Add --keeper-db-proxy to pam tunnel edit and --launch-user to pam connection edit

[tbjones-ks]

Summary

• Move --keeper-db-proxy (-kdbp) option from pam connection edit to pam tunnel edit
• Add --launch-user (-lu) option to pam connection edit for assigning launch credentials
• Add launch credential validation when enabling DB proxy

Jira / GitHub Issue

keeperdb-proxy#45

Changes

• pam tunnel edit: Added --keeper-db-proxy (on/off/default) to configure allowKeeperDBProxy PAM setting on pamDatabase records
• pam tunnel edit: When enabling (on), validates that launch credentials are assigned to the record
• pam connection edit: Added --launch-user (-lu) to assign a pamUser record as the launch credential on a PAM resource via DAG
• pam connection edit: Removed --keeper-db-proxy (moved to tunnel edit)
• TunnelDAG: Added check_if_resource_has_launch_credential() method
• TunnelDAG: Added is_launch_credential parameter to link_user() and link_user_to_resource()

Breaking Changes

• --keeper-db-proxy is no longer available on pam connection edit. Use pam tunnel edit instead.

Testing Performed

• Syntax validation passes
• Argument parsing verified for all new flags
• Invalid choices correctly rejected
• Manual testing with live environment (pending)

Usage

# Assign launch credentials to a pamDatabase record
pam connection edit <record> --launch-user <pamUser_record>

# Enable DB proxy (requires launch credentials)
pam tunnel edit <record> --keeper-db-proxy=on

# Disable DB proxy
pam tunnel edit <record> --keeper-db-proxy=off

# Reset to default
pam tunnel edit <record> --keeper-db-proxy=default