SURF Admin — Release Notes (June 2026)

<aside> 🗓️ Release: June 2026 · Scope: Admin dashboard backend · Prepared from a code/PR scan of the release window (merged through PR #2974, 2026-06-05). Every item is mapped to the merged code so the notes reflect what actually shipped.

</aside>

New features

PAM / Boundary / Guacamole

Forward proxy support for Boundary & Guacamole — route the admin backend's outbound calls to Boundary controllers and Guacamole servers through an HTTP/HTTPS forward proxy, with per-proxy auth and independent target-TLS verification. (PR #2512)
Guacamole session-recording viewer — view and download recorded PAM sessions under Remote Desktop Gateway → Gateway Dashboard → Recordings tab (per active user: Remote Host, Connection Name, Start Time, Duration, ▶ playback). Gated by the useVideoRecording company feature. (commit a57a37683)
Monthly AD password rotation interval (JIT PAM) — reuse one encrypted JIT AD password across Temporal Guacamole + Boundary RDP for N days (1–365; 30 = monthly); null/0 = rotate every connection. Open Guacamole JIT sessions close only after a successful LDAP change. (PR #2974)

Authentication & access control

Auto identity-switch on IdP login domains — when a user reaches a corporate IdP login page (login.microsoftonline.com, accounts.google.com, okta.com, or any admin-added domain) the agent enforces the corporate login flow. Admins manage the enforced-login domain list with CSV import/export.
Personal login by category — control personal logins in three modes: block all · specific allow/block URL lists · by URL category. (PRs #2896, #2903)
Per-user, time-boxed web-filter access — grant a single user temporary access from an Alert (scope = User) until a chosen revocation date; auto-expires. WebFilter violations only. (PRs #2686, #2689)

Policy management

Product-Owner policy exclusion per company — exclude specific parent policies (Download, DLP, WebFilter, Advanced Protection, …); excluding disables the policy + dependent feature flags and is audited. Full feature-profile companies only. (PR #2957)
Clone policies to an existing group (J&T) — copy all policies from one existing group to another; re-copying overwrites (no duplication). (PR #2963)

Shadow AI / Shadow IT

Shared-account (credential-sharing) evidence — count of other users on the same shared login + a drill-down of who shared it; sensitive-prompt settings are role-restricted (Super Admin / Product Owner). (PR #2946)

Improvements

Alerts view — grouped, paginated, with statistics — violations collapse by group/policy/resource/classification with per-group counts and an aggregate header (total groups, total alerts, affected distinct users, unresolved), plus drill-down per group. (PR #2945)
Sortable Shadow AI/IT detail tables — sort by any column, not just timestamp.
Azure / Entra group sync hardening — expands nested groups and fully pages large groups (>999 members); no members dropped.
Entra sync — match users by email (UPN fallback) via a Sync-by-email toggle. (PR #2697)