Assistants self-serve signup, credit gating, and risk policy expansions
This release lets unauthenticated users land on Gram with and have an org auto-provisioned with the free-tier Polar subscription pre-attached. It also adds a credit-balance gate on
, environment cloning, user session management APIs, and two new risk policy sources for destructive CLI commands and prompt injection.
Features
- Auto-provision org on assistants signup #2656 - Auto-provisions an org and attaches the free-tier Polar subscription when an unauthenticated user lands on Gram with and has no org after IDP signin. Materializes the default project and environment, marks the org as whitelisted to bypass the BookDemo gate, and redirects to. (Author: @danielkov )
- User session management API #2645 - Adds management APIs for user sessions: ,,, andfor configuring auth servers, inspecting OAuth clients, listing minted sessions, and managing consent records. (Author: @qstearns )
- Destructive CLI command policy #2607 - Adds a risk-policy source for flagging destructive CLI commands. Covers shell (,,,,), git (,,), database (,, unguarded), and cloud (,,) destructive patterns. Surfaces in PolicyCenter as a "Destructive CLI Commands" rule category. (Author: @bradcypert )
- Heuristic prompt injection detection #2606 - Adds a "Prompt Injection" risk policy category to flag or block instruction overrides, role hijacks, system-prompt leaks, encoded payloads, delimiter injection, and shell tool-abuse attempts. (Author: @vishalg0wda )
- Credit-balance gate on chat completions #2566 - Adds a pre-request credit check on for free-tier orgs. Returns HTTP 402once the cached Polar Chat Credits balance is exhausted. Pro and enterprise stay bounded by the existing OpenRouter monthly key cap. Self-serve top-up checkout is available via. (Author: @danielkov )
- Model context window in chat completions metadata #2641 - Decorates responses with the upstream model's context window via aextension. Pulled from OpenRouter's per-model listing and cached for 72 hours. The streaming path injects the value into the final SSE frame. (Author: @danielkov )
- Environment cloning #2561 - Adds a clone action to environment cards on the Environments page. The clone dialog lets users pick a new name and choose whether to copy only variable names with empty placeholders or duplicate the encrypted secret values. Ciphertext is copied row-to-row inside Postgres, never decrypted. Gated by plus a per-resource read check on the source environment. (Author: @simplesagar )
Bug fixes
- Catalog registry pagination #2649 - Fixes catalog registry pagination so infinite scroll fetches all entries beyond the first page. now returns the upstream registry'salongside the server list, whichpasses through to the API response. (Author: @walker-tx )
- OAuth discovery for root-level well-known metadata #2662 - Fixes OAuth discovery for MCP servers that host well-known metadata at the origin root regardless of endpoint path (such as Atlassian). The discovery chain now retries both andagainst the origin root with the path stripped. (Author: @walker-tx )
- Marketplace plugin restart caching #2670 - Fixes private Claude Code plugins showing "not cached at (not recorded)" after restarting Claude Code. The marketplace proxy now fetches the current HEAD commit SHA and embeds it alongside in eachplugin source, giving Claude Code a stable cache key that survives restarts. (Author: @bradcypert )
- PostHog event on assistants auto-provision #2673 - Captures a PostHog event when the auth callback auto-provisions an org for a user landing with. The event carries,,, andso the funnel from signup to benefit attach is observable. (Author: @danielkov )
- Denied challenges widget filter #2676 - Filters the "Recent Challenges" widget on the org home page to only show denied, unresolved challenges. When there are no denied challenges, the widget now renders the same empty state used on the Denied tab of the Challenges page. (Author: @adaam2 )
