feat: access key rotation and policy management commands

[designcode]

Summary

• Add access-keys rotate command to rotate an access key's secret with confirmation prompt
• Add access-keys attach-policy, detach-policy, and list-policies commands to manage IAM policies on access keys (with interactive policy selection when --policy-arn is omitted)
• Add iam policies link-key, unlink-key, and list-keys commands for managing access keys from the policy side (with interactive selection for both policy and key)
• Fix iam policies get displaying attached users as [object Object]

Test plan

• tigris access-keys rotate <id> --yes rotates the key and displays the new secret
• tigris access-keys attach-policy <id> shows interactive policy picker (excludes already-attached)
• tigris access-keys detach-policy <id> shows interactive picker of attached policies, confirms before detaching
• tigris access-keys list-policies <id> lists attached policies in table/json
• tigris iam policies link-key interactive flow: pick policy → pick unlinked key → links
• tigris iam policies unlink-key interactive flow: pick policy → pick linked key → confirms → unlinks
• tigris iam policies list-keys <arn> lists attached keys with Name/ID columns
• tigris iam policies get <arn> displays attached users correctly as name (id)
• All commands work with --json output format
• Non-interactive mode works with all required flags provided

🤖 Generated with Claude Code

---

Note

Medium Risk
Adds new IAM- and credential-management CLI commands (policy attach/detach/link and access-key secret rotation) that directly change permissions and invalidate secrets, so mistakes could impact access for users. Behavior depends on updated @tigrisdata/iam APIs and new interactive flows/confirmations.

Overview
Adds new CLI commands for access-key and IAM policy management: access-keys rotate (with confirmation and one-time secret output), plus access-keys attach-policy, detach-policy, and list-policies including interactive selection when ARNs aren’t provided.

Extends iam policies with link-key, unlink-key, and list-keys to manage access key attachments from the policy side, and refactors policy selection into a shared selectPolicy helper. Updates iam policies get to render attached users as name (id) instead of printing objects, and bumps @tigrisdata/iam from ^1.4.1 to ^2.1.0 to support the new functionality.

^{Reviewed by Cursor Bugbot for commit 89570b8. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 89570b8. Configure here.}

[github-actions]

🎉 This PR is included in version 2.17.0 🎉

The release is available on:

• GitHub release
• npm package (@latest dist-tag)

Your semantic-release bot 📦🚀