Make sure warnings asking for approval are understood by agents #5239

Merged: lennartkats-db merged 15 commits into main from agent-consent-v2 on May 15, 2026

@lennartkats-db
Contributor

Changes

This improves warnings like "current console does not support prompting. Please specify --auto-approve if you would like to skip prompts and proceed" for better understandability by agents. Right now there's risk they dismiss any warnings and proceed without human consent.

Tests

  • Agentic validation
  • Acceptance tests

Adds a consent-token-based gating system for AI agents using destructive
CLI flags (--force-lock, --auto-approve, --force). Includes agent
detection via environment variables, improved error messages, and a
`databricks agent consent` command.

This commit preserves the original approach before simplification.

Co-authored-by: Isaac
Error messages for --auto-approve, --force-lock, and --force previously
instructed callers to add the flag (e.g., "please specify --auto-approve").
AI agents follow this literally and retry with the flag, destroying
resources without human review.

This change:
- Rewrites error messages to explain consequences instead of instructing
  callers to add the flag
- Detects AI agents via environment variables (Claude Code, Cursor, Codex,
  Cline, Gemini CLI, OpenCode, Antigravity)
- Blocks agents from using --auto-approve, --force-lock, or --force with
  a clear error telling them to get human approval first

Co-authored-by: Isaac
Instead of blocking agents from using --auto-approve/--force-lock/--force
with a separate early gate, append an agent notice to the existing error
messages. This way agents see the warning in context and are told not to
retry with those flags without human approval.

Also improves error messages to describe data loss consequences:
- destroy: mentions schemas, pipelines, streaming tables, volume files
- deploy: mentions schemas, pipelines, volumes may be permanently deleted
- lock: explains risk of corrupting in-progress deployment

Co-authored-by: Isaac
Replace custom agent detection with useragent.AgentProvider() from the
Go SDK, which already detects AI agents via environment variables.

Rephrase all error messages to lead with the situation, then explain
what the flag does and its consequences, rather than assuming the reader
already knows what the flag is for.

Co-authored-by: Isaac
Tighten the wording of destructive-action error messages and rewrite
AgentNotice to refer to "the flag suggested above" rather than listing
all gated flags. The notice now says the operation may be irreversible
rather than claiming data loss, which fits all sites (destroy, deploy,
lock, git branch, dashboard, bind).

Co-authored-by: Isaac
…Warning

Move the "use --auto-approve" line to the end of the destroy/deploy error
messages so the call to action follows the consequences. Extract the
data-loss line into a shared DataLossWarning constant in bundle/phases,
reused by both cmd/bundle/destroy and bundle/phases/deploy.

Drop AgentNotice from the locker error: a lock conflict is an ops concern,
not a destructive one. Reword "corrupt the other deployment" to "conflict
with the other deployment". Reword bind no-tty error from "without
confirmation, ... changes above" to "use --auto-approve after reviewing
the plan above".

Co-authored-by: Isaac
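
The message layout these commits describe (situation first, then consequences, the `--auto-approve` call to action last, and an agent notice appended only when an agent is detected), as an added Go example that is not the CLI's own code. Apart from the quoted "To proceed" line, the message wording, the `EXAMPLE_AGENT_*` variable names and the helper names are assumptions; the environment lookup stands in for the SDK's `useragent.AgentProvider()`.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// Constructed wording: only the "To proceed" line is quoted on the page.
const (
	dataLossWarning = "Resources such as schemas, pipelines and volumes may be permanently deleted."
	actionLine      = "To proceed, use --auto-approve after reviewing the plan above."
	agentNotice     = "Notice for AI agents: this operation may be irreversible. " +
		"Do not retry with the flag suggested above without human approval."
)

// Hypothetical marker variables; a real CLI would ask its SDK instead.
var agentEnvVars = []string{"EXAMPLE_AGENT_A", "EXAMPLE_AGENT_B"}

// agentDetected reports whether any marker variable is set.
func agentDetected(getenv func(string) string) bool {
	for _, name := range agentEnvVars {
		if getenv(name) != "" {
			return true
		}
	}
	return false
}

// approvalError returns nil when the destructive step may continue: the flag
// was given, or a TTY exists so the caller can prompt the human. Otherwise it
// builds the error: situation, consequences, call to action, agent notice.
func approvalError(autoApprove, isTTY bool, getenv func(string) string) error {
	if autoApprove || isTTY {
		return nil
	}
	lines := []string{"this action requires approval, but the current console does not support prompting",
		dataLossWarning, actionLine}
	if agentDetected(getenv) {
		lines = append(lines, agentNotice)
	}
	return errors.New(strings.Join(lines, "\n"))
}

func main() {
	// Simulates a non-interactive run without the flag.
	fmt.Println("Error:", approvalError(false, false, os.Getenv))
}
```
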
The "^Error:" grep was filtering out the actionable second line
("To proceed, use --auto-approve after reviewing the plan above.").
Use sed to print from "Error:" to end of file.

Co-authored-by: Isaac
@lennartkats-db changed the title from "Make sure consent errors are understood by agents" to "Make sure warnings asking for approval are understood by agents" on May 12, 2026
- Drop the //nolint comment that was carried over from the original bind
  error (no longer needed with the rewritten message).
- Remove the trailing period from the lock conflict error to satisfy
  ST1005 (error strings should not end with punctuation).

Co-authored-by: Isaac
The earlier merge with main brought back engine/direct changelog entries
that have since been released. Keep only the new entry for this PR.

Co-authored-by: Isaac
…ding

This UC-only test runs on aws-ucws/azure-ucws environments (not in
make test), so the fixture wasn't regenerated when the destroy/deploy
error wording changed. The `"principal":"..."` spacing change is a
separate cosmetic update.

Co-authored-by: Isaac
@simonfaltum
Member

This is a really solid initiative. Looks fine to me, but will let someone with more bundle knowledge review in depth

@lennartkats-db added this pull request to the merge queue May 15, 2026
Merged via the queue into main with commit 01cd7e0 May 15, 2026
27 checks passed
@lennartkats-db deleted the agent-consent-v2 branch May 15, 2026 13:11
denik pushed a commit that referenced this pull request May 20, 2026
deco-sdk-tagging Bot added a commit that referenced this pull request May 21, 2026
## Release v1.0.0

### Notable Changes

* The Databricks CLI is now generally available with version v1.0.0 as the first major release 🚀. From this version on, the CLI follows semantic versioning (see [README](README.md)). This change does not impact DABs or other existing commands beyond the changes listed below.
* The 0.299.x line continues to receive security-critical patches through May 20, 2027; see [SECURITY](SECURITY.md) for the support policy.
* Starting with v1.0.0, the CLI will use [immutable release tags](https://docs.github.com/en/code-security/concepts/supply-chain-security/immutable-releases) to increase security against supply chain attacks.
* Breaking change: OAuth tokens for interactive logins (`auth_type = databricks-cli`) are now stored in the OS-native secure store by default (Keychain on macOS, Credential Manager on Windows, Secret Service on Linux) instead of `~/.databricks/token-cache.json`. After upgrading, run `databricks auth login` once per profile to re-authenticate; cached tokens from older versions are not migrated. To keep the previous file-backed storage, set `DATABRICKS_AUTH_STORAGE=plaintext` or add `auth_storage = plaintext` under `[__settings__]` in `~/.databrickscfg` (the env var takes precedence over the config setting), then re-run `databricks auth login`. On systems where the OS keyring is not reachable (e.g. Linux containers without a D-Bus session bus), the CLI transparently falls back to the file cache when reading tokens so legacy `token-cache.json` entries remain accessible without manual configuration.

### CLI

* Added `databricks aitools` command group for installing Databricks skills into your coding agents (Claude Code, Cursor, Codex CLI, OpenCode, GitHub Copilot, Antigravity). Skills are fetched from [github.com/databricks/databricks-agent-skills](https://github.com/databricks/databricks-agent-skills) and either symlinked into each agent's skills directory or copied into the current project. Use `databricks aitools install` to set up, `update` to pull newer versions, `list` to see what's available, and `uninstall` to remove them. Pick where they go with `--scope=project|global` (`--scope=both` is accepted on `update` and `list`).
* `[__settings__].default_profile` is now consulted as a fallback by `databricks api`, `databricks auth token`, and bundle commands when neither `--profile` nor `DATABRICKS_CONFIG_PROFILE` is set. `databricks auth token` continues to give precedence to `DATABRICKS_HOST` over `default_profile`. For bundle commands, `default_profile` only applies when the bundle does not pin its own `workspace.host`.
* Fixed bug where auth commands did not load the DEFAULT profile properly during auth where type is `databricks-cli`.
* `databricks workspace import-dir` now skips `.git`, `.databricks`, and `node_modules` directories during recursive imports. To import one of these directories deliberately, pass it as `SOURCE_PATH` ([#5118](#5118)).
* `databricks postgres create-role --help` now documents the `--json` body shape and rejects the common mistake of wrapping the body in `{"role": ...}` client-side with a hint pointing at the correct shape ([#5111](#5111)).
* `databricks aitools list` honors `--output json`, emitting a structured `{release, skills[...], summary{}}` document so coding agents and CI can consume the skill/version/installation matrix without scraping the tabular text output ([#5233](#5233)).

### Bundles
* Make sure warnings asking for approval are understood by agents ([#5239](#5239))
* Support `replace_existing: true` on `postgres_branches` and `postgres_endpoints` so bundles can manage the implicitly-created production branch and primary read-write endpoint of a Lakebase project.
* Add `postgres_catalogs` resource to bind a Unity Catalog catalog to a Postgres database on a Lakebase Autoscaling branch ([#5265](#5265)).
* Add `postgres_synced_tables` resource to sync a Unity Catalog Delta table into a Postgres table on a Lakebase Autoscaling branch ([#5268](#5268)).
* engine/direct: Changes to state file now persisted to .wal file right away instead of being saved in the end ([#5149](#5149))
TanishqDatabricks pushed a commit to TanishqDatabricks/cli that referenced this pull request May 22, 2026
TanishqDatabricks pushed a commit to TanishqDatabricks/cli that referenced this pull request May 22, 2026