs with both deployment engines)
 ./task test
 
-# 4. If you changed bundle config structs or schema-related code:
+# 4. If you changed bundle config structs, schema, or direct-engine resource code:
 ./task generate-schema
+./task generate-direct
 
 # 5. If you changed files in python/:
 ./task pydabs-codegen pydabs-test pydabs-lint pydabs-docs
 
-# 6. If you changed experimental/aitools or experimental/ssh:
-./task test-exp-aitools   # only if aitools code changed
+# 6. If you changed cmd/aitools/, libs/aitools/, experimental/aitools/, or experimental/ssh/:
+./task test-exp-aitools   # only if aitools code changed (top-level or experimental)
 ./task test-exp-ssh       # only if ssh code changed
 ```
 

.codegen/_openapi_sha

@@ -1 +1 @@
-11ae6f9d98f0d0838a5e53c27032f178fecc4ee0
+a499dda0f7802e37868d3f3076f62639165475d8

.gitattributes

@@ -8,6 +8,7 @@ cmd/account/credentials/credentials.go linguist-generated=true
 cmd/account/csp-enablement-account/csp-enablement-account.go linguist-generated=true
 cmd/account/custom-app-integration/custom-app-integration.go linguist-generated=true
 cmd/account/disable-legacy-features/disable-legacy-features.go linguist-generated=true
+cmd/account/disaster-recovery/disaster-recovery.go linguist-generated=true
 cmd/account/enable-ip-access-lists/enable-ip-access-lists.go linguist-generated=true
 cmd/account/encryption-keys/encryption-keys.go linguist-generated=true
 cmd/account/endpoints/endpoints.go linguist-generated=true
@@ -151,6 +152,7 @@ cmd/workspace/resource-quotas/resource-quotas.go linguist-generated=true
 cmd/workspace/restrict-workspace-admins/restrict-workspace-admins.go linguist-generated=true
 cmd/workspace/rfa/rfa.go linguist-generated=true
 cmd/workspace/schemas/schemas.go linguist-generated=true
+cmd/workspace/secrets-uc/secrets-uc.go linguist-generated=true
 cmd/workspace/secrets/secrets.go linguist-generated=true
 cmd/workspace/service-principal-secrets-proxy/service-principal-secrets-proxy.go linguist-generated=true
 cmd/workspace/service-principals-v2/service-principals-v2.go linguist-generated=true
@@ -159,12 +161,14 @@ cmd/workspace/settings/settings.go linguist-generated=true
 cmd/workspace/shares/shares.go linguist-generated=true
 cmd/workspace/sql-results-download/sql-results-download.go linguist-generated=true
 cmd/workspace/storage-credentials/storage-credentials.go linguist-generated=true
+cmd/workspace/supervisor-agents/supervisor-agents.go linguist-generated=true
 cmd/workspace/system-schemas/system-schemas.go linguist-generated=true
 cmd/workspace/table-constraints/table-constraints.go linguist-generated=true
 cmd/workspace/tables/tables.go linguist-generated=true
 cmd/workspace/tag-policies/tag-policies.go linguist-generated=true
 cmd/workspace/temporary-path-credentials/temporary-path-credentials.go linguist-generated=true
 cmd/workspace/temporary-table-credentials/temporary-table-credentials.go linguist-generated=true
+cmd/workspace/temporary-volume-credentials/temporary-volume-credentials.go linguist-generated=true
 cmd/workspace/token-management/token-management.go linguist-generated=true
 cmd/workspace/tokens/tokens.go linguist-generated=true
 cmd/workspace/users-v2/users-v2.go linguist-generated=true

.github/OWNERS

@@ -59,5 +59,13 @@
 # Internal
 /internal/                  team:platform
 
+# AI tools
+/cmd/aitools/               team:eng-apps-devex team:platform @lennartkats-db
+/libs/aitools/              team:eng-apps-devex team:platform @lennartkats-db
+
+# CLI compatibility manifest
+/internal/build/cli-compat.json  team:eng-apps-devex team:platform
+/libs/clicompat/                 team:eng-apps-devex team:platform
+
 # Experimental
 /experimental/aitools/      team:eng-apps-devex @lennartkats-db

.github/workflows/tagging.yml

@@ -4,7 +4,12 @@ name: tagging
 on:
   # Manual dispatch.
   workflow_dispatch:
-  # No inputs are required for the manual dispatch.
+    inputs:
+      packages:
+        description: 'Comma-separated list of packages to tag (e.g. "pkg1,pkg2"). Leave empty to tag all packages with pending releases.'
+        required: false
+        type: string
+        default: ''
 
   # NOTE: Temporarily disable automated releases.
   #
@@ -31,8 +36,8 @@ jobs:
       github.repository == 'databricks/databricks-sdk-java'
     environment: "release-is"
     runs-on:
-      group: databricks-deco-testing-runner-group
-      labels: ubuntu-latest-deco
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     steps:
       - name: Generate GitHub App Token
         id: generate-token
@@ -44,6 +49,12 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
+          # Force re-resolution of ``main`` at step time. Without
+          # ``ref:``, checkout pins to ``github.sha`` — the SHA frozen
+          # at workflow_dispatch time — which means re-running a stale
+          # dispatch checks out an older main even when newer commits
+          # exist.
+          ref: main
           fetch-depth: 0
           token: ${{ steps.generate-token.outputs.token }}
 
@@ -60,4 +71,18 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
           GITHUB_REPOSITORY: ${{ github.repository }}
-        run: uv run --locked internal/genkit/tagging.py
+          PACKAGES: ${{ inputs.packages }}
+        run: |
+          if [ -n "$PACKAGES" ]; then
+            uv run --locked internal/genkit/tagging.py --package "$PACKAGES"
+          else
+            uv run --locked internal/genkit/tagging.py
+          fi
+
+      - name: Upload created tags artifact
+        if: always()
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: created-tags
+          path: created_tags.json
+          if-no-files-found: ignore

.release_metadata.json

@@ -1,3 +1,3 @@
 {
-    "timestamp": "2026-05-07 10:05:31+0000"
+    "timestamp": "2026-05-13 14:20:07+0000"
 }

CHANGELOG.md

@@ -1,5 +1,32 @@
 # Version changelog
 
+## Release v0.299.2 (2026-05-13)
+
+### Notable Changes
+* Breaking change: `vector_search_endpoints` renamed `min_qps` to `target_qps` in DABs configuration and the `vector-search-endpoints` commands, following the SDK rename in v0.131.0. Update any `databricks.yml` using `min_qps:` to `target_qps:` and any CLI invocations using `--min-qps` to `--target-qps`.
+
+### CLI
+
+* `auth login` no longer falls back to plaintext when the OS keyring is reachable but locked. The unlock prompt shown by the probe now runs in parallel with the OAuth flow, and the token is stored in the keyring once the user has typed their password.
+* `databricks auth describe` now reports where U2M (`databricks-cli`) tokens are stored: `plaintext` (`~/.databricks/token-cache.json`) or `secure` (OS keyring), and the source of the choice (env var, config setting, or default).
+* Marked the default profile in the interactive pickers shown by `databricks auth switch`, `databricks auth logout`, `databricks auth token`, and `databricks auth login`, and moved it to the top of the list. `databricks auth login` and `databricks auth logout` now offer the same selectors as `databricks auth token` and `databricks auth switch` respectively.
+* The interactive auth profile pickers now start in search mode so typing immediately filters the list, and the action entries (`+ Create a new profile`, `→ Enter a host URL manually`) are visually distinct from real profiles and stay visible regardless of the search query.
+* Shortened the host prompt label shown after `→ Enter a host URL manually` in `databricks auth login` so the prompt no longer leaves stale lines on screen when typing or pasting a host URL.
+
+### Bundles
+* Stop applying `presets.name_prefix` (and the dev-mode `[dev <user>]` rename) to `vector_search_endpoints` ([#5209](https://github.com/databricks/cli/pull/5209)).
+
+* Fix `bundle generate` job to preserve nested notebook directory structure ([#4596](https://github.com/databricks/cli/pull/4596))
+* Propagate authentication environment (including `DATABRICKS_CONFIG_PROFILE`) to the `experimental.python` subprocess so bundle validate/deploy no longer fails with a multi-profile host ambiguity error when several profiles in `~/.databrickscfg` share the same host.
+* Fixed `--force-pull` on `bundle summary` and `bundle open` so the flag bypasses the local state cache and reads state from the workspace.
+
+### Dependency updates
+
+* Bump Go toolchain to 1.25.10 ([#5213](https://github.com/databricks/cli/pull/5213)).
+* Bump `github.com/databricks/databricks-sdk-go` from v0.128.0 to v0.132.0.
+* Bump Terraform provider to v1.115.0.
+
+
 ## Release v0.299.1 (2026-05-07)
 
 ### CLI

NEXT_CHANGELOG.md

@@ -1,19 +1,23 @@
 # NEXT CHANGELOG
 
-## Release v0.299.2
+## Release v0.300.0
+
+### Notable Changes
+
+* Breaking change: OAuth tokens for interactive logins (`auth_type = databricks-cli`) are now stored in the OS-native secure store by default (Keychain on macOS, Credential Manager on Windows, Secret Service on Linux) instead of `~/.databricks/token-cache.json`. After upgrading, run `databricks auth login` once per profile to re-authenticate; cached tokens from older versions are not migrated. To keep the previous file-backed storage, set `DATABRICKS_AUTH_STORAGE=plaintext` or add `auth_storage = plaintext` under `[__settings__]` in `~/.databrickscfg` (the env var takes precedence over the config setting), then re-run `databricks auth login`. On systems where the OS keyring is not reachable (e.g. Linux containers without a D-Bus session bus), the CLI transparently falls back to the file cache when reading tokens so legacy `token-cache.json` entries remain accessible without manual configuration.
 
 ### CLI
 
-* `databricks auth describe` now reports where U2M (`databricks-cli`) tokens are stored: `plaintext` (`~/.databricks/token-cache.json`) or `secure` (OS keyring), and the source of the choice (env var, config setting, or default).
-* Marked the default profile in the interactive pickers shown by `databricks auth switch`, `databricks auth logout`, `databricks auth token`, and `databricks auth login`, and moved it to the top of the list. `databricks auth login` and `databricks auth logout` now offer the same selectors as `databricks auth token` and `databricks auth switch` respectively.
+* Added `databricks aitools` command group for installing Databricks skills into your coding agents (Claude Code, Cursor, Codex CLI, OpenCode, GitHub Copilot, Antigravity). Skills are fetched from [github.com/databricks/databricks-agent-skills](https://github.com/databricks/databricks-agent-skills) and either symlinked into each agent's skills directory or copied into the current project. Use `databricks aitools install` to set up, `update` to pull newer versions, `list` to see what's available, and `uninstall` to remove them. Pick where they go with `--scope=project|global` (`--scope=both` is accepted on `update` and `list`).
+* `[__settings__].default_profile` is now consulted as a fallback by `databricks api`, `databricks auth token`, and bundle commands when neither `--profile` nor `DATABRICKS_CONFIG_PROFILE` is set. `databricks auth token` continues to give precedence to `DATABRICKS_HOST` over `default_profile`. For bundle commands, `default_profile` only applies when the bundle does not pin its own `workspace.host`.
+* `databricks workspace import-dir` now skips `.git`, `.databricks`, and `node_modules` directories during recursive imports. To import one of these directories deliberately, pass it as `SOURCE_PATH` ([#5118](https://github.com/databricks/cli/pull/5118)).
+* `databricks postgres create-role --help` now documents the `--json` body shape and rejects the common mistake of wrapping the body in `{"role": ...}` client-side with a hint pointing at the correct shape ([#5111](https://github.com/databricks/cli/pull/5111)).
+* `databricks aitools list` honors `--output json`, emitting a structured `{release, skills[...], summary{}}` document so coding agents and CI can consume the skill/version/installation matrix without scraping the tabular text output ([#5233](https://github.com/databricks/cli/pull/5233)).
 
 ### Bundles
-* Stop applying `presets.name_prefix` (and the dev-mode `[dev <user>]` rename) to `vector_search_endpoints` ([#5209](https://github.com/databricks/cli/pull/5209)).
-
-* Fix `bundle generate` job to preserve nested notebook directory structure ([#4596](https://github.com/databricks/cli/pull/4596))
-* Propagate authentication environment (including `DATABRICKS_CONFIG_PROFILE`) to the `experimental.python` subprocess so bundle validate/deploy no longer fails with a multi-profile host ambiguity error when several profiles in `~/.databrickscfg` share the same host.
-* Fixed `--force-pull` on `bundle summary` and `bundle open` so the flag bypasses the local state cache and reads state from the workspace.
+* Make sure warnings asking for approval are understood by agents ([#5239](https://github.com/databricks/cli/pull/5239))
+* Support `replace_existing: true` on `postgres_branches` and `postgres_endpoints` so bundles can manage the implicitly-created production branch and primary read-write endpoint of a Lakebase project.
+* Add `postgres_catalogs` resource to bind a Unity Catalog catalog to a Postgres database on a Lakebase Autoscaling branch ([#5265](https://github.com/databricks/cli/pull/5265)).
+* engine/direct: Changes to state file now persisted to .wal file right away instead of being saved in the end ([#5149](https://github.com/databricks/cli/pull/5149))
 
 ### Dependency updates
-
-* Bump Go toolchain to 1.25.10 ([#5213](https://github.com/databricks/cli/pull/5213)).

NOTICE

@@ -66,10 +66,6 @@ google/uuid - https://github.com/google/uuid
 Copyright (c) 2009,2014 Google Inc. All rights reserved.
 License - https://github.com/google/uuid/blob/master/LICENSE
 
-manifoldco/promptui - https://github.com/manifoldco/promptui
-Copyright (c) 2017, Arigato Machine Inc. All rights reserved.
-License - https://github.com/manifoldco/promptui/blob/master/LICENSE.md
-
 hexops/gotextdiff - https://github.com/hexops/gotextdiff
 Copyright (c) 2009 The Go Authors. All rights reserved.
 License - https://github.com/hexops/gotextdiff/blob/main/LICENSE
@@ -143,6 +139,10 @@ charmbracelet/lipgloss - https://github.com/charmbracelet/lipgloss
 Copyright (c) 2021-2025 Charmbracelet, Inc
 License - https://github.com/charmbracelet/lipgloss/blob/master/LICENSE
 
+charmbracelet/x/ansi - https://github.com/charmbracelet/x
+Copyright (c) 2023-2025 Charmbracelet, Inc
+License - https://github.com/charmbracelet/x/blob/main/ansi/LICENSE
+
 Masterminds/semver - https://github.com/Masterminds/semver
 Copyright (C) 2014-2019, Matt Butcher and Matt Farina
 License - https://github.com/Masterminds/semver/blob/master/LICENSE.txt