Promote manage-external-lineage with v1.1.1 audit pass

Re-staged with v1.1.1 holistic prompt that adds stopping-point markers,
correct INSTRUCTIONS.md sub-flow cross-refs, and drops invalid tool
snowflake_object_search.

Author: jdanielmyers

skills/manage-external-lineage/LICENSE

@@ -0,0 +1,22 @@
+Snowflake Skills License 
+
+© 2026 Snowflake Inc. All rights reserved.
+
+LICENSE: Use of these materials (including all code, prompts, assets, files, and other components of these skills (collectively, “Skills”)) is governed by your agreement with Snowflake for the Service. If no separate agreement exists, use is governed by Snowflake’s Terms of Service (available at: https://www.snowflake.com/en/legal/terms-of-service/). 
+
+Your applicable agreement is referred to as the "Agreement." "Service" is as defined in the Agreement.
+
+ADDITIONAL RESTRICTIONS: Notwithstanding anything in the Agreement to the contrary, you may not:
+
+* Extract from the Service or retain copies of the Skills outside use with the Service;
+* Reproduce or copy the Skills , except for temporary copies created automatically during authorized use of the Service;
+* Create derivative works based on the Skills; 
+* Distribute, sublicense, or transfer the Skills to any third party;
+* Make, offer to sell, sell, or import any inventions embodied in the Skills; nor, 
+* Reverse engineer, decompile, or disassemble the Skills. 
+
+The receipt, viewing, or possession of the Skills does not convey or imply any license or right beyond those expressly granted above.
+
+Snowflake retains all rights, title, and interest in the Skills, including all copyrights, trademarks, patents, and all other applicable intellectual property rights.
+
+THE SKILLS ARE PROVIDED “AS IS,” WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SKILLS OR THE USE OR OTHER DEALINGS IN THE SKILLS.

skills/manage-external-lineage/SKILL.md

@@ -0,0 +1,144 @@
+---
+name: manage-external-lineage
+title: Manage External Lineage
+summary: Send and delete OpenLineage COMPLETE events to connect external systems to Snowflake's lineage graph.
+description: |
+  Use when you need to surface external systems (Postgres, MySQL, S3, Kafka, etc.) in Snowflake's lineage view, send OpenLineage COMPLETE events via REST, or remove existing external lineage links. Triggers: external lineage, openlineage event, send lineage, establish lineage, delete lineage, connect postgres to snowflake lineage, connect mysql to snowflake lineage, connect s3 to snowflake lineage, document data pipeline, lineage api, ingest lineage.
+tools:
+  - snowflake_sql_execute
+  - Bash
+  - Read
+  - Write
+  - Edit
+prompt: Create a COMPLETE external lineage event from postgres://prod-db:5432 public.orders into MYDB.PUBLIC.ORDERS.
+language: en
+status: Published
+author: Snowflake Solutions Team
+type: snowflake
+---
+
+# Manage External Lineage
+
+## Overview
+
+Snowflake's lineage graph natively tracks objects inside the account. To show data flowing in from (or out to) external systems — Postgres, MySQL, S3, Kafka, DB2, Trino, etc. — you POST OpenLineage `COMPLETE` events to the external lineage REST endpoint. Once accepted, those external nodes appear in Snowsight under **Catalog → Database Explorer → [Table] → Lineage**.
+
+This skill helps you:
+
+- Build a valid OpenLineage payload
+- Send it using your existing Snowflake connection (no token juggling)
+- Delete external lineage relationships when sources are retired
+
+## Prerequisites
+
+- `INGEST LINEAGE` privilege on the account (and `DELETE LINEAGE` for deletes)
+- An active `cortex` connection, OR a Programmatic Access Token (PAT)
+- Python deps: `requests`, `snowflake-connector-python`
+
+## Workflow
+
+### Step 1: Verify privileges and target
+
+```sql
+SHOW GRANTS ON ACCOUNT;
+-- Look for INGEST LINEAGE granted to your role
+DESCRIBE TABLE <db>.<schema>.<table>;
+```
+
+If missing: `GRANT INGEST LINEAGE ON ACCOUNT TO ROLE <role>;`
+
+### Step 2: Build the payload
+
+```json
+{
+  "eventType": "COMPLETE",
+  "eventTime": "2026-02-20T19:00:00.000Z",
+  "job": {"namespace": "external-etl", "name": "orders_pipeline"},
+  "run": {"runId": "f47ac10b-58cc-4372-a567-0e02b2c3d479"},
+  "producer": "https://github.com/OpenLineage/OpenLineage/blob/v1-0-0/client",
+  "schemaURL": "https://openlineage.io/spec/0-0-1/OpenLineage.json",
+  "inputs": [
+    {"namespace": "postgres://prod-db:5432", "name": "public.orders"}
+  ],
+  "outputs": [
+    {"namespace": "snowflake://<ORG>-<ACCOUNT>", "name": "<DB>.<SCHEMA>.<TABLE>"}
+  ]
+}
+```
+
+Rules:
+- `eventType` must be `COMPLETE` — other types are ignored.
+- `inputs` and `outputs` must mix Snowflake and external objects.
+- Do NOT include `facets` for external objects — they render as "External Node" by default.
+- See `namespace_conventions.md` for per-source namespace formats.
+
+⚠️ STOPPING POINT: Show the payload to the user and wait for confirmation before sending.
+
+### Step 3: Send the event
+
+Preferred — use your Cortex Code connection:
+
+```bash
+SNOWFLAKE_CONNECTION_NAME=<connection> python <SKILL_DIR>/send_lineage_via_connection.py -p payload.json
+```
+
+Or generate + send in one go:
+
+```bash
+<SKILL_DIR>/generate_payload.sh -a <ACCOUNT> -o <DB>.<SCHEMA>.<TABLE> \
+  -i 'postgres://host:5432::db.schema.source' -f /tmp/payload.json
+SNOWFLAKE_CONNECTION_NAME=<connection> python <SKILL_DIR>/send_lineage_via_connection.py -p /tmp/payload.json
+```
+
+PAT alternative: `<SKILL_DIR>/send_lineage.sh -a <ACCOUNT> -t token.txt -p payload.json`
+
+### Step 4: Verify
+
+Open Snowsight → Catalog → Database Explorer → your table → Lineage tab. Allow 1–2 minutes for propagation.
+
+### Step 5: Delete external lineage (optional)
+
+⚠️ STOPPING POINT: Confirm the source/target before sending DELETE. The endpoint always returns HTTP 200 — verify removal in Snowsight.
+
+```bash
+curl --globoff -X DELETE \
+  -H "Authorization: Bearer $API_KEY" \
+  "https://<ACCOUNT>.snowflakecomputing.com/api/v2/lineage/external-lineage?sourceNamespace=<NS>&sourceName=<NAME>&sourceDatasetType=External%20Node&targetName=<DB>.<SCHEMA>.<TABLE>&targetDatasetType=TABLE"
+```
+
+Delete scopes:
+- Source + target → break that one link
+- Source only → break all downstream from that source
+- Target only → strip the target from the graph
+
+## Common Mistakes
+
+- Using `eventType` other than `COMPLETE` — silently dropped.
+- Underscores in the account URL — use hyphens (`ORG-ACCOUNT`).
+- Forgetting `--globoff` on curl — it mangles `External%20Node`.
+- Including `facets` on external nodes — breaks the "External Node" rendering.
+- Treating DELETE's `200` as success — always verify in Snowsight.
+- Mismatched delete direction — if external was the INPUT on create, it must be the source on delete.
+- Case-insensitive matching — namespaces and names are case-sensitive.
+
+## Limitations
+
+- 1-year retention, 10,000 events per account
+- 1000-char max FQN
+- No column-level lineage
+- External lineage isn't returned by `GET_LINEAGE`
+
+## Stopping Points
+
+- Step 2 — wait for payload review before sending
+- Step 5 — confirm targets before DELETE
+- Step 5 — verify in Snowsight (HTTP 200 does not confirm deletion)
+
+## Reference files
+
+- `namespace_conventions.md` — namespace formats per source
+- `token_setup.md` — creating a PAT
+- `troubleshooting.md` — 401 / 403 / 404 fixes
+- `send_lineage_via_connection.py` — recommended sender
+- `send_lineage.sh` — PAT-based sender
+- `generate_payload.sh` — payload builder

skills/manage-external-lineage/generate_payload.sh

@@ -0,0 +1,111 @@
+#!/bin/bash
+set -e
+
+usage() {
+    echo "Usage: $0 -a ACCOUNT -o OUTPUT_TABLE [-i INPUT...]"
+    echo ""
+    echo "Generate OpenLineage payload JSON for external lineage"
+    echo ""
+    echo "Required:"
+    echo "  -a ACCOUNT       Snowflake account (ORG-ACCOUNT format)"
+    echo "  -o OUTPUT        Output table (DATABASE.SCHEMA.TABLE)"
+    echo ""
+    echo "Optional:"
+    echo "  -i INPUT         Input source (namespace::name format, can repeat)"
+    echo "  -j JOB_NAME      Job name (default: auto-generated)"
+    echo "  -n JOB_NAMESPACE Job namespace (default: external-etl)"
+    echo "  -f OUTPUT_FILE   Output file (default: stdout)"
+    echo "  -h               Show this help"
+    echo ""
+    echo "Examples:"
+    echo "  # Single input"
+    echo "  $0 -a MYORG-MYACCOUNT -o DB.SCHEMA.TABLE \\"
+    echo "     -i 'postgres://host:5432::db.schema.table'"
+    echo ""
+    echo "  # Multiple inputs"
+    echo "  $0 -a MYORG-MYACCOUNT -o DB.SCHEMA.TABLE \\"
+    echo "     -i 'postgres://host:5432::public.users' \\"
+    echo "     -i 's3://bucket::path/to/file.parquet' \\"
+    echo "     -f payload.json"
+    exit 1
+}
+
+INPUTS=()
+JOB_NAMESPACE="external-etl"
+JOB_NAME=""
+OUTPUT_FILE=""
+
+while getopts "a:o:i:j:n:f:h" opt; do
+    case $opt in
+        a) ACCOUNT="$OPTARG" ;;
+        o) OUTPUT_TABLE="$OPTARG" ;;
+        i) INPUTS+=("$OPTARG") ;;
+        j) JOB_NAME="$OPTARG" ;;
+        n) JOB_NAMESPACE="$OPTARG" ;;
+        f) OUTPUT_FILE="$OPTARG" ;;
+        h) usage ;;
+        *) usage ;;
+    esac
+done
+
+if [[ -z "$ACCOUNT" || -z "$OUTPUT_TABLE" ]]; then
+    echo "Error: -a ACCOUNT and -o OUTPUT_TABLE are required"
+    usage
+fi
+
+if [[ ${#INPUTS[@]} -eq 0 ]]; then
+    echo "Error: At least one -i INPUT is required"
+    usage
+fi
+
+if [[ -z "$JOB_NAME" ]]; then
+    TABLE_NAME=$(echo "$OUTPUT_TABLE" | tr '.' '_' | tr '[:upper:]' '[:lower:]')
+    JOB_NAME="${TABLE_NAME}_pipeline"
+fi
+
+RUN_ID=$(uuidgen | tr '[:upper:]' '[:lower:]')
+EVENT_TIME=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z")
+
+INPUT_JSON=""
+for input in "${INPUTS[@]}"; do
+    NAMESPACE=$(echo "$input" | cut -d':' -f1-3)
+    NAME=$(echo "$input" | cut -d':' -f4-)
+    
+    if [[ -n "$INPUT_JSON" ]]; then
+        INPUT_JSON="$INPUT_JSON,"
+    fi
+    INPUT_JSON="$INPUT_JSON
+    {\"namespace\": \"$NAMESPACE\", \"name\": \"$NAME\"}"
+done
+
+PAYLOAD=$(cat <<EOF
+{
+  "eventType": "COMPLETE",
+  "eventTime": "$EVENT_TIME",
+  "job": {
+    "namespace": "$JOB_NAMESPACE",
+    "name": "$JOB_NAME"
+  },
+  "run": {
+    "runId": "$RUN_ID"
+  },
+  "producer": "https://github.com/OpenLineage/OpenLineage/blob/v1-0-0/client",
+  "schemaURL": "https://openlineage.io/spec/0-0-1/OpenLineage.json",
+  "inputs": [$INPUT_JSON
+  ],
+  "outputs": [
+    {
+      "namespace": "snowflake://$ACCOUNT",
+      "name": "$OUTPUT_TABLE"
+    }
+  ]
+}
+EOF
+)
+
+if [[ -n "$OUTPUT_FILE" ]]; then
+    echo "$PAYLOAD" > "$OUTPUT_FILE"
+    echo "Payload written to: $OUTPUT_FILE"
+else
+    echo "$PAYLOAD"
+fi

skills/manage-external-lineage/namespace_conventions.md

@@ -0,0 +1,56 @@
+# OpenLineage Namespace Naming Conventions
+
+Datasets and jobs have their own namespaces. Dataset namespaces are derived from datasources, job namespaces from schedulers.
+
+## Dataset Namespace & Name Format
+
+| Source | Type | Namespace Format | Name Format |
+|--------|------|------------------|-------------|
+| **Snowflake** | Warehouse | `snowflake://{org name}-{account name}` or `snowflake://{account-locator}(.{region})(.{cloud})` | `{database}.{schema}.{table}` |
+| **Postgres** | Warehouse | `postgres://{host}:{port}` | `{database}.{schema}.{table}` |
+| **MySQL** | Warehouse | `mysql://{host}:{port}` | `{database}.{table}` |
+| **MSSQL** | Warehouse | `mssql://{host}:{port}` | `{database}.{schema}.{table}` |
+| **Oracle** | Warehouse | `oracle://{host}:{port}` | `{serviceName}.{schema}.{table}` |
+| **BigQuery** | Warehouse | `bigquery` | `{project id}.{dataset name}.{table name}` |
+| **Redshift** | Warehouse | `redshift://{cluster_identifier}.{region_name}:{port}` | `{database}.{schema}.{table}` |
+| **Athena** | Warehouse | `awsathena://athena.{region_name}.amazonaws.com` | `{catalog}.{database}.{table}` |
+| **AWS Glue** | Data catalog | `arn:aws:glue:{region}:{account id}` | `table/{database name}/{table name}` |
+| **Hive** | Warehouse | `hive://{host}:{port}` | `{database}.{table}` |
+| **Trino** | Warehouse | `trino://{host}:{port}` | `{catalog}.{schema}.{table}` |
+| **Cassandra** | Warehouse | `cassandra://{host}:{port}` | `{keyspace}.{table}` |
+| **DB2** | Warehouse | `db2://{host}:{port}` | `{database}.{schema}.{table}` |
+| **Teradata** | Warehouse | `teradata://{host}:{port}` | `{database}.{table}` |
+| **Azure Synapse** | Warehouse | `sqlserver://{host}:{port}` | `{schema}.{table}` |
+| **Azure Cosmos DB** | Warehouse | `azurecosmos://{host}/dbs/{database}` | `colls/{table}` |
+| **Azure Data Explorer** | Warehouse | `azurekusto://{host}.kusto.windows.net` | `{database}/{table}` |
+| **Spanner** | Warehouse | `spanner://{projectId}:{instanceId}` | `{database}.{schema}.{table}` |
+| **S3** | Blob Storage | `s3://{bucket name}` | `{object key}` |
+| **GCS** | Blob Storage | `gs://{bucket name}` | `{object key}` |
+| **ABFSS** | Data Lake | `abfss://{container}@{service}.dfs.core.windows.net` | `{path}` |
+| **WASBS** | Blob Storage | `wasbs://{container}@{service}.dfs.core.windows.net` | `{object key}` |
+| **HDFS** | Distributed FS | `hdfs://{namenode host}:{namenode port}` | `{path}` |
+| **DBFS** | Distributed FS | `dbfs://{workspace name}` | `{path}` |
+| **Kafka** | Event Streaming | `kafka://{bootstrap server host}:{port}` | `{topic}` |
+| **PubSub** | Event Streaming | `pubsub` | `topic:{projectId}:{topicId}` or `subscription:{projectId}:{subscriptionId}` |
+| **Local File** | File System | `file` | `{path}` |
+| **Remote File** | File System | `file://{host}` | `{path}` |
+
+## Snowflake Namespace - Important Notes
+
+Snowflake has two namespace formats:
+1. **Preferred:** `snowflake://{org name}-{account name}` (e.g., `snowflake://MYORG-MYACCOUNT`)
+2. **Legacy:** `snowflake://{account-locator}.{region}.{cloud}` (e.g., `snowflake://xy12345.us-east-1.aws`)
+
+**Warning:** Using legacy account locator format creates dataset IDs that won't match IDs created with the org-account format. If you switch formats later, existing lineage nodes won't connect to new ones. Use the org-account format when possible.
+
+## Job Namespace & Name Format
+
+| Scheduler | Name Format | Example |
+|-----------|-------------|---------|
+| Airflow task | `{dag_id}.{task_id}` | `orders_etl.count_orders` |
+| Spark job | `{appName}.{command}.{table}` | `my_app.execute_insert_into_hive_table.mydb_mytable` |
+| SQL | `{schema}.{table}` | `gx.validate_datasets` |
+| Debezium | `{topic.prefix}.{taskId}` | `inventory.0` |
+
+## Run ID Format
+Runs use client-generated UUIDs (e.g., `f47ac10b-58cc-4372-a567-0e02b2c3d479`)

skills/manage-external-lineage/pyproject.toml

@@ -0,0 +1,9 @@
+[project]
+name = "manage-external-lineage"
+version = "0.1.0"
+description = "Send and manage OpenLineage external lineage events for Snowflake"
+requires-python = ">=3.11"
+dependencies = [
+    "requests>=2.32.0",
+    "snowflake-connector-python>=3.6.0",
+]