@databricks/appkit-ui 0.23.0 → 0.25.0

package/docs/plugins/files.md

@@ -12,6 +12,7 @@ File operations against Databricks Unity Catalog Volumes. Supports listing, read
 * Automatic cache invalidation on write operations
 * Custom content type mappings
 * Per-user execution context (OBO)
+* **Access policies**: Per-volume policy functions that gate read and write operations
 
 ## Basic usage[​](#basic-usage "Direct link to Basic usage")
 
@@ -75,6 +76,8 @@ interface IFilesConfig {
 }
 
 interface VolumeConfig {
+  /** Access policy for this volume. */
+  policy?: FilePolicy;
   /** Maximum upload size in bytes for this volume. Overrides plugin-level default. */
   maxUploadSize?: number;
   /** Map of file extensions to MIME types for this volume. Overrides plugin-level default. */
@@ -99,6 +102,121 @@ files({
 
 ```
 
+### Permission model[​](#permission-model "Direct link to Permission model")
+
+There are three layers of access control in the files plugin. Understanding how they interact is critical for securing your app:
+
+```text
+┌─────────────────────────────────────────────────┐
+│  Unity Catalog grants                           │
+│  (WRITE_VOLUME on the SP — set at deploy time)  │
+├─────────────────────────────────────────────────┤
+│  Execution identity                             │
+│  HTTP routes → always service principal         │
+│  Programmatic → SP by default, asUser() for OBO │
+├─────────────────────────────────────────────────┤
+│  File policies                                  │
+│  Per-volume (action, resource, user) → boolean  │
+│  Only app-level gate for HTTP routes            │
+└─────────────────────────────────────────────────┘
+
+```
+
+* **UC grants** control what the service principal can do at the Databricks level. These are set at deploy time via `app.yaml` resource bindings. The SP needs `WRITE_VOLUME` — the plugin declares this via resource requirements.
+* **Execution identity** determines whose credentials are used for the actual API call. HTTP routes always use the SP. The programmatic API uses SP by default but supports `asUser(req)` for OBO.
+* **File policies** are application-level checks evaluated **before** the API call. They receive the requesting user's identity (from the `x-forwarded-user` header) and decide allow/deny. This is the only gate that distinguishes between users on HTTP routes.
+
+warning
+
+Since HTTP routes always execute as the service principal, removing a user's UC `WRITE_VOLUME` grant has **no effect** on HTTP access — the SP's grant is what's used. Policies are how you restrict what individual users can do through your app.
+
+New in v0.21.0
+
+File policies are new. Volumes without an explicit policy now default to `publicRead()`, which **denies all write operations** (`upload`, `mkdir`, `delete`). If your app relies on write access, set an explicit policy — for example `files.policy.allowAll()` — on each volume that needs it.
+
+#### Access policies[​](#access-policies "Direct link to Access policies")
+
+Attach a policy to a volume to control which actions are allowed:
+
+```ts
+import { files } from "@databricks/appkit";
+
+files({
+  volumes: {
+    uploads: { policy: files.policy.publicRead() },
+  },
+});
+
+```
+
+#### Actions[​](#actions "Direct link to Actions")
+
+Policies receive an action string. The full list, split by category:
+
+| Category | Actions                                                            |
+| -------- | ------------------------------------------------------------------ |
+| Read     | `list`, `read`, `download`, `raw`, `exists`, `metadata`, `preview` |
+| Write    | `upload`, `mkdir`, `delete`                                        |
+
+#### Built-in policies[​](#built-in-policies "Direct link to Built-in policies")
+
+| Helper                      | Allows           | Denies            |
+| --------------------------- | ---------------- | ----------------- |
+| `files.policy.publicRead()` | all read actions | all write actions |
+| `files.policy.allowAll()`   | everything       | nothing           |
+| `files.policy.denyAll()`    | nothing          | everything        |
+
+#### Composing policies[​](#composing-policies "Direct link to Composing policies")
+
+Combine built-in and custom policies with three combinators:
+
+* **`files.policy.all(a, b)`** — AND: all policies must allow. Short-circuits on first denial.
+* **`files.policy.any(a, b)`** — OR: at least one policy must allow. Short-circuits on first allow.
+* **`files.policy.not(p)`** — Inverts a policy. For example, `not(publicRead())` yields a write-only policy (useful for ingestion/drop-box volumes).
+
+```ts
+// Read-only for regular users, full access for the service principal
+files({
+  volumes: {
+    shared: {
+      policy: files.policy.any(
+        (_action, _resource, user) => !!user.isServicePrincipal,
+        files.policy.publicRead(),
+      ),
+    },
+  },
+});
+
+```
+
+#### Custom policies[​](#custom-policies "Direct link to Custom policies")
+
+`FilePolicy` is a function `(action, resource, user) → boolean | Promise<boolean>`, so you can inline arbitrary logic:
+
+```ts
+import { type FilePolicy, WRITE_ACTIONS } from "@databricks/appkit";
+
+const ADMIN_IDS = ["admin-sp-id", "lead-user-id"];
+
+const adminOnly: FilePolicy = (action, _resource, user) => {
+  if (WRITE_ACTIONS.has(action)) {
+    return ADMIN_IDS.includes(user.id);
+  }
+  return true; // reads allowed for everyone
+};
+
+files({
+  volumes: { reports: { policy: adminOnly } },
+});
+
+```
+
+#### Enforcement[​](#enforcement "Direct link to Enforcement")
+
+* **HTTP routes**: Policy checked before every operation. Denied → `403` JSON response with `Policy denied "{action}" on volume "{volumeKey}"`.
+* **Programmatic API**: Policy checked on both `appkit.files("vol").list()` (SP identity, `isServicePrincipal: true`) and `appkit.files("vol").asUser(req).list()` (user identity). Denied → throws `PolicyDeniedError`.
+* **No policy configured**: Defaults to `files.policy.publicRead()` — read actions are allowed, write actions are denied. A startup warning is logged encouraging you to set an explicit policy.
+
 ### Custom content types[​](#custom-content-types "Direct link to Custom content types")
 
 Override or extend the built-in extension → MIME map:
@@ -118,7 +236,7 @@ Dangerous MIME types (`text/html`, `text/javascript`, `application/javascript`,
 
 ## HTTP routes[​](#http-routes "Direct link to HTTP routes")
 
-Routes are mounted at `/api/files/*`. All routes except `/volumes` execute in user context via `asUser(req)`.
+Routes are mounted at `/api/files/*`. All routes execute as the service principal. Policy enforcement checks user identity (from the `x-forwarded-user` header) before allowing operations — see [Access policies](#access-policies).
 
 | Method | Path                   | Query / Body                 | Response                                                     |
 | ------ | ---------------------- | ---------------------------- | ------------------------------------------------------------ |
@@ -242,7 +360,36 @@ interface FilePreview extends FileMetadata {
   isImage: boolean;
 }
 
+type FileAction =
+  | "list" | "read" | "download" | "raw"
+  | "exists" | "metadata" | "preview"
+  | "upload" | "mkdir" | "delete";
+
+interface FileResource {
+  /** Relative path within the volume. */
+  path: string;
+  /** The volume key (e.g. `"uploads"`). */
+  volume: string;
+  /** Content length in bytes — only present for uploads. */
+  size?: number;
+}
+
+interface FilePolicyUser {
+  /** User ID from the `x-forwarded-user` header. */
+  id: string;
+  /** `true` when the caller is the service principal (direct SDK call, not `asUser`). */
+  isServicePrincipal?: boolean;
+}
+
+type FilePolicy = (
+  action: FileAction,
+  resource: FileResource,
+  user: FilePolicyUser,
+) => boolean | Promise<boolean>;
+
 interface VolumeConfig {
+  /** Access policy for this volume. */
+  policy?: FilePolicy;
   /** Maximum upload size in bytes for this volume. */
   maxUploadSize?: number;
   /** Map of file extensions to MIME types for this volume. */
@@ -280,7 +427,7 @@ Built-in extensions: `.png`, `.jpg`, `.jpeg`, `.gif`, `.webp`, `.svg`, `.bmp`, `
 
 ## User context[​](#user-context "Direct link to User context")
 
-Routes use `this.asUser(req)` so operations execute with the requesting user's Databricks credentials (on-behalf-of / OBO). The `/volumes` route is the only exception since it only reads plugin config.
+HTTP routes always execute as the **service principal** — the SP's Databricks credentials are used for all API calls. User identity is extracted from the `x-forwarded-user` header and passed to the volume's [access policy](#access-policies) for authorization. This means UC grants on the SP (not individual users) determine what operations are possible, while policies control what each user is allowed to do through the app.
 
 The programmatic API returns a `VolumeHandle` that exposes all `VolumeAPI` methods directly (service principal) and an `asUser(req)` method for OBO access. Calling any method without `asUser()` logs a warning encouraging OBO usage but does not throw. OBO access is strongly recommended for production use.
 
@@ -305,6 +452,7 @@ All errors return JSON:
 | Status | Description                                                   |
 | ------ | ------------------------------------------------------------- |
 | 400    | Missing or invalid `path` parameter                           |
+| 403    | Policy denied "`{action}`" on volume "`{volumeKey}`"          |
 | 404    | Unknown volume key                                            |
 | 413    | Upload exceeds `maxUploadSize`                                |
 | 500    | Operation failed (SDK, network, upstream, or unhandled error) |

package/docs/plugins/{serving.md → model-serving.md}

@@ -1,4 +1,4 @@
-# Serving plugin
+# Model Serving plugin
 
 Provides an authenticated proxy to [Databricks Model Serving](https://docs.databricks.com/aws/en/machine-learning/model-serving) endpoints, with invoke and streaming support.
 

package/docs/plugins/plugin-management.md

@@ -6,19 +6,30 @@ AppKit includes a CLI for managing plugins. All commands are available under `np
 
 ## Create a plugin[​](#create-a-plugin "Direct link to Create a plugin")
 
-Scaffold a new plugin interactively:
+Scaffold a new plugin interactively or via flags:
 
 ```bash
+# Interactive mode (prompts for all options)
 npx @databricks/appkit plugin create
 
+# Non-interactive mode (all required flags provided)
+npx @databricks/appkit plugin create \
+  --placement in-repo \
+  --path plugins/my-plugin \
+  --name my-plugin \
+  --description "My custom plugin" \
+  --resources sql_warehouse \
+  --force
+
 ```
 
-The wizard walks you through:
+In interactive mode, the wizard walks you through:
 
 * **Placement**: In your repository (e.g. `plugins/my-plugin`) or as a standalone package
 * **Metadata**: Name, display name, description
 * **Resources**: Which Databricks resources the plugin needs (SQL Warehouse, Secret, etc.) and whether each is required or optional
-* **Optional fields**: Author, version, license
+
+In non-interactive mode, `--placement`, `--path`, `--name`, and `--description` are required. Resources can be specified as a comma-separated list (`--resources sql_warehouse,volume`) or as JSON for full control (`--resources-json '[{"type":"sql_warehouse","permission":"CAN_MANAGE"}]'`). For all available options, run `npx @databricks/appkit plugin create --help`.
 
 The command generates a complete plugin scaffold with `manifest.json` and a TypeScript plugin class that imports the manifest directly — ready to register in your app.
 
@@ -91,12 +102,17 @@ npx @databricks/appkit plugin list --json
 
 ## Add a resource to a plugin[​](#add-a-resource-to-a-plugin "Direct link to Add a resource to a plugin")
 
-Interactively add a new resource requirement to an existing plugin manifest. **Requires `manifest.json`** in the plugin directory (the command edits it in place; it does not modify `manifest.js`):
+Add a new resource requirement to an existing plugin manifest. **Requires `manifest.json`** in the plugin directory (the command edits it in place; it does not modify `manifest.js`):
 
 ```bash
+# Interactive mode
 npx @databricks/appkit plugin add-resource
-
-# Or specify the plugin directory
 npx @databricks/appkit plugin add-resource --path plugins/my-plugin
 
+# Non-interactive mode (--type triggers flag-based mode)
+npx @databricks/appkit plugin add-resource --path plugins/my-plugin --type sql_warehouse
+npx @databricks/appkit plugin add-resource --path plugins/my-plugin --type volume --no-required --dry-run
+
 ```
+
+In non-interactive mode, only `--type` is required — all other fields (permission, resource key, field env vars) default to sensible values from the schema. Use `--dry-run` to preview the updated manifest without writing. For all available options, run `npx @databricks/appkit plugin add-resource --help`.

package/docs/plugins/vector-search.md

@@ -0,0 +1,247 @@
+# Vector Search plugin
+
+Query Databricks Vector Search indexes with hybrid search, reranking, and cursor pagination from your AppKit application.
+
+**Key features:**
+
+* Named index aliases for multiple Vector Search indexes
+* Hybrid, ANN, and full-text query modes
+* Optional reranking with column-level control
+* Cursor-based pagination for large result sets
+* Service principal (default) and on-behalf-of-user auth
+* Self-managed embedding indexes via custom `embeddingFn`
+
+## Basic usage[​](#basic-usage "Direct link to Basic usage")
+
+```ts
+import { createApp, vectorSearch, server } from "@databricks/appkit";
+
+await createApp({
+  plugins: [
+    server(),
+    vectorSearch({
+      indexes: {
+        products: {
+          indexName: "catalog.schema.products_idx",
+          columns: ["id", "name", "description"],
+          queryType: "hybrid",
+          numResults: 20,
+        },
+      },
+    }),
+  ],
+});
+
+```
+
+## Configuration options[​](#configuration-options "Direct link to Configuration options")
+
+| Option    | Type                          | Default | Description                                              |
+| --------- | ----------------------------- | ------- | -------------------------------------------------------- |
+| `indexes` | `Record<string, IndexConfig>` | —       | **Required.** Map of alias names to index configurations |
+| `timeout` | `number`                      | `30000` | Query timeout in ms                                      |
+
+### Index aliases[​](#index-aliases "Direct link to Index aliases")
+
+Index aliases let you reference multiple Vector Search indexes by name. The alias is used in API routes and programmatic calls:
+
+```ts
+vectorSearch({
+  indexes: {
+    products: {
+      indexName: "catalog.schema.products_idx",
+      columns: ["id", "name", "description"],
+    },
+    docs: {
+      indexName: "catalog.schema.docs_idx",
+      columns: ["id", "title", "content", "url"],
+      queryType: "full_text",
+    },
+  },
+});
+
+```
+
+## IndexConfig[​](#indexconfig "Direct link to IndexConfig")
+
+| Field          | Type                                         | Default               | Description                                                                     |
+| -------------- | -------------------------------------------- | --------------------- | ------------------------------------------------------------------------------- |
+| `indexName`    | `string`                                     | —                     | **Required.** Three-level Unity Catalog name (`catalog.schema.index`)           |
+| `columns`      | `string[]`                                   | —                     | **Required.** Columns to return in query results                                |
+| `queryType`    | `"ann" \| "hybrid" \| "full_text"`           | `"hybrid"`            | Search mode                                                                     |
+| `numResults`   | `number`                                     | `20`                  | Maximum results per query                                                       |
+| `reranker`     | `boolean \| { columnsToRerank: string[] }`   | —                     | Enable reranking. Pass `true` to rerank all result columns, or specify a subset |
+| `auth`         | `"service-principal" \| "on-behalf-of-user"` | `"service-principal"` | Authentication mode for query execution                                         |
+| `pagination`   | `boolean`                                    | —                     | Enable cursor-based pagination                                                  |
+| `endpointName` | `string`                                     | —                     | Vector Search endpoint name. Required when `pagination` is `true`               |
+| `embeddingFn`  | `(text: string) => Promise<number[]>`        | —                     | Custom embedding function for self-managed embedding indexes                    |
+
+### Query types[​](#query-types "Direct link to Query types")
+
+* **`hybrid`** — Combines vector similarity and keyword search. Best for general-purpose retrieval.
+* **`ann`** — Approximate nearest neighbor search using embeddings only. Best for semantic similarity.
+* **`full_text`** — Keyword-based search with no embedding required.
+
+### Reranking[​](#reranking "Direct link to Reranking")
+
+Reranking improves result relevance by running a second-stage model over the initial candidates:
+
+```ts
+vectorSearch({
+  indexes: {
+    products: {
+      indexName: "catalog.schema.products_idx",
+      columns: ["id", "name", "description", "category"],
+      reranker: { columnsToRerank: ["name", "description"] },
+    },
+  },
+});
+
+```
+
+Pass `reranker: true` to rerank across all returned columns.
+
+### On-behalf-of-user auth[​](#on-behalf-of-user-auth "Direct link to On-behalf-of-user auth")
+
+By default, queries run as the app's service principal. Set `auth: "on-behalf-of-user"` to execute queries as the signed-in user instead:
+
+```ts
+vectorSearch({
+  indexes: {
+    documents: {
+      indexName: "catalog.schema.documents_idx",
+      columns: ["id", "title", "body"],
+      auth: "on-behalf-of-user",
+    },
+  },
+});
+
+```
+
+### Pagination[​](#pagination "Direct link to Pagination")
+
+Enable cursor pagination to page through large result sets:
+
+```ts
+vectorSearch({
+  indexes: {
+    products: {
+      indexName: "catalog.schema.products_idx",
+      columns: ["id", "name", "description"],
+      pagination: true,
+      endpointName: "my-vector-search-endpoint",
+    },
+  },
+});
+
+```
+
+`endpointName` is required when `pagination` is `true`. Use the `/:alias/next-page` route to fetch subsequent pages.
+
+### Self-managed embedding indexes[​](#self-managed-embedding-indexes "Direct link to Self-managed embedding indexes")
+
+For indexes that manage their own embeddings, provide an `embeddingFn` that takes a query string and returns a vector:
+
+```ts
+import { embed } from "./my-embedding-client";
+
+vectorSearch({
+  indexes: {
+    products: {
+      indexName: "catalog.schema.products_idx",
+      columns: ["id", "name", "description"],
+      queryType: "ann",
+      embeddingFn: (text) => embed(text),
+    },
+  },
+});
+
+```
+
+## HTTP routes[​](#http-routes "Direct link to HTTP routes")
+
+Routes are mounted at `/api/vector-search`.
+
+| Method | Path                | Description                                                  |
+| ------ | ------------------- | ------------------------------------------------------------ |
+| `POST` | `/:alias/query`     | Query an index by alias                                      |
+| `POST` | `/:alias/next-page` | Fetch the next page of results (requires `pagination: true`) |
+| `GET`  | `/:alias/config`    | Return the resolved config for an index alias                |
+
+### Query an index[​](#query-an-index "Direct link to Query an index")
+
+```text
+POST /api/vector-search/:alias/query
+Content-Type: application/json
+
+{
+  "queryText": "machine learning guide",
+  "numResults": 10
+}
+
+```
+
+Response:
+
+```json
+{
+  "results": [
+    { "id": "42", "name": "Intro to ML", "description": "..." }
+  ],
+  "nextPageToken": "eyJvZmZzZXQiOjEwfQ=="
+}
+
+```
+
+`nextPageToken` is only present when `pagination` is enabled and more results are available.
+
+### Fetch the next page[​](#fetch-the-next-page "Direct link to Fetch the next page")
+
+```text
+POST /api/vector-search/:alias/next-page
+Content-Type: application/json
+
+{
+  "queryText": "machine learning guide",
+  "pageToken": "eyJvZmZzZXQiOjEwfQ=="
+}
+
+```
+
+### Get index config[​](#get-index-config "Direct link to Get index config")
+
+```text
+GET /api/vector-search/:alias/config
+
+```
+
+Returns the resolved `IndexConfig` for the alias (excluding `embeddingFn`).
+
+## Programmatic access[​](#programmatic-access "Direct link to Programmatic access")
+
+The plugin exposes a `query` method for server-side use:
+
+```ts
+const AppKit = await createApp({
+  plugins: [
+    server(),
+    vectorSearch({
+      indexes: {
+        products: {
+          indexName: "catalog.schema.products_idx",
+          columns: ["id", "name", "description"],
+        },
+      },
+    }),
+  ],
+});
+
+const result = await AppKit.vectorSearch.query("products", {
+  queryText: "machine learning guide",
+});
+
+console.log(result.results);
+
+```
+
+Pass optional overrides as a second argument to `query` to adjust `numResults` or other per-call settings.

package/llms.txt

@@ -49,9 +49,10 @@ npx @databricks/appkit docs <query>
 - [Files plugin](./docs/plugins/files.md): File operations against Databricks Unity Catalog Volumes. Supports listing, reading, downloading, uploading, deleting, and previewing files with built-in caching, retry, and timeout handling via the execution interceptor pipeline.
 - [Genie plugin](./docs/plugins/genie.md): Integrates Databricks AI/BI Genie spaces into your AppKit application, enabling natural language data queries via a conversational interface.
 - [Lakebase plugin](./docs/plugins/lakebase.md): Provides a PostgreSQL connection pool for Databricks Lakebase Autoscaling with automatic OAuth token refresh.
+- [Model Serving plugin](./docs/plugins/model-serving.md): Provides an authenticated proxy to Databricks Model Serving endpoints, with invoke and streaming support.
 - [Plugin management](./docs/plugins/plugin-management.md): AppKit includes a CLI for managing plugins. All commands are available under npx @databricks/appkit plugin.
 - [Server plugin](./docs/plugins/server.md): Provides HTTP server capabilities with development and production modes.
-- [Serving plugin](./docs/plugins/serving.md): Provides an authenticated proxy to Databricks Model Serving endpoints, with invoke and streaming support.
+- [Vector Search plugin](./docs/plugins/vector-search.md): Query Databricks Vector Search indexes with hybrid search, reranking, and cursor pagination from your AppKit application.
 
 ## appkit API reference [collapsed]
 
@@ -63,6 +64,7 @@ npx @databricks/appkit docs <query>
 - [Class: ExecutionError](./docs/api/appkit/Class.ExecutionError.md): Error thrown when an operation execution fails.
 - [Class: InitializationError](./docs/api/appkit/Class.InitializationError.md): Error thrown when a service or component is not properly initialized.
 - [Abstract Class: Plugin<TConfig>](./docs/api/appkit/Class.Plugin.md): Base abstract class for creating AppKit plugins.
+- [Class: PolicyDeniedError](./docs/api/appkit/Class.PolicyDeniedError.md): Thrown when a policy denies an action.
 - [Class: ResourceRegistry](./docs/api/appkit/Class.ResourceRegistry.md): Central registry for tracking plugin resource requirements.
 - [Class: ServerError](./docs/api/appkit/Class.ServerError.md): Error thrown when server lifecycle operations fail.
 - [Class: TunnelError](./docs/api/appkit/Class.TunnelError.md): Error thrown when remote tunnel operations fail.
@@ -88,6 +90,8 @@ npx @databricks/appkit docs <query>
 - [Interface: CacheConfig](./docs/api/appkit/Interface.CacheConfig.md): Configuration for the CacheInterceptor. Controls TTL, size limits, storage backend, and probabilistic cleanup.
 - [Interface: DatabaseCredential](./docs/api/appkit/Interface.DatabaseCredential.md): Database credentials with OAuth token for Postgres connection
 - [Interface: EndpointConfig](./docs/api/appkit/Interface.EndpointConfig.md): Properties
+- [Interface: FilePolicyUser](./docs/api/appkit/Interface.FilePolicyUser.md): Minimal user identity passed to the policy function.
+- [Interface: FileResource](./docs/api/appkit/Interface.FileResource.md): Describes the file or directory being acted upon.
 - [Interface: GenerateDatabaseCredentialRequest](./docs/api/appkit/Interface.GenerateDatabaseCredentialRequest.md): Request parameters for generating database OAuth credentials
 - [Interface: ITelemetry](./docs/api/appkit/Interface.ITelemetry.md): Plugin-facing interface for OpenTelemetry instrumentation.
 - [Interface: LakebasePoolConfig](./docs/api/appkit/Interface.LakebasePoolConfig.md): Configuration for creating a Lakebase connection pool
@@ -104,12 +108,16 @@ npx @databricks/appkit docs <query>
 - [Interface: ValidationResult](./docs/api/appkit/Interface.ValidationResult.md): Result of validating all registered resources against the environment.
 - [Type Alias: ConfigSchema](./docs/api/appkit/TypeAlias.ConfigSchema.md): Configuration schema definition for plugin config.
 - [Type Alias: ExecutionResult<T>](./docs/api/appkit/TypeAlias.ExecutionResult.md): Discriminated union for plugin execution results.
+- [Type Alias: FileAction](./docs/api/appkit/TypeAlias.FileAction.md): Every action the files plugin can perform.
+- [Type Alias: FilePolicy()](./docs/api/appkit/TypeAlias.FilePolicy.md): A policy function that decides whether user may perform action on
 - [Type Alias: IAppRouter](./docs/api/appkit/TypeAlias.IAppRouter.md): Express router type for plugin route registration
 - [Type Alias: PluginData<T, U, N>](./docs/api/appkit/TypeAlias.PluginData.md): Tuple of plugin class, config, and name. Created by toPlugin() and passed to createApp().
 - [Type Alias: ResourcePermission](./docs/api/appkit/TypeAlias.ResourcePermission.md): Union of all possible permission levels across all resource types.
 - [Type Alias: ServingFactory](./docs/api/appkit/TypeAlias.ServingFactory.md): Factory function returned by AppKit.serving.
 - [Type Alias: ToPlugin()<T, U, N>](./docs/api/appkit/TypeAlias.ToPlugin.md): Factory function type returned by toPlugin(). Accepts optional config and returns a PluginData tuple.
+- [Variable: READ_ACTIONS](./docs/api/appkit/Variable.READ_ACTIONS.md): Actions that only read data.
 - [Variable: sql](./docs/api/appkit/Variable.sql.md): SQL helper namespace
+- [Variable: WRITE_ACTIONS](./docs/api/appkit/Variable.WRITE_ACTIONS.md): Actions that mutate data.
 
 ## appkit-ui API reference [collapsed]
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@databricks/appkit-ui",
   "type": "module",
-  "version": "0.23.0",
+  "version": "0.25.0",
   "license": "Apache-2.0",
   "repository": {
     "type": "git",