@desplega.ai/agent-swarm 1.56.6 → 1.57.1

package/openapi.json

@@ -2,7 +2,7 @@
   "openapi": "3.1.0",
   "info": {
     "title": "Agent Swarm API",
-    "version": "1.56.5",
+    "version": "1.57.0",
     "description": "Multi-agent orchestration API for Claude Code, Codex, and Gemini CLI. Enables task distribution, agent communication, and service discovery.\n\nMCP tools are documented separately in [MCP.md](./MCP.md)."
   },
   "servers": [
@@ -1646,6 +1646,37 @@
         }
       }
     },
+    "/api/keys/costs": {
+      "get": {
+        "summary": "Get aggregated cost data per API key",
+        "tags": [
+          "API Keys"
+        ],
+        "security": [
+          {
+            "bearerAuth": []
+          }
+        ],
+        "parameters": [
+          {
+            "schema": {
+              "type": "string"
+            },
+            "required": false,
+            "name": "keyType",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Per-key cost aggregation"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        }
+      }
+    },
     "/api/events": {
       "post": {
         "summary": "Store a single event",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@desplega.ai/agent-swarm",
-  "version": "1.56.6",
+  "version": "1.57.1",
   "description": "Multi-agent orchestration for Claude Code, Codex, Gemini CLI, and other AI coding assistants",
   "license": "MIT",
   "author": "desplega.sh <contact@desplega.sh>",

package/src/be/date-utils.ts

@@ -0,0 +1,28 @@
+/**
+ * Normalizes date strings from SQLite to ISO 8601 UTC format.
+ *
+ * SQLite's `datetime('now')` and `CURRENT_TIMESTAMP` produce bare format
+ * `YYYY-MM-DD HH:MM:SS` which browsers parse as local time. This utility
+ * converts them to `YYYY-MM-DDTHH:MM:SS.000Z` so they're unambiguously UTC.
+ */
+
+const BARE_DATETIME_RE = /^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$/;
+
+export function normalizeDate(date: string | null | undefined): string | null {
+  if (date == null) return null;
+  if (BARE_DATETIME_RE.test(date)) {
+    return `${date.replace(" ", "T")}.000Z`;
+  }
+  return date;
+}
+
+/**
+ * Non-null variant for required date fields.
+ * Returns the input unchanged if already ISO 8601, or converts bare format.
+ */
+export function normalizeDateRequired(date: string): string {
+  if (BARE_DATETIME_RE.test(date)) {
+    return `${date.replace(" ", "T")}.000Z`;
+  }
+  return date;
+}

package/src/be/db-queries/oauth.ts

@@ -1,12 +1,30 @@
 import type { OAuthApp, OAuthTokens } from "../../tracker/types";
+import { normalizeDateRequired } from "../date-utils";
 import { getDb } from "../db";
 
 // ── OAuth Apps ──
 
+function normalizeOAuthApp(row: OAuthApp): OAuthApp {
+  return {
+    ...row,
+    createdAt: normalizeDateRequired(row.createdAt),
+    updatedAt: normalizeDateRequired(row.updatedAt),
+  };
+}
+
+function normalizeOAuthTokens(row: OAuthTokens): OAuthTokens {
+  return {
+    ...row,
+    createdAt: normalizeDateRequired(row.createdAt),
+    updatedAt: normalizeDateRequired(row.updatedAt),
+  };
+}
+
 export function getOAuthApp(provider: string): OAuthApp | null {
-  return getDb()
+  const row = getDb()
     .query("SELECT * FROM oauth_apps WHERE provider = ?")
     .get(provider) as OAuthApp | null;
+  return row ? normalizeOAuthApp(row) : null;
 }
 
 export function upsertOAuthApp(
@@ -33,7 +51,7 @@ export function upsertOAuthApp(
          redirectUri = excluded.redirectUri,
          scopes = excluded.scopes,
          metadata = excluded.metadata,
-         updatedAt = datetime('now')`,
+         updatedAt = strftime('%Y-%m-%dT%H:%M:%fZ', 'now')`,
     )
     .run(
       provider,
@@ -50,9 +68,10 @@ export function upsertOAuthApp(
 // ── OAuth Tokens ──
 
 export function getOAuthTokens(provider: string): OAuthTokens | null {
-  return getDb()
+  const row = getDb()
     .query("SELECT * FROM oauth_tokens WHERE provider = ?")
     .get(provider) as OAuthTokens | null;
+  return row ? normalizeOAuthTokens(row) : null;
 }
 
 export function storeOAuthTokens(
@@ -73,7 +92,7 @@ export function storeOAuthTokens(
          refreshToken = COALESCE(excluded.refreshToken, oauth_tokens.refreshToken),
          expiresAt = excluded.expiresAt,
          scope = COALESCE(excluded.scope, oauth_tokens.scope),
-         updatedAt = datetime('now')`,
+         updatedAt = strftime('%Y-%m-%dT%H:%M:%fZ', 'now')`,
     )
     .run(provider, data.accessToken, data.refreshToken ?? null, data.expiresAt, data.scope ?? null);
 }

package/src/be/db-queries/tracker.ts

@@ -1,6 +1,22 @@
 import type { TrackerAgentMapping, TrackerSync } from "../../tracker/types";
+import { normalizeDateRequired } from "../date-utils";
 import { getDb } from "../db";
 
+function normalizeTrackerSync(row: TrackerSync): TrackerSync {
+  return {
+    ...row,
+    lastSyncedAt: normalizeDateRequired(row.lastSyncedAt),
+    createdAt: normalizeDateRequired(row.createdAt),
+  };
+}
+
+function normalizeTrackerAgentMapping(row: TrackerAgentMapping): TrackerAgentMapping {
+  return {
+    ...row,
+    createdAt: normalizeDateRequired(row.createdAt),
+  };
+}
+
 // ── Tracker Sync ──
 
 export function getTrackerSync(
@@ -8,9 +24,10 @@ export function getTrackerSync(
   entityType: "task",
   swarmId: string,
 ): TrackerSync | null {
-  return getDb()
+  const row = getDb()
     .query("SELECT * FROM tracker_sync WHERE provider = ? AND entityType = ? AND swarmId = ?")
     .get(provider, entityType, swarmId) as TrackerSync | null;
+  return row ? normalizeTrackerSync(row) : null;
 }
 
 export function getTrackerSyncByExternalId(
@@ -18,9 +35,10 @@ export function getTrackerSyncByExternalId(
   entityType: "task",
   externalId: string,
 ): TrackerSync | null {
-  return getDb()
+  const row = getDb()
     .query("SELECT * FROM tracker_sync WHERE provider = ? AND entityType = ? AND externalId = ?")
     .get(provider, entityType, externalId) as TrackerSync | null;
+  return row ? normalizeTrackerSync(row) : null;
 }
 
 export function createTrackerSync(data: {
@@ -53,7 +71,7 @@ export function createTrackerSync(data: {
       data.lastDeliveryId ?? null,
       data.syncDirection ?? "inbound",
     ) as TrackerSync;
-  return result;
+  return normalizeTrackerSync(result);
 }
 
 export function updateTrackerSync(
@@ -124,9 +142,11 @@ export function getAllTrackerSyncs(provider?: string, entityType?: "task"): Trac
   }
 
   const where = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
-  return getDb()
-    .query(`SELECT * FROM tracker_sync ${where} ORDER BY createdAt DESC`)
-    .all(...values) as TrackerSync[];
+  return (
+    getDb()
+      .query(`SELECT * FROM tracker_sync ${where} ORDER BY createdAt DESC`)
+      .all(...values) as TrackerSync[]
+  ).map(normalizeTrackerSync);
 }
 
 // ── Tracker Agent Mapping ──
@@ -135,18 +155,20 @@ export function getTrackerAgentMapping(
   provider: string,
   agentId: string,
 ): TrackerAgentMapping | null {
-  return getDb()
+  const row = getDb()
     .query("SELECT * FROM tracker_agent_mapping WHERE provider = ? AND agentId = ?")
     .get(provider, agentId) as TrackerAgentMapping | null;
+  return row ? normalizeTrackerAgentMapping(row) : null;
 }
 
 export function getTrackerAgentMappingByExternalUser(
   provider: string,
   externalUserId: string,
 ): TrackerAgentMapping | null {
-  return getDb()
+  const row = getDb()
     .query("SELECT * FROM tracker_agent_mapping WHERE provider = ? AND externalUserId = ?")
     .get(provider, externalUserId) as TrackerAgentMapping | null;
+  return row ? normalizeTrackerAgentMapping(row) : null;
 }
 
 export function createTrackerAgentMapping(data: {
@@ -155,13 +177,14 @@ export function createTrackerAgentMapping(data: {
   externalUserId: string;
   agentName: string;
 }): TrackerAgentMapping {
-  return getDb()
+  const result = getDb()
     .query(
       `INSERT INTO tracker_agent_mapping (provider, agentId, externalUserId, agentName)
        VALUES (?, ?, ?, ?)
        RETURNING *`,
     )
     .get(data.provider, data.agentId, data.externalUserId, data.agentName) as TrackerAgentMapping;
+  return normalizeTrackerAgentMapping(result);
 }
 
 export function deleteTrackerAgentMapping(provider: string, agentId: string): void {
@@ -172,11 +195,15 @@ export function deleteTrackerAgentMapping(provider: string, agentId: string): vo
 
 export function getAllTrackerAgentMappings(provider?: string): TrackerAgentMapping[] {
   if (provider) {
-    return getDb()
-      .query("SELECT * FROM tracker_agent_mapping WHERE provider = ? ORDER BY createdAt DESC")
-      .all(provider) as TrackerAgentMapping[];
+    return (
+      getDb()
+        .query("SELECT * FROM tracker_agent_mapping WHERE provider = ? ORDER BY createdAt DESC")
+        .all(provider) as TrackerAgentMapping[]
+    ).map(normalizeTrackerAgentMapping);
   }
-  return getDb()
-    .query("SELECT * FROM tracker_agent_mapping ORDER BY createdAt DESC")
-    .all() as TrackerAgentMapping[];
+  return (
+    getDb()
+      .query("SELECT * FROM tracker_agent_mapping ORDER BY createdAt DESC")
+      .all() as TrackerAgentMapping[]
+  ).map(normalizeTrackerAgentMapping);
 }

package/src/be/db.ts

@@ -55,6 +55,7 @@ import type {
   WorkflowSnapshot,
   WorkflowVersion,
 } from "../types";
+import { normalizeDate, normalizeDateRequired } from "./date-utils";
 import { runMigrations } from "./migrations/runner";
 import { seedDefaultTemplates } from "./seed";
 
@@ -727,6 +728,8 @@ type AgentTaskRow = {
   totalContextTokensUsed: number | null;
   contextWindowSize: number | null;
   was_paused: number;
+  credentialKeySuffix: string | null;
+  credentialKeyType: string | null;
 };
 
 function rowToAgentTask(row: AgentTaskRow): AgentTask {
@@ -780,6 +783,8 @@ function rowToAgentTask(row: AgentTaskRow): AgentTask {
     output: row.output ?? undefined,
     progress: row.progress ?? undefined,
     wasPaused: !!row.was_paused,
+    credentialKeySuffix: row.credentialKeySuffix ?? undefined,
+    credentialKeyType: row.credentialKeyType ?? undefined,
   };
 }
 
@@ -3956,17 +3961,17 @@ function rowToScheduledTask(row: ScheduledTaskRow): ScheduledTask {
     priority: row.priority,
     targetAgentId: row.targetAgentId ?? undefined,
     enabled: row.enabled === 1,
-    lastRunAt: row.lastRunAt ?? undefined,
-    nextRunAt: row.nextRunAt ?? undefined,
+    lastRunAt: normalizeDate(row.lastRunAt) ?? undefined,
+    nextRunAt: normalizeDate(row.nextRunAt) ?? undefined,
     createdByAgentId: row.createdByAgentId ?? undefined,
     timezone: row.timezone,
     consecutiveErrors: row.consecutiveErrors ?? 0,
-    lastErrorAt: row.lastErrorAt ?? undefined,
+    lastErrorAt: normalizeDate(row.lastErrorAt) ?? undefined,
     lastErrorMessage: row.lastErrorMessage ?? undefined,
     model: (row.model as "haiku" | "sonnet" | "opus" | null) ?? undefined,
     scheduleType: row.scheduleType as "recurring" | "one_time",
-    createdAt: row.createdAt,
-    lastUpdatedAt: row.lastUpdatedAt,
+    createdAt: normalizeDateRequired(row.createdAt),
+    lastUpdatedAt: normalizeDateRequired(row.lastUpdatedAt),
   };
 }
 
@@ -5237,8 +5242,8 @@ function rowToWorkflow(row: WorkflowRow): Workflow {
     dir: row.dir ?? undefined,
     vcsRepo: row.vcs_repo ?? undefined,
     createdByAgentId: row.createdByAgentId ?? undefined,
-    createdAt: row.createdAt,
-    lastUpdatedAt: row.lastUpdatedAt,
+    createdAt: normalizeDateRequired(row.createdAt),
+    lastUpdatedAt: normalizeDateRequired(row.lastUpdatedAt),
   };
 }
 
@@ -5442,9 +5447,9 @@ function rowToWorkflowRun(row: WorkflowRunRow): WorkflowRun {
     triggerData: row.triggerData ? JSON.parse(row.triggerData) : undefined,
     context: row.context ? (JSON.parse(row.context) as Record<string, unknown>) : undefined,
     error: row.error ?? undefined,
-    startedAt: row.startedAt,
-    lastUpdatedAt: row.lastUpdatedAt,
-    finishedAt: row.finishedAt ?? undefined,
+    startedAt: normalizeDateRequired(row.startedAt),
+    lastUpdatedAt: normalizeDateRequired(row.lastUpdatedAt),
+    finishedAt: normalizeDate(row.finishedAt) ?? undefined,
   };
 }
 
@@ -5551,11 +5556,11 @@ function rowToWorkflowRunStep(row: WorkflowRunStepRow): WorkflowRunStep {
     input: row.input ? JSON.parse(row.input) : undefined,
     output: row.output ? JSON.parse(row.output) : undefined,
     error: row.error ?? undefined,
-    startedAt: row.startedAt,
-    finishedAt: row.finishedAt ?? undefined,
+    startedAt: normalizeDateRequired(row.startedAt),
+    finishedAt: normalizeDate(row.finishedAt) ?? undefined,
     retryCount: row.retryCount,
     maxRetries: row.maxRetries,
-    nextRetryAt: row.nextRetryAt ?? undefined,
+    nextRetryAt: normalizeDate(row.nextRetryAt) ?? undefined,
     idempotencyKey: row.idempotencyKey ?? undefined,
     diagnostics: row.diagnostics ?? undefined,
     nextPort: row.nextPort ?? undefined,
@@ -5802,7 +5807,7 @@ function rowToWorkflowVersion(row: WorkflowVersionRow): WorkflowVersion {
     version: row.version,
     snapshot: JSON.parse(row.snapshot) as WorkflowSnapshot,
     changedByAgentId: row.changedByAgentId ?? undefined,
-    createdAt: row.createdAt,
+    createdAt: normalizeDateRequired(row.createdAt),
   };
 }
 
@@ -6311,7 +6316,7 @@ function rowToChannelActivityCursor(row: ChannelActivityCursorRow): ChannelActiv
   return {
     channelId: row.channelId,
     lastSeenTs: row.lastSeenTs,
-    updatedAt: row.updatedAt,
+    updatedAt: normalizeDateRequired(row.updatedAt),
   };
 }
 
@@ -6335,7 +6340,7 @@ export function upsertChannelActivityCursor(channelId: string, lastSeenTs: strin
   getDb()
     .prepare(
       `INSERT INTO channel_activity_cursors (channelId, lastSeenTs, updatedAt)
-       VALUES (?, ?, datetime('now'))
+       VALUES (?, ?, strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
        ON CONFLICT(channelId) DO UPDATE SET lastSeenTs = excluded.lastSeenTs, updatedAt = excluded.updatedAt`,
     )
     .run(channelId, lastSeenTs);
@@ -6395,12 +6400,12 @@ function rowToApprovalRequest(row: ApprovalRequestRow): ApprovalRequest {
     status: row.status as ApprovalRequest["status"],
     responses: row.responses ? JSON.parse(row.responses) : null,
     resolvedBy: row.resolvedBy,
-    resolvedAt: row.resolvedAt,
+    resolvedAt: normalizeDate(row.resolvedAt),
     timeoutSeconds: row.timeoutSeconds,
-    expiresAt: row.expiresAt,
+    expiresAt: normalizeDate(row.expiresAt),
     notificationChannels: row.notificationChannels ? JSON.parse(row.notificationChannels) : null,
-    createdAt: row.createdAt,
-    updatedAt: row.updatedAt,
+    createdAt: normalizeDateRequired(row.createdAt),
+    updatedAt: normalizeDateRequired(row.updatedAt),
   };
 }
 
@@ -6561,7 +6566,7 @@ export function getStuckApprovalRuns(): StuckApprovalRun[] {
       JOIN approval_requests ar ON ar.workflowRunStepId = wrs.id
       WHERE wr.status = 'waiting'
         AND (ar.status IN ('approved', 'rejected', 'timeout')
-             OR (ar.status = 'pending' AND ar.expiresAt IS NOT NULL AND ar.expiresAt < datetime('now')))`,
+             OR (ar.status = 'pending' AND ar.expiresAt IS NOT NULL AND ar.expiresAt < strftime('%Y-%m-%dT%H:%M:%fZ', 'now')))`,
     )
     .all();
 }
@@ -6582,7 +6587,7 @@ export function getExpiredPendingApprovals(): ApprovalRequest[] {
       `SELECT * FROM approval_requests
        WHERE status = 'pending'
          AND expiresAt IS NOT NULL
-         AND expiresAt < datetime('now')`,
+         AND expiresAt < strftime('%Y-%m-%dT%H:%M:%fZ', 'now')`,
     )
     .all();
   return rows.map(rowToApprovalRequest);
@@ -7575,10 +7580,9 @@ export function recordKeyUsage(
 
   // Record which key was used on the task
   if (taskId) {
-    db.prepare("UPDATE agent_tasks SET credentialKeySuffix = ? WHERE id = ?").run(
-      keySuffix,
-      taskId,
-    );
+    db.prepare(
+      "UPDATE agent_tasks SET credentialKeySuffix = ?, credentialKeyType = ? WHERE id = ?",
+    ).run(keySuffix, keyType, taskId);
   }
 }
 
@@ -7641,3 +7645,43 @@ export function getKeyStatuses(
     .prepare<ApiKeyStatus, string[]>(`SELECT * FROM api_key_status ${where} ORDER BY keyIndex`)
     .all(...params);
 }
+
+export interface KeyCostSummary {
+  keyType: string;
+  keySuffix: string;
+  totalCost: number;
+  totalInputTokens: number;
+  totalOutputTokens: number;
+  taskCount: number;
+}
+
+/**
+ * Aggregate cost data per API key by joining session_costs through agent_tasks.
+ */
+export function getKeyCostSummary(keyType?: string): KeyCostSummary[] {
+  const db = getDb();
+  const conditions = ["t.credentialKeySuffix IS NOT NULL"];
+  const params: string[] = [];
+
+  if (keyType) {
+    conditions.push("t.credentialKeyType = ?");
+    params.push(keyType);
+  }
+
+  const where = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
+  return db
+    .prepare<KeyCostSummary, string[]>(
+      `SELECT
+        t.credentialKeyType as keyType,
+        t.credentialKeySuffix as keySuffix,
+        COALESCE(SUM(sc.totalCostUsd), 0) as totalCost,
+        COALESCE(SUM(sc.inputTokens), 0) as totalInputTokens,
+        COALESCE(SUM(sc.outputTokens), 0) as totalOutputTokens,
+        COUNT(DISTINCT sc.taskId) as taskCount
+      FROM session_costs sc
+      JOIN agent_tasks t ON sc.taskId = t.id
+      ${where}
+      GROUP BY t.credentialKeyType, t.credentialKeySuffix`,
+    )
+    .all(...params);
+}

package/src/be/migrations/029_task_credential_key_type.sql

@@ -0,0 +1,2 @@
+-- Store which credential type (env var name) was used per task
+ALTER TABLE agent_tasks ADD COLUMN credentialKeyType TEXT;

package/src/be/migrations/030_iso8601_date_consistency.sql

@@ -0,0 +1,108 @@
+-- Fix date storage format inconsistency: convert bare datetime format
+-- (YYYY-MM-DD HH:MM:SS) to ISO 8601 UTC (YYYY-MM-DDTHH:MM:SS.000Z).
+--
+-- Affected tables use datetime('now') or CURRENT_TIMESTAMP defaults which
+-- produce bare format. Browsers parse these as local time instead of UTC.
+
+-- Update existing bare-format dates to ISO 8601 in all affected tables.
+-- The pattern: replace space with T and append .000Z for dates matching bare format.
+
+-- workflows
+UPDATE workflows SET
+  createdAt = replace(createdAt, ' ', 'T') || '.000Z'
+  WHERE createdAt LIKE '____-__-__ __:__:__' AND createdAt NOT LIKE '%T%';
+UPDATE workflows SET
+  lastUpdatedAt = replace(lastUpdatedAt, ' ', 'T') || '.000Z'
+  WHERE lastUpdatedAt LIKE '____-__-__ __:__:__' AND lastUpdatedAt NOT LIKE '%T%';
+
+-- workflow_runs
+UPDATE workflow_runs SET
+  startedAt = replace(startedAt, ' ', 'T') || '.000Z'
+  WHERE startedAt LIKE '____-__-__ __:__:__' AND startedAt NOT LIKE '%T%';
+UPDATE workflow_runs SET
+  lastUpdatedAt = replace(lastUpdatedAt, ' ', 'T') || '.000Z'
+  WHERE lastUpdatedAt LIKE '____-__-__ __:__:__' AND lastUpdatedAt NOT LIKE '%T%';
+UPDATE workflow_runs SET
+  finishedAt = replace(finishedAt, ' ', 'T') || '.000Z'
+  WHERE finishedAt IS NOT NULL AND finishedAt LIKE '____-__-__ __:__:__' AND finishedAt NOT LIKE '%T%';
+
+-- workflow_run_steps
+UPDATE workflow_run_steps SET
+  startedAt = replace(startedAt, ' ', 'T') || '.000Z'
+  WHERE startedAt LIKE '____-__-__ __:__:__' AND startedAt NOT LIKE '%T%';
+UPDATE workflow_run_steps SET
+  finishedAt = replace(finishedAt, ' ', 'T') || '.000Z'
+  WHERE finishedAt IS NOT NULL AND finishedAt LIKE '____-__-__ __:__:__' AND finishedAt NOT LIKE '%T%';
+UPDATE workflow_run_steps SET
+  nextRetryAt = replace(nextRetryAt, ' ', 'T') || '.000Z'
+  WHERE nextRetryAt IS NOT NULL AND nextRetryAt LIKE '____-__-__ __:__:__' AND nextRetryAt NOT LIKE '%T%';
+
+-- tracker_sync
+UPDATE tracker_sync SET
+  lastSyncedAt = replace(lastSyncedAt, ' ', 'T') || '.000Z'
+  WHERE lastSyncedAt LIKE '____-__-__ __:__:__' AND lastSyncedAt NOT LIKE '%T%';
+UPDATE tracker_sync SET
+  createdAt = replace(createdAt, ' ', 'T') || '.000Z'
+  WHERE createdAt LIKE '____-__-__ __:__:__' AND createdAt NOT LIKE '%T%';
+
+-- tracker_agent_mapping
+UPDATE tracker_agent_mapping SET
+  createdAt = replace(createdAt, ' ', 'T') || '.000Z'
+  WHERE createdAt LIKE '____-__-__ __:__:__' AND createdAt NOT LIKE '%T%';
+
+-- approval_requests
+UPDATE approval_requests SET
+  createdAt = replace(createdAt, ' ', 'T') || '.000Z'
+  WHERE createdAt LIKE '____-__-__ __:__:__' AND createdAt NOT LIKE '%T%';
+UPDATE approval_requests SET
+  updatedAt = replace(updatedAt, ' ', 'T') || '.000Z'
+  WHERE updatedAt LIKE '____-__-__ __:__:__' AND updatedAt NOT LIKE '%T%';
+UPDATE approval_requests SET
+  resolvedAt = replace(resolvedAt, ' ', 'T') || '.000Z'
+  WHERE resolvedAt IS NOT NULL AND resolvedAt LIKE '____-__-__ __:__:__' AND resolvedAt NOT LIKE '%T%';
+UPDATE approval_requests SET
+  expiresAt = replace(expiresAt, ' ', 'T') || '.000Z'
+  WHERE expiresAt IS NOT NULL AND expiresAt LIKE '____-__-__ __:__:__' AND expiresAt NOT LIKE '%T%';
+
+-- channel_activity_cursors
+UPDATE channel_activity_cursors SET
+  updatedAt = replace(updatedAt, ' ', 'T') || '.000Z'
+  WHERE updatedAt LIKE '____-__-__ __:__:__' AND updatedAt NOT LIKE '%T%';
+
+-- oauth_apps
+UPDATE oauth_apps SET
+  createdAt = replace(createdAt, ' ', 'T') || '.000Z'
+  WHERE createdAt LIKE '____-__-__ __:__:__' AND createdAt NOT LIKE '%T%';
+UPDATE oauth_apps SET
+  updatedAt = replace(updatedAt, ' ', 'T') || '.000Z'
+  WHERE updatedAt LIKE '____-__-__ __:__:__' AND updatedAt NOT LIKE '%T%';
+
+-- oauth_tokens
+UPDATE oauth_tokens SET
+  createdAt = replace(createdAt, ' ', 'T') || '.000Z'
+  WHERE createdAt LIKE '____-__-__ __:__:__' AND createdAt NOT LIKE '%T%';
+UPDATE oauth_tokens SET
+  updatedAt = replace(updatedAt, ' ', 'T') || '.000Z'
+  WHERE updatedAt LIKE '____-__-__ __:__:__' AND updatedAt NOT LIKE '%T%';
+
+-- workflow_versions
+UPDATE workflow_versions SET
+  createdAt = replace(createdAt, ' ', 'T') || '.000Z'
+  WHERE createdAt LIKE '____-__-__ __:__:__' AND createdAt NOT LIKE '%T%';
+
+-- scheduled_tasks (defense-in-depth — dates are written from JS toISOString() but normalize any legacy data)
+UPDATE scheduled_tasks SET
+  createdAt = replace(createdAt, ' ', 'T') || '.000Z'
+  WHERE createdAt LIKE '____-__-__ __:__:__' AND createdAt NOT LIKE '%T%';
+UPDATE scheduled_tasks SET
+  lastUpdatedAt = replace(lastUpdatedAt, ' ', 'T') || '.000Z'
+  WHERE lastUpdatedAt LIKE '____-__-__ __:__:__' AND lastUpdatedAt NOT LIKE '%T%';
+UPDATE scheduled_tasks SET
+  lastRunAt = replace(lastRunAt, ' ', 'T') || '.000Z'
+  WHERE lastRunAt IS NOT NULL AND lastRunAt LIKE '____-__-__ __:__:__' AND lastRunAt NOT LIKE '%T%';
+UPDATE scheduled_tasks SET
+  nextRunAt = replace(nextRunAt, ' ', 'T') || '.000Z'
+  WHERE nextRunAt IS NOT NULL AND nextRunAt LIKE '____-__-__ __:__:__' AND nextRunAt NOT LIKE '%T%';
+UPDATE scheduled_tasks SET
+  lastErrorAt = replace(lastErrorAt, ' ', 'T') || '.000Z'
+  WHERE lastErrorAt IS NOT NULL AND lastErrorAt LIKE '____-__-__ __:__:__' AND lastErrorAt NOT LIKE '%T%';

package/src/http/api-keys.ts

@@ -2,6 +2,7 @@ import type { IncomingMessage, ServerResponse } from "node:http";
 import { z } from "zod";
 import {
   getAvailableKeyIndices,
+  getKeyCostSummary,
   getKeyStatuses,
   markKeyRateLimited,
   recordKeyUsage,
@@ -93,6 +94,22 @@ const listStatuses = route({
   auth: { apiKey: true },
 });
 
+const getCosts = route({
+  method: "get",
+  path: "/api/keys/costs",
+  pattern: ["api", "keys", "costs"],
+  summary: "Get aggregated cost data per API key",
+  tags: ["API Keys"],
+  query: z.object({
+    keyType: z.string().optional(),
+  }),
+  responses: {
+    200: { description: "Per-key cost aggregation" },
+    401: { description: "Unauthorized" },
+  },
+  auth: { apiKey: true },
+});
+
 // ─── Handler ─────────────────────────────────────────────────────────────────
 
 export async function handleApiKeys(
@@ -149,6 +166,21 @@ export async function handleApiKeys(
     return true;
   }
 
+  // GET /api/keys/costs
+  if (getCosts.match(req.method, pathSegments)) {
+    const parsed = await getCosts.parse(req, res, pathSegments, queryParams);
+    if (!parsed) return true;
+
+    const { keyType } = parsed.query;
+    try {
+      const costs = getKeyCostSummary(keyType);
+      json(res, { success: true, costs });
+    } catch (err) {
+      jsonError(res, err instanceof Error ? err.message : "Failed to get key costs", 500);
+    }
+    return true;
+  }
+
   // GET /api/keys/status
   if (listStatuses.match(req.method, pathSegments)) {
     const parsed = await listStatuses.parse(req, res, pathSegments, queryParams);

package/src/tests/api-key-tracking.test.ts

@@ -103,12 +103,16 @@ describe("resolveCredentialPools", () => {
     expect(env.ANTHROPIC_API_KEY).toBe("key-ccc33");
   });
 
-  test("non-pool vars are unchanged", async () => {
+  test("single keys are tracked with index 0", async () => {
     const env: Record<string, string | undefined> = {
       ANTHROPIC_API_KEY: "single-key",
     };
     const selections = await resolveCredentialPools(env);
-    expect(selections.length).toBe(0);
+    expect(selections.length).toBe(1);
+    expect(selections[0]!.index).toBe(0);
+    expect(selections[0]!.total).toBe(1);
+    expect(selections[0]!.keySuffix).toBe("e-key");
+    expect(selections[0]!.keyType).toBe("ANTHROPIC_API_KEY");
     expect(env.ANTHROPIC_API_KEY).toBe("single-key");
   });
 });

package/src/tests/date-utils.test.ts

@@ -0,0 +1,48 @@
+import { describe, expect, it } from "bun:test";
+import { normalizeDate, normalizeDateRequired } from "../be/date-utils";
+
+describe("normalizeDate", () => {
+  it("returns null for null input", () => {
+    expect(normalizeDate(null)).toBe(null);
+  });
+
+  it("returns null for undefined input", () => {
+    expect(normalizeDate(undefined)).toBe(null);
+  });
+
+  it("converts bare datetime format to ISO 8601", () => {
+    expect(normalizeDate("2026-03-31 14:30:00")).toBe("2026-03-31T14:30:00.000Z");
+  });
+
+  it("converts midnight bare datetime", () => {
+    expect(normalizeDate("2026-01-01 00:00:00")).toBe("2026-01-01T00:00:00.000Z");
+  });
+
+  it("passes through ISO 8601 with Z suffix unchanged", () => {
+    expect(normalizeDate("2026-03-31T14:30:00.000Z")).toBe("2026-03-31T14:30:00.000Z");
+  });
+
+  it("passes through ISO 8601 with milliseconds and Z", () => {
+    expect(normalizeDate("2026-03-31T14:30:00.123Z")).toBe("2026-03-31T14:30:00.123Z");
+  });
+
+  it("passes through toISOString() output unchanged", () => {
+    const iso = new Date().toISOString();
+    expect(normalizeDate(iso)).toBe(iso);
+  });
+
+  it("passes through strftime output unchanged", () => {
+    // strftime('%Y-%m-%dT%H:%M:%fZ', 'now') produces this format
+    expect(normalizeDate("2026-03-31T14:30:00.000Z")).toBe("2026-03-31T14:30:00.000Z");
+  });
+});
+
+describe("normalizeDateRequired", () => {
+  it("converts bare datetime format to ISO 8601", () => {
+    expect(normalizeDateRequired("2026-03-31 14:30:00")).toBe("2026-03-31T14:30:00.000Z");
+  });
+
+  it("passes through ISO 8601 unchanged", () => {
+    expect(normalizeDateRequired("2026-03-31T14:30:00.123Z")).toBe("2026-03-31T14:30:00.123Z");
+  });
+});

package/src/tests/heartbeat.test.ts

@@ -68,7 +68,7 @@ describe("Heartbeat Triage", () => {
       createTaskExtended("Completed task", { agentId: agent.id });
       // Manually mark as completed
       getDb().run(
-        "UPDATE agent_tasks SET status = 'completed', finishedAt = datetime('now') WHERE agentId = ?",
+        "UPDATE agent_tasks SET status = 'completed', finishedAt = strftime('%Y-%m-%dT%H:%M:%fZ', 'now') WHERE agentId = ?",
         [agent.id],
       );
 

package/src/types.ts

@@ -149,6 +149,10 @@ export const AgentTaskSchema = z.object({
   peakContextPercent: z.number().min(0).max(100).optional(),
   totalContextTokensUsed: z.number().int().min(0).optional(),
   contextWindowSize: z.number().int().min(0).optional(),
+
+  // Credential tracking
+  credentialKeySuffix: z.string().optional(),
+  credentialKeyType: z.string().optional(),
 });
 
 export const AgentStatusSchema = z.enum(["idle", "busy", "offline"]);

package/src/utils/credentials.ts

@@ -91,8 +91,8 @@ async function fetchAvailableIndices(
   const availableIndicesMap: Record<string, number[]> = {};
   for (const envVar of CREDENTIAL_POOL_VARS) {
     const val = env[envVar];
-    if (val?.includes(",")) {
-      const totalKeys = val.split(",").filter((s) => s.trim()).length;
+    if (val) {
+      const totalKeys = val.includes(",") ? val.split(",").filter((s) => s.trim()).length : 1;
       try {
         const resp = await fetch(
           `${apiUrl}/api/keys/available?keyType=${encodeURIComponent(envVar)}&totalKeys=${totalKeys}`,
@@ -134,7 +134,7 @@ export async function resolveCredentialPools(
   const selections: CredentialSelection[] = [];
   for (const envVar of CREDENTIAL_POOL_VARS) {
     const val = env[envVar];
-    if (val?.includes(",")) {
+    if (val) {
       const available = availableIndicesMap?.[envVar];
       const result = selectCredential(val, available, envVar);
       env[envVar] = result.selected;