Improve errors for workspace commands against account console hosts

[simonfaltum]

Why

Profiles that point at a classic account console host (https://accounts.cloud.databricks.com and friends) only serve account-level APIs. When users run workspace commands against such a profile, the console returns junk and the CLI surfaces it as-is: databricks jobs list fails with "Error: received HTML response instead of JSON", and other paths return a bare HTTP 400 with "Unable to load OAuth Config". Nothing tells the user the host is the problem.

Worse, the existing account-only profile error said "Edit the profile to set workspace_id to a real ID", which can never work on an account console host (it serves no workspace APIs) and is exactly how the broken profiles in the linked issue were created.

These failure shapes are unstructured (HTML pages, bare-string bodies, no error codes), so there is no reliable way to detect "this API is not available here" from the response. Instead, the CLI now adds context based on what it does know: the command operates against a workspace, and the host is an account console host.

Relates to #5479

Changes

Before, workspace commands against an account console host failed with raw junk errors and misleading advice; now the CLI explains the host mismatch and points to a fix.

1. Failure-time hint: when a command fails and a workspace client was configured on the command context and the host is a classic account console host, cmd/root.Execute appends a note via the new auth.AppendAccountHostHint:

   Note: profile "acc" points to a Databricks account console host (https://accounts.cloud.databricks.com), which serves only account-level APIs.
   Workspace commands need a workspace host: run `databricks auth login --host https://<workspace-url>`, or use `databricks account ...` commands with this profile
   

   The note fires for any error from such commands (workspace commands can never succeed against these hosts today), composes with the existing 401/403 enrichment, and stays silent for databricks account ... commands, auth commands, and anything that did not configure a workspace client. Adds cmdctx.HasWorkspaceClient as the non-panicking lookup.

2. Host-aware ErrAccountOnlyProfile: the error now carries the profile's canonical host. For account console hosts it says the host serves only account-level APIs and suggests databricks auth login --host https://<workspace-url> or databricks account ... commands, instead of the impossible "set workspace_id to a real ID" advice. Other hosts (SPOG/unified) keep the existing wording, and MustAnyClient still matches the type to fall through to the account client.

Test plan

• Unit tests for both AppendAccountHostHint message variants (profile and no profile), the non-account-host and empty-host passthroughs, error chain preservation, and composition with EnrichAuthError (libs/auth)
• Table-driven trigger tests through Execute: hint fires for workspace client + account console host; stays silent for workspace host, account client, and no client (cmd/root)
• Unit tests for both ErrAccountOnlyProfile message variants and host plumb-through via workspaceClientOrPrompt, plus the existing MustAnyClient fall-through test still passes (cmd/root)
• go test ./cmd/root/... ./libs/auth/... ./libs/cmdctx/...
• ./task fmt-q, ./task lint-q, ./task checks
• Manual smoke test with a fake .databrickscfg: verified the note on jobs list, the new account-only message, and no note on account groups list

No acceptance tests: the hint path needs a live workspace client against a real accounts.* host, and real domains are forbidden in fixtures; unit coverage exercises the same seams.

This pull request and its description were written by Isaac.

[github-actions]

Approval status: pending

/cmd/root/ - needs approval

4 files changed
Suggested: @mihaimitrea-db
Also eligible: @tanmay-db, @renaudhartert-db, @hectorcast-db, @parthban-db, @Divyansh-db, @tejaskochar-db, @chrisst, @rauchy

/libs/auth/ - needs approval

Files: libs/auth/error.go, libs/auth/error_test.go
Suggested: @mihaimitrea-db
Also eligible: @tanmay-db, @renaudhartert-db, @hectorcast-db, @parthban-db, @Divyansh-db, @tejaskochar-db, @chrisst, @rauchy

General files (require maintainer)

Files: NEXT_CHANGELOG.md, libs/cmdctx/workspace_client.go, libs/cmdctx/workspace_client_test.go
Based on git history:

• @pietern -- recent work in cmd/root/, ./, libs/cmdctx/

_{Any maintainer (@andrewnester, @anton-107, @denik, @pietern, @shreyas-goenka, @renaudhartert-db) can approve all areas.
See OWNERS for ownership rules.}

[eng-dev-ecosystem-bot]

Commit: 3e9ccd8

Run: 27233541638

	Env	🟨​KNOWN	🔄​flaky	💚​RECOVERED	🙈​SKIP	✅​pass	🙈​skip	Time
🟨​	aws linux	7			15	261	928	8:20
🟨​	aws windows	7			15	263	926	17:03
💚​	aws-ucws linux			7	15	357	842	8:38
💚​	aws-ucws windows			7	15	359	840	12:17
💚​	azure linux			1	17	264	926	8:29
💚​	azure windows			1	17	266	924	11:29
💚​	azure-ucws linux			1	17	362	838	9:03
🔄​	azure-ucws windows		1	1	17	363	836	15:33
💚​	gcp linux			1	17	260	929	8:38
💚​	gcp windows			1	17	262	927	11:08

23 interesting tests: 15 SKIP, 7 KNOWN, 1 flaky

	Test Name	aws linux	aws windows	aws-ucws linux	aws-ucws windows	azure linux	azure windows	azure-ucws linux	azure-ucws windows	gcp linux	gcp windows
🟨​	TestAccept	🟨​K	🟨​K	💚​R	💚​R	💚​R	💚​R	💚​R	💚​R	💚​R	💚​R
🙈​	TestAccept/bundle/invariant/no_drift	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/permissions	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🟨​	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions	🟨​K	🟨​K	💚​R	💚​R	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🟨​	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=direct	🟨​K	🟨​K	💚​R	💚​R
🟨​	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=terraform	🟨​K	🟨​K	💚​R	💚​R
🟨​	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions	🟨​K	🟨​K	💚​R	💚​R	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🟨​	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=direct	🟨​K	🟨​K	💚​R	💚​R
🟨​	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=terraform	🟨​K	🟨​K	💚​R	💚​R
🙈​	TestAccept/bundle/resources/postgres_branches/basic	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/postgres_branches/recreate	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/postgres_branches/replace_existing	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/postgres_branches/update_protected	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/postgres_branches/without_branch_id	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/postgres_endpoints/basic	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/postgres_endpoints/recreate	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/postgres_projects/update_display_name	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/synced_database_tables/basic	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/vector_search_endpoints/drift/recreated_same_name	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/vector_search_indexes/basic	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/vector_search_indexes/grants/select	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/ssh/connection	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🔄​	TestSyncIncrementalFileOverwritesFolder	✅​p	✅​p	✅​p	✅​p	✅​p	✅​p	✅​p	🔄​f	✅​p	✅​p

Top 29 slowest tests (at least 2 minutes):

duration	env	testname
6:09	azure-ucws windows	TestAccept
5:52	azure windows	TestAccept
5:51	gcp windows	TestAccept
5:09	gcp linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
5:00	aws-ucws windows	TestAccept
4:40	gcp linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
4:15	gcp windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:46	gcp windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:43	azure-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:33	aws-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:26	azure linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:18	azure windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:16	azure-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:15	aws-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:13	aws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:13	azure linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:10	aws-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:09	azure-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:05	azure windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:56	azure linux	TestAccept
2:52	gcp linux	TestAccept
2:47	aws-ucws linux	TestAccept
2:47	aws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:46	azure-ucws linux	TestAccept
2:45	aws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:44	azure-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:32	aws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:27	aws-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:18	azure-ucws windows	TestAccept/bundle/deploy/files/no-snapshot-sync/DATABRICKS_BUNDLE_ENGINE=terraform