@databricks/appkit-ui 0.19.1 → 0.20.0

package/CLAUDE.md

@@ -46,7 +46,7 @@ npx @databricks/appkit docs <query>
 - [Execution context](./docs/plugins/execution-context.md): AppKit manages Databricks authentication via two contexts:
 - [Files plugin](./docs/plugins/files.md): File operations against Databricks Unity Catalog Volumes. Supports listing, reading, downloading, uploading, deleting, and previewing files with built-in caching, retry, and timeout handling via the execution interceptor pipeline.
 - [Genie plugin](./docs/plugins/genie.md): Integrates Databricks AI/BI Genie spaces into your AppKit application, enabling natural language data queries via a conversational interface.
-- [Lakebase plugin](./docs/plugins/lakebase.md): Currently, the Lakebase plugin currently requires a one-time manual setup to connect your Databricks App with your Lakebase database. An automated setup process is planned for an upcoming future release.
+- [Lakebase plugin](./docs/plugins/lakebase.md): Provides a PostgreSQL connection pool for Databricks Lakebase Autoscaling with automatic OAuth token refresh.
 - [Plugin management](./docs/plugins/plugin-management.md): AppKit includes a CLI for managing plugins. All commands are available under npx @databricks/appkit plugin.
 - [Server plugin](./docs/plugins/server.md): Provides HTTP server capabilities with development and production modes.
 

package/dist/schemas/plugin-manifest.schema.json

@@ -111,6 +111,7 @@
         "uc_function",
         "uc_connection",
         "database",
+        "postgres",
         "genie_space",
         "experiment",
         "app"
@@ -162,6 +163,11 @@
       "enum": ["CAN_CONNECT_AND_CREATE"],
       "description": "Permission for database resources"
     },
+    "postgresPermission": {
+      "type": "string",
+      "enum": ["CAN_CONNECT_AND_CREATE"],
+      "description": "Permission for Postgres resources"
+    },
     "genieSpacePermission": {
       "type": "string",
       "enum": ["CAN_VIEW", "CAN_RUN", "CAN_EDIT", "CAN_MANAGE"],
@@ -179,7 +185,6 @@
     },
     "resourceFieldEntry": {
       "type": "object",
-      "required": ["env"],
       "properties": {
         "env": {
           "type": "string",
@@ -190,20 +195,37 @@
         "description": {
           "type": "string",
           "description": "Human-readable description for this field"
+        },
+        "bundleIgnore": {
+          "type": "boolean",
+          "default": false,
+          "description": "When true, this field is excluded from Databricks bundle configuration (databricks.yml) generation."
+        },
+        "examples": {
+          "type": "array",
+          "items": { "type": "string" },
+          "description": "Example values showing the expected format for this field"
+        },
+        "localOnly": {
+          "type": "boolean",
+          "default": false,
+          "description": "When true, this field is only generated for local .env files. The Databricks Apps platform auto-injects it at deploy time."
+        },
+        "value": {
+          "type": "string",
+          "description": "Static value for this field. Used when no prompted or resolved value exists."
+        },
+        "resolve": {
+          "type": "string",
+          "pattern": "^[a-z_]+:[a-zA-Z]+$",
+          "description": "Named resolver prefixed by resource type (e.g., 'postgres:host'). The CLI resolves this value during the init prompt flow."
         }
       },
       "additionalProperties": false
     },
     "resourceRequirement": {
       "type": "object",
-      "required": [
-        "type",
-        "alias",
-        "resourceKey",
-        "description",
-        "permission",
-        "fields"
-      ],
+      "required": ["type", "alias", "resourceKey", "description", "permission"],
       "properties": {
         "type": {
           "$ref": "#/$defs/resourceType"
@@ -337,6 +359,17 @@
             }
           }
         },
+        {
+          "if": {
+            "properties": { "type": { "const": "postgres" } },
+            "required": ["type"]
+          },
+          "then": {
+            "properties": {
+              "permission": { "$ref": "#/$defs/postgresPermission" }
+            }
+          }
+        },
         {
           "if": {
             "properties": { "type": { "const": "genie_space" } },

package/docs/api/appkit/Enumeration.ResourceType.md

@@ -49,6 +49,15 @@ JOB: "job";
 
 ***
 
+### POSTGRES[​](#postgres "Direct link to POSTGRES")
+
+```ts
+POSTGRES: "postgres";
+
+```
+
+***
+
 ### SECRET[​](#secret "Direct link to SECRET")
 
 ```ts

package/docs/api/appkit/Interface.ResourceFieldEntry.md

@@ -4,6 +4,17 @@ Defines a single field for a resource. Each field has its own environment variab
 
 ## Properties[​](#properties "Direct link to Properties")
 
+### bundleIgnore?[​](#bundleignore "Direct link to bundleIgnore?")
+
+```ts
+optional bundleIgnore: boolean;
+
+```
+
+When true, this field is excluded from Databricks bundle configuration (databricks.yml) generation.
+
+***
+
 ### description?[​](#description "Direct link to description?")
 
 ```ts
@@ -15,11 +26,55 @@ Human-readable description for this field
 
 ***
 
-### env[​](#env "Direct link to env")
+### env?[​](#env "Direct link to env?")
 
 ```ts
-env: string;
+optional env: string;
 
 ```
 
 Environment variable name for this field
+
+***
+
+### examples?[​](#examples "Direct link to examples?")
+
+```ts
+optional examples: string[];
+
+```
+
+Example values showing the expected format for this field
+
+***
+
+### localOnly?[​](#localonly "Direct link to localOnly?")
+
+```ts
+optional localOnly: boolean;
+
+```
+
+When true, this field is only generated for local .env files. The Databricks Apps platform auto-injects it at deploy time.
+
+***
+
+### resolve?[​](#resolve "Direct link to resolve?")
+
+```ts
+optional resolve: string;
+
+```
+
+Named resolver prefixed by resource type (e.g., 'postgres<!-- -->:host<!-- -->'). The CLI resolves this value during the init prompt flow.
+
+***
+
+### value?[​](#value "Direct link to value?")
+
+```ts
+optional value: string;
+
+```
+
+Static value for this field. Used when no prompted or resolved value exists.

package/docs/api/appkit/TypeAlias.ResourcePermission.md

@@ -11,6 +11,7 @@ type ResourcePermission =
   | UcFunctionPermission
   | UcConnectionPermission
   | DatabasePermission
+  | PostgresPermission
   | GenieSpacePermission
   | ExperimentPermission
   | AppPermission;

package/docs/plugins/lakebase.md

@@ -1,9 +1,5 @@
 # Lakebase plugin
 
-info
-
-Currently, the Lakebase plugin currently requires a one-time manual setup to connect your Databricks App with your Lakebase database. An automated setup process is planned for an upcoming future release.
-
 Provides a PostgreSQL connection pool for Databricks Lakebase Autoscaling with automatic OAuth token refresh.
 
 **Key features:**
@@ -12,90 +8,24 @@ Provides a PostgreSQL connection pool for Databricks Lakebase Autoscaling with a
 * Automatic OAuth token refresh (1-hour tokens, 2-minute refresh buffer)
 * Token caching to minimize API calls
 * Built-in OpenTelemetry instrumentation (query duration, pool connections, token refresh)
+* AppKit logger configured by default for query and connection events
 
-## Setting up Lakebase[​](#setting-up-lakebase "Direct link to Setting up Lakebase")
-
-Before using the plugin, you need to connect your Databricks App's service principal to your Lakebase database.
-
-### 1. Find your app's service principal[​](#1-find-your-apps-service-principal "Direct link to 1. Find your app's service principal")
-
-Create a Databricks App from the UI (`Compute > Apps > Create App > Create a custom app`). Navigate to the **Environment** tab and note the `DATABRICKS_CLIENT_ID` value — this is the service principal that will connect to your Lakebase database.
-
-![App environment tab](/appkit/assets/images/step-1-073320f925a3961838afa0842c727307.png)
-
-### 2. Find your Project ID and Branch ID[​](#2-find-your-project-id-and-branch-id "Direct link to 2. Find your Project ID and Branch ID")
+## Getting started with the Lakebase[​](#getting-started-with-the-lakebase "Direct link to Getting started with the Lakebase")
 
-Create a new Lakebase Postgres Autoscaling project. Navigate to your Lakebase project's branch details and switch to the **Compute** tab. Note the **Project ID** and **Branch ID** from the URL.
+The easiest way to get started with the Lakebase plugin is to use the Databricks CLI to create a new Databricks app with AppKit installed and the Lakebase plugin.
 
-![Branch details](/appkit/assets/images/step-2-25954a56aecd4dafe4966f7cecc6e8f4.png)
+### Prerequisites[​](#prerequisites "Direct link to Prerequisites")
 
-### 3. Find your endpoint[​](#3-find-your-endpoint "Direct link to 3. Find your endpoint")
+* [Node.js](https://nodejs.org) v22+ environment with `npm`
+* Databricks CLI (v0.287.0 or higher): install and configure it according to the [official tutorial](https://docs.databricks.com/aws/en/dev-tools/cli/tutorial).
+* A new Databricks app with AppKit installed. See [Bootstrap a new Databricks app](./docs.md#quick-start-options) for more details.
 
-Use the Databricks CLI to list endpoints for the branch. Note the `name` field from the output — this is your `LAKEBASE_ENDPOINT` value.
+### Steps[​](#steps "Direct link to Steps")
 
-```bash
-databricks postgres list-endpoints projects/{project-id}/branches/{branch-id}
-
-```
-
-Example output:
-
-```json
-[
-  {
-    "create_time": "2026-02-19T12:13:02Z",
-    "name": "projects/{project-id}/branches/{branch-id}/endpoints/primary"
-  }
-]
-
-```
-
-### 4. Get connection parameters[​](#4-get-connection-parameters "Direct link to 4. Get connection parameters")
-
-Click the **Connect** button on your Lakebase branch and copy the `PGHOST` and `PGDATABASE` values for later.
-
-![Connect dialog](/appkit/assets/images/step-4-78b906d125c2c130f6e14984a9f89a62.png)
-
-### 5. Grant access to the service principal[​](#5-grant-access-to-the-service-principal "Direct link to 5. Grant access to the service principal")
-
-Navigate to the **SQL Editor** tab on your Lakebase branch. Run the following SQL against the `databricks_postgres` database, replacing the service principal ID in the `DECLARE` block with the `DATABRICKS_CLIENT_ID` value from step 1:
-
-```sql
-CREATE EXTENSION IF NOT EXISTS databricks_auth;
-
-DO $$
-DECLARE
-  sp TEXT := 'your-service-principal-id';  -- Replace with DATABRICKS_CLIENT_ID from Step 1
-BEGIN
-  -- Create service principal role
-  PERFORM databricks_create_role(sp, 'SERVICE_PRINCIPAL');
-
-  -- Connection and schema access
-  EXECUTE format('GRANT CONNECT ON DATABASE "databricks_postgres" TO %I', sp);
-  EXECUTE format('GRANT ALL ON SCHEMA public TO %I', sp);
-
-  -- Privileges on existing objects
-  EXECUTE format('GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO %I', sp);
-  EXECUTE format('GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO %I', sp);
-  EXECUTE format('GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public TO %I', sp);
-  EXECUTE format('GRANT ALL PRIVILEGES ON ALL PROCEDURES IN SCHEMA public TO %I', sp);
-
-  -- Default privileges on future objects you create
-  EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO %I', sp);
-  EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO %I', sp);
-  EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON FUNCTIONS TO %I', sp);
-  EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON ROUTINES TO %I', sp);
-END $$;
-
-```
-
-![SQL Editor](/appkit/assets/images/step-5-38bdf3e3ac8aadf2c0cd57aa5f0ba090.png)
-
-### 6. Verify the role[​](#6-verify-the-role "Direct link to 6. Verify the role")
-
-Navigate to the **Roles & Databases** tab and confirm the role is visible. You may need to fully refresh the page.
-
-![Roles \& Databases tab](/appkit/assets/images/step-6-edbb462e89a66c46d58424768c163e4e.png)
+1. Firstly, create a new Lakebase Postgres Autoscaling project according to the [Get started documentation](https://docs.databricks.com/aws/en/oltp/projects/get-started).
+2. To add the Lakebase plugin to your project, run the `databricks apps init` command and interactively select the **Lakebase** plugin. The CLI will guide you through picking a Lakebase project, branch, and database.
+   <!-- -->
+   * When asked, select **Yes** to deploy the app to Databricks Apps right after its creation.
 
 ## Basic usage[​](#basic-usage "Direct link to Basic usage")
 
@@ -108,34 +38,6 @@ await createApp({
 
 ```
 
-## Environment variables[​](#environment-variables "Direct link to Environment variables")
-
-The required environment variables:
-
-| Variable            | Description                                                             |
-| ------------------- | ----------------------------------------------------------------------- |
-| `PGHOST`            | Lakebase host                                                           |
-| `PGDATABASE`        | Database name                                                           |
-| `LAKEBASE_ENDPOINT` | Endpoint resource path (e.g. `projects/.../branches/.../endpoints/...`) |
-| `PGSSLMODE`         | TLS mode — set to `require`                                             |
-
-Ensure that those environment variables are set both for local development (`.env` file) and for deployment (`app.yaml` file):
-
-```yaml
-env:
-  - name: LAKEBASE_ENDPOINT
-    value: projects/{project-id}/branches/{branch-id}/endpoints/primary
-  - name: PGHOST
-    value: {your-lakebase-host}
-  - name: PGDATABASE
-    value: databricks_postgres
-  - name: PGSSLMODE
-    value: require
-
-```
-
-For the full configuration reference (SSL, pool size, timeouts, logging, ORM examples), see the [`@databricks/lakebase` README](https://github.com/databricks/appkit/blob/main/packages/lakebase/README.md).
-
 ## Accessing the pool[​](#accessing-the-pool "Direct link to Accessing the pool")
 
 After initialization, access Lakebase through the `AppKit.lakebase` object:
@@ -145,9 +47,17 @@ const AppKit = await createApp({
   plugins: [server(), lakebase()],
 });
 
-// Direct query (parameterized)
+await AppKit.lakebase.query(`CREATE SCHEMA IF NOT EXISTS app`);
+
+await AppKit.lakebase.query(`CREATE TABLE IF NOT EXISTS app.orders (
+  id SERIAL PRIMARY KEY,
+  user_id VARCHAR(255) NOT NULL,
+  amount DECIMAL(10, 2) NOT NULL,
+  created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+)`);
+
 const result = await AppKit.lakebase.query(
-  "SELECT * FROM orders WHERE user_id = $1",
+  "SELECT * FROM app.orders WHERE user_id = $1",
   [userId],
 );
 
@@ -160,7 +70,33 @@ const pgConfig = AppKit.lakebase.getPgConfig();    // pg.PoolConfig
 
 ```
 
-## Configuration options[​](#configuration-options "Direct link to Configuration options")
+## Configuration[​](#configuration "Direct link to Configuration")
+
+### Environment variables[​](#environment-variables "Direct link to Environment variables")
+
+The required environment variables are:
+
+| Variable            | Description                                                                                          |
+| ------------------- | ---------------------------------------------------------------------------------------------------- |
+| `LAKEBASE_ENDPOINT` | Endpoint resource path (e.g. `projects/.../branches/.../endpoints/...`)                              |
+| `PGHOST`            | Lakebase host (auto-injected in production by the `postgres` Databricks Apps resource)               |
+| `PGDATABASE`        | Database name (auto-injected in production by the `postgres` Databricks Apps resource)               |
+| `PGSSLMODE`         | TLS mode - set to `require` (auto-injected in production by the `postgres` Databricks Apps resource) |
+
+When deployed to Databricks Apps with a `postgres` database resource configured, `PGHOST`, `PGDATABASE`, `PGSSLMODE`, `PGUSER`, `PGPORT`, and `PGAPPNAME` are automatically injected by the platform. Only `LAKEBASE_ENDPOINT` must be set explicitly:
+
+```yaml
+env:
+  - name: LAKEBASE_ENDPOINT
+    valueFrom: postgres
+
+```
+
+For local development, the `.env` file is automatically generated by `databricks apps init` with the correct values for your Lakebase project.
+
+For the full configuration reference (SSL, pool size, timeouts, logging, ORM examples), see the [`@databricks/lakebase` README](https://github.com/databricks/appkit/blob/main/packages/lakebase/README.md).
+
+### Pool configuration[​](#pool-configuration "Direct link to Pool configuration")
 
 Pass a `pool` object to override any defaults:
 
@@ -178,3 +114,74 @@ await createApp({
 });
 
 ```
+
+## Database Permissions[​](#database-permissions "Direct link to Database Permissions")
+
+When you create the app with the Lakebase resource using the [Getting started](#getting-started-with-the-lakebase) guide, the Service Principal is automatically granted `CONNECT_AND_CREATE` permission on the `postgres` resource. This lets the Service Principal connect to the database and create new objects, but **not access any existing schemas or tables.**
+
+### Local development[​](#local-development "Direct link to Local development")
+
+To develop locally against a deployed Lakebase database:
+
+1. **Deploy the app first.** The Service Principal creates the database schema and tables on first deploy. Apps generated from `databricks apps init` handle this automatically - they check if tables exist on startup and skip creation if they do.
+
+2. **Grant `databricks_superuser` via the Lakebase UI:**
+
+   1. Open the Lakebase Autoscaling UI and navigate to your project's **Branch Overview** page.
+   2. Click **Add role** (or **Edit role** if your OAuth role already exists).
+   3. Select your Databricks identity as the principal and check the **`databricks_superuser`** system role.
+
+3. **Run locally** - your Databricks user identity (email) is used for OAuth authentication. The `databricks_superuser` role gives full **DML access** (read/write data) but **not DDL** (creating schemas or tables) - that's why deploying first matters (see note below).
+
+For other users, use the same **Add role** flow in the Lakebase UI to create an OAuth role with `databricks_superuser` for each user.
+
+tip
+
+[Postgres password authentication](https://docs.databricks.com/aws/en/oltp/projects/authentication#overview) is a simpler alternative that avoids OAuth role permission complexity. However, it requires you to set up a password for the user in the **Branch Overview** page in the Lakebase Autoscaling UI.
+
+Why deploy first?
+
+When the app is deployed, the Service Principal creates schemas and tables and becomes their owner. A `databricks_superuser` has full **DML access** (SELECT, INSERT, UPDATE, DELETE) to these objects, but **cannot run DDL** (CREATE SCHEMA, CREATE TABLE) on schemas owned by the Service Principal. Deploying first ensures all objects exist before local development begins.
+
+### Fine-grained permissions[​](#fine-grained-permissions "Direct link to Fine-grained permissions")
+
+For most use cases, `databricks_superuser` is sufficient. If you need schema-level grants instead, refer to the official documentation:
+
+* [Manage database permissions](https://docs.databricks.com/aws/en/oltp/projects/manage-roles-permissions)
+* [Postgres roles](https://docs.databricks.com/aws/en/oltp/projects/postgres-roles)
+
+SQL script for fine-grained grants
+
+Deploy and run the app at least once before executing these grants so the Service Principal initializes the database schema first.
+
+Replace `subject` with the user email and `schema` with your schema name:
+
+```sql
+CREATE EXTENSION IF NOT EXISTS databricks_auth;
+
+DO $$
+DECLARE
+  subject TEXT := 'your-subject';  -- User email like name@databricks.com
+  schema TEXT := 'your_schema'; -- Replace 'your_schema' with your schema name
+BEGIN
+  -- Create OAuth role for the Databricks identity
+  PERFORM databricks_create_role(subject, 'USER');
+
+  -- Connection and schema access
+  EXECUTE format('GRANT CONNECT ON DATABASE "databricks_postgres" TO %I', subject);
+  EXECUTE format('GRANT ALL ON SCHEMA %s TO %I', schema, subject);
+
+  -- Privileges on existing objects
+  EXECUTE format('GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA %s TO %I', schema, subject);
+  EXECUTE format('GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA %s TO %I', schema, subject);
+  EXECUTE format('GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA %s TO %I', schema, subject);
+  EXECUTE format('GRANT ALL PRIVILEGES ON ALL PROCEDURES IN SCHEMA %s TO %I', schema, subject);
+
+  -- Default privileges on future objects
+  EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT ALL ON TABLES TO %I', schema, subject);
+  EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT ALL ON SEQUENCES TO %I', schema, subject);
+  EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT ALL ON FUNCTIONS TO %I', schema, subject);
+  EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT ALL ON ROUTINES TO %I', schema, subject);
+END $$;
+
+```

package/llms.txt

@@ -46,7 +46,7 @@ npx @databricks/appkit docs <query>
 - [Execution context](./docs/plugins/execution-context.md): AppKit manages Databricks authentication via two contexts:
 - [Files plugin](./docs/plugins/files.md): File operations against Databricks Unity Catalog Volumes. Supports listing, reading, downloading, uploading, deleting, and previewing files with built-in caching, retry, and timeout handling via the execution interceptor pipeline.
 - [Genie plugin](./docs/plugins/genie.md): Integrates Databricks AI/BI Genie spaces into your AppKit application, enabling natural language data queries via a conversational interface.
-- [Lakebase plugin](./docs/plugins/lakebase.md): Currently, the Lakebase plugin currently requires a one-time manual setup to connect your Databricks App with your Lakebase database. An automated setup process is planned for an upcoming future release.
+- [Lakebase plugin](./docs/plugins/lakebase.md): Provides a PostgreSQL connection pool for Databricks Lakebase Autoscaling with automatic OAuth token refresh.
 - [Plugin management](./docs/plugins/plugin-management.md): AppKit includes a CLI for managing plugins. All commands are available under npx @databricks/appkit plugin.
 - [Server plugin](./docs/plugins/server.md): Provides HTTP server capabilities with development and production modes.
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@databricks/appkit-ui",
   "type": "module",
-  "version": "0.19.1",
+  "version": "0.20.0",
   "license": "Apache-2.0",
   "repository": {
     "type": "git",