bundle: warn during deploy when workspace folder permissions exceed the bundle's

ValidateFolderPermissions already compares the live workspace ACL against the
declared permissions, but it only runs during `bundle validate`. This brings the
same check to `bundle deploy` without adding any API latency: ApplyWorkspaceRoot-
Permissions already calls SetPermissions on each workspace path prefix (root_path
and, when separate, state_path), and the response carries the resulting ACL.

Reusing that response, we compare against the declared permissions. Because the
Set replaces the folder's direct ACL with the declared set, any principal still
showing higher access is inherited from a parent folder — the broader access that
actually persists after deploy, which is the scope mismatch worth surfacing.

Three telemetry signals are recorded in bool_values during deploy:
- state_path_acl_exceeds_permissions: whether the folder holding the deployment
  state grants more access than the permissions section declares. True by
  definition when no permissions are declared; determined statically for
  /Workspace/Shared state folders (all users have read/write) and from the live
  SetPermissions response otherwise.
- state_path_is_shared: state_path is under /Workspace/Shared.
- permissions_section_is_set: the bundle declares top-level permissions.

Covered by acceptance tests (no permissions / clean ACL / shared state path, and
an inherited-ACL mismatch staged via a server override) instead of unit tests.

Co-authored-by: Shreyas Goenka <shreyas.goenka@databricks.com>

Author: shreyas-goenka

NEXT_CHANGELOG.md

@@ -13,6 +13,7 @@
 * Set the default `data_security_mode` to `DATA_SECURITY_MODE_AUTO` in bundle templates ([#5452](https://github.com/databricks/cli/pull/5452)).
 * Mark vector search index index_subtype as backend_default to prevent drift after deployment ([#5454](https://github.com/databricks/cli/pull/5454)).
 * `bundle deployment migrate`: handle resources added to or removed from `databricks.yml` since the last Terraform deploy ([#5463](https://github.com/databricks/cli/pull/5463)).
+* Warn during `bundle deploy` when a workspace folder used by the bundle grants broader permissions than the bundle's top-level `permissions` section declares, for example through permissions inherited from a parent folder ([#5439](https://github.com/databricks/cli/pull/5439)).
 
 ### Dependency updates
 

acceptance/bundle/resource_deps/job_tasks/out.telemetry.direct.txt

@@ -4,7 +4,10 @@ has_classic_job_compute false
 has_serverless_compute true
 local.cache.attempt true
 local.cache.miss true
+permissions_section_is_set false
 presets_name_prefix_is_set false
 python_wheel_wrapper_is_set false
 run_as_set false
 skip_artifact_cleanup false
+state_path_acl_exceeds_permissions true
+state_path_is_shared false

acceptance/bundle/resource_deps/job_tasks/out.telemetry.terraform.txt

@@ -4,7 +4,10 @@ has_classic_job_compute false
 has_serverless_compute true
 local.cache.attempt true
 local.cache.miss true
+permissions_section_is_set false
 presets_name_prefix_is_set false
 python_wheel_wrapper_is_set false
 run_as_set false
 skip_artifact_cleanup false
+state_path_acl_exceeds_permissions true
+state_path_is_shared false

acceptance/bundle/resource_deps/resources_var/output.txt

@@ -42,7 +42,10 @@ has_classic_job_compute false
 has_serverless_compute false
 local.cache.attempt true
 local.cache.hit true
+permissions_section_is_set false
 presets_name_prefix_is_set true
 python_wheel_wrapper_is_set false
 run_as_set false
 skip_artifact_cleanup false
+state_path_acl_exceeds_permissions true
+state_path_is_shared false

acceptance/bundle/resource_deps/tf_path_only_error/out.telemetry.terraform.txt

@@ -5,7 +5,10 @@ has_serverless_compute false
 has_tf_only_references true
 local.cache.attempt true
 local.cache.hit true
+permissions_section_is_set false
 presets_name_prefix_is_set false
 python_wheel_wrapper_is_set false
 run_as_set false
 skip_artifact_cleanup false
+state_path_acl_exceeds_permissions true
+state_path_is_shared false

acceptance/bundle/telemetry/deploy-app-lifecycle-started/output.txt

@@ -37,6 +37,18 @@ Deployment complete!
       "key": "skip_artifact_cleanup",
       "value": false
     },
+    {
+      "key": "permissions_section_is_set",
+      "value": false
+    },
+    {
+      "key": "state_path_is_shared",
+      "value": false
+    },
+    {
+      "key": "state_path_acl_exceeds_permissions",
+      "value": true
+    },
     {
       "key": "has_serverless_compute",
       "value": false

acceptance/bundle/telemetry/deploy-compute-type/output.txt

@@ -41,6 +41,18 @@ Deployment complete!
     "key": "skip_artifact_cleanup",
     "value": false
   },
+  {
+    "key": "permissions_section_is_set",
+    "value": false
+  },
+  {
+    "key": "state_path_is_shared",
+    "value": false
+  },
+  {
+    "key": "state_path_acl_exceeds_permissions",
+    "value": true
+  },
   {
     "key": "has_serverless_compute",
     "value": true
@@ -83,6 +95,18 @@ Deployment complete!
     "key": "skip_artifact_cleanup",
     "value": false
   },
+  {
+    "key": "permissions_section_is_set",
+    "value": false
+  },
+  {
+    "key": "state_path_is_shared",
+    "value": false
+  },
+  {
+    "key": "state_path_acl_exceeds_permissions",
+    "value": true
+  },
   {
     "key": "has_serverless_compute",
     "value": true

acceptance/bundle/telemetry/deploy-experimental/output.txt

@@ -40,6 +40,18 @@ Deployment complete!
       "key": "skip_artifact_cleanup",
       "value": false
     },
+    {
+      "key": "permissions_section_is_set",
+      "value": false
+    },
+    {
+      "key": "state_path_is_shared",
+      "value": false
+    },
+    {
+      "key": "state_path_acl_exceeds_permissions",
+      "value": true
+    },
     {
       "key": "has_serverless_compute",
       "value": false

acceptance/bundle/telemetry/deploy-name-prefix/custom/output.txt

@@ -36,6 +36,18 @@ Deployment complete!
       "key": "skip_artifact_cleanup",
       "value": false
     },
+    {
+      "key": "permissions_section_is_set",
+      "value": false
+    },
+    {
+      "key": "state_path_is_shared",
+      "value": false
+    },
+    {
+      "key": "state_path_acl_exceeds_permissions",
+      "value": true
+    },
     {
       "key": "has_serverless_compute",
       "value": false

acceptance/bundle/telemetry/deploy-name-prefix/mode-development/output.txt

@@ -36,6 +36,18 @@ Deployment complete!
       "key": "skip_artifact_cleanup",
       "value": false
     },
+    {
+      "key": "permissions_section_is_set",
+      "value": false
+    },
+    {
+      "key": "state_path_is_shared",
+      "value": false
+    },
+    {
+      "key": "state_path_acl_exceeds_permissions",
+      "value": true
+    },
     {
       "key": "has_serverless_compute",
       "value": false