Merge branch 'main' into denik/internet-sandbo

Author: denik

.agent/rules/testing.md

@@ -1,5 +1,9 @@
 ---
 description: Rules for the testing strategy of this repo
+paths:
+  - "**/*_test.go"
+  - "acceptance/**"
+  - "integration/**"
 ---
 
 # Rules for the testing strategy of this repo
@@ -132,6 +136,12 @@ Available on `PATH` during test execution (from `acceptance/bin/`):
 - `gron.py`: flatten JSON into greppable discrete assignments (simpler than `jq` for searching JSON).
 - `jq` is also available for JSON processing.
 
+**RULE: Prefer `gron.py | grep <field>` over inline `jq` paths for single-value lookups.** The gron output prints the JSON path inline, so the test log explains itself.
+
+**RULE: Don't pass `--keep` to `print_requests.py` if a later `print_requests.py` call follows.** The buffer accumulates, so the second call double-prints the earlier requests.
+
+**RULE: Route noisy or non-deterministic command output to `LOG.<name>` instead of `output.txt` or `/dev/null`.** `LOG.*` files are visible under `go test -v` but excluded from the diff — see `acceptance/selftest/log/`. Use `&> LOG.<name>` to capture both streams (then `contains.py` to assert invariants like `'!panic' '!internal error'`), or `2>>LOG.<name>` for cleanup-step stderr you'd otherwise drop to `/dev/null`.
+
 ### Update workflow
 
 **RULE: Run `./task test-update` to regenerate outputs, then `./task fmt` and `./task lint`.** If fmt or lint modify files in `acceptance/`, there's an issue in the source files. Fix the source, regenerate, and verify fmt/lint pass cleanly.

.agent/skills/pr-checklist/SKILL.md

@@ -47,6 +47,8 @@ After the commands above pass, scrub the diff before pushing. The quick version:
 
 Follow `.github/PULL_REQUEST_TEMPLATE.md` exactly. Use its section headings (`## Changes`, `## Why`, `## Tests`) in the same order, and fill each one in. Do not invent new sections (`## Summary`, `## Test plan`, etc.), do not drop sections, and do not leave the HTML comment placeholders in the final body — replace them with real content. If a section genuinely does not apply (e.g. a docs-only change has no test steps), say so explicitly under that heading rather than removing it.
 
+**RULE: Be concise in the PR summary.** Overly verbose descriptions tend to be ignored by reviewers. Let the diff speak for itself and only describe at a high level what you have implemented/what components were touched.
+
 When using `gh pr create`, read `.github/PULL_REQUEST_TEMPLATE.md` first and base `--body` on it.
 
 If an agent (you) authored or substantially helped author the PR, disclose it on the last line of the body, e.g. `_This PR was written by Claude Code._` or `_PR description drafted with Claude Code._`. Be honest about the level of involvement — "written by" vs. "drafted with" vs. "reviewed by" — and keep it to a single italicized line so it doesn't crowd the template sections.

.github/OWNERS

@@ -21,6 +21,10 @@
 /libs/apps/                 team:eng-apps-devex
 /acceptance/apps/           team:eng-apps-devex
 
+# Sandbox
+/cmd/sandbox/               @pietern @akshaysingla-db @shuochen0311
+/acceptance/cmd/sandbox/    @pietern @akshaysingla-db @shuochen0311
+
 # Auth
 /cmd/auth/                  team:platform
 /libs/auth/                 team:platform

.github/workflows/bump-vuln-deps.yml

@@ -0,0 +1,97 @@
+name: Bump vulnerable dependencies
+
+on:
+  schedule:
+    # Run daily at 05:30 UTC, just after the Go toolchain bumper.
+    - cron: "30 5 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+  # Required by setup-jfrog (GOPROXY exchange).
+  id-token: write
+
+jobs:
+  bump-vuln-deps:
+    runs-on:
+      group: databricks-protected-runner-group-large
+      labels: linux-ubuntu-latest-large
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Setup JFrog
+        uses: ./.github/actions/setup-jfrog
+
+      - name: Setup Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          # vulnbump lives in the tools module, which is what this job compiles.
+          go-version-file: tools/go.mod
+
+      - name: Build vulnbump
+        run: go -C tools/vulnbump build -o "$RUNNER_TEMP/vulnbump" .
+
+      - name: Bump vulnerable dependencies
+        id: bump
+        run: |
+          set -euo pipefail
+
+          # govulncheck is pinned as a tool dependency in tools/go.mod; -modfile
+          # resolves it from there while it scans the root module (the working
+          # directory). Only the root module ships; tools/ and
+          # bundle/internal/tf/codegen are build- and CI-only, so they are not
+          # scanned. Its vulnerability database is fetched from vuln.go.dev at
+          # runtime, so the pinned binary still uses the latest advisories.
+          #
+          # -scan module reports every advisory affecting a required module,
+          # regardless of whether the vulnerable symbol is reachable. In JSON
+          # mode govulncheck exits 0 on success whether or not it finds anything,
+          # and non-zero only on a real error; a failure must abort the job
+          # rather than be silently mistaken for "no vulnerabilities".
+          scan="$(mktemp)"
+          go tool -modfile=tools/go.mod govulncheck -scan module -format json > "$scan"
+
+          summary_file="$(mktemp)"
+          "$RUNNER_TEMP/vulnbump" . < "$scan" > "$summary_file"
+
+          if git diff --quiet; then
+            echo "No vulnerable dependencies to bump."
+            echo "needed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "needed=true" >> "$GITHUB_OUTPUT"
+            {
+              echo "summary<<SUMMARY_EOF"
+              cat "$summary_file"
+              echo "SUMMARY_EOF"
+            } >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Show diff
+        if: steps.bump.outputs.needed == 'true'
+        run: git diff
+
+      - name: Create pull request
+        if: steps.bump.outputs.needed == 'true'
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
+        with:
+          # A fixed branch means a daily run updates the existing open PR in
+          # place rather than opening a new one; no branch-suffix is needed.
+          branch: auto/bump-vuln-deps
+          commit-message: "Bump dependencies with known vulnerabilities"
+          title: "Bump dependencies with known vulnerabilities"
+          body: |
+            Bump dependencies flagged by `govulncheck -scan module` to their fixed versions.
+
+            Each CVE links to its Go advisory page.
+
+            ${{ steps.bump.outputs.summary }}
+
+            Vulnerabilities in the Go standard library are left to the `Bump Go toolchain` workflow.
+
+            If a bump promotes a new direct dependency, double-check its license annotation in `go.mod` and `NOTICE`.
+          reviewers: simonfaltum,andrewnester,anton-107,denik,janniklasrose,pietern,shreyas-goenka
+          labels: dependencies

.github/workflows/push.yml

@@ -318,6 +318,58 @@ jobs:
         run: |
           go tool -modfile=tools/task/go.mod task test-pipelines
 
+  test-sandbox:
+    needs:
+      - cleanups
+      - testmask
+
+    # Only run if the target is in the list of targets from testmask
+    if: ${{ contains(fromJSON(needs.testmask.outputs.targets), 'test-sandbox') }}
+    name: "task test-sandbox (${{matrix.os.name}})"
+    runs-on: ${{ matrix.os.runner }}
+
+    defaults:
+      run:
+        shell: bash
+
+    permissions:
+      id-token: write
+      contents: read
+
+    env:
+      TASK_CONCURRENCY: ${{ matrix.os.name == 'windows' && '1' || '' }}
+
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - name: linux
+            runner:
+              group: databricks-protected-runner-group-large
+              labels: linux-ubuntu-latest-large
+
+          - name: windows
+            runner:
+              group: databricks-protected-runner-group-large
+              labels: windows-server-latest-large
+
+          - name: macos
+            runner:
+              labels: macos-latest
+
+    steps:
+      - name: Checkout repository and submodules
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Setup build environment
+        uses: ./.github/actions/setup-build-environment
+        with:
+          cache-key: test-sandbox
+
+      - name: Run tests
+        run: |
+          go tool -modfile=tools/task/go.mod task test-sandbox
+
   # This job groups the result of all the above test jobs.
   # It is a required check, so it blocks auto-merge and the merge queue.
   #
@@ -333,6 +385,7 @@ jobs:
       - test-exp-aitools
       - test-exp-ssh
       - test-pipelines
+      - test-sandbox
 
     if: ${{ always() }}
     name: test-result

.gitignore

@@ -73,6 +73,7 @@ go.work.sum
 .codegen/openapi.json
 
 .claude/settings.local.json
+.claude/scheduled_tasks.lock
 .cursor/cli.json
 tools/gofumpt
 .claude/worktrees/

.release_metadata.json

@@ -1,3 +1,3 @@
 {
-    "timestamp": "2026-06-04 14:30:32+0000"
+    "timestamp": "2026-06-10 15:15:08+0000"
 }

CHANGELOG.md

@@ -1,5 +1,25 @@
 # Version changelog
 
+## Release v1.3.0 (2026-06-10)
+
+### Notable Changes
+* The `direct` deployment engine is now Generally Available and the default for new deployments. To opt out, set `engine: terraform` under `bundle` in your `databricks.yml` or set `DATABRICKS_BUNDLE_ENGINE=terraform`. Existing deployments keep their current engine; see https://docs.databricks.com/aws/en/dev-tools/bundles/direct to migrate.
+
+### CLI
+* Added the `databricks quickstart` command, a short introduction to the CLI that prints a human-friendly guide interactively and an agent-oriented version when run non-interactively ([#5464](https://github.com/databricks/cli/pull/5464)).
+* Add `databricks version --check` to report whether a newer CLI version is available and print the upgrade command for the detected install method ([#5469](https://github.com/databricks/cli/pull/5469)).
+* `databricks auth describe` now verifies credentials against both the workspace and account endpoints before reporting a failure, fixing false "Unable to authenticate" errors for account console profiles ([#5479](https://github.com/databricks/cli/issues/5479)).
+* `databricks auth login` no longer prompts for workspace selection when logging in to an account console host (`https://accounts.*`). Pass `--workspace-id` explicitly to store a workspace ID on such a profile ([#5504](https://github.com/databricks/cli/pull/5504)).
+* `databricks auth profiles --skip-validate` no longer makes any network calls; the host metadata fetch is skipped along with validation ([#5530](https://github.com/databricks/cli/pull/5530)).
+
+### Bundles
+* Set the default `data_security_mode` to `DATA_SECURITY_MODE_AUTO` in bundle templates ([#5452](https://github.com/databricks/cli/pull/5452)).
+* Mark vector search index index_subtype as backend_default to prevent drift after deployment ([#5454](https://github.com/databricks/cli/pull/5454)).
+* `bundle deployment migrate`: handle resources added to or removed from `databricks.yml` since the last Terraform deploy ([#5463](https://github.com/databricks/cli/pull/5463)).
+* Add the `genie_spaces` bundle resource for managing Databricks Genie spaces as code, plus `bundle generate genie-space` to import an existing space. Direct deployment engine only ([#5282](https://github.com/databricks/cli/pull/5282)).
+* Fix spurious recreate of schemas and volumes whose names use mixed case ([#5531](https://github.com/databricks/cli/pull/5531)).
+
+
 ## Release v1.2.1 (2026-06-04)
 
 ### Bundles

NEXT_CHANGELOG.md

@@ -1,13 +1,12 @@
 # NEXT CHANGELOG
 
-## Release v1.3.0
+## Release v1.4.0
 
 ### Notable Changes
 
 ### CLI
 
 ### Bundles
-* Set the default `data_security_mode` to `DATA_SECURITY_MODE_AUTO` in bundle templates ([#5452](https://github.com/databricks/cli/pull/5452)).
 
 ### Dependency updates
 

Taskfile.yml

@@ -658,6 +658,25 @@ tasks:
           --packages ./acceptance/... \
           -- -timeout=${LOCAL_TIMEOUT:-30m} -run "TestAccept/pipelines"
 
+  test-sandbox:
+    desc: Run sandbox unit and acceptance tests
+    sources:
+      - cmd/sandbox/**
+      - acceptance/cmd/sandbox/**
+    cmds:
+      - |
+        {{.GO_TOOL}} gotestsum \
+          --format ${GOTESTSUM_FORMAT:-pkgname-and-test-fails} \
+          --no-summary=skipped \
+          --packages ./cmd/sandbox/... \
+          -- -timeout=${LOCAL_TIMEOUT:-30m}
+      - |
+        {{.GO_TOOL}} gotestsum \
+          --format ${GOTESTSUM_FORMAT:-pkgname-and-test-fails} \
+          --no-summary=skipped \
+          --packages ./acceptance/... \
+          -- -timeout=${LOCAL_TIMEOUT:-30m} -run "TestAccept/cmd/sandbox"
+
   # --- Integration tests ---
 
   integration:
@@ -799,8 +818,7 @@ tasks:
     generates:
       - acceptance/bundle/refschema/out.fields.txt
     cmds:
-      - cmd: go test ./acceptance -run TestAccept/bundle/refschema -update &> /dev/null
-        ignore_error: true # -update returns non-zero exit code on changes
+      - go test ./acceptance -run TestAccept/bundle/refschema -update
 
   generate-schema:
     desc: Generate bundle JSON schema