See AI usage by account type and provider, with clearer cost estimates and a more secure CLI login
Costs, Insights, Agent Sessions, Tool Logs, and Employees now break down AI usage by account type (Team versus Personal) and provider (Claude, Codex, Cursor), with per-account cost estimates spelled out clearly. Logging in to the CLI as a device agent is also more secure, using a one-time PKCE code instead of passing a raw key in a URL.
Features
Break down AI usage by account type and provider#3755 - Costs, Insights, Agent Sessions, Tool Logs, and Employees now split AI usage by account type — Team (enterprise) versus Personal (individual, e.g., Claude Max) — and by provider (Claude, Codex, Cursor). Personal usage is flagged at a glance on sessions and logs, and each employee's linked AI accounts are listed with the option to scope their metrics to a single account. (Author: @daviddanialy)
Clearer cost estimates#3755 - Cost now reads as "Est. cost" (with an explanation on hover) everywhere it appears in Costs and Insights, since the figure is derived from token usage at standard API rates and only reflects real spend on metered accounts, not flat-fee plans like Claude Max, Pro, Team, or Enterprise. Admins can declare a provider integration's billing mode — Metered, Flat rate, or Unknown — under Settings → Logging & Telemetry, and once an account is declared metered, its cost reads as a confident "Cost". (Author: @daviddanialy)
service backs device-agent enrollment: the dashboard CLI callback authorizes a PKCE-bound one-time code against an active session, then redeems it for a per-user API key without the raw key ever traveling in a URL. Existing CLI producer-key login is unchanged. (Author: @bradcypert)
Surface Claude attribution dimensions in the cost explorer#3638 - Telemetry query results and the cost explorer now surface Claude attribution dimensions, giving a clearer view of where usage and cost originate. (Author: @subomi)
Bug fixes
Show historical findings for disabled policies in Risk Events#3847 - Filtering Risk Events by a disabled policy previously returned no results because the query required the policy to be enabled. An explicit policy filter now surfaces that policy's past matches, and the dashboard flags the inactive policy with a banner and an "(inactive)" label in the filter. The default unfiltered view is unchanged and still lists only active policies. (Author: @daviddanialy)
Drop false-positive US driver's license findings#3836 -
Presidio findings are now dropped at the finding level so they never surface, even when a policy pins no entities and Presidio scans its full default recognizer set. (Author: @disintegrator)
Fix dropped connections on function-runner calls#3846 - HTTP keep-alives are now disabled on function-runner calls, and that path gets its own timeout, so retries dial fresh connections instead of reusing pooled connections to Fly machines that were autostopped mid-flight (which surfaced as instant EOF errors). The timeout now sits above the runner's five-minute execution budget, so long tool calls are no longer cancelled by the caller. (Author: @disintegrator)
Fix a nil pointer panic in telemetry SearchUsers#3843 - Calling telemetry SearchUsers without a filter no longer panics. (Author: @disintegrator)
Adjust API endpoint paths to RPC conventions#3825 - Internal API endpoint paths were adjusted to follow existing RPC API conventions. (Author: @disintegrator)