
feat(pam): windows server #5396

Merged: x032205 merged 7 commits into main from pam/windows/windows-server-resource-and-account on Feb 10, 2026

Conversation

@x032205 (Member) commented Feb 7, 2026

Context

windows server resource

Screenshots

[Two screenshots attached: CleanShot 2026-02-07 at 00 06 15@2x and CleanShot 2026-02-07 at 00 06 26@2x]

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Read the contributing guide

@maidul98 (Collaborator) commented Feb 7, 2026

Snyk checks have passed. No issues have been found so far.

Scanner: Open Source Security. Critical: 0, High: 0, Medium: 0, Low: 0. Total: 0 issues.

@greptile-apps (bot, Contributor) commented Feb 7, 2026

Greptile Overview

Greptile Summary

This PR adds first-class PAM support for Windows Server resources (RDP) across backend + frontend, including:

  • New PamResource.Windows type, schemas, and factory wiring.
  • Gateway-proxied connection validation via a minimal RDP handshake, and account credential validation via SMB (port 445).
  • A new pam_accounts.metadata JSONB field (used for Windows account type) and pam_resources.adServerResourceId self-reference.
  • Frontend forms and detail views for creating Windows resources and accounts, plus docs for discoverability.

Key integration points are the PAM resource factory map (backend/src/ee/services/pam-resource/pam-resource-factory.ts) and the generic account/resource endpoint registries.

Issues to fix before merge:

  • Migration rollback reliability: down() drops adServerResourceId without dropping the FK constraint first.
  • Auditability gap: account metadata is accepted/persisted but not captured in PAM account create/update audit log metadata.
  • UX consistency: Windows access is temporarily disabled, but UI suppression relies on CSS wrappers; ensure access actions are explicitly disabled to avoid confusing user flows.

Confidence Score: 3/5

  • This PR is mergeable after fixing a few concrete correctness/auditability issues.
  • Most changes are additive and follow existing PAM patterns, but there are at least two definite pre-merge fixes: the down migration can fail due to an undeleted FK constraint, and new account metadata is persisted without being included in audit logs for create/update events. There is also a UX inconsistency around temporarily disabled Windows access that can lead to confusing behavior.
  • backend/src/db/migrations/20260206001358_windows-server-pam-resource.ts, backend/src/ee/routes/v1/pam-account-routers/pam-account-endpoints.ts, frontend/src/pages/pam/PamAccountByIDPage/components/PamAccountResourcesSection.tsx

Important Files Changed

Filename Overview
backend/src/db/migrations/20260206001358_windows-server-pam-resource.ts Adds pam_resources.adServerResourceId self-FK and pam_accounts.metadata columns; down migration currently drops column without dropping FK constraint first.
backend/src/db/schemas/pam-accounts.ts Extends PamAccountsSchema with nullable metadata field to persist account metadata.
backend/src/db/schemas/pam-resources.ts Extends PamResourcesSchema with nullable adServerResourceId UUID field.
backend/src/ee/routes/v1/pam-account-routers/index.ts Registers Windows PAM account endpoints alongside existing resource types.
backend/src/ee/routes/v1/pam-account-routers/pam-account-endpoints.ts Adds metadata to create/update account request types; audit log event metadata does not include this new field.
backend/src/ee/routes/v1/pam-account-routers/pam-account-router.ts Includes Windows account schema in union types for account responses.
backend/src/ee/routes/v1/pam-resource-routers/index.ts Registers Windows PAM resource endpoints alongside existing resource types.
backend/src/ee/routes/v1/pam-resource-routers/pam-resource-router.ts Includes Windows resource schemas in unions for resource responses and options.
backend/src/ee/services/pam-account/pam-account-service.ts Persists metadata on create/update and temporarily blocks Windows access in access; introduces behavior change for Windows accounts.
backend/src/ee/services/pam-account/pam-account-types.ts Adds optional metadata to PAM account create/update DTOs.
backend/src/ee/services/pam-resource/pam-resource-enums.ts Adds new PamResource.Windows enum value.
backend/src/ee/services/pam-resource/pam-resource-factory.ts Wires Windows resource factory into PAM resource factory map.
backend/src/ee/services/pam-resource/pam-resource-fns.ts Adds Windows resource list item to resource options returned to clients.
backend/src/ee/services/pam-resource/pam-resource-types.ts Extends PAM resource/account unions with Windows resource and account types.
backend/src/ee/services/pam-resource/windows-server/windows-server-resource-enums.ts Defines WindowsProtocol (RDP) and WindowsAccountType enums.
backend/src/ee/services/pam-resource/windows-server/windows-server-resource-factory.ts Implements gateway-proxied RDP connectivity check and SMB-based credential validation for Windows resources.
backend/src/ee/services/pam-resource/windows-server/windows-server-resource-fns.ts Adds helper to expose Windows resource option list item.
backend/src/ee/services/pam-resource/windows-server/windows-server-resource-schemas.ts Adds Zod schemas for Windows resources/accounts with constrained port validation.
backend/src/ee/services/pam-resource/windows-server/windows-server-resource-types.ts Exports inferred TypeScript types for Windows resource/account schemas.
docs/docs.json Adds Windows Server resource page to PAM docs navigation.
docs/documentation/platform/pam/getting-started/resources/windows-server.mdx Adds documentation for configuring Windows Server (RDP) resources and accounts, including SMB credential validation details.
frontend/src/hooks/api/pam/enums.ts Adds Windows to PamResourceType enum on the frontend.
frontend/src/hooks/api/pam/maps.ts Adds Windows Server display name and icon mapping for PAM resources.
frontend/src/hooks/api/pam/types/index.ts Extends PAM resource/account unions and create/update DTOs with optional metadata and Windows types.
frontend/src/hooks/api/pam/types/windows-server-resource.ts Defines Windows Server resource/account types for frontend consumption.
frontend/src/pages/pam/PamAccountByIDPage/PamAccountByIDPage.tsx Hides Access button for Windows accounts to reflect temporary backend access block.
frontend/src/pages/pam/PamAccountByIDPage/components/PamAccountCredentialsSection.tsx Adds Windows credentials display (username only) in account credentials section.
frontend/src/pages/pam/PamAccountByIDPage/components/PamAccountResourcesSection.tsx Adds CSS-based disabling for Windows account resource cards; behavior relies on wrapper pointer-events for click prevention.
frontend/src/pages/pam/PamAccountsPage/components/PamAccountForm/PamAccountForm.tsx Adds WindowsAccountForm and passes optional metadata through create/update mutations.
frontend/src/pages/pam/PamAccountsPage/components/PamAccountForm/WindowsAccountForm.tsx Implements Windows account form capturing username/password and accountType metadata with unchanged-password sentinel behavior.
frontend/src/pages/pam/PamResourceByIDPage/components/PamResourceAccountsSection.tsx Hides Connect button for Windows resources to match temporary backend access block.
frontend/src/pages/pam/PamResourceByIDPage/components/PamResourceConnectionSection.tsx Adds Windows connection details rendering (protocol/hostname/port).
frontend/src/pages/pam/PamResourcesPage/components/PamResourceForm/PamResourceForm.tsx Adds WindowsResourceForm selection for create/update resource flows.
frontend/src/pages/pam/PamResourcesPage/components/PamResourceForm/WindowsResourceForm.tsx Implements Windows resource form capturing hostname and port with validation.

@x032205 (Member, Author) commented Feb 9, 2026

@greptile review the latest doc changes commit

@greptile-apps (bot, Contributor) left a review: 7 files reviewed, 3 comments

@greptile-apps (bot, Contributor) commented Feb 9, 2026

Additional Comments (1)

backend/src/ee/routes/v1/pam-account-routers/pam-account-router.ts
/access schema vs behavior

Windows Server accounts/resources are now creatable/listable, but pamAccountService.access hard-throws for PamResource.Windows ("Windows resources cannot be accessed at this time"). The /access route’s 200 response schema is a discriminated union that omits Windows, and it also doesn’t document the intentional 400 for Windows access attempts. That makes the OpenAPI/types incorrect and will break typed clients.

Either remove/disable Windows registration until access is supported, or update the route schema to reflect the current behavior (including the error response) / add a Windows branch when implemented.

@x032205 (Member, Author) commented Feb 10, 2026

@greptile re-review this PR

@greptile-apps (bot, Contributor) left a review: 34 files reviewed, 3 comments

@greptile-apps (bot, Contributor) commented Feb 10, 2026

Additional Comments (1)

backend/src/ee/routes/v1/pam-account-routers/pam-account-endpoints.ts
Audit log misses metadata

registerPamAccountEndpoints now accepts metadata in the request body (and the service persists it), but the audit log metadata for both PAM_ACCOUNT_CREATE and PAM_ACCOUNT_UPDATE events never includes req.body.metadata. This makes Windows account type changes (and any other metadata updates) invisible in audit logs even though they’re persisted.

Also affected: backend/src/ee/routes/v1/pam-account-routers/pam-account-endpoints.ts:117-127.
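
The audit-log gap described in the review above, as an added TypeScript example that is not part of this PR or of Infisical's code base: a "before" event builder that drops the new metadata field, a fixed builder that carries it while keeping raw credentials out of the log, and a regression check that flags any persisted request field missing from the audit payload. The type and function names, the request-body shape and the sample accountType value are assumptions made for the example.

```typescript
// Added example, not Infisical's code. Names and body shape are hypothetical.

// What the account create/update endpoint accepts and the service persists (constructed).
type PamAccountUpdateBody = {
  name?: string;
  description?: string;
  credentials?: { username: string; password: string };
  metadata?: Record<string, unknown>; // e.g. the Windows account type
};

// Audit metadata as built before the fix: body.metadata is silently dropped,
// so an account-type change is persisted but never shows up in the audit trail.
function buildAuditMetadataBefore(accountId: string, body: PamAccountUpdateBody) {
  return { accountId, name: body.name, description: body.description };
}

// Fixed builder: metadata is recorded; credentials are reduced to a rotation flag,
// because secret material itself must never be written to the audit log.
function buildAuditMetadataAfter(accountId: string, body: PamAccountUpdateBody) {
  return {
    accountId,
    name: body.name,
    description: body.description,
    metadata: body.metadata,
    credentialsUpdated: body.credentials !== undefined,
  };
}

// Regression check: every non-secret field present in the request must appear in the
// audit metadata. Secret fields are excluded here and covered by the redaction check.
const SECRET_FIELDS = new Set(["credentials"]);

function findUnauditedFields(
  body: PamAccountUpdateBody,
  audit: Record<string, unknown>
): string[] {
  return Object.entries(body)
    .filter(([key, value]) => value !== undefined && !SECRET_FIELDS.has(key))
    .filter(([key]) => audit[key] === undefined)
    .map(([key]) => key);
}

// Redaction check: the serialized audit event must not contain the submitted secret.
function auditLeaksSecret(audit: Record<string, unknown>, secret: string): boolean {
  return JSON.stringify(audit).includes(secret);
}

// Constructed sample: a Windows account update that rotates the password and
// changes only the account-type metadata (accountType value is made up).
const sampleBody: PamAccountUpdateBody = {
  name: "svc-backup",
  credentials: { username: "svc-backup", password: "constructed-sample-secret" },
  metadata: { accountType: "domain" },
};
```

Wiring `findUnauditedFields` into a unit test for each PAM account endpoint turns the reviewer's finding into a check that fails the next time a persisted field is added without a matching audit entry.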

x032205 merged commit 465a5d8 into main on Feb 10, 2026. 12 of 13 checks passed.