feat: add mysql account support #6917

Merged: sheensantoscapadngan merged 2 commits into pam-revamp from feat/add-mysql-acc-and-cli-access, Jun 18, 2026

sheensantoscapadngan (Member) commented Jun 17, 2026

Context

This PR adds MySQL support in PAM

Screenshots

Steps to verify the change

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Updated CLAUDE.md files (if needed)
  • Read the contributing guide

@infisical-review-police

💬 Discussion in Slack: #pr-review-infisical-6917-feat-add-mysql-account-support

Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel.

greptile-apps Bot (Contributor) commented Jun 17, 2026

Greptile Summary

This PR adds MySQL as a supported PAM account type, mirroring the existing Postgres/SSH patterns with a connection details schema (host, port, optional database, SSL fields) and credentials schema (username/password).

  • Adds PamAccountType.MySQL to ACCOUNT_TYPE_CONFIGS with Zod validation, including credential length limits matching MySQL's native constraints (username ≤ 32, password ≤ 80).
  • Extends extractGatewayTarget to route MySQL through the same host/port extraction as Postgres and SSH.
  • Updates the session access flow so database is included in session metadata for both Postgres and MySQL when present, with a proper existence check.

Confidence Score: 4/5

The change is small and closely follows the established Postgres pattern; the session service change is straightforward and correct.

The two findings are both non-blocking: one is dead-code cleanup (the unreachable .transform on database), and the other is an unvalidated host field that could reach internal network endpoints via the gateway — a risk that exists today for Postgres and SSH but is worth addressing as MySQL support is added.

backend/src/ee/services/pam-account/pam-account-schemas.ts — the host field and dead transform warrant a second look.

Security Review

  • SSRF via unvalidated host (pam-account-schemas.ts): The MySQL host field accepts any string, including private IP ranges and cloud metadata endpoints. This value is forwarded to the gateway service to establish the actual TCP connection. An actor with PAM account creation rights could configure the gateway to probe or connect to internal infrastructure. The same gap exists in the Postgres and SSH schemas; this PR is a good opportunity to add an IP-range blocklist or allowlist across all account types.

Important Files Changed

Filename | Overview
backend/src/ee/services/pam-account/pam-account-schemas.ts | Adds MySQL account type schema with connection details and credentials validation; includes a dead .transform() on the database field and an unvalidated host field that could reach internal network targets through the gateway.
backend/src/ee/services/pam-session/pam-session-service.ts | Small, correct change: extends the database metadata population to cover MySQL alongside Postgres, with a proper presence check.

Reviews (1): Last reviewed commit: "feat: add mysql account support"

Comment thread backend/src/ee/services/pam-account/pam-account-schemas.ts
Comment thread backend/src/ee/services/pam-account/pam-account-schemas.ts Outdated
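
The IP-range blocklist that the Greptile review suggests for the host field, sketched as an added example that is not part of this PR or of Infisical's code; `isBlockedHost`, `BLOCKED_V4` and the choice of ranges are assumptions. It screens address literals only: a hostname passes here and still has to be checked against its resolved address at the point where the gateway opens the connection.

```typescript
// Added example; isBlockedHost and BLOCKED_V4 are hypothetical names, not Infisical code.
// Constructed deny-list of IPv4 ranges a gateway target should not fall into.
const BLOCKED_V4: ReadonlyArray<readonly [string, number]> = [
  ["0.0.0.0", 8],      // "this network"
  ["10.0.0.0", 8],     // RFC 1918 private
  ["100.64.0.0", 10],  // carrier-grade NAT
  ["127.0.0.0", 8],    // loopback
  ["169.254.0.0", 16], // link-local, includes the 169.254.169.254 metadata address
  ["172.16.0.0", 12],  // RFC 1918 private
  ["192.168.0.0", 16], // RFC 1918 private
];

// Parse a strict dotted-quad IPv4 literal into an unsigned 32-bit number, or null.
function parseV4(s: string): number | null {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(p)) return null; // no octal, hex or empty octets
    const octet = Number(p);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

function inCidr(addr: number, base: string, prefix: number): boolean {
  const size = 2 ** (32 - prefix);
  return Math.floor(addr / size) === Math.floor((parseV4(base) as number) / size);
}

// True when the host value should be rejected at account-creation time.
function isBlockedHost(host: string): boolean {
  let h = host.trim().toLowerCase().replace(/^\[|\]$/g, "");
  if (/(^|\.)localhost$/.test(h)) return true;
  if (h.indexOf(":") !== -1) {
    // IPv6 literal: unwrap dotted IPv4-mapped form; block loopback, unspecified,
    // other ::ffff: forms, unique-local (fc00::/7) and link-local (fe80::/10).
    const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(h);
    if (mapped) h = String(mapped[1]);
    else return h === "::1" || h === "::" || /^::ffff:/.test(h) || /^f[cd][0-9a-f]{2}:/.test(h) || /^fe[89ab][0-9a-f]:/.test(h);
  }
  const v4 = parseV4(h);
  if (v4 !== null) return BLOCKED_V4.some(([base, prefix]) => inCidr(v4, base, prefix));
  // All-numeric labels that are not a strict dotted quad ("2130706433", "0x7f.0.0.1")
  // are rejected because resolvers may read them as IPs; real hostnames return false.
  return /^(0x[0-9a-f]+|\d+)(\.(0x[0-9a-f]+|\d+))*$/.test(h);
}
```

In a Zod schema such a predicate would attach to the host string through `.refine((h) => !isBlockedHost(h))`.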

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4b2c48be37

Comment thread backend/src/ee/services/pam-account/pam-account-schemas.ts
Comment thread backend/src/ee/services/pam-account/pam-account-schemas.ts
sheensantoscapadngan merged commit cf94ac5 into pam-revamp Jun 18, 2026
14 of 15 checks passed