v0.53.0 — conflict-aware `sync pull --force`

Minor release over 0.52.1.

Fixes

• sync pull --force silent baseline corruption → data loss (#376) — a config with un-pushed local edits could be silently de-synced. When a force-pull ran while that config's remote was unchanged (typically to resolve an unrelated config's conflict), --force re-stamped the manifest pull_hash from the edited on-disk file, so sync diff and sync push then reported "in sync" and shipped nothing — while the live remote still held the old config. The edits were stranded with no visible signal.

  --force is now conflict-aware, branching on the 3-way diff state (config and row granularity):

  • local edited, remote unchanged → the edit and its sync baseline are preserved (the pending delta stays pushable; no discard, no silent re-stamp).
  • local edited AND remote also changed (a true merge conflict) → the pull aborts before writing anything with the new SyncConflictError (exit 1, error code SYNC_CONFLICT), listing every conflicting config/row so you can resolve it.
  • local untouched, remote changed → takes remote, as before.

  Note: --force no longer discards non-conflicting local edits — to drop a local edit on purpose, delete the file (or config dir) and pull. --all-projects surfaces a per-project conflict as a structured SYNC_CONFLICT entry (with the conflicts list) without aborting the batch.

Also

• The sync command group is now documented in CLAUDE.md (it was previously missing entirely), plus gotchas.md (since v0.53.0), sync-workflow.md, keboola-expert.md, commands-reference.md, and kbagent context (AGENT_CONTEXT).
• New tests: service-layer regression (config + row, preserve case b / abort case a / remote-only-changed), CLI (exit 1 + human + --json SYNC_CONFLICT envelope), and an E2E force-pull test.

Full changelog: v0.52.1...v0.53.0

v0.52.1 — swap-tables wording fix

Patch release over 0.52.0.

Fixes

• swap-tables wording (#373) — completes the 0.52.0 semantics correction. The user-facing ConfigError raised on a missing --branch (exit 5) no longer claims "The Storage API rejects this on production" — a swap on the default/production branch is supported (it is how a typed rebuild is applied to prod). The same stale "dev branch only" wording was corrected in commands-reference.md, the swap-tables command docstring (which feeds the auto-generated SKILL.md decision table), and the AGENT_CONTEXT block (kbagent context). A CLI test that mocked and asserted the old phantom "dev branch" error string was fixed to match the real service message. No behaviour change — branch_id stays mandatory; clone-table wording is intentionally untouched (clone legitimately targets a dev branch).

Maintenance

• Dependency bumps: pip 26.0.1→26.1 (#371), python-multipart 0.0.26→0.0.27 (#372).

Full changelog: v0.52.0...v0.52.1

v0.52.0 — clone-table + Dev Portal admin/MFA fixes

v0.52.0 — clone-table + Dev Portal admin/MFA fixes

First release since v0.51.0. One new storage command, a docs correction verified against a live project, and three Developer Portal fixes (the in-flight 0.51.1 work ships here too).

Highlights

🌿 Pull a production table into a dev branch — kbagent storage clone-table (#368)
On a storage-branches project a dev branch reads production tables transparently until its first write — so trying to reshape one in the branch (swap-tables, dropping a column) fails with a misleading "bucket not found". clone-table materializes the table branch-local so those edits work, leaving production untouched. One-way (default → branch), safe to --dry-run, polls the storage job to completion, and is exposed under kbagent serve. Closes #362.

kbagent storage clone-table --project P --table-id ID --branch ID [--dry-run]

📝 Corrected typify & swap-tables guidance (#368)
Verified live: a dev-branch swap does not reach production via merge (Keboola merges only configurations, not table schema), and swap-tables is supported on the production branch. The typify workflow is reworked into a rehearse-in-a-branch-then-redo-in-prod model; the old "merge promotes the typed schema to production" step was wrong and is removed. Docs only — no behavior change.

🔑 Developer Portal — admin PATCH routing, MFA login, --password-stdin (#366)
Three fixes to kbagent dev-portal: admin identities now route to the permissive PATCH /admin/apps/{app} endpoint (with a fail-fast preflight that explains the misleading 422 a vendor identity hits on admin-only fields); MFA logins send the challenge field the server actually requires (no more bare 404, and the response body is surfaced on failure); and --password-stdin no longer hangs on a terminal (hidden prompt on a TTY, read-to-EOF on a pipe). — thanks @matyas-jirat-keboola

Under the hood

• New layers for clone-table: KeboolaClient.pull_table, StorageService.clone_table, the clone-table command, and a 1:1 REST route POST /storage/tables/{project}/{table_id}/pull. Permission class write; refuses with exit 5 (before any HTTP call) when neither --branch nor an active branch is set.
• Dependency bumps: urllib3 → 2.7.0, idna → 3.15, pip → 26.1, python-multipart → 0.0.27; vitest → 4.1.0 in web/backend (dev).

Credits

Thanks to @matyas-jirat-keboola for the Developer Portal fixes.

Upgrade

kbagent update

Full changelog: kbagent changelog.

v0.51.0 — Data Streams web UI

Data Streams web UI. The kbagent stream command group (OTLP/HTTP sources, shipped in 0.50.0) now has a page in the kbagent serve --ui web UI under Browse → Data Streams: list sources, create an OTLP/HTTP source (with sink auto-provisioning), inspect endpoints/destination with a reveal toggle for the masked OTLP secret, and delete. Full parity with the kbagent stream * CLI.

Fix — stream now documented in OpenAPI. The router was registered and callable, but its tag was missing from OPENAPI_TAGS, so /docs#/stream rendered as a bare, description-less section. A new smoke test asserts every router tag has an OpenAPI description block, so a router can't ship invisible in /docs again.

Full changelog: kbagent changelog.

v0.50.0

kbagent stream — Data Streams (OpenTelemetry / OTLP) · #364 (closes #357)

New command group to provision and introspect OTLP Data Streams sources from the CLI instead of copy-pasting endpoints out of the UI:

• stream list / create-source / detail / delete
• create-source --type otlp auto-provisions the logs/metrics/traces sinks (bucket in.c-otlp-<source>) so data lands in Storage out of the box; --no-sinks opts out.
• The ingest endpoint embeds its secret in the URL path → masked by default in every surface; --reveal prints it (e.g. to wire OTEL_EXPORTER_OTLP_ENDPOINT for a daemon).
• Storage-token auth (no manage token). Control plane stream.<region> derived from connection.<region>; ingest URL comes from source.otlp.url (never derived). 1:1 kbagent serve REST router.

Headless / token-only invocation — the __env__ project · #363 (closes #359)

• Set KBAGENT_PROJECT_FROM_ENV=1 + KBC_TOKEN + KBC_STORAGE_API_URL and run any command with --project __env__ — no kbagent project add, no config.json on disk. The token is ephemeral and never persisted. Works for both the CLI and kbagent serve.
• Forgiving stack-URL normalization (bare host, trailing slash, or a full project deep-link all reduce to https://<host>) on project add / project edit --url / the headless injection.

---

Full per-line details: kbagent changelog.

v0.49.0 — Developer Portal, Feature Flags & GitOps reliability

v0.49.0 — Developer Portal, Feature Flags & GitOps reliability

First release since v0.47.1. Bundles four user-facing additions (the in-flight 0.47.2 and 0.48.0 work ships here too).

Highlights

🛠 Developer Portal management — kbagent dev-portal (#354)
Manage your Keboola component listings straight from the terminal: list and inspect a vendor's apps, patch metadata, upload icons, publish, and deprecate. Production-safe by design — every write prints a diff and requires a human to type a one-time confirmation code on a real terminal. There is no --yes and no env-var bypass, so an AI agent or CI job can read the portal but never silently mutate it. Reads are open (handy for peer-config research) and also exposed via kbagent serve. — thanks @matyas-jirat-keboola

🚩 Feature flag management — kbagent feature (#356)
View and toggle Keboola feature flags at stack, project, and user scope via the Manage API. Same safe super-admin-token handling as org setup (interactive prompt, never persisted, never a CLI argument); writes support --dry-run and confirmation, with a 1:1 REST surface under kbagent serve.

🔁 GitOps sync push reliability (#360)
A transformation scaffolded alongside its variables config is now runnable after a single sync push — variable bindings and default values resolve automatically, no post-push workaround. sync push --branch <id> promotes the local default tree onto a target dev branch. — thanks @ottomansky

❄️ Snowflake workspace fix (#351)
New Snowflake sandbox workspaces now use the Query-Service-compatible key-pair login type, so SQL workspaces created via kbagent work out of the box (the one-time creation output returns the private key). — thanks @zajca

Under the hood

• --hint code generation is deprecated in favor of the kbagent serve REST API; the PR-review agent and contributor docs were updated accordingly. (#355)

Credits

Thanks to @matyas-jirat-keboola, @ottomansky, and @zajca for the contributions in this cycle.

Upgrade

kbagent update

v0.47.1 — semantic-layer reads, fresh-CREATE writeback, sync/storage ergonomics

Bundles every change merged since v0.46.1 — the 0.47.0 feature set (#348) and the 0.47.1 follow-up fix (#350) — into one release.

Highlights

• New: semantic-layer search-context + get-context — project-wide glob search and single-id lookup that mirror the upstream keboola-mcp-server search_semantic_context / get_semantic_context tools, so downstream callers (FIIA, scheduled agents, pre-flight scripts) can drop the MCP dependency for the common "is the model populated?" / "what's at this id?" checks.
• sync push fresh-CREATE writeback — placeholder manifest entries (the FIIA / scaffold seed pattern) are now updated in place instead of appended, and KBC.configuration.* metadata on a placeholder is propagated to the remote. Re-pushes are naturally idempotent.
• Storage & sync ergonomics — storage create-table --if-not-exists, sync push|pull|diff --branch <id>, sync push --no-name-drift-warnings.

New commands

• kbagent semantic-layer search-context --project P [--pattern G ...] [--type model|dataset|metric|relationship|constraint|glossary|all] [--limit N] (#348)
• kbagent semantic-layer get-context --project P --context-id ID (#348)

Both are read operations, exposed 1:1 over kbagent serve.

sync push / pull / diff

• Fresh-CREATE writeback (#348): a single CREATE now produces a single manifest entry (placeholder updated in place by (branch_id, component_id, path)), not placeholder + new ULID. KBC.configuration.* keys on the placeholder are propagated via set_config_metadata.
• --branch <id> (#348): per-invocation dev-branch override that wins over manifest.branches[0], active_branch_id, and branch-mapping.json. Symmetric across push / pull / diff. Mutually exclusive with --all-projects.
• --no-name-drift-warnings (#348): drops the cosmetic name_drift_warnings array; detection still runs.

storage create-table

• --if-not-exists (#348): opt-in idempotency for parallel workers. A duplicate-display-name failure becomes action: "skipped" when the table really exists at the expected id; a different table sharing the display name still surfaces the original error.
• Skipped envelope reports the actual existing schema (#350, closes #349): on a skip, columns / primary_key / name now report the existing table's real schema (not a re-echo of the request). The request is preserved under requested_columns / requested_primary_key, and schema_drift: bool flags divergence. Human-mode output warns on drift.

Breaking change (direct manifest readers only)

Pre-0.47.0 a single sync push CREATE produced two manifest entries (placeholder + assigned ULID). Post-0.47.0 it produces one (placeholder updated in place). Downstream tooling that worked around the duplication by post-processing the manifest must drop that workaround. Manifest.version is unchanged at 3 (no schema diff; only the writeback flow changed).

Notes

• sync push|pull|diff remain filesystem-local and intentionally have no HTTP router; the new --branch / --no-name-drift-warnings flags consequently have no REST counterpart. All other new surfaces are exposed 1:1 over kbagent serve.

Full changelog: v0.46.1...v0.47.1

Credits

The 0.47.0 feature set — semantic-layer reads, fresh-CREATE writeback, and the storage/sync ergonomics — was designed and implemented by @ottomansky (#348), who also filed the follow-up #349 that drove the 0.47.1 schema-reporting fix (#350). Thanks Max!

v0.46.1

Patch release. No CLI runtime behavior change — both items are plugin/tooling.

What's new

Skill now surfaces kbagent data-app logs (#336, closes #335). The kbagent Claude Code skill and the keboola-expert subagent now route log-troubleshooting requests to kbagent data-app logs (shipped in 0.43.8). The SKILL.md description-trigger list gained data-app logs, container logs, app logs, tail logs, build logs, app stdout, app stderr, troubleshoot data app, debug data app, and the keboola-expert Tool Selection Matrix gained a row:

kbagent data-app logs --project P --app-id N [--lines N | --since ISO8601]   (0.43.8+)

Before this, asking the agent for a data app's container logs fell back to the UI "Terminal Log" tab or the 20-line-capped get_data_apps MCP tool.

Frontend dev-tooling fix (#341). Bumped web/frontend dev dependencies — vite 5→8, vitest 2→4, and @vitejs/plugin-react 4→5.2 to keep the peer range consistent with vite 8. The earlier Dependabot PRs (#337, #338) bumped only vite + vitest, leaving plugin-react pinned below vite 8; that broke npm ci (ERESOLVE) in the Windows wheel-build job and silently shipped a UI-less wheel. The bundled SPA and kbagent serve --ui are unchanged.

Install

uv tool install git+https://github.com/keboola/cli

v0.46.0 — Repository moved to keboola/cli

Repository moved to keboola/cli

The project's canonical home moved from github.com/padak/keboola_agent_cli to github.com/keboola/cli. This release ships from the new home so the fleet migrates itself.

Change. The auto-update and self-install constants (KBAGENT_GITHUB_REPO, KBAGENT_INSTALL_SOURCE) now point at the new repo: the startup version check hits api.github.com/repos/keboola/cli/releases/latest and kbagent update installs from git+https://github.com/keboola/cli. The Claude Code plugin manifest (homepage/repository), the marketplace install instructions (/plugin marketplace add keboola/cli), README / TUTORIAL / CONTRIBUTING, the doctor/serve install hints, the AGENT_CONTEXT snippet, and the README dev-setup clone target were all updated in lock-step. The marketplace name (keboola-agent-cli) and the /plugin install kbagent@keboola-agent-cli identifier are unchanged — they are logical names, not repo paths.

Migration note. Existing installs migrate themselves in a single update cycle: GitHub serves a 301 from the old repo path to keboola/cli, and both auto-update phases follow it (the version check uses httpx with follow_redirects=True; uv/git follow the redirect on clone/fetch). Once you are on >= 0.46.0 the baked-in constants already name the new repo, so the redirect is needed for at most one hop. The old padak/keboola_agent_cli path must not be re-created as a new repository, or the redirect dies and pre-0.46.0 installs are cut off from updates.

Install

uv tool install git+https://github.com/keboola/cli

v0.45.0 — Reliability & code quality

Reliability & code-quality release.

• Fixed ~12 silently-broken REST API endpoints in kbagent serve (config rename / folder / search, table column descriptions, file download, data-app password, variables). They would have failed on the first call — now they work and are covered by regression tests so the issue can't quietly come back.
• Strict type-checking is now enforced across the whole codebase (blocking). This is what surfaced the broken endpoints, and it stops the same class of bug from shipping again.
• Fleet observability: every Keboola API call now reports OS + version, so CLI usage can be segmented in monitoring. No tokens, secrets, or user identity are exposed.
• --hint is deprecated in favour of the kbagent serve REST API, which now covers every command. The flag still works (with a deprecation notice) and will be removed in a future release.

No breaking changes for CLI users. Upgrade with kbagent update.