databricks · bbqiu · Feb 2, 2026 · Jan 27, 2026 · Jan 27, 2026 · Jan 28, 2026
diff --git a/.claude/skills/add-tools-langgraph/SKILL.md b/.claude/skills/add-tools-langgraph/SKILL.md
@@ -0,0 +1,104 @@
+---
+name: add-tools
+description: "Add tools to your agent and grant required permissions in databricks.yml. Use when: (1) Adding MCP servers, Genie spaces, vector search, or UC functions to agent, (2) Permission errors at runtime, (3) User says 'add tool', 'connect to', 'grant permission', (4) Configuring databricks.yml resources."
+---
+
+# Add Tools & Grant Permissions
+
+**After adding any MCP server to your agent, you MUST grant the app access in `databricks.yml`.**
+
+Without this, you'll get permission errors when the agent tries to use the resource.
+
+## Workflow
+
+**Step 1:** Add MCP server in `agent_server/agent.py`:
+```python
+from databricks_langchain import DatabricksMCPServer, DatabricksMultiServerMCPClient
+
+genie_server = DatabricksMCPServer(
+    url=f"{host}/api/2.0/mcp/genie/01234567-89ab-cdef",
+    name="my genie space",
+)
+
+mcp_client = DatabricksMultiServerMCPClient([genie_server])
+tools = await mcp_client.get_tools()
+```
+
+**Step 2:** Grant access in `databricks.yml`:
+```yaml
+resources:
+  apps:
+    agent_langgraph:
+      resources:
+        - name: 'my_genie_space'
+          genie_space:
+            name: 'My Genie Space'
+            space_id: '01234567-89ab-cdef'
+            permission: 'CAN_RUN'
+```
+
+**Step 3:** Deploy and run:
+```bash
+databricks bundle deploy
+databricks bundle run agent_langgraph  # Required to start app with new code!
+```
+
+See **deploy** skill for more details.
+
+## Resource Type Examples
+
+See the `examples/` directory for complete YAML snippets:
+
+| File | Resource Type | When to Use |
+|------|--------------|-------------|
+| `uc-function.yaml` | Unity Catalog function | UC functions via MCP |
+| `uc-connection.yaml` | UC connection | External MCP servers |
+| `vector-search.yaml` | Vector search index | RAG applications |
+| `sql-warehouse.yaml` | SQL warehouse | SQL execution |
+| `serving-endpoint.yaml` | Model serving endpoint | Model inference |
+| `genie-space.yaml` | Genie space | Natural language data |
+| `lakebase.yaml` | Lakebase database | Agent memory storage |
+| `experiment.yaml` | MLflow experiment | Tracing (already configured) |
+| `custom-mcp-server.md` | Custom MCP apps | Apps starting with `mcp-*` |
+
+## Custom MCP Servers (Databricks Apps)
+
+Apps are **not yet supported** as resource dependencies in `databricks.yml`. Manual permission grant required:
+
+**Step 1:** Get your agent app's service principal:
+```bash
+databricks apps get <your-agent-app-name> --output json | jq -r '.service_principal_name'
+```
+
+**Step 2:** Grant permission on the MCP server app:
+```bash
+databricks apps update-permissions <mcp-server-app-name> \
+  --service-principal <agent-app-service-principal> \
+  --permission-level CAN_USE
+```
+
+See `examples/custom-mcp-server.md` for detailed steps.
+
+## valueFrom Pattern (for app.yaml)
+
+**IMPORTANT**: Make sure all `valueFrom` references in `app.yaml` reference an existing key in the `databricks.yml` file. 
+Some resources need environment variables in your app. Use `valueFrom` in `app.yaml` to reference resources defined in `databricks.yml`:
+
+```yaml
+# app.yaml
+env:
+  - name: MLFLOW_EXPERIMENT_ID
+    valueFrom: "experiment"        # References resources.apps.<app>.resources[name='experiment']
+  - name: LAKEBASE_INSTANCE_NAME
+    valueFrom: "database"   # References resources.apps.<app>.resources[name='database']
+```
+
+**Critical:** Every `valueFrom` value must match a `name` field in `databricks.yml` resources.
+
+## Important Notes
+
+- **MLflow experiment**: Already configured in template, no action needed
+- **Multiple resources**: Add multiple entries under `resources:` list
+- **Permission types vary**: Each resource type has specific permission values
+- **Deploy + Run after changes**: Run both `databricks bundle deploy` AND `databricks bundle run agent_langgraph`
+- **valueFrom matching**: Ensure `app.yaml` `valueFrom` values match `databricks.yml` resource `name` values
diff --git a/.claude/skills/add-tools-langgraph/examples/custom-mcp-server.md b/.claude/skills/add-tools-langgraph/examples/custom-mcp-server.md
@@ -0,0 +1,57 @@
+# Custom MCP Server (Databricks App)
+
+Custom MCP servers are Databricks Apps with names starting with `mcp-*`.
+
+**Apps are not yet supported as resource dependencies in `databricks.yml`**, so manual permission grant is required.
+
+## Steps
+
+### 1. Add MCP server in `agent_server/agent.py`
+
+```python
+from databricks_langchain import DatabricksMCPServer, DatabricksMultiServerMCPClient
+
+custom_mcp = DatabricksMCPServer(
+    url="https://mcp-my-server.cloud.databricks.com/mcp",
+    name="my custom mcp server",
+)
+
+mcp_client = DatabricksMultiServerMCPClient([custom_mcp])
+tools = await mcp_client.get_tools()
+```
+
+### 2. Deploy your agent app first
+
+```bash
+databricks bundle deploy
+databricks bundle run agent_langgraph
+```
+
+### 3. Get your agent app's service principal
+
+```bash
+databricks apps get <your-agent-app-name> --output json | jq -r '.service_principal_name'
+```
+
+Example output: `sp-abc123-def456`
+
+### 4. Grant permission on the MCP server app
+
+```bash
+databricks apps update-permissions <mcp-server-app-name> \
+  --service-principal <agent-app-service-principal> \
+  --permission-level CAN_USE
+```
+
+Example:
+```bash
+databricks apps update-permissions mcp-my-server \
+  --service-principal sp-abc123-def456 \
+  --permission-level CAN_USE
+```
+
+## Notes
+
+- This manual step is required each time you connect to a new custom MCP server
+- The permission grant persists across deployments
+- If you redeploy the agent app with a new service principal, you'll need to grant permissions again
diff --git a/.claude/skills/add-tools-langgraph/examples/experiment.yaml b/.claude/skills/add-tools-langgraph/examples/experiment.yaml
@@ -0,0 +1,8 @@
+# MLflow Experiment
+# Use for: Tracing and model logging
+# Note: Already configured in template's databricks.yml
+
+- name: 'my_experiment'
+  experiment:
+    experiment_id: '12349876'
+    permission: 'CAN_MANAGE'
diff --git a/.claude/skills/add-tools-langgraph/examples/genie-space.yaml b/.claude/skills/add-tools-langgraph/examples/genie-space.yaml
@@ -0,0 +1,9 @@
+# Genie Space
+# Use for: Natural language interface to data
+# MCP URL: {host}/api/2.0/mcp/genie/{space_id}
+
+- name: 'my_genie_space'
+  genie_space:
+    name: 'My Genie Space'
+    space_id: '01234567-89ab-cdef'
+    permission: 'CAN_RUN'
diff --git a/.claude/skills/add-tools-langgraph/examples/lakebase.yaml b/.claude/skills/add-tools-langgraph/examples/lakebase.yaml
@@ -0,0 +1,18 @@
+# Lakebase Database (for agent memory)
+# Use for: Long-term memory storage via AsyncDatabricksStore
+# Requires: valueFrom reference in app.yaml
+
+# In databricks.yml - add to resources.apps.<app>.resources:
+- name: 'database'
+  database:
+    instance_name: '<your-lakebase-instance-name>'
+    database_name: 'postgres'
+    permission: 'CAN_CONNECT_AND_CREATE'
+
+# In app.yaml - add to env:
+# - name: LAKEBASE_INSTANCE_NAME
+#   valueFrom: "database"
+# - name: EMBEDDING_ENDPOINT
+#   value: "databricks-gte-large-en"
+# - name: EMBEDDING_DIMS
+#   value: "1024"
diff --git a/.claude/skills/add-tools-langgraph/examples/serving-endpoint.yaml b/.claude/skills/add-tools-langgraph/examples/serving-endpoint.yaml
@@ -0,0 +1,7 @@
+# Model Serving Endpoint
+# Use for: Model inference endpoints
+
+- name: 'my_endpoint'
+  serving_endpoint:
+    name: 'my_endpoint'
+    permission: 'CAN_QUERY'
diff --git a/.claude/skills/add-tools-langgraph/examples/sql-warehouse.yaml b/.claude/skills/add-tools-langgraph/examples/sql-warehouse.yaml
@@ -0,0 +1,7 @@
+# SQL Warehouse
+# Use for: SQL query execution
+
+- name: 'my_warehouse'
+  sql_warehouse:
+    sql_warehouse_id: 'abc123def456'
+    permission: 'CAN_USE'
diff --git a/.claude/skills/add-tools-langgraph/examples/uc-connection.yaml b/.claude/skills/add-tools-langgraph/examples/uc-connection.yaml
@@ -0,0 +1,9 @@
+# Unity Catalog Connection
+# Use for: External MCP servers via UC connections
+# MCP URL: {host}/api/2.0/mcp/external/{connection_name}
+
+- name: 'my_connection'
+  uc_securable:
+    securable_full_name: 'my-connection-name'
+    securable_type: 'CONNECTION'
+    permission: 'USE_CONNECTION'
diff --git a/.claude/skills/add-tools-langgraph/examples/uc-function.yaml b/.claude/skills/add-tools-langgraph/examples/uc-function.yaml
@@ -0,0 +1,9 @@
+# Unity Catalog Function
+# Use for: UC functions accessed via MCP server
+# MCP URL: {host}/api/2.0/mcp/functions/{catalog}/{schema}/{function_name}
+
+- name: 'my_uc_function'
+  uc_securable:
+    securable_full_name: 'catalog.schema.function_name'
+    securable_type: 'FUNCTION'
+    permission: 'EXECUTE'
diff --git a/.claude/skills/add-tools-langgraph/examples/vector-search.yaml b/.claude/skills/add-tools-langgraph/examples/vector-search.yaml
@@ -0,0 +1,9 @@
+# Vector Search Index
+# Use for: RAG applications with unstructured data
+# MCP URL: {host}/api/2.0/mcp/vector-search/{catalog}/{schema}/{index_name}
+
+- name: 'my_vector_index'
+  uc_securable:
+    securable_full_name: 'catalog.schema.index_name'
+    securable_type: 'TABLE'
+    permission: 'SELECT'
diff --git a/.claude/skills/add-tools-openai/SKILL.md b/.claude/skills/add-tools-openai/SKILL.md
@@ -0,0 +1,83 @@
+---
+name: add-tools
+description: "Add tools to your agent and grant required permissions in databricks.yml. Use when: (1) Adding MCP servers, Genie spaces, vector search, or UC functions to agent, (2) Permission errors at runtime, (3) User says 'add tool', 'connect to', 'grant permission', (4) Configuring databricks.yml resources."
+---
+
+# Add Tools & Grant Permissions
+
+**After adding any MCP server to your agent, you MUST grant the app access in `databricks.yml`.**
+
+Without this, you'll get permission errors when the agent tries to use the resource.
+
+## Workflow
+
+**Step 1:** Add MCP server in `agent_server/agent.py`:
+```python
+from databricks_openai.agents import McpServer
+
+genie_server = McpServer(
+    url=f"{host}/api/2.0/mcp/genie/01234567-89ab-cdef",
+    name="my genie space",
+)
+
+agent = Agent(
+    name="my agent",
+    model="databricks-claude-3-7-sonnet",
+    mcp_servers=[genie_server],
+)
+```
+
+**Step 2:** Grant access in `databricks.yml`:
+```yaml
+resources:
+  apps:
+    agent_openai_agents_sdk:
+      resources:
+        - name: 'my_genie_space'
+          genie_space:
+            name: 'My Genie Space'
+            space_id: '01234567-89ab-cdef'
+            permission: 'CAN_RUN'
+```
+
+**Step 3:** Deploy with `databricks bundle deploy` (see **deploy** skill)
+
+## Resource Type Examples
+
+See the `examples/` directory for complete YAML snippets:
+
+| File | Resource Type | When to Use |
+|------|--------------|-------------|
+| `uc-function.yaml` | Unity Catalog function | UC functions via MCP |
+| `uc-connection.yaml` | UC connection | External MCP servers |
+| `vector-search.yaml` | Vector search index | RAG applications |
+| `sql-warehouse.yaml` | SQL warehouse | SQL execution |
+| `serving-endpoint.yaml` | Model serving endpoint | Model inference |
+| `genie-space.yaml` | Genie space | Natural language data |
+| `experiment.yaml` | MLflow experiment | Tracing (already configured) |
+| `custom-mcp-server.md` | Custom MCP apps | Apps starting with `mcp-*` |
+
+## Custom MCP Servers (Databricks Apps)
+
+Apps are **not yet supported** as resource dependencies in `databricks.yml`. Manual permission grant required:
+
+**Step 1:** Get your agent app's service principal:
+```bash
+databricks apps get <your-agent-app-name> --output json | jq -r '.service_principal_name'
+```
+
+**Step 2:** Grant permission on the MCP server app:
+```bash
+databricks apps update-permissions <mcp-server-app-name> \
+  --service-principal <agent-app-service-principal> \
+  --permission-level CAN_USE
+```
+
+See `examples/custom-mcp-server.md` for detailed steps.
+
+## Important Notes
+
+- **MLflow experiment**: Already configured in template, no action needed
+- **Multiple resources**: Add multiple entries under `resources:` list
+- **Permission types vary**: Each resource type has specific permission values
+- **Deploy after changes**: Run `databricks bundle deploy` after modifying `databricks.yml`
diff --git a/.claude/skills/add-tools-openai/examples/custom-mcp-server.md b/.claude/skills/add-tools-openai/examples/custom-mcp-server.md
@@ -0,0 +1,60 @@
+# Custom MCP Server (Databricks App)
+
+Custom MCP servers are Databricks Apps with names starting with `mcp-*`.
+
+**Apps are not yet supported as resource dependencies in `databricks.yml`**, so manual permission grant is required.
+
+## Steps
+
+### 1. Add MCP server in `agent_server/agent.py`
+
+```python
+from databricks_openai.agents import McpServer
+
+custom_mcp = McpServer(
+    url="https://mcp-my-server.cloud.databricks.com/mcp",
+    name="my custom mcp server",
+)
+
+agent = Agent(
+    name="my agent",
+    model="databricks-claude-3-7-sonnet",
+    mcp_servers=[custom_mcp],
+)
+```
+
+### 2. Deploy your agent app first
+
+```bash
+databricks bundle deploy
+databricks bundle run agent_openai_agents_sdk
+```
+
+### 3. Get your agent app's service principal
+
+```bash
+databricks apps get <your-agent-app-name> --output json | jq -r '.service_principal_name'
+```
+
+Example output: `sp-abc123-def456`
+
+### 4. Grant permission on the MCP server app
+
+```bash
+databricks apps update-permissions <mcp-server-app-name> \
+  --service-principal <agent-app-service-principal> \
+  --permission-level CAN_USE
+```
+
+Example:
+```bash
+databricks apps update-permissions mcp-my-server \
+  --service-principal sp-abc123-def456 \
+  --permission-level CAN_USE
+```
+
+## Notes
+
+- This manual step is required each time you connect to a new custom MCP server
+- The permission grant persists across deployments
+- If you redeploy the agent app with a new service principal, you'll need to grant permissions again