Pricing, entitlements and credits
Today every AgencyCore org gets the whole platform, and there is no way to sell a smaller package, charge for how much AI work an org runs, or cap how many people use it. The business has decided to sell the platform in tiers instead - CRM only, agents only, a single agent, and network access - with individual apps to be sold separately later, a pool of usage credits in every plan, and support for multiple users per org. This page walks through what was decided, what already exists in the code, and how the new model works, then ends with the questions still open for the team to settle.
The plan in one view
the decisionToday an org either has AgencyCore or it does not: there is no switch to turn on the CRM but not the agents, no meter on how much AI work it runs, and no cap on how many people it seats. Selling tiers means adding all three, and the model keeps them as three independent mechanisms so each stays simple. An entitlement is a per-org on/off switch for one module - can this org use the CRM at all? A credit is the single currency every AI and agent action spends, drawn from a balance that refills each billing period. A numeric limit is a plain plan-set quota, such as the seat count or the daily email volume. Keeping them separate is what lets a plan mix and match modules, a credit stay one currency, and a limit stay a plain number. This page covers the mechanism, not the final price list.
Twelve decisions settle the shape of the model. Grouped into three themes below, each one states the call that was made and why; the sections that follow expand the reasoning, and the linked Linear document holds the full detail.
Where we are today
auditSome of this already exists. A first billing integration shipped recently: during onboarding the org's card is captured, and an admin triggers the first charge by hand, since there is no self-serve checkout. That work also added a catalogue of plans and a subscription state machine to the database. What it does not do is gate any module or meter usage, and that is what this initiative adds. Four facts from the codebase set the starting line.
The billing integration has a final phase still being finished - letting an admin activate a subscription and handling the Stripe lifecycle webhooks. It rewrites the same admin subscription screens this work builds on, so this initiative waits for it to merge rather than colliding with it.
How gating works
interactiveGating is built from three pieces. An entitlement key is a neutral slug for one module (crm, sonar, envoy, and so on); it deliberately does not say whether that module is an app, an agent, or a core feature, so a module can move between runtimes without touching any plan. A plan template is the set of keys a plan turns on. A grant is a per-org exception row that adds a key the plan lacks, removes one it has, or trials one with an expiry date. A resolver service combines the plan template with the org's grants into a single resolved snapshot of which modules the org can use, caches it in Redis, and rebuilds it whenever a plan or grant changes.
crmContacts, companies, pipeline, tasks, lists, inboxCRM routers, CRM routes, sidebarsonarSonar agent appApp install layer, workflow run startheadhunterHeadhunter agent appApp install layer, workflow run startenvoyEnvoy agent appApp install layer, Envoy routers, workflow run startnetworkReferral marketplace (post plus browse and claim), news, Slack invitesNetwork routers and routesanalyticsAnalytics dashboardsAnalytics router and routeasset_libraryDocuments, playbooks, battlecardsPlaybooks and battlecards routers, asset routesbase platformSettings, profiles, notifications, onboarding, terms, data layernever gatedThat snapshot has to be checked everywhere a change can be written, not only at the API routes, because background jobs and the workflow engine write data without going through a route. Enforcement therefore lives at the four points below, all in the API and frontend layers; pushing entitlement checks down into database row-level security is deliberately left out of the first version.
Try it below. Pick a base plan, then click the entitlement chips to add modules as grants, or pick one module to trial. The resolved snapshot on the right shows exactly which modules the org ends up with and where each one came from. Cross-module actions - an action in one module that reaches into another, such as adding a person to the CRM from an agent app - check the target module's key, so the list of what is allowed flips live as you add and remove access.
crmcrmenvoynetworknetworkcrm + crHow credits work
try itA credit is the single balance an org spends on AI and agent work, and it refills each billing period. Work is priced per metered action - a named user action with a fixed credit price, such as running Sonar once or enriching one company - not per underlying API call, so the price does not swing with how many calls a feature happens to make. The list of metered actions is a registry in code, so a typo cannot quietly meter nothing, and the prices sit in a table an admin can tune without a deploy. Each action checks the balance before it runs: at roughly 80 percent used the org gets a warning through the notification system, at 100 percent credit-spending actions stop, viewing data the org already has is never blocked, and an admin can sell a top-up pack to add more. Spend some credits below.
Limits, trials and lapse
guardrailsThree more rules sit beside the module switches, all read from the same resolved snapshot. Numeric limits cap how much an org can do, trials open a module for a fixed window, and lapse - what happens when a plan stops being paid for or is downgraded - decides what an org can still do once its access is pulled.
A seat cap per plan, enforced when a member is added. A daily email send cap that scales with the tier and applies to every plan, because one compromised org sending spam damages sending reputation for everyone. A global spacing rule on outgoing mail is deliverability hygiene, not something a customer can buy more of.
A trial is just a grant row marked as a trial with an expiry date, the same kind of row the composer above toggles. It unlocks the module like any other grant, so every enforcement point already handles it with no special case. The trialed module shows a countdown, and a scheduled job removes the grant when it expires.
When a plan lapses or downgrades, the affected modules go read-only: existing data stays visible, but writes and credit-spending actions stop, and any running sequences or schedules pause cleanly rather than erroring. A fully lapsed subscription drops every module to read-only no matter which keys the plan held.
Rollout and delivery
shipNo existing customer loses anything at launch. A one-time migration puts every current org on the Everything plan at the price it already pays - the grandfathering step - and any repricing is a later sales conversation. Enforcement then switches on in the deliberate order below: it ships dark first, meaning the resolver runs and works out what each org should have but blocks nothing, so it can be checked against reality before it can lock anyone out. The build splits into two tickets because the halves are independent. One builds the gating layer - plans, grants, the resolver, and enforcement. The other builds the usage and credits layer - metering, the ledger, and email caps - and its metering phase does not depend on the first ticket, so it can start in parallel.
The plan template schema, the grants table, the resolver and its snapshot cache, an extended subscription endpoint, and the admin UI for composing plans and managing grants.
The require_feature dependency and its service-layer twin, registered on every router; agent run-start checks; the frontend guard, nav hiding, and locked states; cross-module action checks; entitlement-driven app install; read-only lapse; and the seats-and-limits framework.
Trial grants with their expiry sweep and UI; the grandfathering migration; dark-launch verification; and the staged switch-on.
Usage metering for the providers that lack it (Hunter, Explorium, FullEnrich, Nylas sends, managed-agent runs), plus an org-facing usage endpoint and a customer usage page.
The registry of metered actions, the price table with admin editing, the ledger and per-period balances, the pre-flight balance check, and the warnings sent through notifications.
Per-plan daily send caps, the outgoing-mail spacing rule, top-up packs, and admin worklists for watching usage.
- Full per-feature role-based permissions, custom roles, and an audit log UI
- Self-serve plan purchase, upgrade checkout, and a public pricing page
- Per-seat pricing in Stripe with proration
- Metered billing through Stripe and automatic overage invoicing
- The marketplace product itself (the browse-and-install experience)
- Invitations and self-serve team management
Discussion points
open itemsThis page exists to drive a planning conversation. Everything below is still open - a decision to make, not a design already settled. Each item is a question with enough context to take a side; come with a position on each.
Who owns each ticket, and when does this run?
The gating ticket and the credits ticket each need an owner, and the work has to be slotted against the agent runtime migration already underway. The credits ticket metering phase is the natural piece to run in parallel, since it does not depend on the gating layer.
What happens to the existing entitlements-and-roles ticket?
A backlog ticket already covers both entitlements and role-based access. This spec replaces its entitlements half. The proposal is to re-scope that ticket down to just the deferred role work (role hierarchy, permission primitives, UI guards, audit log) rather than close it. Agree?
Is this the right list of modules?
The proposed paid modules include analytics and the asset library, while the underlying data layer stays free for every org. Does that match where those features are heading?
Is this the right starting set of metered actions, and which are free?
The registry prices a handful of actions (Sonar and Headhunter runs, enrichment, agent runs, email drafts). We need to agree that initial list and which actions launch priced versus free; email sends, for instance, are priced at zero today.
How should credits be priced, and how big should each allowance be?
Prices need a margin approach applied to the real cost data the usage rollup will collect, and each plan needs a sensible monthly credit allowance. Both are placeholder numbers on this page.
When does the marketplace split into apps versus agents, and does any of it land here?
The neutral slugs are designed so a module can later move between the app and agent runtimes. The open question is timing: whether any marketplace install surface ships with this work or strictly after it.
Will the launch check every org before enforcement turns on?
Before enforcement is enabled, the dark-launch verification has to confirm every existing org resolves to the access it should have, including comped and demo orgs that are easy to miss. Confirm that sweep is in scope.