feat(sea): expose TLS verification toggle + custom CA on ConnectionOptions

Surface the kernel/napi TLS knobs on the public SEA ConnectionOptions so
NodeJS callers reach the connectivity-parity TLS controls:

- checkServerCertificate?: boolean — default false. Matches the legacy
  Thrift driver's permissive rejectUnauthorized:false (accept
  self-signed/untrusted/expired + skip hostname check) for drop-in
  parity. Set true for strict validation (JDBC/ODBC parity).
- customCaCert?: Buffer | string — PEM CA added to the trust store on top
  of system roots, for corporate TLS-inspecting proxies / on-prem
  internal CAs. Honoured regardless of checkServerCertificate. A PEM
  string is normalised to a Buffer before crossing the FFI boundary.

buildSeaTlsOptions validates customCaCert (PEM header / non-empty) and
SeaBackend.connect emits a one-line DEBUG note whenever verification is
left disabled, so an insecure connection is discoverable in logs without
being noisy on every connect (the default is deliberately permissive for
thrift parity).

mTLS (clientCert/clientKey) is intentionally out of scope. Pairs with the
kernel napi change exposing checkServerCertificate + customCaCert.

215 -> 224 SEA unit tests pass (14 new TLS/log cases).

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

Author: msrathore-db

lib/contracts/IDBSQLClient.ts

@@ -60,6 +60,34 @@ export type ConnectionOptions = {
    * @internal Not stable; M0 stub only.
    */
   useSEA?: boolean;
+  /**
+   * Whether to verify the server's TLS certificate (SEA backend only).
+   *
+   * Defaults to `false`, which matches the legacy NodeJS Thrift driver's
+   * permissive behaviour (`rejectUnauthorized: false`): self-signed,
+   * untrusted, and expired certificates are accepted and the
+   * hostname-vs-certificate check is skipped. This is **insecure** — it
+   * provides no protection against active man-in-the-middle attacks — but
+   * is the historical NodeJS-driver default, so the SEA backend matches it
+   * for drop-in compatibility.
+   *
+   * Set to `true` for strict validation against the system trust store
+   * (full chain + expiry + hostname), matching the JDBC/ODBC drivers and
+   * every modern HTTPS client. Recommended for production.
+   *
+   * For corporate TLS-inspecting proxies or on-prem deployments with an
+   * internal CA, prefer `checkServerCertificate: true` together with
+   * `customCaCert` over disabling verification entirely.
+   */
+  checkServerCertificate?: boolean;
+  /**
+   * PEM-encoded CA certificate to add to the trust store on top of the
+   * system roots (SEA backend only). Accepts a PEM string or its raw
+   * `Buffer` bytes. Use this for a corporate proxy that re-signs TLS or an
+   * on-prem Databricks deployment that uses an internal CA. Honoured
+   * regardless of `checkServerCertificate`.
+   */
+  customCaCert?: Buffer | string;
 } & AuthOptions;
 
 export interface OpenSessionRequest {

lib/sea/SeaAuth.ts

@@ -86,7 +86,28 @@ export interface SeaSessionDefaults {
   complexTypesAsJson?: boolean;
 }
 
+/**
+ * TLS options shared across all auth-mode variants. Mirror the napi
+ * binding's `ConnectionOptions.checkServerCertificate` / `.customCaCert`
+ * (kernel `Session::builder().tls(TlsConfig)`).
+ *
+ * The napi shape takes `customCaCert` as a `Buffer` only; the public
+ * `ConnectionOptions` additionally accepts a PEM string, which
+ * `buildSeaConnectionOptions` normalises to a `Buffer` before crossing
+ * the FFI boundary.
+ */
+export interface SeaTlsOptions {
+  /**
+   * Verify the server cert. Omitted ⇒ napi default (permissive,
+   * thrift-compatible). See `ConnectionOptions.checkServerCertificate`.
+   */
+  checkServerCertificate?: boolean;
+  /** PEM-encoded CA bytes to add to the trust store. */
+  customCaCert?: Buffer;
+}
+
 export type SeaNativeConnectionOptions = SeaSessionDefaults &
+  SeaTlsOptions &
   (
     | {
         hostName: string;
@@ -132,6 +153,55 @@ export function isBlankOrReserved(s: string): boolean {
   return normalized.length === 0 || normalized === 'undefined' || normalized === 'null';
 }
 
+/**
+ * Normalise the public TLS options (`checkServerCertificate` /
+ * `customCaCert`) into the napi shape.
+ *
+ * - `checkServerCertificate` passes through verbatim (only when set; an
+ *   absent value leaves the napi default, which is permissive /
+ *   thrift-compatible).
+ * - `customCaCert` accepts a PEM string or `Buffer` on the public
+ *   surface; we convert a string to a `Buffer` here and do a light PEM
+ *   sanity check. The bytes are NOT parsed in JS — the kernel returns a
+ *   meaningful error if the PEM is malformed.
+ *
+ * Throws `HiveDriverError` when `customCaCert` is supplied but empty or
+ * (for strings) lacks a PEM certificate header.
+ */
+export function buildSeaTlsOptions(options: ConnectionOptions): SeaTlsOptions {
+  const { checkServerCertificate, customCaCert } = options as {
+    checkServerCertificate?: boolean;
+    customCaCert?: Buffer | string;
+  };
+
+  const tls: SeaTlsOptions = {};
+
+  if (checkServerCertificate !== undefined) {
+    tls.checkServerCertificate = checkServerCertificate;
+  }
+
+  if (customCaCert !== undefined) {
+    if (typeof customCaCert === 'string') {
+      if (!customCaCert.includes('-----BEGIN CERTIFICATE-----')) {
+        throw new HiveDriverError(
+          'SEA backend: `customCaCert` string does not look like a PEM certificate ' +
+            "(missing '-----BEGIN CERTIFICATE-----'). Pass PEM text or a Buffer of PEM bytes.",
+        );
+      }
+      tls.customCaCert = Buffer.from(customCaCert, 'utf8');
+    } else if (Buffer.isBuffer(customCaCert)) {
+      if (customCaCert.length === 0) {
+        throw new HiveDriverError('SEA backend: `customCaCert` Buffer is empty.');
+      }
+      tls.customCaCert = customCaCert;
+    } else {
+      throw new HiveDriverError('SEA backend: `customCaCert` must be a PEM string or a Buffer.');
+    }
+  }
+
+  return tls;
+}
+
 /**
  * Validate the user-supplied `ConnectionOptions` and build the
  * napi-binding's connection-options shape.
@@ -186,6 +256,10 @@ export function buildSeaConnectionOptions(options: ConnectionOptions): SeaNative
     // the kernel default (native Arrow) — they already decode identically
     // to Thrift via the shared Arrow converter.
     intervalsAsString: true,
+    // TLS knobs (server-cert verification toggle + custom CA). Validated
+    // and normalised (string PEM → Buffer) here so the napi shape only
+    // ever sees a Buffer.
+    ...buildSeaTlsOptions(options),
   };
 
   const oauth = options as {
@@ -200,7 +274,7 @@ export function buildSeaConnectionOptions(options: ConnectionOptions): SeaNative
     const { token } = options as { token?: string };
     if (typeof token !== 'string' || isBlankOrReserved(token)) {
       throw new AuthenticationError(
-        'SEA backend: a non-empty PAT must be supplied via `token` when using `authType: \'access-token\'`.',
+        "SEA backend: a non-empty PAT must be supplied via `token` when using `authType: 'access-token'`.",
       );
     }
     if (oauth.oauthClientId !== undefined || oauth.oauthClientSecret !== undefined) {

lib/sea/SeaBackend.ts

@@ -16,12 +16,9 @@ import IBackend from '../contracts/IBackend';
 import ISessionBackend from '../contracts/ISessionBackend';
 import IClientContext from '../contracts/IClientContext';
 import { ConnectionOptions, OpenSessionRequest } from '../contracts/IDBSQLClient';
+import { LogLevel } from '../contracts/IDBSQLLogger';
 import HiveDriverError from '../errors/HiveDriverError';
-import {
-  getSeaNative,
-  SeaNativeBinding,
-  SeaNativeConnection,
-} from './SeaNativeLoader';
+import { getSeaNative, SeaNativeBinding, SeaNativeConnection } from './SeaNativeLoader';
 import { decodeNapiKernelError } from './SeaErrorMapping';
 import { buildSeaConnectionOptions, SeaNativeConnectionOptions } from './SeaAuth';
 import SeaSessionBackend from './SeaSessionBackend';
@@ -82,6 +79,25 @@ export default class SeaBackend implements IBackend {
     // Any non-PAT mode (or a missing/empty token) throws here, before
     // we ever touch the native binding.
     this.nativeOptions = buildSeaConnectionOptions(options);
+
+    // Server-cert verification defaults to OFF (thrift-compatible). When
+    // it's not explicitly enabled, emit a one-line DEBUG note so an
+    // insecure connection is discoverable in logs without being noisy on
+    // every connect — the default is deliberately permissive for thrift
+    // parity, so this stays at debug level rather than warn.
+    if (this.nativeOptions.checkServerCertificate !== true) {
+      this.context
+        ?.getLogger()
+        .log(
+          LogLevel.debug,
+          'SEA backend: TLS server-certificate verification is DISABLED ' +
+            '(checkServerCertificate is not set to true). The connection accepts ' +
+            'self-signed/untrusted/expired certs and skips the hostname check — this ' +
+            'matches the legacy Thrift driver but offers no protection against active ' +
+            'man-in-the-middle attacks. Set `checkServerCertificate: true` for strict ' +
+            'validation, optionally with `customCaCert` for corporate/on-prem CAs.',
+        );
+    }
   }
 
   public async openSession(request: OpenSessionRequest): Promise<ISessionBackend> {

native/sea/index.d.ts

@@ -233,6 +233,32 @@ export interface ConnectionOptions {
    * already renders identically to the Thrift path).
    */
   complexTypesAsJson?: boolean
+  /**
+   * Whether to verify the server's TLS certificate.
+   *
+   * Omitted / `false` ⇒ the driver matches the legacy NodeJS Thrift
+   * driver's permissive behaviour (`rejectUnauthorized: false`): it
+   * accepts self-signed / untrusted / expired certs AND skips the
+   * hostname-vs-SNI check. This is **insecure** (no protection
+   * against active MITM) but is the historical NodeJS-driver default
+   * since 2020, so the SEA backend matches it for drop-in parity.
+   *
+   * `true` ⇒ strict validation against the system / Mozilla trust
+   * store (full chain + expiry + hostname), matching JDBC / ODBC and
+   * every modern HTTPS client. Recommended.
+   *
+   * Maps onto the kernel [`TlsConfig::accept_self_signed`] +
+   * [`TlsConfig::skip_hostname_verification`] (both = `!check`).
+   */
+  checkServerCertificate?: boolean
+  /**
+   * PEM-encoded CA certificate bytes to add to the trust store on
+   * top of the system roots. Use for corporate TLS-inspecting
+   * proxies that re-sign TLS, or on-prem deployments with an
+   * internal CA. Honoured regardless of `check_server_certificate`.
+   * Maps onto the kernel [`TlsConfig::custom_ca_cert`].
+   */
+  customCaCert?: Buffer
 }
 /**
  * Open a Databricks SQL session and return an opaque `Connection`

tests/unit/sea/SeaBackend-tls-warn.test.ts

@@ -0,0 +1,73 @@
+// Copyright (c) 2026 Databricks, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { expect } from 'chai';
+import SeaBackend from '../../../lib/sea/SeaBackend';
+import { ConnectionOptions } from '../../../lib/contracts/IDBSQLClient';
+import { LogLevel } from '../../../lib/contracts/IDBSQLLogger';
+
+interface LoggedLine {
+  level: LogLevel;
+  message: unknown;
+}
+
+/** Minimal IClientContext stub that records logger calls. */
+function fakeContext(sink: LoggedLine[]) {
+  const logger = {
+    log(level: LogLevel, message: unknown) {
+      sink.push({ level, message });
+    },
+  };
+  return { getLogger: () => logger } as any;
+}
+
+function patOpts(extra: Partial<ConnectionOptions> = {}): ConnectionOptions {
+  return {
+    host: 'example.cloud.databricks.com',
+    path: '/sql/1.0/warehouses/abc',
+    token: 'dapi-fake-pat',
+    ...extra,
+  } as ConnectionOptions;
+}
+
+describe('SeaBackend — TLS verification log', () => {
+  it('logs a debug note when server-cert verification is left at the default (disabled)', async () => {
+    const lines: LoggedLine[] = [];
+    const backend = new SeaBackend({ context: fakeContext(lines), nativeBinding: {} as any });
+
+    await backend.connect(patOpts());
+
+    const notes = lines.filter((l) => l.level === LogLevel.debug);
+    expect(notes).to.have.lengthOf(1);
+    expect(String(notes[0].message)).to.match(/verification is DISABLED/);
+  });
+
+  it('logs a debug note when checkServerCertificate is explicitly false', async () => {
+    const lines: LoggedLine[] = [];
+    const backend = new SeaBackend({ context: fakeContext(lines), nativeBinding: {} as any });
+
+    await backend.connect(patOpts({ checkServerCertificate: false }));
+
+    expect(lines.filter((l) => l.level === LogLevel.debug)).to.have.lengthOf(1);
+  });
+
+  it('does NOT log when checkServerCertificate is true', async () => {
+    const lines: LoggedLine[] = [];
+    const backend = new SeaBackend({ context: fakeContext(lines), nativeBinding: {} as any });
+
+    await backend.connect(patOpts({ checkServerCertificate: true }));
+
+    expect(lines.filter((l) => l.level === LogLevel.debug)).to.have.lengthOf(0);
+  });
+});

tests/unit/sea/tls-options.test.ts

@@ -0,0 +1,97 @@
+// Copyright (c) 2026 Databricks, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { expect } from 'chai';
+import { buildSeaConnectionOptions, buildSeaTlsOptions } from '../../../lib/sea/SeaAuth';
+import { ConnectionOptions } from '../../../lib/contracts/IDBSQLClient';
+import HiveDriverError from '../../../lib/errors/HiveDriverError';
+
+const PEM = '-----BEGIN CERTIFICATE-----\nMIIBfakebase64\n-----END CERTIFICATE-----\n';
+
+function patOpts(extra: Partial<ConnectionOptions> = {}): ConnectionOptions {
+  return {
+    host: 'example.cloud.databricks.com',
+    path: '/sql/1.0/warehouses/abc',
+    token: 'dapi-fake-pat',
+    ...extra,
+  } as ConnectionOptions;
+}
+
+describe('SeaAuth — TLS options', () => {
+  describe('buildSeaTlsOptions', () => {
+    it('returns an empty object when no TLS options are set (thrift-compatible default)', () => {
+      expect(buildSeaTlsOptions(patOpts())).to.deep.equal({});
+    });
+
+    it('passes checkServerCertificate: true through', () => {
+      expect(buildSeaTlsOptions(patOpts({ checkServerCertificate: true }))).to.deep.equal({
+        checkServerCertificate: true,
+      });
+    });
+
+    it('passes checkServerCertificate: false through explicitly', () => {
+      expect(buildSeaTlsOptions(patOpts({ checkServerCertificate: false }))).to.deep.equal({
+        checkServerCertificate: false,
+      });
+    });
+
+    it('converts a PEM string customCaCert to a Buffer', () => {
+      const tls = buildSeaTlsOptions(patOpts({ customCaCert: PEM }));
+      expect(Buffer.isBuffer(tls.customCaCert)).to.equal(true);
+      expect(tls.customCaCert!.toString('utf8')).to.equal(PEM);
+    });
+
+    it('passes a Buffer customCaCert through unchanged', () => {
+      const buf = Buffer.from(PEM, 'utf8');
+      const tls = buildSeaTlsOptions(patOpts({ customCaCert: buf }));
+      expect(tls.customCaCert).to.equal(buf);
+    });
+
+    it('honours customCaCert regardless of checkServerCertificate', () => {
+      const tls = buildSeaTlsOptions(patOpts({ checkServerCertificate: true, customCaCert: PEM }));
+      expect(tls.checkServerCertificate).to.equal(true);
+      expect(Buffer.isBuffer(tls.customCaCert)).to.equal(true);
+    });
+
+    it('throws on a customCaCert string without a PEM header', () => {
+      expect(() => buildSeaTlsOptions(patOpts({ customCaCert: 'not-a-pem' }))).to.throw(
+        HiveDriverError,
+        /does not look like a PEM certificate/,
+      );
+    });
+
+    it('throws on an empty customCaCert Buffer', () => {
+      expect(() => buildSeaTlsOptions(patOpts({ customCaCert: Buffer.alloc(0) }))).to.throw(HiveDriverError, /empty/);
+    });
+  });
+
+  describe('buildSeaConnectionOptions integration', () => {
+    it('omits TLS keys entirely when not supplied', () => {
+      const native = buildSeaConnectionOptions(patOpts());
+      expect(native).to.not.have.property('checkServerCertificate');
+      expect(native).to.not.have.property('customCaCert');
+    });
+
+    it('threads TLS options onto the napi shape alongside auth', () => {
+      const native = buildSeaConnectionOptions(patOpts({ checkServerCertificate: true, customCaCert: PEM }));
+      expect(native.authMode).to.equal('Pat');
+      expect(native.checkServerCertificate).to.equal(true);
+      expect(native.customCaCert!.toString('utf8')).to.equal(PEM);
+    });
+
+    it('propagates customCaCert validation errors', () => {
+      expect(() => buildSeaConnectionOptions(patOpts({ customCaCert: 'garbage' }))).to.throw(HiveDriverError);
+    });
+  });
+});