nudgebee
diff --git a/‎doc-server/api-docs/index.html‎
Lines changed: 0 additions & 751866 deletions b/‎doc-server/api-docs/index.html‎
Lines changed: 0 additions & 751866 deletions
diff --git a/‎doc-server/docs/FAQ.md‎
Lines changed: 15 additions & 9 deletions b/‎doc-server/docs/FAQ.md‎
Lines changed: 15 additions & 9 deletions
diff --git a/‎doc-server/docs/api-docs/api-tokens.md‎
Lines changed: 3 additions & 3 deletions b/‎doc-server/docs/api-docs/api-tokens.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎doc-server/docs/editions.md‎
Lines changed: 73 additions & 0 deletions b/‎doc-server/docs/editions.md‎
Lines changed: 73 additions & 0 deletions
diff --git a/‎doc-server/docs/features/api-tokens.md‎
Lines changed: 3 additions & 3 deletions b/‎doc-server/docs/features/api-tokens.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎doc-server/docs/features/index.md‎
Lines changed: 1 addition & 1 deletion b/‎doc-server/docs/features/index.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎doc-server/docs/features/security.md‎
Lines changed: 4 additions & 3 deletions b/‎doc-server/docs/features/security.md‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎doc-server/docs/features/troubleshooting/alerting.md‎
Lines changed: 9 additions & 9 deletions b/‎doc-server/docs/features/troubleshooting/alerting.md‎
Lines changed: 9 additions & 9 deletions
@@ -53,17 +53,23 @@ GitOps Way Of Configuring NudgeBee Optimizations -
 ### Can NudgeBee work on K3s/Kind/Minikube?
 Yes, please refer to the Installation Guide for local testing.
 
-### Does NudgeBee Docker images have any security vulnerabilities?
-No, NudgeBee uses Alpine-based images to reduce overall size and security issues. We use AWS ECR and NudgeBee for scanning images maintained by us. We can share a security report for that as per request.
+### How are NudgeBee Docker images secured?
+NudgeBee uses minimal Alpine-based images to reduce attack surface and image size. Images are scanned for known vulnerabilities as part of the release pipeline. To report a suspected vulnerability, see the [security policy](https://github.com/nudgebee/nudgebee-docs/blob/main/SECURITY.md).
 
-### Does NudgeBee have VAPT reports?
-Yes, we use ZAP/manual pen testing for our security testing and can share reports based on request.
+### Is NudgeBee penetration tested?
+Yes. NudgeBee undergoes regular security testing, including automated and manual penetration testing, as part of its release process.
 
 ### Can I configure multiple clusters within a single NudgeBee server?
 Yes, configure agents on each targeted cluster.
 
-### What are different NudgeBee distributions?
-NudgeBee has both SaaS and self-hosted solutions. As an end-user, you can use the SaaS solution to quickly validate/test the product and the self-hosted solution for long-term deployment (if there are compliance constraints which don't allow any kind of data movement).
+### What are the different NudgeBee distributions / editions?
+NudgeBee is available in three editions — see the [Editions page](./editions.md) for the full side-by-side comparison.
+
+- **Community** — free, open-source (Apache 2.0), fully functional self-hosted. Pull public images from `ghcr.io/nudgebee`; no license key.
+- **Enterprise** — self-hosted with a commercial license. Adds SAML 2.0 SSO, NudgeBee's managed models (`nb-llm` / `nb-slm`), and commercial support.
+- **Cloud** (SaaS) — fully managed at [app.nudgebee.com](https://app.nudgebee.com). Fastest way to evaluate.
+
+Use Cloud for fastest evaluation; Community for a free, self-hosted deployment; Enterprise when you need SAML, managed models, or a commercial SLA while staying on-prem.
 
 ### What is the NudgeBee release cycle?
 We target to have a weekly release cycle with hotfixes as per requirements. We follow SemVer for our versioning.
@@ -81,9 +87,9 @@ Logs - We integrate with existing log services like Loki/ELK, so again, it depen
 
 #### Servers store the following data:
 
-Aggregated Metrics - We do aggregation on a daily basis. No retention policy yet. Would like to understand the use case.
-Events - Troubleshooting pages. Current retention is 60 days. You can make it configurable.
-Deleted Pods/Workloads etc. - We store deleted workloads/pods etc. No retention policy yet. Will share once that is there, maybe by next week.
+Aggregated Metrics - Aggregated on a daily basis and retained for long-term trend analysis.
+Events - Troubleshooting pages. Default retention is 60 days, and is configurable.
+Deleted Pods/Workloads etc. - Records of deleted workloads/pods are retained to support historical analysis.
 
 ### Does NudgeBee support Anomaly Detection?
 No, this is part of the roadmap.
 
@@ -4,7 +4,7 @@ sidebar_position: 2
 
 # API Tokens
 
-API Tokens allow you to authenticate with Nudgebee APIs programmatically. You can use them to automate workflows, integrate with external tools, or build custom scripts that interact with Nudgebee.
+API Tokens allow you to authenticate with NudgeBee APIs programmatically. You can use them to automate workflows, integrate with external tools, or build custom scripts that interact with NudgeBee.
 
 ## Accessing API Tokens
 
@@ -65,7 +65,7 @@ curl https://app.nudgebee.com/api/auth/token \
   -H 'content-type: application/json'
 ```
 
-- Replace `your@email.com` with your Nudgebee account email.
+- Replace `your@email.com` with your NudgeBee account email.
 - Replace `YOUR_API_TOKEN` with the token you copied when creating it.
 
 The response will contain a JWT token (referred to as `AUTH_TOKEN` below).
@@ -96,5 +96,5 @@ Replace `$AUTH_TOKEN` with the JWT token received in Step 1, and `$QUERY_DATA` w
 ## Notes
 
 - The API token itself is used as the `secret` field in Step 1. It is **not** used directly as a Bearer token in API calls.
-- The base URL in the `curl` commands should match your Nudgebee environment (e.g., `https://app.nudgebee.com` for production).
+- The base URL in the `curl` commands should match your NudgeBee environment (e.g., `https://app.nudgebee.com` for production).
 - If you are using a self-hosted or on-premise deployment, replace the base URL with your instance's domain.
@@ -0,0 +1,73 @@
+---
+sidebar_position: 2
+sidebar_label: Editions & Pricing
+---
+
+# Editions
+
+NudgeBee is available in three editions. They share the same codebase and
+documentation — this page is the source of truth for what each one includes.
+
+| | **Community** <Community/> | **Enterprise** <Enterprise/> | **Cloud** <Cloud/> |
+|---|---|---|---|
+| **What it is** | Free, open-source (Apache 2.0), self-hosted. Fully functional. | Self-hosted with a commercial license. Adds enterprise features and support. | Fully managed SaaS, hosted and operated by NudgeBee. |
+| **Where it runs** | Your own Kubernetes cluster | Your own Kubernetes cluster | [app.nudgebee.com](https://app.nudgebee.com) |
+| **Container images** | Public — `ghcr.io/nudgebee` (no authentication) | Licensed — `registry.nudgebee.com` | Managed for you |
+| **License key** | Not required | Required | Not applicable |
+| **Cost** | Free | Paid (per-license) | Paid (subscription) |
+| **Best for** | Teams that want full control and a zero-cost, self-hosted deployment. | Organizations that need SAML SSO, NudgeBee's managed models, and commercial support while self-hosting. | Teams that want to start in minutes without managing infrastructure. |
+| **Support** | Community ([GitHub Issues & Discussions](https://github.com/nudgebee)) | Commercial support (SLA) | Commercial support (SLA) |
+
+:::tip
+Not sure where to start? The **Community** edition is fully functional and free
+— monitoring, the Semantic Knowledge Graph, cost optimizations, troubleshooting,
+the Workflow Builder, and Autopilot all work out of the box. You can move to
+Enterprise or Cloud later without losing your configuration.
+:::
+
+## What's in the open-source (Community) edition
+
+The Community edition is **fully functional** for self-hosted Kubernetes
+operations. It includes:
+
+- The NudgeBee **Server** (control plane, UI, API) and **Agent**
+- The **Semantic Knowledge Graph**
+- **Cost optimizations** and FinOps recommendations
+- **Troubleshooting**, alerting, and the playbook catalog
+- The **Workflow Builder** and **Autopilot** auto-runbooks
+- **Notifications** (Slack, Teams, Google Chat) and **ticketing** integrations
+- **BYOM (Bring Your Own Model)** LLM connectivity — OpenAI, Azure OpenAI,
+  AWS Bedrock, Google Vertex AI / Gemini, Ollama, Hugging Face, and SageMaker
+- **OAuth SSO** — Google, Okta, OneLogin, Azure AD (and B2C), Auth0 — plus
+  magic-link email and built-in credentials login
+- **Role-based access control**, approval workflows, and audit trails
+
+The Community edition is **single-tenant by design** — one organization per
+install. The chart provisions the tenant at install time and users are invited
+into it from the UI.
+
+## What requires Enterprise or Cloud
+
+A small set of capabilities are not part of the free Community edition. Pages
+documenting these features are marked with an <Enterprise/> or <Cloud/> badge.
+
+| Feature | Edition | Notes |
+|---|---|---|
+| **SAML 2.0 SSO** | <Enterprise/> <Cloud/> | Community supports OAuth SSO (Google, Okta, OneLogin, Azure AD / B2C, Auth0), magic-link email, and credentials login — but the SAML 2.0 flow (with IdP-driven user provisioning and group-to-role mapping) is Enterprise-only. See [Authentication](./integrations/Authentication/index.md). |
+| **NudgeBee-managed & proprietary LLM/SLM models** (`nb-llm`, `nb-slm`, `nb-text-embeddings`) | <Enterprise/> <Cloud/> | Community users connect their own model via [BYOM](./integrations/LLM/index.md). |
+| **Multi-tenant self-signup** | <Cloud/> | Community and Enterprise installs are single-tenant. The self-serve signup flow (creates a new tenant per signup) is exclusive to NudgeBee Cloud. |
+| **Cloud-marketplace billing** (AWS / Azure subscriptions) | <Cloud/> | Marketplace purchase callbacks and billing are SaaS-only. |
+
+:::note
+This boundary may evolve as the project grows. When it does, this page and the
+per-feature badges are updated together so the docs always reflect what's
+actually gated.
+:::
+
+## Trademarks
+
+NudgeBee is open source under the Apache 2.0 license, but the **NudgeBee name
+and logo are trademarks**. The Apache license does not grant trademark rights —
+in particular, modified builds and forks must be renamed. See the
+[trademark policy](https://github.com/nudgebee/nudgebee-docs/blob/main/TRADEMARKS.md)
+for what's allowed.
@@ -3,7 +3,7 @@ sidebar_position: 10
 ---
 # API Tokens
 
-API Tokens allow you to authenticate with Nudgebee APIs programmatically. You can use them to automate workflows, integrate with external tools, or build custom scripts that interact with Nudgebee.
+API Tokens allow you to authenticate with NudgeBee APIs programmatically. You can use them to automate workflows, integrate with external tools, or build custom scripts that interact with NudgeBee.
 
 ## Accessing API Tokens
 
@@ -64,7 +64,7 @@ curl https://app.nudgebee.com/api/auth/token \
   -H 'content-type: application/json'
 ```
 
-- Replace `your@email.com` with your Nudgebee account email.
+- Replace `your@email.com` with your NudgeBee account email.
 - Replace `YOUR_API_TOKEN` with the token you copied when creating it.
 
 The response will contain a JWT token (referred to as `AUTH_TOKEN` below).
@@ -95,5 +95,5 @@ Replace `$AUTH_TOKEN` with the JWT token received in Step 1, and `$QUERY_DATA` w
 ## Notes
 
 - The API token itself is used as the `secret` field in Step 1. It is **not** used directly as a Bearer token in API calls.
-- The base URL in the `curl` commands should match your Nudgebee environment (e.g., `https://app.nudgebee.com` for production).
+- The base URL in the `curl` commands should match your NudgeBee environment (e.g., `https://app.nudgebee.com` for production).
 - If you are using a self-hosted or on-premise deployment, replace the base URL with your instance's domain.
@@ -28,6 +28,6 @@ Explore everything NudgeBee offers for Cloud-Ops Intelligence, troubleshooting,
 
 - **[SLO](./slo.md)** — Define and track Service Level Objectives to ensure your services meet reliability targets. Get alerted when SLOs are at risk and use historical data to make informed capacity decisions.
 
-- **[Security](./security.md)** — Enterprise-grade security with SOC 2 Type II and ISO 27001 certification. Includes SSO authentication, role-based access control, approval workflows, and full audit trails for every action.
+- **[Security](./security.md)** — Role-based access control, approval workflows, and full audit trails for every action. OAuth SSO (Google, Okta, Azure AD, Auth0) and magic-link login are in every edition; **SAML 2.0 SSO** is available in the Enterprise and Cloud editions. NudgeBee Cloud is SOC 2 Type II and ISO 27001 certified.
 
 - **[User Management](./user-management.md)** — Invite team members, assign admin or read-only roles, and control access at both tenant and account level. New users get started instantly via email invite — no password setup needed.
@@ -3,7 +3,7 @@ sidebar_position: 11
 ---
 # Security
 
-NudgeBee is designed with security at its core. The platform is **SOC 2 Type II certified** and **ISO 27001 certified**, providing enterprise-grade security for your cloud operations.
+NudgeBee is designed with security at its core. [NudgeBee Cloud](https://app.nudgebee.com) (the managed SaaS offering) is **SOC 2 Type II certified** and **ISO 27001 certified**. These certifications cover the hosted service; self-hosted (Community and Enterprise) deployments run entirely within your own infrastructure, under your own controls.
 
 This page covers NudgeBee's **Enterprise Guardrails** — authentication, authorization, approval workflows, and audit trails — that keep your operations secure and compliant.
 
@@ -12,9 +12,10 @@ NudgeBee does not store passwords. All authentication is handled through SSO pro
 :::
 
 ## Authentication
-- Supports Google, Azure, Okta, and Auth0 for Single Sign-On (SSO). To configure SSO for on-prem, see [Authentication Integration](../integrations/Authentication/index.md).
+- **OAuth SSO** with Google, Okta, OneLogin, Azure AD (and B2C), and Auth0 is available in **all editions** (Community, Enterprise, Cloud). See [Authentication Integration](../integrations/Authentication/index.md) for setup.
+- **SAML 2.0 SSO** (with IdP-driven user provisioning and group-to-role mapping) is available in the **Enterprise** and **Cloud** editions.
 - Users without SSO can use **magic email links** — enter your email and receive a one-time login link. No password required.
-- Credentials for external integrations are stored encrypted using AES with GCM.
+- Credentials for external integrations are stored encrypted (AES-GCM) at rest using the `NUDGEBEE_ENCRYPTION_KEY` set at install time.
 
 ## Authorization
 - Currently, NudgeBee supports tenant level authorization with 2 roles(admin, readonly)
 
@@ -4,7 +4,7 @@ sidebar_position: 3
 
 # Alerting & Auto-Investigation
 
-When an alert fires, Nudgebee can run a small list of "actions" automatically — gathering logs, fetching cloud metrics, snapshotting database queries, hitting an internal API — and attach the results to the alert as evidence. The LLM then writes the root cause analysis with all of that context already in hand.
+When an alert fires, NudgeBee can run a small list of "actions" automatically — gathering logs, fetching cloud metrics, snapshotting database queries, hitting an internal API — and attach the results to the alert as evidence. The LLM then writes the root cause analysis with all of that context already in hand.
 
 You set this up once, on the alert. After that, every time the alert fires, the same investigation happens automatically.
 
@@ -19,7 +19,7 @@ A few real examples:
 None of these require any custom code or workflow. Each is two or three clicks in the alert editor.
 
 :::tip Works for any alert source
-This works for alerts you create in Nudgebee (Prometheus rules) **and** for alerts forwarded from any of the integrations Nudgebee accepts via webhook: **Datadog**, **New Relic**, **Dynatrace**, **Splunk**, **SolarWinds**, **Grafana**, **GCP Cloud Monitoring**, **Azure Monitor**, **PagerDuty**, **Zenduty**, **ServiceNow**, or the generic webhook (used for AWS CloudWatch via SNS, or any other source). The flow is the same in every case.
+This works for alerts you create in NudgeBee (Prometheus rules) **and** for alerts forwarded from any of the integrations NudgeBee accepts via webhook: **Datadog**, **New Relic**, **Dynatrace**, **Splunk**, **SolarWinds**, **Grafana**, **GCP Cloud Monitoring**, **Azure Monitor**, **PagerDuty**, **Zenduty**, **ServiceNow**, or the generic webhook (used for AWS CloudWatch via SNS, or any other source). The flow is the same in every case.
 :::
 
 ---
@@ -30,7 +30,7 @@ Open the cloud or cluster account from the top-right account picker, then go to
 
 ![AlertManager listing](./img/alertmanager-listing.png)
 
-Every alert Nudgebee knows about is listed here — Prometheus rules you authored, plus alerts forwarded from external sources. From any row you can edit the alert, attach actions to it, or pause it.
+Every alert NudgeBee knows about is listed here — Prometheus rules you authored, plus alerts forwarded from external sources. From any row you can edit the alert, attach actions to it, or pause it.
 
 ---
 
@@ -40,15 +40,15 @@ The alert editor is a short wizard. The first two steps are about **the alert it
 
 ### 1. Alert configuration
 
-Give the alert a name, severity, and short summary. The name is what Nudgebee uses to remember which actions belong to which alert, so pick something stable.
+Give the alert a name, severity, and short summary. The name is what NudgeBee uses to remember which actions belong to which alert, so pick something stable.
 
 If the alert came in from an external source (Datadog, New Relic, an AWS / GCP / Azure alarm forwarded via webhook, etc.), the alert entry is created automatically when it first fires — open the existing row in Alert Manager and go straight to **Add Actions**.
 
 ### 2. Triggering condition
 
-For Prometheus rules created in Nudgebee, this is where you write the PromQL and choose how long the condition must hold (the `for:` window) before the alert fires.
+For Prometheus rules created in NudgeBee, this is where you write the PromQL and choose how long the condition must hold (the `for:` window) before the alert fires.
 
-For external alerts, the trigger condition lives in the originating system (Datadog, CloudWatch, …) — Nudgebee just records the alert when the source notifies it.
+For external alerts, the trigger condition lives in the originating system (Datadog, CloudWatch, …) — NudgeBee just records the alert when the source notifies it.
 
 ### 3. Add actions
 
@@ -133,7 +133,7 @@ Attach three actions, in this order:
 2. **Get Cloud Provider Metrics** — pulls CPU, IOPS, and connection-count history from CloudWatch.
 3. **Database Query (Proxy Agent)** — runs the same `pg_stat_activity` snapshot as above, against the same instance.
 
-When the alarm fires, the alert in Nudgebee will have all three evidence cards waiting — AWS view, metric trend, live workload — and the analysis ties them together. Notice that none of this is Kubernetes-specific.
+When the alarm fires, the alert in NudgeBee will have all three evidence cards waiting — AWS view, metric trend, live workload — and the analysis ties them together. Notice that none of this is Kubernetes-specific.
 
 ### Slow Datadog monitor — pull the service graph
 
@@ -147,9 +147,9 @@ The LLM ends up with a clear picture of where the latency is coming from before
 
 ---
 
-## Need data that's not in the catalog?
+## Need data that's not in the catalog? {#custom-data-collection}
 
-You don't need to write a workflow or a plugin for this. Nudgebee includes "run my command" actions for the common shapes of custom data collection:
+You don't need to write a workflow or a plugin for this. NudgeBee includes "run my command" actions for the common shapes of custom data collection:
 
 - **Run a SQL query** anywhere your proxy agent can reach — Postgres, MySQL, MSSQL, ClickHouse, Oracle.
 - **Hit an internal HTTP endpoint** — Grafana, Jenkins, your own health checks.