isolinear 0.1.0__tar.gz

isolinear-0.1.0/.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,41 @@
+name: Bug report
+description: Something isn't working
+labels: [bug]
+body:
+  - type: textarea
+    id: what
+    attributes:
+      label: What happened?
+      description: What did you do, what did you expect, and what happened instead?
+    validations:
+      required: true
+  - type: textarea
+    id: repro
+    attributes:
+      label: Steps to reproduce
+      placeholder: |
+        1. Run `isolinear`
+        2. ...
+  - type: input
+    id: version
+    attributes:
+      label: Isolinear version
+      placeholder: "0.1.0  (uvx isolinear --version, or `uv tool list`)"
+  - type: input
+    id: python
+    attributes:
+      label: Python version
+      placeholder: "3.12"
+  - type: input
+    id: os
+    attributes:
+      label: OS / terminal
+      placeholder: "macOS 15 · iTerm2"
+  - type: textarea
+    id: logs
+    attributes:
+      label: Error output
+      description: >
+        The TUI takes over the screen, so capture stderr with
+        `isolinear 2>err.log` and paste `err.log` here.
+      render: text

isolinear-0.1.0/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: true
+contact_links:
+  - name: Security vulnerability
+    url: https://github.com/misja-pronk/isolinear/security/advisories/new
+    about: Please report security issues privately, not as a public issue.

isolinear-0.1.0/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,13 @@
+<!-- Thanks for contributing to Isolinear! -->
+
+## What & why
+
+<!-- What does this change, and why? Link any related issue (#123). -->
+
+## Checklist
+
+- [ ] `uv run pytest` passes
+- [ ] `uv run ruff check .` and `uv run ruff format .` are clean
+- [ ] `uv run ty check` passes
+- [ ] New behaviour has a test
+- [ ] Business logic stays out of `interface/`; the SDK stays in `infrastructure/`

isolinear-0.1.0/.github/workflows/ci.yml

@@ -0,0 +1,59 @@
+name: ci
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  lint:
+    name: lint + types
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v6
+        with:
+          enable-cache: true
+      - run: uv sync
+      - name: Lint (ruff)
+        run: uv run ruff check .
+      - name: Format check (ruff)
+        run: uv run ruff format --check .
+      - name: Type check (ty)
+        run: uv run ty check
+
+  test:
+    name: test (py${{ matrix.python-version }} · ${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest]
+        python-version: ["3.11", "3.12", "3.13", "3.14"]
+        include:
+          - os: macos-latest
+            python-version: "3.14"
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v6
+        with:
+          enable-cache: true
+      - name: Tests (pytest)
+        run: uv run --python ${{ matrix.python-version }} pytest
+
+  build:
+    name: build (wheel + sdist)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v6
+      - run: uv build
+      - name: Smoke-test the built wheel on 3.11
+        run: |
+          uv venv /tmp/smoke -p 3.11
+          uv pip install --python /tmp/smoke/bin/python dist/*.whl
+          /tmp/smoke/bin/python -c "import isolinear.app; print('import OK')"
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/*

isolinear-0.1.0/.github/workflows/release.yml

@@ -0,0 +1,43 @@
+name: release
+
+# Publish to PyPI when a version tag is pushed, e.g. `git tag v0.1.0 && git push --tags`.
+# Uses PyPI Trusted Publishing (OIDC) — no API token needed. Configure a trusted
+# publisher for this repo + workflow at https://pypi.org/manage/account/publishing/.
+
+on:
+  push:
+    tags: ["v*"]
+  workflow_dispatch:
+
+jobs:
+  pypi:
+    name: build + publish to PyPI
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write # required for trusted publishing
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v6
+
+      - name: Build
+        run: uv build
+
+      - name: Publish
+        run: uv publish --trusted-publishing always
+
+  github-release:
+    name: attach artifacts to the GitHub release
+    needs: pypi
+    if: startsWith(github.ref, 'refs/tags/')
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v6
+      - run: uv build
+      - uses: softprops/action-gh-release@v2
+        with:
+          files: dist/*
+          generate_release_notes: true

isolinear-0.1.0/.gitignore

@@ -0,0 +1,8 @@
+.venv/
+__pycache__/
+*.pyc
+.textual/
+dist/
+build/
+*.egg-info/
+.DS_Store

isolinear-0.1.0/CHANGELOG.md

@@ -0,0 +1,27 @@
+# Changelog
+
+All notable changes to this project are documented here. The format is based on
+[Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project
+adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [0.1.0]
+
+Initial release.
+
+### Added
+
+- Three-pane terminal browser for Databricks scopes, secrets, and ACLs.
+- Onboarding: OAuth browser login by workspace URL, account-level workspace
+  discovery (AWS / Azure / GCP), and saved `~/.databrickscfg` profiles.
+- Create / edit / delete secrets, create / delete scopes, and manage scope
+  permissions (ACLs).
+- Reveal & copy secret values (fetched lazily; never bulk-loaded).
+- Authorization overview of your effective permission per scope.
+- Fuzzy filter (`/`), command palette (`ctrl+p`), vim + arrow navigation.
+- Pre-loads and caches scopes/secrets/ACLs on startup.
+- Three switchable themes (violet, amber Okudagram, phosphor green).
+
+[Unreleased]: https://github.com/misja-pronk/isolinear/compare/v0.1.0...HEAD
+[0.1.0]: https://github.com/misja-pronk/isolinear/releases/tag/v0.1.0

isolinear-0.1.0/CONTRIBUTING.md

@@ -0,0 +1,62 @@
+# Contributing to Isolinear
+
+Thanks for your interest! Issues and pull requests are very welcome.
+
+## Toolchain
+
+Isolinear uses [`mise`](https://mise.jdx.dev) to pin tools and the all-Astral
+stack — [`uv`](https://docs.astral.sh/uv/) (env / deps / run),
+[`ruff`](https://docs.astral.sh/ruff/) (lint + format), and
+[`ty`](https://docs.astral.sh/ty/) (type check).
+
+```sh
+mise install   # installs the pinned Python + uv (optional but recommended)
+uv sync        # creates .venv and installs deps + dev tools
+```
+
+## Day-to-day
+
+```sh
+uv run isolinear                  # run the app
+uv run textual run --dev isolinear.app:IsolinearApp   # with Textual devtools
+
+uv run pytest                     # test suite
+uv run ruff check . && uv run ruff format .   # lint + format
+uv run ty check                   # type check
+```
+
+All four of these run in CI on every push/PR — please make sure they're green
+before opening a PR. New behaviour should come with a test.
+
+## Architecture
+
+The codebase is hexagonal / DDD; the dependency rule is enforced by convention:
+
+```
+interface → application → domain ← infrastructure
+```
+
+- **`domain/`** — pure model, rules, and ports (`Protocol`s). No Textual, SDK,
+  or asyncio.
+- **`application/`** — use-cases (`WorkspaceService`, `OnboardingService`) and
+  the in-memory read model. Depends only on `domain`.
+- **`infrastructure/`** — adapters that implement the ports; the *only* place
+  that imports the Databricks SDK.
+- **`interface/`** — the Textual UI. Talks to `application` + `domain` only.
+- **`app.py`** — the composition root that wires the adapters together.
+
+Keep business logic out of the UI, keep the SDK out of everything but
+`infrastructure/`, and tests can substitute the in-memory fakes in `tests/`.
+
+## Tests
+
+- `domain` / `application` are covered by fast unit tests with fake ports.
+- The UI is driven through Textual's `Pilot` harness — no network, no real
+  Databricks. See `tests/fakes.py` for the in-memory doubles.
+
+## Commits & PRs
+
+- Small, focused PRs are easiest to review.
+- Describe the *why*, not just the *what*.
+- By contributing you agree your work is licensed under the project's
+  [MIT License](LICENSE).

isolinear-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Misja Pronk
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

isolinear-0.1.0/PKG-INFO

@@ -0,0 +1,163 @@
+Metadata-Version: 2.4
+Name: isolinear
+Version: 0.1.0
+Summary: A keyboard-driven terminal UI for managing Databricks secrets
+Project-URL: Homepage, https://github.com/misja-pronk/isolinear
+Project-URL: Repository, https://github.com/misja-pronk/isolinear
+Project-URL: Issues, https://github.com/misja-pronk/isolinear/issues
+Project-URL: Changelog, https://github.com/misja-pronk/isolinear/blob/main/CHANGELOG.md
+Author-email: Misja Pronk <misja@prorexconsultancy.nl>
+License-Expression: MIT
+License-File: LICENSE
+Keywords: cli,databricks,secret-manager,secrets,security,terminal,textual,tui
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: System Administrators
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Topic :: Security
+Classifier: Topic :: Terminals
+Classifier: Topic :: Utilities
+Classifier: Typing :: Typed
+Requires-Python: >=3.11
+Requires-Dist: databricks-sdk>=0.30
+Requires-Dist: textual>=2.0
+Description-Content-Type: text/markdown
+
+# Isolinear ▦
+
+**A keyboard-driven terminal UI for managing Databricks secrets.**
+Browse workspaces, scopes, secrets and ACLs; create / edit / delete; reveal &
+copy values — all from a fast, LCARS-flavoured TUI.
+
+[![ci](https://github.com/misja-pronk/isolinear/actions/workflows/ci.yml/badge.svg)](https://github.com/misja-pronk/isolinear/actions/workflows/ci.yml)
+[![PyPI](https://img.shields.io/pypi/v/isolinear.svg)](https://pypi.org/project/isolinear/)
+[![Python](https://img.shields.io/pypi/pyversions/isolinear.svg)](https://pypi.org/project/isolinear/)
+[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
+[![Ruff](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff)
+
+![Isolinear browsing secrets](docs/img/browse.png)
+
+## Install
+
+Run it with [uv](https://docs.astral.sh/uv/) — no clone, no virtualenv:
+
+```sh
+uvx isolinear              # run once, ephemerally
+uv tool install isolinear  # install the `isolinear` (and `iso`) commands on PATH
+```
+
+Or with pipx: `pipx run isolinear` / `pipx install isolinear`.
+
+> Requires Python ≥ 3.11. Built with [Textual](https://textual.textualize.io)
+> and the [Databricks SDK](https://github.com/databricks/databricks-sdk-py).
+
+## Quickstart
+
+```sh
+isolinear        # or: iso
+```
+
+You **don't** need to pre-configure anything. On first launch Isolinear opens an
+onboarding hub with two doors:
+
+1. **Workspace URL** — paste a workspace URL and sign in through your browser
+   (OAuth U2M / SSO). No token required.
+2. **Discover via account** — pick your cloud (AWS / Azure / GCP), paste your
+   Account ID, sign in once, and Isolinear lists **every workspace in the
+   account** for you to choose from.
+
+Tick *save as profile* and it writes a reusable entry to `~/.databrickscfg`
+(host + `auth_type = external-browser`, **no secret stored** — same as
+`databricks auth login`), so next launch connects instantly. Existing
+`~/.databrickscfg` profiles show up automatically.
+
+<table>
+  <tr>
+    <td><img src="docs/img/login.png" alt="Login hub"></td>
+    <td><img src="docs/img/auth.png" alt="Authorization overview"></td>
+  </tr>
+  <tr>
+    <td align="center"><sub>Onboarding hub</sub></td>
+    <td align="center"><sub>Authorization overview</sub></td>
+  </tr>
+</table>
+
+## Features
+
+- **Three-pane browser** — scopes (with secret counts + your access), secrets
+  (with relative age), and a detail pane.
+- **Reveal & copy** secret values; values are fetched lazily on reveal and never
+  bulk-pulled into memory.
+- **Full CRUD** — create / edit / delete secrets, create / delete scopes,
+  manage scope **permissions (ACLs)**.
+- **Authorization overview** — your effective permission on every scope.
+- **Fuzzy filter** (`/`), **command palette** (`ctrl+p`), vim + arrow navigation.
+- **Multiple workspaces** — switch profiles, or add new connections on the fly.
+- **Pre-loads & caches** everything on startup for an instant experience.
+- Three switchable themes (violet, amber Okudagram, phosphor green).
+
+## Keys
+
+Everything is keyboard driven. Press `?` for the in-app cheat-sheet or `ctrl+p`
+for the fuzzy command palette.
+
+| Key | Action |
+|-----|--------|
+| `↑↓` / `j` `k` | Move within a pane |
+| `←→` / `h` `l` · `tab` | Move between panes |
+| `g` / `G` | Jump to top / bottom |
+| `/` | Filter the focused pane |
+| `n` / `N` | New secret / new scope |
+| `e` · `d` | Edit secret · delete (with confirm) |
+| `p` | Manage scope permissions (ACLs) |
+| `space` · `c` | Reveal / hide value · copy value |
+| `r` / `R` | Refresh scope / workspace |
+| `a` | Authorization overview |
+| `w` · `ctrl+p` | Switch workspace · command palette |
+| `?` · `q` | Help · quit |
+
+## Security
+
+Isolinear talks to Databricks through the official SDK's unified auth. It does
+**not** store secret *values* — they're read on demand and kept only in memory.
+Saved profiles contain a host + `auth_type`, never a token. See
+[SECURITY.md](SECURITY.md) for details and how to report a vulnerability.
+
+## How it's built
+
+Hexagonal / DDD layers; dependencies point inward and **all I/O is behind domain
+ports**, so the UI never touches the SDK and the whole domain is unit-testable
+without a network:
+
+```
+isolinear/
+  domain/          model, rules + ports (SecretStore, WorkspaceConnector, ProfileStore)
+  application/     use-cases (WorkspaceService, OnboardingService) + read model
+  infrastructure/  adapters — the only Databricks-SDK importers
+  interface/       Textual presentation (no business logic, no infra)
+  app.py           composition root
+```
+
+## Contributing
+
+Issues and PRs welcome — see [CONTRIBUTING.md](CONTRIBUTING.md). The toolkit is
+all-[Astral](https://astral.sh): **uv** (env/deps/run), **ruff** (lint+format),
+**ty** (types).
+
+```sh
+uv sync
+uv run pytest        # tests (core units + UI via Textual Pilot)
+uv run ruff check .  # lint
+uv run ty check      # types
+uv run isolinear     # run it
+```
+
+## License
+
+[MIT](LICENSE) © Misja Pronk

isolinear-0.1.0/README.md

@@ -0,0 +1,132 @@
+# Isolinear ▦
+
+**A keyboard-driven terminal UI for managing Databricks secrets.**
+Browse workspaces, scopes, secrets and ACLs; create / edit / delete; reveal &
+copy values — all from a fast, LCARS-flavoured TUI.
+
+[![ci](https://github.com/misja-pronk/isolinear/actions/workflows/ci.yml/badge.svg)](https://github.com/misja-pronk/isolinear/actions/workflows/ci.yml)
+[![PyPI](https://img.shields.io/pypi/v/isolinear.svg)](https://pypi.org/project/isolinear/)
+[![Python](https://img.shields.io/pypi/pyversions/isolinear.svg)](https://pypi.org/project/isolinear/)
+[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
+[![Ruff](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff)
+
+![Isolinear browsing secrets](docs/img/browse.png)
+
+## Install
+
+Run it with [uv](https://docs.astral.sh/uv/) — no clone, no virtualenv:
+
+```sh
+uvx isolinear              # run once, ephemerally
+uv tool install isolinear  # install the `isolinear` (and `iso`) commands on PATH
+```
+
+Or with pipx: `pipx run isolinear` / `pipx install isolinear`.
+
+> Requires Python ≥ 3.11. Built with [Textual](https://textual.textualize.io)
+> and the [Databricks SDK](https://github.com/databricks/databricks-sdk-py).
+
+## Quickstart
+
+```sh
+isolinear        # or: iso
+```
+
+You **don't** need to pre-configure anything. On first launch Isolinear opens an
+onboarding hub with two doors:
+
+1. **Workspace URL** — paste a workspace URL and sign in through your browser
+   (OAuth U2M / SSO). No token required.
+2. **Discover via account** — pick your cloud (AWS / Azure / GCP), paste your
+   Account ID, sign in once, and Isolinear lists **every workspace in the
+   account** for you to choose from.
+
+Tick *save as profile* and it writes a reusable entry to `~/.databrickscfg`
+(host + `auth_type = external-browser`, **no secret stored** — same as
+`databricks auth login`), so next launch connects instantly. Existing
+`~/.databrickscfg` profiles show up automatically.
+
+<table>
+  <tr>
+    <td><img src="docs/img/login.png" alt="Login hub"></td>
+    <td><img src="docs/img/auth.png" alt="Authorization overview"></td>
+  </tr>
+  <tr>
+    <td align="center"><sub>Onboarding hub</sub></td>
+    <td align="center"><sub>Authorization overview</sub></td>
+  </tr>
+</table>
+
+## Features
+
+- **Three-pane browser** — scopes (with secret counts + your access), secrets
+  (with relative age), and a detail pane.
+- **Reveal & copy** secret values; values are fetched lazily on reveal and never
+  bulk-pulled into memory.
+- **Full CRUD** — create / edit / delete secrets, create / delete scopes,
+  manage scope **permissions (ACLs)**.
+- **Authorization overview** — your effective permission on every scope.
+- **Fuzzy filter** (`/`), **command palette** (`ctrl+p`), vim + arrow navigation.
+- **Multiple workspaces** — switch profiles, or add new connections on the fly.
+- **Pre-loads & caches** everything on startup for an instant experience.
+- Three switchable themes (violet, amber Okudagram, phosphor green).
+
+## Keys
+
+Everything is keyboard driven. Press `?` for the in-app cheat-sheet or `ctrl+p`
+for the fuzzy command palette.
+
+| Key | Action |
+|-----|--------|
+| `↑↓` / `j` `k` | Move within a pane |
+| `←→` / `h` `l` · `tab` | Move between panes |
+| `g` / `G` | Jump to top / bottom |
+| `/` | Filter the focused pane |
+| `n` / `N` | New secret / new scope |
+| `e` · `d` | Edit secret · delete (with confirm) |
+| `p` | Manage scope permissions (ACLs) |
+| `space` · `c` | Reveal / hide value · copy value |
+| `r` / `R` | Refresh scope / workspace |
+| `a` | Authorization overview |
+| `w` · `ctrl+p` | Switch workspace · command palette |
+| `?` · `q` | Help · quit |
+
+## Security
+
+Isolinear talks to Databricks through the official SDK's unified auth. It does
+**not** store secret *values* — they're read on demand and kept only in memory.
+Saved profiles contain a host + `auth_type`, never a token. See
+[SECURITY.md](SECURITY.md) for details and how to report a vulnerability.
+
+## How it's built
+
+Hexagonal / DDD layers; dependencies point inward and **all I/O is behind domain
+ports**, so the UI never touches the SDK and the whole domain is unit-testable
+without a network:
+
+```
+isolinear/
+  domain/          model, rules + ports (SecretStore, WorkspaceConnector, ProfileStore)
+  application/     use-cases (WorkspaceService, OnboardingService) + read model
+  infrastructure/  adapters — the only Databricks-SDK importers
+  interface/       Textual presentation (no business logic, no infra)
+  app.py           composition root
+```
+
+## Contributing
+
+Issues and PRs welcome — see [CONTRIBUTING.md](CONTRIBUTING.md). The toolkit is
+all-[Astral](https://astral.sh): **uv** (env/deps/run), **ruff** (lint+format),
+**ty** (types).
+
+```sh
+uv sync
+uv run pytest        # tests (core units + UI via Textual Pilot)
+uv run ruff check .  # lint
+uv run ty check      # types
+uv run isolinear     # run it
+```
+
+## License
+
+[MIT](LICENSE) © Misja Pronk

isolinear-0.1.0/SECURITY.md

@@ -0,0 +1,32 @@
+# Security Policy
+
+## How Isolinear handles secrets
+
+- **Secret values are never persisted.** They're read on demand via the
+  Databricks SDK (`get_secret`) and held only in memory for the current session.
+- **Reveal is lazy.** Values are fetched only when you explicitly reveal or copy
+  one — they are not bulk-pulled during the startup cache warm.
+- **Saved profiles store no secrets.** When you save a connection, Isolinear
+  writes only a `host` and `auth_type = external-browser` to `~/.databrickscfg`
+  (the same thing `databricks auth login` does). Authentication is delegated to
+  the Databricks SDK's unified auth / OAuth token cache.
+- **The SDK boundary is isolated.** Only the `infrastructure/` layer touches the
+  Databricks SDK or the network.
+
+Copying a value places it on your system clipboard — clear it afterwards if you
+share your machine.
+
+## Supported versions
+
+The latest released version on PyPI is supported. Please upgrade before
+reporting an issue.
+
+## Reporting a vulnerability
+
+Please report security issues **privately**:
+
+- Open a [GitHub Security Advisory](https://github.com/misja-pronk/isolinear/security/advisories/new), or
+- email **misja@prorexconsultancy.nl**.
+
+Do not open a public issue for security reports. You'll get an acknowledgement
+as soon as possible, and we'll coordinate a fix and disclosure with you.

isolinear-0.1.0/docs/USER_STORIES.md

@@ -0,0 +1,63 @@
+# Isolinear — Databricks Secret Manager · User Stories
+
+A keyboard-driven terminal app for managing Databricks secrets. Superfile-inspired
+multi-pane layout with its own distinct "Isolinear" theme. Built with Python, Textual,
+and the Databricks SDK.
+
+> **Workspace** in this app = a connection profile in `~/.databrickscfg`.
+
+---
+
+## Epic 1 — Workspace connection & navigation
+| ID | Story | Acceptance |
+|----|-------|-----------|
+| US-1 | See all configured workspaces (profiles) and pick one. | Profiles parsed from `~/.databrickscfg`; host shown; selectable on the login hub. |
+| US-1a | Sign in with a workspace URL when no profile exists. | Paste host → OAuth U2M browser login (`auth_type=external-browser`); no token. |
+| US-1b | Discover workspaces via the account (AWS/Azure/GCP). | Pick cloud + account ID → account OAuth → `workspaces.list()` → pick → `get_workspace_client`. |
+| US-1c | Persist a login as a reusable profile. | Optional "save as" writes host+auth_type to `~/.databrickscfg`; instant next launch. |
+| US-2 | Connection verified; shows authenticated identity. | `current_user.me()` resolved; username + status shown. |
+| US-3 | Switch workspaces without restarting. | `w` opens the login hub; switching re-warms cache for new workspace. |
+
+## Epic 2 — Browsing scopes & secrets
+| ID | Story | Acceptance |
+|----|-------|-----------|
+| US-4 | Browse all scopes with backend type. | Scopes list shows `DATABRICKS` vs `AZURE_KEYVAULT`. |
+| US-5 | Browse secret keys in a scope with timestamps. | Keys + last-updated shown for selected scope. |
+| US-6 | Detail panel for selected secret/scope. | Right pane shows metadata + ACLs. |
+
+## Epic 3 — Secret operations (CRUD)
+| ID | Story | Acceptance |
+|----|-------|-----------|
+| US-7 | Create a secret (key + value) in a scope. | `put_secret`; cache + list update. |
+| US-8 | Update an existing secret's value. | `put_secret` on existing key; timestamp refreshes. |
+| US-9 | Delete a secret with confirmation. | Confirm modal; `delete_secret`; row removed. |
+| US-10 | Reveal & copy a secret value. | `get_secret`; reveal toggle; copy to clipboard. |
+| US-11 | Create & delete scopes. | `create_scope` / `delete_scope` with confirm. |
+| US-11a | Update a scope's permissions (ACLs). | `p` opens a permissions editor; `put_acl` / `delete_acl` (a scope is otherwise immutable). |
+
+## Epic 4 — Authorization overview
+| ID | Story | Acceptance |
+|----|-------|-----------|
+| US-12 | See & edit ACLs (principal + permission) per scope. | `list_acls` in detail pane; full add/change/remove via the `p` editor. |
+| US-13 | Authorization status overview. | My identity + my effective permission per scope; write-capable flagged. |
+
+## Epic 5 — Performance & UX (caching / pre-call)
+| ID | Story | Acceptance |
+|----|-------|-----------|
+| US-14 | Pre-load scopes, secret metadata, ACLs on startup. | Background worker warms cache; progress shown. |
+| US-15 | Refresh cache on demand. | `r` refreshes scope; `R` refreshes workspace. |
+| US-16 | Lazy + cached secret values. | Values fetched only on reveal; cached thereafter. |
+
+## Epic 6 — Look & feel
+| ID | Story | Acceptance |
+|----|-------|-----------|
+| US-17 | Distinct "Isolinear" theme. | Violet-cyber LCARS palette, isolinear-chip motif, multi-pane. |
+| US-18 | Keyboard-driven with footer + help overlay. | Footer bindings; `?` help screen. |
+
+---
+
+## Out of scope (v1 / future)
+- Account-level workspace enumeration (requires account auth).
+- Secret value history / versioning (not exposed by the API).
+- Bulk import/export of secrets.
+- Renaming a scope (immutable in the Databricks API — delete + recreate).