fix(pam): bind and advertise local session proxies on loopback

[Vligai]

Context

The local PAM proxies for database, redis, and kubernetes sessions create their TCP listener with an
empty host (":0" / ":<port>"), which Go resolves to all interfaces (0.0.0.0 / [::]). These
proxies are consumed by the local client on the same machine, so they should only accept loopback
connections. This binds them to 127.0.0.1 and advertises 127.0.0.1 in the printed connection
string, so the client connects to exactly the address the proxy listens on. The rdp proxy already
binds and advertises 127.0.0.1; this brings the other three in line.

Behavior: the proxy now accepts connections only from the local host. A client running on the same
machine connects via the printed 127.0.0.1 URL, as it already does for rdp sessions. Reaching the
proxy from another host, or from outside a container via a published port, no longer works (run the
client on the same machine). The printed connection string changes from localhost:<port> to
127.0.0.1:<port>.

• Before: listener on :0 / :<port> (all interfaces); connection string used localhost.
• After: listener on 127.0.0.1:0 / 127.0.0.1:<port> (loopback only); connection string uses
  127.0.0.1.

Changed files:

• packages/pam/local/database-proxy.go
• packages/pam/local/redis-proxy.go
• packages/pam/local/kubernetes-proxy.go
• packages/pam/local/proxy_loopback_test.go (test)

Screenshots

Steps to verify the change

• Unit test (included in this PR): go test ./packages/pam/local/ -run TestLocalProxiesBindLoopback.
  It drives each proxy's Start() and asserts the listener binds a loopback address.
• Manual: start a database / redis / kubernetes PAM session and confirm the proxy port listens on
  127.0.0.1 only (for example lsof -iTCP -sTCP:LISTEN or netstat), and that the local client
  still connects via the printed 127.0.0.1 URL.

Type

• Fix
• Feature
• Improvement
• Breaking
• Docs
• Chore

Checklist

• Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
• Tested locally
• Updated docs (if needed)
• Updated CLAUDE.md files (if needed)
• Read the contributing guide

[infisical-review-police]

💬 Discussion in Slack: #pr-review-cli-279-fix-pam-bind-and-advertise-local-session-proxies-on-loopback

Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel.

[greptile-apps]

Greptile Summary

This PR tightens the network exposure of the local PAM session proxies by binding their TCP listeners to 127.0.0.1 instead of all interfaces (0.0.0.0/::), and updates the advertised connection strings to match. The RDP proxy already did this; the change brings database, redis, and kubernetes proxies in line with that pattern.

• Listener binding (database-proxy.go, redis-proxy.go, kubernetes-proxy.go): both the dynamic-port (":0") and fixed-port paths now use "127.0.0.1:0" / "127.0.0.1:<port>", so the OS-assigned address is always a loopback address.
• Advertised URLs: all printed connection strings (postgres://, mysql://, redis://, etc.) and the kubeconfig Server field are updated from localhost to 127.0.0.1, keeping the client address consistent with where the listener actually binds.
• Test (proxy_loopback_test.go): a new white-box test exercises Start(0) on each changed proxy and asserts addr.IP.IsLoopback().

Confidence Score: 4/5

The change is safe to merge; it narrows the listener surface from all interfaces to loopback-only and is backed by a targeted regression test.

All three proxy files follow the exact same two-line pattern change and the logic is straightforward. The RDP proxy already used this pattern and serves as a proven reference. The only gap is that the new test omits the RDP proxy, leaving a small blind spot for future regressions on that proxy type.

proxy_loopback_test.go — consider adding the RDP proxy case for complete coverage.

Important Files Changed

Filename	Overview
packages/pam/local/database-proxy.go	Listener now bound to 127.0.0.1 for both random-port and fixed-port cases; all six advertised connection strings updated from localhost to 127.0.0.1.
packages/pam/local/redis-proxy.go	Same loopback-bind fix as database proxy; both username and anonymous redis:// connection strings updated to 127.0.0.1.
packages/pam/local/kubernetes-proxy.go	Listener bound to loopback and kubeconfig cluster Server URL updated to http://127.0.0.1:; behaviour matches the pre-existing RDP proxy pattern.
packages/pam/local/proxy_loopback_test.go	New white-box test verifying loopback binding for database, redis, and kubernetes proxies; RDP proxy (which was already correct) is not included in the test suite.

_{Reviews (1): Last reviewed commit: "fix(pam): bind and advertise local sessi..." | Re-trigger Greptile}