Apply SecretScopeFixups in upload_state_for_yaml_sync.go

Add SecretScopeFixups(EngineDirect) before reading b.Config.Value()
so the config includes .permissions entries for secret scopes. Without
this, CalculatePlan sees .permissions in state but not in config and
produces incorrect plan entries during YAML sync conversion.

Co-authored-by: Isaac

Author: denik

bundle/statemgmt/upload_state_for_yaml_sync.go

@@ -11,6 +11,7 @@ import (
 	"github.com/databricks/cli/bundle"
 	"github.com/databricks/cli/bundle/config"
 	"github.com/databricks/cli/bundle/config/engine"
+	"github.com/databricks/cli/bundle/config/mutator/resourcemutator"
 	"github.com/databricks/cli/bundle/deploy"
 	"github.com/databricks/cli/bundle/deploy/terraform"
 	"github.com/databricks/cli/bundle/deployplan"
@@ -22,6 +23,7 @@ import (
 	"github.com/databricks/cli/libs/dyn/dynvar"
 	"github.com/databricks/cli/libs/filer"
 	"github.com/databricks/cli/libs/log"
+	"github.com/databricks/cli/libs/logdiag"
 	"github.com/databricks/cli/libs/structs/structaccess"
 	"github.com/databricks/cli/libs/structs/structpath"
 )
@@ -135,6 +137,14 @@ func (m *uploadStateForYamlSync) convertState(ctx context.Context, b *bundle.Bun
 		},
 	}
 
+	// Apply SecretScopeFixups so the config matches what the direct engine expects.
+	// This adds MANAGE ACL for the current user to all secret scopes, ensuring
+	// the migrated state and config agree on .permissions entries.
+	bundle.ApplyContext(ctx, b, resourcemutator.SecretScopeFixups(engine.EngineDirect))
+	if logdiag.HasError(ctx) {
+		return diag.Errorf("failed to apply secret scope fixups")
+	}
+
 	// Get the dynamic value from b.Config and reverse the interpolation
 	// b.Config has been modified by terraform.Interpolate which converts bundle-style
 	// references (${resources.pipelines.x.id}) to terraform-style (${databricks_pipeline.x.id})