# Commander 17.2.16

This release brings `pam launch` and `pam tunnel start` to parity with the web vault's PAM workflow gates, plus GovCloud router support and a few targeted fixes.

### PAM

#### Workflow (`pam launch` / `pam tunnel start`) — web-vault parity ([#1997](https://github.com/Keeper-Security/Commander/pull/1997))

Gating order on every launch/tunnel is now: **enterprise enforcement → PAM config allowed-settings → workflow**, matching the web vault.

* **Allowed-time window enforced.** Launches outside the configured `allowedDays` / `timeRanges` (in the workflow's IANA timezone) are blocked. Overnight ranges that cross midnight are handled; falls back to local time when `zoneinfo` is unavailable or the tz name is unknown.
* **Hard disconnect at lease expiry.** When `expiresOn` is reached during an active session, both `pam launch` (interactive shell/RDP) and `pam tunnel start` tear the connection down immediately — no grace period, no reconnect — matching `ConnectionManager.scheduleWorkflowAccessExpiry` in the web vault. The "Access expired — session terminated" line prints after the terminal reset so it survives.
* **Inline reason / ticket prompts.** When a workflow is in `WS_NEEDS_ACTION` with `AC_REASON` or `AC_TICKET` pending, Commander now prompts inline (multi-line for reason, single-line for ticket) and re-validates, instead of telling the user to run `pam workflow request` and re-launch. New flags `--reason` / `-r` and `--ticket` / `-tk` drive the same flow non-interactively. Pure-approval workflows are auto-submitted.
* **Inline check-out prompt.** When a workflow is approved but not yet checked out (`WS_READY_TO_START`), Commander offers `Check out 'RECORD' now? [Y/n]` and proceeds inline. New `--auto-checkout` / `-aco` flag confirms automatically for non-interactive runs.
* **`--wait` for pending approval.** When a workflow lands in `WS_WAITING`, the new `--wait` / `-w` flag polls every 8 seconds until the workflow transitions out of waiting, with `--wait-timeout` (default 600s). Ctrl+C cancels cleanly.
* **Auto check-in on session end.** When `pam launch` itself triggered the checkout, the lease is released via `end_workflow(flow_uid)` in the session-end `finally` block. Skipped when the lease already expired or when the user pre-checked-out manually via `pam workflow start`. (`pam tunnel stop` intentionally does **not** release the lease — see note below.)
* **Skip MFA prompt when gateway is offline.** Mirrors web vault `LaunchButton.tsx`: if the controller is not Online, the workflow MFA prompt is skipped and the launch surfaces its own gateway-offline error.
* **`pam launch` controller fallback.** Falls back to `pam/get_configuration_controller` when `get_controllers` misses, matching the web vault.
* **Workflow gate is permissive on transport error.** Production routers without the workflow API no longer hard-block legacy launch/tunnel.
* **`pam tunnel stop` does not release the workflow lease** (intentional, matches web vault). The lease and the tunnel are decoupled so a single approval window can host many sequential or concurrent tunnels; release via `expiresOn` or explicit `pam workflow end`.

#### Workflow configuration (`pam workflow create` / `delete`)

* **`pam workflow create`** pre-checks for an existing config and fails with an actionable message instead of silently overwriting.
* Creator is no longer auto-added as an approver. When `approvalsNeeded > 0`, `--approver` is now required.
* `TimeOfDayRange` is now encoded as HHMM (server format) instead of minutes-since-midnight.
* **`pam workflow delete`** pre-checks and bails with a clear message when there is nothing to delete.
* First-time-launch flow: when a workflow is in `no_workflow` / `needs_start`, Commander prompts inline and submits the initial request (matches web vault).
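As an added illustration of the allowed-time window gate and the HHMM `TimeOfDayRange` encoding described above (example code, not Commander's own implementation), the following assumes a workflow config with a `timezone` IANA name, `allowedDays` as weekday integers with 0 = Monday, and `timeRanges` entries with `start`/`end` in HHMM; those field shapes are assumptions, not Commander's schema.

```python
from datetime import datetime, timezone

try:
    from zoneinfo import ZoneInfo, ZoneInfoNotFoundError
except ImportError:  # no zoneinfo module (Python < 3.9): always fall back to local time
    ZoneInfo, ZoneInfoNotFoundError = None, KeyError

# Constructed sample workflow; field names/shapes are assumptions, not Commander's schema.
SAMPLE_WORKFLOW = {"timezone": "America/New_York", "allowedDays": [0, 1, 2, 3, 4],
                   "timeRanges": [{"start": 2200, "end": 600}]}  # Mon-Fri, 22:00 to 06:00

def hhmm_to_minutes(hhmm) -> int:
    """Decode the server's HHMM TimeOfDayRange encoding (2200 -> 1320 minutes since midnight)."""
    hours, minutes = divmod(int(hhmm), 100)
    if not (0 <= hours <= 24 and 0 <= minutes <= 59):
        raise ValueError(f"invalid HHMM value: {hhmm!r}")
    return hours * 60 + minutes

def in_allowed_window(weekday, minute_of_day, allowed_days, time_ranges) -> bool:
    """Pure gate. weekday: 0=Monday..6=Sunday; minute_of_day: local minutes since midnight.
    An empty allowedDays or timeRanges leaves that dimension unrestricted (assumption)."""
    if allowed_days and weekday not in allowed_days:
        return False
    if not time_ranges:
        return True
    for rng in time_ranges:
        start, end = hhmm_to_minutes(rng["start"]), hhmm_to_minutes(rng["end"])
        if start <= end:  # same-day range, e.g. 0900-1700
            if start <= minute_of_day < end:
                return True
        elif minute_of_day >= start or minute_of_day < end:  # overnight range crossing midnight
            return True
    return False

def to_workflow_local(now_utc, tz_name) -> datetime:
    """Convert to the workflow's IANA zone; unknown name or missing zoneinfo -> local time."""
    if ZoneInfo is not None and tz_name:
        try:
            return now_utc.astimezone(ZoneInfo(tz_name))
        except (ZoneInfoNotFoundError, ValueError):
            pass
    return now_utc.astimezone()  # fallback: local time

def launch_allowed(workflow, now_utc_iso=None) -> bool:
    """Decide whether a launch/tunnel may proceed now (or at the given aware ISO timestamp)."""
    now_utc = datetime.fromisoformat(now_utc_iso) if now_utc_iso else datetime.now(timezone.utc)
    local = to_workflow_local(now_utc, workflow.get("timezone"))
    return in_allowed_window(local.weekday(), local.hour * 60 + local.minute,
                             workflow.get("allowedDays") or [], workflow.get("timeRanges") or [])
```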

#### Rotation (`pam action rotate`)

Rotation now applies the same two gates the web vault applies on the **Rotate Now** button — and only those two (no workflow gates, no MFA, no time window):

1. **Enterprise enforcement** — `allow_rotate_credentials`. The legacy `allow_pam_rotation` fallback has been dropped so an explicit `allow_rotate_credentials: false` is honored.
2. **Per-PAM-config `allowedSettings.rotation`** — when explicitly `false` on the PAM config DAG, rotation is skipped with a clear "disabled by PAM Configuration" message.

Personal / non-enterprise accounts are never blocked: malformed or missing enforcement payloads fall through to allow.
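The two Rotate Now gates and their fall-through semantics, as an added example (not Commander's own code); the enforcement and PAM-config payloads are plain dicts here, and the blocked-reason strings are constructed for the example.

```python
from typing import Tuple

ROTATION_BLOCKED_BY_ENFORCEMENT = "Rotation is disabled by enterprise enforcement (allow_rotate_credentials)"
ROTATION_BLOCKED_BY_PAM_CONFIG = "Rotation is disabled by PAM Configuration"


def enterprise_allows_rotation(enforcements) -> bool:
    """Gate 1: only an explicit allow_rotate_credentials == False blocks.
    A missing key or a malformed payload (personal / non-enterprise accounts) falls
    through to allow, and the legacy allow_pam_rotation key is deliberately not consulted."""
    if not isinstance(enforcements, dict):
        return True
    return enforcements.get("allow_rotate_credentials") is not False


def pam_config_allows_rotation(pam_config) -> bool:
    """Gate 2: allowedSettings.rotation on the PAM config DAG blocks only when explicitly False."""
    settings = pam_config.get("allowedSettings") if isinstance(pam_config, dict) else None
    if not isinstance(settings, dict):
        return True
    return settings.get("rotation") is not False


def rotation_gate(enforcements, pam_config) -> Tuple[bool, str]:
    """Apply the two gates in order; returns (allowed, reason_if_blocked)."""
    if not enterprise_allows_rotation(enforcements):
        return False, ROTATION_BLOCKED_BY_ENFORCEMENT
    if not pam_config_allows_rotation(pam_config):
        return False, ROTATION_BLOCKED_BY_PAM_CONFIG
    return True, ""
```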

#### PAM project import / extend ([#1996](https://github.com/Keeper-Security/Commander/pull/1996))

* The `--sample-data` option has been fixed.
* Enterprise data is now loaded lazily so `pam project import` / `pam project extend` no longer pay an unnecessary upfront cost on accounts with large enterprise trees.

#### GovCloud

* **KRouter and KRelay GovCloud hostnames** added for tunneling and rotation in GovCloud environments. (KC-1231)

### Fixes

* **`sf <folder> -e <user>` ShareFolderCommand error.** Fixed `Folder.SharedFolderUpdateUser.manageRecords: Expected an int, got a boolean.` — the `SharedFolderUpdateUser` proto expects `SetBooleanValue` for `manageRecords` / `manageUsers`, which is now what Commander sends. (`SharedFolderUpdateTeam` and `SharedFolderUpdateRecord` were not affected.)
