feat(kernel): wire OAuth (M2M/U2M), TLS/mTLS, and Geometry on use_kernel path (#819)

* feat(kernel): wire OAuth (M2M/U2M), TLS/mTLS, and Geometry on use_kernel path

Consume the OAuth + TLS surface added to the Rust kernel's pyo3
binding so the use_kernel backend reaches feature parity with the
Thrift/SEA backends for these flows. Bumps KERNEL_REV to the kernel
commit that ships the new Session kwargs.

OAuth (kernel-owned lifecycle):
- auth_bridge.kernel_auth_kwargs now takes the raw connect() auth
  options (the OAuth secret is consumed during auth_provider
  construction and isn't recoverable from the built provider, so we
  read it from the original kwargs):
  - OAuth M2M: oauth_client_id + oauth_client_secret are forwarded to
    the kernel's auth_type='oauth-m2m'; the kernel acquires and
    refreshes tokens itself via workspace OIDC client-credentials.
  - OAuth U2M: auth_type 'databricks-oauth' / 'azure-oauth' route to
    the kernel's auth_type='oauth-u2m' (optional oauth_client_id /
    oauth_redirect_port forwarded); the kernel runs the browser flow.
  - A custom credentials_provider is rejected with a clear
    NotSupportedError — it's an opaque token source with no extractable
    raw creds, so the kernel can't own the lifecycle. Callers are
    pointed at oauth_client_id / oauth_client_secret.
  - oauth_client_secret is a new connect() kwarg, honored only on the
    use_kernel path; Thrift/SEA are unaffected.
- session.py forwards the raw auth kwargs into KernelDatabricksClient.

TLS / mTLS:
- client._kernel_tls_kwargs translates the connector's SSLOptions into
  the kernel's tls_* Session kwargs: tls_trusted_ca_file ->
  tls_ca_cert (PEM bytes), client cert/key files -> tls_client_cert /
  tls_client_key (mTLS), and inverts tls_verify -> tls_skip_verify /
  tls_verify_hostname -> tls_skip_hostname_verify. A password-protected
  client key is rejected (the kernel has no surface for it yet).
  ssl_options is no longer accept-and-ignored on this path.

Geometry:
- type_mapping recovers GEOGRAPHY / GEOMETRY result columns from the
  databricks.type_name metadata (they arrive as Arrow Utf8, like
  VARIANT) so PEP-249 description reports the precise type instead of
  collapsing to string.

Tests: 140 kernel unit tests pass (new M2M/U2M routing, custom-provider
rejection, SSLOptions->tls_* translation incl. mTLS + encrypted-key
rejection, and geospatial type recovery). black + mypy clean.

Note: KERNEL_REV points at the kernel's feat/pyo3-oauth-tls branch HEAD
until that PR merges; re-pin to the squash-merge SHA before this lands.

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>

* chore(kernel): re-pin KERNEL_REV to updated feat/pyo3-oauth-tls HEAD

The companion kernel PR (#107) was amended with review fixes (doc
backend-inversion fix, U2M degenerate-value validation), changing its
branch HEAD SHA. Re-pin so this PR's kernel-e2e builds against the
current kernel. Still the branch HEAD — re-pin to the squash-merge SHA
once #107 lands.

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>

* fix(kernel): address review — re-pin KERNEL_REV, secret hygiene, auth ambiguity, TLS superset

Addresses @gopalldb's review on #819.

P0:
- Re-pin KERNEL_REV to the squash-merge SHA of the now-merged kernel
  PR (ec2288742cbac0cd9fab50da353e8405972eefe9 on kernel main),
  replacing the orphaned branch-HEAD SHA.

P1:
- Scrub oauth_client_secret from the long-lived self._auth_options in
  open_session's finally (even on the failure path). It outlives the
  method, so a retained secret was exposed to vars()/pickle/debugger
  far longer than needed; the kernel now owns it.
- tls_verify=False now also emits tls_skip_hostname_verify=True —
  no-verify subsumes hostname verification, matching SSLOptions'
  create_ssl_context (check_hostname=False when tls_verify is False).
- Reject ambiguous auth combos before resolving, instead of silently
  picking M2M: (a) credentials_provider + oauth_client_secret, and
  (b) a U2M auth_type (databricks-oauth/azure-oauth) + oauth_client_secret.
  Both raise NotSupportedError naming the conflict, so the failure is at
  session-open rather than a confusing first-call 401 against the wrong
  principal.
- Secret-leak tests: oauth_client_secret is forwarded to the kernel but
  scrubbed from _auth_options, and absent from repr(conn) / vars(conn);
  scrub runs even when open_session raises.

P2:
- _read_pem_bytes rejects an empty/whitespace CA/cert file with a clear
  ProgrammingError instead of passing empty PEM to the kernel.
- _normalize_scopes raises ProgrammingError on a non-str/list/tuple
  oauth_scopes rather than silently dropping to default scopes.
- Added U2M oauth_scopes forwarding test.

150 kernel unit tests pass; black + mypy clean.

Note: KERNEL_REV now points at the merged kernel main SHA; no further
re-pin needed before merge.

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>

* fix(kernel): don't build connector OAuth provider on use_kernel path + add TLS e2e

Live mitmproxy TLS e2e (this commit) surfaced a real bug: on
use_kernel=True the connector still built its own auth provider in
Session.__init__ via get_python_sql_connector_auth_provider, BEFORE
use_kernel was consulted. For OAuth that constructor eagerly runs the
flow (DatabricksOAuthProvider calls _initial_get_token in __init__), so
passing oauth_client_id for kernel-managed M2M fired the U2M *browser*
flow at connect() time — opening a browser and using the M2M service
principal id as a U2M OAuth app client_id (which the account rejects).

Fix: on use_kernel=True, do NOT build the connector's provider. Hand
the kernel auth bridge a minimal AccessTokenAuthProvider when an
access_token is present, else None; OAuth M2M/U2M resolve purely from
the raw connect() kwargs the bridge already reads, and the kernel owns
the entire token lifecycle. Thrift/SEA backends are unchanged.

- session.py: branch the provider build on use_kernel; import
  AccessTokenAuthProvider; update the kernel-branch comment.
- auth_bridge.py: kernel_auth_kwargs / _is_pat / _extract_bearer_token
  accept Optional[AuthProvider] (None when no token on the kernel path);
  clearer "no credentials" error; refreshed module docstring.
- tests/unit/test_session.py: regression guards — use_kernel must NOT
  call get_python_sql_connector_auth_provider, forwards raw M2M creds
  via auth_options, and uses a minimal AccessTokenAuthProvider for PAT.

TLS e2e (the connector-side counterpart to the kernel's v0_tls_e2e.rs):
- tests/e2e/test_kernel_tls.py: 3 mitmproxy-backed tests driving
  sql.connect(use_kernel=True, _tls_*=...) — strict default rejects the
  re-signed cert, _tls_trusted_ca_file trusts it, _tls_no_verify
  bypasses. Skips cleanly without the kernel wheel / creds /
  MITMPROXY_CA_CERT. Verified live against the dogfood workspace on the
  OAuth M2M path (all 3 green) — this is what caught the bug above.
- kernel-e2e.yml: run test_kernel_tls.py in the existing (label/merge-
  queue-gated) run-kernel-e2e job behind a mitmproxy service. The kernel
  wheel is built before the proxy is in scope so cargo's JFrog fetch
  isn't routed through it; HTTPS_PROXY is scoped to the TLS test step.
  Path filter now also triggers on session.py and test_kernel_tls.py.

184 unit tests pass; black + mypy clean.

Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>

* test(kernel): make use_kernel auth-provider guards wheel-independent

The two TestKernelAuthProviderBypass tests went through
databricks.sql.connect(use_kernel=True), which triggers the lazy
`import databricks_sql_kernel` in the kernel client module. That import
fails in the unit-test job (no Rust wheel installed), so the tests
errored with ImportError before their patches applied — green locally
(wheel present) but red in CI.

Rewrite them to exercise Session.__init__'s provider-selection logic
directly with _create_backend stubbed, so the kernel client (and its
import) is never touched. Assert on session.auth_provider and that
get_python_sql_connector_auth_provider is not called. Verified passing
both with the wheel present and with `import databricks_sql_kernel`
forcibly blocked (reproducing the CI environment).

Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>

---------

Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>

Author: vikrantpuppala

.github/workflows/kernel-e2e.yml

@@ -178,7 +178,7 @@ jobs:
           echo "$CHANGED"
           # Run when the connector kernel backend, kernel e2e tests,
           # this workflow, the kernel revision pin, or core deps move.
-          if echo "$CHANGED" | grep -qE "^(src/databricks/sql/backend/kernel/|tests/e2e/test_kernel_backend\.py|tests/unit/test_kernel_|\.github/workflows/kernel-e2e\.yml|KERNEL_REV|pyproject\.toml|poetry\.lock)"; then
+          if echo "$CHANGED" | grep -qE "^(src/databricks/sql/backend/kernel/|src/databricks/sql/session\.py|tests/e2e/test_kernel_backend\.py|tests/e2e/test_kernel_tls\.py|tests/unit/test_kernel_|\.github/workflows/kernel-e2e\.yml|KERNEL_REV|pyproject\.toml|poetry\.lock)"; then
             echo "run_tests=true" >> "$GITHUB_OUTPUT"
           else
             echo "run_tests=false" >> "$GITHUB_OUTPUT"
@@ -319,6 +319,58 @@ jobs:
       - name: Run kernel e2e tests
         run: poetry run pytest tests/e2e/test_kernel_backend.py -v
 
+      # ── TLS e2e through an intercepting proxy ───────────────────────
+      # mitmproxy re-signs every TLS connection with its own CA. The
+      # connector tests (tests/e2e/test_kernel_tls.py) prove the whole
+      # stack — sql.connect(use_kernel=True, _tls_*=...) → SSLOptions →
+      # kernel handshake — trusts the CA / accepts no-verify / rejects
+      # by default. The kernel wheel is already built above, BEFORE any
+      # proxy is in scope, so cargo's JFrog registry fetch was never
+      # routed through (and broken by) mitmproxy.
+      - name: Start mitmproxy
+        run: |
+          docker run -d --name mitmproxy \
+            -p 8080:8080 \
+            mitmproxy/mitmproxy:12.2.1@sha256:743b6cdc817211d64bc269f5defacca8d14e76e647fc474e5c7244dbcb645141 \
+            mitmdump --set stream_large_bodies=0
+          for i in $(seq 1 15); do
+            if docker exec mitmproxy test -f /home/mitmproxy/.mitmproxy/mitmproxy-ca-cert.pem 2>/dev/null; then
+              echo "mitmproxy CA cert is ready"
+              break
+            fi
+            echo "Waiting for mitmproxy CA cert... ($i/15)"
+            sleep 1
+          done
+
+      - name: Extract mitmproxy CA certificate
+        run: |
+          docker cp mitmproxy:/home/mitmproxy/.mitmproxy/mitmproxy-ca-cert.pem /tmp/mitmproxy-ca-cert.pem
+          echo "MITMPROXY_CA_CERT=/tmp/mitmproxy-ca-cert.pem" >> "$GITHUB_ENV"
+          echo "Extracted mitmproxy CA cert:"
+          openssl x509 -in /tmp/mitmproxy-ca-cert.pem -noout -subject -issuer
+
+      - name: Run kernel TLS e2e tests
+        # HTTPS_PROXY is scoped to THIS step so only the test's own HTTP
+        # traffic flows through mitmproxy — not cargo / pip / anything
+        # the earlier build steps needed from the JFrog registry.
+        env:
+          HTTPS_PROXY: http://localhost:8080
+        run: poetry run pytest tests/e2e/test_kernel_tls.py -v
+
+      - name: Verify traffic flowed through mitmproxy
+        if: always()
+        run: |
+          echo "=== mitmproxy logs (tail) ==="
+          docker logs mitmproxy 2>&1 | tail -50
+          echo "=== checking for proxied-connection entries ==="
+          docker logs mitmproxy 2>&1 \
+            | grep -i "CONNECT\|clientconnect\|<<" \
+            || (echo "FAIL: no traffic in mitmproxy logs — proxy was not used" && exit 1)
+
+      - name: Cleanup mitmproxy
+        if: always()
+        run: docker rm -f mitmproxy 2>/dev/null || true
+
       # Post a Kernel E2E check on both the labeled-PR and merge-queue
       # paths so the named check on the PR reflects the latest real
       # run (overwriting the synthetic-success check that
@@ -341,7 +393,7 @@ jobs:
               completed_at: new Date().toISOString(),
               output: {
                 title: 'Kernel E2E passed',
-                summary: 'tests/e2e/test_kernel_backend.py ran green against the pinned kernel SHA.'
+                summary: 'test_kernel_backend.py and the mitmproxy-backed test_kernel_tls.py ran green against the pinned kernel SHA.'
               }
             });
 

KERNEL_REV

@@ -1 +1 @@
-3aa25b219ac4ec2c1e95c6f836b67d5475ae9a7d
+ec2288742cbac0cd9fab50da353e8405972eefe9

src/databricks/sql/backend/kernel/auth_bridge.py

@@ -1,19 +1,41 @@
-"""Translate the connector's ``AuthProvider`` into ``databricks_sql_kernel``
-``Session`` auth kwargs.
-
-This phase ships PAT only. The kernel-side PyO3 binding accepts
-``auth_type='pat'``; OAuth / federation / custom credentials
-providers are reserved but not yet wired in either layer. Non-PAT
-auth raises ``NotSupportedError`` from this bridge so the failure
-surfaces at session-open time with a clear message rather than
-deep inside the kernel.
-
-Token extraction goes through ``AuthProvider.add_headers({})``
-rather than touching auth-provider-specific attributes, so the
-bridge works uniformly for every PAT shape — including
-``AccessTokenAuthProvider`` wrapped in ``TokenFederationProvider``
-(which ``get_python_sql_connector_auth_provider`` does for every
-provider it builds).
+"""Translate the connector's auth configuration into
+``databricks_sql_kernel`` ``Session`` auth kwargs.
+
+Three auth shapes are supported on the kernel path:
+
+- **PAT** — extracted from the built ``AuthProvider`` (works for
+  ``AccessTokenAuthProvider``, including the ``TokenFederationProvider``
+  wrapper that ``get_python_sql_connector_auth_provider`` always
+  applies). Maps to the kernel's ``auth_type='pat'``.
+- **OAuth M2M** — when the caller passes ``oauth_client_id`` +
+  ``oauth_client_secret``, the *raw* credentials are forwarded to the
+  kernel's ``auth_type='oauth-m2m'`` and the kernel owns the full
+  token lifecycle (acquire + refresh via workspace OIDC
+  client-credentials). We forward the raw pair rather than reusing the
+  connector's own OAuth provider because the kernel re-mints tokens
+  itself and the client secret is not recoverable from a built
+  provider.
+- **OAuth U2M** — for ``auth_type`` ``databricks-oauth`` /
+  ``azure-oauth`` (the browser authorization-code flow), the optional
+  ``oauth_client_id`` / ``oauth_redirect_port`` are forwarded to the
+  kernel's ``auth_type='oauth-u2m'`` and the kernel runs the browser
+  flow itself.
+
+A user-supplied custom ``credentials_provider`` is **rejected** on the
+kernel path with ``NotSupportedError``: it's an opaque token source
+with no extractable raw credentials, so the kernel can't own the
+lifecycle. Such callers should pass ``oauth_client_id`` /
+``oauth_client_secret`` (M2M) instead. Anything else non-PAT also
+raises ``NotSupportedError`` so the failure surfaces at session-open
+with a clear message rather than deep inside the kernel.
+
+The M2M / U2M decisions are driven by the *raw* connect() kwargs
+(``auth_options``), not a built ``AuthProvider``. On the kernel path
+the connector deliberately does **not** build its own OAuth provider
+(that would eagerly run the U2M browser flow / M2M token exchange at
+connect() time, before the kernel is consulted), so ``auth_provider``
+is either a minimal PAT provider or ``None`` and the OAuth credentials
+are available only from the raw kwargs.
 """
 
 from __future__ import annotations
@@ -46,7 +68,7 @@
 _TOKEN_REJECT_RE = re.compile(r"[\x00-\x20\x7f]")
 
 
-def _is_pat(auth_provider: AuthProvider) -> bool:
+def _is_pat(auth_provider: Optional[AuthProvider]) -> bool:
     """Return True iff this provider ultimately wraps an
     ``AccessTokenAuthProvider``.
 
@@ -65,18 +87,20 @@ def _is_pat(auth_provider: AuthProvider) -> bool:
     return False
 
 
-def _extract_bearer_token(auth_provider: AuthProvider) -> Optional[str]:
+def _extract_bearer_token(auth_provider: Optional[AuthProvider]) -> Optional[str]:
     """Pull the current bearer token out of an ``AuthProvider``.
 
     The connector's ``AuthProvider.add_headers`` mutates a header
     dict and writes the ``Authorization: Bearer <token>`` value.
     Going through that public surface keeps us insulated from
     provider-specific internals.
 
-    Returns ``None`` if the provider did not write an Authorization
-    header or wrote a non-Bearer scheme — neither is representable
-    in the kernel's PAT auth surface.
+    Returns ``None`` if there is no provider, the provider did not
+    write an Authorization header, or it wrote a non-Bearer scheme —
+    none of which is representable in the kernel's PAT auth surface.
     """
+    if auth_provider is None:
+        return None
     headers: Dict[str, str] = {}
     auth_provider.add_headers(headers)
     auth = headers.get("Authorization")
@@ -93,15 +117,83 @@ def _extract_bearer_token(auth_provider: AuthProvider) -> Optional[str]:
     return token
 
 
-def kernel_auth_kwargs(auth_provider: AuthProvider) -> Dict[str, Any]:
+def kernel_auth_kwargs(
+    auth_provider: Optional[AuthProvider],
+    auth_options: Optional[Dict[str, Any]] = None,
+) -> Dict[str, Any]:
     """Build the kwargs passed to ``databricks_sql_kernel.Session(...)``.
 
-    PAT (including ``TokenFederationProvider``-wrapped PAT) routes
-    through the kernel's PAT path. Anything else raises
-    ``NotSupportedError`` — the kernel binding doesn't accept OAuth
-    today, and routing OAuth through PAT would silently break
-    token refresh during long-running sessions.
+    ``auth_options`` carries the raw connect() kwargs relevant to auth
+    (``auth_type``, ``oauth_client_id``, ``oauth_client_secret``,
+    ``oauth_redirect_port``, ``credentials_provider``). They drive the
+    OAuth decisions because the OAuth secret is consumed during
+    ``AuthProvider`` construction and can't be read back off the built
+    provider.
+
+    Resolution order:
+
+    0. **Ambiguity guards** — reject conflicting auth signals *before*
+       resolving, so an ambiguous request fails loudly at session-open
+       rather than silently picking one flow (and failing later as a
+       confusing 401 against the wrong principal):
+       - a custom ``credentials_provider`` *and* M2M kwargs together;
+       - a U2M ``auth_type`` (``databricks-oauth`` / ``azure-oauth``)
+         *and* ``oauth_client_secret`` together.
+    1. **OAuth M2M** — ``oauth_client_id`` + ``oauth_client_secret``
+       both present → forward raw creds to the kernel's ``oauth-m2m``.
+    2. **PAT** — the built provider is (or wraps) an
+       ``AccessTokenAuthProvider`` → extract the bearer token.
+    3. **OAuth U2M** — ``auth_type`` is ``databricks-oauth`` /
+       ``azure-oauth`` → forward optional ``oauth_client_id`` /
+       ``oauth_redirect_port`` to the kernel's ``oauth-u2m``.
+    4. **Custom credentials_provider** → ``NotSupportedError`` (opaque
+       token source; no raw creds for the kernel to own).
+    5. Anything else → ``NotSupportedError``.
+
+    M2M is checked before PAT so that a workload passing both an
+    access token *and* M2M creds resolves to the (refreshing) M2M path
+    rather than a static token. (Token + M2M is not treated as
+    ambiguous: a PAT is often present as ambient config the caller
+    didn't intend as the primary credential, whereas an explicit
+    ``oauth_client_secret`` is unambiguous M2M intent.)
     """
+    opts = auth_options or {}
+
+    client_id = opts.get("oauth_client_id")
+    client_secret = opts.get("oauth_client_secret")
+    auth_type = opts.get("auth_type")
+    has_m2m = bool(client_id and client_secret)
+
+    # 0. Ambiguity guards — fail before any flow is chosen.
+    if client_secret and opts.get("credentials_provider") is not None:
+        raise NotSupportedError(
+            "Ambiguous auth on use_kernel=True: both a custom "
+            "credentials_provider and oauth_client_secret were provided. "
+            "Pass exactly one — oauth_client_id + oauth_client_secret for "
+            "kernel-managed M2M, or use the Thrift backend (default) for "
+            "credentials_provider."
+        )
+    if client_secret and auth_type in ("databricks-oauth", "azure-oauth"):
+        raise NotSupportedError(
+            f"Ambiguous auth on use_kernel=True: auth_type={auth_type!r} selects "
+            "the U2M browser flow, but oauth_client_secret was also provided "
+            "(machine-to-machine). Drop oauth_client_secret for U2M, or drop "
+            "auth_type for M2M."
+        )
+
+    # 1. OAuth M2M — raw client-credentials pair forwarded to the kernel.
+    if has_m2m:
+        kwargs: Dict[str, Any] = {
+            "auth_type": "oauth-m2m",
+            "client_id": client_id,
+            "client_secret": client_secret,
+        }
+        scopes = _normalize_scopes(opts.get("oauth_scopes"))
+        if scopes is not None:
+            kwargs["oauth_scopes"] = scopes
+        return kwargs
+
+    # 2. PAT (including TokenFederationProvider-wrapped PAT).
     if _is_pat(auth_provider):
         token = _extract_bearer_token(auth_provider)
         if not token:
@@ -111,8 +203,66 @@ def kernel_auth_kwargs(auth_provider: AuthProvider) -> Dict[str, Any]:
             )
         return {"auth_type": "pat", "access_token": token}
 
+    # 3. OAuth U2M — browser authorization-code flow; the kernel runs it.
+    if auth_type in ("databricks-oauth", "azure-oauth"):
+        kwargs = {"auth_type": "oauth-u2m"}
+        if client_id:
+            kwargs["client_id"] = client_id
+        redirect_port = opts.get("oauth_redirect_port")
+        if redirect_port is not None:
+            kwargs["redirect_port"] = int(redirect_port)
+        scopes = _normalize_scopes(opts.get("oauth_scopes"))
+        if scopes is not None:
+            kwargs["oauth_scopes"] = scopes
+        return kwargs
+
+    # 4. Custom credentials_provider — the connector's primary M2M path
+    #    on Thrift/SEA, but unusable on the kernel: it's an opaque token
+    #    source with no extractable client_id/secret, so the kernel
+    #    can't own the token lifecycle. Point the caller at the raw
+    #    M2M kwargs instead.
+    if opts.get("credentials_provider") is not None:
+        raise NotSupportedError(
+            "use_kernel=True does not support a custom credentials_provider. "
+            "For OAuth machine-to-machine auth, pass oauth_client_id and "
+            "oauth_client_secret so the kernel can manage the token lifecycle "
+            "directly; or use the Thrift backend (default) with "
+            "credentials_provider."
+        )
+
+    # 5. Everything else (including no usable credentials at all —
+    #    ``auth_provider`` is None on the kernel path when no access
+    #    token was supplied and no OAuth kwargs resolved above).
+    provider_desc = (
+        type(auth_provider).__name__ if auth_provider is not None else "no credentials"
+    )
     raise NotSupportedError(
-        f"The kernel backend (use_kernel=True) currently only supports PAT auth, "
-        f"but got {type(auth_provider).__name__}. Use the Thrift backend "
-        "(default) for OAuth / federation / custom credential providers."
+        f"use_kernel=True requires PAT (access_token), OAuth M2M "
+        f"(oauth_client_id + oauth_client_secret), or OAuth U2M "
+        f"(auth_type='databricks-oauth' / 'azure-oauth'), but got "
+        f"{provider_desc} with auth_type={auth_type!r}. Use the Thrift "
+        "backend (default) for other auth flows."
+    )
+
+
+def _normalize_scopes(scopes: Any) -> Optional[list]:
+    """Normalise an ``oauth_scopes`` value to a list of strings, or
+    ``None`` to let the kernel apply its defaults.
+
+    Accepts a list/tuple of strings or a single space-delimited string
+    (the shape ``DatabricksOAuthProvider`` stores internally)."""
+    if scopes is None:
+        return None
+    if isinstance(scopes, str):
+        parts = scopes.split()
+        return parts or None
+    if isinstance(scopes, (list, tuple)):
+        parts = [str(s) for s in scopes if s]
+        return parts or None
+    # Anything else (int, dict, bool, …) is a caller error. Fail loudly
+    # rather than silently dropping the scopes to None and surprising
+    # the user with default scopes.
+    raise ProgrammingError(
+        f"oauth_scopes must be a list/tuple of strings or a space-delimited "
+        f"string, got {type(scopes).__name__}."
     )