You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This commit was created on GitHub.com and signed with GitHub’s verified signature.
Minor Changes
5a0f98a: Add organization-scoped externalCredentials management API for CRUD of external credentials (AWS/GCP IAM) used to authenticate Gram into a customer cloud account. Per-provider create/update/get/delete plus a generic supertype-only list with an optional provider filter. Gated on org:read/org:admin and audited under per-provider subjects (aws_iam_credential, gcp_iam_credential).
317d86e: Hook browser login now delivers the minted API key to the local listener as a form POST instead of appending it to the callback URL, keeping the key out of browser history and request logs, and the sign-in tab closes itself once authentication completes. Older dashboards that still redirect with query parameters keep working.
02ac329: Issuer discovery now parses RFC 8414 service_documentation, op_policy_uri, and op_tos_uri and persists them on remote_session_issuers across the project, organization, and global admin surfaces.
4fa3e51: Split the org-admin organizationRemoteSessionIssuers service into three per-resource services mirroring the project-scoped layer: organizationRemoteSessionIssuers, organizationRemoteSessionClients, and organizationRemoteSessions. Pure refactor with no behavior or RBAC change, but breaking for the management API and SDK: every method drops its redundant resource suffix, so the RPC paths and SDK method names change (e.g. organizationRemoteSessionIssuers.createClient becomes organizationRemoteSessionClients.create).
Patch Changes
e223d08: fix(telemetry): keep deleted MCP servers' tool-usage classification. Tool-usage target_type now resolves against live + soft-deleted MCP servers, so a managed remote/tunneled server's history no longer flips to shadow_mcp_server once the server is deleted or recreated.
dfee73b: fix: make Claude session user attribution deterministic. The hook-supplied device-enrolled employee email now always wins over the OTEL-cached account email (the AI account's own report, e.g. a personal gmail) when both are present — previously whichever ingest stream created the chat row first determined the session's external_user_id. The account's own email is unaffected and remains surfaced via user_accounts / account_email.
11da690: feat: show which users are running the device agent. The org Device Agent page gains an admin-only "Active Users" tab listing who has synced, attributed by the email each agent reports on its ~60s agent.getPlugins poll, with Page.Toolbar search (name/email) and an Active/Stale status filter. A best-effort per-(org, email) last-seen record (throttled to ≤1 write/min) backs a session-secured, org-admin-gated agent.listSyncedUsers endpoint.
74dbfed: feat: add a token usage breakdown to the billing page's Tokens Under Management section (DNO-404). A billing-cycle picker scopes the TUM usage card and a new "Token usage" panel to any contracted cycle; the panel renders a stacked bar chart of org-wide tokens for that cycle, sliced via a grouped, searchable breakdown picker — total, by token type (input / output / cache read / cache write), by risk involvement (tokens from sessions with at least one active risk finding, via the new org-scoped telemetry.queryRiskTokens endpoint), or by analytics dimensions — with daily/weekly/monthly granularity and a cumulative view. Beneath the chart, a usage details table lists per-metric cycle totals with sparklines: token types, agent sessions, tool calls, and message-level stats (tokens in messages with risk findings and tokens from tool-call messages, read from Postgres per-message token counts). The table's measures arrive in a single telemetry.queryTumDetails request, and its totals and time-based overage attribution are normalized to match the billed tokens-under-management numbers exactly, with finalized cycles served from the durable billing snapshots. The section also supports drill-down: clicking a chart bar (or dragging across bars) narrows the whole view to that range (re-bucketing daily), and a time-range picker beside the cycle selector accepts any custom period — typed in natural language or picked from a calendar — with billed normalization and overage reserved for full organization cycles; the usage card is labeled with the billing cycle its totals describe. Cycles are named by month ("June Billing Cycle"), table sections collapse individually or all at once, and a Reset button restores the initial view.
0517e60: Restrict the Observe dashboard section (Costs, MCP & Tools Insights, Employee Enrollment, Agent Sessions, Tool Logs) to org admins. The Observe nav stays visible (like the Secure section), but each Observe page is gated on org:admin, so basic members see an "Access restricted" notice. Basic members also no longer receive environment:read by default.
dfee73b: feat: surface the AI account email on agent sessions. chat.listChats and chat.load now return account_email from the linked AI account, and the dashboard shows the personal account's email (e.g. a gmail on Claude Max) on session list rows, the transcript's user messages, and the session details popover — instead of only the attributed employee's work email.
3f15c7c: fix: apply the Tool Logs http.response.status_code filter at the trace level so status-less rows no longer leak 200/success traces into "Non-2xx responses", and add a first-class Error/Success/Blocked/Pending Status filter to the Tool Logs page.