diff --git a/content/docs/cli/automation/headless-runs.mdx b/content/docs/cli/automation/headless-runs.mdx
index c9e0ecd..8bb6567 100644
--- a/content/docs/cli/automation/headless-runs.mdx
+++ b/content/docs/cli/automation/headless-runs.mdx
@@ -166,7 +166,7 @@ final line is `{"runId":"...","status":"success"}`. Perfect for piping into
The events feed is sanitized server-side: sensitive payload keys are redacted,
strings/arrays/objects are capped. Safe to dump into a public CI log without
-leaking provider keys or session tokens.
+leaking credentials or session tokens.
## Cancel a run
diff --git a/content/docs/cli/concepts/attach.mdx b/content/docs/cli/concepts/attach.mdx
index a4c7508..a5eec7a 100644
--- a/content/docs/cli/concepts/attach.mdx
+++ b/content/docs/cli/concepts/attach.mdx
@@ -50,7 +50,7 @@ You're a real operator on the run, not a read-only observer.
## Auth and permissions
-Attach uses your local Mogplex token (or provider key) the same way as any other session. Permission mode is still respected — if you attach in `approval` mode and the run produces a gated action, the Approval drawer surfaces it for **you** to decide.
+Attach uses your local Mogplex token the same way as any other session. Permission mode is still respected — if you attach in `approval` mode and the run produces a gated action, the Approval drawer surfaces it for **you** to decide.
## Detach without killing the run
diff --git a/content/docs/cli/guides/authentication.mdx b/content/docs/cli/guides/authentication.mdx
index 86e36fc..94b37fa 100644
--- a/content/docs/cli/guides/authentication.mdx
+++ b/content/docs/cli/guides/authentication.mdx
@@ -1,6 +1,6 @@
---
title: Authentication
-description: In-app login, credential precedence, browser sign-in, stored provider keys, and what `/login` and `/logout` actually change.
+description: In-app login, credential precedence, browser sign-in, account-backed access, and what `/login` and `/logout` actually change.
---
import { Callout } from 'fumadocs-ui/components/callout';
@@ -9,22 +9,12 @@ The CLI ships to end users — auth is in-app. You do **not** need to set enviro
## Resolution order
-When the CLI starts up, it resolves credentials in this order:
+When the CLI starts up, it resolves credentials in this order. The normal
+customer path is account-backed login; provider env vars are compatibility and
+development overrides.
-1. **Provider env var in the current shell.** If set, it wins — no matter what is stored on disk.
-
- | Provider | Environment variable |
- | ---------- | ------------------------------ |
- | Mogplex | `MOGPLEX_API_KEY` |
- | Anthropic | `ANTHROPIC_API_KEY` |
- | OpenAI | `OPENAI_API_KEY` |
- | Google | `GOOGLE_GENERATIVE_AI_API_KEY` |
- | Groq | `GROQ_API_KEY` |
- | Mistral | `MISTRAL_API_KEY` |
- | DeepSeek | `DEEPSEEK_API_KEY` |
- | xAI | `XAI_API_KEY` |
- | Cohere | `COHERE_API_KEY` |
- | Vercel | `VERCEL_API_TOKEN` |
+1. **Auth env var in the current shell.** `MOGPLEX_API_KEY` and legacy local
+ provider env vars can override what is stored on disk.
2. **Stored credentials** in `~/.mogplex/auth.json` (mode `0600`). If you previously used Codex and have `CODEX_HOME` set, the CLI still honors it but it is deprecated — set `MOGPLEX_HOME` instead. See [Configuration and Flags → Storage](/cli/guides/configuration-and-flags#storage).
@@ -34,10 +24,11 @@ The practical rule: shell env vars outrank everything else.
## In-app login
-On first run, the login screen offers two paths:
+On first run, use the Mogplex account path:
- **Sign in with Mogplex** — opens a browser flow for account-backed login. The CLI listens on a local callback and stores a Mogplex token. Recommended.
-- **Use a provider API key** — store an Anthropic, OpenAI, Google, Groq, Mistral, DeepSeek, xAI, Cohere, or Vercel AI Gateway key locally.
+
+Account-backed login is the product path for normal use.
You can re-open the login screen later from the composer:
@@ -47,26 +38,26 @@ You can re-open the login screen later from the composer:
## What account-backed login means
-Browser login is not the same thing as storing a direct provider key.
-
-When you sign in with Mogplex, the CLI stores a `mogplex` credential in `~/.mogplex/auth.json` and can reuse hosted state:
+When you sign in with Mogplex, the CLI stores a `mogplex` credential in
+`~/.mogplex/auth.json` and can reuse hosted state:
- synced model catalog
- remote MCP server definitions
-- account-backed model access configured for your Mogplex user
+- plan-backed model access configured for your Mogplex user
-If account login succeeds but prompts fail, the hosted account usually does not have usable model access yet. Add a provider key in [Web Settings](/web/settings).
+If account login succeeds but prompts fail, the hosted account usually does not
+have usable model access yet. Check [Available Models](/web/models) and
+[Plans & Billing](/plans-and-billing).
-## Provider keys (env or stored)
+## Provider env vars
-Direct provider credentials still work and still take precedence over the account login path. This is the preferred pattern for CI and ephemeral shells.
-
-```bash
-export OPENAI_API_KEY=sk-...
-mogplex
-```
+Direct provider environment variables are a compatibility and development
+escape hatch, not the product setup path for billed Mogplex accounts. They
+still take precedence over the account login path when they are present, so
+unset them before debugging billed account behavior.
-If both a stored credential and an env var exist for the same provider, the env var wins.
+If both a stored credential and an env var exist for the same provider, the env
+var wins.
## `/logout`
@@ -74,7 +65,7 @@ If both a stored credential and an env var exist for the same provider, the env
/logout
```
-Clears the Mogplex token (and provider key, if stored) from `~/.mogplex/auth.json`. Three things to remember:
+Clears the Mogplex token from `~/.mogplex/auth.json`. Three things to remember:
- **Env vars still win.** If the matching env var is set, the next session will still authenticate through it.
- **Restart for certainty.** The current process may still hold the old adapter. Quit (`/quit`) and relaunch if you need an immediate clean slate.
@@ -94,8 +85,8 @@ mogplex --attach run_abc123 --logout
## Common outcomes
-- The login screen appears at startup → no credentials anywhere; sign in or store a provider key.
-- Login succeeds but prompts fail → account login is active but the hosted account lacks model access. Fix in [Web Settings](/web/settings).
+- The login screen appears at startup → no Mogplex credential is available; sign in.
+- Login succeeds but prompts fail → account login is active but the hosted account lacks model access. Check [Available Models](/web/models) and [Plans & Billing](/plans-and-billing).
- The CLI behaves differently than the in-app login implies → check env vars first; they outrank stored auth.
## See also
diff --git a/content/docs/cli/guides/configuration-and-flags.mdx b/content/docs/cli/guides/configuration-and-flags.mdx
index ce482f0..cad6ed4 100644
--- a/content/docs/cli/guides/configuration-and-flags.mdx
+++ b/content/docs/cli/guides/configuration-and-flags.mdx
@@ -28,9 +28,11 @@ the login screen, model picker, and permissions picker.
## Environment variables
-### Auth (provider keys)
+### Auth escape hatches
-See the table in [Authentication → Resolution order](/cli/guides/authentication#resolution-order). Setting any provider env var overrides stored credentials for that provider.
+See the table in [Authentication → Resolution order](/cli/guides/authentication#resolution-order).
+Provider env vars are compatibility and development escape hatches; normal
+Mogplex usage should start with account-backed login.
### Transport selection
@@ -65,7 +67,7 @@ The runtime loader merges built-in defaults, user config, project config,
environment-derived values, and launcher overrides. In normal interactive use,
prefer the visible cockpit controls first:
-- `/login` and the login screen for account and provider credentials
+- `/login` and the login screen for account credentials
- `/permissions` for permission mode
- `/model` for current model selection
- `/mcp` for MCP inspection and sync actions
@@ -77,7 +79,7 @@ better owned by the current session UI.
| Path | Contents |
| --- | --- |
-| `~/.mogplex/auth.json` | Mogplex token and provider credentials (mode `0600`). |
+| `~/.mogplex/auth.json` | Mogplex token and compatibility auth state (mode `0600`). |
| `~/.mogplex/config.toml` | User-level advanced config. |
| `~/.mogplex/permissions.json` | Global permission mode and rules. |
| `./.mogplex/config.toml` | Project-level advanced config. |
diff --git a/content/docs/cli/guides/index.mdx b/content/docs/cli/guides/index.mdx
index 8abee57..33f3c31 100644
--- a/content/docs/cli/guides/index.mdx
+++ b/content/docs/cli/guides/index.mdx
@@ -30,7 +30,7 @@ Use these pages when you want behavior and decision-making, not just syntax.
## Pick a guide by question
-- "Why is the CLI choosing this provider or model?" → [Authentication](/cli/guides/authentication)
+- "Why is the CLI choosing this auth state or model?" → [Authentication](/cli/guides/authentication)
- "Where does this default live and which env var overrides it?" → [Configuration and Flags](/cli/guides/configuration-and-flags)
- "How do I drive a run from the composer?" → [Slash Commands](/cli/guides/slash-commands)
- "How do I make Mogplex behave like part of this repo?" → [Project Commands](/cli/guides/project-commands)
diff --git a/content/docs/cli/index.mdx b/content/docs/cli/index.mdx
index d15d8b4..498c114 100644
--- a/content/docs/cli/index.mdx
+++ b/content/docs/cli/index.mdx
@@ -54,7 +54,7 @@ See [Reference → Panels](/cli/reference/panels) and [Reference → Drawers](/c
## Files the CLI reads
-- `~/.mogplex/auth.json` — Mogplex token and provider credentials.
+- `~/.mogplex/auth.json` — Mogplex token and compatibility auth state.
- `~/.mogplex/permissions.json` — global permission mode and rules.
- `~/.mogplex/projects//permissions.json` — project-level overrides.
- `~/.mogplex/logs/` — structured session logs (secrets redacted).
diff --git a/content/docs/cli/installation.mdx b/content/docs/cli/installation.mdx
index 0039868..8a53c64 100644
--- a/content/docs/cli/installation.mdx
+++ b/content/docs/cli/installation.mdx
@@ -85,7 +85,8 @@ exec zsh -l
mogplex
```
-The first launch opens the in-app login screen. Sign in with your Mogplex account or store a provider key locally — Mogplex never requires environment variables for normal use.
+The first launch opens the in-app login screen. Sign in with your Mogplex
+account. Mogplex never requires environment variables for normal use.
For the full first-run flow, continue with [Quickstart](/cli/quickstart).
@@ -98,7 +99,8 @@ Re-run the installer. It detects the existing install and replaces the binary in
- `mogplex: command not found` — the install succeeded but your shell has not picked up the updated `PATH`. Rehash or open a new shell.
- The installer downloads but fails before extraction — confirm your machine has the right extractor (`tar` for `.tar.gz`, `unzip` or `ditto` for `.zip`).
- You pinned `MOGPLEX_BASE_URL` and the script exits immediately — the installer rejects non-HTTPS hosts.
-- Login succeeds but prompts fail — your account probably lacks model access. Add a provider key in [Web Settings](/web/settings).
+- Login succeeds but prompts fail — your account probably lacks model access.
+ Check [Available Models](/web/models) and [Plans & Billing](/plans-and-billing).
## Uninstall
diff --git a/content/docs/cli/quickstart.mdx b/content/docs/cli/quickstart.mdx
index d49fc96..8f15ae4 100644
--- a/content/docs/cli/quickstart.mdx
+++ b/content/docs/cli/quickstart.mdx
@@ -25,8 +25,9 @@ mogplex
If you are not authenticated, the in-app login screen appears. Pick one:
-- **Sign in with Mogplex** — opens a browser for account-backed login. Recommended; reuses synced model catalog and remote MCP definitions.
-- **Use a provider API key** — store an Anthropic, OpenAI, Google, Groq, Mistral, DeepSeek, xAI, Cohere, or Vercel AI Gateway key locally.
+- **Sign in with Mogplex** — opens a browser for account-backed login. This
+ reuses your plan-backed model access, synced model catalog, and remote MCP
+ definitions.
Stored credentials live in `~/.mogplex/auth.json` (file mode `0600`).
@@ -87,7 +88,8 @@ See [Concepts → Attach](/cli/concepts/attach).
## Common first-run issues
-- Login succeeds but no models available — add a provider key in [Web Settings](/web/settings) (account-backed login inherits hosted model access).
+- Login succeeds but no models available — check [Available Models](/web/models)
+ and the account plan. Account-backed login inherits managed hosted access.
- Header says `transport: offline` — core is unreachable. Check network and retry; the daemon transport surfaces a reconnect banner.
- A slash command "doesn't work" — check `/help` for the actual registry.
diff --git a/content/docs/cli/skills/mogplex-auth.mdx b/content/docs/cli/skills/mogplex-auth.mdx
index 799e431..9fc6b33 100644
--- a/content/docs/cli/skills/mogplex-auth.mdx
+++ b/content/docs/cli/skills/mogplex-auth.mdx
@@ -11,7 +11,7 @@ This page mirrors the canonical `SKILL.md` at [`skills/mogplex-auth/SKILL.md`](h
```yaml
name: mogplex-auth
-description: Guides the user through the Mogplex CLI's in-app login flow, credential precedence, and troubleshooting. Use when the user asks to sign in, switch accounts, store a provider key, or when a Mogplex command fails with an auth error.
+description: Guides the user through the Mogplex CLI's in-app login flow, credential precedence, and troubleshooting. Use when the user asks to sign in, switch accounts, debug env-var overrides, or when a Mogplex command fails with an auth error.
```
## Body
@@ -22,20 +22,8 @@ The Mogplex CLI authenticates **in-app**. There is no `mogplex login status` sub
The cockpit picks credentials in a fixed order:
-1. **Provider env var in the current shell.** If set, it wins — no matter what is stored on disk.
-
- | Provider | Env var |
- | --- | --- |
- | Mogplex | `MOGPLEX_API_KEY` |
- | Anthropic | `ANTHROPIC_API_KEY` |
- | OpenAI | `OPENAI_API_KEY` |
- | Google | `GOOGLE_GENERATIVE_AI_API_KEY` |
- | Groq | `GROQ_API_KEY` |
- | Mistral | `MISTRAL_API_KEY` |
- | DeepSeek | `DEEPSEEK_API_KEY` |
- | xAI | `XAI_API_KEY` |
- | Cohere | `COHERE_API_KEY` |
- | Vercel | `VERCEL_API_TOKEN` |
+1. **Auth env var in the current shell.** `MOGPLEX_API_KEY` and legacy local
+ provider env vars can override what is stored on disk.
2. **Stored credentials** in `~/.mogplex/auth.json` (mode `0600`).
3. **No credentials** → the cockpit's in-app login screen appears.
@@ -55,24 +43,17 @@ mogplex
A browser flow opens; the cockpit listens on a local callback and stores the token in `~/.mogplex/auth.json`. The user does the click-through; you do not drive the browser.
-Account-backed login unlocks synced model catalog, remote MCP server definitions, and hosted model access.
+Account-backed login unlocks synced model catalog, remote MCP server
+definitions, and plan-backed hosted model access.
-### Alternative: store a provider key in-app
+### Compatibility: provider env var
-In the login screen (or via `/login` in the composer), the user can pick **Use a provider API key** and paste a key. Stored in `~/.mogplex/auth.json` with mode `0600`.
+Provider env vars are compatibility and development escape hatches. They are
+not the normal customer setup path for billed Mogplex accounts.
-Supported providers: Anthropic, OpenAI, Google, Groq, Mistral, DeepSeek, xAI, Cohere, Vercel AI Gateway.
-
-### Alternative: provider env var
-
-For CI or ephemeral shells:
-
-```bash
-export OPENAI_API_KEY=sk-...
-mogplex
-```
-
-Do not write keys into shell rc files on the user's behalf. Suggest it; let them do it.
+Do not write keys into shell rc files on the user's behalf. If a user is
+explicitly working in a development or compatibility flow, describe the env-var
+override and let them set it themselves.
## Sanity-check env vars (advisory)
@@ -89,7 +70,7 @@ Never echo a raw key.
| Symptom | What to recommend |
| --- | --- |
| Login screen appears at every launch | No credential stored and no env var set. Pick a path on the login screen. |
-| Login succeeds but prompts fail with "no model access" | Account-backed login is active but the hosted account lacks model access. Direct the user to [Web Settings](https://www.mogplex.com/web/settings) to add a provider key. |
+| Login succeeds but prompts fail with "no model access" | Account-backed login is active but the hosted account lacks model access. Direct the user to [Available Models](https://www.mogplex.com/web/models) and [Plans & Billing](https://www.mogplex.com/plans-and-billing). |
| Cockpit behaves differently than expected after `/login` | An env var is overriding the stored credential. Have the user `unset` it and relaunch. |
| User wants to switch accounts | Type `/logout` in the composer, then `/login` (or relaunch). |
diff --git a/content/docs/cli/skills/using-mogplex-cli.mdx b/content/docs/cli/skills/using-mogplex-cli.mdx
index c267f22..f54d5e4 100644
--- a/content/docs/cli/skills/using-mogplex-cli.mdx
+++ b/content/docs/cli/skills/using-mogplex-cli.mdx
@@ -84,7 +84,7 @@ is it a config / file change?
- Author `AGENTS.md` at the repo root with stable repo guidance (build commands, conventions, layout).
- Author `~/.mogplex/projects//permissions.json` with `allow` / `deny` / `ask` rules — see [Permissions](https://www.mogplex.com/cli/concepts/permissions) for the schema.
-- Recommend env-var escape hatches (`MOGPLEX_TRANSPORT`, `MOGPLEX_ATTACH_RUN_ID`, provider keys) — see [Configuration and Flags](https://www.mogplex.com/cli/guides/configuration-and-flags).
+- Recommend env-var escape hatches (`MOGPLEX_TRANSPORT`, `MOGPLEX_ATTACH_RUN_ID`) only when they fit CI, attach, or development workflows — see [Configuration and Flags](https://www.mogplex.com/cli/guides/configuration-and-flags).
### Safety
diff --git a/content/docs/configure-and-extend/connections-and-mcp.mdx b/content/docs/configure-and-extend/connections-and-mcp.mdx
index 2c8a7ed..91233e3 100644
--- a/content/docs/configure-and-extend/connections-and-mcp.mdx
+++ b/content/docs/configure-and-extend/connections-and-mcp.mdx
@@ -5,7 +5,7 @@ description: Configure REST and MCP connections, understand scope resolution, sy
Connections are how Mogplex agents reach external systems.
-They are separate from provider model keys, GitHub App coverage, Slack channel
+They are separate from managed model access, GitHub App coverage, Slack channel
links, and the preview path where other MCP clients call into Mogplex.
## Direction matters
diff --git a/content/docs/configure-and-extend/index.mdx b/content/docs/configure-and-extend/index.mdx
index 0b9f750..c97bb85 100644
--- a/content/docs/configure-and-extend/index.mdx
+++ b/content/docs/configure-and-extend/index.mdx
@@ -10,12 +10,12 @@ team, or local workflow needs.
Models](/web/models) | Enabled models, disabled models, and the default model for new work |
-| [Settings -> API Keys](/web/settings) | Provider access for hosted work when platform AI is not enough |
+| [Plans & Billing](/plans-and-billing) | Account-level managed access for hosted model usage |
| [Agents](/web/agents) | The default model for that reusable agent |
| [Automations](/web/automations) | Node-level model overrides inside one workflow draft |
| [Repo settings](/web/spaces) | Repo-specific exclusions from the globally enabled model set |
@@ -47,13 +47,14 @@ automation node, assignment, or repo rule.
1. Open [Available Models](/web/models) and make sure the account has at least
one enabled model.
-2. Set a default model that is safe for ordinary new work.
-3. Give specialized agents explicit models when the job needs it.
-4. Use automation node overrides only when one node differs from the base
+2. Confirm the plan includes the level of model usage the workflow needs.
+3. Set a default model that is safe for ordinary new work.
+4. Give specialized agents explicit models when the job needs it.
+5. Use automation node overrides only when one node differs from the base
agent on purpose.
-5. Add repo-specific exclusions when a codebase should not use a model family,
+6. Add repo-specific exclusions when a codebase should not use a model family,
provider, or cost profile.
-6. Review [Observability](/web/observability) and [Cost & Usage](/cli/reference/cost-and-usage)
+7. Review [Observability](/web/observability) and [Cost & Usage](/cli/reference/cost-and-usage)
after real runs, not just after setup.
## When to override the default
diff --git a/content/docs/guides/observability-runbook.mdx b/content/docs/guides/observability-runbook.mdx
index 3d7193a..8cfaf06 100644
--- a/content/docs/guides/observability-runbook.mdx
+++ b/content/docs/guides/observability-runbook.mdx
@@ -98,22 +98,21 @@ When a run exists but stays pending:
1. Check summary cards for stale pending work or start failures.
2. Open the run row and inspect the first event.
3. Check sandbox allocation state if the run needs a sandbox.
-4. Check provider access if the run never reaches a model call.
+4. Check managed model access if the run never reaches a model call.
5. Check whether the source surface is repeatedly re-enqueuing the same work.
If the run came from the public API, use
`GET /api/v1/mogplex/runs/{runId}` and
`GET /api/v1/mogplex/runs/{runId}/events` to compare API state with the UI.
-## Model Or Provider Failure
+## Model Or Access Failure
-For provider errors:
+For model access errors:
1. Confirm the model exists in [Available Models](/web/models).
-2. Confirm the user or team has provider access.
-3. Confirm a stored provider key is valid if platform AI is not enabled.
-4. Check whether the agent, repo, or route excludes the model.
-5. Compare token and cost fields to see whether the call reached the provider.
+2. Confirm the user or team plan includes access to hosted model usage.
+3. Check whether the agent, repo, or route excludes the model.
+4. Compare token and cost fields to see whether the call reached execution.
Use [Model Selection and Cost](/guides/model-selection-and-cost) when the model
is available but the default, route, or cost policy is unclear.
@@ -137,7 +136,7 @@ For sandbox-backed failures:
1. Open the linked sandbox from the Activity row when available.
2. Check root directory, install command, dev command, dev port, and env source.
-3. Check Vercel project or platform sandbox entitlement.
+3. Check managed sandbox access and optional Vercel project metadata.
4. Check branch and preview URL.
5. Stop, restart, or delete only after capturing the first failure event.
@@ -172,7 +171,7 @@ When handing the issue to another person, include:
- sandbox ID or preview URL if applicable
- what changed immediately before the failure
-Leave out raw provider keys, `mog_...` tokens, Slack link URLs, decrypted MCP
+Leave out raw credentials, `mog_...` tokens, Slack link URLs, decrypted MCP
config, and full `.env` files. See
[Security and Data Handling](/reference/security-and-data-handling) for the
safe-sharing checklist.
diff --git a/content/docs/guides/sandbox-setup-checklist.mdx b/content/docs/guides/sandbox-setup-checklist.mdx
index 0b6f285..652f750 100644
--- a/content/docs/guides/sandbox-setup-checklist.mdx
+++ b/content/docs/guides/sandbox-setup-checklist.mdx
@@ -1,6 +1,6 @@
---
title: Sandbox Setup Checklist
-description: Configure repo, branch, root directory, commands, ports, env, Vercel linkage, and preview expectations before debugging sandbox runs.
+description: Configure repo, branch, root directory, commands, ports, env, managed access, and preview expectations before debugging sandbox runs.
---
Use this checklist when a workspace, preview, or cloud run depends on a Mogplex
@@ -20,7 +20,8 @@ contract before changing agents, prompts, routes, or models.
| Dev command | The preview process must start the actual app or service |
| Dev port | The preview router needs the port the app listens on |
| Environment variables | Missing secrets usually look like app boot or preview health failures |
-| Vercel linkage | User-billed preview behavior can depend on linked Vercel project state |
+| Managed sandbox access | Workspace launch depends on the account plan including sandbox access |
+| Vercel project metadata | Optional env sync and preview settings can depend on linked Vercel project state |
| Branch intent | Decide whether the sandbox should work on default branch, an existing branch, or a new branch |
| Timeout and idle behavior | Long-running previews need realistic timeout expectations |
@@ -31,8 +32,8 @@ contract before changing agents, prompts, routes, or models.
3. Set `root_directory` for monorepos.
4. Set install command, dev command, and dev port.
5. Add required env vars or secrets.
-6. Link or confirm Vercel state when the repo relies on Vercel-backed preview
- behavior.
+6. Confirm managed sandbox access, and only then check optional Vercel-linked
+ preview metadata if the repo uses it.
7. Launch one workspace manually before adding triggers or automations.
If the manual workspace launch fails, fix the project settings before debugging
diff --git a/content/docs/guides/troubleshooting.mdx b/content/docs/guides/troubleshooting.mdx
index 4f5e094..e5c3334 100644
--- a/content/docs/guides/troubleshooting.mdx
+++ b/content/docs/guides/troubleshooting.mdx
@@ -19,13 +19,13 @@ work started.
| Slack mention replies but does not start repo work | Slack channel link, user mapping, repo-agent enabled state, or workspace limits |
| Route exists but no run appears | route source, coverage, enabled state, or published automation |
| Run appears but fails | runtime, model, tool, connection, sandbox, or prompt |
-| Preview is unhealthy | repo settings, Vercel linkage, sandbox state, or dev command |
-| Model is missing from a picker | model catalog, provider access, default model, or repo exclusion |
+| Preview is unhealthy | repo settings, managed sandbox access, optional Vercel metadata, sandbox state, or dev command |
+| Model is missing from a picker | model catalog, plan access, default model, or repo exclusion |
| CLI signs in but state looks wrong | CLI auth, account state, local config, or synced hosted state |
## Debug order
-1. Check [Settings](/web/settings) for identity, provider access, model
+1. Check [Settings](/web/settings) for identity, account access, model
defaults, CLI tokens, connections, and GitHub account state.
2. Check [Installations](/web/installations) for GitHub App coverage.
3. Check [Projects](/web/spaces) for repo visibility, repo settings, and
@@ -101,7 +101,7 @@ Check:
- whether the model is visible in the live catalog
- whether the model is enabled for the account
-- whether provider access or bring-your-own-key state is required
+- whether the account plan includes access to that model
- whether the agent is pinned to a hidden legacy model
- whether a repo or route excludes the model
- whether the CLI has synced the expected hosted state
@@ -142,7 +142,8 @@ Check:
- dev command
- dev port
- environment mapping
-- linked Vercel team and project
+- managed sandbox access
+- optional linked Vercel team and project metadata
- sandbox timeout
- active branch and preview URL
diff --git a/content/docs/index.mdx b/content/docs/index.mdx
index 468983b..0e52618 100644
--- a/content/docs/index.mdx
+++ b/content/docs/index.mdx
@@ -60,7 +60,7 @@ finish, then drill into the product surface that owns it.
-
+
diff --git a/content/docs/plans-and-billing.mdx b/content/docs/plans-and-billing.mdx
index 879f44c..b251cbc 100644
--- a/content/docs/plans-and-billing.mdx
+++ b/content/docs/plans-and-billing.mdx
@@ -11,26 +11,30 @@ This page is a placeholder so pricing, entitlement, usage-limit, invoice, and
billing setup links have a stable home while the billing surface ships.
- Detailed plan comparison, account billing, included usage, usage limits,
- invoices, payment method management, and team billing controls will be
- documented here when they are available.
+ Detailed plan comparison, account billing, included model usage, managed
+ sandbox access, usage limits, invoices, payment method management, and team
+ billing controls will be documented here when they are available.
+Mogplex is moving to managed billing for hosted work. That means hosted model
+access and sandbox access come from the Mogplex account plan rather than
+external model credentials or external sandbox accounts.
+
## What will live here
- plan tiers and included usage
- how hosted runs, CLI runs, and account usage are counted
- where admins manage payment methods and invoices
- how usage limits and overages behave
-- how provider keys and Mogplex-managed access interact
+- how managed model and sandbox access are included in each plan
- which roles can view or change billing state
## What to use today
-- Use [Settings](/web/settings) for account setup, provider keys, CLI tokens,
+- Use [Settings](/web/settings) for account setup, access tokens,
connections, and shared preferences.
- Use [Available Models](/web/models) for model availability, enabled models,
- defaults, provider access, and CLI sync behavior.
+ defaults, account access, and CLI sync behavior.
- Use [Observability](/web/observability) to inspect run health, model calls,
tokens, and estimated cost.
- Use [CLI Cost & Usage](/cli/reference/cost-and-usage) for local cockpit
diff --git a/content/docs/platform/app.mdx b/content/docs/platform/app.mdx
index 68ff891..0068808 100644
--- a/content/docs/platform/app.mdx
+++ b/content/docs/platform/app.mdx
@@ -16,7 +16,7 @@ that other surfaces consume.
| Area | What it controls |
| --- | --- |
-| [Settings](/web/settings) | GitHub identity, App coverage, provider keys, CLI tokens, connections, model defaults, and preferences |
+| [Settings](/web/settings) | GitHub identity, App coverage, managed access, access tokens, connections, model defaults, and preferences |
| [Projects](/web/spaces) | Repo import, workspace launch, repo settings, sandbox startup, monorepo entries, assignments, and cron setup |
| [Agents](/web/agents) | Reusable agents, preset forks, categories, slugs, model choice, skills, rules, and context |
| [Triggers](/web/triggers) | One GitHub event routed directly to one agent |
@@ -38,7 +38,7 @@ that other surfaces consume.
For a new account or new repo, use the app in this order:
-1. Connect GitHub and provider state in [Settings](/web/settings).
+1. Connect GitHub and confirm managed account access in [Settings](/web/settings).
2. Confirm App-backed repo coverage in [Installations](/web/installations).
3. Sync and open the target repo in [Projects](/web/spaces).
4. Check reusable behavior in [Agents](/web/agents).
diff --git a/content/docs/platform/how-mogplex-fits-together.mdx b/content/docs/platform/how-mogplex-fits-together.mdx
index 3d7fa50..a687ad0 100644
--- a/content/docs/platform/how-mogplex-fits-together.mdx
+++ b/content/docs/platform/how-mogplex-fits-together.mdx
@@ -19,7 +19,7 @@ Each object answers a different question.
| Object | Owns | Start here when |
| --- | --- | --- |
-| Account state | Identity, provider access, CLI tokens, model defaults, Slack installs, connections, MCP definitions | sign-in, model, provider, token, Slack, or connection state looks wrong |
+| Account state | Identity, managed model and sandbox access, CLI tokens, model defaults, Slack installs, connections, MCP definitions | sign-in, model, billing, token, Slack, or connection state looks wrong |
| GitHub installation | App-backed coverage for one GitHub user or org | repos are visible but GitHub events do not trigger work |
| Repo | Imported repository state and repo-specific settings | the target repo is missing, duplicated, hidden, or needs runtime settings |
| Agent | Reusable behavior, slug, prompt, model, skills, rules, and context | the worker itself behaves wrong or a mention slug does not resolve |
diff --git a/content/docs/platform/index.mdx b/content/docs/platform/index.mdx
index 9184325..640bf6e 100644
--- a/content/docs/platform/index.mdx
+++ b/content/docs/platform/index.mdx
@@ -38,7 +38,7 @@ Start here when you need to understand where work should happen.