bundle: drop the state-path-outside-root warning, keep it as telemetry only

Storing workspace.state_path outside workspace.root_path is a valid
configuration, not a misconfiguration, so it should not produce a warning.
ValidateWorkspacePermissions now warns only when a path's effective access
exceeds the declared permissions (cases 1 and 2). The StatePathOutsideRootPath
predicate and its telemetry field remain as an informational signal.

Co-authored-by: Shreyas Goenka <shreyas.goenka@databricks.com>

Author: shreyas-goenka

bundle/permissions/validate.go

@@ -13,15 +13,17 @@ import (
 type validateWorkspacePermissions struct{}
 
 // ValidateWorkspacePermissions statically validates workspace path configurations
-// for potential permission misconfigurations. It emits a warning for each of the
-// following, all of which are also recorded as telemetry via the predicates below:
+// and warns when a workspace path grants broader access than the top-level
+// permissions section declares:
 //
 //  1. workspace.root_path grants broader access than the permissions section
 //     declares (RootPathScopeExceedsPermissions).
 //  2. workspace.state_path grants broader access than the permissions section
 //     declares (StatePathScopeExceedsPermissions).
-//  3. workspace.state_path is stored outside workspace.root_path, so its
-//     permissions are managed independently (StatePathOutsideRootPath).
+//
+// Note: StatePathOutsideRootPath is intentionally not warned about — storing the
+// state outside the bundle root is a valid configuration, not a misconfiguration.
+// It is still recorded as telemetry.
 func ValidateWorkspacePermissions() bundle.Mutator {
 	return &validateWorkspacePermissions{}
 }
@@ -56,16 +58,6 @@ func (*validateWorkspacePermissions) Apply(ctx context.Context, b *bundle.Bundle
 		})
 	}
 
-	// Case 3: state_path is stored outside root_path.
-	// Skip when state_path is shared, since case 2 is the more specific warning.
-	if StatePathOutsideRootPath(b) && !StatePathIsShared(b) {
-		diags = diags.Append(diag.Diagnostic{
-			Severity: diag.Warning,
-			Summary:  fmt.Sprintf("workspace.state_path %q is not nested under workspace.root_path %q", statePath, rootPath),
-			Detail:   "The deployment state is stored in a workspace folder separate from the bundle root. Bundle permissions will be applied to this path independently during deployment. Ensure the path is accessible and the configured permissions are appropriate.",
-		})
-	}
-
 	return diags
 }
 

bundle/permissions/validate_test.go

@@ -109,9 +109,9 @@ func TestValidateWorkspacePermissions_BothShared_OnlyOneWarning(t *testing.T) {
 	assert.Contains(t, diags[0].Summary, "root path")
 }
 
-// --- Case 3: state_path outside root_path ---
+// state_path outside root_path is informational only — it must not warn.
 
-func TestValidateWorkspacePermissions_StateOutsideRoot_Warn(t *testing.T) {
+func TestValidateWorkspacePermissions_StateOutsideRoot_NoWarn(t *testing.T) {
 	b := &bundle.Bundle{
 		Config: config.Root{
 			Workspace: config.Workspace{
@@ -121,43 +121,9 @@ func TestValidateWorkspacePermissions_StateOutsideRoot_Warn(t *testing.T) {
 		},
 	}
 	diags := applyValidate(t, b)
-	require.Len(t, diags, 1)
-	assert.Equal(t, diag.Warning, diags[0].Severity)
-	assert.Contains(t, diags[0].Summary, "workspace.state_path")
-	assert.Contains(t, diags[0].Summary, "workspace.root_path")
-}
-
-func TestValidateWorkspacePermissions_StateInsideRoot_NoWarn(t *testing.T) {
-	b := &bundle.Bundle{
-		Config: config.Root{
-			Workspace: config.Workspace{
-				RootPath:  "/Workspace/Users/user@example.test/bundle",
-				StatePath: "/Workspace/Users/user@example.test/bundle/state",
-			},
-		},
-	}
-	diags := applyValidate(t, b)
 	require.Empty(t, diags)
 }
 
-func TestValidateWorkspacePermissions_StateSharedAndOutsideRoot_OnlyCaseTwo(t *testing.T) {
-	// state_path is in Shared and outside root — only case 2 fires, not case 3.
-	b := &bundle.Bundle{
-		Config: config.Root{
-			Workspace: config.Workspace{
-				RootPath:  "/Workspace/Users/user@example.test/bundle",
-				StatePath: "/Workspace/Shared/state",
-			},
-			Permissions: []resources.Permission{
-				{Level: CAN_MANAGE, UserName: "user@example.test"},
-			},
-		},
-	}
-	diags := applyValidate(t, b)
-	require.Len(t, diags, 1)
-	assert.Contains(t, diags[0].Summary, "state path")
-}
-
 // --- Helper function tests ---
 
 func TestRootPathScopeExceedsPermissions(t *testing.T) {