[SEA-NodeJS] SEA connection & statement options

Wire the SEA connection-level and per-statement option surfaces onto the
merged-kernel napi binding (thin forwarding — the kernel owns the behaviour):

Connection options (SeaAuth.buildSeaConnectionOptions):
- `maxConnections` → kernel pool size, validated as a positive integer within
  the napi u32 range.
- TLS: `checkServerCertificate` (secure-by-default — omit to keep the kernel's
  verify-on default; `false` opts into insecure) and `customCaCert` (PEM string
  or Buffer; strings are PEM-sanity-checked and normalised to a Buffer before
  the FFI boundary), via the new `buildSeaTlsOptions`.
- `intervalsAsString: true` is always set so SEA interval/duration columns
  render as strings — a byte-compatible drop-in for the Thrift backend.
  `complexTypesAsJson` is intentionally left at the kernel default (native
  Arrow), which already decodes identically to Thrift via the shared converter.

Statement options (SeaSessionBackend.executeStatement, via buildExecuteOptions):
- `queryTimeout` → `queryTimeoutSecs`; `rowLimit` → `rowLimit` (SEA-only cap).
- `queryTags` serialised JS-side (reusing Thrift's `serializeQueryTags`) into
  the reserved `query_tags` conf key, merged with any explicit `statementConf` —
  the napi `queryTags` field can't carry null-valued tags, and the kernel
  rejects setting both. `queryTags` / `queryTimeout` are no longer rejected.
- Still rejected (genuinely unsupported on SEA): `useCloudFetch`,
  `useLZ4Compression`, `stagingAllowedLocalPath`.

`rowLimit` / `statementConf` added to the public `ExecuteStatementOptions`;
SEA-only knobs (`maxConnections` / `checkServerCertificate` / `customCaCert`)
added to the internal `InternalConnectionOptions`.

Validated against a live warehouse: secure-by-default connect, maxConnections,
checkServerCertificate, rowLimit (caps rows), queryTimeout, queryTags,
statementConf, and non-PEM customCaCert rejection.

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

Author: msrathore-db

lib/contracts/IDBSQLSession.ts

@@ -27,6 +27,18 @@ export type ExecuteStatementOptions = {
    * These tags apply only to this statement and do not persist across queries.
    */
   queryTags?: Record<string, string | null | undefined>;
+  /**
+   * SEA-only: server-side row cap for this statement (kernel `row_limit`). The
+   * Thrift backend has no execute-time server cap, so this is a no-op there;
+   * use `maxRows` for the cross-backend client-side fetch limit.
+   */
+  rowLimit?: number;
+  /**
+   * SEA-only: per-statement Spark conf overlay (kernel `statement_conf`).
+   * Merged with the serialized `queryTags` (which land under the reserved
+   * `query_tags` key). Ignored by the Thrift backend.
+   */
+  statementConf?: Record<string, string>;
 };
 
 export type TypeInfoRequest = {

lib/contracts/InternalConnectionOptions.ts

@@ -18,4 +18,27 @@ export interface InternalConnectionOptions {
    * @internal Not stable; M0 stub only.
    */
   useSEA?: boolean;
+
+  /**
+   * SEA-only: kernel connection-pool size (`ConnectionOptions.max_connections`).
+   * Validated as a positive integer within the napi `u32` range.
+   * @internal SEA path only.
+   */
+  maxConnections?: number;
+
+  /**
+   * SEA-only: verify the server's TLS certificate. Secure-by-default — omit
+   * to keep full chain + hostname verification; set `false` only to opt into
+   * the insecure accept-anything mode.
+   * @internal SEA path only.
+   */
+  checkServerCertificate?: boolean;
+
+  /**
+   * SEA-only: PEM-encoded CA certificate (string or `Buffer`) added to the
+   * trust store on top of the system roots — for TLS-inspecting proxies or
+   * on-prem internal CAs. Honoured regardless of `checkServerCertificate`.
+   * @internal SEA path only.
+   */
+  customCaCert?: Buffer | string;
 }

lib/sea/SeaAuth.ts

@@ -66,9 +66,58 @@ export interface SeaSessionDefaults {
   catalog?: string;
   schema?: string;
   sessionConf?: Record<string, string>;
+  /**
+   * Render `INTERVAL` / `DURATION` result columns as strings
+   * (kernel `ResultConfig.intervals_as_string`). The kernel default is
+   * native Arrow `month_interval` / `duration[us]`, but the NodeJS
+   * Thrift driver surfaces intervals as strings — so the SEA path sets
+   * this `true` so its result shape is a byte-compatible drop-in for the
+   * Thrift backend. Omitting it falls back to the kernel's native types.
+   */
+  intervalsAsString?: boolean;
+  /**
+   * Render complex (`ARRAY` / `MAP` / `STRUCT` / `VARIANT`) result
+   * columns as JSON strings (kernel `ResultConfig.complex_types_as_json`).
+   * Left unset on the SEA path: native Arrow nested types already decode
+   * identically to the Thrift backend through the shared Arrow converter,
+   * so forcing JSON here would *introduce* a divergence rather than
+   * remove one.
+   */
+  complexTypesAsJson?: boolean;
+  /**
+   * Per-session kernel connection-pool size
+   * (kernel `ConnectionOptions.max_connections`). Validated as a positive
+   * integer within the napi `u32` range by `buildSeaConnectionOptions`.
+   */
+  maxConnections?: number;
+}
+
+/**
+ * TLS options shared across all auth-mode variants. Mirror the napi
+ * binding's `ConnectionOptions.checkServerCertificate` / `.customCaCert`
+ * (kernel `Session::builder().tls(TlsConfig)`).
+ *
+ * The napi shape takes `customCaCert` as a `Buffer` only; the public
+ * `ConnectionOptions` additionally accepts a PEM string, which
+ * `buildSeaConnectionOptions` normalises to a `Buffer` before crossing
+ * the FFI boundary.
+ */
+export interface SeaTlsOptions {
+  /**
+   * Verify the server's TLS certificate. The SEA backend is
+   * **secure-by-default**: omitting this leaves the kernel default of
+   * `true` (full chain + hostname verification). Set `false` only to opt
+   * into the insecure, accept-anything mode (analogous to Thrift's
+   * `rejectUnauthorized: false`); prefer pairing strict checking with
+   * `customCaCert` over disabling verification entirely.
+   */
+  checkServerCertificate?: boolean;
+  /** PEM-encoded CA bytes to add to the trust store. */
+  customCaCert?: Buffer;
 }
 
 export type SeaNativeConnectionOptions = SeaSessionDefaults &
+  SeaTlsOptions &
   (
     | {
         hostName: string;
@@ -114,6 +163,57 @@ export function isBlankOrReserved(s: string): boolean {
   return normalized.length === 0 || normalized === 'undefined' || normalized === 'null';
 }
 
+/** napi-rs marshals `maxConnections` as a `u32`; reject values it can't hold. */
+const MAX_U32 = 0xffffffff;
+
+/**
+ * Normalise the public TLS options (`checkServerCertificate` /
+ * `customCaCert`) into the napi shape.
+ *
+ * - `checkServerCertificate` passes through verbatim (only when set; an
+ *   absent value leaves the kernel default, which is secure — verify on).
+ * - `customCaCert` accepts a PEM string or `Buffer` on the public
+ *   surface; we convert a string to a `Buffer` here and do a light PEM
+ *   sanity check. The bytes are NOT parsed in JS — the kernel returns a
+ *   meaningful error if the PEM is malformed.
+ *
+ * Throws `HiveDriverError` when `customCaCert` is supplied but empty or
+ * (for strings) lacks a PEM certificate header.
+ */
+export function buildSeaTlsOptions(options: ConnectionOptions): SeaTlsOptions {
+  const { checkServerCertificate, customCaCert } = options as {
+    checkServerCertificate?: boolean;
+    customCaCert?: Buffer | string;
+  };
+
+  const tls: SeaTlsOptions = {};
+
+  if (checkServerCertificate !== undefined) {
+    tls.checkServerCertificate = checkServerCertificate;
+  }
+
+  if (customCaCert !== undefined) {
+    if (typeof customCaCert === 'string') {
+      if (!customCaCert.includes('-----BEGIN CERTIFICATE-----')) {
+        throw new HiveDriverError(
+          'SEA backend: `customCaCert` string does not look like a PEM certificate ' +
+            "(missing '-----BEGIN CERTIFICATE-----'). Pass PEM text or a Buffer of PEM bytes.",
+        );
+      }
+      tls.customCaCert = Buffer.from(customCaCert, 'utf8');
+    } else if (Buffer.isBuffer(customCaCert)) {
+      if (customCaCert.length === 0) {
+        throw new HiveDriverError('SEA backend: `customCaCert` Buffer is empty.');
+      }
+      tls.customCaCert = customCaCert;
+    } else {
+      throw new HiveDriverError('SEA backend: `customCaCert` must be a PEM string or a Buffer.');
+    }
+  }
+
+  return tls;
+}
+
 /**
  * Validate the user-supplied `ConnectionOptions` and build the
  * napi-binding's connection-options shape.
@@ -170,11 +270,45 @@ export function isBlankOrReserved(s: string): boolean {
 export function buildSeaConnectionOptions(options: ConnectionOptions): SeaNativeConnectionOptions {
   const { authType } = options as { authType?: string };
 
-  const base = {
+  const base: {
+    hostName: string;
+    httpPath: string;
+    intervalsAsString: boolean;
+    maxConnections?: number;
+  } & SeaTlsOptions = {
     hostName: options.host,
     httpPath: prependSlash(options.path),
+    // Match the NodeJS Thrift driver, which surfaces INTERVAL columns as
+    // strings. The kernel defaults to native Arrow interval/duration types;
+    // forcing the string rendering here keeps the SEA path a byte-compatible
+    // drop-in. Complex types are intentionally left at the kernel default
+    // (native Arrow) — they already decode identically to Thrift via the
+    // shared Arrow converter, so `complexTypesAsJson` is not forced on.
+    intervalsAsString: true,
+    // TLS knobs (server-cert verification toggle + custom CA). Validated and
+    // normalised (string PEM → Buffer) here so the napi shape only sees a Buffer.
+    ...buildSeaTlsOptions(options),
   };
 
+  // SEA-only pool sizing; read via cast to match how this function reads the
+  // other SEA-specific options (TLS) — they live on the internal options
+  // surface, not the published public `ConnectionOptions` `.d.ts`.
+  const { maxConnections } = options as { maxConnections?: number };
+  if (maxConnections !== undefined) {
+    if (!Number.isInteger(maxConnections) || maxConnections < 1) {
+      throw new HiveDriverError(
+        `SEA backend: \`maxConnections\` must be a positive integer; got ${maxConnections}.`,
+      );
+    }
+    if (maxConnections > MAX_U32) {
+      throw new HiveDriverError(
+        `SEA backend: \`maxConnections\` exceeds the napi u32 limit (${MAX_U32}); got ${maxConnections}. ` +
+          'Typical pool sizes are 10-500.',
+      );
+    }
+    base.maxConnections = maxConnections;
+  }
+
   const oauth = options as {
     oauthClientId?: string;
     oauthClientSecret?: string;

lib/sea/SeaSessionBackend.ts

@@ -36,6 +36,7 @@ import { decodeNapiKernelError } from './SeaErrorMapping';
 import SeaOperationBackend from './SeaOperationBackend';
 import { buildSeaPositionalParams, buildSeaNamedParams } from './SeaPositionalParams';
 import { seaServerInfoValue } from './SeaServerInfo';
+import { serializeQueryTags } from '../utils';
 
 export interface SeaSessionBackendOptions {
   /** The opaque napi `Connection` handle returned by `openSession`. */
@@ -105,68 +106,42 @@ export default class SeaSessionBackend implements ISessionBackend {
   /**
    * Execute a SQL statement through the napi binding.
    *
-   * Catalog / schema / sessionConf were applied at session open, so
-   * there are no per-statement options to thread through.
+   * Catalog / schema / sessionConf are session-level (applied at open).
+   * Per-statement options forwarded to the kernel `ExecuteOptions`:
+   *   - `ordinalParameters` / `namedParameters` → bound params (mutually
+   *     exclusive — the kernel binds one placeholder style per statement);
+   *   - `queryTimeout` → `queryTimeoutSecs` (SEA server wait timeout);
+   *   - `rowLimit` → `rowLimit` (SEA-only server-side row cap);
+   *   - `queryTags` → serialised into the conf overlay's reserved
+   *     `query_tags` key (the same wire shape Thrift's `serializeQueryTags`
+   *     produces), merged with any explicit `statementConf`.
    *
-   * M0 intentionally rejects `queryTimeout`, `namedParameters`, and
-   * `ordinalParameters` with explicit deferred-to-M1 errors. `useCloudFetch`
-   * is a no-op on the SEA path — the kernel hardcodes the SEA
-   * `disposition` to `INLINE_OR_EXTERNAL_LINKS`, and per-statement
-   * conf overrides have no reader on the kernel; cloud-fetch behaviour
-   * is governed entirely by the kernel's `ResultConfig` (M1 binding
-   * surface).
-   *
-   * The Thrift backend remains the path for consumers that need any
-   * of those today.
+   * Still rejected (genuinely unsupported on SEA, rather than silently
+   * dropped): `useCloudFetch` (governed by the kernel `ResultConfig`, not a
+   * per-statement knob), `useLZ4Compression` (kernel owns result compression),
+   * and `stagingAllowedLocalPath` (volume operations). `maxRows` is applied by
+   * the facade at fetch time, so it is intentionally not handled here.
    */
   public async executeStatement(statement: string, options: ExecuteStatementOptions): Promise<IOperationBackend> {
     this.failIfClosed();
 
-    // Positional (`?`) and named (`:name`) parameters are mutually exclusive —
-    // the kernel param codec binds exactly one placeholder style per
-    // statement, so passing both is a caller error we surface up-front.
-    const positionalParams = buildSeaPositionalParams(options.ordinalParameters);
-    const namedParams = buildSeaNamedParams(options.namedParameters);
-    if (positionalParams !== undefined && namedParams !== undefined) {
-      throw new HiveDriverError(
-        'SEA executeStatement: ordinalParameters and namedParameters are mutually exclusive — pass only one.',
-      );
-    }
-
-    if (options.queryTimeout !== undefined) {
-      throw new HiveDriverError('SEA executeStatement: queryTimeout is not supported in M0 (deferred to M1)');
-    }
     if (options.useCloudFetch !== undefined) {
       throw new HiveDriverError(
         'SEA executeStatement: useCloudFetch is controlled by the kernel result configuration and is not a per-statement option on SEA',
       );
     }
-    // Reject — rather than silently ignore — the remaining Thrift-path
-    // options the SEA M0 backend does not honor. Silently dropping them
-    // is the worst failure mode for an agent/caller: passing e.g.
-    // `queryTags` or `useLZ4Compression` would no-op with zero signal.
-    // (`maxRows` is intentionally NOT here — the facade applies it at
-    // fetch time.)
-    if (options.queryTags !== undefined) {
-      throw new HiveDriverError('SEA executeStatement: queryTags is not supported in M0 (deferred to M1)');
-    }
     if (options.useLZ4Compression !== undefined) {
       throw new HiveDriverError(
         'SEA executeStatement: useLZ4Compression is not supported on SEA (result compression is governed by the kernel)',
       );
     }
     if (options.stagingAllowedLocalPath !== undefined) {
       throw new HiveDriverError(
-        'SEA executeStatement: stagingAllowedLocalPath (volume operations) is not supported in M0 (deferred to M1)',
+        'SEA executeStatement: stagingAllowedLocalPath (volume operations) is not supported on SEA',
       );
     }
 
-    // Only build the napi options object when there is something to send —
-    // the no-params path keeps the minimal call shape (`executeStatement(sql)`).
-    let execOptions: SeaNativeExecuteOptions | undefined;
-    if (positionalParams !== undefined || namedParams !== undefined) {
-      execOptions = { positionalParams, namedParams };
-    }
+    const execOptions = this.buildExecuteOptions(options);
 
     let nativeStatement;
     try {
@@ -180,6 +155,56 @@ export default class SeaSessionBackend implements ISessionBackend {
     return this.wrapStatement(nativeStatement!);
   }
 
+  /**
+   * Translate the public `ExecuteStatementOptions` into the kernel napi
+   * `ExecuteOptions`, returning `undefined` when nothing is set so the
+   * no-options call shape (`executeStatement(sql)`) is preserved.
+   */
+  private buildExecuteOptions(options: ExecuteStatementOptions): SeaNativeExecuteOptions | undefined {
+    // Positional (`?`) and named (`:name`) parameters are mutually exclusive.
+    const positionalParams = buildSeaPositionalParams(options.ordinalParameters);
+    const namedParams = buildSeaNamedParams(options.namedParameters);
+    if (positionalParams !== undefined && namedParams !== undefined) {
+      throw new HiveDriverError(
+        'SEA executeStatement: ordinalParameters and namedParameters are mutually exclusive — pass only one.',
+      );
+    }
+
+    const execOptions: SeaNativeExecuteOptions = {};
+    if (positionalParams !== undefined) {
+      execOptions.positionalParams = positionalParams;
+    }
+    if (namedParams !== undefined) {
+      execOptions.namedParams = namedParams;
+    }
+    // JDBC `setQueryTimeout` is whole seconds; the kernel's `queryTimeoutSecs`
+    // (SEA wait timeout) is the native equivalent. The SEA wire caps it at 50s.
+    if (options.queryTimeout !== undefined) {
+      execOptions.queryTimeoutSecs = Number(options.queryTimeout);
+    }
+    if (options.rowLimit !== undefined) {
+      execOptions.rowLimit = Number(options.rowLimit);
+    }
+    // Per-statement conf overlay plus query tags. Tags are serialised JS-side
+    // into the reserved `query_tags` key (the same wire shape the Thrift
+    // backend produces via `serializeQueryTags` → `confOverlay`), rather than
+    // via the napi `queryTags` field: napi's `HashMap<String,String>` can't
+    // represent a null-valued tag, and the kernel rejects setting both the
+    // `queryTags` field and a `query_tags` conf key.
+    const serializedQueryTags = serializeQueryTags(options.queryTags);
+    if (options.statementConf !== undefined || serializedQueryTags !== undefined) {
+      const statementConf: Record<string, string> = { ...(options.statementConf ?? {}) };
+      if (serializedQueryTags !== undefined) {
+        statementConf.query_tags = serializedQueryTags;
+      }
+      if (Object.keys(statementConf).length > 0) {
+        execOptions.statementConf = statementConf;
+      }
+    }
+
+    return Object.keys(execOptions).length > 0 ? execOptions : undefined;
+  }
+
   /** Wrap a napi `Statement` (from execute or a metadata call) as an operation backend. */
   private wrapStatement(nativeStatement: SeaStatement): IOperationBackend {
     return new SeaOperationBackend({

tests/unit/sea/auth-m2m.test.ts

@@ -35,6 +35,7 @@ describe('SeaAuth + SeaBackend — OAuth M2M auth flow', () => {
       expect(native).to.deep.equal({
         hostName: 'example.cloud.databricks.com',
         httpPath: '/sql/1.0/warehouses/abc',
+        intervalsAsString: true,
         authMode: 'OAuthM2m',
         oauthClientId: 'client-uuid',
         oauthClientSecret: 'dose-fake-secret',
@@ -165,6 +166,7 @@ describe('SeaAuth + SeaBackend — OAuth M2M auth flow', () => {
       expect(calls[0].args[0]).to.deep.equal({
         hostName: 'example.cloud.databricks.com',
         httpPath: '/sql/1.0/warehouses/abc',
+        intervalsAsString: true,
         authMode: 'OAuthM2m',
         oauthClientId: 'client-uuid',
         oauthClientSecret: 'dose-fake-secret',

tests/unit/sea/auth-pat.test.ts

@@ -31,6 +31,7 @@ describe('SeaAuth — PAT auth options builder', () => {
       expect(native).to.deep.equal({
         hostName: 'example.cloud.databricks.com',
         httpPath: '/sql/1.0/warehouses/abc',
+        intervalsAsString: true,
         authMode: 'Pat',
         token: 'dapi-fake-pat',
       });