Conversation
* Adds optional workflow to PAM project import / extend
* Register missing enterprise enforcements in constants.py
* Fix workflow time-of-day decoding (HHMM, not minutes-from-midnight)
* Remove pre-GA dev/qa-only gate from PAM Workflow commands
…ation UserCheck, MachineCheck, and ApplicationCheck already default to ['*'] when not provided, so forcing users to explicitly pass --user-filter, --machine-filter, and --app-filter was unnecessary. Co-authored-by: Cursor <cursoragent@cursor.com>
Date, Time, and Day filters were being saved as ['*'] when not specified, inconsistent with Admin Console behaviour. These fields now default to [] to match the UI. UserCheck, MachineCheck, and ApplicationCheck remain ['*']. Co-authored-by: Cursor <cursoragent@cursor.com>
* Hard-close PAM session tubes on workflow lease expiry
When the workflow lease expires for `pam tunnel start` or `pam launch`,
soft-close the tube now and escalate to keeper_pam_webrtc_rs's new
force_close_tube after 3s. Force-close drops the local TCP listener and
severs in-flight forwarded TCP streams (SSH, MySQL, etc.), which the
prior soft-close did not — an active session would linger past expiry
until the user disconnected manually.
Escalation is gated on both endpoints supporting force_close_tube:
hasattr(tube_registry, "force_close_tube") on the local crate AND
remote SDP-advertised version >= FORCE_CLOSE_MIN_VERSION ("2.1.18").
Older peers fall back to soft close only.
- tunnel_helpers: add escalate_close() shared helper plus
FORCE_CLOSE_MIN_VERSION / FORCE_CLOSE_DELAY_SECONDS constants;
consolidate _version_at_least here as the single source of truth
(terminal_connection.py re-exports for back-compat with launch.py)
- tunnel_and_connections: replace the previously-commented-out soft
close in `pam tunnel start`'s lease-expiry callback with escalate_close
- pam_launch/launch: wire escalate_close into `pam launch`'s
_on_lease_expired (was only setting flags before, no tube close)
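The two-gate escalation described in this commit message, written out as an added example (not Commander's own `tunnel_helpers.escalate_close`). It assumes a registry object with a soft `close_tube(tube_id)` method and, on newer crates, a `force_close_tube(tube_id)` method; the `_OldRegistry` / `_NewRegistry` classes are constructed stand-ins for keeper_pam_webrtc_rs, and `remote_version` stands for the SDP-advertised peer version:

```python
import threading
from typing import Optional

FORCE_CLOSE_MIN_VERSION = "2.1.18"   # value quoted in the commit message
FORCE_CLOSE_DELAY_SECONDS = 3.0      # value quoted in the commit message


def version_at_least(version: str, minimum: str) -> bool:
    """Component-wise compare of dotted numeric versions, so "2.10.0" >= "2.9.99"
    (a plain string compare would get that wrong). Non-numeric parts are ignored."""
    def parse(v: str):
        return [int(p) for p in v.strip().split(".") if p.isdigit()]
    a, b = parse(version), parse(minimum)
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return a >= b


def can_force_close(tube_registry, remote_version: Optional[str]) -> bool:
    """Escalate only when BOTH ends support it: the local crate exposes
    force_close_tube AND the remote peer advertised a new-enough version.
    Unknown remote version is treated as unsupported (fail to soft close)."""
    return (hasattr(tube_registry, "force_close_tube")
            and remote_version is not None
            and version_at_least(remote_version, FORCE_CLOSE_MIN_VERSION))


def escalate_close(tube_registry, tube_id: str, remote_version: Optional[str],
                   delay: float = FORCE_CLOSE_DELAY_SECONDS):
    """Soft-close immediately; if escalation is permitted, force-close after `delay`.
    Returns the Timer (or None when no escalation was scheduled) so a caller can
    cancel it on a clean shutdown or join it in a test."""
    tube_registry.close_tube(tube_id)          # assumed soft-close method name
    if not can_force_close(tube_registry, remote_version):
        return None
    timer = threading.Timer(delay, tube_registry.force_close_tube, args=(tube_id,))
    timer.daemon = True
    timer.start()
    return timer


class _OldRegistry:
    """Constructed stand-in for a crate that only knows soft close."""
    def __init__(self):
        self.events = []

    def close_tube(self, tube_id):
        self.events.append(("soft", tube_id))


class _NewRegistry(_OldRegistry):
    """Constructed stand-in for a crate that also exposes force_close_tube."""
    def force_close_tube(self, tube_id):
        self.events.append(("force", tube_id))


if __name__ == "__main__":
    reg = _NewRegistry()
    t = escalate_close(reg, "tube-1", "2.1.18", delay=0)
    t.join(5)
    print(reg.events)
```

Returning the timer matters in practice: if the user ends the session normally between the soft close and the force close, the caller should cancel it rather than let a stale force-close fire against a tube id that may have been reused.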
* Escalate-close when launch lease already expired at start
* Suppress runaway TURN refresh-permission log leak; harden rust-log filter for concurrent sessions
* Redraw keeper-shell prompt after async lease-expiry message
Adds a one-key path from the SuperShell TUI to a KeeperPAM connection for pamMachine and pamDatabase records.

* `is_launchable(params, record_uid)` and `get_launch_info(...)` exposed as module-level helpers in `pam_launch/launch.py` so the TUI and CLI share the same eligibility/protocol logic without duplicating it.
* SuperShell `L` keybinding suspends the Textual app, runs `PAMLaunchCommand` in the released terminal, and resumes the TUI when the session ends. `CommandError` failures show a clean message; other exceptions still log a traceback. Both pause for Enter so the user sees the message before the TUI redraws.
* Detail view for pamMachine/pamDatabase strips the noisy `pamHostname`, `pamSettings`, `trafficEncryptionSeed`, and `checkbox:*` fields (multi-line dict continuations included via brace counting). JSON view is unchanged.
* New "Launch" section rendered after the Title shows protocol, host, credential, and a visual "Press L to Launch <PROTOCOL>" button. `(prompted at launch)` placeholders cover `allowSupplyHost` / `allowSupplyUser` records that have no static value.
* `pam launch` now prompts for `host:port` instead of erroring when `allowSupplyHost: True`, no `--host` is given, and the record has no static hostname. Up to 3 retries on bad input with the expected format shown in the prompt; non-TTY behavior preserved.
* Help modal lists the new `L` action.
When `keeper login` runs from the system shell (batch mode), the hint to change the data center previously suggested `login --server <region>` which dispatches to macOS/Linux `login(1)` instead of Commander. The hint now reads `keeper login --server <region>` in batch mode and keeps `login --server <region>` for the interactive Keeper shell.
Co-authored-by: Craig Lurey <craiglurey@gmail.com>
…nose; fix log noise (#2020)

tunnel_and_connections.py:
- Add --turn-test flag: establishes a real WebRTC/TURN connection through the gateway without proxying traffic, reproducing the full ICE path
- Add --stun-only flag: same probe with TURN credentials stripped on both sides, restricting ICE to host/srflx candidates; confirms the reflexive path works independently of the relay. Mutually exclusive with --turn-test
- Add --probe-duration (default 30s) to hold the connection open; use 360+ to trigger and verify survival of the ~300s permission refresh cycle
- Add --probe-count for concurrent connection load testing
- Add --stress-test: connection cycling, throughput across 64B–256KB frame sizes, and concurrent load; implies --turn-test
- Add --test-dns/--test-aws/--test-tcp/--test-udp/--test-ice/--test-webrtc flags as per-test alternatives to the comma-separated --test string; both styles can be combined and are merged into a single validated set
- Add _yellow() color helper for diagnostic output
- Section header, connect label, hold message, throughput, and stability labels all adapt to STUN vs TURN mode

tunnel_helpers.py:
- Add probe_stun_only param to start_rust_tunnel: strips turn_url, turn_username, turn_password from webrtc_settings so Commander's ICE agent gathers no relay candidates; sends stun_only=True to gateway
- Add turn.client.relay_conn to webrtc crate suppression lists so the periodic "fail to refresh permissions" error no longer leaks to terminal
- Add NullHandler to all loggers configured with propagate=False; without a handler Python's lastResort StreamHandler fires when callHandlers() finds found=0, bypassing propagate=False
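The lastResort behaviour the tunnel_helpers.py note relies on, shown as an added example rather than Commander's code. A logger with `propagate=False` and no handlers still writes to stderr, because `Logger.callHandlers` falls through to `logging.lastResort` whenever it found zero handlers on the walk up the tree; a `NullHandler` counts as a found handler and so silences it. The logger names and the log message are constructed for the demonstration; the example swaps `logging.lastResort` for a counting handler so the effect can be observed without capturing stderr:

```python
import logging


class _CountingHandler(logging.Handler):
    """Stand-in for the stdlib lastResort handler that records what reaches it."""

    def __init__(self):
        super().__init__(level=logging.WARNING)   # same level as logging.lastResort
        self.records = []

    def emit(self, record):
        self.records.append(record)


def configure_quiet_logger(name: str, add_null_handler: bool) -> logging.Logger:
    """Mirror the suppression-list setup: a named logger that must not propagate
    to the root handlers. With add_null_handler=False this is the buggy form."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    if add_null_handler:
        logger.addHandler(logging.NullHandler())   # found=1, lastResort never consulted
    return logger


def emissions_via_last_resort(name: str, add_null_handler: bool) -> int:
    """Log one error on the configured logger and return how many records
    escaped through the module-level lastResort handler."""
    logger = configure_quiet_logger(name, add_null_handler)
    counter = _CountingHandler()
    saved = logging.lastResort
    logging.lastResort = counter          # callHandlers reads this module global
    try:
        logger.error("fail to refresh permissions")   # constructed message
    finally:
        logging.lastResort = saved
    return len(counter.records)


if __name__ == "__main__":
    print("no handler :", emissions_via_last_resort("demo.noisy", False))
    print("NullHandler:", emissions_via_last_resort("demo.quiet", True))
```

The same trap applies to any "silence this library" recipe that only sets `propagate = False`: without a handler attached, WARNING and above still reach the terminal through lastResort, and the output bypasses whatever formatters and filters are on the root logger.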
* Implement workflow recent changes after apr 22
* Remove flow uid support in state
* Remove column from my-access and fix mfa prompts
* Fix flow uids starting with - and my-access table view
* Add record type validation for workflows
* Add better error handling
* Update for review comments and tzlocal library for windows
* Implement Enforcement of Record Password and Types policies
* Improve password complexity and record type enforcement validation
* Add --effective flag in rti for list of allowed records.
* rename "shared-manager" role label to "share-manager" (#2040)
* claude review changes
* added share-manager mapping
* Updated master password grading to use zxcvbn
* Added zxcvbn to install_requires
* Added zxcvbn-based master password strength grading alongside BreachWatch score.
* Addressed PR review comments on master_password_score
These commands(aws-secrets-import, azure-secrets-import, gcp-secrets-import) allow users to perform a one-time import of their secrets from AWS, Azure, or Google Cloud into Keeper. The secret values are parsed into key/value pairs and result in records with corresponding field names and field values. This is to allow customers to be able perform a one-time import and then use Universal Secrets Sync to let Keeper be the source of truth for these secrets going forward.
Change List:
- Make rotation: block optional in credential-provision YAML
- Add rotation.on_demand flag for manual-trigger rotation mode
- Add rotation.rotate_on_provision flag to defer immediate rotation
- Add account.existing_password for bring-your-own-password onboarding
- Validator INVARIANT-001 rejects push-to-target combinations
- Skip _create_ad_user_via_gateway when existing_password is set
- Defer AD group-add to after PAM user creation + rotation
- Fix NameError in cp --output json --dry-run (absorbs 97dc8893)
- Update inline help text; rewrite _dry_run_report
* Implement SSO Cloud Command
* Fix cloud create bug
* Add different steps for different IDPs
* Add guide command and fix download upload azure idp issues
* Refactor sso cloud code
* Fix for review comments
* Update copyright mark with correct mail ID
* Update logo in init file
* Fix review comments
* Fix review comment
* Update minor ui fixes
* fix json issue
When starting tunnels from Windows, Keeper reuses the same port (49152). This is because of SO_REUSEADDR and Windows behavior, and is resolved when disabling it.
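The port-selection pitfall behind this commit, as an added example that is not Commander's own listener code. On Windows, `SO_REUSEADDR` lets a new socket bind a port another socket already holds, so a probe that sets it will report an occupied port as free and every tunnel lands on the same port; the fix is to leave `SO_REUSEADDR` off for the probe and, on Windows, ask for `SO_EXCLUSIVEADDRUSE` so the bind fails loudly instead. The starting port 49152 is taken from the commit message; the loopback host and the attempt count are assumptions, and the socket is returned still bound so the caller owns the port rather than re-racing for it:

```python
import socket
import sys

# 49152 is the port named in the commit message (first port of the dynamic range).
DEFAULT_START_PORT = 49152


def pick_listen_port(host: str = "127.0.0.1", start: int = DEFAULT_START_PORT,
                     attempts: int = 200):
    """Return (port, listening socket) for the first port in [start, start+attempts)
    that can be bound exclusively.

    SO_REUSEADDR is deliberately NOT set. On Windows it permits binding a port
    that is already bound by another socket, so a probe using it sees every port
    as free and hands out the same one repeatedly. SO_EXCLUSIVEADDRUSE (Windows
    only; absent on other platforms, hence getattr) makes such a bind fail.

    The socket is handed back bound and listening: closing a probe socket and
    binding again later reopens the race with any other local process."""
    exclusive = getattr(socket, "SO_EXCLUSIVEADDRUSE", None)
    for port in range(start, start + attempts):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            if sys.platform == "win32" and exclusive is not None:
                sock.setsockopt(socket.SOL_SOCKET, exclusive, 1)
            sock.bind((host, port))
            sock.listen(1)
            return port, sock
        except OSError:
            sock.close()          # port in use (or otherwise unbindable): try the next one
    raise RuntimeError(f"no free port in {start}-{start + attempts - 1} on {host}")


if __name__ == "__main__":
    first_port, first_sock = pick_listen_port()
    second_port, second_sock = pick_listen_port()
    print("tunnel 1 on", first_port, "tunnel 2 on", second_port)
    first_sock.close()
    second_sock.close()
```

Two consecutive calls must yield two different ports; with `SO_REUSEADDR` set on the probe socket under Windows they would not, which is exactly the symptom the commit describes.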