[SEA-NodeJS] feat(kernel): support the explicit proxy ConnectionOption on the kernel backend

Map the public Thrift-shaped `ConnectionOptions.proxy`
(`{protocol, host, port, auth}`) onto the kernel napi binding's
`proxy?: string`, so the SAME proxy connection option that works on the
Thrift backend now also routes kernel/SEA traffic through a proxy.

`buildKernelProxyOptions` composes `protocol://[user:pass@]host:port`,
percent-encoding any `auth.{username,password}` into the URL userinfo so
credentials with reserved characters survive; the kernel parses the
userinfo off and applies it as proxy basic-auth. Wired into
`buildKernelConnectionOptions` alongside the TLS / HTTP option builders.

The regenerated napi contract (`native/kernel/index.d.ts`) carries the
new `proxy?: string` and `socketTimeoutMs?: number` fields exposed by the
kernel PR (databricks/databricks-sql-kernel#129).

Note: env-var proxying (`HTTPS_PROXY` / `HTTP_PROXY` / `NO_PROXY`) already
worked on the kernel backend (reqwest honours it natively); this adds the
*programmatic* path for callers who cannot set process env vars.

Verified end-to-end via mitmproxy against a live serverless warehouse:
explicit `proxy` option (no env var) routes all SEA calls through the
proxy; a dead proxy port fails the connection (proving the proxy is used).

Co-authored-by: Isaac

Author: msrathore-db

lib/kernel/KernelAuth.ts

@@ -173,9 +173,22 @@ export interface KernelHttpOptions {
   customHeaders?: Array<{ name: string; value: string }>;
 }
 
+/**
+ * HTTP(S) proxy forwarded to the napi binding's `ConnectionOptions.proxy`
+ * (kernel `ProxyConfig.url`). The public `ConnectionOptions.proxy` is the
+ * Thrift-shaped `{protocol, host, port, auth}`; `buildKernelProxyOptions`
+ * composes a single proxy URL string (with any basic-auth credentials
+ * percent-encoded into the `userinfo`) so the SAME connection option works
+ * on both backends. The napi contract takes a flat `proxy?: string`.
+ */
+export interface KernelProxyOptions {
+  proxy?: string;
+}
+
 export type KernelNativeConnectionOptions = KernelSessionDefaults &
   KernelTlsOptions &
   KernelHttpOptions &
+  KernelProxyOptions &
   (
     | {
         hostName: string;
@@ -492,6 +505,29 @@ export function buildKernelRetryOptions(config: {
   return out;
 }
 
+/**
+ * Map the public `ConnectionOptions.proxy` (`{protocol, host, port, auth}` —
+ * the same shape the Thrift backend accepts) onto the kernel's napi
+ * `proxy?: string`. Composes `protocol://[user:pass@]host:port`, percent-
+ * encoding any `auth.{username,password}` into the URL `userinfo` so
+ * credentials containing reserved characters (`@`, `:`, `/`) survive intact —
+ * the kernel parses the userinfo off and applies it as basic-auth. The kernel
+ * accepts only `http://` / `https://`; a SOCKS protocol surfaces a clear
+ * kernel error at connect (reqwest SOCKS support is not compiled in).
+ */
+export function buildKernelProxyOptions(options: ConnectionOptions): KernelProxyOptions {
+  const { proxy } = options;
+  if (!proxy) {
+    return {};
+  }
+  const { username, password } = proxy.auth ?? {};
+  const userinfo =
+    username !== undefined ? `${encodeURIComponent(username)}:${encodeURIComponent(password ?? '')}@` : '';
+  return {
+    proxy: `${proxy.protocol}://${userinfo}${proxy.host}:${proxy.port}`,
+  };
+}
+
 export function buildKernelConnectionOptions(options: ConnectionOptions): KernelNativeConnectionOptions {
   const { authType } = options as { authType?: string };
 
@@ -501,7 +537,8 @@ export function buildKernelConnectionOptions(options: ConnectionOptions): Kernel
     intervalsAsString: boolean;
     maxConnections?: number;
   } & KernelTlsOptions &
-    KernelHttpOptions = {
+    KernelHttpOptions &
+    KernelProxyOptions = {
     hostName: options.host,
     httpPath: prependSlash(options.path),
     // Match the NodeJS Thrift driver, which surfaces INTERVAL columns as
@@ -517,6 +554,8 @@ export function buildKernelConnectionOptions(options: ConnectionOptions): Kernel
     ...buildKernelTlsOptions(options),
     // HTTP headers (caller `customHeaders` + composed `User-Agent`).
     ...buildKernelHttpOptions(options),
+    // HTTP(S) proxy — the same `ConnectionOptions.proxy` the Thrift path uses.
+    ...buildKernelProxyOptions(options),
   };
 
   // kernel-only pool sizing; read via cast to match how this function reads the