Releases: Keeper-Security/Commander

Release 18.0.0

01 May 19:09

Keeper Commander 18.0.0 — Release Notes

This is a major release headlined by KeeperDrive — a brand-new command suite for managing folders, records, sharing, and permissions through the Keeper API. It also adds KCM/Guacamole import for PAM, JSON output for rotation status, automation modes for tunnels, and a new way to add KSM tokens to existing applications.

KeeperDrive

A new kd-* command family for working with KeeperDrive folders, records, sharing, and permissions. All commands require authentication and a synced vault. Visibility is gated behind a feature flag so the commands appear only for permitted users.

The full reference is in KEEPER_DRIVE_COMMANDS.md.

Permission roles

The five sharing roles supported across folder and record commands:

Role                    Description
viewer                  Read-only access
shared-manager          Can manage access grants
content-manager         Can add / edit records
content-share-manager   Can add / remove / edit records and manage access
full-manager            Full control

Folder commands

  • kd-mkdir — create a folder. Supports --color {none,red,orange,yellow,green,blue,gray} and --no-inherit for permission inheritance. // escapes a literal / inside a folder name.
  • kd-rndir — rename a folder, change its color, or toggle permission inheritance (--inherit / --no-inherit). -q suppresses the confirmation message.
  • kd-list — list KeeperDrive folders and records from the local cache. --folders / --records filters, --format {table,csv,json} and --output FILE for export. Each row reports share status and accessor count.
  • kd-rmdir — remove folders. Always shows an impact preview before prompting. Modes: folder-trash (default, recoverable) or delete-permanent (irreversible). Supports --force, --dry-run, --quiet, max 100 folders per invocation.
  • kd-share-folder — grant or remove access (-a {grant,remove}) to one or more folders for one or more recipients (-e is repeatable). @existing / @current targets all current users in the folder. Time-limited shares via --expire-at <ISO> or --expire-in <30d|6mo|1y|24h|30mi|never>.

Record commands

  • kd-record-add — create a record. Required: -t TITLE, -rt TYPE. Optional: -n NOTES, --folder. Fields use type=value or type.label=value notation; run with --syntax-help for the full grammar.
  • kd-record-update — update title, type, notes, or field values for one or more records (-r is repeatable).
  • kd-rm — remove records with an impact preview. Operations:
    • owner-trash (default) — move to owner's trash, recoverable.
    • folder-trash — remove from a folder and trash.
    • unlink — remove from a specific folder only (requires --folder).
      Supports --force, --dry-run, max 500 records per invocation.
  • kd-ln — link a record into a folder (kd-ln <record> <folder>) without removing it from its current location.
  • kd-shortcut list / kd-shortcut keep — manage records that appear in more than one folder. list shows multi-folder records with --format {table,csv,json} and --output; keep retains a record in one folder and unlinks it from all others, with -f to skip the confirmation prompt.

Sharing commands

  • kd-share-record — single command for grant / revoke / transfer-ownership via -a {grant,revoke,owner}. Required: -e EMAIL (repeatable), -r ROLE for grant. Supports -R/--recursive for bulk sharing across a folder tree, --contacts-only, --force, --dry-run, and --expire-at / --expire-in. -a grant on an already-shared record updates the existing role.
  • kd-record-permission — bulk update sharing across all records in a folder (and optionally sub-folders with -R). Required: -a {grant,revoke}, -r ROLE for grant. Always shows a change plan before executing. Supports --force and --dry-run.
  • kd-transfer-record — transfer ownership of one or more records to another user. Irreversible — you lose access after the transfer.
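
The --expire-at / --expire-in pair accepted by kd-share-folder and kd-share-record, as an added example of how a caller can turn those two flags into one absolute expiry before submitting a share. This is not Commander's own parser: the page only lists the accepted suffixes (30d, 6mo, 1y, 24h, 30mi, never), so treating "mo"/"y" as calendar months/years with the day clamped to the target month, returning UTC, and refusing both flags together are assumptions of the example.

```python
from __future__ import annotations

import calendar
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Suffixes taken from the page. "mo" (months) and "mi" (minutes) are both two
# letters on purpose: a bare "30m" is ambiguous and is rejected.
_PATTERN = re.compile(r"^(\d+)(mi|mo|h|d|y)$")


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Small constructor for aware UTC timestamps (used by the examples below)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_expire_in(spec: str, now: Optional[datetime] = None) -> Optional[datetime]:
    """Absolute UTC expiry for an --expire-in value, or None for 'never'.

    Assumption of this example: mi/h/d are exact durations; mo/y advance the
    calendar month and clamp the day (31 Jan + 1mo -> 28/29 Feb).
    """
    spec = spec.strip().lower()
    if spec == "never":
        return None
    m = _PATTERN.match(spec)
    if not m:
        raise ValueError(f"unrecognised --expire-in value {spec!r} "
                         "(expected <n>mi|h|d|mo|y or 'never')")
    n, unit = int(m.group(1)), m.group(2)
    if n == 0:
        raise ValueError("--expire-in must be positive")
    base = now or datetime.now(timezone.utc)
    if base.tzinfo is None:
        raise ValueError("base time must be timezone-aware")
    if unit == "mi":
        return base + timedelta(minutes=n)
    if unit == "h":
        return base + timedelta(hours=n)
    if unit == "d":
        return base + timedelta(days=n)
    months = n if unit == "mo" else 12 * n
    total = base.month - 1 + months
    year, month = base.year + total // 12, total % 12 + 1
    day = min(base.day, calendar.monthrange(year, month)[1])
    return base.replace(year=year, month=month, day=day)


def is_valid_expire_in(spec: str) -> bool:
    """True when parse_expire_in() accepts the value (handy for argument validation)."""
    try:
        parse_expire_in(spec, utc(2026, 1, 1))
        return True
    except ValueError:
        return False


def share_expiry(expire_at: Optional[str], expire_in: Optional[str],
                 now: Optional[datetime] = None) -> Optional[datetime]:
    """Resolve the flag pair: at most one may be given; a naive ISO timestamp is taken as UTC."""
    if expire_at and expire_in:
        raise ValueError("--expire-at and --expire-in are mutually exclusive")
    current = now or datetime.now(timezone.utc)
    if expire_at:
        exp = datetime.fromisoformat(expire_at.replace("Z", "+00:00"))
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        if exp <= current:
            raise ValueError("--expire-at is already in the past")
        return exp
    if expire_in:
        return parse_expire_in(expire_in, current)
    return None


def expiry_to_iso(exp: Optional[datetime]) -> Optional[str]:
    """ISO-8601 UTC string for the resolved expiry; None means the share never expires."""
    return None if exp is None else exp.astimezone(timezone.utc).isoformat(timespec="seconds")
```

The calendar-month branch is the part worth reading: a naive "30 days per month" shortcut silently shifts an expiry picked as "6mo" by several days, and a share that is meant to lapse at month end is exactly the kind of grant that gets forgotten.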

Inspection commands

  • kd-record-details — batch metadata (title, type, version, revision) for one or more records. --format {table,json}.
  • kd-get — full details for a record or folder (fields, notes, access list). --format {detail,json}, -v/--verbose for a per-permission flag breakdown per accessor, --unmask to reveal masked values like passwords.

Cross-type validation (#2008)

Commands now validate that the target's type matches the operation (e.g. record-only commands reject folder UIDs, and vice versa) so a mistyped UID gets a clear error instead of a silent no-op.

PAM

pam project export (new)

Walks the vault graph for a given PAM project configuration UID and emits a JSON document directly re-importable by pam project import.

  • Output schema matches PROJECT_IMPORT_JSON_TEMPLATE exactly (project, shared_folder_users, shared_folder_resources, pam_configuration, pam_data.{resources,users}).
  • Resource UIDs derive deterministically from Keeper record UIDs, so re-imports across tenants are idempotent.
  • sort_keys=True produces deterministic JSON suitable for git diffs.
  • --output FILE writes to disk; omitting prints to stdout.
  • tool_version: "commander-export-1.0" is emitted to enable generator-aware behavior on the import side.
  • Registered as the shortcut x under pam project.

pam project kcm-import / pam project kcm-cleanup (new)

Import connections directly from a KCM / Guacamole database into Keeper PAM.

  • Docker auto-detect.
  • Group filtering.
  • Adaptive throttling.
  • 150+ parameter mappings across SSH, RDP, VNC, Telnet, HTTP, MySQL, PostgreSQL, Oracle, SQL Server, LDAP, and Kubernetes protocols.
  • Round-trip support: KCM-imported records reference users by title in pam_settings.connection.launch_credentials / administrative_credentials. pam project export now resolves title-shaped values against a per-export title-to-UID index built once from record_cache, so exporting and re-importing a KCM project preserves the user list. 22-character UID-shaped values are still accepted as direct UIDs for back-compat with hand-edited records.

pam tunnel automation modes (#1993)

Non-interactive tunnel modes for CI/CD, systemd, and scripts, plus a cross-process session registry so pam tunnel list / pam tunnel stop work across Commander processes.

PAMTunnelStartCommand:

  • --foreground — run in the current process; exit on Ctrl-C or --timeout.
  • --background — spawn a detached child; the parent returns immediately.
  • --run "<cmd>" — start the tunnel, run the command, tear the tunnel down on exit.
  • --timeout / --pid-file for lifecycle control.
  • Mutual-exclusivity checks; safe defaults when no TTY (batch mode).

PAMTunnelListCommand / PAMTunnelStopCommand:

  • Surface tunnels owned by other processes via the file registry.
  • stop sends SIGTERM (Unix) / TerminateProcess (Windows) and cleans the registry row.

New keepercommander/commands/tunnel_registry.py:

  • Atomic JSON writes at <tmp>/keeper-tunnel-sessions/<pid>.json.
  • Stale-entry cleanup, duplicate-bind detection (host/port aware).
  • 0o700 directory permissions on POSIX.
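
An added illustration of the three properties listed for the registry above; this is not the tunnel_registry.py shipped in this release. It shows a per-pid JSON row published atomically (temp file in the same directory, fsync, then os.replace()), stale-row cleanup by probing the recorded pid, host/port-aware duplicate-bind detection, and the directory forced to 0o700 on POSIX. The row fields, the liveness probe, the wildcard-bind rule and the constructed pids in demo() are this example's own assumptions.

```python
from __future__ import annotations

import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional

# Path layout follows the page: <tmp>/keeper-tunnel-sessions/<pid>.json.
Row = Dict[str, object]
WILDCARD_HOSTS = {"", "0.0.0.0", "::"}  # assumption: a wildcard bind collides with every host


def registry_dir(base: Optional[str] = None) -> Path:
    d = Path(base or tempfile.gettempdir()) / "keeper-tunnel-sessions"
    if d.is_symlink():
        raise RuntimeError(f"refusing to use symlinked registry dir {d}")
    d.mkdir(mode=0o700, exist_ok=True)
    if os.name == "posix":
        # mkdir's mode is masked by umask and ignored for a pre-existing directory,
        # so enforce owner-only access explicitly on every start.
        os.chmod(d, 0o700)
    return d


def pid_alive(pid: int) -> bool:
    """POSIX liveness probe. Never use os.kill(pid, 0) on Windows: there it terminates the process."""
    if pid <= 0:
        return False
    if os.name != "posix":
        return True  # conservative: keep the row rather than risk a false 'stale'
    try:
        os.kill(pid, 0)  # signal 0 delivers nothing, only checks existence
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, owned by another user
    return True


def write_session(d: Path, pid: int, host: str, port: int, record_uid: str) -> Path:
    """Publish a row atomically: temp file in the same directory, fsync, then os.replace()."""
    final = d / f"{pid}.json"
    fd, tmp = tempfile.mkstemp(dir=d, prefix=f".{pid}-", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            json.dump({"pid": pid, "host": host, "port": port, "record_uid": record_uid}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, final)  # readers see the old row or the new one, never a torn file
    except BaseException:
        Path(tmp).unlink(missing_ok=True)
        raise
    return final


def load_sessions(d: Path, alive: Callable[[int], bool] = pid_alive) -> List[Row]:
    """Return live rows; delete rows whose pid is gone, mismatches the filename, or whose JSON is unreadable."""
    rows: List[Row] = []
    for p in sorted(d.glob("*.json")):
        try:
            row = json.loads(p.read_text(encoding="utf-8"))
            pid = int(row["pid"])
            if int(p.stem) != pid or not alive(pid):
                raise ValueError("stale")
        except (ValueError, KeyError, TypeError, OSError):
            p.unlink(missing_ok=True)
            continue
        rows.append(row)
    return rows


def find_duplicate_bind(d: Path, host: str, port: int,
                        alive: Callable[[int], bool] = pid_alive) -> Optional[Row]:
    """Host/port-aware conflict check against the live rows."""
    for row in load_sessions(d, alive):
        if row["port"] != port:
            continue
        if row["host"] == host or host in WILDCARD_HOSTS or row["host"] in WILDCARD_HOSTS:
            return row
    return None


def demo() -> dict:
    """Constructed scenario: pid 4242 is 'alive', 4343 is 'dead', plus one corrupt row."""
    base = tempfile.mkdtemp(prefix="keeper-registry-demo-")
    d = registry_dir(base)
    alive = lambda pid: pid == 4242  # stand-in for pid_alive() so the run is deterministic
    write_session(d, 4242, "127.0.0.1", 5432, "dbUid-0001")
    write_session(d, 4343, "127.0.0.1", 3389, "rdpUid-0002")
    (d / "garbage.json").write_text("{not json", encoding="utf-8")
    live = load_sessions(d, alive)
    return {
        "mode": stat.S_IMODE(d.stat().st_mode) if os.name == "posix" else None,
        "live_pids": [r["pid"] for r in live],
        "files_left": sorted(p.name for p in d.iterdir()),
        "dup_same_host": find_duplicate_bind(d, "127.0.0.1", 5432, alive) is not None,
        "dup_wildcard": find_duplicate_bind(d, "0.0.0.0", 5432, alive) is not None,
        "dup_other_port": find_duplicate_bind(d, "127.0.0.1", 5433, alive) is not None,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two details matter for a world-writable temp root: the temp file is created in the registry directory itself (a rename across filesystems is not atomic), and the directory is rejected if it is a symlink, since a pre-planted link would otherwise let another local user read or redirect session rows.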

pam launch improvements (#2009)

  • Surfaces involuntary terminations to the user. A KeeperAI close prints a red "Session terminated by KeeperAI." line; an admin close prints a yellow "Session terminated by administrator." line; other involuntary reasons print a single "Session ended (<reason>)." info line; normal and client-initiated closes remain silent.
  • Distinct exit codes in batch mode. keeper pam launch UID raises SystemExit(40) for KeeperAI termination and SystemExit(41) for admin termination so callers can branch. In the interactive shell, the prompt is restored without tearing the shell down.
  • Fixed close-reason name table in python_handler — previously only mapped codes 0-6 (with the wrong name for code 0) and missed every reason added since, including the two we now act on.
  • Fuzzy record resolution. Falls back to a case-insensitive substring match on PAM record titles and any host / pamHostname field when UID / path / exact-title yield nothing. Multiple matches show a numbered picker (or list-and-exit on non-TTY).

pam rotation info --format=json (KC-1230)

Adds JSON output to PAMRouterGetRotationInfo via the shared json_output_parser (--format {table,json}, --output FILE).

JSON fields when online:

status, ready_to_rotate, pam_config_uid, node_id, gateway_name,
gateway_uid, admin_resource_uid, password_complexity,
password_complexity_detail, schedule_type, schedule_data,
disabled, script_name

Non-online: status, ready_to_rotate=false. Same pattern applied to discoveryrotation_v1.py for parity.

Secrets Manager

secrets-manager token add <APP_UID_OR_NAME> (new)

A thin wrapper around the existing client add flow so operators and automation scripts can add one-time access tokens to an existing KSM application without recreating it. Closes the gap where the only token-generation path was app creation.

Supported flags (same as client add):

--count, --unlock-ip, --first-access-expires-in-min,
--access-expire-in-min, --name, --config-init, --return-tokens

Implementation delegates entirely to KSMCommand.add_client() — no new API surface.

Fixes

  • pam project import rejects duplicate UIDs. process_data now collects all UID values assigned to resources and nested users after the UID-normalization loop and aborts with a clear error if any UID appears more than once. Duplicate UIDs produced an ambiguous dependency gra...
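
Worked illustration, added here and not Commander's own code, of two mechanisms described in these notes: the round-trip resolution in the kcm-import bullet (title-shaped launch_credentials / administrative_credentials looked up in a title-to-UID index built once from the record cache, with 22-character UID-shaped values passed through untouched) and the duplicate-UID check that pam project import now runs over resources and nested users. The record-cache shape, the list-valued credential fields, the users nesting under each resource and all sample data are constructed assumptions.

```python
from __future__ import annotations

import copy
import re
from collections import Counter
from typing import Any, Dict, List

# A Keeper record UID is 22 URL-safe base64 characters (16 random bytes, unpadded).
UID_RE = re.compile(r"^[A-Za-z0-9_-]{22}$")
CREDENTIAL_KEYS = ("launch_credentials", "administrative_credentials")


def build_title_index(record_cache: Dict[str, Dict[str, Any]]) -> Dict[str, List[str]]:
    """Title -> [uid, ...], built once per export. Duplicate titles stay visible so they can be rejected."""
    index: Dict[str, List[str]] = {}
    for uid, rec in record_cache.items():
        index.setdefault(rec["title"], []).append(uid)
    return index


def resolve_user_ref(value: str, index: Dict[str, List[str]]) -> str:
    """Accept a UID-shaped value as-is (hand-edited records); otherwise a title must map to exactly one UID."""
    if UID_RE.match(value):
        return value
    uids = index.get(value, [])
    if len(uids) == 1:
        return uids[0]
    if not uids:
        raise LookupError(f"no PAM user record titled {value!r}")
    raise LookupError(f"title {value!r} matches several records, use a UID instead: {uids}")


def is_resolvable(value: str, index: Dict[str, List[str]]) -> bool:
    try:
        resolve_user_ref(value, index)
        return True
    except LookupError:
        return False


def resolve_resource_credentials(resources: List[Dict[str, Any]],
                                 index: Dict[str, List[str]]) -> List[Dict[str, Any]]:
    """Rewrite title-shaped entries under pam_settings.connection.* to UIDs; the input is left untouched."""
    out = []
    for res in resources:
        res = copy.deepcopy(res)
        conn = res.get("pam_settings", {}).get("connection", {})
        for key in CREDENTIAL_KEYS:
            if key in conn:
                conn[key] = [resolve_user_ref(v, index) for v in conn[key]]
        out.append(res)
    return out


def duplicate_uids(resources: List[Dict[str, Any]]) -> List[str]:
    """UIDs assigned more than once across resources and their nested users; import must abort if non-empty."""
    seen: Counter = Counter()
    for res in resources:
        if res.get("uid"):
            seen[res["uid"]] += 1
        for user in res.get("users", []):
            if user.get("uid"):
                seen[user["uid"]] += 1
    return sorted(uid for uid, n in seen.items() if n > 1)


# Constructed sample (not real Keeper data): three user records, two sharing a title,
# and a second resource whose nested user reuses the first resource's UID by mistake.
SAMPLE_CACHE = {
    "AAAAAAAAAAAAAAAAAAAAAA": {"title": "svc-backup", "type": "pamUser"},
    "BBBBBBBBBBBBBBBBBBBBBB": {"title": "dba-admin", "type": "pamUser"},
    "CCCCCCCCCCCCCCCCCCCCCC": {"title": "dba-admin", "type": "pamUser"},
}
SAMPLE_RESOURCES = [
    {"uid": "RRRRRRRRRRRRRRRRRRRRR1", "title": "pg-prod",
     "pam_settings": {"connection": {"launch_credentials": ["svc-backup"],
                                     "administrative_credentials": ["DDDDDDDDDDDDDDDDDDDDDD"]}},
     "users": [{"uid": "AAAAAAAAAAAAAAAAAAAAAA", "title": "svc-backup"}]},
    {"uid": "RRRRRRRRRRRRRRRRRRRRR2", "title": "pg-replica",
     "pam_settings": {"connection": {"launch_credentials": ["svc-backup"]}},
     "users": [{"uid": "RRRRRRRRRRRRRRRRRRRRR1", "title": "dba-admin"}]},
]
```

The ambiguity branch is the one worth keeping: a title that matches two user records must fail loudly rather than pick the first hit, because the wrong choice silently grants a connection the other account's credentials.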

Release 17.2.16

28 Apr 22:44

Keeper Commander 17.2.16 — Release Notes

This release brings pam launch and pam tunnel start to parity with the web vault's PAM workflow gates, plus GovCloud router support and a few targeted fixes.

PAM

Workflow (pam launch / pam tunnel start) — web-vault parity (#1997)

Gating order on every launch/tunnel is now: enterprise enforcement → PAM config allowed-settings → workflow, matching the web vault.

  • Allowed-time window enforced. Launches outside the configured allowedDays / timeRanges (in the workflow's IANA timezone) are blocked. Overnight ranges that cross midnight are handled; falls back to local time when zoneinfo is unavailable or the tz name is unknown.
  • Hard disconnect at lease expiry. When expiresOn is reached during an active session, both pam launch (interactive shell/RDP) and pam tunnel start tear the connection down immediately — no grace period, no reconnect — matching ConnectionManager.scheduleWorkflowAccessExpiry in the web vault. The "Access expired — session terminated" line prints after the terminal reset so it survives.
  • Inline reason / ticket prompts. When a workflow is in WS_NEEDS_ACTION with AC_REASON or AC_TICKET pending, Commander now prompts inline (multi-line for reason, single-line for ticket) and re-validates, instead of telling the user to run pam workflow request and re-launch. New flags --reason / -r and --ticket / -tk drive the same flow non-interactively. Pure-approval workflows are auto-submitted.
  • Inline check-out prompt. When a workflow is approved but not yet checked out (WS_READY_TO_START), Commander offers Check out 'RECORD' now? [Y/n] and proceeds inline. New --auto-checkout / -aco flag confirms automatically for non-interactive runs.
  • --wait for pending approval. When a workflow lands in WS_WAITING, the new --wait / -w flag polls every 8 seconds until the workflow transitions out of waiting, with --wait-timeout (default 600s). Ctrl+C cancels cleanly.
  • Auto check-in on session end. When pam launch itself triggered the checkout, the lease is released via end_workflow(flow_uid) in the session-end finally. Skipped when the lease already expired or when the user pre-checked-out manually via pam workflow start. (pam tunnel stop intentionally does not release the lease — see note below.)
  • Skip MFA prompt when gateway is offline. Mirrors web vault LaunchButton.tsx: if the controller is not Online, the workflow MFA prompt is skipped and the launch surfaces its own gateway-offline error.
  • pam launch controller fallback. Falls back to pam/get_configuration_controller when get_controllers misses, matching the web vault.
  • Workflow gate is permissive on transport error. Production routers without the workflow API no longer hard-block legacy launch/tunnel.
  • pam tunnel stop does not release the workflow lease (intentional, matches web vault). The lease and the tunnel are decoupled so a single approval window can host many sequential or concurrent tunnels; release via expiresOn or explicit pam workflow end.

Workflow configuration (pam workflow create / delete)

  • pam workflow create pre-checks for an existing config and fails with an actionable message instead of silently overwriting.
  • Creator is no longer auto-added as an approver. When approvalsNeeded > 0, --approver is now required.
  • TimeOfDayRange is now encoded as HHMM (server format) instead of minutes-since-midnight.
  • pam workflow delete pre-checks and bails with a clear message when there is nothing to delete.
  • First-time-launch flow: when a workflow is in no_workflow / needs_start, Commander prompts inline and submits the initial request (matches web vault).
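
An added example, not Commander's own gate, of the two workflow details above that are easy to get wrong: the allowed-time window (allowedDays plus time ranges evaluated in the workflow's IANA timezone, overnight ranges that cross midnight, and a fallback to local time when zoneinfo is unavailable or the name is unknown) and the HHMM boundary encoding that replaced minutes-since-midnight in pam workflow create. Three-letter day names, half-open ranges and the rule that an overnight window belongs to the day it started on are assumptions of the example.

```python
from __future__ import annotations

from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import Iterable, Optional, Tuple, Union

try:
    from zoneinfo import ZoneInfo, ZoneInfoNotFoundError
except ImportError:  # Python < 3.9 without the backports.zoneinfo package
    ZoneInfo = None  # type: ignore[assignment]
    ZoneInfoNotFoundError = Exception  # type: ignore[assignment,misc]

DAY_NAMES = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")  # assumed spelling of allowedDays


def minutes_to_hhmm(minutes: int) -> int:
    """Legacy encoding was minutes-since-midnight; the server wants HHMM (1350 -> 2230)."""
    if not 0 <= minutes < 24 * 60:
        raise ValueError(f"minutes out of range: {minutes}")
    return (minutes // 60) * 100 + minutes % 60


def hhmm_to_time(hhmm: int) -> time:
    """Validate an HHMM boundary: 2460 or 1299 must be rejected, not silently wrapped."""
    hours, mins = divmod(hhmm, 100)
    if not (0 <= hours <= 23 and 0 <= mins <= 59):
        raise ValueError(f"bad HHMM boundary: {hhmm}")
    return time(hours, mins)


def resolve_tz(name: Optional[str]) -> Optional[tzinfo]:
    """IANA zone when resolvable; None means 'fall back to the machine's local time'."""
    if name and ZoneInfo is not None:
        try:
            return ZoneInfo(name)
        except (ZoneInfoNotFoundError, ValueError, KeyError, OSError):
            pass
    return None


def in_allowed_window(now: datetime,
                      allowed_days: Iterable[str],
                      time_ranges: Iterable[Tuple[int, int]],
                      tz: Union[str, tzinfo, None]) -> bool:
    """True when `now` (aware) falls in one of the HHMM ranges on an allowed day, evaluated in `tz`."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    zone = resolve_tz(tz) if (tz is None or isinstance(tz, str)) else tz
    local = now.astimezone(zone)  # astimezone(None) converts to the system's local time
    t = local.time().replace(second=0, microsecond=0)
    today = DAY_NAMES[local.weekday()]
    yesterday = DAY_NAMES[(local.weekday() - 1) % 7]
    days = {d.strip().lower()[:3] for d in allowed_days}
    for start_hhmm, end_hhmm in time_ranges:
        start, end = hhmm_to_time(start_hhmm), hhmm_to_time(end_hhmm)
        if start < end:
            if today in days and start <= t < end:
                return True
        elif start > end:
            # Overnight range such as 2200-0600: before midnight it is today's window,
            # after midnight it still belongs to the day on which it began.
            if today in days and t >= start:
                return True
            if yesterday in days and t < end:
                return True
        # start == end is an empty range and never matches
    return False


def fixed_offset(hours: int) -> tzinfo:
    """Deterministic zone for examples; real workflow records carry an IANA name."""
    return timezone(timedelta(hours=hours))


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)
```

The overnight case is where the checks typically break: at 05:00 on a Wednesday the launch is inside a Tuesday-only 2200-0600 window, but outside a Wednesday-only one, and comparing raw HHMM integers with a single "start <= now <= end" test gets both wrong.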

Rotation (pam action rotate)

Rotation now applies the same two gates the web vault applies on the Rotate Now button — and only those two (no workflow gates, no MFA, no time window):

  1. Enterprise enforcement allow_rotate_credentials. The legacy allow_pam_rotation fallback has been dropped so an explicit allow_rotate_credentials: false is honored.
  2. Per-PAM-config allowedSettings.rotation — when explicitly false on the PAM config DAG, rotation is skipped with a clear "disabled by PAM Configuration" message.

Personal / non-enterprise accounts are never blocked: malformed or missing enforcement payloads fall through to allow.

PAM project import / extend (#1996)

  • --sample-data is fixed.
  • Enterprise data is now loaded lazily so pam project import / pam project extend no longer pay an unnecessary upfront cost on accounts with large enterprise trees.

GovCloud

  • KRouter and KRelay GovCloud hostnames added for tunneling and rotation in GovCloud environments. (KC-1231)

Fixes

  • sf <folder> -e <user> ShareFolderCommand error. Fixed Folder.SharedFolderUpdateUser.manageRecords: Expected an int, got a boolean. — the SharedFolderUpdateUser proto expects SetBooleanValue for manageRecords / manageUsers, which is now what Commander sends. (SharedFolderUpdateTeam and SharedFolderUpdateRecord were not affected.)

Release 17.2.15

24 Apr 21:49

Keeper Commander 17.2.15 — Release Notes

PAM bug fixes

  • Added proper error message when Workflow blocks connection
  • Increased WebRTC connect timeout to accommodate ephemeral accounts
  • Added JIT / Ephemeral support to the pam launch command

Release 17.2.14

24 Apr 18:49

Keeper Commander 17.2.14 — Release Notes

PAM

New: Privileged Workflow Commands

Fixes & polish

  • pam launch performance
  • pam launch MySQL: spinner + CR/LF normalization option (#1963).
  • pam config list: verbose JSON now includes single-config details.
  • pam-debug: corrected IIS pool text.
  • Remote Browser: GET now returns JSON response data.

EPM / PEDM

  • kepm scim now supports Kerberos (KC-1228).
  • PEDM policy creation requires --policy-name and, for elevation / file_access / command policies, at least one user, machine, and application collection — matching the admin console (#1940, #1950).
  • --machine-filter accepts UIDs not in the local collection cache; adds type 201 (CustomMachineCollection) and fixes a KeyError on missing keys (#1971).
  • Automator Create now warns and lists conflicting enabled Automators in the same node before proceeding.

Vault / Records

  • rm --purge flag (KC-625, #1965): default rm unlinks the record from the current user's vault; --purge hard-deletes for all users (owner-only). Adds post-purge sync_down, ambiguous-title UID listing, and a global fallback search for records in shared folders.
  • Fixed ambiguous title-match check so it applies to all record-lookup paths.
  • Added missing record field (#1964).

Import / Integrations

  • CyberArk portal: fixed authentication, added folder import, restored legacy support.
  • JSON import methods now accept stringified JSON in place of a local filename, for SDK integrations.

Service Mode

  • Security hardening of parser responses; improved tree -s -v structure; added share-report, ls, and tree to Slack/Teams setup command lists; corrected flag handling in convert / convert-all (#1945).
  • Removed sync-down from service mode.

Other

  • Fixed Keeper server hostname parsing; deduplicated test module names; security-audit tests migrated to typed records only (#1980).
  • Minor spelling fix.
  • Enterprise Node --wipeout flag now deletes Automator objects and checks for PAM gateways in the node (it does not delete them; it suggests moving them).

Release 17.2.13

15 Apr 01:47

Keeper Commander release version v17.2.13

PAM Fixes

  • Fix rotation settings linking to PAM Configuration instead of PAM Directory when directory_uid is provided
  • Skip email delivery gracefully when email.config_name is set to none/null
  • Add Gateway version check
  • Continue with PAM User creation when AD user already exists instead of failing
  • Send DN instead of username for add-to-group operations
  • Warn when delivery.share_to user may not exist in Keeper
  • Remove stale delivery.method and resource_uid references

Service Mode Fixes

  • Add concurrent v1 compatibility to service queue mode
  • Fix queued v1 timeout race in service mode
  • Keep queue-backed v1 requests waiting after processing starts

Release 17.2.12

09 Apr 23:23

Release Notes — v17.2.12

New Features

  • Bulk Legacy Record Conversion — Added convert-all command for converting legacy records in bulk
  • Secrets Manager Client Revoke — Added command for quick device revocation in secrets-manager
  • Secrets Manager Update — Added update option for secret-manager and updated the app get command
  • PAM Gateway Edit — Added pam gateway edit command
  • Action Report Move — Added move option to action-report with all-status and recursive search support

Improvements

  • EPM Policy Fixes — Multiple fixes and improvements to EPM policies
  • EPM Policy Time Filter — Fixed time filter to use hour integer format (HH-HH)
  • EPM Policy Controls — Corrected file access policy name and control handling
  • PAM Launch Improvements — Improved pam launch command

Bug Fixes

  • Shared Folder get by Name — Resolved an issue where get on a shared folder returned only basic fields
  • KDBX Export Sanitization — Sanitize XML text in KDBX exports and fix workflow proto import

Full Changelog: v17.2.11...v17.2.12

Release 17.2.11

01 Apr 18:07

Release Notes — v17.2.11 (April 1, 2026)

New Features

  • Atlassian Onboarding: Added AD user creation via Gateway with support for username templates.
  • Domain Alias Commands — New commands for managing domain aliases.
  • KEPM Report Value Command — Added report value command for KEPM.
  • PAM Launch "Connect As" — Added "Connect As" options to pam launch, allowing additional records to provide credentials and host:port (#1871).
  • PAM Launch Key-Event Input — Added key-event input support in pam launch for session recording (#1900).
  • PAM Tunnel Diagnose Enhancements — Extended pam tunnel diagnose with full gateway readiness testing (#1885).
  • Share Folder Enhancements — Added path, userId, and expiration date fields to the share folder command (#1893).

Improvements

  • Share Report & Security Audit Report — Updates to share-report and security-audit-report commands (#1896).
  • Secrets Folder Matching — Folders are now matched by name at any depth, reusing their IDs for secrets lookup.
  • PAM Launch SSH Key Lookup — Improved lookup for launch credentials with SSH keys only (#1886).
  • Decreased WebRTC Log Verbosity — Reduced log noise from keeper-pam-webrtc-rs during terminal sessions (#1879).
  • Updated DAG & Discovery Modules — Updated keeper_dag and discovery_common modules.

Bug Fixes

  • PEDM Policy Filters — policy add command now creates all filters.
  • V2 Record Restriction — New clients are prevented from editing or adding v2 records.
  • PAM Launch Fixes — Fixed double newlines on some terminals (Linux, macOS), improved handling of non-terminal protocols (#1870).
  • Launch Credential Update — Fixed launch credential not updating on repeated edit of launch-user (#1884).
  • PAM Launch Port Override — Fixed connection port override for pamHostname (#1881).
  • Security Audit Logic — Fixed needs_security_audit logic.
  • Duplicate Warnings — Fixed duplicate warnings in msp-add and en add.
  • Two-Factor Duration Display — Fixed enforcement display to show single value instead of cumulative list.
  • EPM Bugfixes
  • Service Mode JSON — Fixed JSON handling in service mode (#1882).
  • Broken Import — Fixed broken import after refactoring (#1888).

Release 17.2.10

11 Mar 18:51

Keeper Commander release version v17.2.10

New Features

  • CSPM Integration Type — Added CSPM as a supported integration type for public-api-key
  • pam action debug command — New pam action debug command that dumps all record-related data as JSON for troubleshooting.
  • PAM Graph Inspection — Added inspect_resource_in_graph functionality with a bugfix for JIT/AI encryption settings.
  • KCM Export Script — Script to export KCM resources into a PAM Project template
  • PAM KCM Importer: Template File Support — The PAM KCM Importer now accepts a template JSON file as input

Improvements

  • Terminal Resize Support — Added terminal size tracking and resize event forwarding to guacd for better remote session handling.
  • Custom-Field Fallback — Implemented fallback for config and service_config file types when no file storage is configured (KC-KEPM related).
  • Field Label Population — record-add now populates field labels from the record type schema.
  • Field Lookup by Type — Field lookup now falls back to field type when field type label is missing.
  • SaaS User ACL Fix — Ensured ACL attributes are correctly set for SaaS users.

Bug Fixes

  • Password Score Hang — Fixed an issue where password score calculation would hang if the password was too long.

Release 17.2.9

25 Feb 17:46

Keeper Commander release version v17.2.9

New Features

  • Implemented teams-app-setup command for Microsoft Teams integration
  • Added launch_credentials support to pam project import and pam project extend commands
  • Added Kubernetes config generation to PAM import tooling
  • Added example PAM import generator script

Improvements

  • Fixed stdout/stderr separation for POSIX-compliant piping
  • Upgraded keeper_pam_webrtc_rs to >= 2.0.1

Bug Fixes

  • Suppressed noisy "Successfully authenticated with Persistent Login" message in batch mode
  • Fixed aging row mapping bug that could map aging columns to wrong records when rows had identical content
  • Fixed staleness scope for filtered compliance queries to prevent full enterprise sync on filtered runs
  • Fixed MSP node resolution and enforcement JSON output

Full Changelog: v17.2.8...v17.2.9

Release 17.2.8

19 Feb 22:21

Keeper Commander release version v17.2.8

New Features

  • Added --aging flag to compliance report with record aging data (created, last_modified, last_rotation, last_pw_change)
  • Added --username and --team filters to all compliance subcommands
  • Added --resolve-teams flag to sfr and team-report for expanding team filter to individual team members
  • Added pam project extend command
  • Added --keeper-db-proxy (-kdbp) flag to pam tunnel edit for pamDatabase records
  • Added --launch-user (-lu) flag to pam connection edit for setting launch credentials
  • Updated SaaS commands to use new saasConfiguration record type
  • Added Enforcement and Managed Node Details to enterprise-info Roles output

Improvements

  • Incremental compliance data sync with per-user staleness tracking to avoid full re-fetches on warm cache
  • Per-user cache invalidation for filtered compliance reports — only stale users are fetched from the API
  • Dynamic chunking with probe timeouts for preliminary compliance data fetching
  • Client-side request timeouts to prevent indefinite hangs during compliance sync
  • Enterprise and MSP command improvements

Bug Fixes

  • Fixed trickle ICE handling for pam launch command
  • Fixed lsf returning "No shared folders found" when no search string was provided
  • Fixed cc and ls commands to restore regex search behavior
  • Fixed invalid base64 handling
  • Fixed ACL lookup skipping for configuration records (which have no parent)
  • Prevented PAM records from being used in One-Time Shares
  • Filtered false-positive record_password_change events in compliance report (first-set events discarded)

Full Changelog: v17.2.7...v17.2.8