Skip to content

server@0.83.0

Choose a tag to compare

@gram-bot gram-bot released this 10 Jul 05:47
c8b1af0

Minor Changes

  • 5a0f98a: Add organization-scoped externalCredentials management API for CRUD of external credentials (AWS/GCP IAM) used to authenticate Gram into a customer cloud account. Per-provider create/update/get/delete plus a generic supertype-only list with an optional provider filter. Gated on org:read/org:admin and audited under per-provider subjects (aws_iam_credential, gcp_iam_credential).
  • 317d86e: Hook browser login now delivers the minted API key to the local listener as a form POST instead of appending it to the callback URL, keeping the key out of browser history and request logs, and the sign-in tab closes itself once authentication completes. Older dashboards that still redirect with query parameters keep working.
  • 02ac329: Issuer discovery now parses RFC 8414 service_documentation, op_policy_uri, and op_tos_uri and persists them on remote_session_issuers across the project, organization, and global admin surfaces.
  • 4fa3e51: Split the org-admin organizationRemoteSessionIssuers service into three per-resource services mirroring the project-scoped layer: organizationRemoteSessionIssuers, organizationRemoteSessionClients, and organizationRemoteSessions. Pure refactor with no behavior or RBAC change, but breaking for the management API and SDK: every method drops its redundant resource suffix, so the RPC paths and SDK method names change (e.g. organizationRemoteSessionIssuers.createClient becomes organizationRemoteSessionClients.create).

Patch Changes

  • e223d08: fix(telemetry): keep deleted MCP servers' tool-usage classification. Tool-usage target_type now resolves against live + soft-deleted MCP servers, so a managed remote/tunneled server's history no longer flips to shadow_mcp_server once the server is deleted or recreated.
  • dfee73b: fix: make Claude session user attribution deterministic. The hook-supplied device-enrolled employee email now always wins over the OTEL-cached account email (the AI account's own report, e.g. a personal gmail) when both are present — previously whichever ingest stream created the chat row first determined the session's external_user_id. The account's own email is unaffected and remains surfaced via user_accounts / account_email.
  • 11da690: feat: show which users are running the device agent. The org Device Agent page gains an admin-only "Active Users" tab listing who has synced, attributed by the email each agent reports on its ~60s agent.getPlugins poll, with Page.Toolbar search (name/email) and an Active/Stale status filter. A best-effort per-(org, email) last-seen record (throttled to ≤1 write/min) backs a session-secured, org-admin-gated agent.listSyncedUsers endpoint.
  • 74dbfed: feat: add a token usage breakdown to the billing page's Tokens Under Management section (DNO-404). A billing-cycle picker scopes the TUM usage card and a new "Token usage" panel to any contracted cycle; the panel renders a stacked bar chart of org-wide tokens for that cycle, sliced via a grouped, searchable breakdown picker — total, by token type (input / output / cache read / cache write), by risk involvement (tokens from sessions with at least one active risk finding, via the new org-scoped telemetry.queryRiskTokens endpoint), or by analytics dimensions — with daily/weekly/monthly granularity and a cumulative view. Beneath the chart, a usage details table lists per-metric cycle totals with sparklines: token types, agent sessions, tool calls, and message-level stats (tokens in messages with risk findings and tokens from tool-call messages, read from Postgres per-message token counts). The table's measures arrive in a single telemetry.queryTumDetails request, and its totals and time-based overage attribution are normalized to match the billed tokens-under-management numbers exactly, with finalized cycles served from the durable billing snapshots. The section also supports drill-down: clicking a chart bar (or dragging across bars) narrows the whole view to that range (re-bucketing daily), and a time-range picker beside the cycle selector accepts any custom period — typed in natural language or picked from a calendar — with billed normalization and overage reserved for full organization cycles; the usage card is labeled with the billing cycle its totals describe. Cycles are named by month ("June Billing Cycle"), table sections collapse individually or all at once, and a Reset button restores the initial view.
  • 0517e60: Restrict the Observe dashboard section (Costs, MCP & Tools Insights, Employee Enrollment, Agent Sessions, Tool Logs) to org admins. The Observe nav stays visible (like the Secure section), but each Observe page is gated on org:admin, so basic members see an "Access restricted" notice. Basic members also no longer receive environment:read by default.
  • dfee73b: feat: surface the AI account email on agent sessions. chat.listChats and chat.load now return account_email from the linked AI account, and the dashboard shows the personal account's email (e.g. a gmail on Claude Max) on session list rows, the transcript's user messages, and the session details popover — instead of only the attributed employee's work email.
  • 3f15c7c: fix: apply the Tool Logs http.response.status_code filter at the trace level so status-less rows no longer leak 200/success traces into "Non-2xx responses", and add a first-class Error/Success/Blocked/Pending Status filter to the Tool Logs page.