
feat(pam): in-browser web access terminal for PAM postgres accounts #5425

Merged
saifsmailbox98 merged 16 commits into main from saif/pam-4-pam-web-launcher-implement-postgres-access-via-browser-3
Feb 12, 2026

Conversation

saifsmailbox98 (Contributor) commented Feb 10, 2026

Context

Adds browser-based web access for PAM accounts (PostgreSQL)

Screenshots

[Two CleanShot screenshots dated 2026-02-11]

Steps to verify the change

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Read the contributing guide

linear bot commented Feb 10, 2026

saifsmailbox98 changed the title from "Saif/pam 4 pam web launcher implement postgres access via browser 3" to "feat(pam): in-browser web access terminal for PAM postgres accounts" Feb 10, 2026

maidul98 (Collaborator) commented Feb 10, 2026

Snyk checks have passed. No issues have been found so far.

| Scanner | Critical | High | Medium | Low | Total (0) |
| --- | --- | --- | --- | --- | --- |
| Open Source Security | 0 | 0 | 0 | 0 | 0 issues |


greptile-apps bot (Contributor) commented Feb 10, 2026

Greptile Overview

Greptile Summary

Adds browser-based web access for PAM PostgreSQL accounts by issuing a one-time WebSocket ticket, establishing a gateway-v2 relay tunnel, and running a pg-backed SQL REPL over the socket. Introduces session tracking (duration, concurrent-session limit, expiry scheduling) and a new SessionEnd server message so the frontend terminal can show completion/quit/connection-lost reasons. Also extends gateway proxy protocols to support PAM and adds long-lived relay socket support.

Confidence Score: 3/5

  • This PR is close to mergeable, but has a couple of concrete issues to address before it’s safe to ship.
  • Core flow (ticket -> tunnel -> pg REPL) is coherent and covered by unit tests for lexer/formatter/REPL. However, cleanup currently opens a relay connection that may not be closed (FD leak risk), and the frontend introduces new native-regex usage that violates the repo’s ReDoS policy.
  • backend/src/ee/services/pam-web-access/pam-web-access-service.ts; frontend/src/pages/pam/PamAccountsPage/components/PamWebAccess/usePamWebAccessSession.ts

Important Files Changed

| Filename | Overview |
| --- | --- |
| backend/src/db/migrations/20260210074536_pam-session-access-method.ts | Adds idempotent migration to add nullable accessMethod column to PamSession. |
| backend/src/ee/routes/v1/pam-account-routers/pam-account-router.ts | Adds web-access ticket + WebSocket routes and tightens auditLogInfo typing for ticket payload. |
| backend/src/ee/services/pam-session/pam-session-dal.ts | Adds DAL method countActiveWebSessions to enforce per-user concurrent session limit. |
| backend/src/ee/services/pam-web-access/pam-web-access-service.ts | Replaces echo-mode with actual pg-backed SQL REPL over gateway tunnel; adds session lifecycle, keepalive, and cancellation (one cleanup socket-close issue noted). |
| backend/src/lib/gateway-v2/gateway-v2.ts | Exports createGatewayConnection and adds longLived option to disable timeouts and enable keepalive for relay/gateway sockets. |
| frontend/src/pages/pam/PamAccountsPage/components/PamWebAccess/usePamWebAccessSession.ts | Adds disconnect helper, syncs Ctrl+C buffer clearing, and handles SessionEnd (introduces native regex use per policy). |
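
The ticket and session-limit flow the summary above describes, as an added example that is not code from this PR: a one-time ticket is bound to a user and account, expires quickly, is consumed on the WebSocket upgrade, and the per-user concurrent-session cap is checked at redemption. The class `WebAccessTickets`, its method names, the 30-second TTL and the cap of 5 are assumptions.

```typescript
// Added illustration, not the PR's code. Class name, TTL and session cap are assumptions.
type Ticket = { userId: string; accountId: string; expiresAt: number };
type RedeemResult = { ok: boolean; userId?: string; reason?: string };

class WebAccessTickets {
  private tickets = new Map<string, Ticket>();
  private active = new Map<string, number>(); // userId -> open web sessions
  private ttlMs: number;
  private maxSessions: number;
  private now: () => number;

  constructor(ttlMs = 30_000, maxSessions = 5, now: () => number = () => Date.now()) {
    this.ttlMs = ttlMs;
    this.maxSessions = maxSessions;
    this.now = now;
  }

  // Called from the authenticated HTTP route, after any MFA or approval checks.
  issue(userId: string, accountId: string): string {
    const bytes = new Uint8Array(32);
    (globalThis as any).crypto.getRandomValues(bytes); // CSPRNG, 256-bit token
    const token = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
    this.tickets.set(token, { userId, accountId, expiresAt: this.now() + this.ttlMs });
    return token;
  }

  // Called on the WebSocket upgrade, where the ticket stands in for the user's credentials.
  redeem(token: string, accountId: string): RedeemResult {
    const ticket = this.tickets.get(token);
    this.tickets.delete(token); // single use: consumed even if a later check fails
    if (!ticket) return { ok: false, reason: "unknown_or_used" };
    if (this.now() > ticket.expiresAt) return { ok: false, reason: "expired" };
    if (ticket.accountId !== accountId) return { ok: false, reason: "wrong_account" };
    const open = this.active.get(ticket.userId) ?? 0;
    if (open >= this.maxSessions) return { ok: false, reason: "session_limit" };
    this.active.set(ticket.userId, open + 1);
    return { ok: true, userId: ticket.userId };
  }

  // Called when the socket closes or the session expires.
  end(userId: string): void {
    this.active.set(userId, Math.max(0, (this.active.get(userId) ?? 0) - 1));
  }
}
```

Tickets that are issued but never redeemed are not swept in this sketch; a production store would expire them, for example with a TTL in the backing store.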

greptile-apps bot (Contributor) left a comment

20 files reviewed, 2 comments

…rce connection details and account credentials more descriptive, cast them once

saifsmailbox98 (Contributor, Author) commented Feb 12, 2026

Suppressed the toast errors coming from the errors generated by the ticket generation API when MFA or approval is required.

sheensantoscapadngan (Member) left a comment

LGTM

@saifsmailbox98 saifsmailbox98 merged commit ececf6d into main Feb 12, 2026
13 checks passed