Encode tag policy key as a single path segment in Get/Delete/UpdateTagPolicy

Governed tag keys may be hierarchical and contain "/" (e.g. "a/b"). The
generated TagPoliciesAPI builds the request path as
fmt.Sprintf("/api/2.1/tag-policies/%v", request.TagKey), so a raw "/" is
treated as a path separator and the request resolves to no matching endpoint
(404 / ENDPOINT_NOT_FOUND). Get, Delete, and Update are affected.

Add hand-written overrides on TagPoliciesAPI that url.PathEscape the path-param
TagKey before delegating to the generated impl; the server decodes it back to
the original key. The encoded fields are `json:"-" url:"-"`, so only the path
is affected. CreateTagPolicy is intentionally not overridden -- it sends the
key in the JSON body, where "/" is valid and must be stored verbatim.

Co-authored-by: Isaac
Signed-off-by: Lizhen Xiang <lizhen.xiang@databricks.com>

Author: lizhenxiang-db

NEXT_CHANGELOG.md

@@ -8,6 +8,8 @@
 
 ### Bug Fixes
 
+* Encode the tag policy key as a single path segment in `GetTagPolicy`, `DeleteTagPolicy`, and `UpdateTagPolicy` ([tags.TagPoliciesAPI](https://pkg.go.dev/github.com/databricks/databricks-sdk-go/service/tags#TagPoliciesAPI)). Keys may be hierarchical and contain `/`; the raw value was previously treated as a path separator, so such requests resolved to no endpoint (`404` / `ENDPOINT_NOT_FOUND`).
+
 ### Documentation
 
 ### Internal Changes

service/tags/ext_impl.go

@@ -0,0 +1,38 @@
+package tags
+
+import (
+	"context"
+	"net/url"
+)
+
+// This file is hand-written (not generated). It extends the generated
+// TagPoliciesAPI to percent-encode the governed-tag key when it travels as a
+// URL *path* parameter.
+//
+// Subdomain tag keys are hierarchical and contain "/" (e.g.
+// "Field/Shared Technical Services"). The generated impl builds the path as
+// fmt.Sprintf("/api/2.1/tag-policies/%v", request.TagKey), so a raw "/" is
+// treated as a path separator and the request resolves to no endpoint (404).
+// Encoding the key ("/" -> %2F) makes it route as a single path segment; the
+// server decodes it back to the original key.
+//
+// These methods shadow the promoted (generated) tagPoliciesImpl methods on
+// TagPoliciesAPI. CreateTagPolicy is intentionally NOT overridden: it sends the
+// key in the JSON body (CreateTagPolicyRequest.TagPolicy.TagKey), where a raw
+// "/" is correct and must be stored verbatim. The TagKey fields encoded below
+// are `json:"-" url:"-"`, so they are used only in the path — never the body.
+
+func (a *TagPoliciesAPI) GetTagPolicy(ctx context.Context, request GetTagPolicyRequest) (*TagPolicy, error) {
+	request.TagKey = url.PathEscape(request.TagKey)
+	return a.tagPoliciesImpl.GetTagPolicy(ctx, request)
+}
+
+func (a *TagPoliciesAPI) DeleteTagPolicy(ctx context.Context, request DeleteTagPolicyRequest) error {
+	request.TagKey = url.PathEscape(request.TagKey)
+	return a.tagPoliciesImpl.DeleteTagPolicy(ctx, request)
+}
+
+func (a *TagPoliciesAPI) UpdateTagPolicy(ctx context.Context, request UpdateTagPolicyRequest) (*TagPolicy, error) {
+	request.TagKey = url.PathEscape(request.TagKey)
+	return a.tagPoliciesImpl.UpdateTagPolicy(ctx, request)
+}

service/tags/ext_impl_test.go

@@ -0,0 +1,58 @@
+package tags
+
+import (
+	"context"
+	"testing"
+
+	"github.com/databricks/databricks-sdk-go/qa"
+)
+
+// These tests verify that the governed-tag key is percent-encoded when it is
+// sent as a URL *path* parameter, so a hierarchical key containing "/" (e.g.
+// "Field/Shared Technical Services") routes as a single path segment rather
+// than being split into multiple segments (which resolves to no endpoint).
+// The qa fixture matches on the raw request URI, so a passing match proves the
+// "/" was encoded to %2F.
+
+func TestGetTagPolicyEncodesPathKey(t *testing.T) {
+	requestMocks := qa.HTTPFixtures{
+		{
+			Method:   "GET",
+			Resource: "/api/2.1/tag-policies/Field%2FShared%20Technical%20Services?",
+			Response: TagPolicy{TagKey: "Field/Shared Technical Services"},
+		},
+	}
+	client, server := requestMocks.Client(t)
+	defer server.Close()
+	api := &TagPoliciesAPI{tagPoliciesImpl: tagPoliciesImpl{client: client}}
+
+	resp, err := api.GetTagPolicy(context.Background(), GetTagPolicyRequest{
+		TagKey: "Field/Shared Technical Services",
+	})
+	if err != nil {
+		t.Fatalf("GetTagPolicy returned error: %v", err)
+	}
+	if resp.TagKey != "Field/Shared Technical Services" {
+		t.Fatalf("unexpected tag_key in response: %q", resp.TagKey)
+	}
+}
+
+func TestDeleteTagPolicyEncodesPathKey(t *testing.T) {
+	requestMocks := qa.HTTPFixtures{
+		{
+			Method:   "DELETE",
+			Resource: "/api/2.1/tag-policies/Field%2FShared%20Technical%20Services?",
+			Response: map[string]any{},
+		},
+	}
+	client, server := requestMocks.Client(t)
+	defer server.Close()
+	api := &TagPoliciesAPI{tagPoliciesImpl: tagPoliciesImpl{client: client}}
+
+	err := api.DeleteTagPolicy(context.Background(), DeleteTagPolicyRequest{
+		TagKey: "Field/Shared Technical Services",
+	})
+	if err != nil {
+		t.Fatalf("DeleteTagPolicy returned error: %v", err)
+	}
+}