Commander 17.2.16

This release brings pam launch and pam tunnel start to parity with the web vault's PAM workflow gates, plus GovCloud router support and a few targeted fixes.

PAM

Workflow (pam launch / pam tunnel start) — web-vault parity (#1997)

Gating order on every launch/tunnel is now: enterprise enforcement → PAM config allowed-settings → workflow, matching the web vault.

• Allowed-time window enforced. Launches outside the configured allowedDays / timeRanges (in the workflow's IANA timezone) are blocked. Overnight ranges that cross midnight are handled; falls back to local time when zoneinfo is unavailable or the tz name is unknown.

• Hard disconnect at lease expiry. When expiresOn is reached during an active session, both pam launch (interactive shell/RDP) and pam tunnel start tear the connection down immediately — no grace period, no reconnect — matching ConnectionManager.scheduleWorkflowAccessExpiry in the web vault. The "Access expired — session terminated" line prints after the terminal reset so it survives.

• Inline reason / ticket prompts. When a workflow is in WS_NEEDS_ACTION with AC_REASON or AC_TICKET pending, Commander now prompts inline (multi-line for reason, single-line for ticket) and re-validates, instead of telling the user to run pam workflow request and re-launch. New flags --reason / -r and --ticket / -tk drive the same flow non-interactively. Pure-approval workflows are auto-submitted.

• Inline check-out prompt. When a workflow is approved but not yet checked out (WS_READY_TO_START), Commander offers Check out 'RECORD' now? [Y/n] and proceeds inline. New --auto-checkout / -aco flag confirms automatically for non-interactive runs.

• --wait for pending approval. When a workflow lands in WS_WAITING, the new --wait / -w flag polls every 8 seconds until the workflow transitions out of waiting, with --wait-timeout (default 600s). Ctrl+C cancels cleanly.

• Auto check-in on session end. When pam launch itself triggered the checkout, the lease is released via end_workflow(flow_uid) in the session-end finally. Skipped when the lease already expired or when the user pre-checked-out manually via pam workflow start. (pam tunnel stop intentionally does not release the lease — see note below.)

• Skip MFA prompt when gateway is offline. Mirrors web vault LaunchButton.tsx: if the controller is not Online, the workflow MFA prompt is skipped and the launch surfaces its own gateway-offline error.

• pam launch controller fallback. Falls back to pam/get_configuration_controller when get_controllers misses, matching the web vault.

• Workflow gate is permissive on transport error. Production routers without the workflow API no longer hard-block legacy launch/tunnel.

• pam tunnel stop does not release the workflow lease (intentional, matches web vault). The lease and the tunnel are decoupled so a single approval window can host many sequential or concurrent tunnels; release via expiresOn or explicit pam workflow end.

Workflow configuration (pam workflow create / delete)

• pam workflow create pre-checks for an existing config and fails with an actionable message instead of silently overwriting.

• Creator is no longer auto-added as an approver. When approvalsNeeded > 0, --approver is now required.

• TimeOfDayRange is now encoded as HHMM (server format) instead of minutes-since-midnight.

• pam workflow delete pre-checks and bails with a clear message when there is nothing to delete.

• First-time-launch flow: when a workflow is in no_workflow / needs_start, Commander prompts inline and submits the initial request (matches web vault).

Rotation (pam action rotate)

Rotation now applies the same two gates the web vault applies on the Rotate Now button — and only those two (no workflow gates, no MFA, no time window):

1. Enterprise enforcement — allow_rotate_credentials. The legacy allow_pam_rotation fallback has been dropped so an explicit allow_rotate_credentials: false is honored.

2. Per-PAM-config allowedSettings.rotation — when explicitly false on the PAM config DAG, rotation is skipped with a clear "disabled by PAM Configuration" message.

Personal / non-enterprise accounts are never blocked: malformed or missing enforcement payloads fall through to allow.

PAM project import / extend (#1996)

• --sample-data is fixed.

• Enterprise data is now loaded lazily so pam project import / pam project extend no longer pay an unnecessary upfront cost on accounts with large enterprise trees.

GovCloud

• KRouter and KRelay GovCloud hostnames added for tunneling and rotation in GovCloud environments. (KC-1231)

Fixes

• sf <folder> -e <user> ShareFolderCommand error. Fixed Folder.SharedFolderUpdateUser.manageRecords: Expected an int, got a boolean. — the SharedFolderUpdateUser proto expects SetBooleanValue for manageRecords / manageUsers, which is now what Commander sends. (SharedFolderUpdateTeam and SharedFolderUpdateRecord were not affected.)