dataiku-sdk 0.2.3 → 0.3.0

package/dist/packages/types/src/index.d.ts

@@ -14,9 +14,9 @@ export type SafeParseResult<T> = {
     errors: string[];
 };
 /**
- * Validate `data` against a TypeBox schema without throwing.
- * Always returns the data (cast as T) — on mismatch, includes human-readable
- * error strings so callers can warn instead of crash.
+ * Validate `data` against a TypeBox schema without throwing, even when invalid
+ * values are not JSON-serializable. Always returns the original data (cast as T)
+ * and includes human-readable error strings so callers can warn instead of crash.
  */
 export declare function safeParseSchema<S extends TSchema>(schema: S, data: unknown): SafeParseResult<Static<S>>;
 export declare const ProjectSummarySchema: import("@sinclair/typebox").TObject<{

package/dist/packages/types/src/index.js

@@ -12,15 +12,65 @@ export function parseSchema(schema, data) {
     return data;
 }
 /**
- * Validate `data` against a TypeBox schema without throwing.
- * Always returns the data (cast as T) — on mismatch, includes human-readable
- * error strings so callers can warn instead of crash.
+ * Format invalid values for validation errors without throwing on BigInt, circular,
+ * function, symbol, or other non-JSON-serializable input.
+ */
+function formatInvalidValue(value) {
+    if (value === undefined)
+        return "undefined";
+    if (typeof value === "bigint")
+        return `${value.toString()}n`;
+    if (typeof value === "symbol") {
+        return value.description === undefined ? "Symbol()" : `Symbol(${value.description})`;
+    }
+    if (typeof value === "function") {
+        return value.name ? `[Function ${value.name}]` : "[Function anonymous]";
+    }
+    const seen = new WeakSet();
+    try {
+        const json = JSON.stringify(value, (_key, nestedValue) => {
+            if (typeof nestedValue === "bigint")
+                return `${nestedValue.toString()}n`;
+            if (typeof nestedValue === "symbol") {
+                return nestedValue.description === undefined
+                    ? "Symbol()"
+                    : `Symbol(${nestedValue.description})`;
+            }
+            if (typeof nestedValue === "function") {
+                return nestedValue.name
+                    ? `[Function ${nestedValue.name}]`
+                    : "[Function anonymous]";
+            }
+            if (nestedValue !== null && typeof nestedValue === "object") {
+                if (seen.has(nestedValue))
+                    return "[Circular]";
+                seen.add(nestedValue);
+            }
+            return nestedValue;
+        });
+        if (json !== undefined)
+            return json;
+    }
+    catch {
+        // Ignore serialization failures and fall back to a safer summary below.
+    }
+    try {
+        return Object.prototype.toString.call(value);
+    }
+    catch {
+        return "[Unformattable value]";
+    }
+}
+/**
+ * Validate `data` against a TypeBox schema without throwing, even when invalid
+ * values are not JSON-serializable. Always returns the original data (cast as T)
+ * and includes human-readable error strings so callers can warn instead of crash.
  */
 export function safeParseSchema(schema, data) {
     if (Value.Check(schema, data)) {
         return { success: true, data: data, };
     }
-    const errors = [...Value.Errors(schema, data),].map((e) => `${e.path}: ${e.message} (got ${JSON.stringify(e.value)})`);
+    const errors = [...Value.Errors(schema, data),].map((e) => `${e.path}: ${e.message} (got ${formatInvalidValue(e.value)})`);
     return { success: false, data: data, errors, };
 }
 // ---------------------------------------------------------------------------

package/dist/src/auth.d.ts

@@ -1,4 +1,11 @@
-export declare function validateCredentials(url: string, apiKey: string): Promise<{
+import { DataikuError } from "./errors.js";
+export interface CredentialValidationResult {
     valid: boolean;
     error?: string;
-}>;
+    dataikuError?: DataikuError;
+}
+export interface CredentialValidationOptions {
+    tlsRejectUnauthorized?: boolean;
+    caCertPath?: string;
+}
+export declare function validateCredentials(url: string, apiKey: string, options?: CredentialValidationOptions): Promise<CredentialValidationResult>;

package/dist/src/auth.js

@@ -1,19 +1,21 @@
 import { DataikuClient, } from "./client.js";
 import { DataikuError, } from "./errors.js";
-export async function validateCredentials(url, apiKey) {
+export async function validateCredentials(url, apiKey, options = {}) {
     try {
         const client = new DataikuClient({
             url,
             apiKey,
             requestTimeoutMs: 10_000,
             retryMaxAttempts: 1,
+            tlsRejectUnauthorized: options.tlsRejectUnauthorized,
+            caCertPath: options.caCertPath,
         });
         await client.projects.list();
         return { valid: true, };
     }
     catch (err) {
         if (err instanceof DataikuError) {
-            return { valid: false, error: err.message, };
+            return { valid: false, error: err.message, dataikuError: err, };
         }
         return { valid: false, error: err instanceof Error ? err.message : String(err), };
     }

package/dist/src/cli.js

@@ -42,9 +42,13 @@ function json(v) {
         return undefined;
     return JSON.parse(v);
 }
+const SQL_QUERY_USAGE = "dss sql query [SQL | --sql QUERY | --sql-file PATH | --sql - | --stdin] (--connection CONN | --dataset FULL_NAME) [--database DB] [--project-key KEY]";
+function readStdinText() {
+    return readFileSync(0, "utf-8");
+}
 function jsonInput(flags) {
     if (flags["stdin"] === true) {
-        return JSON.parse(readFileSync(0, "utf-8"));
+        return JSON.parse(readStdinText());
     }
     if (typeof flags["data-file"] === "string") {
         return JSON.parse(readFileSync(flags["data-file"], "utf-8"));
@@ -54,6 +58,62 @@ function jsonInput(flags) {
     }
     return undefined;
 }
+function parseTlsRejectUnauthorizedEnv(value) {
+    if (value === undefined)
+        return undefined;
+    const normalized = value.trim().toLowerCase();
+    if (normalized === "0" || normalized === "false" || normalized === "no")
+        return false;
+    if (normalized === "1" || normalized === "true" || normalized === "yes")
+        return true;
+    return undefined;
+}
+function resolveTlsSettings(flags, saved) {
+    let tlsRejectUnauthorized = flags["insecure"] === true ? false : undefined;
+    let caCertPath = flags["ca-cert"];
+    tlsRejectUnauthorized ??= parseTlsRejectUnauthorizedEnv(process.env.NODE_TLS_REJECT_UNAUTHORIZED);
+    caCertPath ??= process.env.NODE_EXTRA_CA_CERTS;
+    if (tlsRejectUnauthorized === undefined) {
+        tlsRejectUnauthorized = saved?.tlsRejectUnauthorized;
+    }
+    caCertPath ??= saved?.caCertPath;
+    return { tlsRejectUnauthorized, caCertPath, };
+}
+function resolveSqlInput(args, flags) {
+    const sources = [];
+    if (typeof flags["sql"] === "string") {
+        sources.push({
+            label: flags["sql"] === "-" ? "--sql -" : "--sql",
+            read: () => flags["sql"] === "-" ? readStdinText() : String(flags["sql"]),
+        });
+    }
+    if (typeof flags["sql-file"] === "string") {
+        sources.push({
+            label: "--sql-file",
+            read: () => readFileSync(flags["sql-file"], "utf-8"),
+        });
+    }
+    if (flags["stdin"] === true) {
+        sources.push({ label: "--stdin", read: readStdinText, });
+    }
+    if (args.length > 1) {
+        throw new UsageError(`Expected at most one positional SQL argument. Quote the SQL or use --sql-file/--stdin.\nUsage: ${SQL_QUERY_USAGE}`);
+    }
+    if (args[0] !== undefined) {
+        sources.push({ label: "positional SQL", read: () => args[0], });
+    }
+    if (sources.length === 0) {
+        throw new UsageError(`SQL input is required. Usage: ${SQL_QUERY_USAGE}`);
+    }
+    if (sources.length > 1) {
+        throw new UsageError(`Choose exactly one SQL input source: --sql, --sql-file, --stdin, or one positional SQL argument. Usage: ${SQL_QUERY_USAGE}`);
+    }
+    const query = sources[0].read();
+    if (query.trim().length === 0) {
+        throw new UsageError(`SQL input from ${sources[0].label} must not be empty. Usage: ${SQL_QUERY_USAGE}`);
+    }
+    return query;
+}
 async function resolveFolderId(client, nameOrId, flags) {
     return client.folders.resolveId(nameOrId, flags["project-key"]);
 }
@@ -150,7 +210,19 @@ function writeCommandResult(result, format) {
 // ---------------------------------------------------------------------------
 // Arg parsing
 // ---------------------------------------------------------------------------
-const BOOLEAN_FLAGS = new Set(["help", "verbose", "version", "stdin", "global", "list-agents",]);
+const BOOLEAN_FLAGS = new Set([
+    "help",
+    "verbose",
+    "version",
+    "stdin",
+    "insecure",
+    "global",
+    "list-agents",
+    "include-raw",
+    "include-payload",
+    "include-logs",
+    "replace",
+]);
 const SHORT_FLAGS = {
     h: "help",
     v: "verbose",
@@ -161,7 +233,18 @@ const SHORT_FLAGS = {
 /** Long-flag aliases: these are normalized to the canonical name in parseArgs. */
 const FLAG_ALIASES = {
     project: "project-key",
+    "skip-tls-verify": "insecure",
+    "extra-ca-certs": "ca-cert",
 };
+function isNegativeNumberToken(value) {
+    return value.startsWith("-") && Number.isFinite(Number(value));
+}
+function requireFlagValue(flagLabel, next) {
+    if (next === undefined || (next.startsWith("-") && !isNegativeNumberToken(next))) {
+        throw new UsageError(`Flag ${flagLabel} requires a value.`);
+    }
+    return next;
+}
 function parseArgs(argv) {
     const positional = [];
     const flags = {};
@@ -179,19 +262,15 @@ function parseArgs(argv) {
                 flags[FLAG_ALIASES[raw] ?? raw] = arg.slice(eqIdx + 1);
             }
             else {
-                const flagName = FLAG_ALIASES[arg.slice(2)] ?? arg.slice(2);
+                const rawFlagName = arg.slice(2);
+                const flagName = FLAG_ALIASES[rawFlagName] ?? rawFlagName;
                 if (BOOLEAN_FLAGS.has(flagName)) {
                     flags[flagName] = true;
                 }
                 else {
-                    const next = argv[i + 1];
-                    if (next !== undefined && !next.startsWith("-")) {
-                        flags[flagName] = next;
-                        i++;
-                    }
-                    else {
-                        flags[flagName] = true;
-                    }
+                    const next = requireFlagValue(`--${rawFlagName}`, argv[i + 1]);
+                    flags[flagName] = next;
+                    i++;
                 }
             }
         }
@@ -202,14 +281,9 @@ function parseArgs(argv) {
                     flags[long] = true;
                 }
                 else {
-                    const next = argv[i + 1];
-                    if (next !== undefined && !next.startsWith("-")) {
-                        flags[long] = next;
-                        i++;
-                    }
-                    else {
-                        flags[long] = true;
-                    }
+                    const next = requireFlagValue(`-${arg[1]}`, argv[i + 1]);
+                    flags[long] = next;
+                    i++;
                 }
             }
             else {
@@ -275,9 +349,10 @@ const commands = {
                 return c.datasets.preview(a[0], {
                     maxRows: num(f["max-rows"]),
                     projectKey: f["project-key"],
+                    timeoutMs: num(f["timeout"]),
                 });
             },
-            usage: "dss dataset preview <name> [--max-rows N] [--project-key KEY]",
+            usage: "dss dataset preview <name> [--max-rows N] [--project-key KEY] [--timeout MS]",
         },
         metadata: {
             handler: (c, a, f) => {
@@ -650,18 +725,22 @@ const commands = {
     },
     sql: {
         query: {
-            handler: (c, _a, f) => {
-                const query = f["sql"];
-                if (!query)
-                    throw new UsageError("--sql is required. Usage: dss sql query --sql 'SELECT ...'");
+            handler: (c, a, f) => {
+                const query = resolveSqlInput(a, f);
+                const connection = f["connection"];
+                const datasetFullName = f["dataset"];
+                if ((connection ? 1 : 0) + (datasetFullName ? 1 : 0) !== 1) {
+                    throw new UsageError(`Pass exactly one of --connection or --dataset. Usage: ${SQL_QUERY_USAGE}`);
+                }
                 return c.sql.query({
                     query,
-                    connection: f["connection"],
-                    datasetFullName: f["dataset"],
+                    connection,
+                    datasetFullName,
                     database: f["database"],
+                    projectKey: f["project-key"],
                 });
             },
-            usage: "dss sql query --sql 'SELECT ...' [--connection CONN] [--dataset FULL_NAME] [--database DB]",
+            usage: SQL_QUERY_USAGE,
         },
     },
     notebook: {
@@ -782,6 +861,8 @@ function printTopLevelHelp() {
         "      --api-key KEY        API key              (env: DATAIKU_API_KEY)",
         "      --project-key KEY    Default project key   (env: DATAIKU_PROJECT_KEY)",
         "      --timeout MS         Request timeout in ms  (default: 30000)",
+        "      --insecure           Disable TLS certificate verification",
+        "      --ca-cert PATH       Extra PEM CA bundle (env: NODE_EXTRA_CA_CERTS)",
         "",
         "Resources:",
         ...RESOURCE_NAMES.map((r) => `  ${r}`),
@@ -866,6 +947,7 @@ function loadEnvFile() {
 const AUTH_ACTIONS = {
     login: {
         handler: async (flags) => {
+            const tlsSettings = resolveTlsSettings(flags);
             let { url, apiKey, projectKey, } = resolveCredentials(flags);
             if (!url || !apiKey) {
                 if (!process.stdin.isTTY) {
@@ -883,41 +965,46 @@ const AUTH_ACTIONS = {
             if (!apiKey)
                 throw new UsageError("API key is required.");
             process.stderr.write("Validating credentials... ");
-            const result = await validateCredentials(url, apiKey);
+            const result = await validateCredentials(url, apiKey, tlsSettings);
             if (!result.valid) {
                 process.stderr.write(`✗ Failed\n`);
+                if (result.dataikuError)
+                    throw result.dataikuError;
                 throw new DataikuError(0, "Authentication Failed", result.error ?? "Credential validation failed");
             }
-            process.stderr.write("\u2713 Connected\n");
-            saveCredentials({ url, apiKey, projectKey, });
+            process.stderr.write("✓ Connected\n");
+            saveCredentials({ url, apiKey, projectKey, ...tlsSettings, });
             process.stderr.write(`Credentials saved to ${getCredentialsPath()}\n`);
         },
-        usage: "dss auth login [--url URL] [--api-key KEY] [--project-key KEY]",
+        usage: "dss auth login [--url URL] [--api-key KEY] [--project-key KEY] [--insecure] [--ca-cert PATH]",
     },
     status: {
-        handler: async (_flags) => {
+        handler: async (flags) => {
             const creds = loadCredentials();
             if (!creds) {
                 process.stderr.write("No saved credentials. Run: dss auth login\n");
                 return;
             }
+            const tlsSettings = resolveTlsSettings(flags, creds);
             const lines = [
                 `URL:         ${creds.url}`,
                 `API key:     ${maskApiKey(creds.apiKey)}`,
                 `Project key: ${creds.projectKey ?? "(not set)"}`,
+                `TLS verify:  ${tlsSettings.tlsRejectUnauthorized === false ? "disabled" : "strict"}`,
+                `CA cert:     ${tlsSettings.caCertPath ?? "(default trust store)"}`,
             ];
             for (const line of lines)
                 process.stderr.write(`${line}\n`);
-            const result = await validateCredentials(creds.url, creds.apiKey);
+            const result = await validateCredentials(creds.url, creds.apiKey, tlsSettings);
             if (result.valid) {
-                process.stderr.write("Connection:  \u2713 Valid\n");
+                process.stderr.write("Connection:  ✓ Valid\n");
             }
             else {
-                process.stderr.write(`Connection:  \u2717 Failed (${result.error ?? "unknown error"})\n`);
+                process.stderr.write(`Connection:  ✗ Failed (${result.error ?? "unknown error"})\n`);
             }
             process.stderr.write(`Config:      ${getCredentialsPath()}\n`);
         },
-        usage: "dss auth status",
+        usage: "dss auth status [--insecure] [--ca-cert PATH]",
     },
     logout: {
         handler: async (_flags) => {
@@ -964,18 +1051,21 @@ function resolveCredentials(flags) {
     let url = flags["url"];
     let apiKey = flags["api-key"];
     let projectKey = flags["project-key"];
+    const saved = loadCredentials();
     url ??= process.env.DATAIKU_URL;
     apiKey ??= process.env.DATAIKU_API_KEY;
     projectKey ??= process.env.DATAIKU_PROJECT_KEY;
-    if (!url || !apiKey) {
-        const saved = loadCredentials();
-        if (saved) {
-            url ||= saved.url;
-            apiKey ||= saved.apiKey;
-            projectKey ??= saved.projectKey;
-        }
+    if (saved) {
+        url ||= saved.url;
+        apiKey ||= saved.apiKey;
+        projectKey ??= saved.projectKey;
     }
-    return { url: url ?? "", apiKey: apiKey ?? "", projectKey, };
+    return {
+        url: url ?? "",
+        apiKey: apiKey ?? "",
+        projectKey,
+        ...resolveTlsSettings(flags, saved ?? undefined),
+    };
 }
 // ---------------------------------------------------------------------------
 // Main
@@ -1108,7 +1198,7 @@ async function main() {
         process.exit(0);
     }
     // Resolve credentials: flags > env > saved > .env
-    const { url, apiKey, projectKey, } = resolveCredentials(flags);
+    const { url, apiKey, projectKey, tlsRejectUnauthorized, caCertPath, } = resolveCredentials(flags);
     if (!url) {
         throw new UsageError("Missing Dataiku URL. Set DATAIKU_URL, pass --url, or run: dss auth login");
     }
@@ -1122,6 +1212,8 @@ async function main() {
         projectKey,
         verbose: flags["verbose"] === true,
         requestTimeoutMs,
+        tlsRejectUnauthorized,
+        caCertPath,
     });
     const args = positional.slice(2);
     const format = parseOutputFormat(flags["format"]);

package/dist/src/client.d.ts

@@ -23,6 +23,10 @@ export interface DataikuClientConfig {
     retryMaxAttempts?: number;
     /** Emit HTTP request/response logs to stderr for CLI debugging. */
     verbose?: boolean;
+    /** Override TLS certificate verification for HTTPS requests. */
+    tlsRejectUnauthorized?: boolean;
+    /** Extra PEM CA bundle to trust in addition to Bun's default trust store. */
+    caCertPath?: string;
     /**
      * Called when an API response fails schema validation but data is still usable.
      * Default: writes to stderr. Set to a throwing function for strict mode.
@@ -38,6 +42,7 @@ export declare class DataikuClient {
     private readonly requestTimeoutMs;
     private readonly retryMaxAttempts;
     private readonly verbose;
+    private readonly tlsOptions;
     private readonly onValidationWarning;
     private _projects?;
     private _datasets?;
@@ -62,6 +67,7 @@ export declare class DataikuClient {
     get sql(): SqlResource;
     get notebooks(): NotebooksResource;
     constructor(config: DataikuClientConfig);
+    getRequestTimeoutMs(): number;
     resolveProjectKey(paramValue?: string): string;
     get<T = unknown>(path: string): Promise<T>;
     getText(path: string): Promise<string>;
@@ -81,9 +87,10 @@ export declare class DataikuClient {
      */
     parse<S extends TSchema>(schema: S, data: unknown): Static<S>;
     /**
-     * Validate raw data against a TypeBox schema without throwing.
-     * Always returns the data. On mismatch, fires onValidationWarning callback
-     * with the method name and error details.
+     * Validate raw data against a TypeBox schema without throwing, even when
+     * mismatched values are not JSON-serializable. Always returns the original
+     * data, and on mismatch emits onValidationWarning with the method name and
+     * error details. If the callback throws, that error still propagates.
      */
     safeParse<S extends TSchema>(schema: S, data: unknown, method: string): Static<S>;
     /** Emit a validation warning via the configured callback. */

package/dist/src/client.js

@@ -1,3 +1,5 @@
+import { readFileSync, } from "node:fs";
+import { getCACertificates, } from "node:tls";
 import { Value, } from "@sinclair/typebox/value";
 import { safeParseSchema, } from "./schemas.js";
 import { classifyDataikuError, DataikuError, } from "./errors.js";
@@ -50,6 +52,27 @@ function buildRetryMetadata(method, enabled, maxAttempts, attempts, delaysMs, ti
         timedOut,
     };
 }
+function buildFetchTlsOptions(config) {
+    const rejectUnauthorized = config.tlsRejectUnauthorized;
+    const caCertPath = config.caCertPath?.trim();
+    if (rejectUnauthorized === undefined && !caCertPath)
+        return undefined;
+    const tls = {};
+    if (rejectUnauthorized !== undefined)
+        tls.rejectUnauthorized = rejectUnauthorized;
+    if (caCertPath) {
+        try {
+            tls.ca = [...getCACertificates("default"), readFileSync(caCertPath, "utf-8"),];
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            throw new Error(`Unable to read CA certificate bundle at ${caCertPath}: ${message}`, {
+                cause: error,
+            });
+        }
+    }
+    return tls;
+}
 /* ------------------------------------------------------------------ */
 /*  Client                                                             */
 /* ------------------------------------------------------------------ */
@@ -60,6 +83,7 @@ export class DataikuClient {
     requestTimeoutMs;
     retryMaxAttempts;
     verbose;
+    tlsOptions;
     onValidationWarning;
     /* Resource namespaces — lazily initialized to break circular imports */
     _projects;
@@ -120,8 +144,12 @@ export class DataikuClient {
         const rawMax = config.retryMaxAttempts ?? DEFAULT_RETRY_MAX_ATTEMPTS;
         this.retryMaxAttempts = Math.min(Math.max(1, rawMax), MAX_RETRY_ATTEMPTS_CAP);
         this.verbose = config.verbose === true;
+        this.tlsOptions = buildFetchTlsOptions(config);
         this.onValidationWarning = config.onValidationWarning ?? defaultValidationWarning;
     }
+    getRequestTimeoutMs() {
+        return this.requestTimeoutMs;
+    }
     /* ---- public: project key resolution ---- */
     resolveProjectKey(paramValue) {
         const pk = paramValue?.trim();
@@ -223,9 +251,10 @@ export class DataikuClient {
         return data;
     }
     /**
-     * Validate raw data against a TypeBox schema without throwing.
-     * Always returns the data. On mismatch, fires onValidationWarning callback
-     * with the method name and error details.
+     * Validate raw data against a TypeBox schema without throwing, even when
+     * mismatched values are not JSON-serializable. Always returns the original
+     * data, and on mismatch emits onValidationWarning with the method name and
+     * error details. If the callback throws, that error still propagates.
      */
     safeParse(schema, data, method) {
         const result = safeParseSchema(schema, data);
@@ -270,7 +299,14 @@ export class DataikuClient {
             }, this.requestTimeoutMs);
             this.logVerbose(`${method} ${url}`);
             try {
-                const res = await fetch(url, { ...init, method, signal: controller.signal, });
+                const requestInit = {
+                    ...init,
+                    method,
+                    signal: controller.signal,
+                };
+                if (this.tlsOptions)
+                    requestInit.tls = this.tlsOptions;
+                const res = await fetch(url, requestInit);
                 this.logVerbose(`${method} ${url} → ${res.status} (${Date.now() - startedAt}ms)`);
                 if (!res.ok) {
                     const text = await res.text();

package/dist/src/config.d.ts

@@ -2,6 +2,8 @@ export interface DssCredentials {
     url: string;
     apiKey: string;
     projectKey?: string;
+    tlsRejectUnauthorized?: boolean;
+    caCertPath?: string;
 }
 export declare function getConfigDir(): string;
 export declare function getCredentialsPath(): string;

package/dist/src/config.js

@@ -30,6 +30,10 @@ export function loadCredentials() {
             url: obj.url,
             apiKey: obj.apiKey,
             projectKey: typeof obj.projectKey === "string" ? obj.projectKey : undefined,
+            tlsRejectUnauthorized: typeof obj.tlsRejectUnauthorized === "boolean"
+                ? obj.tlsRejectUnauthorized
+                : undefined,
+            caCertPath: typeof obj.caCertPath === "string" ? obj.caCertPath : undefined,
         };
     }
     catch (err) {
@@ -44,6 +48,11 @@ export function saveCredentials(creds) {
     const data = { url: creds.url, apiKey: creds.apiKey, };
     if (creds.projectKey)
         data.projectKey = creds.projectKey;
+    if (creds.tlsRejectUnauthorized !== undefined) {
+        data.tlsRejectUnauthorized = creds.tlsRejectUnauthorized;
+    }
+    if (creds.caCertPath)
+        data.caCertPath = creds.caCertPath;
     writeFileSync(path, `${JSON.stringify(data, null, 2)}\n`, "utf-8");
     chmodSync(path, 0o600);
 }

package/dist/src/index.d.ts

@@ -1,5 +1,5 @@
 export { DataikuClient, type DataikuClientConfig, } from "./client.js";
-export { validateCredentials, } from "./auth.js";
+export { type CredentialValidationOptions, type CredentialValidationResult, validateCredentials, } from "./auth.js";
 export { deleteCredentials, type DssCredentials, getConfigDir, getCredentialsPath, loadCredentials, maskApiKey, saveCredentials, } from "./config.js";
 export { DataikuError, type DataikuErrorCategory, type DataikuErrorTaxonomy, type DataikuRetryMetadata, } from "./errors.js";
 export { CodeEnvsResource, } from "./resources/code-envs.js";

package/dist/src/resources/datasets.d.ts

@@ -28,6 +28,7 @@ export declare class DatasetsResource extends BaseResource {
         validateColumns?: {
             name: string;
         }[];
+        timeoutMs?: number;
     }): Promise<string>;
     /** Get dataset metadata (tags, custom fields, checklists). */
     metadata(datasetName: string, projectKey?: string): Promise<Record<string, unknown>>;

package/dist/src/resources/datasets.js

@@ -149,37 +149,65 @@ function emitCsvLineWithLimit(row, maxDataRows, emittedRows, onLine, onHeader) {
     }
     return false;
 }
-async function collectPreviewCsv(body, maxDataRows, onHeader) {
+function buildPreviewTimeoutError(timeoutMs) {
+    return new DataikuError(0, "Request Timeout", `Dataset preview timed out after ${timeoutMs}ms while waiting for rows.`);
+}
+async function readChunkWithTimeout(reader, remainingMs, timeoutMs) {
+    return new Promise((resolveChunk, rejectChunk) => {
+        const timer = setTimeout(() => {
+            void reader.cancel(buildPreviewTimeoutError(timeoutMs)).catch(() => { });
+            rejectChunk(buildPreviewTimeoutError(timeoutMs));
+        }, remainingMs);
+        reader.read().then((result) => {
+            clearTimeout(timer);
+            resolveChunk(result);
+        }, (error) => {
+            clearTimeout(timer);
+            rejectChunk(error);
+        });
+    });
+}
+async function collectPreviewCsv(body, maxDataRows, timeoutMs, onHeader) {
     const state = createTsvStreamState();
     const emittedRows = { value: 0, };
     const lines = [];
     let done = false;
-    const nodeStream = Readable.fromWeb(body);
-    for await (const chunk of nodeStream) {
-        if (done)
-            break;
-        consumeTsvChunk(Buffer.from(chunk).toString("utf-8"), state, (row) => {
-            if (done)
-                return;
-            done = emitCsvLineWithLimit(row, maxDataRows, emittedRows, (line) => {
-                lines.push(line);
-            }, onHeader);
-        });
-        if (done) {
-            nodeStream.destroy();
-            break;
+    const startedAt = Date.now();
+    const reader = body.getReader();
+    try {
+        while (true) {
+            if (done) {
+                void reader.cancel().catch(() => { });
+                break;
+            }
+            const remainingMs = timeoutMs - (Date.now() - startedAt);
+            if (remainingMs <= 0)
+                throw buildPreviewTimeoutError(timeoutMs);
+            const result = await readChunkWithTimeout(reader, remainingMs, timeoutMs);
+            if (result.done)
+                break;
+            consumeTsvChunk(Buffer.from(result.value).toString("utf-8"), state, (row) => {
+                if (done)
+                    return;
+                done = emitCsvLineWithLimit(row, maxDataRows, emittedRows, (line) => {
+                    lines.push(line);
+                }, onHeader);
+            });
+        }
+        if (!done) {
+            flushTsvStream(state, (row) => {
+                if (done)
+                    return;
+                done = emitCsvLineWithLimit(row, maxDataRows, emittedRows, (line) => {
+                    lines.push(line);
+                }, onHeader);
+            });
         }
+        return lines.join("\n");
     }
-    if (!done) {
-        flushTsvStream(state, (row) => {
-            if (done)
-                return;
-            done = emitCsvLineWithLimit(row, maxDataRows, emittedRows, (line) => {
-                lines.push(line);
-            }, onHeader);
-        });
+    finally {
+        reader.releaseLock();
     }
-    return lines.join("\n");
 }
 function tsvToCsvTransform(maxDataRows, onHeader) {
     const state = createTsvStreamState();
@@ -309,6 +337,7 @@ export class DatasetsResource extends BaseResource {
      */
     async preview(datasetName, opts) {
         const maxRows = Math.max(1, Math.min(opts?.maxRows ?? 50, 500));
+        const timeoutMs = Math.max(1, opts?.timeoutMs ?? this.client.getRequestTimeoutMs());
         const dsEnc = encodeURIComponent(datasetName);
         const res = await this.client.stream(`/public/api/projects/${this.enc(opts?.projectKey)}/datasets/${dsEnc}/data/?format=tsv-excel-header&limit=${maxRows}`);
         const onHeader = opts?.validateColumns
@@ -319,7 +348,9 @@ export class DatasetsResource extends BaseResource {
                 }
             }
             : undefined;
-        return collectPreviewCsv(res.body, maxRows, onHeader);
+        if (!res.body)
+            return "";
+        return collectPreviewCsv(res.body, maxRows, timeoutMs, onHeader);
     }
     /** Get dataset metadata (tags, custom fields, checklists). */
     async metadata(datasetName, projectKey) {

package/dist/src/resources/sql.d.ts

@@ -1,20 +1,23 @@
 import type { SqlQueryResponse, SqlQueryResult } from "../schemas.js";
 import { BaseResource } from "./base.js";
+type SqlQueryOptions = {
+    query: string;
+    connection?: string;
+    datasetFullName?: string;
+    database?: string;
+    preQueries?: string[];
+    postQueries?: string[];
+    type?: string;
+    projectKey?: string;
+};
 export declare class SqlResource extends BaseResource {
+    private resolveOptionalProjectKey;
     /**
      * Start a SQL query and return the queryId + schema.
      * Specify either `connection` (run against a DB connection)
      * or `datasetFullName` (run against a dataset's connection).
      */
-    startQuery(opts: {
-        query: string;
-        connection?: string;
-        datasetFullName?: string;
-        database?: string;
-        preQueries?: string[];
-        postQueries?: string[];
-        type?: string;
-    }): Promise<SqlQueryResult>;
+    startQuery(opts: SqlQueryOptions): Promise<SqlQueryResult>;
     /**
      * Stream results of a started query as parsed JSON (array of arrays).
      */
@@ -24,17 +27,12 @@ export declare class SqlResource extends BaseResource {
      * Throws on failure.
      */
     finishStreaming(queryId: string): Promise<void>;
+    private executeQuery;
+    private resolveDatasetQueryFallback;
     /**
      * Execute a SQL query end-to-end: start, stream all rows, verify, return combined result.
      * This is the primary method most callers want.
      */
-    query(opts: {
-        query: string;
-        connection?: string;
-        datasetFullName?: string;
-        database?: string;
-        preQueries?: string[];
-        postQueries?: string[];
-        type?: string;
-    }): Promise<SqlQueryResponse>;
+    query(opts: SqlQueryOptions): Promise<SqlQueryResponse>;
 }
+export {};

package/dist/src/resources/sql.js

@@ -13,7 +13,37 @@ function buildUnsupportedSqlDatasetConnectionMessage(datasetFullName) {
         : "This query uses a connection that DSS does not support for direct SQL queries.";
     return `${subject} Use --connection with a SQL-compatible connection instead.`;
 }
+function asRecord(value) {
+    if (!value || typeof value !== "object" || Array.isArray(value))
+        return undefined;
+    return value;
+}
+function asString(value) {
+    if (typeof value !== "string")
+        return undefined;
+    const trimmed = value.trim();
+    return trimmed.length > 0 ? trimmed : undefined;
+}
+function splitDatasetIdentifier(datasetFullName, fallbackProjectKey) {
+    const trimmed = datasetFullName.trim();
+    const dotIndex = trimmed.indexOf(".");
+    if (dotIndex <= 0) {
+        return { datasetName: trimmed, projectKey: fallbackProjectKey, };
+    }
+    return {
+        projectKey: trimmed.slice(0, dotIndex),
+        datasetName: trimmed.slice(dotIndex + 1),
+    };
+}
 export class SqlResource extends BaseResource {
+    resolveOptionalProjectKey(projectKey) {
+        try {
+            return this.resolveProjectKey(projectKey);
+        }
+        catch {
+            return undefined;
+        }
+    }
     /**
      * Start a SQL query and return the queryId + schema.
      * Specify either `connection` (run against a DB connection)
@@ -22,6 +52,7 @@ export class SqlResource extends BaseResource {
     async startQuery(opts) {
         return this.client.post("/public/api/sql/queries/", {
             ...opts,
+            projectKey: opts.projectKey ?? this.resolveOptionalProjectKey(opts.projectKey),
             type: opts.type ?? "sql",
         });
     }
@@ -44,6 +75,39 @@ export class SqlResource extends BaseResource {
             throw new Error(`SQL query ${queryId} failed: ${text}`);
         }
     }
+    async executeQuery(opts) {
+        const { queryId, schema, } = await this.startQuery(opts);
+        const rows = await this.streamResults(queryId);
+        await this.finishStreaming(queryId);
+        return { queryId, schema, rows, };
+    }
+    async resolveDatasetQueryFallback(opts) {
+        const datasetFullName = opts.datasetFullName;
+        if (!datasetFullName)
+            return null;
+        try {
+            const identifier = splitDatasetIdentifier(datasetFullName, opts.projectKey);
+            const projectKey = identifier.projectKey
+                ? identifier.projectKey
+                : this.resolveProjectKey(opts.projectKey);
+            const dsEnc = encodeURIComponent(identifier.datasetName);
+            const raw = await this.client.get(`/public/api/projects/${encodeURIComponent(projectKey)}/datasets/${dsEnc}`);
+            const params = asRecord(raw.params);
+            const connection = asString(params?.connection);
+            if (!connection)
+                return null;
+            return {
+                ...opts,
+                connection,
+                datasetFullName: undefined,
+                database: opts.database ?? asString(params?.schema) ?? asString(params?.catalog),
+                projectKey,
+            };
+        }
+        catch {
+            return null;
+        }
+    }
     /**
      * Execute a SQL query end-to-end: start, stream all rows, verify, return combined result.
      * This is the primary method most callers want.
@@ -51,17 +115,18 @@ export class SqlResource extends BaseResource {
     async query(opts) {
         const queryOpts = { ...opts, type: opts.type ?? "sql", };
         try {
-            const { queryId, schema, } = await this.startQuery(queryOpts);
-            const rows = await this.streamResults(queryId);
-            await this.finishStreaming(queryId);
-            return { queryId, schema, rows, };
+            return await this.executeQuery(queryOpts);
         }
         catch (error) {
             if (!isUnsupportedSqlDatasetConnectionError(error))
                 throw error;
-            throw new Error(buildUnsupportedSqlDatasetConnectionMessage(queryOpts.datasetFullName), {
-                cause: error,
-            });
+            const retryOpts = await this.resolveDatasetQueryFallback(queryOpts);
+            if (!retryOpts) {
+                throw new Error(buildUnsupportedSqlDatasetConnectionMessage(queryOpts.datasetFullName), {
+                    cause: error,
+                });
+            }
+            return this.executeQuery(retryOpts);
         }
     }
 }

package/dist/src/skill.js

@@ -36,7 +36,7 @@ dss auth login --url https://dss.example.com --api-key YOUR_KEY
 dss auth status                      # verify connection
 \`\`\`
 
-Credentials are saved to \`~/.dss/credentials.json\`. Alternatively set environment variables:
+Credentials are saved to \`~/.config/dataiku/credentials.json\`. Alternatively set environment variables:
 
 \`\`\`bash
 export DATAIKU_URL=https://dss.example.com
@@ -98,7 +98,9 @@ Use \`dss <resource> --help\` to see all actions and flags for any resource.
 -v, --verbose          log HTTP requests to stderr
     --project-key KEY  override default project for any command
     --timeout MS       request timeout (default: 30000)
-    --stdin            read JSON input from stdin
+    --insecure         disable TLS certificate verification
+    --ca-cert PATH     trust an extra PEM CA bundle
+    --stdin            read command input from stdin (JSON or SQL, depending on command)
 \`\`\`
 
 ## Gotchas
@@ -206,7 +208,7 @@ export function detectAgents() {
 // ---------------------------------------------------------------------------
 // Workspace root detection
 // ---------------------------------------------------------------------------
-const WORKSPACE_MARKERS = [".git", ".cursor", ".claude", ".codex", ".vscode",];
+const WORKSPACE_MARKERS = [".git", ".cursor", ".claude", ".codex", ".pi", ".omp", ".vscode",];
 /**
  * Walk upward from startDir looking for common workspace markers.
  * Returns the first directory containing a marker, or startDir if none found.

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "dataiku-sdk",
-	"version": "0.2.3",
+	"version": "0.3.0",
 	"description": "Dataiku DSS SDK and CLI for programmatic access to DSS REST APIs",
 	"type": "module",
 	"workspaces": [

package/packages/types/dist/index.d.ts

@@ -14,9 +14,9 @@ export type SafeParseResult<T> = {
     errors: string[];
 };
 /**
- * Validate `data` against a TypeBox schema without throwing.
- * Always returns the data (cast as T) — on mismatch, includes human-readable
- * error strings so callers can warn instead of crash.
+ * Validate `data` against a TypeBox schema without throwing, even when invalid
+ * values are not JSON-serializable. Always returns the original data (cast as T)
+ * and includes human-readable error strings so callers can warn instead of crash.
  */
 export declare function safeParseSchema<S extends TSchema>(schema: S, data: unknown): SafeParseResult<Static<S>>;
 export declare const ProjectSummarySchema: import("@sinclair/typebox").TObject<{

package/packages/types/dist/index.js

@@ -12,15 +12,65 @@ export function parseSchema(schema, data) {
     return data;
 }
 /**
- * Validate `data` against a TypeBox schema without throwing.
- * Always returns the data (cast as T) — on mismatch, includes human-readable
- * error strings so callers can warn instead of crash.
+ * Format invalid values for validation errors without throwing on BigInt, circular,
+ * function, symbol, or other non-JSON-serializable input.
+ */
+function formatInvalidValue(value) {
+    if (value === undefined)
+        return "undefined";
+    if (typeof value === "bigint")
+        return `${value.toString()}n`;
+    if (typeof value === "symbol") {
+        return value.description === undefined ? "Symbol()" : `Symbol(${value.description})`;
+    }
+    if (typeof value === "function") {
+        return value.name ? `[Function ${value.name}]` : "[Function anonymous]";
+    }
+    const seen = new WeakSet();
+    try {
+        const json = JSON.stringify(value, (_key, nestedValue) => {
+            if (typeof nestedValue === "bigint")
+                return `${nestedValue.toString()}n`;
+            if (typeof nestedValue === "symbol") {
+                return nestedValue.description === undefined
+                    ? "Symbol()"
+                    : `Symbol(${nestedValue.description})`;
+            }
+            if (typeof nestedValue === "function") {
+                return nestedValue.name
+                    ? `[Function ${nestedValue.name}]`
+                    : "[Function anonymous]";
+            }
+            if (nestedValue !== null && typeof nestedValue === "object") {
+                if (seen.has(nestedValue))
+                    return "[Circular]";
+                seen.add(nestedValue);
+            }
+            return nestedValue;
+        });
+        if (json !== undefined)
+            return json;
+    }
+    catch {
+        // Ignore serialization failures and fall back to a safer summary below.
+    }
+    try {
+        return Object.prototype.toString.call(value);
+    }
+    catch {
+        return "[Unformattable value]";
+    }
+}
+/**
+ * Validate `data` against a TypeBox schema without throwing, even when invalid
+ * values are not JSON-serializable. Always returns the original data (cast as T)
+ * and includes human-readable error strings so callers can warn instead of crash.
  */
 export function safeParseSchema(schema, data) {
     if (Value.Check(schema, data)) {
         return { success: true, data: data, };
     }
-    const errors = [...Value.Errors(schema, data),].map((e) => `${e.path}: ${e.message} (got ${JSON.stringify(e.value)})`);
+    const errors = [...Value.Errors(schema, data),].map((e) => `${e.path}: ${e.message} (got ${formatInvalidValue(e.value)})`);
     return { success: false, data: data, errors, };
 }
 // ---------------------------------------------------------------------------