Implementation of PAM Workflow Commands

[amangalampalli-ks]

PAM Workflow / Just-In-Time Access Commands

Summary

• Implements all 13 PAM Workflow API endpoints as Commander CLI commands under pam workflow <subcommand>, enabling just-in-time privileged access management with approval workflows, check-in/check-out and MFA enforcement.
• Adds workflow access gating to existing tunnel and launch flows — users must have an active checked-out workflow session before connecting to a workflow-protected PAM resource.
• Commands are gated to dev environments only (dev.keepersecurity.com) until the backend is production-ready; non-dev servers show a "coming soon" notice.

Commands

Category	Commands
Configuration (admin)	create, read, update, delete, add-approver, remove-approver
Approver actions	pending, approve, deny
Requester actions	request, start (check-out), end (check-in)
State inspection	state, my-access

Key changes

• Verify pam workflow shows "coming soon" on non-dev servers
• On dev: create a workflow, add approvers, request access, approve, start (check-out), connect/tunnel, end (check-in)
• Verify MFA prompt appears when --require-mfa is enabled on a workflow
• Verify --format json output for all commands
• Verify tunnel/launch is blocked when workflow access is not checked out