Preserve profile fields on re-login instead of wiping all keys (#4597)

## Why

`SaveToProfile` deleted **every key** in a `.databrickscfg` profile
section before writing, then only wrote back the small subset of fields
the caller explicitly set. This meant every `databricks auth login` or
`databricks configure` silently destroyed fields like `cluster_id`,
`warehouse_id`, `scopes`, `azure_environment`, and any custom keys the
user had added to their profile.

This is especially problematic as profiles carry more explicit fields in
the host-agnostic auth work (`workspace_id`, `account_id`,
`azure_environment`). Users shouldn't have to re-specify everything
every time they re-login.

## Changes

### Core: `SaveToProfile` merge semantics (`libs/databrickscfg/ops.go`)

**Before:** Delete all keys in the section, then write only non-zero
fields from the new config.
**After:** Existing keys not mentioned in the new config are preserved.
Non-zero fields from the new config overwrite existing values. A new
`clearKeys ...string` variadic parameter lets callers explicitly remove
specific keys.

### `auth login` (`cmd/auth/login.go`)

**Before:** Re-login wiped everything. `cluster_id` and
`serverless_compute_id` were manually read back from the existing
profile in the default case (no
`--configure-cluster`/`--configure-serverless`), but `warehouse_id`,
`azure_environment`, custom keys, etc. were always lost.

**After:**
- All non-auth fields are preserved automatically via merge semantics
(no manual read-back needed).
- Incompatible auth credentials (PAT token, basic auth, M2M client
secrets, Azure/GCP credentials, metadata service URL, OIDC tokens) are
explicitly cleared when switching to OAuth.
- `--configure-cluster` explicitly clears `serverless_compute_id` (and
vice versa) for mutual exclusion.
- `experimental_is_unified_host` is explicitly cleared when `false`
(since `false` is a zero value and would otherwise be skipped by the
merge, leaving a stale `true` from a previous login).
- **Scopes are preserved:** when `--scopes` is not passed, existing
scopes from the profile are read back and used for the OAuth challenge.
This means the minted token matches the profile's scope configuration.
Previously, scopes were always wiped and the default `all-apis` was
used.

### Inline login in `auth token` (`cmd/auth/token.go`)

**Before:** `runInlineLogin` (the "create new profile" path in the
interactive `auth token` flow) saved a minimal set of fields and wiped
everything else. Did not handle scopes or `experimental_is_unified_host`
clearing.

**After:**
- Same auth credential clearing as `auth login`.
- `experimental_is_unified_host` explicitly cleared when `false`.
- Existing profile scopes are read back and used for the OAuth challenge
(same as `auth login`).

### `databricks configure` (`cmd/configure/configure.go`)

**Before:** PAT configure wiped all keys including `auth_type`,
`scopes`, `azure_environment`, etc. — which was correct for
`auth_type`/`scopes` but destroyed useful non-auth fields.

**After:**
- Non-auth fields (`cluster_id`, `warehouse_id`, `azure_environment`,
`account_id`, `workspace_id`, custom keys) are preserved.
- OAuth metadata (`auth_type`, `scopes`, `databricks_cli_path`) is
explicitly cleared — a PAT profile shouldn't keep OAuth artifacts.
- All non-PAT auth credentials (basic auth, M2M, Azure, GCP, OIDC,
metadata service) are explicitly cleared to prevent multi-auth
conflicts.
- `experimental_is_unified_host` is always cleared (PAT profiles don't
use unified hosts).
- `serverless_compute_id` is cleared when `cluster_id` is set — whether
via `--configure-cluster` flag **or** via `DATABRICKS_CLUSTER_ID` env
var (previously only the flag was checked).

### Profile struct (`libs/databrickscfg/profile/`)

- Added `Scopes` field to `profile.Profile` struct and read it from the
INI file in `LoadProfiles`. This allows `auth login` and `auth token` to
read existing scopes back from the profile.

## Test plan

**Unit tests (`libs/databrickscfg/ops_test.go`):**
- [x] `TestSaveToProfile_MergePreservesExistingKeys` — token survives
when only auth_type is written
- [x] `TestSaveToProfile_ClearKeysRemovesSpecifiedKeys` — token and
cluster_id cleared, serverless_compute_id added
- [x] `TestSaveToProfile_OverwritesExistingValues` — host updated from
old to new
- [x] `TestSaveToProfile_ClearKeysOnNonExistentKeyIsNoop` — clearing
nonexistent keys doesn't error

**Unit tests (`cmd/configure/configure_test.go`):**
- [x] `TestConfigureClearsOAuthAuthType` — PAT configure clears
`auth_type` and `scopes` from a previously OAuth-configured profile
- [x] `TestConfigureClearsUnifiedHostMetadata` — PAT configure clears
`experimental_is_unified_host` while preserving
`account_id`/`workspace_id`
- [x] `TestConfigureClearsServerlessWhenClusterFromEnv` —
`serverless_compute_id` cleared when `DATABRICKS_CLUSTER_ID` env var
provides cluster_id

**Acceptance test (`acceptance/cmd/auth/login/preserve-fields/`):**
- [x] Profile with `cluster_id`, `warehouse_id`, `azure_environment`,
and `custom_key` → all four survive `auth login` re-login without
`--configure-cluster`/`--configure-serverless`

**Existing tests:**
- [x] All 7 `auth login` acceptance tests pass (including
`configure-serverless` which verifies `cluster_id` is still cleared)
- [x] All `cmd/auth/` unit tests pass
- [x] All `cmd/configure/` unit tests pass
- [x] `make checks` clean
- [x] `make lintfull` clean (0 issues)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Author: simonfaltum

acceptance/cmd/auth/login/preserve-fields/out.test.toml

@@ -0,0 +1,21 @@
+
+=== Initial profile
+[DEFAULT]
+host = [DATABRICKS_URL]
+cluster_id = existing-cluster-123
+warehouse_id = warehouse-456
+azure_environment = USGOVERNMENT
+custom_key = my-custom-value
+
+=== Run auth login (no --configure-cluster or --configure-serverless)
+>>> [CLI] auth login --host [DATABRICKS_URL] --profile DEFAULT
+Profile DEFAULT was successfully saved
+
+=== Profile after auth login — all non-auth fields should be preserved
+[DEFAULT]
+host              = [DATABRICKS_URL]
+cluster_id        = existing-cluster-123
+warehouse_id      = warehouse-456
+azure_environment = USGOVERNMENT
+custom_key        = my-custom-value
+auth_type         = databricks-cli

acceptance/cmd/auth/login/preserve-fields/output.txt

@@ -0,0 +1,25 @@
+sethome "./home"
+
+# Create an initial profile with cluster_id, warehouse_id, azure_environment,
+# and a custom key that is not a recognized SDK config attribute.
+cat > "./home/.databrickscfg" <<EOF
+[DEFAULT]
+host = $DATABRICKS_HOST
+cluster_id = existing-cluster-123
+warehouse_id = warehouse-456
+azure_environment = USGOVERNMENT
+custom_key = my-custom-value
+EOF
+
+title "Initial profile\n"
+cat "./home/.databrickscfg"
+
+# Use a fake browser that performs a GET on the authorization URL
+# and follows the redirect back to localhost.
+export BROWSER="browser.py"
+
+title "Run auth login (no --configure-cluster or --configure-serverless)"
+trace $CLI auth login --host $DATABRICKS_HOST --profile DEFAULT
+
+title "Profile after auth login — all non-auth fields should be preserved\n"
+cat "./home/.databrickscfg"

acceptance/cmd/auth/login/preserve-fields/script

@@ -0,0 +1,3 @@
+Ignore = [
+    "home"
+]

acceptance/cmd/auth/login/preserve-fields/test.toml

@@ -0,0 +1,19 @@
+
+=== Initial profile (OAuth with unified host)
+[DEFAULT]
+host                         = https://host
+auth_type                    = databricks-cli
+scopes                       = all-apis
+experimental_is_unified_host = true
+account_id                   = acc-123
+workspace_id                 = ws-456
+
+=== Run configure with PAT token
+>>> [CLI] configure --token --host https://host
+
+=== Profile after PAT configure
+[DEFAULT]
+host         = https://host
+account_id   = acc-123
+workspace_id = ws-456
+token        = [DATABRICKS_TOKEN]

acceptance/cmd/configure/clears-oauth-on-pat/out.test.toml

@@ -0,0 +1,22 @@
+sethome "./home"
+
+# Pre-populate a profile with OAuth metadata and unified host fields
+# (as if `auth login` was previously run against a unified host).
+cat > "./home/.databrickscfg" <<EOF
+[DEFAULT]
+host                         = https://host
+auth_type                    = databricks-cli
+scopes                       = all-apis
+experimental_is_unified_host = true
+account_id                   = acc-123
+workspace_id                 = ws-456
+EOF
+
+title "Initial profile (OAuth with unified host)\n"
+cat "./home/.databrickscfg"
+
+title "Run configure with PAT token"
+echo "new-token" | trace $CLI configure --token --host https://host
+
+title "Profile after PAT configure\n"
+cat "./home/.databrickscfg"

acceptance/cmd/configure/clears-oauth-on-pat/output.txt

@@ -0,0 +1,3 @@
+Ignore = [
+    "home"
+]

acceptance/cmd/configure/clears-oauth-on-pat/script

@@ -0,0 +1,14 @@
+
+=== Initial profile with serverless_compute_id
+[DEFAULT]
+host                  = https://host
+serverless_compute_id = auto
+
+=== Run configure with cluster from env var
+>>> [CLI] configure --token --host https://host
+
+=== Profile after configure (serverless should be cleared)
+[DEFAULT]
+host       = https://host
+cluster_id = env-cluster-789
+token      = [DATABRICKS_TOKEN]