feat(kernel): session-level query tags + Thrift-parity OAuth scopes (configurable) (#430)

* feat(kernel): wire session-level query tags into KernelBackend.openSession

Ports the session-level query-tags wiring onto the post-#428 lib/kernel path
(originally lib/sea/SeaBackend, before the SEA→kernel rename). openSession
serializes request.queryTags into the reserved QUERY_TAGS session conf, which
the kernel allowlists (SESSION_CONF_ALLOWLIST) and forwards onto the SEA
CreateSession session_confs — mirroring ThriftBackend.openSession. queryTags
takes precedence over an explicit configuration.QUERY_TAGS.

Verified end-to-end against a live warehouse: the tag lands in
system.query.history.query_tags.

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

* fix(kernel): request Thrift-parity OAuth scopes, configurable via oauthScopes

The kernel U2M flow passed no scopes, so it fell through to the kernel's bare
default (all-apis offline_access). The databricks-sql-connector OAuth app is
registered for `sql`, so U2M auth used the wrong scope set. Pass scopes
explicitly from the driver:

  - U2M defaults to ['sql', 'offline_access'] (matches the Thrift driver's
    defaultOAuthScopes), overriding the kernel's all-apis default.
  - M2M defaults to ['all-apis'] (matches Thrift + the kernel's M2M default).
  - Both overridable via a new `oauthScopes` connect option — closing the
    configurability gap with pyo3, which already forwards `scopes` on M2M.

Driver-only change: the napi binding already forwards oauth_scopes and the
kernel's u2m.rs/m2m.rs feed them into the authorize/token request.

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

* fix(kernel): no-op unsupported per-statement options instead of throwing

Per-statement options the kernel backend doesn't honour are now NO-OPs (logged
at warn), not HiveDriverErrors, so call sites written for the Thrift backend are
drop-in on the kernel path:

  - useCloudFetch / useLZ4Compression — kernel-governed perf/format hints
  - stagingAllowedLocalPath — staging not yet exposed on the kernel

Ignoring these can't change query results. Parameter binding (compound/BINARY)
is deliberately NOT no-op'd — a dropped param would silently change results, so
it still throws.

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

* feat(kernel): route OAuth identically to Thrift (strict parity) + custom U2M client id

Make the kernel auth flow selector + client-id resolution byte-for-byte identical
to the Thrift driver (`DBSQLClient.createAuthProvider`):

  - flow     = `oauthClientSecret === undefined ? U2M : M2M`  (strict undefined)
  - clientId = `oauthClientId ?? defaultClientId`             (`??` guards null/undefined only)

No blank/reserved normalization on the OAuth fields — a present-but-degenerate
value (`""` / `"undefined"` / whitespace) is forwarded verbatim, exactly as Thrift
forwards it. This removes every divergence from the Thrift backend across the full
(clientId × clientSecret) input matrix (verified). Consequences vs the prior
id-presence routing:

  - `oauthClientId` + no secret now runs U2M (browser) and forwards the id as a
    custom U2M client (Thrift does the same).
  - M2M with no/blank id no longer throws "id required" — it uses the default
    client (`?? defaultClientId`), matching Thrift.
  - A present-but-empty/`"undefined"` secret routes to M2M (not U2M), matching
    Thrift's strict `=== undefined` check.

Trade-off (accepted for parity): this re-imports Thrift's env-stringification
behaviour — a secret/id env var that resolved to `""`/`"undefined"` is taken
literally rather than treated as unset.

Updated the auth unit tests (u2m/m2m/edge-cases) to assert the strict-parity
matrix.

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

* chore(kernel): bump KERNEL_REV to kernel main (statement-level query tags + proxy + UA)

Bump the pinned kernel from b676275 to 34b4c20 (current kernel main), which
brings:
  - #150 — per-statement query tags on the SEA wire (native query_tags array).
    This is what makes `executeStatement(sql, { queryTags })` actually reach the
    server on the kernel path — bringing statement-level query tags to parity
    with the Thrift backend (the driver already serialized them into
    statement_conf["query_tags"]; the kernel previously dropped that before the
    wire). Verified e2e: the tag now lands in system.query.history.query_tags.
  - #129 — programmatic HTTP/HTTPS proxy + per-connection socket timeout
    (additive optional napi ConnectionOptions fields; refreshed in index.d.ts).
  - #151 — caller User-Agent overwrites the kernel base UA for accurate
    query-source attribution.

Refreshes the committed napi types (native/kernel/index.d.ts) accordingly; the
new fields are optional, so no driver-side change is required.

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

---------

Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

Author: msrathore-db

KERNEL_REV

@@ -1 +1 @@
-b676275f234b11a68cb4c8a2955d69cb3b786d97
+34b4c202cc127021c923903d59c841daa2b44fef

lib/contracts/IDBSQLClient.ts

@@ -22,6 +22,10 @@ type AuthOptions =
       oauthClientId?: string;
       oauthClientSecret?: string;
       useDatabricksOAuthInAzure?: boolean;
+      // OAuth scopes to request. When omitted, the kernel backend defaults the
+      // U2M flow to `['sql', 'offline_access']` (parity with the Thrift driver's
+      // `defaultOAuthScopes`), overriding the kernel's bare `all-apis offline_access`.
+      oauthScopes?: Array<string>;
     }
   | {
       authType: 'custom';

lib/kernel/KernelAuth.ts

@@ -28,6 +28,25 @@ import { buildUserAgentString } from '../utils';
  */
 const U2M_DEFAULT_REDIRECT_PORT = 8030;
 
+// U2M OAuth scopes default. Matches the standalone Thrift driver's
+// `defaultOAuthScopes` (lib/connection/auth/DatabricksOAuth/OAuthScope.ts):
+// `['sql', 'offline_access']`. The kernel's bare default is
+// `['all-apis', 'offline_access']`; the `databricks-sql-connector` OAuth app is
+// registered for the `sql` scope, so we pass the Thrift-parity scopes explicitly
+// unless the caller overrides via `oauthScopes`.
+const U2M_DEFAULT_SCOPES = ['sql', 'offline_access'];
+
+// M2M OAuth scopes default. Matches the standalone Thrift driver (`getScopes`
+// forces `['all-apis']` for the client-credentials flow) and the kernel's own
+// M2M default (`m2m.rs` → `['all-apis']`). Overridable via `oauthScopes`
+// (parity with pyo3, which forwards `scopes` on M2M).
+const M2M_DEFAULT_SCOPES = ['all-apis'];
+
+// Default OAuth client id — identical to the Thrift driver's
+// `DatabricksOAuthManager.defaultClientId` and the kernel napi's own U2M default.
+// Used for `oauthClientId ?? default`, mirroring Thrift's `getClientId()`.
+const DEFAULT_OAUTH_CLIENT_ID = 'databricks-sql-connector';
+
 /**
  * Shape consumed by the napi-binding's `openSession()` (see
  * `native/kernel/index.d.ts`). Mirrors `ConnectionOptions` in the binding's
@@ -189,12 +208,15 @@ export type KernelNativeConnectionOptions = KernelSessionDefaults &
         authMode: 'OAuthM2m';
         oauthClientId: string;
         oauthClientSecret: string;
+        oauthScopes?: Array<string>;
       }
     | {
         hostName: string;
         httpPath: string;
         authMode: 'OAuthU2m';
         oauthRedirectPort: number;
+        oauthScopes?: Array<string>;
+        oauthClientId?: string;
       }
   );
 
@@ -541,6 +563,7 @@ export function buildKernelConnectionOptions(options: ConnectionOptions): Kernel
   const oauth = options as {
     oauthClientId?: string;
     oauthClientSecret?: string;
+    oauthScopes?: Array<string>;
     azureTenantId?: string;
     useDatabricksOAuthInAzure?: boolean;
     persistence?: unknown;
@@ -579,40 +602,18 @@ export function buildKernelConnectionOptions(options: ConnectionOptions): Kernel
       );
     }
 
-    // Flow selector — DELIBERATELY DIFFERENT from thrift's
-    // `DBSQLClient.createAuthProvider` (`DBSQLClient.ts:216`), which keys off
-    // the secret (`oauthClientSecret === undefined ? U2M : M2M`). kernel keys off
-    // `oauthClientId` *presence* (the "do I have an id?" signal) instead, so a
-    // user who set an id but typoed/forgot the secret gets the actionable M2M
-    // "secret is required" error rather than being silently routed to U2M
-    // (which would hide their intent). Cost: `id + no secret` throws here
-    // where thrift would run U2M, and kernel U2M has no custom-client-id support
-    // (see buildKernelConnectionOptions header). The U2M arm still defends against an id
-    // sneaking through: fires only when `oauthClientId` is provided as
-    // a blank-reserved literal (e.g., whitespace, `"null"`, `"undefined"`)
-    // alongside an absent/blank secret — both `idIsBlank` and
-    // `secretIsBlank` are true so U2M wins routing, but the caller's
-    // intent to use U2M with a partially-set id is ambiguous and
-    // rejected explicitly.
-    const idIsBlank =
-      oauth.oauthClientId === undefined ||
-      (typeof oauth.oauthClientId === 'string' && isBlankOrReserved(oauth.oauthClientId));
-    const secretIsBlank =
-      oauth.oauthClientSecret === undefined ||
-      (typeof oauth.oauthClientSecret === 'string' && isBlankOrReserved(oauth.oauthClientSecret));
-
-    if (idIsBlank && secretIsBlank) {
-      // U2M — neither id nor secret supplied.
-      if (oauth.oauthClientId !== undefined) {
-        // Defense-in-depth: id was set but blank/reserved literal.
-        // The kernel hardcodes `client_id = "databricks-cli"` for U2M;
-        // there's no JS-side override knob.
-        throw new HiveDriverError(
-          'kernel backend: `oauthClientId` is not supported on the OAuth U2M flow; ' +
-            "the kernel uses the built-in 'databricks-cli' client. " +
-            'Omit `oauthClientId` for U2M, or supply `oauthClientSecret` for the M2M flow.',
-        );
-      }
+    // Flow selector + client-id resolution mirror the Thrift driver EXACTLY
+    // (`DBSQLClient.createAuthProvider`, DBSQLClient.ts:220):
+    //   flow     = oauthClientSecret === undefined ? U2M : M2M   (strict undefined)
+    //   clientId = oauthClientId ?? defaultClientId              (`??` guards null/undefined only)
+    // No blank/reserved normalization on the OAuth fields — a present-but-
+    // degenerate value (`""`, `"undefined"`, whitespace) is forwarded verbatim,
+    // exactly as Thrift forwards it, so the kernel path does not diverge from the
+    // Thrift backend. (This intentionally re-imports Thrift's env-stringification
+    // behaviour: a secret that resolved to `""`/`"undefined"` counts as a real
+    // secret ⇒ M2M, just like Thrift.)
+    if (oauth.oauthClientSecret === undefined) {
+      // U2M (browser) — no secret, exactly like Thrift.
       if (oauth.persistence !== undefined) {
         throw new HiveDriverError(
           'kernel backend: `persistence` (custom OAuth token store) is not yet wired through ' +
@@ -623,24 +624,21 @@ export function buildKernelConnectionOptions(options: ConnectionOptions): Kernel
             'when the kernel exposes it.',
         );
       }
-      return {
+      const u2m = {
         ...base,
-        authMode: 'OAuthU2m',
+        authMode: 'OAuthU2m' as const,
         oauthRedirectPort: U2M_DEFAULT_REDIRECT_PORT,
+        // Scopes default to Thrift parity (`sql offline_access`); overridable.
+        oauthScopes:
+          Array.isArray(oauth.oauthScopes) && oauth.oauthScopes.length > 0 ? oauth.oauthScopes : U2M_DEFAULT_SCOPES,
       };
+      // clientId: Thrift uses `oauthClientId ?? default`. Forward it verbatim
+      // when set; when absent the napi applies the same default
+      // (`databricks-sql-connector`), so omitting it is identical to Thrift.
+      return oauth.oauthClientId !== undefined ? { ...u2m, oauthClientId: oauth.oauthClientId } : u2m;
     }
 
-    // M2M.
-    if (typeof oauth.oauthClientId !== 'string' || isBlankOrReserved(oauth.oauthClientId)) {
-      throw new AuthenticationError(
-        'kernel backend: `oauthClientId` is required (non-empty, non-whitespace) for OAuth M2M.',
-      );
-    }
-    if (typeof oauth.oauthClientSecret !== 'string' || isBlankOrReserved(oauth.oauthClientSecret)) {
-      throw new AuthenticationError(
-        'kernel backend: `oauthClientSecret` must be a non-empty non-whitespace string for OAuth M2M.',
-      );
-    }
+    // M2M (client credentials) — a secret is present, exactly like Thrift.
     if (oauth.persistence !== undefined) {
       throw new HiveDriverError(
         'kernel backend: `persistence` is not supported on OAuth M2M ' +
@@ -650,8 +648,12 @@ export function buildKernelConnectionOptions(options: ConnectionOptions): Kernel
     return {
       ...base,
       authMode: 'OAuthM2m',
-      oauthClientId: oauth.oauthClientId,
+      // Thrift: `getClientId()` = `oauthClientId ?? defaultClientId`.
+      oauthClientId: oauth.oauthClientId ?? DEFAULT_OAUTH_CLIENT_ID,
       oauthClientSecret: oauth.oauthClientSecret,
+      // Configurable (parity with pyo3); defaults to `['all-apis']`.
+      oauthScopes:
+        Array.isArray(oauth.oauthScopes) && oauth.oauthScopes.length > 0 ? oauth.oauthScopes : M2M_DEFAULT_SCOPES,
     };
   }
 

lib/kernel/KernelBackend.ts

@@ -19,6 +19,7 @@ import { ConnectionOptions, OpenSessionRequest } from '../contracts/IDBSQLClient
 import { InternalConnectionOptions } from '../contracts/InternalConnectionOptions';
 import { LogLevel } from '../contracts/IDBSQLLogger';
 import HiveDriverError from '../errors/HiveDriverError';
+import { serializeQueryTags } from '../utils';
 import { getKernelNative, KernelNativeBinding, KernelConnection } from './KernelNativeLoader';
 import { decodeNapiKernelError } from './KernelErrorMapping';
 import { buildKernelConnectionOptions, buildKernelRetryOptions, KernelNativeConnectionOptions } from './KernelAuth';
@@ -145,6 +146,20 @@ export default class KernelBackend implements IBackend {
     if (request.configuration !== undefined) {
       sessionOptions.sessionConf = { ...request.configuration };
     }
+    // Session-level query tags: serialize into the reserved `QUERY_TAGS`
+    // session conf. The kernel allowlists `QUERY_TAGS` (SESSION_CONF_ALLOWLIST)
+    // and forwards it onto the SEA `CreateSession` `session_confs`, mirroring
+    // the Thrift backend's `ThriftBackend.openSession`. Runs after the
+    // `configuration` merge so `queryTags` takes precedence over an explicit
+    // `configuration.QUERY_TAGS`, matching the documented contract.
+    if (request.queryTags !== undefined) {
+      const serialized = serializeQueryTags(request.queryTags);
+      if (serialized) {
+        sessionOptions.sessionConf = { ...(sessionOptions.sessionConf ?? {}), QUERY_TAGS: serialized };
+      } else if (sessionOptions.sessionConf) {
+        delete sessionOptions.sessionConf.QUERY_TAGS;
+      }
+    }
 
     let nativeConnection: KernelConnection;
     try {

lib/kernel/KernelSessionBackend.ts

@@ -156,20 +156,36 @@ export default class KernelSessionBackend implements ISessionBackend {
   public async executeStatement(statement: string, options: ExecuteStatementOptions): Promise<IOperationBackend> {
     this.failIfClosed();
 
+    // Per-statement options the kernel backend doesn't honour are treated as
+    // NO-OPs (logged at warn), not errors — so call sites written for the Thrift
+    // backend are drop-in on the kernel path. These are perf/format hints the
+    // kernel governs internally (useCloudFetch / useLZ4Compression) or a feature
+    // it doesn't expose yet (staging); ignoring them cannot change query results.
+    // NB: parameter binding (compound/BINARY) is deliberately NOT no-op'd — a
+    // dropped param would silently change results, so it still throws.
     if (options.useCloudFetch !== undefined) {
-      throw new HiveDriverError(
-        'kernel executeStatement: useCloudFetch is controlled by the kernel result configuration and is not a per-statement option on kernel',
-      );
+      this.context
+        .getLogger()
+        .log(
+          LogLevel.warn,
+          'kernel executeStatement: ignoring per-statement `useCloudFetch` — result fetching is governed by the kernel result configuration (no-op on kernel).',
+        );
     }
     if (options.useLZ4Compression !== undefined) {
-      throw new HiveDriverError(
-        'kernel executeStatement: useLZ4Compression is not supported on kernel (result compression is governed by the kernel)',
-      );
+      this.context
+        .getLogger()
+        .log(
+          LogLevel.warn,
+          'kernel executeStatement: ignoring per-statement `useLZ4Compression` — result compression is governed by the kernel (no-op on kernel).',
+        );
     }
     if (options.stagingAllowedLocalPath !== undefined) {
-      throw new HiveDriverError(
-        'kernel executeStatement: stagingAllowedLocalPath (volume operations) is not supported on kernel',
-      );
+      this.context
+        .getLogger()
+        .log(
+          LogLevel.warn,
+          'kernel executeStatement: ignoring `stagingAllowedLocalPath` — volume/staging operations are not yet supported on the kernel backend (no-op).',
+        );
     }
 
     // `runAsync` selects the kernel execution path. NOTE: this is a kernel-