x032205 (Member) commented Dec 16, 2025

Error when gateway does not support resource type

greptile-apps bot (Contributor) commented Dec 16, 2025

Greptile Overview

Greptile Summary

Added gateway capability checking to provide clear error messages when a gateway doesn't support a requested PAM resource type (postgres, mysql, ssh, kubernetes).

  • Introduced new PAM_CAPABILITIES ALPN protocol for querying gateway-supported resource types
  • Client-side validation occurs before starting proxy, showing actionable upgrade instructions if resource type is unsupported
  • Uses length-prefixed JSON protocol for capability exchange between client and gateway
  • Applied consistently across database, SSH, and Kubernetes proxy implementations

Confidence Score: 5/5

  • This PR is safe to merge - it adds a pre-flight capability check without modifying existing proxy logic.
  • The changes are well-structured and consistent across all proxy types. The new capability checking is additive and doesn't modify existing proxy behavior. Communication occurs over mTLS connections ensuring trust. No breaking API changes.
  • No files require special attention

Important Files Changed

File Analysis

| Filename | Score | Overview |
|---|---|---|
| packages/gateway-v2/gateway.go | 5/5 | Added ForwardModePAMCapabilities mode and handler for the new capabilities endpoint. Changes are straightforward protocol additions. |
| packages/pam/local/base-proxy.go | 4/5 | Added FetchGatewayCapabilities and ValidateResourceTypeSupported methods. Added resourceType field. The length-prefixed read could allocate up to 4GB on malformed input, though this is mitigated by mTLS trust. |
| packages/pam/local/database-proxy.go | 5/5 | Added ALPNInfisicalPAMCapabilities constant and resourceType field initialization. Calls ValidateResourceTypeSupported before starting proxy. |
| packages/pam/local/kubernetes-proxy.go | 5/5 | Added resourceType field initialization and ValidateResourceTypeSupported call before starting proxy. |
| packages/pam/local/ssh-proxy.go | 5/5 | Added resourceType field initialization and ValidateResourceTypeSupported call before starting proxy. |
| packages/pam/pam-proxy.go | 5/5 | Added PAMCapabilitiesResponse type, GetSupportedResourceTypes function, and HandlePAMCapabilities handler for the gateway side. |
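
The overview above notes that the length-prefixed read could allocate up to 4GB on malformed input. The following is an added example, not code from this pull request, of a length-prefixed JSON read that checks the declared length before allocating. The 4-byte big-endian prefix, the 64 KiB cap, the JSON field name, and the names `capabilitiesMsg`, `readCapabilities` and `frame` are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"io"
)

const maxCapabilitiesLen = 64 * 1024 // assumed cap; a list of resource type names is tiny

// capabilitiesMsg is a hypothetical payload shape, not the project's own type.
type capabilitiesMsg struct {
	SupportedResourceTypes []string `json:"supportedResourceTypes"`
}

// readCapabilities reads a 4-byte big-endian length, checks it against the cap, then reads the JSON body.
func readCapabilities(r io.Reader) (*capabilitiesMsg, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, fmt.Errorf("read length prefix: %w", err)
	}
	n := binary.BigEndian.Uint32(hdr[:])
	if n == 0 || n > maxCapabilitiesLen { // reject before any allocation sized by the peer
		return nil, fmt.Errorf("frame length %d outside 1..%d", n, maxCapabilitiesLen)
	}
	body := make([]byte, n)
	if _, err := io.ReadFull(r, body); err != nil { // short body is an error, not a partial parse
		return nil, fmt.Errorf("read %d-byte body: %w", n, err)
	}
	var msg capabilitiesMsg
	if err := json.Unmarshal(body, &msg); err != nil {
		return nil, fmt.Errorf("decode capabilities: %w", err)
	}
	return &msg, nil
}

// frame builds a constructed sample message: length prefix followed by payload.
func frame(p []byte) []byte {
	return append(binary.BigEndian.AppendUint32(nil, uint32(len(p))), p...)
}

func main() {
	msg, err := readCapabilities(bytes.NewReader(frame([]byte(`{"supportedResourceTypes":["ssh"]}`))))
	fmt.Println(msg, err)
	_, err = readCapabilities(bytes.NewReader([]byte{0xff, 0xff, 0xff, 0xff})) // constructed header claiming ~4 GiB
	fmt.Println(err)
}
```
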

greptile-apps bot (Contributor) left a comment

6 files reviewed, 1 comment

x032205 (Member, Author) commented Dec 16, 2025

@greptile review this

greptile-apps bot (Contributor) left a comment

6 files reviewed, no comments

x032205 merged commit 6a741bf into main on Dec 19, 2025
3 checks passed