docs(AppKit): document Files plugin policy API#71
Merged
Conversation
atilafassina
force-pushed
the
appkit-files-policy
branch
from
fc1a3fe to
369050a
Compare
Update the Files skill reference for AppKit v0.21.0+ per-volume policy enforcement (PR databricks/appkit#197): - Add Permission Model section explaining the three layers (UC grants, execution identity, file policies) - Add Access Policies section with built-ins, combinators, custom policies, and policy-input types - Fix HTTP Routes intro: routes always run as service principal, user identity comes from x-forwarded-user and is passed to the policy (not asUser(req)) - Reframe Server-Side API: asUser(req) switches policy identity, not UC credentials - Refresh troubleshooting with policy-related errors and the default-publicRead() write-denial gotcha Co-authored-by: Isaac
Align with the jobs.md/lakebase.md style: keep gotchas and idioms in-skill, push encyclopedic reference to `npx @databricks/appkit docs`. - Flatten Access Policies subsections (5 H3s → 0) - Drop Policy inputs types block (duplicate of upstream `## Types`) - Drop standalone SP-bypass snippet (mention inline instead) - Inline Execution defaults table as a single sentence in Server-Side API - Drop full HTTP Routes table; keep the 403/security gotchas - Add `npx @databricks/appkit docs` pointers from each trimmed section (defer-to-docs count: 2 → 5, matching jobs.md) Net effect: 410 → 346 lines (-15%); the policy concepts and HTTP-route execution model stay, the redundant tables go. Co-authored-by: Isaac
atilafassina
force-pushed
the
appkit-files-policy
branch
from
369050a to
2663a7d
Compare
The skill described pre-OBO behavior for `asUser(req)` and HTTP routes. Per the current source (appkit v0.36.0, JSDoc on `VolumeHandle.asUser` explicitly flags this as a behavior change): - `asUser(req)` is now a hard override that wraps the call in `runInUserContext`; the SDK call runs as the end user, not just the policy identity. - Per-volume `auth: "service-principal" | "on-behalf-of-user"` controls execution identity for HTTP routes too — they don't always run as SP. Updates: - Permission Model: rewrite layer 2 (execution identity) around the `auth` field; clarify UC-grants behavior on SP vs OBO volumes. - Configuration example: add `auth` per-volume option and resolution order. - Server-Side API: rewrite `asUser(req)` semantics to describe SDK-call override; document production-vs-dev fallback. - HTTP Routes: replace "always run as SP" with the `auth`-based model; describe `/raw` attachment-forcing as an allowlist (images, plain text, CSV, markdown, JSON, PDF), not a denylist of HTML/JS/SVG. - `user_api_scopes` Note: required for OBO volumes too, not only `.asUser(req)` programmatic calls. - Typo fixes: `READ_ACTIONS`/`WRITE_ACTIONS` are `ReadonlySet<FileAction>` not `Set<FileAction>`; troubleshooting `Unknown volume "X"` (was `Unknown volume key "X"`). Co-authored-by: Isaac
pkosiec
approved these changes
Jun 3, 2026
There was a problem hiding this comment.
Pull request overview
Updates the AppKit Files reference documentation to reflect the current Files plugin policy model and related operational guidance, including new sections describing how access is evaluated and how to configure per-volume policies.
Changes:
- Adds new Permission Model and Access Policies documentation, including defaults and examples.
- Updates server-side/API and HTTP route guidance, plus troubleshooting entries related to policy enforcement.
- Refreshes assorted docs commands, configuration snippets, and formatting for clarity.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
publicRead,allowAll,denyAll), combinators (all,any,not), customFilePolicyshape, exported types, andPolicyDeniedErrorx-forwarded-userand is passed to the policy (not viaasUser(req))asUser(req)is described as switching the policy identity, not the UC credentialspublicRead()default-write-denial gotchaTest plan
python3 scripts/skills.py validatepasses@databricks/appkitv0.31.0 typesThis pull request and its description were written by Isaac.