feat(pam): add RDP CLI access and recording chunk batching

[bernie-g]

Context

Adds CLI support for PAM RDP sessions and caps recording chunk size with batched live uploads.
https://linear.app/infisical/issue/PAM-263/add-windows-account-rdp-web-and-cli

Type

• Fix
• Feature
• Improvement
• Breaking
• Docs
• Chore

[infisical-review-police]

💬 Discussion in Slack: #pr-review-cli-269-feat-pam-add-rdp-cli-access-and-recording-chunk-batching

Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel.

[greptile-apps]

Greptile Summary

This PR activates RDP/Windows PAM sessions through the unified StartPAMAccess path and refactors RDPProxyServer.handleConnection to use the shared NewDisconnectChannels/WaitForDisconnect abstraction that distinguishes gateway-side drops from normal client disconnects.

• access.go adds startRDPProxy, wiring Windows accounts into the existing switch-dispatch the same way database accounts are handled; the function is nearly identical to startDatabaseProxy but omits the auto-launch step present in StartRDPLocalProxy.
• rdp-proxy.go replaces the old done chan struct{} (buffer 2, both goroutines shared one channel) with separate gatewayErrCh/clientErrCh channels — a meaningful semantic change, because receiving from gatewayErrCh now triggers a full proxy shutdown via HandleGatewayDisconnect, whereas the client-disconnect path just returns. A race exists between the buffered send to gatewayErrCh and the immediately-following defer connCancel(), which can cause the select to resolve on connCtx.Done() instead and silently skip shutdown.

Confidence Score: 3/5

The RDP proxy integration is straightforward, but the refactored disconnect logic in handleConnection has a real concurrency flaw that can leave the proxy alive after the gateway terminates a session.

The gateway-disconnect race in rdp-proxy.go is not theoretical: Go's asynchronous preemption means the scheduler can context-switch between gatewayErrCh <- err and defer connCancel(), making both select cases simultaneously ready. When that happens, Go randomly chooses between them, and if connCtx.Done() wins, the proxy stays running after an admin-forced termination instead of shutting down cleanly. The rest of the change is a faithful port of the database proxy pattern and looks correct.

packages/pam/local/rdp-proxy.go — specifically the select logic change in handleConnection and how WaitForDisconnect interacts with the deferred connCancel in the gateway goroutine.

Important Files Changed

Filename	Overview
packages/pam/local/access.go	Enables Windows/RDP accounts in StartPAMAccess via a new startRDPProxy function that closely mirrors startDatabaseProxy; auto-launch of the RDP client is absent compared to the existing StartRDPLocalProxy entry point
packages/pam/local/rdp-proxy.go	Refactors handleConnection to use NewDisconnectChannels/WaitForDisconnect, introducing a race where connCtx.Done() can be selected over gatewayErrCh and silently skip HandleGatewayDisconnect on a gateway-side drop

_{Reviews (1): Last reviewed commit: "fix(pam): write RDP session banner to st..." | Re-trigger Greptile}

[veria-ai]

PR overview

All previously flagged issues have been addressed. No open security concerns remain on this pull request.

Security review

No open security issues remain on this pull request.

Fixed/addressed: 1 · PR risk: 0/10