[SEA-NodeJS] Kernel backend: connection/statement options, TLS & configurable sync/async execution (#416)

* [SEA-NodeJS] SEA connection & statement options

Wire the SEA connection-level and per-statement option surfaces onto the
merged-kernel napi binding (thin forwarding — the kernel owns the behaviour):

Connection options (SeaAuth.buildSeaConnectionOptions):
- `maxConnections` → kernel pool size, validated as a positive integer within
  the napi u32 range.
- TLS: `checkServerCertificate` (secure-by-default — omit to keep the kernel's
  verify-on default; `false` opts into insecure) and `customCaCert` (PEM string
  or Buffer; strings are PEM-sanity-checked and normalised to a Buffer before
  the FFI boundary), via the new `buildSeaTlsOptions`.
- `intervalsAsString: true` is always set so SEA interval/duration columns
  render as strings — a byte-compatible drop-in for the Thrift backend.
  `complexTypesAsJson` is intentionally left at the kernel default (native
  Arrow), which already decodes identically to Thrift via the shared converter.

Statement options (SeaSessionBackend.executeStatement, via buildExecuteOptions):
- `queryTimeout` → `queryTimeoutSecs`; `rowLimit` → `rowLimit` (SEA-only cap).
- `queryTags` serialised JS-side (reusing Thrift's `serializeQueryTags`) into
  the reserved `query_tags` conf key, merged with any explicit `statementConf` —
  the napi `queryTags` field can't carry null-valued tags, and the kernel
  rejects setting both. `queryTags` / `queryTimeout` are no longer rejected.
- Still rejected (genuinely unsupported on SEA): `useCloudFetch`,
  `useLZ4Compression`, `stagingAllowedLocalPath`.

`rowLimit` / `statementConf` added to the public `ExecuteStatementOptions`;
SEA-only knobs (`maxConnections` / `checkServerCertificate` / `customCaCert`)
added to the internal `InternalConnectionOptions`.

Validated against a live warehouse: secure-by-default connect, maxConnections,
checkServerCertificate, rowLimit (caps rows), queryTimeout, queryTags,
statementConf, and non-PEM customCaCert rejection.

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

* [SEA-NodeJS] SEA async execute (submit / poll / awaitResult)

Switch the SEA query path from the blocking `executeStatement` to the kernel's
async `submitStatement`, matching the Thrift backend's always-async
(`runAsync: true`) model. `submitStatement` returns immediately with a pending
`AsyncStatement` (kernel `wait_timeout=0s`) while the query runs server-side.

SeaOperationBackend becomes dual-mode (exactly one of):
- `asyncStatement` (query path): `waitUntilReady()` polls `status()` to a
  terminal state on a 100ms cadence (matching Thrift), firing the progress
  callback each tick. Polling `status()` rather than blocking on `awaitResult()`
  keeps `cancel()` responsive — a blocking awaitResult would hold the kernel
  statement mutex for the whole query and queue cancel behind it. On Succeeded
  it materialises the result handle (first fetch is free); on Failed it drives
  `awaitResult()` to surface the kernel's typed SQL-error envelope; on a
  server-side Cancelled/Closed/Unknown it throws a clear error. `status()`
  reports the real Pending/Running/Succeeded state.
- `statement` (metadata path): the kernel `list*`/`get*` statement is already
  terminal, so `waitUntilReady()` stays the one-shot completion tick.

The fetch pipeline is shared: `awaitResult()`'s `AsyncResultHandle` and the
metadata `Statement` expose the same `fetchNextBatch()` / `schema()` surface, so
`SeaResultsProvider` → `ArrowResultConverter` → `ResultSlicer` consume either
interchangeably via a single memoised fetch handle. cancel()/close() route
through a `lifecycleHandle` abstraction over whichever handle backs the op.

Re-exports the kernel `AsyncStatement` / `AsyncResultHandle` types from
`SeaNativeLoader`.

Validated against a live warehouse: async fetchAll correctness, multi-row drain
(5000 rows), long-running aggregate (count over 20M), kernel SQL-error
surfacing, and cancellation mid-execution. PR1's params/metadata/getInfo all
still pass through the new async path.

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

* [SEA-NodeJS] prettier-format SEA connection/options + async files (CI code-style)

The CI "Check code style" step runs `prettier . --check` (whole repo);
these files were committed without prettier formatting. Formatting-only.

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

* [SEA-NodeJS] Address code-review findings on async/TLS/options (#413)

Code-review #413 (81/100). Validated each against the code + a live warehouse:

- F1 (HIGH): the async poll loop threw plain HiveDriverError for server-driven
  Cancelled/Closed/Unknown. The DBSQLOperation facade only mirrors its
  cancelled/closed flags when `err instanceof OperationStateError` (and
  OperationStateError extends HiveDriverError, not the reverse), so a
  server-side cancel/close/admin-kill left the facade desynced. Now throws
  OperationStateError(Canceled/Closed/Unknown) — matching the Thrift backend.
  The Failed branch still surfaces the kernel SQL-error envelope via awaitResult.

- F2 (MED): the server-Cancelled test asserted only instanceOf(HiveDriverError),
  which passes for both the correct and incorrect type — it couldn't catch F1.
  Now asserts instanceOf(OperationStateError) + errorCode, plus a new Closed test.

- F3 (MED): queryTimeout was forwarded to submitStatement but the kernel ignores
  queryTimeoutSecs on submit (always wait_timeout=0s), so the documented public
  option was a silent no-op, and the poll loop had no client-side deadline (a
  stalled Running statement polled forever). Now enforced client-side: the poll
  loop tracks a deadline, best-effort cancels the statement on expiry, and
  throws OperationStateError(Timeout) — matching Thrift's server TIMEDOUT
  outcome. Stopped forwarding the ignored queryTimeoutSecs to the napi options.
  Validated live: a 2s timeout interrupts a slow cross-join with TIMEOUT.

- F4 (LOW): customCaCert PEM string check now requires the END marker too (a
  truncated/headerless cert no longer passes), consistent with the Buffer path.

- F5 (LOW): SeaAuth reads the SEA-only fields (checkServerCertificate /
  customCaCert / maxConnections) through `InternalConnectionOptions` instead of
  ad-hoc inline casts, so a typo'd key fails to compile.

- F6 (LOW): corrected the poll-loop comment — the prior text justified polling
  by an incorrect "blocking awaitResult holds the mutex and queues cancel"
  claim; cancel() is documented lock-free. The real rationale (real-time
  status to the progress callback + cancel observed between ticks) is now stated.

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

* [SEA-NodeJS] add TIMESTAMP_NTZ / TIMESTAMP_LTZ bound-param types

Consolidates the last net-new bit of the superseded #408: two SEA-path
DBSQLParameterType variants for binding timezone-explicit timestamps. The type
name flows through the existing param codec (toSparkParameter → sqlType), which
the kernel accepts — validated live (SELECT ? with TIMESTAMP_NTZ/LTZ returns the
bound values). On the Thrift backend they degrade to a plain TIMESTAMP bind.

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

* [SEA-NodeJS] Address #413 review: TIMESTAMP_LTZ wire type + Int64 queryTimeout coercion

Code-review #413 (gopalldb). Two P1s:

- TIMESTAMP_LTZ was sent verbatim on the wire, but Spark has no distinct
  TIMESTAMP_LTZ type (TIMESTAMP already carries LTZ semantics) — so a Thrift
  caller got an opaque server bind error, and the enum comment falsely claimed
  NTZ/LTZ "degrade to a plain TIMESTAMP bind" (there was no such logic).
  `toSparkParameter` now maps TIMESTAMP_LTZ → `TIMESTAMP` (valid on both Thrift
  and kernel); TIMESTAMP_NTZ stays native (a real Spark type). Comment corrected.
  Added DBSQLParameter tests for both wire types (the Thrift behaviour the
  review flagged as untested) and updated the kernel positional-params test.

- queryTimeout (`number | bigint | Int64`) was coerced with `Number(...)`, which
  yields NaN for an Int64 (node-int64 has no valueOf) → the client-side deadline
  was silently disabled for Int64 inputs. Now uses
  `numberToInt64(...).toNumber()`, matching the Thrift backend. Added a
  regression test that an `Int64(1)` queryTimeout actually fires the deadline
  (OperationStateError(Timeout)) rather than polling forever.

(P1 "queryTimeout silently dropped on submit" and the unbounded-poll note were
already resolved earlier by the client-side deadline fix; doc comment updated to
match. P2 polarity/Date-NTZ items noted for the public-surface follow-up.)

Validated live: NTZ binds natively and LTZ binds as TIMESTAMP on the kernel path.

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

* [SEA-NodeJS] configurable sync/async execute via runAsync (default sync)

Make the SEA execution path user-configurable between sync and async,
toggled by the EXISTING `runAsync` option — no new public field, exactly
mirroring the Thrift backend's `runAsync` distinction. Default is SYNC
(`runAsync: false`): faster, and with the kernel sync canceller fully
cancellable mid-compute.

SeaSessionBackend.executeStatement now branches on `options.runAsync`:
  - false/undefined (DEFAULT) -> Connection.executeStatementCancellable:
    the kernel blocks on execute() (poll-to-terminal server-side), driven
    lazily in the operation backend's result(). `queryTimeoutSecs` IS
    forwarded (the kernel execute() honours it).
  - true -> Connection.submitStatement (submit + poll), unchanged.
    `queryTimeoutSecs` stays client-side (kernel ignores it on submit).

SeaOperationBackend gains a third dual-mode handle kind,
`cancellableExecution`, alongside `asyncStatement` and `statement`:
  - waitUntilReadyCancellable drives result() to the terminal Statement
    (memoised as the fetch handle + close target);
  - the lifecycle handle is a composite: cancel() routes to the detached
    canceller (lock-free, interrupts a running result() mid-COMPUTE and
    is a no-op once terminal); close() routes to the resolved statement;
  - a cancel-induced result() rejection maps to OperationStateError(
    Canceled) so the DBSQLOperation facade mirrors its cancelled flag,
    matching the Thrift path.

Public API, result shape, schema (TTableSchema), and error classes are
identical across both modes and to Thrift — the only observable
difference is lifecycle timing (when executeStatement resolves).

Built against databricks-sql-kernel napi
639e19ef97decc1c5aa2365c0b3a229c1ccd5b58 (executeStatementCancellable /
CancellableExecution); KERNEL_REV bumped to match. Refreshed the
committed binding surface (native/sea/index.{js,d.ts}).

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

* [SEA-NodeJS] surface server statement_id as op.id on the sync path

On the sync (cancellable) execute path the operation id was a client UUID,
because the server statement_id isn't known at construction — the kernel
publishes it mid-`result()` once the initial execute round-trip returns. That
left a cancelled/closed sync op untraceable against server/kernel logs (the
async path already had the id from `submit`).

`id` now prefers the server statement_id once known (captured from the resolved
`Statement`, then the live canceller slot), falling back to the construction-time
UUID until then. Updated the fake to model the real null-until-resolved
`statementId` and assert op.id flips from UUID → server id after the execute
completes. Validated live: SELECT 1 op.id is a UUID before fetch and the real
`01f1…` statement id after.

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

* [SEA-NodeJS] Address #416 review: stable op.id (telemetry), runAsync contract, doc + signal/coverage gaps

Review findings (databricks-sql-nodejs#416):

- F2 (HIGH): revert the sync-path op.id mutation. `op.id` flipped from a client
  UUID to the server statement_id after `result()` resolved, but the facade keys
  telemetry start/complete on it (DBSQLOperation → MetricsAggregator), so the
  flip split the records across two keys and dropped the summary. `id` is now
  stable for the operation's lifetime; the resolved server statement_id is
  surfaced via a debug log for server/kernel correlation instead. Test updated:
  asserts id is stable AND the server id is logged.

- F1 (HIGH): `runAsync` is the SEA sync/async toggle but was JSDoc-@deprecated,
  and a comment falsely claimed it "mirrors Thrift's runAsync distinction"
  (Thrift hardcodes runAsync:true and never reads the option). Replaced the
  @deprecated tag with the cross-backend contract (Thrift: no-op; kernel:
  selects sync-default vs async) and corrected the in-code comment.

- Doc: SeaSessionBackend class comment still said metadata "defers to M1 —
  throws"; metadata is fully implemented. Rewritten to list the implemented
  surface.

- F3 (MED): ThriftSessionBackend now debug-logs when rowLimit / statementConf
  (kernel-only options) are set on the Thrift path, instead of dropping silently.

- F4 (MED): added the missing coverage using the previously-dead fakes —
  sync-path Failed/SQL-error envelope (`resultError`), submit-time error mapping
  on both paths (`throwOnExecute`), and queryTags-vs-statementConf.query_tags
  collision precedence.

- F5 (MED): the query-timeout best-effort cancel now warn-logs a failed cancel
  (mirrors the fetch-error cleanup) so a still-running server statement is
  diagnosable.

- F10 (LOW): hoisted `Object.values(OperationState)` to a module const off the
  100ms async poll loop.

Validated: tsc/eslint/prettier clean; 243 SEA / 1162 full unit tests pass; live
smoke confirms op.id is stable across fetch on both paths and both return
correct data.

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

* [SEA-NodeJS] Address #416 P1 review round 2: cancel-intent, statement-leak, PEM order, TLS warn, Thrift signal

databricks-sql-nodejs#416 (gopalldb P1):

- P1.1: `seaCancel` no longer rolls `isCancelled` back to false when the kernel
  cancel RPC fails. The caller asked to cancel, so the op stays cancelled
  (subsequent fetches fail fast, poll-loop observers stay consistent); the RPC
  failure is still surfaced via the rethrow. Rolling back silently resurrected a
  cancelled op while the server statement might still run. Test asserts the flag
  stays set on failure.

- P1.5: the async poll loop now best-effort `close()`s the kernel statement on
  every server-driven terminal error (Failed / Cancelled / Closed / Unknown /
  Timeout) before throwing — previously it leaked the statement handle until
  session close (only `fetchChunk` cleaned up). Warn-logs a close failure.

- P1.3: `customCaCert` PEM check is now an ordered regex
  (`BEGIN…END` block) instead of two independent substring checks, so a blob
  containing both markers out of order (e.g. a proxy-intercept page) is rejected.

- P1.4: warn when `customCaCert` is set together with
  `checkServerCertificate: false` — verification is fully off so the custom CA
  is unused; the combo is still honoured but no longer silently masks it.

- P1.6: the Thrift `rowLimit`/`statementConf` ignored-option signal is now a
  WARN (was debug) — these materially change results (e.g. `rowLimit` not
  capping), so a caller on the Thrift path gets a visible warning.

P1.2 (race in-flight `status()` against a cancel signal) deferred: bounded by the
HTTP transport timeout today; the proper fix needs a cancel-signal promise +
napi `AbortSignal`, which the binding doesn't yet expose — tracked as a
follow-up.

Validated: tsc/eslint/prettier clean; 243 SEA / 1162 full unit tests pass; live
smoke confirms both modes execute correctly.

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

* [SEA-NodeJS] tests: ordered PEM markers + poll-loop terminal close (P1.3/P1.5 coverage)

Locks the round-2 fixes the review flagged as untested:
- PEM customCaCert rejects out-of-order / BEGIN-only / END-only blobs (ordered
  regex, not two independent substring checks).
- The async poll loop best-effort close()s the kernel statement on every
  server-driven terminal error (Cancelled/Closed/Unknown), proving no handle
  leak. All round-2 behaviours additionally verified end-to-end against a live
  warehouse (insecure-combo warn, async-Failed SQL error + close, Thrift
  rowLimit warn).

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

* [SEA-NodeJS] Address #416 round-3 review: KERNEL_REV bump, binding-shape check, sync close cancels

databricks-sql-nodejs#416 (gopalldb round 3):

- P0 (KERNEL_REV): bumped from 639e19e → 9a50904 (current kernel PR #122 head)
  and rebuilt the committed binding. This pulls in fix(reader) #115 (which the
  old pin was missing) and the napi cancel-status normalisation. The pin still
  references the (unmerged) #122 branch — that's inherent to the stacked PR;
  #416 must merge AFTER #122, with a final KERNEL_REV bump to the merged SHA.

- P1 (binding shape): assertBindingShape now also validates AsyncStatement,
  AsyncResultHandle, and CancellableExecution. A stale cached .node missing
  these now fails fast at load instead of crashing mid-query at
  `submitStatement` / `executeStatementCancellable`. Added a negative test
  (and the loader stub now includes the new classes).

- P2 (sync close leak): close() on a still-running sync op now proactively
  cancels the cancellable execution (server stops computing immediately)
  instead of no-oping and relying on the kernel drop-guard firing at JS GC.
  Added a test.

(Stale-review note: round-1/2 findings — PEM ordering, TLS insecure-combo warn,
seaCancel rollback, poll-loop close, Thrift signal — were already addressed in
0422f27 + 9d13f11 and are on HEAD; the round-3 comment reviewed an earlier SHA.)

Validated: tsc/eslint/prettier clean; 247 SEA / 1166 full unit tests pass; live
smoke on the 9a50904 binding confirms both modes execute correctly.

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

* [SEA-NodeJS] bump KERNEL_REV to dcbbf57 (kernel #122 cancel-normalisation fix)

Picks up the kernel-side fix for the first-window cancel mis-attribution
(genuine InvalidArgument no longer mislabelled Cancelled) + the terminal-flag
gating, so this PR's pinned binding doesn't ship the pre-fix behaviour.

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

* [SEA-NodeJS] bump KERNEL_REV to 754f162 (race-free cancel-dispatch signal)

Picks up the kernel fix that makes StatementCanceller::cancel() report whether
it dispatched, closing the TOCTOU in the cancel→Cancelled normalisation that
the prior pinned binding (dcbbf57) still carried.

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

* [SEA-NodeJS] bump KERNEL_REV to merged #122 (8bedaab)

Pin to the squashed merge commit of databricks-sql-kernel#122
(feat(napi): expose sync StatementCanceller via executeStatementCancellable),
now on kernel main. Supersedes the pre-merge branch-tip pin (754f162).

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

---------

Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

Author: msrathore-db

KERNEL_REV

@@ -0,0 +1 @@
+8bedaabf69f5bce5a957a8775f29dbb8dbdd2e71

lib/DBSQLParameter.ts

@@ -8,6 +8,15 @@ export enum DBSQLParameterType {
   STRING = 'STRING',
   DATE = 'DATE',
   TIMESTAMP = 'TIMESTAMP',
+  // `TIMESTAMP_NTZ` binds a timezone-free (wall-clock) timestamp. It is a real
+  // Spark type, bound natively on both the Thrift and kernel backends (requires
+  // a server that supports TIMESTAMP_NTZ; Spark 3.4+ / recent DBR).
+  TIMESTAMP_NTZ = 'TIMESTAMP_NTZ',
+  // `TIMESTAMP_LTZ` is an alias for `TIMESTAMP`: Spark has no distinct
+  // TIMESTAMP_LTZ type — `TIMESTAMP` already carries local/instant (LTZ)
+  // semantics. `toSparkParameter` therefore binds it as `TIMESTAMP` on the wire
+  // (valid on both backends); it exists only as a self-documenting alias.
+  TIMESTAMP_LTZ = 'TIMESTAMP_LTZ',
   FLOAT = 'FLOAT',
   DECIMAL = 'DECIMAL',
   DOUBLE = 'DOUBLE',
@@ -50,10 +59,16 @@ export class DBSQLParameter {
       return new TSparkParameter({ name }); // for NULL neither `type` nor `value` should be set
     }
 
+    // Map timezone-explicit timestamp aliases to their Spark wire type. Spark
+    // has no distinct TIMESTAMP_LTZ type (TIMESTAMP carries LTZ semantics), so
+    // bind it as TIMESTAMP — valid on both the Thrift and kernel backends.
+    // TIMESTAMP_NTZ is a real Spark type and is bound natively.
+    const wireType = this.type === DBSQLParameterType.TIMESTAMP_LTZ ? DBSQLParameterType.TIMESTAMP : this.type;
+
     if (typeof this.value === 'boolean') {
       return new TSparkParameter({
         name,
-        type: this.type ?? DBSQLParameterType.BOOLEAN,
+        type: wireType ?? DBSQLParameterType.BOOLEAN,
         value: new TSparkParameterValue({
           stringValue: this.value ? 'TRUE' : 'FALSE',
         }),
@@ -63,7 +78,7 @@ export class DBSQLParameter {
     if (typeof this.value === 'number') {
       return new TSparkParameter({
         name,
-        type: this.type ?? (Number.isInteger(this.value) ? DBSQLParameterType.INTEGER : DBSQLParameterType.DOUBLE),
+        type: wireType ?? (Number.isInteger(this.value) ? DBSQLParameterType.INTEGER : DBSQLParameterType.DOUBLE),
         value: new TSparkParameterValue({
           stringValue: Number(this.value).toString(),
         }),
@@ -73,7 +88,7 @@ export class DBSQLParameter {
     if (this.value instanceof Int64 || typeof this.value === 'bigint') {
       return new TSparkParameter({
         name,
-        type: this.type ?? DBSQLParameterType.BIGINT,
+        type: wireType ?? DBSQLParameterType.BIGINT,
         value: new TSparkParameterValue({
           stringValue: this.value.toString(),
         }),
@@ -83,7 +98,7 @@ export class DBSQLParameter {
     if (this.value instanceof Date) {
       return new TSparkParameter({
         name,
-        type: this.type ?? DBSQLParameterType.TIMESTAMP,
+        type: wireType ?? DBSQLParameterType.TIMESTAMP,
         value: new TSparkParameterValue({
           stringValue: this.value.toISOString(),
         }),
@@ -92,7 +107,7 @@ export class DBSQLParameter {
 
     return new TSparkParameter({
       name,
-      type: this.type ?? DBSQLParameterType.STRING,
+      type: wireType ?? DBSQLParameterType.STRING,
       value: new TSparkParameterValue({
         stringValue: this.value,
       }),

lib/contracts/IDBSQLSession.ts

@@ -12,7 +12,18 @@ export type ExecuteStatementOptions = {
    */
   queryTimeout?: number | bigint | Int64;
   /**
-   * @deprecated This option is no longer supported and will be removed in future releases
+   * Selects the execution lifecycle. The only observable effect is WHEN
+   * `executeStatement` resolves; the result data, schema, and error classes are
+   * identical regardless.
+   *
+   * - **Thrift backend:** no-op. The Thrift path always submits asynchronously
+   *   (`runAsync: true` on the wire) and polls during fetch; this option is not
+   *   read.
+   * - **Kernel backend (`useSEA`):** selects the kernel execution path —
+   *   `false`/unset (default) runs the blocking direct-results path (faster,
+   *   cancellable mid-compute); `true` submits and polls (returns a pending
+   *   handle before completion). Default is sync, matching the python
+   *   connector's `cursor.execute()`.
    */
   runAsync?: boolean;
   maxRows?: number | bigint | Int64 | null;
@@ -27,6 +38,18 @@ export type ExecuteStatementOptions = {
    * These tags apply only to this statement and do not persist across queries.
    */
   queryTags?: Record<string, string | null | undefined>;
+  /**
+   * SEA-only: server-side row cap for this statement (kernel `row_limit`). The
+   * Thrift backend has no execute-time server cap, so this is a no-op there;
+   * use `maxRows` for the cross-backend client-side fetch limit.
+   */
+  rowLimit?: number;
+  /**
+   * SEA-only: per-statement Spark conf overlay (kernel `statement_conf`).
+   * Merged with the serialized `queryTags` (which land under the reserved
+   * `query_tags` key). Ignored by the Thrift backend.
+   */
+  statementConf?: Record<string, string>;
 };
 
 export type TypeInfoRequest = {

lib/contracts/InternalConnectionOptions.ts

@@ -18,4 +18,27 @@ export interface InternalConnectionOptions {
    * @internal Not stable; M0 stub only.
    */
   useSEA?: boolean;
+
+  /**
+   * SEA-only: kernel connection-pool size (`ConnectionOptions.max_connections`).
+   * Validated as a positive integer within the napi `u32` range.
+   * @internal SEA path only.
+   */
+  maxConnections?: number;
+
+  /**
+   * SEA-only: verify the server's TLS certificate. Secure-by-default — omit
+   * to keep full chain + hostname verification; set `false` only to opt into
+   * the insecure accept-anything mode.
+   * @internal SEA path only.
+   */
+  checkServerCertificate?: boolean;
+
+  /**
+   * SEA-only: PEM-encoded CA certificate (string or `Buffer`) added to the
+   * trust store on top of the system roots — for TLS-inspecting proxies or
+   * on-prem internal CAs. Honoured regardless of `checkServerCertificate`.
+   * @internal SEA path only.
+   */
+  customCaCert?: Buffer | string;
 }

lib/sea/SeaAuth.ts

@@ -13,6 +13,7 @@
 // limitations under the License.
 
 import { ConnectionOptions } from '../contracts/IDBSQLClient';
+import { InternalConnectionOptions } from '../contracts/InternalConnectionOptions';
 import AuthenticationError from '../errors/AuthenticationError';
 import HiveDriverError from '../errors/HiveDriverError';
 
@@ -66,9 +67,58 @@ export interface SeaSessionDefaults {
   catalog?: string;
   schema?: string;
   sessionConf?: Record<string, string>;
+  /**
+   * Render `INTERVAL` / `DURATION` result columns as strings
+   * (kernel `ResultConfig.intervals_as_string`). The kernel default is
+   * native Arrow `month_interval` / `duration[us]`, but the NodeJS
+   * Thrift driver surfaces intervals as strings — so the SEA path sets
+   * this `true` so its result shape is a byte-compatible drop-in for the
+   * Thrift backend. Omitting it falls back to the kernel's native types.
+   */
+  intervalsAsString?: boolean;
+  /**
+   * Render complex (`ARRAY` / `MAP` / `STRUCT` / `VARIANT`) result
+   * columns as JSON strings (kernel `ResultConfig.complex_types_as_json`).
+   * Left unset on the SEA path: native Arrow nested types already decode
+   * identically to the Thrift backend through the shared Arrow converter,
+   * so forcing JSON here would *introduce* a divergence rather than
+   * remove one.
+   */
+  complexTypesAsJson?: boolean;
+  /**
+   * Per-session kernel connection-pool size
+   * (kernel `ConnectionOptions.max_connections`). Validated as a positive
+   * integer within the napi `u32` range by `buildSeaConnectionOptions`.
+   */
+  maxConnections?: number;
+}
+
+/**
+ * TLS options shared across all auth-mode variants. Mirror the napi
+ * binding's `ConnectionOptions.checkServerCertificate` / `.customCaCert`
+ * (kernel `Session::builder().tls(TlsConfig)`).
+ *
+ * The napi shape takes `customCaCert` as a `Buffer` only; the public
+ * `ConnectionOptions` additionally accepts a PEM string, which
+ * `buildSeaConnectionOptions` normalises to a `Buffer` before crossing
+ * the FFI boundary.
+ */
+export interface SeaTlsOptions {
+  /**
+   * Verify the server's TLS certificate. The SEA backend is
+   * **secure-by-default**: omitting this leaves the kernel default of
+   * `true` (full chain + hostname verification). Set `false` only to opt
+   * into the insecure, accept-anything mode (analogous to Thrift's
+   * `rejectUnauthorized: false`); prefer pairing strict checking with
+   * `customCaCert` over disabling verification entirely.
+   */
+  checkServerCertificate?: boolean;
+  /** PEM-encoded CA bytes to add to the trust store. */
+  customCaCert?: Buffer;
 }
 
 export type SeaNativeConnectionOptions = SeaSessionDefaults &
+  SeaTlsOptions &
   (
     | {
         hostName: string;
@@ -114,6 +164,63 @@ export function isBlankOrReserved(s: string): boolean {
   return normalized.length === 0 || normalized === 'undefined' || normalized === 'null';
 }
 
+/** napi-rs marshals `maxConnections` as a `u32`; reject values it can't hold. */
+const MAX_U32 = 0xffffffff;
+
+/**
+ * Normalise the public TLS options (`checkServerCertificate` /
+ * `customCaCert`) into the napi shape.
+ *
+ * - `checkServerCertificate` passes through verbatim (only when set; an
+ *   absent value leaves the kernel default, which is secure — verify on).
+ * - `customCaCert` accepts a PEM string or `Buffer` on the public
+ *   surface; we convert a string to a `Buffer` here and do a light PEM
+ *   sanity check. The bytes are NOT parsed in JS — the kernel returns a
+ *   meaningful error if the PEM is malformed.
+ *
+ * Throws `HiveDriverError` when `customCaCert` is supplied but empty or
+ * (for strings) lacks a PEM certificate header.
+ */
+export function buildSeaTlsOptions(options: ConnectionOptions): SeaTlsOptions {
+  // Read the SEA-only fields through the purpose-built internal options type
+  // rather than an ad-hoc inline cast, so the shape can't silently drift from
+  // its declaration and a typo'd key fails to compile.
+  const { checkServerCertificate, customCaCert } = options as ConnectionOptions & InternalConnectionOptions;
+
+  const tls: SeaTlsOptions = {};
+
+  if (checkServerCertificate !== undefined) {
+    tls.checkServerCertificate = checkServerCertificate;
+  }
+
+  if (customCaCert !== undefined) {
+    if (typeof customCaCert === 'string') {
+      // Light PEM sanity check — require a well-ordered BEGIN…END block so a
+      // truncated/headerless cert (or a stray page that merely contains both
+      // literals out of order, e.g. a proxy-intercept page) is rejected here
+      // rather than surfacing as an opaque kernel TLS error. Ordered match, not
+      // two independent substring checks. Full parsing is deferred to the kernel.
+      if (!/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/.test(customCaCert)) {
+        throw new HiveDriverError(
+          'SEA backend: `customCaCert` string does not look like a PEM certificate ' +
+            "(expected a '-----BEGIN CERTIFICATE-----' … '-----END CERTIFICATE-----' block). " +
+            'Pass PEM text or a Buffer of PEM bytes.',
+        );
+      }
+      tls.customCaCert = Buffer.from(customCaCert, 'utf8');
+    } else if (Buffer.isBuffer(customCaCert)) {
+      if (customCaCert.length === 0) {
+        throw new HiveDriverError('SEA backend: `customCaCert` Buffer is empty.');
+      }
+      tls.customCaCert = customCaCert;
+    } else {
+      throw new HiveDriverError('SEA backend: `customCaCert` must be a PEM string or a Buffer.');
+    }
+  }
+
+  return tls;
+}
+
 /**
  * Validate the user-supplied `ConnectionOptions` and build the
  * napi-binding's connection-options shape.
@@ -170,11 +277,43 @@ export function isBlankOrReserved(s: string): boolean {
 export function buildSeaConnectionOptions(options: ConnectionOptions): SeaNativeConnectionOptions {
   const { authType } = options as { authType?: string };
 
-  const base = {
+  const base: {
+    hostName: string;
+    httpPath: string;
+    intervalsAsString: boolean;
+    maxConnections?: number;
+  } & SeaTlsOptions = {
     hostName: options.host,
     httpPath: prependSlash(options.path),
+    // Match the NodeJS Thrift driver, which surfaces INTERVAL columns as
+    // strings. The kernel defaults to native Arrow interval/duration types;
+    // forcing the string rendering here keeps the SEA path a byte-compatible
+    // drop-in. Complex types are intentionally left at the kernel default
+    // (native Arrow) — they already decode identically to Thrift via the
+    // shared Arrow converter, so `complexTypesAsJson` is not forced on.
+    intervalsAsString: true,
+    // TLS knobs (server-cert verification toggle + custom CA). Validated and
+    // normalised (string PEM → Buffer) here so the napi shape only sees a Buffer.
+    ...buildSeaTlsOptions(options),
   };
 
+  // SEA-only pool sizing; read via cast to match how this function reads the
+  // other SEA-specific options (TLS) — they live on the internal options
+  // surface, not the published public `ConnectionOptions` `.d.ts`.
+  const { maxConnections } = options as ConnectionOptions & InternalConnectionOptions;
+  if (maxConnections !== undefined) {
+    if (!Number.isInteger(maxConnections) || maxConnections < 1) {
+      throw new HiveDriverError(`SEA backend: \`maxConnections\` must be a positive integer; got ${maxConnections}.`);
+    }
+    if (maxConnections > MAX_U32) {
+      throw new HiveDriverError(
+        `SEA backend: \`maxConnections\` exceeds the napi u32 limit (${MAX_U32}); got ${maxConnections}. ` +
+          'Typical pool sizes are 10-500.',
+      );
+    }
+    base.maxConnections = maxConnections;
+  }
+
   const oauth = options as {
     oauthClientId?: string;
     oauthClientSecret?: string;

lib/sea/SeaBackend.ts

@@ -16,6 +16,8 @@ import IBackend from '../contracts/IBackend';
 import ISessionBackend from '../contracts/ISessionBackend';
 import IClientContext from '../contracts/IClientContext';
 import { ConnectionOptions, OpenSessionRequest } from '../contracts/IDBSQLClient';
+import { InternalConnectionOptions } from '../contracts/InternalConnectionOptions';
+import { LogLevel } from '../contracts/IDBSQLLogger';
 import HiveDriverError from '../errors/HiveDriverError';
 import { getSeaNative, SeaNativeBinding, SeaConnection } from './SeaNativeLoader';
 import { decodeNapiKernelError } from './SeaErrorMapping';
@@ -78,6 +80,22 @@ export default class SeaBackend implements IBackend {
     // Any non-PAT mode (or a missing/empty token) throws here, before
     // we ever touch the native binding.
     this.nativeOptions = buildSeaConnectionOptions(options);
+
+    // Warn on the insecure combo: a `customCaCert` paired with
+    // `checkServerCertificate: false` is almost always a mistake — verification
+    // is fully off, so the custom trust anchor is never used. The combo is
+    // still honoured (kernel contract), but a secure-looking `customCaCert`
+    // shouldn't silently mask disabled verification.
+    const tlsOpts = options as ConnectionOptions & InternalConnectionOptions;
+    if (tlsOpts.checkServerCertificate === false && tlsOpts.customCaCert !== undefined) {
+      this.context
+        .getLogger()
+        .log(
+          LogLevel.warn,
+          'SEA: `customCaCert` is set but `checkServerCertificate: false` disables certificate ' +
+            'verification entirely — the custom CA is not used. Set `checkServerCertificate: true` to use it.',
+        );
+    }
   }
 
   public async openSession(request: OpenSessionRequest): Promise<ISessionBackend> {

lib/sea/SeaNativeLoader.ts

@@ -36,6 +36,9 @@ import type {
   ExecuteOptions as NativeExecuteOptions,
   TypedValueInput as NativeTypedValueInput,
   NamedTypedValueInput as NativeNamedTypedValueInput,
+  AsyncStatement as NativeAsyncStatement,
+  AsyncResultHandle as NativeAsyncResultHandle,
+  CancellableExecution as NativeCancellableExecution,
 } from '../../native/sea';
 
 // SEA-prefixed re-exports. The kernel-generated `.d.ts` keeps the
@@ -59,6 +62,22 @@ export type SeaNativeExecuteOptions = NativeExecuteOptions;
 export type SeaNativeTypedValueInput = NativeTypedValueInput;
 export type SeaNativeNamedTypedValueInput = NativeNamedTypedValueInput;
 
+// Async-submit surface: `Connection.submitStatement` returns an
+// `AsyncStatement` (status / awaitResult / cancel / close); `awaitResult`
+// yields an `AsyncResultHandle` whose `fetchNextBatch` / `schema` match the
+// blocking `Statement`'s fetch surface, so the results pipeline consumes
+// either interchangeably.
+export type SeaNativeAsyncStatement = NativeAsyncStatement;
+export type SeaNativeAsyncResultHandle = NativeAsyncResultHandle;
+
+// Cancellable sync-execute surface: `Connection.executeStatementCancellable`
+// returns a `CancellableExecution` that captures a detached StatementCanceller
+// BEFORE dispatching the blocking `execute()`, so a concurrent `cancel()`
+// interrupts a still-running query mid-compute. `result()` drives the blocking
+// execute and resolves to the same terminal `Statement` `executeStatement`
+// returns.
+export type SeaNativeCancellableExecution = NativeCancellableExecution;
+
 /**
  * The full native binding surface, derived from the generated module
  * so it can never drift from the `.d.ts` contract: when the kernel
@@ -124,6 +143,13 @@ function assertBindingShape(binding: SeaNativeBinding): void {
   if (typeof binding.openSession !== 'function') missing.push('openSession');
   if (typeof binding.Connection !== 'function') missing.push('Connection');
   if (typeof binding.Statement !== 'function') missing.push('Statement');
+  // Classes the async (submit/poll) and cancellable-sync execution paths depend
+  // on. Checking them here turns a stale/older cached `.node` into a clear
+  // load-time error instead of an `X is not a function` mid-query (e.g.
+  // `Connection.submitStatement` / `executeStatementCancellable`).
+  if (typeof binding.AsyncStatement !== 'function') missing.push('AsyncStatement');
+  if (typeof binding.AsyncResultHandle !== 'function') missing.push('AsyncResultHandle');
+  if (typeof binding.CancellableExecution !== 'function') missing.push('CancellableExecution');
   if (missing.length > 0) {
     throw new Error(
       `SEA native binding loaded but is missing expected export(s): ${missing.join(', ')}. ` +