@databricks/appkit 0.19.0 → 0.20.0

package/dist/registry/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","names":[],"sources":["../../src/registry/types.ts"],"mappings":";;;;;;;;UA0DiB,kBAAA;EA+BD;EA7Bd,GAAA;EAWM;EATN,WAAA;AAAA;;;;;UAOe,mBAAA;EAoBQ;EAlBvB,IAAA,EAAM,YAAA;EAqBE;EAlBR,KAAA;EAyBe;EAtBf,WAAA;;EAGA,WAAA;EAkCmC;EA/BnC,UAAA,EAAY,kBAAA;EAgByB;;;;EAVrC,MAAA,EAAQ,MAAA,SAAe,kBAAA;EAevB;EAZA,QAAA;AAAA;;;;;UAOe,aAAA,SAAsB,mBAAA;EAqBtB;EAnBf,MAAA;;EAGA,QAAA;EAkBA;EAfA,MAAA,GAAS,MAAA;EAkBA;;;;;EAXT,iBAAA,GAAoB,MAAA,SAAe,kBAAA;AAAA;;;;UAMpB,gBAAA;EAyBc;EAvB7B,KAAA;EAyBM;EAtBN,OAAA,EAAS,aAAA;EAmCG;EAhCZ,GAAA,EAAK,aAAA;AAAA;;;;;;;KAWK,YAAA,GAAe,WAAA;;;;;UAMV,cAAA;EAkBH;EAhBZ,IAAA,EAAM,KAAA;EAuBN;EApBA,WAAA;EAqBU;EAlBV,WAAA;EA6BA;;;EAxBA,SAAA;IA4BA,kEA1BE,QAAA,EAAU,IAAA,CAAK,mBAAA,iBA0BV;IAvBL,QAAA,EAAU,IAAA,CAAK,mBAAA;EAAA;;;;;EAOjB,MAAA;IACE,MAAA,EAAQ,YAAA;EAAA;;;;EAMV,MAAA;;;;EAKA,MAAA;EACA,OAAA;EACA,UAAA;EACA,QAAA;EACA,OAAA;AAAA"}
+{"version":3,"file":"types.d.ts","names":[],"sources":["../../src/registry/types.ts"],"mappings":";;;;;;;;UA0DiB,kBAAA;EAqBA;EAnBf,GAAA;;EAEA,WAAA;EA+BY;EA7BZ,YAAA;EAmCQ;EAjCR,QAAA;EAiCc;EA/Bd,SAAA;EAaM;EAXN,KAAA;EAiBA;EAfA,OAAA;AAAA;;;;;UAOe,mBAAA;EAuBP;EArBR,IAAA,EAAM,YAAA;EA4BS;EAzBf,KAAA;;EAGA,WAAA;EAqCmC;EAlCnC,WAAA;EAmBqC;EAhBrC,UAAA,EAAY,kBAAA;EAgB4C;;;;EAVxD,MAAA,EAAQ,MAAA,SAAe,kBAAA;EAkBd;EAfT,QAAA;AAAA;;;;AA4BF;UArBiB,aAAA,SAAsB,mBAAA;;EAErC,MAAA;EAqBA;EAlBA,QAAA;EAqBS;EAlBT,MAAA,GAAS,MAAA;EAqBJ;;;AAWP;;EAzBE,iBAAA,GAAoB,MAAA,SAAe,kBAAA;AAAA;;AA+BrC;;UAzBiB,gBAAA;EA2BT;EAzBN,KAAA;EAsCY;EAnCZ,OAAA,EAAS,aAAA;EAsCG;EAnCZ,GAAA,EAAK,aAAA;AAAA;;;;;;;KAWK,YAAA,GAAe,WAAA;;;;;UAMV,cAAA;EAyBf;EAvBA,IAAA,EAAM,KAAA;EAwBI;EArBV,WAAA;EAgCA;EA7BA,WAAA;EA+BA;;;EA1BA,SAAA;IA4BO,kEA1BL,QAAA,EAAU,IAAA,CAAK,mBAAA;IAGf,QAAA,EAAU,IAAA,CAAK,mBAAA;EAAA;;;;;EAOjB,MAAA;IACE,MAAA,EAAQ,YAAA;EAAA;;;;EAMV,MAAA;;;;EAKA,MAAA;EACA,OAAA;EACA,UAAA;EACA,QAAA;EACA,OAAA;AAAA"}

package/dist/registry/types.generated.d.ts

@@ -10,6 +10,7 @@ declare enum ResourceType {
   UC_FUNCTION = "uc_function",
   UC_CONNECTION = "uc_connection",
   DATABASE = "database",
+  POSTGRES = "postgres",
   GENIE_SPACE = "genie_space",
   EXPERIMENT = "experiment",
   APP = "app"
@@ -32,6 +33,8 @@ type UcFunctionPermission = "EXECUTE";
 type UcConnectionPermission = "USE_CONNECTION";
 /** Permissions for DATABASE resources */
 type DatabasePermission = "CAN_CONNECT_AND_CREATE";
+/** Permissions for POSTGRES resources */
+type PostgresPermission = "CAN_CONNECT_AND_CREATE";
 /** Permissions for GENIE_SPACE resources */
 type GenieSpacePermission = "CAN_VIEW" | "CAN_RUN" | "CAN_EDIT" | "CAN_MANAGE";
 /** Permissions for EXPERIMENT resources */
@@ -39,7 +42,7 @@ type ExperimentPermission = "CAN_READ" | "CAN_EDIT" | "CAN_MANAGE";
 /** Permissions for APP resources */
 type AppPermission = "CAN_USE";
 /** Union of all possible permission levels across all resource types. */
-type ResourcePermission = SecretPermission | JobPermission | SqlWarehousePermission | ServingEndpointPermission | VolumePermission | VectorSearchIndexPermission | UcFunctionPermission | UcConnectionPermission | DatabasePermission | GenieSpacePermission | ExperimentPermission | AppPermission;
+type ResourcePermission = SecretPermission | JobPermission | SqlWarehousePermission | ServingEndpointPermission | VolumePermission | VectorSearchIndexPermission | UcFunctionPermission | UcConnectionPermission | DatabasePermission | PostgresPermission | GenieSpacePermission | ExperimentPermission | AppPermission;
 //#endregion
 export { AppPermission, DatabasePermission, ExperimentPermission, GenieSpacePermission, JobPermission, ResourcePermission, ResourceType, SecretPermission, ServingEndpointPermission, SqlWarehousePermission, UcConnectionPermission, UcFunctionPermission, VectorSearchIndexPermission, VolumePermission };
 //# sourceMappingURL=types.generated.d.ts.map

package/dist/registry/types.generated.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.generated.d.ts","names":[],"sources":["../../src/registry/types.generated.ts"],"mappings":";;aAIY,YAAA;EACV,MAAA;EACA,GAAA;EACA,aAAA;EACA,gBAAA;EACA,MAAA;EACA,mBAAA;EACA,WAAA;EACA,aAAA;EACA,QAAA;EACA,WAAA;EACA,UAAA;EACA,GAAA;AAAA;;KAOU,gBAAA;;KAGA,aAAA;AAHZ;AAAA,KAMY,sBAAA;;KAGA,yBAAA;;KAGA,gBAAA;;KAGA,2BAAA;;KAGA,oBAAA;AAZZ;AAAA,KAeY,sBAAA;;KAGA,kBAAA;;KAGA,oBAAA;;KAGA,oBAAA;;KAGA,aAAA;AArBZ;AAAA,KAwBY,kBAAA,GACR,gBAAA,GACA,aAAA,GACA,sBAAA,GACA,yBAAA,GACA,gBAAA,GACA,2BAAA,GACA,oBAAA,GACA,sBAAA,GACA,kBAAA,GACA,oBAAA,GACA,oBAAA,GACA,aAAA"}
+{"version":3,"file":"types.generated.d.ts","names":[],"sources":["../../src/registry/types.generated.ts"],"mappings":";;aAIY,YAAA;EACV,MAAA;EACA,GAAA;EACA,aAAA;EACA,gBAAA;EACA,MAAA;EACA,mBAAA;EACA,WAAA;EACA,aAAA;EACA,QAAA;EACA,QAAA;EACA,WAAA;EACA,UAAA;EACA,GAAA;AAAA;;KAOU,gBAAA;;KAGA,aAAA;AAHZ;AAAA,KAMY,sBAAA;;KAGA,yBAAA;;KAGA,gBAAA;;KAGA,2BAAA;;KAGA,oBAAA;AAZZ;AAAA,KAeY,sBAAA;;KAGA,kBAAA;;KAGA,kBAAA;;KAGA,oBAAA;;KAGA,oBAAA;AArBZ;AAAA,KAwBY,aAAA;;KAGA,kBAAA,GACR,gBAAA,GACA,aAAA,GACA,sBAAA,GACA,yBAAA,GACA,gBAAA,GACA,2BAAA,GACA,oBAAA,GACA,sBAAA,GACA,kBAAA,GACA,kBAAA,GACA,oBAAA,GACA,oBAAA,GACA,aAAA"}

package/dist/registry/types.generated.js

@@ -10,6 +10,7 @@ let ResourceType = /* @__PURE__ */ function(ResourceType) {
 	ResourceType["UC_FUNCTION"] = "uc_function";
 	ResourceType["UC_CONNECTION"] = "uc_connection";
 	ResourceType["DATABASE"] = "database";
+	ResourceType["POSTGRES"] = "postgres";
 	ResourceType["GENIE_SPACE"] = "genie_space";
 	ResourceType["EXPERIMENT"] = "experiment";
 	ResourceType["APP"] = "app";
@@ -38,6 +39,7 @@ const PERMISSION_HIERARCHY_BY_TYPE = {
 	[ResourceType.UC_FUNCTION]: ["EXECUTE"],
 	[ResourceType.UC_CONNECTION]: ["USE_CONNECTION"],
 	[ResourceType.DATABASE]: ["CAN_CONNECT_AND_CREATE"],
+	[ResourceType.POSTGRES]: ["CAN_CONNECT_AND_CREATE"],
 	[ResourceType.GENIE_SPACE]: [
 		"CAN_VIEW",
 		"CAN_RUN",

package/dist/registry/types.generated.js.map

@@ -1 +1 @@
-{"version":3,"file":"types.generated.js","names":[],"sources":["../../src/registry/types.generated.ts"],"sourcesContent":["// AUTO-GENERATED from packages/shared/src/schemas/plugin-manifest.schema.json\n// Do not edit. Run: pnpm exec tsx tools/generate-registry-types.ts\n\n/** Resource types from schema $defs.resourceType.enum */\nexport enum ResourceType {\n  SECRET = \"secret\",\n  JOB = \"job\",\n  SQL_WAREHOUSE = \"sql_warehouse\",\n  SERVING_ENDPOINT = \"serving_endpoint\",\n  VOLUME = \"volume\",\n  VECTOR_SEARCH_INDEX = \"vector_search_index\",\n  UC_FUNCTION = \"uc_function\",\n  UC_CONNECTION = \"uc_connection\",\n  DATABASE = \"database\",\n  GENIE_SPACE = \"genie_space\",\n  EXPERIMENT = \"experiment\",\n  APP = \"app\",\n}\n\n// ============================================================================\n// Permissions per resource type (from schema permission $defs)\n// ============================================================================\n/** Permissions for SECRET resources */\nexport type SecretPermission = \"READ\" | \"WRITE\" | \"MANAGE\";\n\n/** Permissions for JOB resources */\nexport type JobPermission = \"CAN_VIEW\" | \"CAN_MANAGE_RUN\" | \"CAN_MANAGE\";\n\n/** Permissions for SQL_WAREHOUSE resources */\nexport type SqlWarehousePermission = \"CAN_USE\" | \"CAN_MANAGE\";\n\n/** Permissions for SERVING_ENDPOINT resources */\nexport type ServingEndpointPermission = \"CAN_VIEW\" | \"CAN_QUERY\" | \"CAN_MANAGE\";\n\n/** Permissions for VOLUME resources */\nexport type VolumePermission = \"READ_VOLUME\" | \"WRITE_VOLUME\";\n\n/** Permissions for VECTOR_SEARCH_INDEX resources */\nexport type VectorSearchIndexPermission = \"SELECT\";\n\n/** Permissions for UC_FUNCTION resources */\nexport type UcFunctionPermission = \"EXECUTE\";\n\n/** Permissions for UC_CONNECTION resources */\nexport type UcConnectionPermission = \"USE_CONNECTION\";\n\n/** Permissions for DATABASE resources */\nexport type DatabasePermission = \"CAN_CONNECT_AND_CREATE\";\n\n/** Permissions for GENIE_SPACE resources */\nexport type GenieSpacePermission = \"CAN_VIEW\" | \"CAN_RUN\" | \"CAN_EDIT\" | \"CAN_MANAGE\";\n\n/** Permissions for EXPERIMENT resources */\nexport type ExperimentPermission = \"CAN_READ\" | \"CAN_EDIT\" | \"CAN_MANAGE\";\n\n/** Permissions for APP resources */\nexport type AppPermission = \"CAN_USE\";\n\n/** Union of all possible permission levels across all resource types. */\nexport type ResourcePermission =\n  | SecretPermission\n  | JobPermission\n  | SqlWarehousePermission\n  | ServingEndpointPermission\n  | VolumePermission\n  | VectorSearchIndexPermission\n  | UcFunctionPermission\n  | UcConnectionPermission\n  | DatabasePermission\n  | GenieSpacePermission\n  | ExperimentPermission\n  | AppPermission;\n\n/** Permission hierarchy per resource type (weakest to strongest). Schema enum order. */\nexport const PERMISSION_HIERARCHY_BY_TYPE: Record<ResourceType, readonly ResourcePermission[]> = {\n  [ResourceType.SECRET]: [\"READ\", \"WRITE\", \"MANAGE\"],\n  [ResourceType.JOB]: [\"CAN_VIEW\", \"CAN_MANAGE_RUN\", \"CAN_MANAGE\"],\n  [ResourceType.SQL_WAREHOUSE]: [\"CAN_USE\", \"CAN_MANAGE\"],\n  [ResourceType.SERVING_ENDPOINT]: [\"CAN_VIEW\", \"CAN_QUERY\", \"CAN_MANAGE\"],\n  [ResourceType.VOLUME]: [\"READ_VOLUME\", \"WRITE_VOLUME\"],\n  [ResourceType.VECTOR_SEARCH_INDEX]: [\"SELECT\"],\n  [ResourceType.UC_FUNCTION]: [\"EXECUTE\"],\n  [ResourceType.UC_CONNECTION]: [\"USE_CONNECTION\"],\n  [ResourceType.DATABASE]: [\"CAN_CONNECT_AND_CREATE\"],\n  [ResourceType.GENIE_SPACE]: [\"CAN_VIEW\", \"CAN_RUN\", \"CAN_EDIT\", \"CAN_MANAGE\"],\n  [ResourceType.EXPERIMENT]: [\"CAN_READ\", \"CAN_EDIT\", \"CAN_MANAGE\"],\n  [ResourceType.APP]: [\"CAN_USE\"],\n} as const;\n\n/** Set of valid permissions per type (for validation). */\nexport const PERMISSIONS_BY_TYPE: Record<ResourceType, readonly ResourcePermission[]> = PERMISSION_HIERARCHY_BY_TYPE;\n"],"mappings":";;AAIA,IAAY,sDAAL;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;;;AA0DF,MAAa,+BAAoF;EAC9F,aAAa,SAAS;EAAC;EAAQ;EAAS;EAAS;EACjD,aAAa,MAAM;EAAC;EAAY;EAAkB;EAAa;EAC/D,aAAa,gBAAgB,CAAC,WAAW,aAAa;EACtD,aAAa,mBAAmB;EAAC;EAAY;EAAa;EAAa;EACvE,aAAa,SAAS,CAAC,eAAe,eAAe;EACrD,aAAa,sBAAsB,CAAC,SAAS;EAC7C,aAAa,cAAc,CAAC,UAAU;EACtC,aAAa,gBAAgB,CAAC,iBAAiB;EAC/C,aAAa,WAAW,CAAC,yBAAyB;EAClD,aAAa,cAAc;EAAC;EAAY;EAAW;EAAY;EAAa;EAC5E,aAAa,aAAa;EAAC;EAAY;EAAY;EAAa;EAChE,aAAa,MAAM,CAAC,UAAU;CAChC;;AAGD,MAAa,sBAA2E"}
+{"version":3,"file":"types.generated.js","names":[],"sources":["../../src/registry/types.generated.ts"],"sourcesContent":["// AUTO-GENERATED from packages/shared/src/schemas/plugin-manifest.schema.json\n// Do not edit. Run: pnpm exec tsx tools/generate-registry-types.ts\n\n/** Resource types from schema $defs.resourceType.enum */\nexport enum ResourceType {\n  SECRET = \"secret\",\n  JOB = \"job\",\n  SQL_WAREHOUSE = \"sql_warehouse\",\n  SERVING_ENDPOINT = \"serving_endpoint\",\n  VOLUME = \"volume\",\n  VECTOR_SEARCH_INDEX = \"vector_search_index\",\n  UC_FUNCTION = \"uc_function\",\n  UC_CONNECTION = \"uc_connection\",\n  DATABASE = \"database\",\n  POSTGRES = \"postgres\",\n  GENIE_SPACE = \"genie_space\",\n  EXPERIMENT = \"experiment\",\n  APP = \"app\",\n}\n\n// ============================================================================\n// Permissions per resource type (from schema permission $defs)\n// ============================================================================\n/** Permissions for SECRET resources */\nexport type SecretPermission = \"READ\" | \"WRITE\" | \"MANAGE\";\n\n/** Permissions for JOB resources */\nexport type JobPermission = \"CAN_VIEW\" | \"CAN_MANAGE_RUN\" | \"CAN_MANAGE\";\n\n/** Permissions for SQL_WAREHOUSE resources */\nexport type SqlWarehousePermission = \"CAN_USE\" | \"CAN_MANAGE\";\n\n/** Permissions for SERVING_ENDPOINT resources */\nexport type ServingEndpointPermission = \"CAN_VIEW\" | \"CAN_QUERY\" | \"CAN_MANAGE\";\n\n/** Permissions for VOLUME resources */\nexport type VolumePermission = \"READ_VOLUME\" | \"WRITE_VOLUME\";\n\n/** Permissions for VECTOR_SEARCH_INDEX resources */\nexport type VectorSearchIndexPermission = \"SELECT\";\n\n/** Permissions for UC_FUNCTION resources */\nexport type UcFunctionPermission = \"EXECUTE\";\n\n/** Permissions for UC_CONNECTION resources */\nexport type UcConnectionPermission = \"USE_CONNECTION\";\n\n/** Permissions for DATABASE resources */\nexport type DatabasePermission = \"CAN_CONNECT_AND_CREATE\";\n\n/** Permissions for POSTGRES resources */\nexport type PostgresPermission = \"CAN_CONNECT_AND_CREATE\";\n\n/** Permissions for GENIE_SPACE resources */\nexport type GenieSpacePermission = \"CAN_VIEW\" | \"CAN_RUN\" | \"CAN_EDIT\" | \"CAN_MANAGE\";\n\n/** Permissions for EXPERIMENT resources */\nexport type ExperimentPermission = \"CAN_READ\" | \"CAN_EDIT\" | \"CAN_MANAGE\";\n\n/** Permissions for APP resources */\nexport type AppPermission = \"CAN_USE\";\n\n/** Union of all possible permission levels across all resource types. */\nexport type ResourcePermission =\n  | SecretPermission\n  | JobPermission\n  | SqlWarehousePermission\n  | ServingEndpointPermission\n  | VolumePermission\n  | VectorSearchIndexPermission\n  | UcFunctionPermission\n  | UcConnectionPermission\n  | DatabasePermission\n  | PostgresPermission\n  | GenieSpacePermission\n  | ExperimentPermission\n  | AppPermission;\n\n/** Permission hierarchy per resource type (weakest to strongest). Schema enum order. */\nexport const PERMISSION_HIERARCHY_BY_TYPE: Record<ResourceType, readonly ResourcePermission[]> = {\n  [ResourceType.SECRET]: [\"READ\", \"WRITE\", \"MANAGE\"],\n  [ResourceType.JOB]: [\"CAN_VIEW\", \"CAN_MANAGE_RUN\", \"CAN_MANAGE\"],\n  [ResourceType.SQL_WAREHOUSE]: [\"CAN_USE\", \"CAN_MANAGE\"],\n  [ResourceType.SERVING_ENDPOINT]: [\"CAN_VIEW\", \"CAN_QUERY\", \"CAN_MANAGE\"],\n  [ResourceType.VOLUME]: [\"READ_VOLUME\", \"WRITE_VOLUME\"],\n  [ResourceType.VECTOR_SEARCH_INDEX]: [\"SELECT\"],\n  [ResourceType.UC_FUNCTION]: [\"EXECUTE\"],\n  [ResourceType.UC_CONNECTION]: [\"USE_CONNECTION\"],\n  [ResourceType.DATABASE]: [\"CAN_CONNECT_AND_CREATE\"],\n  [ResourceType.POSTGRES]: [\"CAN_CONNECT_AND_CREATE\"],\n  [ResourceType.GENIE_SPACE]: [\"CAN_VIEW\", \"CAN_RUN\", \"CAN_EDIT\", \"CAN_MANAGE\"],\n  [ResourceType.EXPERIMENT]: [\"CAN_READ\", \"CAN_EDIT\", \"CAN_MANAGE\"],\n  [ResourceType.APP]: [\"CAN_USE\"],\n} as const;\n\n/** Set of valid permissions per type (for validation). */\nexport const PERMISSIONS_BY_TYPE: Record<ResourceType, readonly ResourcePermission[]> = PERMISSION_HIERARCHY_BY_TYPE;\n"],"mappings":";;AAIA,IAAY,sDAAL;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;;;AA8DF,MAAa,+BAAoF;EAC9F,aAAa,SAAS;EAAC;EAAQ;EAAS;EAAS;EACjD,aAAa,MAAM;EAAC;EAAY;EAAkB;EAAa;EAC/D,aAAa,gBAAgB,CAAC,WAAW,aAAa;EACtD,aAAa,mBAAmB;EAAC;EAAY;EAAa;EAAa;EACvE,aAAa,SAAS,CAAC,eAAe,eAAe;EACrD,aAAa,sBAAsB,CAAC,SAAS;EAC7C,aAAa,cAAc,CAAC,UAAU;EACtC,aAAa,gBAAgB,CAAC,iBAAiB;EAC/C,aAAa,WAAW,CAAC,yBAAyB;EAClD,aAAa,WAAW,CAAC,yBAAyB;EAClD,aAAa,cAAc;EAAC;EAAY;EAAW;EAAY;EAAa;EAC5E,aAAa,aAAa;EAAC;EAAY;EAAY;EAAa;EAChE,aAAa,MAAM,CAAC,UAAU;CAChC;;AAGD,MAAa,sBAA2E"}

package/dist/registry/types.js.map

@@ -1 +1 @@
-{"version":3,"file":"types.js","names":[],"sources":["../../src/registry/types.ts"],"sourcesContent":["/**\n * Resource Registry Type System\n *\n * This module defines the type system for the AppKit Resource Registry,\n * which enables plugins to declare their Databricks resource requirements\n * in a machine-readable format.\n *\n * Resource types and permissions are generated from plugin-manifest.schema.json\n * (see types.generated.ts). Hand-written interfaces below define the registry API.\n */\n\n// Re-export generated registry types (enum + const must be value exports for runtime)\nimport {\n  type AppPermission,\n  type DatabasePermission,\n  type ExperimentPermission,\n  type GenieSpacePermission,\n  type JobPermission,\n  PERMISSION_HIERARCHY_BY_TYPE,\n  PERMISSIONS_BY_TYPE,\n  type ResourcePermission,\n  ResourceType,\n  type SecretPermission,\n  type ServingEndpointPermission,\n  type SqlWarehousePermission,\n  type UcConnectionPermission,\n  type UcFunctionPermission,\n  type VectorSearchIndexPermission,\n  type VolumePermission,\n} from \"./types.generated\";\n\nexport {\n  PERMISSION_HIERARCHY_BY_TYPE,\n  PERMISSIONS_BY_TYPE,\n  ResourceType,\n  type AppPermission,\n  type DatabasePermission,\n  type ExperimentPermission,\n  type GenieSpacePermission,\n  type JobPermission,\n  type ResourcePermission,\n  type SecretPermission,\n  type ServingEndpointPermission,\n  type SqlWarehousePermission,\n  type UcConnectionPermission,\n  type UcFunctionPermission,\n  type VectorSearchIndexPermission,\n  type VolumePermission,\n};\n\n// ============================================================================\n// Hand-written interfaces (not in JSON schema)\n// ============================================================================\n\n/**\n * Defines a single field for a resource. Each field has its own environment variable and optional description.\n * Single-value types use one key (e.g. id); multi-value types (database, secret) use multiple (e.g. instance_name, database_name or scope, key).\n */\nexport interface ResourceFieldEntry {\n  /** Environment variable name for this field */\n  env: string;\n  /** Human-readable description for this field */\n  description?: string;\n}\n\n/**\n * Declares a resource requirement for a plugin.\n * Can be defined statically in a manifest or dynamically via getResourceRequirements().\n */\nexport interface ResourceRequirement {\n  /** Type of Databricks resource required */\n  type: ResourceType;\n\n  /** Unique alias for this resource within the plugin (e.g., 'warehouse', 'secrets'). Used for UI/display. */\n  alias: string;\n\n  /** Stable key for machine use (env naming, composite keys, app.yaml). Required. */\n  resourceKey: string;\n\n  /** Human-readable description of why this resource is needed */\n  description: string;\n\n  /** Required permission level for the resource */\n  permission: ResourcePermission;\n\n  /**\n   * Map of field name to env and optional description.\n   * Single-value types use one key (e.g. id); multi-value (database, secret) use multiple keys.\n   */\n  fields: Record<string, ResourceFieldEntry>;\n\n  /** Whether this resource is required (true) or optional (false) */\n  required: boolean;\n}\n\n/**\n * Internal representation of a resource in the registry.\n * Extends ResourceRequirement with resolution state and plugin ownership.\n */\nexport interface ResourceEntry extends ResourceRequirement {\n  /** Plugin(s) that require this resource (comma-separated if multiple) */\n  plugin: string;\n\n  /** Whether the resource has been resolved (all field env vars set) */\n  resolved: boolean;\n\n  /** Resolved value per field name. Populated by validate() when all field env vars are set. */\n  values?: Record<string, string>;\n\n  /**\n   * Per-plugin permission tracking.\n   * Maps plugin name to the permission it originally requested.\n   * Populated when multiple plugins share the same resource.\n   */\n  permissionSources?: Record<string, ResourcePermission>;\n}\n\n/**\n * Result of validating all registered resources against the environment.\n */\nexport interface ValidationResult {\n  /** Whether all required resources are available */\n  valid: boolean;\n\n  /** List of missing required resources */\n  missing: ResourceEntry[];\n\n  /** Complete list of all registered resources (required and optional) */\n  all: ResourceEntry[];\n}\n\nimport type { JSONSchema7 } from \"json-schema\";\n\n/**\n * Configuration schema definition for plugin config.\n * Re-exported from the standard JSON Schema Draft 7 types.\n *\n * @see {@link https://json-schema.org/draft-07/json-schema-release-notes | JSON Schema Draft 7}\n */\nexport type ConfigSchema = JSONSchema7;\n\n/**\n * Plugin manifest that declares metadata and resource requirements.\n * Attached to plugin classes as a static property.\n */\nexport interface PluginManifest<TName extends string = string> {\n  /** Plugin identifier — the single source of truth for the plugin's name */\n  name: TName;\n\n  /** Human-readable display name for UI/CLI */\n  displayName: string;\n\n  /** Brief description of what the plugin does */\n  description: string;\n\n  /**\n   * Resource requirements declaration\n   */\n  resources: {\n    /** Resources that must be available for the plugin to function */\n    required: Omit<ResourceRequirement, \"required\">[];\n\n    /** Resources that enhance functionality but are not mandatory */\n    optional: Omit<ResourceRequirement, \"required\">[];\n  };\n\n  /**\n   * Configuration schema for the plugin.\n   * Defines the shape and validation rules for plugin config.\n   */\n  config?: {\n    schema: ConfigSchema;\n  };\n\n  /**\n   * When true, excluded from the template plugins manifest during sync.\n   */\n  hidden?: boolean;\n\n  /**\n   * Optional metadata for community plugins\n   */\n  author?: string;\n  version?: string;\n  repository?: string;\n  keywords?: string[];\n  license?: string;\n}\n"],"mappings":""}
+{"version":3,"file":"types.js","names":[],"sources":["../../src/registry/types.ts"],"sourcesContent":["/**\n * Resource Registry Type System\n *\n * This module defines the type system for the AppKit Resource Registry,\n * which enables plugins to declare their Databricks resource requirements\n * in a machine-readable format.\n *\n * Resource types and permissions are generated from plugin-manifest.schema.json\n * (see types.generated.ts). Hand-written interfaces below define the registry API.\n */\n\n// Re-export generated registry types (enum + const must be value exports for runtime)\nimport {\n  type AppPermission,\n  type DatabasePermission,\n  type ExperimentPermission,\n  type GenieSpacePermission,\n  type JobPermission,\n  PERMISSION_HIERARCHY_BY_TYPE,\n  PERMISSIONS_BY_TYPE,\n  type ResourcePermission,\n  ResourceType,\n  type SecretPermission,\n  type ServingEndpointPermission,\n  type SqlWarehousePermission,\n  type UcConnectionPermission,\n  type UcFunctionPermission,\n  type VectorSearchIndexPermission,\n  type VolumePermission,\n} from \"./types.generated\";\n\nexport {\n  PERMISSION_HIERARCHY_BY_TYPE,\n  PERMISSIONS_BY_TYPE,\n  ResourceType,\n  type AppPermission,\n  type DatabasePermission,\n  type ExperimentPermission,\n  type GenieSpacePermission,\n  type JobPermission,\n  type ResourcePermission,\n  type SecretPermission,\n  type ServingEndpointPermission,\n  type SqlWarehousePermission,\n  type UcConnectionPermission,\n  type UcFunctionPermission,\n  type VectorSearchIndexPermission,\n  type VolumePermission,\n};\n\n// ============================================================================\n// Hand-written interfaces (not in JSON schema)\n// ============================================================================\n\n/**\n * Defines a single field for a resource. Each field has its own environment variable and optional description.\n * Single-value types use one key (e.g. id); multi-value types (database, secret) use multiple (e.g. instance_name, database_name or scope, key).\n */\nexport interface ResourceFieldEntry {\n  /** Environment variable name for this field */\n  env?: string;\n  /** Human-readable description for this field */\n  description?: string;\n  /** When true, this field is excluded from Databricks bundle configuration (databricks.yml) generation. */\n  bundleIgnore?: boolean;\n  /** Example values showing the expected format for this field */\n  examples?: string[];\n  /** When true, this field is only generated for local .env files. The Databricks Apps platform auto-injects it at deploy time. */\n  localOnly?: boolean;\n  /** Static value for this field. Used when no prompted or resolved value exists. */\n  value?: string;\n  /** Named resolver prefixed by resource type (e.g., 'postgres:host'). The CLI resolves this value during the init prompt flow. */\n  resolve?: string;\n}\n\n/**\n * Declares a resource requirement for a plugin.\n * Can be defined statically in a manifest or dynamically via getResourceRequirements().\n */\nexport interface ResourceRequirement {\n  /** Type of Databricks resource required */\n  type: ResourceType;\n\n  /** Unique alias for this resource within the plugin (e.g., 'warehouse', 'secrets'). Used for UI/display. */\n  alias: string;\n\n  /** Stable key for machine use (env naming, composite keys, app.yaml). Required. */\n  resourceKey: string;\n\n  /** Human-readable description of why this resource is needed */\n  description: string;\n\n  /** Required permission level for the resource */\n  permission: ResourcePermission;\n\n  /**\n   * Map of field name to env and optional description.\n   * Single-value types use one key (e.g. id); multi-value (database, secret) use multiple keys.\n   */\n  fields: Record<string, ResourceFieldEntry>;\n\n  /** Whether this resource is required (true) or optional (false) */\n  required: boolean;\n}\n\n/**\n * Internal representation of a resource in the registry.\n * Extends ResourceRequirement with resolution state and plugin ownership.\n */\nexport interface ResourceEntry extends ResourceRequirement {\n  /** Plugin(s) that require this resource (comma-separated if multiple) */\n  plugin: string;\n\n  /** Whether the resource has been resolved (all field env vars set) */\n  resolved: boolean;\n\n  /** Resolved value per field name. Populated by validate() when all field env vars are set. */\n  values?: Record<string, string>;\n\n  /**\n   * Per-plugin permission tracking.\n   * Maps plugin name to the permission it originally requested.\n   * Populated when multiple plugins share the same resource.\n   */\n  permissionSources?: Record<string, ResourcePermission>;\n}\n\n/**\n * Result of validating all registered resources against the environment.\n */\nexport interface ValidationResult {\n  /** Whether all required resources are available */\n  valid: boolean;\n\n  /** List of missing required resources */\n  missing: ResourceEntry[];\n\n  /** Complete list of all registered resources (required and optional) */\n  all: ResourceEntry[];\n}\n\nimport type { JSONSchema7 } from \"json-schema\";\n\n/**\n * Configuration schema definition for plugin config.\n * Re-exported from the standard JSON Schema Draft 7 types.\n *\n * @see {@link https://json-schema.org/draft-07/json-schema-release-notes | JSON Schema Draft 7}\n */\nexport type ConfigSchema = JSONSchema7;\n\n/**\n * Plugin manifest that declares metadata and resource requirements.\n * Attached to plugin classes as a static property.\n */\nexport interface PluginManifest<TName extends string = string> {\n  /** Plugin identifier — the single source of truth for the plugin's name */\n  name: TName;\n\n  /** Human-readable display name for UI/CLI */\n  displayName: string;\n\n  /** Brief description of what the plugin does */\n  description: string;\n\n  /**\n   * Resource requirements declaration\n   */\n  resources: {\n    /** Resources that must be available for the plugin to function */\n    required: Omit<ResourceRequirement, \"required\">[];\n\n    /** Resources that enhance functionality but are not mandatory */\n    optional: Omit<ResourceRequirement, \"required\">[];\n  };\n\n  /**\n   * Configuration schema for the plugin.\n   * Defines the shape and validation rules for plugin config.\n   */\n  config?: {\n    schema: ConfigSchema;\n  };\n\n  /**\n   * When true, excluded from the template plugins manifest during sync.\n   */\n  hidden?: boolean;\n\n  /**\n   * Optional metadata for community plugins\n   */\n  author?: string;\n  version?: string;\n  repository?: string;\n  keywords?: string[];\n  license?: string;\n}\n"],"mappings":""}

package/dist/schemas/plugin-manifest.schema.json

@@ -111,6 +111,7 @@
         "uc_function",
         "uc_connection",
         "database",
+        "postgres",
         "genie_space",
         "experiment",
         "app"
@@ -162,6 +163,11 @@
       "enum": ["CAN_CONNECT_AND_CREATE"],
       "description": "Permission for database resources"
     },
+    "postgresPermission": {
+      "type": "string",
+      "enum": ["CAN_CONNECT_AND_CREATE"],
+      "description": "Permission for Postgres resources"
+    },
     "genieSpacePermission": {
       "type": "string",
       "enum": ["CAN_VIEW", "CAN_RUN", "CAN_EDIT", "CAN_MANAGE"],
@@ -179,7 +185,6 @@
     },
     "resourceFieldEntry": {
       "type": "object",
-      "required": ["env"],
       "properties": {
         "env": {
           "type": "string",
@@ -190,20 +195,37 @@
         "description": {
           "type": "string",
           "description": "Human-readable description for this field"
+        },
+        "bundleIgnore": {
+          "type": "boolean",
+          "default": false,
+          "description": "When true, this field is excluded from Databricks bundle configuration (databricks.yml) generation."
+        },
+        "examples": {
+          "type": "array",
+          "items": { "type": "string" },
+          "description": "Example values showing the expected format for this field"
+        },
+        "localOnly": {
+          "type": "boolean",
+          "default": false,
+          "description": "When true, this field is only generated for local .env files. The Databricks Apps platform auto-injects it at deploy time."
+        },
+        "value": {
+          "type": "string",
+          "description": "Static value for this field. Used when no prompted or resolved value exists."
+        },
+        "resolve": {
+          "type": "string",
+          "pattern": "^[a-z_]+:[a-zA-Z]+$",
+          "description": "Named resolver prefixed by resource type (e.g., 'postgres:host'). The CLI resolves this value during the init prompt flow."
         }
       },
       "additionalProperties": false
     },
     "resourceRequirement": {
       "type": "object",
-      "required": [
-        "type",
-        "alias",
-        "resourceKey",
-        "description",
-        "permission",
-        "fields"
-      ],
+      "required": ["type", "alias", "resourceKey", "description", "permission"],
       "properties": {
         "type": {
           "$ref": "#/$defs/resourceType"
@@ -337,6 +359,17 @@
             }
           }
         },
+        {
+          "if": {
+            "properties": { "type": { "const": "postgres" } },
+            "required": ["type"]
+          },
+          "then": {
+            "properties": {
+              "permission": { "$ref": "#/$defs/postgresPermission" }
+            }
+          }
+        },
         {
           "if": {
             "properties": { "type": { "const": "genie_space" } },

package/dist/shared/src/plugin.d.ts

@@ -74,9 +74,19 @@ interface PluginManifest<TName extends string = string> {
  */
 interface ResourceFieldEntry {
   /** Environment variable name for this field */
-  env: string;
+  env?: string;
   /** Human-readable description for this field */
   description?: string;
+  /** When true, this field is excluded from Databricks bundle configuration (databricks.yml) generation. */
+  bundleIgnore?: boolean;
+  /** Example values showing the expected format for this field */
+  examples?: string[];
+  /** When true, this field is only generated for local .env files. The Databricks Apps platform auto-injects it at deploy time. */
+  localOnly?: boolean;
+  /** Static value for this field. Used when no prompted or resolved value exists. */
+  value?: string;
+  /** Named resolver prefixed by resource type (e.g., 'postgres:host'). The CLI resolves this value during the init prompt flow. */
+  resolve?: string;
 }
 /**
  * Resource requirement declaration (imported from registry types).

package/dist/shared/src/plugin.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"plugin.d.ts","names":[],"sources":["../../../../shared/src/plugin.ts"],"mappings":";;;;;UAIiB,UAAA;EACf,IAAA;EAEA,qBAAA;EAEA,KAAA,IAAS,OAAA;EAET,YAAA,CAAa,MAAA,EAAQ,OAAA,CAAQ,MAAA;EAE7B,YAAA,IAAgB,iBAAA;EAEhB,uBAAA,KAA4B,WAAA;EAE5B,OAAA;AAAA;;UAIe,gBAAA;EACf,IAAA;EACA,IAAA;EAAA,CAEC,GAAA;EAMD,SAAA,GAAY,gBAAA;AAAA;AAAA,KAGF,gBAAA;EAGN,MAAA;EACA,OAAA;EACA,IAAA;AAAA;AAAA,KAQM,WAAA;;;;;KAMA,iBAAA,KACN,gBAAA,YACM,UAAA,GAAa,UAAA,UAEvB,MAAA,EAAQ,CAAA,KACL,CAAA;EACH,cAAA,GAAiB,MAAA;EACjB,KAAA,GAAQ,WAAA;EA7BI;;;AAGd;EA+BE,QAAA,EAAU,cAAA;;;;;EAKV,uBAAA,EAAyB,MAAA,EAAQ,CAAA,GAAI,mBAAA;AAAA;;AAvBvC;;;UA8BiB,cAAA;EACf,IAAA,EAAM,KAAA;EACN,WAAA;EACA,WAAA;EACA,SAAA;IACE,QAAA,EAAU,IAAA,CAAK,mBAAA;IACf,QAAA,EAAU,IAAA,CAAK,mBAAA;EAAA;EAEjB,MAAA;IACE,MAAA,EAAQ,WAAA;EAAA;EAEV,cAAA;EACA,MAAA;EACA,MAAA;EACA,OAAA;EACA,UAAA;EACA,QAAA;EACA,OAAA;AAAA;;;;;;;UASe,kBAAA;EA5CE;EA8CjB,GAAA;EA7CQ;EA+CR,WAAA;AAAA;;;;;UAOe,mBAAA;EACf,IAAA;EACA,KAAA;EAvC6B;EAyC7B,WAAA;EACA,WAAA;EACA,UAAA;EAtCY;;;;EA2CZ,MAAA,EAAQ,MAAA,SAAe,kBAAA;EACvB,QAAA;AAAA;;;;;;KAoCU,aAAA,WAAwB,UAAA,IAClC,CAAA,sCAAqC,CAAA,GAAI,MAAA;AA5D3C;;;;;AAWA;;AAXA,KAqEY,UAAA,QAAkB,GAAA,cAAgB,IAAA,mBAC1C,GAAA,GACA,GAAA;EAjDY;;;;;EAuDV,MAAA,GAAS,GAAA,EAAK,WAAA,KAAgB,GAAA;AAAA;;;;;;AAlBpC;;;KA6BY,SAAA,oBACS,UAAA,CAAW,iBAAA,gCAExB,CAAA,YAAa,CAAA,WAAY,UAAA,CAC7B,aAAA,CAAc,YAAA,CAAa,CAAA;AAAA,KAInB,UAAA;EAAwB,MAAA,EAAQ,CAAA;EAAG,MAAA,EAAQ,CAAA;EAAG,IAAA,EAAM,CAAA;AAAA;AAAA,KACpD,QAAA,4BACV,MAAA,GAAS,CAAA,KACN,UAAA,CAAW,CAAA,EAAG,CAAA,EAAG,CAAA;;KAGV,UAAA,GAAa,OAAA,CAAQ,MAAA;AAAA,KACrB,YAAA,GAAe,OAAA,CAAQ,QAAA;AAAA,KACvB,WAAA,GAAc,OAAA,CAAQ,OAAA;AAAA,KAEtB,UAAA;AAAA,KAEA,WAAA;EAvCU,+DAyCpB,IAAA;EACA,MAAA,EAAQ,UAAA;EACR,IAAA;EACA,OAAA,GAAU,GAAA,EAAK,WAAA,EAAa,GAAA,EAAK,YAAA,KAAiB,OAAA,QApChB;EAsClC,eAAA;AAAA;;KAIU,iBAAA,GAAoB,MAAA"}
+{"version":3,"file":"plugin.d.ts","names":[],"sources":["../../../../shared/src/plugin.ts"],"mappings":";;;;;UAIiB,UAAA;EACf,IAAA;EAEA,qBAAA;EAEA,KAAA,IAAS,OAAA;EAET,YAAA,CAAa,MAAA,EAAQ,OAAA,CAAQ,MAAA;EAE7B,YAAA,IAAgB,iBAAA;EAEhB,uBAAA,KAA4B,WAAA;EAE5B,OAAA;AAAA;;UAIe,gBAAA;EACf,IAAA;EACA,IAAA;EAAA,CAEC,GAAA;EAMD,SAAA,GAAY,gBAAA;AAAA;AAAA,KAGF,gBAAA;EAGN,MAAA;EACA,OAAA;EACA,IAAA;AAAA;AAAA,KAQM,WAAA;;;;;KAMA,iBAAA,KACN,gBAAA,YACM,UAAA,GAAa,UAAA,UAEvB,MAAA,EAAQ,CAAA,KACL,CAAA;EACH,cAAA,GAAiB,MAAA;EACjB,KAAA,GAAQ,WAAA;EA7BI;;;AAGd;EA+BE,QAAA,EAAU,cAAA;;;;;EAKV,uBAAA,EAAyB,MAAA,EAAQ,CAAA,GAAI,mBAAA;AAAA;;AAvBvC;;;UA8BiB,cAAA;EACf,IAAA,EAAM,KAAA;EACN,WAAA;EACA,WAAA;EACA,SAAA;IACE,QAAA,EAAU,IAAA,CAAK,mBAAA;IACf,QAAA,EAAU,IAAA,CAAK,mBAAA;EAAA;EAEjB,MAAA;IACE,MAAA,EAAQ,WAAA;EAAA;EAEV,cAAA;EACA,MAAA;EACA,MAAA;EACA,OAAA;EACA,UAAA;EACA,QAAA;EACA,OAAA;AAAA;;;;;;;UASe,kBAAA;EA5CE;EA8CjB,GAAA;EA7CQ;EA+CR,WAAA;EA1CU;EA4CV,YAAA;EAvCiC;EAyCjC,QAAA;EAzCqC;EA2CrC,SAAA;EA3CwD;EA6CxD,KAAA;EAtC6B;EAwC7B,OAAA;AAAA;;;;;UAOe,mBAAA;EACf,IAAA;EACA,KAAA;EAjD8B;EAmD9B,WAAA;EACA,WAAA;EACA,UAAA;EAlDA;;;;EAuDA,MAAA,EAAQ,MAAA,SAAe,kBAAA;EACvB,QAAA;AAAA;;;;;;KAoCU,aAAA,WAAwB,UAAA,IAClC,CAAA,sCAAqC,CAAA,GAAI,MAAA;;;;AAjD3C;;;;KA0DY,UAAA,QAAkB,GAAA,cAAgB,IAAA,mBAC1C,GAAA,GACA,GAAA;EA1DF;;;;;EAgEI,MAAA,GAAS,GAAA,EAAK,WAAA,KAAgB,GAAA;AAAA;;;;AAlBpC;;;;;KA6BY,SAAA,oBACS,UAAA,CAAW,iBAAA,gCAExB,CAAA,YAAa,CAAA,WAAY,UAAA,CAC7B,aAAA,CAAc,YAAA,CAAa,CAAA;AAAA,KAInB,UAAA;EAAwB,MAAA,EAAQ,CAAA;EAAG,MAAA,EAAQ,CAAA;EAAG,IAAA,EAAM,CAAA;AAAA;AAAA,KACpD,QAAA,4BACV,MAAA,GAAS,CAAA,KACN,UAAA,CAAW,CAAA,EAAG,CAAA,EAAG,CAAA;;KAGV,UAAA,GAAa,OAAA,CAAQ,MAAA;AAAA,KACrB,YAAA,GAAe,OAAA,CAAQ,QAAA;AAAA,KACvB,WAAA,GAAc,OAAA,CAAQ,OAAA;AAAA,KAEtB,UAAA;AAAA,KAEA,WAAA;EAtCR,+DAwCF,IAAA;EACA,MAAA,EAAQ,UAAA;EACR,IAAA;EACA,OAAA,GAAU,GAAA,EAAK,WAAA,EAAa,GAAA,EAAK,YAAA,KAAiB,OAAA,QApCb;EAsCrC,eAAA;AAAA;;KAIU,iBAAA,GAAoB,MAAA"}

package/docs/api/appkit/Enumeration.ResourceType.md

@@ -49,6 +49,15 @@ JOB: "job";
 
 ***
 
+### POSTGRES[​](#postgres "Direct link to POSTGRES")
+
+```ts
+POSTGRES: "postgres";
+
+```
+
+***
+
 ### SECRET[​](#secret "Direct link to SECRET")
 
 ```ts

package/docs/api/appkit/Interface.ResourceFieldEntry.md

@@ -4,6 +4,17 @@ Defines a single field for a resource. Each field has its own environment variab
 
 ## Properties[​](#properties "Direct link to Properties")
 
+### bundleIgnore?[​](#bundleignore "Direct link to bundleIgnore?")
+
+```ts
+optional bundleIgnore: boolean;
+
+```
+
+When true, this field is excluded from Databricks bundle configuration (databricks.yml) generation.
+
+***
+
 ### description?[​](#description "Direct link to description?")
 
 ```ts
@@ -15,11 +26,55 @@ Human-readable description for this field
 
 ***
 
-### env[​](#env "Direct link to env")
+### env?[​](#env "Direct link to env?")
 
 ```ts
-env: string;
+optional env: string;
 
 ```
 
 Environment variable name for this field
+
+***
+
+### examples?[​](#examples "Direct link to examples?")
+
+```ts
+optional examples: string[];
+
+```
+
+Example values showing the expected format for this field
+
+***
+
+### localOnly?[​](#localonly "Direct link to localOnly?")
+
+```ts
+optional localOnly: boolean;
+
+```
+
+When true, this field is only generated for local .env files. The Databricks Apps platform auto-injects it at deploy time.
+
+***
+
+### resolve?[​](#resolve "Direct link to resolve?")
+
+```ts
+optional resolve: string;
+
+```
+
+Named resolver prefixed by resource type (e.g., 'postgres<!-- -->:host<!-- -->'). The CLI resolves this value during the init prompt flow.
+
+***
+
+### value?[​](#value "Direct link to value?")
+
+```ts
+optional value: string;
+
+```
+
+Static value for this field. Used when no prompted or resolved value exists.

package/docs/api/appkit/TypeAlias.ResourcePermission.md

@@ -11,6 +11,7 @@ type ResourcePermission =
   | UcFunctionPermission
   | UcConnectionPermission
   | DatabasePermission
+  | PostgresPermission
   | GenieSpacePermission
   | ExperimentPermission
   | AppPermission;

package/docs/plugins/lakebase.md

@@ -1,9 +1,5 @@
 # Lakebase plugin
 
-info
-
-Currently, the Lakebase plugin currently requires a one-time manual setup to connect your Databricks App with your Lakebase database. An automated setup process is planned for an upcoming future release.
-
 Provides a PostgreSQL connection pool for Databricks Lakebase Autoscaling with automatic OAuth token refresh.
 
 **Key features:**
@@ -12,90 +8,24 @@ Provides a PostgreSQL connection pool for Databricks Lakebase Autoscaling with a
 * Automatic OAuth token refresh (1-hour tokens, 2-minute refresh buffer)
 * Token caching to minimize API calls
 * Built-in OpenTelemetry instrumentation (query duration, pool connections, token refresh)
+* AppKit logger configured by default for query and connection events
 
-## Setting up Lakebase[​](#setting-up-lakebase "Direct link to Setting up Lakebase")
-
-Before using the plugin, you need to connect your Databricks App's service principal to your Lakebase database.
-
-### 1. Find your app's service principal[​](#1-find-your-apps-service-principal "Direct link to 1. Find your app's service principal")
-
-Create a Databricks App from the UI (`Compute > Apps > Create App > Create a custom app`). Navigate to the **Environment** tab and note the `DATABRICKS_CLIENT_ID` value — this is the service principal that will connect to your Lakebase database.
-
-![App environment tab](/appkit/assets/images/step-1-073320f925a3961838afa0842c727307.png)
-
-### 2. Find your Project ID and Branch ID[​](#2-find-your-project-id-and-branch-id "Direct link to 2. Find your Project ID and Branch ID")
+## Getting started with the Lakebase[​](#getting-started-with-the-lakebase "Direct link to Getting started with the Lakebase")
 
-Create a new Lakebase Postgres Autoscaling project. Navigate to your Lakebase project's branch details and switch to the **Compute** tab. Note the **Project ID** and **Branch ID** from the URL.
+The easiest way to get started with the Lakebase plugin is to use the Databricks CLI to create a new Databricks app with AppKit installed and the Lakebase plugin.
 
-![Branch details](/appkit/assets/images/step-2-25954a56aecd4dafe4966f7cecc6e8f4.png)
+### Prerequisites[​](#prerequisites "Direct link to Prerequisites")
 
-### 3. Find your endpoint[​](#3-find-your-endpoint "Direct link to 3. Find your endpoint")
+* [Node.js](https://nodejs.org) v22+ environment with `npm`
+* Databricks CLI (v0.287.0 or higher): install and configure it according to the [official tutorial](https://docs.databricks.com/aws/en/dev-tools/cli/tutorial).
+* A new Databricks app with AppKit installed. See [Bootstrap a new Databricks app](./docs.md#quick-start-options) for more details.
 
-Use the Databricks CLI to list endpoints for the branch. Note the `name` field from the output — this is your `LAKEBASE_ENDPOINT` value.
+### Steps[​](#steps "Direct link to Steps")
 
-```bash
-databricks postgres list-endpoints projects/{project-id}/branches/{branch-id}
-
-```
-
-Example output:
-
-```json
-[
-  {
-    "create_time": "2026-02-19T12:13:02Z",
-    "name": "projects/{project-id}/branches/{branch-id}/endpoints/primary"
-  }
-]
-
-```
-
-### 4. Get connection parameters[​](#4-get-connection-parameters "Direct link to 4. Get connection parameters")
-
-Click the **Connect** button on your Lakebase branch and copy the `PGHOST` and `PGDATABASE` values for later.
-
-![Connect dialog](/appkit/assets/images/step-4-78b906d125c2c130f6e14984a9f89a62.png)
-
-### 5. Grant access to the service principal[​](#5-grant-access-to-the-service-principal "Direct link to 5. Grant access to the service principal")
-
-Navigate to the **SQL Editor** tab on your Lakebase branch. Run the following SQL against the `databricks_postgres` database, replacing the service principal ID in the `DECLARE` block with the `DATABRICKS_CLIENT_ID` value from step 1:
-
-```sql
-CREATE EXTENSION IF NOT EXISTS databricks_auth;
-
-DO $$
-DECLARE
-  sp TEXT := 'your-service-principal-id';  -- Replace with DATABRICKS_CLIENT_ID from Step 1
-BEGIN
-  -- Create service principal role
-  PERFORM databricks_create_role(sp, 'SERVICE_PRINCIPAL');
-
-  -- Connection and schema access
-  EXECUTE format('GRANT CONNECT ON DATABASE "databricks_postgres" TO %I', sp);
-  EXECUTE format('GRANT ALL ON SCHEMA public TO %I', sp);
-
-  -- Privileges on existing objects
-  EXECUTE format('GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO %I', sp);
-  EXECUTE format('GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO %I', sp);
-  EXECUTE format('GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public TO %I', sp);
-  EXECUTE format('GRANT ALL PRIVILEGES ON ALL PROCEDURES IN SCHEMA public TO %I', sp);
-
-  -- Default privileges on future objects you create
-  EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO %I', sp);
-  EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO %I', sp);
-  EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON FUNCTIONS TO %I', sp);
-  EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON ROUTINES TO %I', sp);
-END $$;
-
-```
-
-![SQL Editor](/appkit/assets/images/step-5-38bdf3e3ac8aadf2c0cd57aa5f0ba090.png)
-
-### 6. Verify the role[​](#6-verify-the-role "Direct link to 6. Verify the role")
-
-Navigate to the **Roles & Databases** tab and confirm the role is visible. You may need to fully refresh the page.
-
-![Roles \& Databases tab](/appkit/assets/images/step-6-edbb462e89a66c46d58424768c163e4e.png)
+1. Firstly, create a new Lakebase Postgres Autoscaling project according to the [Get started documentation](https://docs.databricks.com/aws/en/oltp/projects/get-started).
+2. To add the Lakebase plugin to your project, run the `databricks apps init` command and interactively select the **Lakebase** plugin. The CLI will guide you through picking a Lakebase project, branch, and database.
+   <!-- -->
+   * When asked, select **Yes** to deploy the app to Databricks Apps right after its creation.
 
 ## Basic usage[​](#basic-usage "Direct link to Basic usage")
 
@@ -108,34 +38,6 @@ await createApp({
 
 ```
 
-## Environment variables[​](#environment-variables "Direct link to Environment variables")
-
-The required environment variables:
-
-| Variable            | Description                                                             |
-| ------------------- | ----------------------------------------------------------------------- |
-| `PGHOST`            | Lakebase host                                                           |
-| `PGDATABASE`        | Database name                                                           |
-| `LAKEBASE_ENDPOINT` | Endpoint resource path (e.g. `projects/.../branches/.../endpoints/...`) |
-| `PGSSLMODE`         | TLS mode — set to `require`                                             |
-
-Ensure that those environment variables are set both for local development (`.env` file) and for deployment (`app.yaml` file):
-
-```yaml
-env:
-  - name: LAKEBASE_ENDPOINT
-    value: projects/{project-id}/branches/{branch-id}/endpoints/primary
-  - name: PGHOST
-    value: {your-lakebase-host}
-  - name: PGDATABASE
-    value: databricks_postgres
-  - name: PGSSLMODE
-    value: require
-
-```
-
-For the full configuration reference (SSL, pool size, timeouts, logging, ORM examples), see the [`@databricks/lakebase` README](https://github.com/databricks/appkit/blob/main/packages/lakebase/README.md).
-
 ## Accessing the pool[​](#accessing-the-pool "Direct link to Accessing the pool")
 
 After initialization, access Lakebase through the `AppKit.lakebase` object:
@@ -145,9 +47,17 @@ const AppKit = await createApp({
   plugins: [server(), lakebase()],
 });
 
-// Direct query (parameterized)
+await AppKit.lakebase.query(`CREATE SCHEMA IF NOT EXISTS app`);
+
+await AppKit.lakebase.query(`CREATE TABLE IF NOT EXISTS app.orders (
+  id SERIAL PRIMARY KEY,
+  user_id VARCHAR(255) NOT NULL,
+  amount DECIMAL(10, 2) NOT NULL,
+  created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+)`);
+
 const result = await AppKit.lakebase.query(
-  "SELECT * FROM orders WHERE user_id = $1",
+  "SELECT * FROM app.orders WHERE user_id = $1",
   [userId],
 );
 
@@ -160,7 +70,33 @@ const pgConfig = AppKit.lakebase.getPgConfig();    // pg.PoolConfig
 
 ```
 
-## Configuration options[​](#configuration-options "Direct link to Configuration options")
+## Configuration[​](#configuration "Direct link to Configuration")
+
+### Environment variables[​](#environment-variables "Direct link to Environment variables")
+
+The required environment variables are:
+
+| Variable            | Description                                                                                          |
+| ------------------- | ---------------------------------------------------------------------------------------------------- |
+| `LAKEBASE_ENDPOINT` | Endpoint resource path (e.g. `projects/.../branches/.../endpoints/...`)                              |
+| `PGHOST`            | Lakebase host (auto-injected in production by the `postgres` Databricks Apps resource)               |
+| `PGDATABASE`        | Database name (auto-injected in production by the `postgres` Databricks Apps resource)               |
+| `PGSSLMODE`         | TLS mode - set to `require` (auto-injected in production by the `postgres` Databricks Apps resource) |
+
+When deployed to Databricks Apps with a `postgres` database resource configured, `PGHOST`, `PGDATABASE`, `PGSSLMODE`, `PGUSER`, `PGPORT`, and `PGAPPNAME` are automatically injected by the platform. Only `LAKEBASE_ENDPOINT` must be set explicitly:
+
+```yaml
+env:
+  - name: LAKEBASE_ENDPOINT
+    valueFrom: postgres
+
+```
+
+For local development, the `.env` file is automatically generated by `databricks apps init` with the correct values for your Lakebase project.
+
+For the full configuration reference (SSL, pool size, timeouts, logging, ORM examples), see the [`@databricks/lakebase` README](https://github.com/databricks/appkit/blob/main/packages/lakebase/README.md).
+
+### Pool configuration[​](#pool-configuration "Direct link to Pool configuration")
 
 Pass a `pool` object to override any defaults:
 
@@ -178,3 +114,74 @@ await createApp({
 });
 
 ```
+
+## Database Permissions[​](#database-permissions "Direct link to Database Permissions")
+
+When you create the app with the Lakebase resource using the [Getting started](#getting-started-with-the-lakebase) guide, the Service Principal is automatically granted `CONNECT_AND_CREATE` permission on the `postgres` resource. This lets the Service Principal connect to the database and create new objects, but **not access any existing schemas or tables.**
+
+### Local development[​](#local-development "Direct link to Local development")
+
+To develop locally against a deployed Lakebase database:
+
+1. **Deploy the app first.** The Service Principal creates the database schema and tables on first deploy. Apps generated from `databricks apps init` handle this automatically - they check if tables exist on startup and skip creation if they do.
+
+2. **Grant `databricks_superuser` via the Lakebase UI:**
+
+   1. Open the Lakebase Autoscaling UI and navigate to your project's **Branch Overview** page.
+   2. Click **Add role** (or **Edit role** if your OAuth role already exists).
+   3. Select your Databricks identity as the principal and check the **`databricks_superuser`** system role.
+
+3. **Run locally** - your Databricks user identity (email) is used for OAuth authentication. The `databricks_superuser` role gives full **DML access** (read/write data) but **not DDL** (creating schemas or tables) - that's why deploying first matters (see note below).
+
+For other users, use the same **Add role** flow in the Lakebase UI to create an OAuth role with `databricks_superuser` for each user.
+
+tip
+
+[Postgres password authentication](https://docs.databricks.com/aws/en/oltp/projects/authentication#overview) is a simpler alternative that avoids OAuth role permission complexity. However, it requires you to set up a password for the user in the **Branch Overview** page in the Lakebase Autoscaling UI.
+
+Why deploy first?
+
+When the app is deployed, the Service Principal creates schemas and tables and becomes their owner. A `databricks_superuser` has full **DML access** (SELECT, INSERT, UPDATE, DELETE) to these objects, but **cannot run DDL** (CREATE SCHEMA, CREATE TABLE) on schemas owned by the Service Principal. Deploying first ensures all objects exist before local development begins.
+
+### Fine-grained permissions[​](#fine-grained-permissions "Direct link to Fine-grained permissions")
+
+For most use cases, `databricks_superuser` is sufficient. If you need schema-level grants instead, refer to the official documentation:
+
+* [Manage database permissions](https://docs.databricks.com/aws/en/oltp/projects/manage-roles-permissions)
+* [Postgres roles](https://docs.databricks.com/aws/en/oltp/projects/postgres-roles)
+
+SQL script for fine-grained grants
+
+Deploy and run the app at least once before executing these grants so the Service Principal initializes the database schema first.
+
+Replace `subject` with the user email and `schema` with your schema name:
+
+```sql
+CREATE EXTENSION IF NOT EXISTS databricks_auth;
+
+DO $$
+DECLARE
+  subject TEXT := 'your-subject';  -- User email like name@databricks.com
+  schema TEXT := 'your_schema'; -- Replace 'your_schema' with your schema name
+BEGIN
+  -- Create OAuth role for the Databricks identity
+  PERFORM databricks_create_role(subject, 'USER');
+
+  -- Connection and schema access
+  EXECUTE format('GRANT CONNECT ON DATABASE "databricks_postgres" TO %I', subject);
+  EXECUTE format('GRANT ALL ON SCHEMA %s TO %I', schema, subject);
+
+  -- Privileges on existing objects
+  EXECUTE format('GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA %s TO %I', schema, subject);
+  EXECUTE format('GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA %s TO %I', schema, subject);
+  EXECUTE format('GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA %s TO %I', schema, subject);
+  EXECUTE format('GRANT ALL PRIVILEGES ON ALL PROCEDURES IN SCHEMA %s TO %I', schema, subject);
+
+  -- Default privileges on future objects
+  EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT ALL ON TABLES TO %I', schema, subject);
+  EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT ALL ON SEQUENCES TO %I', schema, subject);
+  EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT ALL ON FUNCTIONS TO %I', schema, subject);
+  EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT ALL ON ROUTINES TO %I', schema, subject);
+END $$;
+
+```

package/llms.txt

@@ -46,7 +46,7 @@ npx @databricks/appkit docs <query>
 - [Execution context](./docs/plugins/execution-context.md): AppKit manages Databricks authentication via two contexts:
 - [Files plugin](./docs/plugins/files.md): File operations against Databricks Unity Catalog Volumes. Supports listing, reading, downloading, uploading, deleting, and previewing files with built-in caching, retry, and timeout handling via the execution interceptor pipeline.
 - [Genie plugin](./docs/plugins/genie.md): Integrates Databricks AI/BI Genie spaces into your AppKit application, enabling natural language data queries via a conversational interface.
-- [Lakebase plugin](./docs/plugins/lakebase.md): Currently, the Lakebase plugin currently requires a one-time manual setup to connect your Databricks App with your Lakebase database. An automated setup process is planned for an upcoming future release.
+- [Lakebase plugin](./docs/plugins/lakebase.md): Provides a PostgreSQL connection pool for Databricks Lakebase Autoscaling with automatic OAuth token refresh.
 - [Plugin management](./docs/plugins/plugin-management.md): AppKit includes a CLI for managing plugins. All commands are available under npx @databricks/appkit plugin.
 - [Server plugin](./docs/plugins/server.md): Provides HTTP server capabilities with development and production modes.
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@databricks/appkit",
   "type": "module",
-  "version": "0.19.0",
+  "version": "0.20.0",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
   "packageManager": "pnpm@10.21.0",