docs(AppKit): document Files plugin policy API #71

Draft
atilafassina wants to merge 2 commits into main from appkit-files-policy

@atilafassina
Contributor

Summary

  • Updates the Files skill reference for AppKit v0.21.0+ per-volume policy enforcement (databricks/appkit#197)
  • Adds Permission Model + Access Policies sections covering built-ins (publicRead, allowAll, denyAll), combinators (all, any, not), custom FilePolicy shape, exported types, and PolicyDeniedError
  • Fixes a factually wrong HTTP Routes line — routes always run as the service principal; user identity comes from x-forwarded-user and is passed to the policy (not via asUser(req))
  • Reframes the Server-Side API section so asUser(req) is described as switching the policy identity, not the UC credentials
  • Refreshes the troubleshooting table with policy-related rows, including the publicRead() default-write-denial gotcha

Test plan

  • python3 scripts/skills.py validate passes
  • Skim rendered Markdown for the new Permission Model / Access Policies sections
  • Confirm policy snippets compile against @databricks/appkit v0.31.0 types

This pull request and its description were written by Isaac.
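
An added example, not part of this pull request or of AppKit's code: a small TypeScript model of the policy vocabulary in the summary above, showing why a `publicRead()` default denies writes and how composing it with a custom policy restores them. The policy signature, the action names, the `ownPrefix` policy and the `decide` helper are assumptions for illustration; `npx @databricks/appkit docs` has the real types.

```typescript
// Model only: names follow the PR's vocabulary; every signature is an assumption.
type FileAction = "read" | "write" | "delete";
interface FileResource { volume: string; path: string }
interface PolicyUser { id: string | null } // null: no forwarded identity
type FilePolicy = (action: FileAction, res: FileResource, user: PolicyUser) => boolean;
type HeaderMap = Record<string, string | undefined>;

// Built-ins named in the PR description.
const allowAll = (): FilePolicy => () => true;
const denyAll = (): FilePolicy => () => false;
const publicRead = (): FilePolicy => (action) => action === "read";

// Combinators named in the PR description. Note all() with no arguments allows.
const all = (...ps: FilePolicy[]): FilePolicy => (a, r, u) => ps.every((p) => p(a, r, u));
const any = (...ps: FilePolicy[]): FilePolicy => (a, r, u) => ps.some((p) => p(a, r, u));
const not = (p: FilePolicy): FilePolicy => (a, r, u) => !p(a, r, u);

// Hypothetical custom policy: a user may act only under users/<id>/, and
// paths containing ".." are refused so the prefix check cannot be sidestepped.
const ownPrefix = (): FilePolicy => (_a, r, u) =>
  u.id !== null &&
  r.path.split("/").indexOf("..") === -1 &&
  r.path.indexOf(`users/${u.id}/`) === 0;

// The route runs with the service principal's credentials either way; the
// x-forwarded-user header only selects the identity handed to the policy.
function userFromHeaders(headers: HeaderMap): PolicyUser {
  const raw = (headers["x-forwarded-user"] || "").trim();
  return { id: raw === "" ? null : raw };
}

function decide(policy: FilePolicy, action: FileAction, res: FileResource,
                headers: HeaderMap): boolean {
  return policy(action, res, userFromHeaders(headers));
}

// Constructed sample input.
const alice: HeaderMap = { "x-forwarded-user": "alice" };
const report: FileResource = { volume: "uploads", path: "users/alice/report.csv" };
const readOnly = publicRead(); // writes are denied under this policy
const readPlusOwnWrites = any(publicRead(), ownPrefix());
```

Because the policy's notion of "who" comes from a request header in this model, the decision is only as trustworthy as the proxy that sets `x-forwarded-user`.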

Update the Files skill reference for AppKit v0.21.0+ per-volume
policy enforcement (PR databricks/appkit#197):

- Add Permission Model section explaining the three layers
  (UC grants, execution identity, file policies)
- Add Access Policies section with built-ins, combinators,
  custom policies, and policy-input types
- Fix HTTP Routes intro: routes always run as service principal,
  user identity comes from x-forwarded-user and is passed to
  the policy (not asUser(req))
- Reframe Server-Side API: asUser(req) switches policy identity,
  not UC credentials
- Refresh troubleshooting with policy-related errors and the
  default-publicRead() write-denial gotcha

Co-authored-by: Isaac

Align with the jobs.md/lakebase.md style: keep gotchas and idioms
in-skill, push encyclopedic reference to `npx @databricks/appkit docs`.

- Flatten Access Policies subsections (5 H3s → 0)
- Drop Policy inputs types block (duplicate of upstream `## Types`)
- Drop standalone SP-bypass snippet (mention inline instead)
- Inline Execution defaults table as a single sentence in
  Server-Side API
- Drop full HTTP Routes table; keep the 403/security gotchas
- Add `npx @databricks/appkit docs` pointers from each trimmed
  section (defer-to-docs count: 2 → 5, matching jobs.md)

Net effect: 410 → 346 lines (-15%); the policy concepts and
HTTP-route execution model stay, the redundant tables go.

Co-authored-by: Isaac