[SEA-NodeJS] Kernel-parity batch: mTLS + custom headers/UA + retry/backoff + operation-status fields

KERNEL_REV

@@ -1 +1 @@
-80b68e1eef3b613910183a50dfa4dace854d50dd
+fcc459bbf3f39bf57e2ee02f14b99c0ec7a70123

lib/contracts/InternalConnectionOptions.ts

@@ -29,16 +29,49 @@ export interface InternalConnectionOptions {
   /**
    * SEA-only: verify the server's TLS certificate. Secure-by-default — omit
    * to keep full chain + hostname verification; set `false` only to opt into
-   * the insecure accept-anything mode.
+   * the insecure accept-anything mode. This is the master verify toggle:
+   * `false` also subsumes the hostname check (see
+   * `checkServerCertificateHostname`). Mirrors the Python connector's
+   * `_tls_no_verify` (inverted).
    * @internal SEA path only.
    */
   checkServerCertificate?: boolean;
 
+  /**
+   * SEA-only: verify that the server certificate matches the host
+   * (hostname-vs-SNI check), independently of full chain validation. Omit
+   * to keep the secure default (on); set `false` to skip only the hostname
+   * check while still validating the chain — e.g. connecting via an IP
+   * literal or a host the cert wasn't issued for. No-op when
+   * `checkServerCertificate` is `false` (that disables everything). Mirrors
+   * the Python connector's `_tls_verify_hostname`.
+   * @internal SEA path only.
+   */
+  checkServerCertificateHostname?: boolean;
+
   /**
    * SEA-only: PEM-encoded CA certificate (string or `Buffer`) added to the
    * trust store on top of the system roots — for TLS-inspecting proxies or
    * on-prem internal CAs. Honoured regardless of `checkServerCertificate`.
    * @internal SEA path only.
    */
   customCaCert?: Buffer | string;
+
+  /**
+   * SEA-only: PEM-encoded client certificate (string or `Buffer`) for
+   * mutual TLS (mTLS). Must be supplied together with `clientKeyPem`; a
+   * leaf cert optionally followed by its intermediate chain is accepted.
+   * Mirrors the Python connector's `_tls_client_cert_file`.
+   * @internal SEA path only.
+   */
+  clientCertPem?: Buffer | string;
+
+  /**
+   * SEA-only: PEM-encoded private key (string or `Buffer`) for the mTLS
+   * client certificate. Must be supplied together with `clientCertPem`.
+   * For portability supply a PKCS#8 key (`BEGIN PRIVATE KEY`). Mirrors the
+   * Python connector's `_tls_client_cert_key_file`.
+   * @internal SEA path only.
+   */
+  clientKeyPem?: Buffer | string;
 }

lib/contracts/OperationStatus.ts

@@ -53,4 +53,33 @@ export interface OperationStatus {
    * to `WaitUntilReadyOptions.callback` for the consumer to interpret.
    */
   progressUpdateResponse?: unknown;
+
+  /**
+   * Number of rows modified by a DML statement (UPDATE / INSERT / DELETE /
+   * MERGE). `undefined`/`null` for SELECT and on backends/warehouses that do
+   * not surface the counter. Mirrors Thrift's
+   * `TGetOperationStatusResp.numModifiedRows`.
+   */
+  numModifiedRows?: number | null;
+
+  /**
+   * Server-supplied user-facing message, when the backend exposes one. Mirrors
+   * Thrift's `TGetOperationStatusResp.displayMessage`. May contain SQL
+   * fragments or parameter values — treat as potentially sensitive.
+   */
+  displayMessage?: string | null;
+
+  /**
+   * Server-supplied diagnostic detail (multi-line operator / stack context),
+   * when available. Mirrors Thrift's `TGetOperationStatusResp.diagnosticInfo`.
+   * For support surfaces, not user-facing.
+   */
+  diagnosticInfo?: string | null;
+
+  /**
+   * Server-supplied JSON blob with extended error details, when available.
+   * Mirrors Thrift's `TGetOperationStatusResp.errorDetailsJson`. Pass-through
+   * string — callers parse with `JSON.parse` if they need structured access.
+   */
+  errorDetailsJson?: string | null;
 }