This release draws a clean line between personal and server-wide settings, and gives every user visibility into what their agents are spending. Settings split into My Settings (/settings) and Server Settings (/admin/settings), with a new Administration dropdown in the top bar that only appears for admins (or a user delegated the list_users permission). Each user now manages their own vault connections and installs skills into a personal library, while server-wide credentials and shared skills stay admin-only. A new Usage dashboard breaks down cost, latency, and token consumption per model and per chat, and a live usage pill in the chat header tracks running tokens, cost, and context-window saturation as a conversation unfolds. SSO logins now merge by email case-insensitively and fall back to the UserInfo endpoint for IdPs that emit bare-sub ID tokens, and model context windows are sourced from a live catalog instead of a frozen built-in table.
Usage and cost tracking
- Persist token counts, USD cost (from a pricing snapshot), total duration, and time-to-first-token for every successful inference call, tagged by model, kind (text, tool turn, title generation, compaction, signal, router), and whether a fallback model was used.
- Add a per-user Usage dashboard (
/usage, reached from the profile dropdown) with Overview, Cost, Latency, and Tokens tabs and a global 24h / 7d / 30d / 90d time-range selector (default 30d). Breakdowns by kind, by model, and by chat (top sessions), plus over-time charts and a cache-hit ratio. - Add a usage pill to the chat header: running input/output tokens (with cached count), cost, and context-window saturation, updating live via a
usage_recordedSSE event and seeded from the backend on reload. Hover for a context bar, input cache split, and per-call counts; a⚠marks turns that used a fallback model. - Usage is strictly per-user —
GET /api/users/{id}/usageandGET /api/chats/{id}/usageonly return the caller's own data. No admin-wide rollup.
Admin and user separation
- Split the single settings page into My Settings (
/settings: Profile, Channels, Skills, MCP, Vault) and Server Settings (/admin/settings: Providers, Models, Skills, Search, Voice, Browser, Vault, Sandbox, Authentication, Single Sign-On, Users, Timezone, Server, Advanced). - Expose
is_adminonUserPermissionsand compute it in the/loginand/registerresponses so admin UI appears immediately without a reload. Admin status is membership in the built-inadminsgroup. - Add an Administration dropdown to the top bar that deep-links into admin tabs. It is hidden entirely unless the user is an admin or holds the
list_userspermission; a delegated user manager sees only the Users entry. - Merge the standalone Theme section into Profile (under a Preferences panel, alongside Timezone) and move the About section into an About dialog (version, CPUs, memory, sandbox driver) opened from the account menu. Add a shared
Dialogprimitive and a hash-aware router helper for deep-linking settings tabs. - Deleting a user now cascades: instead of refusing when the user owns resources, the delete tears down their live apps, MCP servers, and channels, then removes all owned rows — agents, spaces, chats, tasks, credentials, vault connections and grants, shares, memories, policies, API tokens, and OAuth identities. The last-admin safeguard still blocks deleting the final admin (#26).
Personal vault connections
- Split the vault settings into a personal Connections + Local view (
/settings) and a server-wide view (/admin/settings); server-managed connections are hidden from the personal panel. - Let any user add, test, enable/disable, and delete their own vault connections (1Password, Bitwarden, HashiCorp Vault, KeePass) from the UI, with credentials entered through a two-step dialog.
- Validate connections live: the dialog debounce-tests the credentials against the provider as you type (Testing… / Verified / Could not connect) and disables Create until the connection authenticates successfully.
- Drop the vault and advanced steps from the first-run setup wizard; provider configuration now lives in Server Settings → Vault and personal connections in My Settings → Vault.
Personal skills
- Add a per-user skill scope: skills now resolve agent → user → shared → built-in, with personal skills installed under each user's own library.
- Installing or uninstalling at user (personal) scope is self-service for any user and is the default; shared (server-wide) install/uninstall requires admin.
- Thread scope through the Skills settings section and skill browser: scope badges (Agent, Personal, Shared, Built-in), with only skills in the active scope manageable and the rest shown read-only.
SSO and login
- Normalize emails (trim + lowercase) before matching, so an SSO login merges into an existing account regardless of case or surrounding whitespace; the database lookup is now case-insensitive across the board.
- Fall back to the OIDC UserInfo endpoint when the ID token's email is missing or doesn't match a user, for IdPs that emit bare-
subID tokens and return email/name only from UserInfo. Fetch failures are non-fatal. - Fall back through
given_name+family_namethenpreferred_username(then the email local-part) when thenameclaim is missing, instead of jumping straight to "SSO User".
Model catalog
- Resolve OpenRouter-style vendor-namespaced model IDs (
anthropic/claude-…,qwen/qwen3-coder) against the catalog via a vendor-scoped longest-prefix lookup, including dated suffixes likeclaude-opus-4-7-20251210. - Fill model context window and max output from the live model catalog instead of a hardcoded per-provider table; an explicit
context_windowin config still wins, and the catalog only fills what's unset. - Rename the model parameters dialog's Max Tokens field to Max Output Tokens and add an explicit Close button.
Config and reliability
- Default missing config fields on load so a compact on-disk config — where fields left at their default are stripped on save — deserializes cleanly and the server starts even after a partial block is written (#27).
- Surface failures from app stop/restart/delete actions to the user instead of failing silently, and catch fire-and-forget API errors in chat tool resolution and app actions.
Get started
- Quickstart: bring up the stack with Docker Compose in minutes
- Screenshots: see the platform in action
- Documentation: full guides and reference