feat: add Flexible Password Policy support for database connections

[ankita10119]

🔧 Changes

Adds first-class deploy-cli support for the Flexible Password PolicyManagement API spec (password_options) and the new signup_behavior field on database connections.

Schema additions (databases.ts)

• options.authentication_methods.password.signup_behavior - new enum field ("allow" | "block") alongside the existing api_behavior
• options.password_options - new block covering:
  • complexity: min_length, character_types, character_type_rule,identical_characters, sequential_characters, max_length_exceeded
  • profile_data: active, blocked_fields
  • history: active, size
  • dictionary: active, default, custom

Pre-deploy validation (validatePasswordOptions)

• Throws if password_options and any legacy policy field (passwordPolicy, password_complexity_options, password_history,password_no_personal_info, password_dictionary) are present in the same config - the Management API rejects this combination
• Throws if character_type_rule is "three_of_four" without all four character types specified
• Throws if profile_data.blocked_fields exceeds 12 items or any single item exceeds 100 characters
• signup_behavior/api_behavior co-dependency rule added tovalidatePasswordlessSettings (wired in when feature reaches GA, consistent with existing PR:feat: add support for passwordless authentication methods on database connections EA #1282 gate)

Safe update path (getClientFN update)

The databases handler fetches existing connection state and shallow-merges it with the desired payload before every PATCH. Two new pre-merge guards:

• Legacy ↔ Flexible policy switch: strips the conflicting group from the existing state before the merge (legacy fields when switching topassword_options, and vice versa), preventing the 400 the API returns when both groups appear in the same request body
• signup_behavior/api_behavior merge-time check: computes the effective api_behavior from the merged result (payload takes precedence over existing tenant value) and throws a clear, actionable error if signup_behavior: "block" would be set without
  api_behavior: "optional", rather than surfacing a cryptic API 400

📚 References

🔬 Testing

📝 Checklist

• All new/changed/fixed functionality is covered by tests (or N/A)
• I have added documentation for all new/changed functionality (or N/A)

[codecov-commenter]

Codecov Report

❌ Patch coverage is 87.17949% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 80.15%. Comparing base (d77396e) to head (47cc74c).

Files with missing lines	Patch %	Lines
src/tools/auth0/handlers/databases.ts	87.17%	4 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #1362      +/-   ##
==========================================
+ Coverage   80.11%   80.15%   +0.04%     
==========================================
  Files         152      152              
  Lines        6280     6319      +39     
  Branches     1314     1328      +14     
==========================================
+ Hits         5031     5065      +34     
- Misses        704      708       +4     
- Partials      545      546       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.