Brickbuilder submission readiness
Evidence checklist for preparing Fabric Harness for a Databricks Brickbuilder solution or accelerator technical review.
This page is an engineering evidence checklist for a Brickbuilder submission, not a claim of Databricks validation, endorsement, or program acceptance. Confirm the current process and requirements in the Databricks Partner Portal with your partner contact.
Solution narrative
Fabric Harness is a TypeScript agent runtime and deployment toolkit for governed data and AI agents. Its Databricks value is the integration of Model Serving, Unity Catalog-aware tools, SQL Warehouses, Vector Search, AI/BI Genie, Feature Serving, Lakeflow, Lakebase durability, MLflow telemetry, usage reconciliation, approval controls, and deployable Databricks App artifacts under one propagated identity.
Technical evidence
| Evidence | What to provide |
|---|---|
| Repeatable install | Databricks template scaffold and locked package versions |
| Reference architecture | Architecture and identity flow |
| Live App | A deployed databricks-app artifact with health and readiness checks |
| Governed denial | A recording or test showing Unity Catalog rejects an unauthorized table or volume |
| App identity | Service-principal execution with token values absent from logs and model context |
| User identity | OBO request showing user-level permissions when the use case requires it |
| Durable recovery | Lakebase-backed session and submission recovery after App restart |
| AI integrations | Live Model Serving plus at least one of Vector Search, Genie, or Feature Serving |
| Operational evidence | MLflow or OpenTelemetry trace correlated to submission and tenant identifiers |
| Cost governance | Estimated budget enforcement and actual usage reconciliation |
| Supply chain | Manifest, SBOM, provenance, dependency scan, and Apache-2.0 license |
| Test report | Unit, contract, artifact, security, and live workspace test results with dates |
Live validation gate
Create or reconcile the isolated certification fixture with a workspace-admin user token. Review the plan before allowing mutations:
pnpm databricks:cert:plan
FABRIC_DATABRICKS_PROVISION=1 pnpm databricks:cert:provisionThe provisioner is safe to rerun. It creates named, disposable resources for SQL, UC allow/deny,
Vector Search, MLflow evaluation, Jobs, Lakeflow, Genie, Feature Serving, Volumes, and OBO grant
differentiation, then writes the environment-variable manifest under artifacts/.
pnpm --filter @fabric-harness/databricks build
FABRIC_DATABRICKS_EVIDENCE_PATH=artifacts/databricks-certification.json \
node packages/databricks/dist/certify.js
node scripts/build-databricks-compatibility-matrix.mjs artifacts/databricks-certification.jsonThe command records each capability as passed, failed, or not-configured, fails when any
required capability does not pass, removes tokens from errors, and writes schema-versioned JSON
with commit SHA, durations, workspace origin, and summary counts. The databricks-live GitHub
environment uploads that file as the databricks-certification workflow artifact.
Core variables:
| Capability | Configuration |
|---|---|
| Identity | DATABRICKS_HOST plus DATABRICKS_TOKEN, or DATABRICKS_CLIENT_ID and DATABRICKS_CLIENT_SECRET for OAuth M2M |
| SQL and Unity Catalog | DATABRICKS_WAREHOUSE_ID, DATABRICKS_CATALOG, DATABRICKS_SCHEMA |
| Governed SQL | DATABRICKS_ALLOWED_TABLE and DATABRICKS_DENIED_TABLE |
| Unity AI Gateway model service | DATABRICKS_MODEL (system.ai.*) |
| Optional custom endpoint | DATABRICKS_MODEL plus DATABRICKS_INFERENCE_MODE=serving-endpoints |
| Vector Search and RAG | DATABRICKS_VECTOR_INDEX, DATABRICKS_VECTOR_TEXT_COLUMN, DATABRICKS_VECTOR_ID_COLUMN, DATABRICKS_RAG_QUERY |
| Managed RAG evaluation | DATABRICKS_RAG_EVAL_JOB_ID; optional DATABRICKS_RAG_EVAL_THRESHOLD on the Job environment |
| Genie | DATABRICKS_GENIE_SPACE_ID |
| Feature Serving | DATABRICKS_FEATURE_ENDPOINT, DATABRICKS_FEATURE_RECORDS_JSON |
| Lakeflow | DATABRICKS_PIPELINE_ID |
| Jobs and notebook | DATABRICKS_JOB_ID, DATABRICKS_NOTEBOOK_PATH; DATABRICKS_CLUSTER_ID only for classic compute |
| UC Volumes | DATABRICKS_VOLUME plus catalog/schema |
| Lakebase | ENDPOINT_NAME, PGHOST, PGDATABASE, PGUSER |
| Managed App Lakebase resource | BUNDLE_VAR_lakebase_endpoint, BUNDLE_VAR_lakebase_database_resource |
| OBO | DATABRICKS_OBO_TOKEN, DATABRICKS_OBO_DIFFERENTIAL_TABLE, DATABRICKS_OBO_EXPECT |
| System Tables and reconciliation | DATABRICKS_SYSTEM_TABLES_TEST=1, cost scope/estimate/drift variables, plus warehouse |
| Databricks App | DATABRICKS_APP_URL |
| ChatAgent proxy | DATABRICKS_CHAT_AGENT_ENDPOINT |
Keep the existing live Vitest suite enabled as a lower-level diagnostic gate. Certification is the strict evidence gate: optional checks may be unconfigured, but required checks cannot silently skip.
The protected databricks-live workflow runs daily, on every published release, and on demand. OBO
is an explicit manual-dispatch gate because the user authorization token is intentionally
short-lived; refresh DATABRICKS_OBO_TOKEN and dispatch with require_obo enabled.
For a second workspace or cloud, create another protected GitHub Environment with the same secret
and variable names, provision that workspace with pnpm databricks:cert:provision, then dispatch
live-tests.yml with databricks_environment set to the new environment name. The workflow runs the
same build, App deployment, restart, load, RAG, governance, Model Serving, and evidence gates; it does
not infer compatibility from the first workspace. Use run_soak for the 15-minute paced load gate.
The protected Azure reference run for commit 9add3f89d59c45d806919b5329759df997903728
completed the paced gate with 300 of 300 requests, no failures, and no duplicate run IDs. Admission
p95 was 81 ms against a 1,500 ms limit, and end-to-end p95 was 339 ms against a 10,000 ms
limit. The same run passed all 24 required Databricks capability checks plus App health, readiness,
and finite-job lifecycle conformance. Treat these as reference-workspace evidence, then run the gate
with your own App workload, capacity, data, and SLO thresholds before production approval.
The workflow covers:
- Databricks App project deployment, bare stop/start recovery from the same source into a new snapshot, managed-resource continuity, and cascade deletion.
- Service-principal and OBO identity paths used by the solution.
- Unity AI Gateway readiness, model-service discovery, tagged inference, and secured MLflow ChatAgent aggregated and streaming proxy invocation.
- Vector Search retrieval plus a grounded RAG answer with validated inline citations.
- A governed MLflow 3 evaluation dataset and serverless managed-judge quality gate for answer and retrieval quality.
- SQL Warehouse execution and permission denial.
- Unity Catalog table and Volume allow and deny cases.
- Lakebase credential exchange plus session, submission, conversation offset, and attachment recovery.
- Every optional API enabled in the submitted reference solution.
- API authentication, mutation approval classification, lineage joins, and actual-cost reconciliation.
The interactive OBO lifecycle is intentionally separate from unattended release CI because it must
cross a real user-token expiry boundary. Run scripts/certify-databricks-obo-lifecycle.mjs prepare
and verify with one U2M CLI profile; retain artifacts/databricks-obo-lifecycle.json with the release
evidence. The artifact contains only identity stability and token lifetime timestamps.
Official guidance
- Databricks Partner Well-Architected Framework
- Databricks Apps authorization
- Add a Lakebase resource to a Databricks App
- Unity Catalog Volumes
- Authorize access to Databricks resources
Do not use Databricks program badges or validation language until Databricks has granted that status.