From 382f7fb649f8014feda56fcd7ad0d5dff5af54d6 Mon Sep 17 00:00:00 2001
From: Waleed Latif <walif6@gmail.com>
Date: Tue, 21 Apr 2026 20:43:13 -0700
Subject: [PATCH 1/5] fix(docs): update simstudio.ai URLs to sim.ai in SSO docs

---
 apps/docs/content/docs/en/enterprise/sso.mdx | 22 ++++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/apps/docs/content/docs/en/enterprise/sso.mdx b/apps/docs/content/docs/en/enterprise/sso.mdx
index 8cc264d7dc..b4223b6900 100644
--- a/apps/docs/content/docs/en/enterprise/sso.mdx
+++ b/apps/docs/content/docs/en/enterprise/sso.mdx
@@ -62,15 +62,15 @@ The **Callback URL** shown in the form is the endpoint your identity provider mu
 
 **OIDC providers** (Okta, Microsoft Entra ID, Google Workspace, Auth0):
 ```
-https://simstudio.ai/api/auth/sso/callback/{provider-id}
+https://sim.ai/api/auth/sso/callback/{provider-id}
 ```
 
 **SAML providers** (ADFS, Shibboleth):
 ```
-https://simstudio.ai/api/auth/sso/saml2/callback/{provider-id}
+https://sim.ai/api/auth/sso/saml2/callback/{provider-id}
 ```
 
-For self-hosted, replace `simstudio.ai` with your instance hostname.
+For self-hosted, replace `sim.ai` with your instance hostname.
 
 ### 5. Save and test
 
@@ -92,7 +92,7 @@ Click **Save**. To test, sign out and use the **Sign in with SSO** button on the
 2. Select **OIDC - OpenID Connect**, then **Web Application**
 3. Set the **Sign-in redirect URI** to your Sim callback URL:
    ```
-   https://simstudio.ai/api/auth/sso/callback/okta
+   https://sim.ai/api/auth/sso/callback/okta
    ```
 4. Under **Assignments**, grant access to the relevant users or groups
 5. Copy the **Client ID** and **Client Secret** from the app's **General** tab
@@ -124,7 +124,7 @@ Click **Save**. To test, sign out and use the **Sign in with SSO** button on the
 1. Go to **Microsoft Entra ID → App registrations → New registration**
 2. Under **Redirect URI**, select **Web** and enter your Sim callback URL:
    ```
-   https://simstudio.ai/api/auth/sso/callback/azure-ad
+   https://sim.ai/api/auth/sso/callback/azure-ad
    ```
 3. After registration, go to **Certificates & secrets → New client secret** and copy the value immediately — it won't be shown again
 4. Go to **Overview** and copy the **Application (client) ID** and **Directory (tenant) ID**
@@ -156,7 +156,7 @@ Click **Save**. To test, sign out and use the **Sign in with SSO** button on the
 2. Set the application type to **Web application**
 3. Add your Sim callback URL to **Authorized redirect URIs**:
    ```
-   https://simstudio.ai/api/auth/sso/callback/google-workspace
+   https://sim.ai/api/auth/sso/callback/google-workspace
    ```
 4. Copy the **Client ID** and **Client Secret**
 
@@ -187,12 +187,12 @@ Click **Save**. To test, sign out and use the **Sign in with SSO** button on the
 2. Choose **Claims aware**, then **Enter data about the relying party manually**
 3. Set the **Relying party identifier** (Entity ID) to your Sim base URL:
    ```
-   https://simstudio.ai
+   https://sim.ai
    ```
    For self-hosted, use your instance's base URL (e.g. `https://sim.company.com`)
 4. Add an endpoint: **SAML Assertion Consumer Service** (HTTP POST) with the URL:
    ```
-   https://simstudio.ai/api/auth/sso/saml2/callback/adfs
+   https://sim.ai/api/auth/sso/saml2/callback/adfs
    ```
    For self-hosted: `https://sim.company.com/api/auth/sso/saml2/callback/adfs`
 5. Export the **Token-signing certificate** from **Certificates**: right-click → **View Certificate → Details → Copy to File**, choose **Base-64 encoded X.509 (.CER)**. The `.cer` file is PEM-encoded — rename it to `.pem` before pasting its contents into Sim.
@@ -204,7 +204,7 @@ Click **Save**. To test, sign out and use the **Sign in with SSO** button on the
 |-------|-------|
 | Provider Type | SAML |
 | Provider ID | `adfs` |
-| Issuer URL | `https://simstudio.ai` |
+| Issuer URL | `https://sim.ai` |
 | Domain | `company.com` |
 | Entry Point URL | `https://adfs.company.com/adfs/ls` |
 | Certificate | Contents of the `.pem` file |
@@ -223,7 +223,7 @@ Click **Save**. To test, sign out and use the **Sign in with SSO** button on the
 
 Once SSO is configured, users with your domain (`company.com`) can sign in through your identity provider:
 
-1. User goes to `simstudio.ai` and clicks **Sign in with SSO**
+1. User goes to `sim.ai` and clicks **Sign in with SSO**
 2. They enter their work email (e.g. `alice@company.com`)
 3. Sim redirects them to your identity provider
 4. After authenticating, they are returned to Sim and added to your organization automatically
@@ -268,7 +268,7 @@ Users who sign in via SSO for the first time are automatically provisioned and a
   },
   {
     question: "What is the Callback URL?",
-    answer: "The Callback URL (also called Redirect URI or ACS URL) is the endpoint in Sim that receives the authentication response from your identity provider. For OIDC providers it follows the format: https://simstudio.ai/api/auth/sso/callback/{provider-id}. For SAML providers it is: https://simstudio.ai/api/auth/sso/saml2/callback/{provider-id}. You must register this URL in your identity provider before SSO will work."
+    answer: "The Callback URL (also called Redirect URI or ACS URL) is the endpoint in Sim that receives the authentication response from your identity provider. For OIDC providers it follows the format: https://sim.ai/api/auth/sso/callback/{provider-id}. For SAML providers it is: https://sim.ai/api/auth/sso/saml2/callback/{provider-id}. You must register this URL in your identity provider before SSO will work."
   },
   {
     question: "How do I update or replace an existing SSO configuration?",

From 7bc1b2b22dbdce80fc836aec41d31658773da53d Mon Sep 17 00:00:00 2001
From: Waleed Latif <walif6@gmail.com>
Date: Tue, 21 Apr 2026 21:09:21 -0700
Subject: [PATCH 2/5] improvement(docs): remove plan defaults table from data
 retention docs

---
 .../content/docs/en/enterprise/data-retention.mdx  | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/apps/docs/content/docs/en/enterprise/data-retention.mdx b/apps/docs/content/docs/en/enterprise/data-retention.mdx
index 2590d32408..6647a53cff 100644
--- a/apps/docs/content/docs/en/enterprise/data-retention.mdx
+++ b/apps/docs/content/docs/en/enterprise/data-retention.mdx
@@ -67,22 +67,12 @@ Retention is configured at the **workspace level**, not organization-wide. Each
 
 ---
 
-## Plan defaults
-
-Non-enterprise workspaces use the following automatic defaults. These cannot be changed.
-
-| Setting | Free | Pro | Team |
-|---------|------|-----|------|
-| Log retention | 30 days | Not configured | Not configured |
-| Soft deletion cleanup | 30 days | 90 days | 90 days |
-| Task cleanup | Not configured | Not configured | Not configured |
-
-"Not configured" means that category of data is not automatically deleted on that plan.
+## Defaults
 
 Enterprise workspaces have no defaults — retention only runs for a setting once you configure it. Until configured, that category of data is not automatically deleted.
 
 <Callout type="info">
-  On Enterprise, setting a period to **Forever** explicitly keeps data indefinitely. Leaving a setting unconfigured has the same effect, but setting it to Forever makes the intent explicit and allows you to change it later without needing to save from scratch.
+  Setting a period to **Forever** explicitly keeps data indefinitely. Leaving a setting unconfigured has the same effect, but setting it to Forever makes the intent explicit and allows you to change it later without needing to save from scratch.
 </Callout>
 
 ---

From cabe1faf7cdfa8af4b8386194a6e15707e3d5c18 Mon Sep 17 00:00:00 2001
From: Waleed Latif <walif6@gmail.com>
Date: Tue, 21 Apr 2026 21:12:37 -0700
Subject: [PATCH 3/5] improvement(docs): consolidate self-hosting info at
 bottom of enterprise docs

---
 .../docs/en/enterprise/access-control.mdx     |  2 +-
 .../docs/en/enterprise/data-retention.mdx     |  2 +-
 .../docs/content/docs/en/enterprise/index.mdx | 99 ++++++++-----------
 apps/docs/content/docs/en/enterprise/sso.mdx  |  8 --
 .../docs/en/enterprise/whitelabeling.mdx      |  2 +-
 5 files changed, 42 insertions(+), 71 deletions(-)

diff --git a/apps/docs/content/docs/en/enterprise/access-control.mdx b/apps/docs/content/docs/en/enterprise/access-control.mdx
index b1ab31105c..0034a296ae 100644
--- a/apps/docs/content/docs/en/enterprise/access-control.mdx
+++ b/apps/docs/content/docs/en/enterprise/access-control.mdx
@@ -165,7 +165,7 @@ When a user opens Mothership, their permission group is read before any block or
 <FAQ items={[
   {
     question: "Who can create and manage permission groups?",
-    answer: "Any workspace admin on an Enterprise-entitled workspace can create, edit, and delete permission groups for that workspace. On Sim Cloud, the workspace's billed account must be on the Enterprise plan; on self-hosted deployments you can enable it via ACCESS_CONTROL_ENABLED."
+    answer: "Any workspace admin on an Enterprise-entitled workspace can create, edit, and delete permission groups for that workspace. The workspace's billed account must be on the Enterprise plan."
   },
   {
     question: "What happens to a workflow that was built before a block was restricted?",
diff --git a/apps/docs/content/docs/en/enterprise/data-retention.mdx b/apps/docs/content/docs/en/enterprise/data-retention.mdx
index 6647a53cff..4f297e72ff 100644
--- a/apps/docs/content/docs/en/enterprise/data-retention.mdx
+++ b/apps/docs/content/docs/en/enterprise/data-retention.mdx
@@ -69,7 +69,7 @@ Retention is configured at the **workspace level**, not organization-wide. Each
 
 ## Defaults
 
-Enterprise workspaces have no defaults — retention only runs for a setting once you configure it. Until configured, that category of data is not automatically deleted.
+By default, all three settings are unconfigured — no data is automatically deleted in any category until you configure it.
 
 <Callout type="info">
   Setting a period to **Forever** explicitly keeps data indefinitely. Leaving a setting unconfigured has the same effect, but setting it to Forever makes the intent explicit and allows you to change it later without needing to save from scratch.
diff --git a/apps/docs/content/docs/en/enterprise/index.mdx b/apps/docs/content/docs/en/enterprise/index.mdx
index a4a7aff19b..c73e4c449a 100644
--- a/apps/docs/content/docs/en/enterprise/index.mdx
+++ b/apps/docs/content/docs/en/enterprise/index.mdx
@@ -30,6 +30,8 @@ Define permission groups on a workspace to control what features and integration
   Any workspace admin on an Enterprise-entitled workspace can manage permission groups. Users not assigned to any group have full access. Permission restrictions are enforced at both UI and execution time, and apply to workflows based on the workflow's workspace.
 </Callout>
 
+See the [Access Control guide](/docs/enterprise/access-control) for full details.
+
 ---
 
 ## Single Sign-On (SSO)
@@ -40,69 +42,46 @@ See the [SSO setup guide](/docs/enterprise/sso) for step-by-step instructions an
 
 ---
 
-## Self-Hosted Configuration
+## Whitelabeling
 
-For self-hosted deployments, enterprise features can be enabled via environment variables without requiring billing.
+Replace Sim's default branding — logos, product name, and favicons — with your own. See the [whitelabeling guide](/docs/enterprise/whitelabeling).
 
-### Environment Variables
+---
 
-| Variable | Description |
-|----------|-------------|
-| `ORGANIZATIONS_ENABLED`, `NEXT_PUBLIC_ORGANIZATIONS_ENABLED` | Enable team/organization management |
-| `ACCESS_CONTROL_ENABLED`, `NEXT_PUBLIC_ACCESS_CONTROL_ENABLED` | Permission groups for access restrictions |
-| `SSO_ENABLED`, `NEXT_PUBLIC_SSO_ENABLED` | Single Sign-On with SAML/OIDC |
-| `CREDENTIAL_SETS_ENABLED`, `NEXT_PUBLIC_CREDENTIAL_SETS_ENABLED` | Polling Groups for email triggers |
-| `INBOX_ENABLED`, `NEXT_PUBLIC_INBOX_ENABLED` | Sim Mailer inbox for outbound email |
-| `WHITELABELING_ENABLED`, `NEXT_PUBLIC_WHITELABELING_ENABLED` | Custom branding and white-labeling |
-| `AUDIT_LOGS_ENABLED`, `NEXT_PUBLIC_AUDIT_LOGS_ENABLED` | Audit logging for compliance and monitoring |
-| `DISABLE_INVITATIONS`, `NEXT_PUBLIC_DISABLE_INVITATIONS` | Globally disable workspace/organization invitations |
-
-### Organization Management
-
-When billing is disabled, use the Admin API to manage organizations:
-
-```bash
-# Create an organization
-curl -X POST https://your-instance/api/v1/admin/organizations \
-  -H "x-admin-key: YOUR_ADMIN_API_KEY" \
-  -H "Content-Type: application/json" \
-  -d '{"name": "My Organization", "ownerId": "user-id-here"}'
-
-# Add a member
-curl -X POST https://your-instance/api/v1/admin/organizations/{orgId}/members \
-  -H "x-admin-key: YOUR_ADMIN_API_KEY" \
-  -H "Content-Type: application/json" \
-  -d '{"userId": "user-id-here", "role": "admin"}'
-```
-
-### Workspace Members
-
-When invitations are disabled, use the Admin API to manage workspace memberships directly:
-
-```bash
-# Add a user to a workspace
-curl -X POST https://your-instance/api/v1/admin/workspaces/{workspaceId}/members \
-  -H "x-admin-key: YOUR_ADMIN_API_KEY" \
-  -H "Content-Type: application/json" \
-  -d '{"userId": "user-id-here", "permissions": "write"}'
-
-# Remove a user from a workspace
-curl -X DELETE "https://your-instance/api/v1/admin/workspaces/{workspaceId}/members?userId=user-id-here" \
-  -H "x-admin-key: YOUR_ADMIN_API_KEY"
-```
-
-### Notes
-
-- Access Control is scoped per workspace. Set `ACCESS_CONTROL_ENABLED` and `NEXT_PUBLIC_ACCESS_CONTROL_ENABLED` to enable it on every workspace in a self-hosted deployment, bypassing the Enterprise plan check.
-- When `DISABLE_INVITATIONS` is set, users cannot send invitations. Use the Admin API to manage workspace and organization memberships instead.
+## Audit Logs
+
+Track configuration and security-relevant actions across your organization for compliance and monitoring. See the [audit logs guide](/docs/enterprise/audit-logs).
+
+---
+
+## Data Retention
+
+Configure how long execution logs, soft-deleted resources, and Mothership data are kept before permanent deletion. See the [data retention guide](/docs/enterprise/data-retention).
+
+---
 
 <FAQ items={[
-  { question: "What are the minimum requirements to self-host Sim?", answer: "The Docker Compose production setup includes the Sim application (8 GB memory limit), a realtime collaboration server (1 GB memory limit), and a PostgreSQL database with pgvector. A machine with at least 16 GB of RAM and 4 CPU cores is recommended. You will also need Docker and Docker Compose installed." },
-  { question: "Can I run Sim completely offline with local AI models?", answer: "Yes. Sim supports Ollama and VLLM for running local AI models. A separate Docker Compose configuration (docker-compose.ollama.yml) is available for deploying with Ollama. This lets you run workflows without any external API calls, keeping all data on your infrastructure." },
-  { question: "How does data privacy work with self-hosted deployments?", answer: "When self-hosted, all data stays on your infrastructure. Workflow definitions, execution logs, credentials, and user data are stored in your PostgreSQL database. If you use local AI models through Ollama or VLLM, no data leaves your network. When using external AI providers, only the data sent in prompts goes to those providers." },
-  { question: "Do I need a paid license to self-host Sim?", answer: "The core Sim platform is open source under Apache 2.0 and can be self-hosted for free. Enterprise features like SSO (SAML/OIDC), access control with permission groups, and organization management require an Enterprise subscription for production use. These features can be enabled via environment variables for development and evaluation without a license." },
-  { question: "Which SSO providers are supported?", answer: "Sim supports SAML 2.0 and OIDC protocols, which means it works with virtually any enterprise identity provider including Okta, Azure AD (Entra ID), Google Workspace, and OneLogin. Configuration is done through Settings in the workspace UI." },
-  { question: "How do I manage users when invitations are disabled?", answer: "Use the Admin API with your admin API key. You can create organizations, add members to organizations with specific roles, add users to workspaces with defined permissions, and remove users. All management is done through REST API calls authenticated with the x-admin-key header." },
-  { question: "Can I scale Sim horizontally for high availability?", answer: "The Docker Compose setup is designed for single-node deployments. For production scaling, you can deploy on Kubernetes with multiple application replicas behind a load balancer. The database can be scaled independently using managed PostgreSQL services. Redis can be configured for session and cache management across multiple instances." },
-  { question: "How do access control permission groups work?", answer: "Permission groups are created per workspace and let you restrict which AI providers, workflow blocks, and platform features are available to specific members of that workspace. Each user can belong to at most one group per workspace (and different groups in different workspaces). Users not assigned to any group have full access. Restrictions are enforced at both the UI level (hiding restricted options) and at execution time (blocking unauthorized operations) — execution enforcement is based on the workflow's workspace. Any workspace admin on an Enterprise-entitled workspace can manage permission groups." },
+  { question: "Who can manage Enterprise features?", answer: "Workspace admins on an Enterprise-entitled workspace. Access Control, SSO, whitelabeling, audit logs, and data retention are all configured per workspace under Settings → Enterprise." },
+  { question: "Which SSO providers are supported?", answer: "Sim supports SAML 2.0 and OIDC, which works with virtually any enterprise identity provider including Okta, Azure AD (Entra ID), Google Workspace, ADFS, and OneLogin." },
+  { question: "How do access control permission groups work?", answer: "Permission groups are created per workspace and let you restrict which AI providers, workflow blocks, and platform features are available to specific members of that workspace. Each user can belong to at most one group per workspace. Users not assigned to any group have full access. Restrictions are enforced at both the UI level and at execution time based on the workflow's workspace." },
 ]} />
+
+---
+
+## Self-hosted setup
+
+Self-hosted deployments enable enterprise features via environment variables instead of billing.
+
+| Variable | Description |
+|----------|-------------|
+| `ORGANIZATIONS_ENABLED`, `NEXT_PUBLIC_ORGANIZATIONS_ENABLED` | Team and organization management |
+| `ACCESS_CONTROL_ENABLED`, `NEXT_PUBLIC_ACCESS_CONTROL_ENABLED` | Permission groups |
+| `SSO_ENABLED`, `NEXT_PUBLIC_SSO_ENABLED` | SAML and OIDC sign-in |
+| `WHITELABELING_ENABLED`, `NEXT_PUBLIC_WHITELABELING_ENABLED` | Custom branding |
+| `AUDIT_LOGS_ENABLED`, `NEXT_PUBLIC_AUDIT_LOGS_ENABLED` | Audit logging |
+| `NEXT_PUBLIC_DATA_RETENTION_ENABLED` | Data retention configuration |
+| `CREDENTIAL_SETS_ENABLED`, `NEXT_PUBLIC_CREDENTIAL_SETS_ENABLED` | Polling groups for email triggers |
+| `INBOX_ENABLED`, `NEXT_PUBLIC_INBOX_ENABLED` | Sim Mailer inbox |
+| `DISABLE_INVITATIONS`, `NEXT_PUBLIC_DISABLE_INVITATIONS` | Disable invitations; manage membership via Admin API |
+
+Once enabled, each feature is configured through the same Settings UI as Sim Cloud. When invitations are disabled, use the Admin API (`x-admin-key` header) to manage organization and workspace membership.
diff --git a/apps/docs/content/docs/en/enterprise/sso.mdx b/apps/docs/content/docs/en/enterprise/sso.mdx
index b4223b6900..227261a7f3 100644
--- a/apps/docs/content/docs/en/enterprise/sso.mdx
+++ b/apps/docs/content/docs/en/enterprise/sso.mdx
@@ -70,8 +70,6 @@ https://sim.ai/api/auth/sso/callback/{provider-id}
 https://sim.ai/api/auth/sso/saml2/callback/{provider-id}
 ```
 
-For self-hosted, replace `sim.ai` with your instance hostname.
-
 ### 5. Save and test
 
 Click **Save**. To test, sign out and use the **Sign in with SSO** button on the login page. Enter an email address at your configured domain — Sim will redirect you to your identity provider.
@@ -189,12 +187,10 @@ Click **Save**. To test, sign out and use the **Sign in with SSO** button on the
    ```
    https://sim.ai
    ```
-   For self-hosted, use your instance's base URL (e.g. `https://sim.company.com`)
 4. Add an endpoint: **SAML Assertion Consumer Service** (HTTP POST) with the URL:
    ```
    https://sim.ai/api/auth/sso/saml2/callback/adfs
    ```
-   For self-hosted: `https://sim.company.com/api/auth/sso/saml2/callback/adfs`
 5. Export the **Token-signing certificate** from **Certificates**: right-click → **View Certificate → Details → Copy to File**, choose **Base-64 encoded X.509 (.CER)**. The `.cer` file is PEM-encoded — rename it to `.pem` before pasting its contents into Sim.
 6. Note the **ADFS Federation Service endpoint URL** (e.g. `https://adfs.company.com/adfs/ls`)
 
@@ -235,10 +231,6 @@ Users who sign in via SSO for the first time are automatically provisioned and a
   Password-based login remains available. Forcing all organization members to use SSO exclusively is not yet supported.
 </Callout>
 
-<Callout type="info">
-  **Self-hosted:** Automatic organization provisioning requires `ORGANIZATIONS_ENABLED=true` in addition to `SSO_ENABLED=true`. Without it, SSO authentication still works — users get a valid session — but they are not automatically added to an organization.
-</Callout>
-
 ---
 
 <FAQ items={[
diff --git a/apps/docs/content/docs/en/enterprise/whitelabeling.mdx b/apps/docs/content/docs/en/enterprise/whitelabeling.mdx
index a4c5f527f2..d50351a1b6 100644
--- a/apps/docs/content/docs/en/enterprise/whitelabeling.mdx
+++ b/apps/docs/content/docs/en/enterprise/whitelabeling.mdx
@@ -103,4 +103,4 @@ WHITELABELING_ENABLED=true
 NEXT_PUBLIC_WHITELABELING_ENABLED=true
 ```
 
-Once enabled, configure branding through **Settings → Enterprise → Whitelabeling** the same way as Sim Cloud.
+Once enabled, configure branding through **Settings → Enterprise → Whitelabeling** the same way.

From 71a316cfa86b67bf955230ea3aeeb549715da181 Mon Sep 17 00:00:00 2001
From: Waleed Latif <walif6@gmail.com>
Date: Tue, 21 Apr 2026 21:15:23 -0700
Subject: [PATCH 4/5] improvement(docs): reduce callout and FAQ overuse in
 enterprise docs

---
 .../docs/en/enterprise/access-control.mdx     |  7 +----
 .../content/docs/en/enterprise/audit-logs.mdx |  5 +---
 .../docs/en/enterprise/data-retention.mdx     | 11 ++-----
 .../docs/content/docs/en/enterprise/index.mdx | 15 +---------
 apps/docs/content/docs/en/enterprise/sso.mdx  | 14 ++-------
 .../docs/en/enterprise/whitelabeling.mdx      | 29 ++-----------------
 6 files changed, 10 insertions(+), 71 deletions(-)

diff --git a/apps/docs/content/docs/en/enterprise/access-control.mdx b/apps/docs/content/docs/en/enterprise/access-control.mdx
index 0034a296ae..500cb61771 100644
--- a/apps/docs/content/docs/en/enterprise/access-control.mdx
+++ b/apps/docs/content/docs/en/enterprise/access-control.mdx
@@ -3,7 +3,6 @@ title: Access Control
 description: Restrict which models, blocks, and platform features each group of users can access
 ---
 
-import { Callout } from 'fumadocs-ui/components/callout'
 import { FAQ } from '@/components/ui/faq'
 import { Image } from '@/components/ui/image'
 
@@ -54,11 +53,7 @@ Controls which workflow blocks members can place and execute.
 <Image src="/static/enterprise/access-control-blocks.png" alt="Blocks tab showing Core Blocks (Agent, API, Condition, Function, Knowledge, etc.) and Tools (integrations like 1Password, A2A, Ahrefs, Airtable, and more) with checkboxes to allow or restrict each" width={900} height={500} /> Blocks are split into two sections: **Core Blocks** (Agent, API, Condition, Function, etc.) and **Tools** (all integration blocks).
 
 - **All checked (default):** All blocks are allowed.
-- **Subset checked:** Only the selected blocks are allowed. Workflows that already contain a disallowed block will fail when run — they are not automatically modified.
-
-<Callout type="info">
-  The `start_trigger` block (the entry point of every workflow) is always allowed and cannot be restricted.
-</Callout>
+- **Subset checked:** Only the selected blocks are allowed. Workflows that already contain a disallowed block will fail when run — they are not automatically modified. The `start_trigger` block (the entry point of every workflow) is always allowed and cannot be restricted.
 
 #### Platform
 
diff --git a/apps/docs/content/docs/en/enterprise/audit-logs.mdx b/apps/docs/content/docs/en/enterprise/audit-logs.mdx
index ebd9be41a1..92ec41a489 100644
--- a/apps/docs/content/docs/en/enterprise/audit-logs.mdx
+++ b/apps/docs/content/docs/en/enterprise/audit-logs.mdx
@@ -3,7 +3,6 @@ title: Audit Logs
 description: Track every action taken across your organization's workspaces
 ---
 
-import { Callout } from 'fumadocs-ui/components/callout'
 import { FAQ } from '@/components/ui/faq'
 import { Image } from '@/components/ui/image'
 
@@ -78,9 +77,7 @@ Authorization: Bearer <api-key>
 
 Paginate by passing the `nextCursor` value as the `cursor` parameter in the next request. When `nextCursor` is absent, you have reached the last page.
 
-<Callout type="info">
-  The API accepts both personal and workspace-scoped API keys. Rate limits apply — the response includes `X-RateLimit-*` headers with your current limit and remaining quota.
-</Callout>
+The API accepts both personal and workspace-scoped API keys. Rate limits apply — the response includes `X-RateLimit-*` headers with your current limit and remaining quota.
 
 ---
 
diff --git a/apps/docs/content/docs/en/enterprise/data-retention.mdx b/apps/docs/content/docs/en/enterprise/data-retention.mdx
index 4f297e72ff..76510debe0 100644
--- a/apps/docs/content/docs/en/enterprise/data-retention.mdx
+++ b/apps/docs/content/docs/en/enterprise/data-retention.mdx
@@ -3,7 +3,6 @@ title: Data Retention
 description: Control how long execution logs, deleted resources, and copilot data are kept before permanent deletion
 ---
 
-import { Callout } from 'fumadocs-ui/components/callout'
 import { FAQ } from '@/components/ui/faq'
 import { Image } from '@/components/ui/image'
 
@@ -55,9 +54,7 @@ Controls how long **Mothership data** is kept, including:
 - Run checkpoints and async tool calls
 - Inbox tasks (Sim Mailer)
 
-<Callout type="info">
-  Each setting is independent. You can configure a short log retention period alongside a long soft deletion cleanup period, or set any combination that fits your compliance requirements.
-</Callout>
+Each setting is independent. You can configure a short log retention period alongside a long soft deletion cleanup period, or any combination that fits your compliance requirements.
 
 ---
 
@@ -69,11 +66,7 @@ Retention is configured at the **workspace level**, not organization-wide. Each
 
 ## Defaults
 
-By default, all three settings are unconfigured — no data is automatically deleted in any category until you configure it.
-
-<Callout type="info">
-  Setting a period to **Forever** explicitly keeps data indefinitely. Leaving a setting unconfigured has the same effect, but setting it to Forever makes the intent explicit and allows you to change it later without needing to save from scratch.
-</Callout>
+By default, all three settings are unconfigured — no data is automatically deleted in any category until you configure it. Setting a period to **Forever** has the same effect as leaving it unconfigured, but makes the intent explicit and allows you to change it later without saving from scratch.
 
 ---
 
diff --git a/apps/docs/content/docs/en/enterprise/index.mdx b/apps/docs/content/docs/en/enterprise/index.mdx
index c73e4c449a..45e596c399 100644
--- a/apps/docs/content/docs/en/enterprise/index.mdx
+++ b/apps/docs/content/docs/en/enterprise/index.mdx
@@ -3,9 +3,6 @@ title: Enterprise
 description: Enterprise features for business organizations
 ---
 
-import { Callout } from 'fumadocs-ui/components/callout'
-import { FAQ } from '@/components/ui/faq'
-
 Sim Enterprise provides advanced features for organizations with enhanced security, compliance, and management requirements.
 
 ---
@@ -26,9 +23,7 @@ Define permission groups on a workspace to control what features and integration
 2. Create a permission group with your desired restrictions
 3. Add workspace members to the permission group
 
-<Callout type="info">
-  Any workspace admin on an Enterprise-entitled workspace can manage permission groups. Users not assigned to any group have full access. Permission restrictions are enforced at both UI and execution time, and apply to workflows based on the workflow's workspace.
-</Callout>
+Any workspace admin on an Enterprise-entitled workspace can manage permission groups. Users not assigned to any group have full access. Restrictions are enforced at both UI and execution time, based on the workflow's workspace.
 
 See the [Access Control guide](/docs/enterprise/access-control) for full details.
 
@@ -60,14 +55,6 @@ Configure how long execution logs, soft-deleted resources, and Mothership data a
 
 ---
 
-<FAQ items={[
-  { question: "Who can manage Enterprise features?", answer: "Workspace admins on an Enterprise-entitled workspace. Access Control, SSO, whitelabeling, audit logs, and data retention are all configured per workspace under Settings → Enterprise." },
-  { question: "Which SSO providers are supported?", answer: "Sim supports SAML 2.0 and OIDC, which works with virtually any enterprise identity provider including Okta, Azure AD (Entra ID), Google Workspace, ADFS, and OneLogin." },
-  { question: "How do access control permission groups work?", answer: "Permission groups are created per workspace and let you restrict which AI providers, workflow blocks, and platform features are available to specific members of that workspace. Each user can belong to at most one group per workspace. Users not assigned to any group have full access. Restrictions are enforced at both the UI level and at execution time based on the workflow's workspace." },
-]} />
-
----
-
 ## Self-hosted setup
 
 Self-hosted deployments enable enterprise features via environment variables instead of billing.
diff --git a/apps/docs/content/docs/en/enterprise/sso.mdx b/apps/docs/content/docs/en/enterprise/sso.mdx
index 227261a7f3..a85f5b598c 100644
--- a/apps/docs/content/docs/en/enterprise/sso.mdx
+++ b/apps/docs/content/docs/en/enterprise/sso.mdx
@@ -107,9 +107,7 @@ Click **Save**. To test, sign out and use the **Sign in with SSO** button on the
 | Client ID | From Okta app |
 | Client Secret | From Okta app |
 
-<Callout type="info">
-  The issuer URL uses Okta's default authorization server (`/oauth2/default`), which is pre-configured on every Okta org. If you created a custom authorization server, replace `default` with your server name.
-</Callout>
+The issuer URL uses Okta's default authorization server, which is pre-configured on every Okta org. If you created a custom authorization server, replace `default` with your server name.
 
 </Tab>
 
@@ -138,10 +136,6 @@ Click **Save**. To test, sign out and use the **Sign in with SSO** button on the
 | Client ID | Application (client) ID |
 | Client Secret | Secret value |
 
-<Callout type="info">
-  Replace `{tenant-id}` with your Directory (tenant) ID from the app's Overview page. Sim auto-discovers token and JWKS endpoints from the issuer.
-</Callout>
-
 </Tab>
 
 <Tab value="Google Workspace">
@@ -225,11 +219,7 @@ Once SSO is configured, users with your domain (`company.com`) can sign in throu
 4. After authenticating, they are returned to Sim and added to your organization automatically
 5. They land in the workspace
 
-Users who sign in via SSO for the first time are automatically provisioned and added to your organization — no manual invite required.
-
-<Callout type="info">
-  Password-based login remains available. Forcing all organization members to use SSO exclusively is not yet supported.
-</Callout>
+Users who sign in via SSO for the first time are automatically provisioned and added to your organization — no manual invite required. Password-based login remains available; forcing all organization members to use SSO exclusively is not yet supported.
 
 ---
 
diff --git a/apps/docs/content/docs/en/enterprise/whitelabeling.mdx b/apps/docs/content/docs/en/enterprise/whitelabeling.mdx
index d50351a1b6..ef19be0557 100644
--- a/apps/docs/content/docs/en/enterprise/whitelabeling.mdx
+++ b/apps/docs/content/docs/en/enterprise/whitelabeling.mdx
@@ -3,8 +3,6 @@ title: Whitelabeling
 description: Replace Sim branding with your own logo, colors, and links
 ---
 
-import { Callout } from 'fumadocs-ui/components/callout'
-import { FAQ } from '@/components/ui/faq'
 import { Image } from '@/components/ui/image'
 
 Whitelabeling lets you replace Sim's default branding — logo, colors, and support links — with your own. Members of your organization see your brand instead of Sim's throughout the workspace.
@@ -13,6 +11,8 @@ Whitelabeling lets you replace Sim's default branding — logo, colors, and supp
 
 ## Setup
 
+Organization owners and admins on an Enterprise-entitled workspace can configure whitelabeling.
+
 ### 1. Open Whitelabeling settings
 
 Go to **Settings → Enterprise → Whitelabeling** in your workspace.
@@ -65,30 +65,7 @@ Whitelabeling replaces the following visual elements:
 - **Primary and accent colors** — applied to buttons, active states, and highlights
 - **Support and legal links** — help prompts and footer links point to your URLs
 
-<Callout type="info">
-  Whitelabeling applies only to members of your organization. Public-facing pages (login, marketing) are not affected.
-</Callout>
-
----
-
-<FAQ items={[
-  {
-    question: "Who can configure whitelabeling?",
-    answer: "Organization owners and admins can configure whitelabeling. On Sim Cloud, you must be on the Enterprise plan."
-  },
-  {
-    question: "What image formats are supported?",
-    answer: "PNG, JPEG, SVG, and WebP. Maximum file size is 5 MB for both the logo and wordmark."
-  },
-  {
-    question: "What is the difference between the logo and the wordmark?",
-    answer: "The logo is a square image shown in the collapsed sidebar. The wordmark is a wide image shown in the expanded sidebar alongside member names and navigation items."
-  },
-  {
-    question: "Do members outside my organization see the custom branding?",
-    answer: "No. Custom branding is scoped to your organization. Members see your branding when signed in to your organization's workspace."
-  }
-]} />
+Whitelabeling applies only to members of your organization. Public-facing pages (login, marketing) are not affected.
 
 ---
 

From 6064fd546adf4f62abfdb72fc4bde5b9b28041b3 Mon Sep 17 00:00:00 2001
From: Waleed Latif <walif6@gmail.com>
Date: Tue, 21 Apr 2026 21:17:24 -0700
Subject: [PATCH 5/5] improvement(docs): restore FAQs and genuine-gotcha
 callouts

---
 .../docs/en/enterprise/access-control.mdx     |  7 +++++-
 .../docs/content/docs/en/enterprise/index.mdx | 10 ++++++++
 apps/docs/content/docs/en/enterprise/sso.mdx  |  6 ++++-
 .../docs/en/enterprise/whitelabeling.mdx      | 24 +++++++++++++++++--
 4 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/apps/docs/content/docs/en/enterprise/access-control.mdx b/apps/docs/content/docs/en/enterprise/access-control.mdx
index 500cb61771..0034a296ae 100644
--- a/apps/docs/content/docs/en/enterprise/access-control.mdx
+++ b/apps/docs/content/docs/en/enterprise/access-control.mdx
@@ -3,6 +3,7 @@ title: Access Control
 description: Restrict which models, blocks, and platform features each group of users can access
 ---
 
+import { Callout } from 'fumadocs-ui/components/callout'
 import { FAQ } from '@/components/ui/faq'
 import { Image } from '@/components/ui/image'
 
@@ -53,7 +54,11 @@ Controls which workflow blocks members can place and execute.
 <Image src="/static/enterprise/access-control-blocks.png" alt="Blocks tab showing Core Blocks (Agent, API, Condition, Function, Knowledge, etc.) and Tools (integrations like 1Password, A2A, Ahrefs, Airtable, and more) with checkboxes to allow or restrict each" width={900} height={500} /> Blocks are split into two sections: **Core Blocks** (Agent, API, Condition, Function, etc.) and **Tools** (all integration blocks).
 
 - **All checked (default):** All blocks are allowed.
-- **Subset checked:** Only the selected blocks are allowed. Workflows that already contain a disallowed block will fail when run — they are not automatically modified. The `start_trigger` block (the entry point of every workflow) is always allowed and cannot be restricted.
+- **Subset checked:** Only the selected blocks are allowed. Workflows that already contain a disallowed block will fail when run — they are not automatically modified.
+
+<Callout type="info">
+  The `start_trigger` block (the entry point of every workflow) is always allowed and cannot be restricted.
+</Callout>
 
 #### Platform
 
diff --git a/apps/docs/content/docs/en/enterprise/index.mdx b/apps/docs/content/docs/en/enterprise/index.mdx
index 45e596c399..1c01d7872f 100644
--- a/apps/docs/content/docs/en/enterprise/index.mdx
+++ b/apps/docs/content/docs/en/enterprise/index.mdx
@@ -3,6 +3,8 @@ title: Enterprise
 description: Enterprise features for business organizations
 ---
 
+import { FAQ } from '@/components/ui/faq'
+
 Sim Enterprise provides advanced features for organizations with enhanced security, compliance, and management requirements.
 
 ---
@@ -55,6 +57,14 @@ Configure how long execution logs, soft-deleted resources, and Mothership data a
 
 ---
 
+<FAQ items={[
+  { question: "Who can manage Enterprise features?", answer: "Workspace admins on an Enterprise-entitled workspace. Access Control, SSO, whitelabeling, audit logs, and data retention are all configured per workspace under Settings → Enterprise." },
+  { question: "Which SSO providers are supported?", answer: "Sim supports SAML 2.0 and OIDC, which works with virtually any enterprise identity provider including Okta, Azure AD (Entra ID), Google Workspace, ADFS, and OneLogin." },
+  { question: "How do access control permission groups work?", answer: "Permission groups are created per workspace and let you restrict which AI providers, workflow blocks, and platform features are available to specific members of that workspace. Each user can belong to at most one group per workspace. Users not assigned to any group have full access. Restrictions are enforced at both the UI level and at execution time based on the workflow's workspace." },
+]} />
+
+---
+
 ## Self-hosted setup
 
 Self-hosted deployments enable enterprise features via environment variables instead of billing.
diff --git a/apps/docs/content/docs/en/enterprise/sso.mdx b/apps/docs/content/docs/en/enterprise/sso.mdx
index a85f5b598c..ca04c0b918 100644
--- a/apps/docs/content/docs/en/enterprise/sso.mdx
+++ b/apps/docs/content/docs/en/enterprise/sso.mdx
@@ -219,7 +219,11 @@ Once SSO is configured, users with your domain (`company.com`) can sign in throu
 4. After authenticating, they are returned to Sim and added to your organization automatically
 5. They land in the workspace
 
-Users who sign in via SSO for the first time are automatically provisioned and added to your organization — no manual invite required. Password-based login remains available; forcing all organization members to use SSO exclusively is not yet supported.
+Users who sign in via SSO for the first time are automatically provisioned and added to your organization — no manual invite required.
+
+<Callout type="info">
+  Password-based login remains available. Forcing all organization members to use SSO exclusively is not yet supported.
+</Callout>
 
 ---
 
diff --git a/apps/docs/content/docs/en/enterprise/whitelabeling.mdx b/apps/docs/content/docs/en/enterprise/whitelabeling.mdx
index ef19be0557..fdaceff7be 100644
--- a/apps/docs/content/docs/en/enterprise/whitelabeling.mdx
+++ b/apps/docs/content/docs/en/enterprise/whitelabeling.mdx
@@ -3,6 +3,7 @@ title: Whitelabeling
 description: Replace Sim branding with your own logo, colors, and links
 ---
 
+import { FAQ } from '@/components/ui/faq'
 import { Image } from '@/components/ui/image'
 
 Whitelabeling lets you replace Sim's default branding — logo, colors, and support links — with your own. Members of your organization see your brand instead of Sim's throughout the workspace.
@@ -11,8 +12,6 @@ Whitelabeling lets you replace Sim's default branding — logo, colors, and supp
 
 ## Setup
 
-Organization owners and admins on an Enterprise-entitled workspace can configure whitelabeling.
-
 ### 1. Open Whitelabeling settings
 
 Go to **Settings → Enterprise → Whitelabeling** in your workspace.
@@ -69,6 +68,27 @@ Whitelabeling applies only to members of your organization. Public-facing pages
 
 ---
 
+<FAQ items={[
+  {
+    question: "Who can configure whitelabeling?",
+    answer: "Organization owners and admins can configure whitelabeling. On Sim Cloud, you must be on the Enterprise plan."
+  },
+  {
+    question: "What image formats are supported?",
+    answer: "PNG, JPEG, SVG, and WebP. Maximum file size is 5 MB for both the logo and wordmark."
+  },
+  {
+    question: "What is the difference between the logo and the wordmark?",
+    answer: "The logo is a square image shown in the collapsed sidebar. The wordmark is a wide image shown in the expanded sidebar alongside member names and navigation items."
+  },
+  {
+    question: "Do members outside my organization see the custom branding?",
+    answer: "No. Custom branding is scoped to your organization. Members see your branding when signed in to your organization's workspace."
+  }
+]} />
+
+---
+
 ## Self-hosted setup
 
 Self-hosted deployments use environment variables instead of the billing/plan check.