Azure strategies (azure-cli, azure-client-secret, github-oidc-azure) are
now skipped on GCP/AWS hosts in auto-detect mode. GCP strategies
(google-credentials, google-id) are skipped on Azure/AWS hosts.

When authType is explicitly set, cloud filtering is bypassed so the named
strategy is always attempted regardless of host cloud.

Individual credential providers no longer perform their own isAzure()/isGcp()
checks — that responsibility now lives centrally in DefaultCredentialsProvider
via a CLOUD_REQUIREMENTS map, mirroring the approach taken in
databricks/databricks-sdk-go#1505.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

…CloudRequirements

PR #1505 changed NewCredentialsChain to return *credentialsChain (unexported)
to enable WithCloudRequirements chaining. This broke the public API.

Restore the return type to CredentialsStrategy and introduce
NewCredentialsChainWithCloudRequirements for callers that need cloud-based
filtering. DefaultCredentials now uses the new constructor directly.
The WithCloudRequirements method is removed as it is no longer needed.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
Signed-off-by: Hector Castejon Diaz <[email protected]>

…CloudRequirements

PR #1505 changed NewCredentialsChain to return *credentialsChain (unexported)
to enable WithCloudRequirements chaining. This broke the public API.

Restore the return type to CredentialsStrategy and introduce
NewCredentialsChainWithCloudRequirements for callers that need cloud-based
filtering. DefaultCredentials now uses the new constructor directly.
The WithCloudRequirements method is removed as it is no longer needed.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
Signed-off-by: Hector Castejon Diaz <[email protected]>

…CloudRequirements

PR #1505 changed NewCredentialsChain to return *credentialsChain (unexported)
to enable WithCloudRequirements chaining. This broke the public API.

Restore the return type to CredentialsStrategy and introduce
NewCredentialsChainWithCloudRequirements for callers that need cloud-based
filtering. DefaultCredentials now uses the new constructor directly.
The WithCloudRequirements method is removed as it is no longer needed.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
Signed-off-by: Hector Castejon Diaz <[email protected]>

…CloudRequirements

PR #1505 changed NewCredentialsChain to return *credentialsChain (unexported)
to enable WithCloudRequirements chaining. This broke the public API.

Restore the return type to CredentialsStrategy and introduce
NewCredentialsChainWithCloudRequirements for callers that need cloud-based
filtering. DefaultCredentials now uses the new constructor directly.
The WithCloudRequirements method is removed as it is no longer needed.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
Signed-off-by: Hector Castejon Diaz <[email protected]>

…#1505)

## Changes

Move Cloud filtering from each Credentials Strategy to the
DefaultCredentialStrategy.

**Problem:** Each Azure/GCP strategy previously contained its own
host-cloud guard (e.g. `AzureCliCredentials` returned `nil, nil` on a
non-Azure host). This meant that explicitly setting
`auth_type="azure-cli"` on a GCP host was silently ignored — the
strategy would just return nil.

**Solution:** Cloud filtering moves into the `DefaultCredentials`
orchestrator via a `cloudRequirements` map on `credentialsChain`:

- In **auto-detect mode** (`auth_type` not set): Azure strategies are
skipped on GCP/AWS hosts and GCP strategies are skipped on Azure/AWS
hosts. Each skip is logged at debug level: `Skipping "azure-cli": not
configured for Azure`.
- When **`auth_type` is explicitly set**: the `cloudRequirements` map is
not consulted and the named strategy is always attempted, regardless of
detected host cloud. This enables e.g. `auth_type="azure-cli"` to work
on a host whose cloud is unknown.

Individual strategies no longer contain `cfg.IsAzure()` / `cfg.IsGcp()`
guards — that responsibility belongs entirely to the orchestrator.

**Files changed:**
- `config/auth_default.go` — `credentialsChain` gains `cloudRequirements
map[string]environment.Cloud` and a `WithCloudRequirements` builder;
`DefaultCredentials.Configure` wires it up via
`NewCredentialsChain(...).WithCloudRequirements(...)`
- `config/auth_azure_cli.go`, `auth_azure_msi.go`,
`auth_azure_client_secret.go`, `auth_azure_github_oidc.go` — removed
`cfg.IsAzure()` guards
- `config/auth_gcp_google_credentials.go`, `auth_gcp_google_id.go` —
removed `cfg.IsGcp()` guards

## Tests

- `TestCredentialsChain_CloudFiltering_SkipsOnCloudMismatch` — chain
skips an Azure strategy on a GCP host in auto-detect mode
- `TestCredentialsChain_CloudFiltering_BypassesOnExplicitAuthType` —
chain attempts the Azure strategy on a GCP host when `auth_type` is
explicitly set

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Signed-off-by: Hector Castejon Diaz <[email protected]>
Co-authored-by: Claude Sonnet 4.6 <[email protected]>

…dentials (#1505)"

This reverts commit 004a000.

## Summary
- Reverts PR #1505 which moved cloud filtering logic from individual
credential strategies to `DefaultCredentials`
- Restores the original behavior where each Azure/GCP strategy contains
its own `IsAzure()` / `IsGcp()` guard
## Changes
Reverts the following changes from #1505:
- Removes `cloudRequirements` map and `WithCloudRequirements` builder
from `credentialsChain` in `config/auth_default.go`
- Restores `IsAzure()` / `IsGcp()` guards in individual Azure and GCP
credential strategies
- Removes cloud filtering tests from `config/auth_default_test.go`
- Removes test for Azure CLI credentials skipping on AWS hosts from
`config/auth_azure_cli_test.go`
- Removes changelog entry for the reverted feature
## Tests
Existing unit tests cover the restored behavior.

NO_CHANGELOG=true

## Summary

- Clear `PATH` in `cmd/root` auth tests to prevent the Go SDK
(v0.117.0+) from shelling out to `az account show` during credential
resolution
- For `TestBundleConfigureDefault`, restrict `PATH` to system
directories instead of clearing it fully — the bundle loader's script
hook mutator currently requires a shell to be present even when no
scripts are configured (fixing that separately)
- Normalize existing `PATH="/nothing"` in prompt tests to `PATH=""`

The SDK upgrade to v0.117.0 (databricks/databricks-sdk-go#1505, bumped
in #4631) removed per-strategy cloud guards from Azure CLI credentials,
causing `az` to be probed on all platforms regardless of the configured
host. This added ~0.5–2.5s per affected test and wrote `.azure/` cache
files into the source tree.

Verified on macOS and Windows.

## Test plan

- [x] `go test -count=1 ./cmd/root` passes on macOS (1.2s, down from
5.2s)
- [x] `go test -count=1 ./cmd/root` passes on Windows (0.19s)
- [x] No `.azure/` or `Library/` directories created in `cmd/root/`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>

## Summary

- Clear `PATH` in `cmd/root` auth tests to prevent the Go SDK
(v0.117.0+) from shelling out to `az account show` during credential
resolution
- For `TestBundleConfigureDefault`, restrict `PATH` to system
directories instead of clearing it fully — the bundle loader's script
hook mutator currently requires a shell to be present even when no
scripts are configured (fixing that separately)
- Normalize existing `PATH="/nothing"` in prompt tests to `PATH=""`

The SDK upgrade to v0.117.0 (databricks/databricks-sdk-go#1505, bumped
in #4631) removed per-strategy cloud guards from Azure CLI credentials,
causing `az` to be probed on all platforms regardless of the configured
host. This added ~0.5–2.5s per affected test and wrote `.azure/` cache
files into the source tree.

Verified on macOS and Windows.

## Test plan

- [x] `go test -count=1 ./cmd/root` passes on macOS (1.2s, down from
5.2s)
- [x] `go test -count=1 ./cmd/root` passes on Windows (0.19s)
- [x] No `.azure/` or `Library/` directories created in `cmd/root/`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>