The platform exposes a fixed set of feature toggles. Each toggle
controls one capability — a sidebar entry, an authentication
mechanism, an integration surface. Operators set the toggle in the
deployment’s license; the dashboard and the runtime API respect it.
This page is the operator-side reference. The user-side equivalent
(“which sidebar entry is missing and why”) lives at
Cloud → Feature availability.
How features are evaluated
Two values matter for every operation:
- License entitlement — every feature has a key that the
license either grants (true) or doesn’t. Unlisted keys are
treated as false (deny by default).
- Operation-to-feature mapping — each operation declares the
feature key it requires. Operations marked core are always
allowed.
When a request arrives, the platform checks the operation’s feature
requirement against the license. Denied requests return 403 with
a payload identifying the missing feature; the dashboard hides the
corresponding sidebar entry rather than rendering an empty shell.
Key namespaces
Feature and quota keys live in three namespaces. The same short key
name (for example max_agents) can appear in more than one
namespace, so always read a key together with its namespace.
| Namespace | Scope | Source on a self-host deployment |
|---|---|---|
| Global | The whole deployment | The signed license payload |
| Account | A single user | The license account block |
| Team | A single team | The license team block |
Global features
Deployment-wide capabilities, sourced from the signed license.
| Key | Controls | Symptom when off | Enterprise default |
|---|---|---|---|
| registration | Self-service sign-up. | The Sign up flow on the login screen is hidden; only invitees can sign in. | Off |
| oauth | Upstream OAuth sign-in (Google today; more providers in development). | The Continue with Google button is hidden from the login screen. | Off |
| email | Outbound email — verification, password reset, invitations. | No email is sent; admins activate accounts and pass invitations out-of-band. | Off |
| oidc_provider | Cyberun’s own OIDC issuer that external apps federate sign-in through. | External apps cannot federate sign-in through Cyberun. | Off |
| auto_team | Auto-creation of a personal team on first sign-in. | The user lands on an empty teams list after first sign-in. | Off |
| mcp_server | The web MCP endpoint that exposes the runtime API as MCP tools. | MCP-aware clients can’t connect; the Access → Integration description omits MCP. | On |
| notifications | In-app notifications for task outcomes. | The Notifications entry in the user menu is hidden. | On |
The five identity / self-service features (registration, oauth,
email, oidc_provider, auto_team) are the management
features — typically OFF in enterprise self-host templates,
because the operator provisions users out-of-band instead of through
self-service flows. mcp_server and notifications stay ON. SaaS
deployments turn everything on.
Account features
Per-user capabilities, sourced from the license account block.
| Key | Controls | Symptom when off | Enterprise default |
|---|---|---|---|
| manual_team_creation | A signed-in user creating a team themselves. | No option to create a team from the team switcher. | On |
| team_invitation_accept | A user accepting a team invitation. | Invited users cannot accept and join. | On |
Team features
Per-team capabilities, sourced from the license team block.
| Key | Controls | Symptom when off | Enterprise default |
|---|---|---|---|
| webhooks | Outbound HMAC-signed webhooks for task events. | The Webhooks sidebar entry is hidden. | On |
| snapshots | Versioned workflow snapshots and the History panel. | No snapshot history; saves overwrite the active version. | On |
| remote_access | Per-agent Terminal, Files, Desktop tabs (short-lived tunnel credential). | The three tabs are hidden from the agent detail page. | On |
| custom_models | Team-scoped custom model uploads. | The Models sidebar entry is hidden. | On |
| custom_nodes | Team-scoped custom ComfyUI node packages. | The Nodes sidebar entry is hidden. | On |
| container_service | Container services deployed to agents. | The Containers sidebar entry is hidden. | On |
| comfy_cloud | Comfy Cloud fallback compute. | The Cloud Providers sidebar entry is hidden. | On |
| nerfstudio | The Nerfstudio runtime and the 3D-reconstruction wizard. | No Nerfstudio option in the workflow create flow; agents won’t load it. | On |
| team_invitation_create | Inviting members to a team. | No Invite member button on the Members page. | On |
Quotas
The license also carries numeric quotas. -1 means unlimited, 0
means disabled (no further requests of that kind succeed), >0 is a
hard cap. Each quota lives in a namespace, exactly like a feature.
| Namespace | Key | What it caps | Enterprise default |
|---|---|---|---|
| Global | max_users | Total signed-up users across the deployment. | 50 |
| Global | max_teams | Total teams across the deployment. | 10 |
| Global | max_agents | Total connected agents across the deployment. | 20 |
| Global | max_concurrent_tasks | Tasks running at once across the deployment. | 10 |
| Account | max_owned_teams | Teams a single user can own. | Unlimited |
| Team | max_members | Members per team. | 25 |
| Team | max_workflows | Workflow templates per team. | 100 |
| Team | max_agents | Concurrent online agents per team. | 5 |
| Team | max_webhooks | Webhook endpoints per team. | 10 |
| Team | max_integration_credentials | Integration (sk-) keys per team. | 10 |
| Team | max_agent_credentials | Agent (ak-) keys per team. | 10 |
| Team | max_concurrent_tasks | Concurrent tasks per team. | 5 |
| Team | max_storage_bytes | Stored bytes per team (models, artifacts). | Unlimited |
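The quota semantics and the namespace collision on max_agents, as an added example (not Cyberun's code). The function names are hypothetical, and two behaviours are assumptions the page does not state: a missing or malformed quota denies, and a connecting agent must fit under both the Global and the Team cap.

```python
UNLIMITED = -1

# Constructed sample using enterprise defaults from the quota table.
QUOTAS = {
    ("global", "max_agents"): 20,
    ("team", "max_agents"): 5,
    ("team", "max_webhooks"): 10,
    ("account", "max_owned_teams"): UNLIMITED,
}

def quota_allows(quotas, namespace, key, current):
    """True if one more item fits under the (namespace, key) quota."""
    limit = quotas.get((namespace, key))
    if isinstance(limit, bool) or not isinstance(limit, int) or limit < UNLIMITED:
        return False        # assumption: missing or malformed quota denies
    if limit == UNLIMITED:
        return True
    return current < limit  # a limit of 0 never admits anything

def can_connect_agent(quotas, deployment_agents, team_agents):
    """Return (allowed, namespaces whose max_agents cap blocks the connection)."""
    # Assumption: a connecting agent must fit under both the Global and Team cap.
    usage = {"global": deployment_agents, "team": team_agents}
    blocked = [ns for ns, n in usage.items()
               if not quota_allows(quotas, ns, "max_agents", n)]
    return not blocked, blocked
```
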
License templates
Cyberun ships two recommended template profiles. Operators rarely
build a license from scratch; the templates are the starting point
and individual keys can be overridden per deployment.
- SaaS — every feature on, generous quotas. The shape Cyberun’s
own managed service uses.
- Enterprise self-host — the Global management features
(registration, oauth, email, oidc_provider, auto_team)
off, every other feature on, capacity quotas applied. The shape
most on-prem deployments take.
License generation, signing, and renewal are partner-channel
workflows today; reach out to get a
license issued for a planned deployment. Full self-service license
tooling is in development.
What happens when a feature expires
License validity is checked on a schedule. A request for a feature
that’s simply turned off returns 403 (above); but if the whole
license expires or is revoked, gated operations return 503
(service unavailable) instead. core operations (sign-in, list
teams, basic read paths) continue to work so administrators can
renew without locking themselves out.
Plan license renewal ahead of expiry. The platform does not have a
built-in grace period beyond the validity window — when the expiry
timestamp passes, gated features stop.
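The decision order described under "How features are evaluated" and in this section, as an added example (not Cyberun's code): core first, then license validity (503), then deny-by-default entitlement (403). The operation names, payload fields and the rule that an unmapped operation is denied are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

CORE = "core"  # operations marked core are always allowed

# Operation names are hypothetical; feature keys and namespaces are the page's.
OPERATION_FEATURE = {
    "auth.sign_in": CORE,
    "teams.list": CORE,
    "auth.sign_up": ("global", "registration"),
    "mcp.connect": ("global", "mcp_server"),
    "webhooks.create": ("team", "webhooks"),
}

@dataclass
class License:
    features: dict          # {(namespace, key): bool}; unlisted keys are False
    expires_at: datetime
    revoked: bool = False

# Constructed sample: enterprise-style license, management features unlisted.
SAMPLE = License(
    features={("global", "mcp_server"): True, ("team", "webhooks"): True},
    expires_at=datetime(2030, 1, 1, tzinfo=timezone.utc),
)

def authorize(lic, operation, now):
    """Return (http_status, payload) for one request."""
    required = OPERATION_FEATURE.get(operation)
    if required is None:
        # Assumption: an operation with no declared requirement is denied.
        return 403, {"error": "unmapped_operation", "operation": operation}
    if required == CORE:
        return 200, {}                      # core survives expiry and revocation
    if lic.revoked or now >= lic.expires_at:
        return 503, {"error": "license_unavailable"}
    namespace, key = required
    if lic.features.get(required) is not True:   # absent or non-boolean: deny
        return 403, {"error": "feature_disabled",
                     "namespace": namespace, "feature": key}
    return 200, {}
```

Comparing with `is not True` keeps a string such as "true" in a malformed license from granting a feature.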