auth: clear error for PAT profile on SPOG without workspace_id (#5341)

## Why

Personal access tokens are workspace-scoped. When a PAT profile points
at a SPOG host (account-scoped OIDC discovery) without \`workspace_id\`,
the SDK can't add the routing identifier, the request lands on the
account-plane where PATs aren't accepted, and the user sees the opaque
error \"Credential was not sent or was of an unsupported type for this
API\" from the auth endpoint. Reported in a bug bash.

Reproduced against \`db-deco-test.databricks.com\`:
\`\`\`
[spog-pat-no-wid]
host  = https://db-deco-test.databricks.com
token = dapi...

$ databricks auth describe --profile spog-pat-no-wid
Unable to authenticate: Credential was not sent or was of an unsupported
type for this API. [ReqId: ...]
\`\`\`

## Changes

- Before: PAT-on-SPOG without \`workspace_id\` failed with the opaque
credentials error.
- Now: \`workspaceClientOrPrompt\` detects the combination
(\`auth_type=pat\` + SPOG discovery signal + \`workspace_id\` empty)
before any API call and returns a message that names the profile,
explains the routing constraint, and points at the fix: add
\`workspace_id = <id>\` for the workspace the token was minted in.

\`databricks auth describe --profile spog-pat-no-wid\` now prints:
\`\`\`
Unable to authenticate: profile \"spog-pat-no-wid\" uses PAT auth on a
SPOG host but is missing workspace_id; PATs are workspace-scoped, so the
request can't be routed. Edit the profile to add workspace_id = <id>
matching the workspace the token was minted in
\`\`\`

## Test plan

- [x] Reproduced against \`db-deco-test.databricks.com\` with a PAT
profile that has no \`workspace_id\`; saw the opaque \"Credential was
not sent\" error.
- [x] Same profile with the fix → clear, actionable error message naming
the profile and pointing at the fix (verified with \`auth describe\` and
\`current-user me\`).
- [x] Existing \`spog-deco-aws\` (PAT with valid \`workspace_id\`) still
works against the same host — no regression.
- [x] New unit tests: \`TestIsPATOnSPOGWithoutWorkspaceID\`,
\`TestWorkspaceClientOrPromptRejectsPATOnSPOGWithoutWorkspaceID\`
- [x] \`go test ./cmd/root/...\`, \`./task checks\`, \`./task lint-q\`

Author: simonfaltum

cmd/root/auth.go

@@ -52,6 +52,26 @@ func initProfileFlag(cmd *cobra.Command) {
 	cmd.RegisterFlagCompletionFunc("profile", profile.ProfileCompletion)
 }
 
+// isPATOnSPOGWithoutWorkspaceID reports whether the resolved config is a PAT
+// profile pointing at a SPOG host with no workspace_id set. The SDK strips the
+// routing identifier from the request, which lands on the account-plane where
+// PATs aren't accepted. The legacy "none" sentinel (auth.WorkspaceIDNone) is
+// treated as empty here, matching the convention used elsewhere in the repo
+// (e.g. libs/databrickscfg/profile/profiler.go).
+func isPATOnSPOGWithoutWorkspaceID(cfg *config.Config) bool {
+	return cfg.AuthType == auth.AuthTypePat &&
+		(cfg.WorkspaceID == "" || cfg.WorkspaceID == auth.WorkspaceIDNone) &&
+		auth.HasUnifiedHostSignal(cfg.DiscoveryURL)
+}
+
+// patSPOGNoWorkspaceIDError describes the configuration gap and how to fix it.
+func patSPOGNoWorkspaceIDError(profileName string) error {
+	if profileName == "" {
+		return errors.New("personal access token (PAT) auth on this host requires a workspace_id; PATs are workspace-scoped, but no workspace_id is set. Add workspace_id = <id> (or set DATABRICKS_WORKSPACE_ID) to the profile associated with this PAT token")
+	}
+	return fmt.Errorf("profile %q uses PAT auth on a SPOG host but is missing workspace_id; PATs are workspace-scoped, so the request can't be routed. Edit the profile to add workspace_id = <id> matching the workspace the token was minted in", profileName)
+}
+
 // ErrAccountOnlyProfile signals that the resolved profile has an account_id
 // but no workspace_id, so workspace APIs can't be reached. Workspace-only
 // commands surface this as an actionable error; MustAnyClient (used by `auth
@@ -221,9 +241,20 @@ func workspaceClientOrPrompt(ctx context.Context, cfg *config.Config, allowPromp
 		//
 		// We require cfg.Profile to be set so we don't reject env-var-only
 		// configs targeting a unified host where workspace APIs are also
-		// served from the account host.
+		// served from the account host. This branch runs first so MustAnyClient
+		// can recognize ErrAccountOnlyProfile and fall through to the account
+		// client; the PAT-on-SPOG check below handles the remaining cases
+		// (env-var-only configs and profiles without account_id resolved).
 		return nil, accountOnlyProfileError(cfg.Profile)
 	}
+	if err == nil && isPATOnSPOGWithoutWorkspaceID(cfg) {
+		// PATs are workspace-scoped. On a SPOG host without workspace_id the
+		// SDK can't add the routing identifier, the backend treats the call as
+		// account-plane, and PATs aren't accepted there. The result is an
+		// opaque "Credential was not sent" error from the auth endpoint;
+		// rewrite up front so the user sees what's actually wrong.
+		return nil, patSPOGNoWorkspaceIDError(cfg.Profile)
+	}
 	if err == nil {
 		err = w.Config.Authenticate(emptyHttpRequest(ctx))
 	}

cmd/root/auth_test.go

@@ -2,13 +2,16 @@ package root
 
 import (
 	"context"
+	"fmt"
 	"net/http"
+	"net/http/httptest"
 	"os"
 	"path/filepath"
 	"testing"
 	"time"
 
 	"github.com/databricks/cli/internal/testutil"
+	"github.com/databricks/cli/libs/auth"
 	"github.com/databricks/cli/libs/cmdctx"
 	"github.com/databricks/cli/libs/cmdio"
 	"github.com/databricks/databricks-sdk-go"
@@ -454,6 +457,62 @@ func TestAccountClientOrPromptReturnsErrorForWrongHostType(t *testing.T) {
 	assert.ErrorIs(t, err, databricks.ErrNotAccountClient)
 }
 
+func TestIsPATOnSPOGWithoutWorkspaceID(t *testing.T) {
+	tests := []struct {
+		name string
+		cfg  *config.Config
+		want bool
+	}{
+		{
+			name: "pat on spog without workspace_id",
+			cfg: &config.Config{
+				AuthType:     "pat",
+				DiscoveryURL: "https://spog.example.test/oidc/accounts/abc/.well-known/oauth-authorization-server",
+			},
+			want: true,
+		},
+		{
+			name: "pat on spog with workspace_id is fine",
+			cfg: &config.Config{
+				AuthType:     "pat",
+				WorkspaceID:  "12345",
+				DiscoveryURL: "https://spog.example.test/oidc/accounts/abc/.well-known/oauth-authorization-server",
+			},
+			want: false,
+		},
+		{
+			name: "pat on spog with legacy 'none' sentinel is treated as missing",
+			cfg: &config.Config{
+				AuthType:     "pat",
+				WorkspaceID:  auth.WorkspaceIDNone,
+				DiscoveryURL: "https://spog.example.test/oidc/accounts/abc/.well-known/oauth-authorization-server",
+			},
+			want: true,
+		},
+		{
+			name: "pat on classic workspace host is fine",
+			cfg: &config.Config{
+				AuthType:     "pat",
+				DiscoveryURL: "https://workspace.example.test/oidc/.well-known/oauth-authorization-server",
+			},
+			want: false,
+		},
+		{
+			name: "u2m on spog is not affected (handled by other paths)",
+			cfg: &config.Config{
+				AuthType:     "databricks-cli",
+				DiscoveryURL: "https://spog.example.test/oidc/accounts/abc/.well-known/oauth-authorization-server",
+			},
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.want, isPATOnSPOGWithoutWorkspaceID(tt.cfg))
+		})
+	}
+}
+
 func TestWorkspaceClientOrPromptRejectsAccountOnlyProfile(t *testing.T) {
 	tests := []struct {
 		name        string
@@ -490,6 +549,75 @@ func TestWorkspaceClientOrPromptRejectsAccountOnlyProfile(t *testing.T) {
 	}
 }
 
+func TestWorkspaceClientOrPromptRejectsPATOnSPOGWithoutWorkspaceID(t *testing.T) {
+	testutil.CleanupEnvironment(t)
+	t.Setenv("PATH", "")
+
+	// No AccountID is set, so the account-only profile detector (which requires
+	// AccountID) does not fire and the PAT-on-SPOG detector is exercised.
+	cfg := &config.Config{
+		Host:          "https://spog.example.test/",
+		Token:         "dapi-fake",
+		Profile:       "spog-pat",
+		DiscoveryURL:  "https://spog.example.test/oidc/accounts/abc-123/.well-known/oauth-authorization-server",
+		AuthType:      "pat",
+		HTTPTransport: noNetworkTransport,
+	}
+
+	w, err := workspaceClientOrPrompt(t.Context(), cfg, false)
+	assert.Nil(t, w)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), `profile "spog-pat"`)
+	assert.Contains(t, err.Error(), "workspace_id")
+	assert.Contains(t, err.Error(), "PAT")
+}
+
+// TestWorkspaceClientOrPromptRejectsPATOnSPOGFromConfigFile exercises the
+// real .databrickscfg shape from the bug bash: `host` + `token` only, no
+// `auth_type`, no `workspace_id`. The SDK populates AuthType during
+// NewWorkspaceClient via its credential probe, so the PAT-on-SPOG detector
+// must keep working after going through that path.
+func TestWorkspaceClientOrPromptRejectsPATOnSPOGFromConfigFile(t *testing.T) {
+	// testutil.CleanupEnvironment calls os.Clearenv(), which wipes Windows
+	// essentials like SystemRoot and breaks Winsock initialization for
+	// subsequent net.Listen calls. We only need a clean DATABRICKS_CONFIG_FILE
+	// for this test; set it directly with t.Setenv so the rest of the
+	// environment (notably the Windows networking stack) keeps working.
+	t.Setenv("DATABRICKS_AUTH_TYPE", "")
+	t.Setenv("DATABRICKS_HOST", "")
+	t.Setenv("DATABRICKS_TOKEN", "")
+	t.Setenv("DATABRICKS_CONFIG_PROFILE", "")
+	t.Setenv("PATH", "")
+
+	// Mock .well-known/databricks-config to return an account-scoped OIDC
+	// endpoint so the SDK populates cfg.DiscoveryURL with the SPOG signal.
+	// Omit account_id so AccountID stays unset; otherwise the account-only
+	// profile detector would intercept this case before the PAT-on-SPOG check.
+	mux := http.NewServeMux()
+	mux.HandleFunc("/.well-known/databricks-config", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		_, _ = w.Write([]byte(`{"oidc_endpoint":"https://spog.example.test/oidc/accounts/abc-123"}`))
+	})
+	server := httptest.NewServer(mux)
+	t.Cleanup(server.Close)
+
+	configFile := filepath.Join(t.TempDir(), ".databrickscfg")
+	require.NoError(t, os.WriteFile(configFile, fmt.Appendf(nil, `
+[spog-pat]
+host  = %s
+token = dapi-fake
+`, server.URL), 0o600))
+	t.Setenv("DATABRICKS_CONFIG_FILE", configFile)
+
+	cfg := &config.Config{Profile: "spog-pat"}
+	w, err := workspaceClientOrPrompt(t.Context(), cfg, false)
+	assert.Nil(t, w)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), `profile "spog-pat"`)
+	assert.Contains(t, err.Error(), "workspace_id")
+	assert.Contains(t, err.Error(), "PAT")
+}
+
 func TestMustAnyClientFallsThroughOnAccountOnlyProfile(t *testing.T) {
 	testutil.CleanupEnvironment(t)
 	t.Setenv("PATH", "")