Improve apps logs streaming helpers

[ericfeunekes]

Changes

• Add the databricks apps logs NAME command, including tail/follow/search/source/output-file flags wired via cmdgroup, file mirroring with 0600 perms, and validation against apps that lack a public URL. (cmd/workspace/apps)
• Introduce the reusable libs/logstream helper with token refresh hooks, buffering, search/source filtering, structured error handling, context-driven deadlines, and a comprehensive unit suite so other commands can stream logs without bespoke WebSocket loops.
• Refactor databricks auth token to reuse auth.AcquireToken via the new libs/auth/token_loader.go, ensuring persistent auth options and timeouts stay centralized and fully covered by regression tests.

Why

This is a quality of life addition that allows the CLI to tail logs to the CLI. It hooks directly into the token acquisition module so that the tokens don't need to be managed separately.

Tests

• go test ./libs/logstream
• go test ./cmd/workspace/apps
• go test ./cmd/auth

[pkosiec]

Thank you @ericfeunekes for your contribution! The new app logs command is super helpful. I tested the changes and it works well 👍

Before merge, please take a look at my comments. I can help you implementing the changes if you'd like to - feel free to ping me anytime. Thanks!

[pkosiec]

If we already pass args.authArguments (which consists of Host and AccountID properties), perhaps it makes sense to:

• pass the whole struct args.authArguments as an input argument
• do oauthArgument, err := args.authArguments.ToOAuthArgument() inside the auth.AcquireToken()

In that way we'll reduce 3 input args to just one. Does it make sense?

[ericfeunekes]

auth.AcquireTokenRequest now carries the entire auth.AuthArguments struct and does the ToOAuthArgument conversion internally, so CLI callers don’t need to juggle host/account IDs or duplicate that logic. cmd/auth token and the new apps logs command just pass the struct plus profile/timeout metadata.

[pkosiec]

If I understood correctly, this test verifies those 3 lines:

allOpts := append([]u2m.PersistentAuthOption{}, req.PersistentAuthOpts...)
allOpts = append(allOpts, u2m.WithOAuthArgument(req.OAuthArgument))
persistentAuth, err := u2m.NewPersistentAuth(ctx, allOpts...)

Is that correct? So it effectively tests the AcquireToken function, and just that specific part. I'm not really sure if there's enough value in such separate unit test 🤔 I'll ask for a second opinion, but for now we can keep it, however let's move it to libs/auth/token_loader_test.go 👍

[pkosiec]

Shouldn't we move the loadToken tests to libs/auth/token_loader_test.go, and keep just a single happy path for the loadToken itself? Now the core logic is in the AcquireToken and basically that's what the loadToken unit tests test.

[pkosiec]

I'm not sure if this is the best place to have this skill definition - what do you think about moving it to .claude/skills/logstream.md?

Also, do you have any use case for the CLI that could use your skill? I'm wondering if we need it at all 🤔

[pkosiec]

I think the comment above was missed, please move this file to .claude/skills/logstream.md 🙏

[pkosiec]

(As noted in the first comment, once it is applied, this would be moved to the auth.AcquireTokenRequest)

[pkosiec]

Could you define consts for the error codes please?

[pkosiec]

Please add 5*time.Second to consts 👍

[pkosiec]

Can we split the Run and consume methods to increase readability please? 🙏

[pkosiec]

The refactoring (splitting the method to multiple ones) would be helpful as then we could follow the best practices and add defer conn.Close() right after a successful connection:

        conn, resp, err := s.dialer.DialContext(ctx, s.url, headers)
		if err != nil {
			// err handling
		}
        defer conn.Close() // <-- here

and also, within the same function, we could move the goroutine:

	go func() {
		select {
		case <-ctx.Done():
			_ = conn.WriteControl(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, "context canceled"), time.Now().Add(time.Second))
			_ = conn.Close()
		case <-closeCh:
		}
	}()

[pkosiec]

Also, currently the connection is closed two times and in case of timeouted context, second call would return an error (connection already closed). Could we use sync.Once to solve it?

[pkosiec]

I'd add a comment that this method isn't thread-safe, just to make sure no one runs a single logStreamer instance concurrently 👍

[ericfeunekes]

@pkosiec I think I've addressed each of your issues and tried to keep them on separate commits to make it easier to review

[pkosiec]

Thanks a lot for implementing the comments, including the logs color formatting!

We're almost there - I put some minor comments. There's one small issue with -f and -tail-lines flags, but other than that I don't see any major blockers 👍

[pkosiec]

Those are moved tests from the token_test.go, correct? Could you please keep them defined as table tests? It's much easier to maintain such cases in table test format. Thanks!

[pkosiec]

If I understand correctly, this is defined purely for a single unit test that checks if the PersistentAuthOpts aren't mutated, correct?

I'd get rid of this as we don't need to do that. Please check my next comment for more details 👍

[pkosiec]

I'd just skip that part, and use the mockOAuthEndpointSupplier, and then check the length of the opts, without counting the calls etc. 👍 No need for it IMO.

[pkosiec]

I think the comment above was missed, please move this file to .claude/skills/logstream.md 🙏

[pkosiec]

Suggested change

	const handshakeErrorBodyLimit = 4 * 1024
	const defaultUserAgent = "databricks-cli logstream"
	const initialReconnectBackoff = 200 * time.Millisecond
	const maxReconnectBackoff = 5 * time.Second
	const closeCodeUnauthorized = 4401
	const closeCodeForbidden = 4403
	const (
	handshakeErrorBodyLimit = 4 * 1024
	defaultUserAgent = "databricks-cli logstream"
	initialReconnectBackoff = 200 * time.Millisecond
	maxReconnectBackoff = 5 * time.Second
	closeCodeUnauthorized = 4401
	closeCodeForbidden = 4403
	)

[pkosiec]

We stop the timer immediately in the next line - shouldn't we have just var timer time.Timer?

[pkosiec]

Do I understand correctly that we don't need to do that as the stopWatch will close the connection? If so, then we can remove that line (that was my original intention of one of the previous comments - ensure the connection is closed only once)

[pkosiec]

nit (for later): Later (in a follow-up PR) we could move tailBuffer, formatting-related helpers to separate files. But let's do that later 👍

[pkosiec]

those functions look super similar, can't we have just one, stopTimer? resetTimer is called only once and it could use stopTimer with another line timer.Reset(d).

[pkosiec]

Apologies, I know I put a comment to add the command as a part of the file but now I realized it is generated from API files in one of our internal repositories.

Could we please revert the changes in ffe6e3d? 🙏 I can do that, if you'd like to 👍 Thank you!

(For a later follow-up PR)
@fjakobs @pietern The /logz and /logz/stream endpoints don't seem to be part of the public API. Should we keep it as it is (after the revert of the mentioned commit) or should I include the endpoints in our proto files in the universe repo?

[pietern]

You can move this into overrides.go in the same directory.

See cmdOverrides.

[pietern]

@pkosiec The endpoints are not public APIs at the platform level, they are specific to the apps runtime.

That's why they are not documented in the platform level API docs.

[pietern]

Hi @ericfeunekes, thanks for the PR!

The token changes (cmd/auth/token_* and libs/auth/token_*) are not necessary. You can use the TokenSource function on the SDK configuration directly to get a fresh OAuth token. I confirmed that the following patch works: https://gist.github.com/pietern/41d02acc2907416244789c7408fb232f

Please move logstream to libs/apps to make it clearer that it is specific to apps.

[pietern]

You can move this into overrides.go in the same directory.

See cmdOverrides.

[pietern]

Btw, when I stop an app during tail, the logs command doesn't stop or error.

[pietern]

@ericfeunekes I forgot an important detail in the previous message.

Contributing to CLI requires a signed CLA, if that's something you're willing to do, please reach out with a request to sign CLA to [email protected] and we will take it from there.

Thanks!

[github-actions]

An authorized user can trigger integration tests manually by following the instructions below:

Trigger:
go/deco-tests-run/cli

Inputs:

• PR number: 3908
• Commit SHA: ce50048dcd5743ec1931ccc58c4666669ee24245

Checks will be approved automatically on success.