Fix formatting and add changelog entry

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: tejaskochar-db

NEXT_CHANGELOG.md

@@ -5,6 +5,7 @@
 ### New Features and Improvements
 
 ### Bug Fixes
+* Fixed Databricks CLI authentication to detect when the cached token's scopes don't match the SDK's configured scopes. Previously, a scope mismatch was silently ignored, causing requests to use wrong permissions. The SDK now raises an error with instructions to re-authenticate.
 
 ### Security Vulnerabilities
 

databricks-sdk-java/src/main/java/com/databricks/sdk/core/DatabricksCliCredentialsProvider.java

@@ -5,7 +5,6 @@
 import com.databricks.sdk.core.oauth.Token;
 import com.databricks.sdk.core.utils.OSUtils;
 import com.databricks.sdk.support.InternalApi;
-import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import java.nio.charset.StandardCharsets;
 import java.util.*;
@@ -200,8 +199,7 @@ private static Map<String, Object> getJwtClaims(String accessToken) {
     try {
       String[] parts = accessToken.split("\\.");
       if (parts.length != 3) {
-        LOG.debug(
-            "Tried to decode access token as JWT, but failed: {} components", parts.length);
+        LOG.debug("Tried to decode access token as JWT, but failed: {} components", parts.length);
         return null;
       }
       byte[] payloadBytes = Base64.getUrlDecoder().decode(parts[1]);

databricks-sdk-java/src/test/java/com/databricks/sdk/core/DatabricksCliScopeValidationTest.java

@@ -25,9 +25,7 @@ private static String makeJwt(Map<String, Object> claims) {
               .withoutPadding()
               .encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8));
       String payload =
-          Base64.getUrlEncoder()
-              .withoutPadding()
-              .encodeToString(MAPPER.writeValueAsBytes(claims));
+          Base64.getUrlEncoder().withoutPadding().encodeToString(MAPPER.writeValueAsBytes(claims));
       return header + "." + payload + ".sig";
     } catch (Exception e) {
       throw new RuntimeException(e);
@@ -89,13 +87,11 @@ void testScopeValidation(
       assertThrows(
           DatabricksException.class,
           () ->
-              DatabricksCliCredentialsProvider.validateTokenScopes(
-                  token, configuredScopes, HOST));
+              DatabricksCliCredentialsProvider.validateTokenScopes(token, configuredScopes, HOST));
     } else {
       assertDoesNotThrow(
           () ->
-              DatabricksCliCredentialsProvider.validateTokenScopes(
-                  token, configuredScopes, HOST));
+              DatabricksCliCredentialsProvider.validateTokenScopes(token, configuredScopes, HOST));
     }
   }