Prepare v1.0.0 release and document stability policy.

NEXT_CHANGELOG.md

@@ -1,9 +1,12 @@
 # NEXT CHANGELOG
 
-## Release v0.300.0
+## Release v1.0.0
 
 ### Notable Changes
 
+* The Databricks CLI is now generally available with version v1.0.0 as the first major release 🚀. From this version on, the CLI follows semantic versioning (see [README](README.md)). This change does not impact DABs or other existing commands beyond the changes listed below.
+* The 0.299.x line continues to receive security-critical patches through May 20, 2027; see [SECURITY](SECURITY.md) for the support policy.
+* Starting with v1.0.0, the CLI will use [immutable release tags](https://docs.github.com/en/code-security/concepts/supply-chain-security/immutable-releases) to increase security against supply chain attacks.
 * Breaking change: OAuth tokens for interactive logins (`auth_type = databricks-cli`) are now stored in the OS-native secure store by default (Keychain on macOS, Credential Manager on Windows, Secret Service on Linux) instead of `~/.databricks/token-cache.json`. After upgrading, run `databricks auth login` once per profile to re-authenticate; cached tokens from older versions are not migrated. To keep the previous file-backed storage, set `DATABRICKS_AUTH_STORAGE=plaintext` or add `auth_storage = plaintext` under `[__settings__]` in `~/.databrickscfg` (the env var takes precedence over the config setting), then re-run `databricks auth login`. On systems where the OS keyring is not reachable (e.g. Linux containers without a D-Bus session bus), the CLI transparently falls back to the file cache when reading tokens so legacy `token-cache.json` entries remain accessible without manual configuration.
 
 ### CLI
@@ -19,5 +22,3 @@
 * Support `replace_existing: true` on `postgres_branches` and `postgres_endpoints` so bundles can manage the implicitly-created production branch and primary read-write endpoint of a Lakebase project.
 * Add `postgres_catalogs` resource to bind a Unity Catalog catalog to a Postgres database on a Lakebase Autoscaling branch ([#5265](https://github.com/databricks/cli/pull/5265)).
 * engine/direct: Changes to state file now persisted to .wal file right away instead of being saved in the end ([#5149](https://github.com/databricks/cli/pull/5149))
-
-### Dependency updates

README.md

@@ -36,5 +36,30 @@ This CLI follows the Databricks Unified Authentication principles.
 
 You can find a detailed description at https://github.com/databricks/databricks-sdk-go#authentication.
 
+## Stability Policy
+
+### Feature stability
+
+Commands and flags are stable by default and will not break within a major version.
+
+Some features are unstable and may change in any MINOR release:
+
+- Commands and flags marked **Beta** or **Private Preview** in their `--help` output.
+- Commands in the `databricks experimental` group.
+
+### Versioning
+
+The CLI follows [Semantic Versioning](https://semver.org) (`MAJOR.MINOR.PATCH`):
+
+- `MAJOR` is incremented for breaking changes to **stable** features.
+- `MINOR` is incremented for new features and for breaking changes to **unstable** features.
+- `PATCH` is incremented for backward-compatible bug fixes, security fixes, and dependency updates.
+
+Databricks may ship a breaking change to a stable feature without a major version bump in exceptional circumstances where waiting for the next major version would itself cause greater harm: an active security incident, a legal or compliance requirement, or a regression introduced in the current major version. Any such exceptional change is announced in the release notes.
+
+### Security patches
+
+Security patches ship on the current release, and on specific older versions listed in [`SECURITY.md`](./SECURITY.md). The CLI does not currently offer a broader long-term support commitment.
+
 ## Privacy Notice
 Databricks CLI use is subject to the [Databricks License](https://github.com/databricks/cli/blob/main/LICENSE) and [Databricks Privacy Notice](https://www.databricks.com/legal/privacynotice), including any Usage Data provisions.

SECURITY.md

@@ -1,4 +1,14 @@
 ## Reporting a Vulnerability
 
-We appreciate any security concerns brought to our attention and encourage you to notify us of any potential vulnerabilities discovered in our systems or products.
-If you believe you have found a security vulnerability, please report it to us at [security@databricks.com](mailto:security@databricks.com).
+We appreciate any security concerns brought to our attention and encourage you to notify us of any potential vulnerabilities discovered in our systems or products. If you believe you have found a security vulnerability, please report it to us at [security@databricks.com](mailto:security@databricks.com).
+
+## Supported Versions
+
+The following versions receive security patches:
+
+| Version | Notes |
+| :---- | :---- |
+| Latest release | Active development line. |
+| `v0.299.x` | Extended security support until 2027-05-20. |
+
+Other versions of the CLI do not receive patches.