[docs] Update documentation for features from 2026-06-11

docs/src/content/docs/reference/cost-management.md

@@ -269,6 +269,13 @@ When the budget is approached, gh-aw emits steering warnings before
 the run reaches the limit. Set a negative value only when budget
 enforcement must be disabled explicitly.
 
+> [!NOTE]
+> Threat-detection runs have their own AI Credits cap, separate
+> from the main agent budget. See
+> [Threat Detection → Detection Budget](/gh-aw/reference/threat-detection/#detection-budget)
+> for `safe-outputs.threat-detection.max-ai-credits` (defaults to
+> `400`, overridable via `GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS`).
+
 ### Cap Turns per Run
 
 Use the top-level `max-turns` frontmatter field to cap the number

docs/src/content/docs/reference/threat-detection.md

@@ -95,6 +95,28 @@ safe-outputs:
 | `runs-on` | string/array/object | Runner for the detection job (default: inherits from workflow `runs-on`) |
 | `steps` | array | Additional GitHub Actions steps to run **before** AI analysis (pre-steps) |
 | `post-steps` | array | Additional GitHub Actions steps to run **after** AI analysis (post-steps) |
+| `max-ai-credits` | integer | AI Credits cap for the detection run, independent of the main agent budget. Defaults to `400` when unset, with runtime override via `vars.GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS`. Accepts plain integers; `-1` disables the detection budget. |
+
+## Detection Budget
+
+Threat-detection runs have their own AI Credits budget, separate from the main agent's `max-ai-credits`. Detection does **not** inherit the main agent's budget — both caps apply independently to their respective jobs.
+
+Set `safe-outputs.threat-detection.max-ai-credits` to override the per-run detection budget:
+
+```yaml wrap
+safe-outputs:
+  create-pull-request:
+  threat-detection:
+    max-ai-credits: 750
+```
+
+When unset, the compiler emits a runtime resolution that falls back to the built-in default of `400`:
+
+```yaml
+${{ vars.GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS || '400' }}
+```
+
+Set the org-wide default with the [`GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS`](/gh-aw/reference/compiler-enterprise-environment-controls/) GitHub Actions variable. A value of `-1` disables AWF budget steering for detection runs.
 
 ## AI-Based Detection (Default)
 

docs/src/content/docs/setup/cli.md

@@ -161,6 +161,8 @@ gh aw add-wizard githubnext/agentics/ci-doctor --skip-secret  # Skip secret prom
 
 **Options:** `--skip-secret`, `--dir/-d`, `--engine/-e`, `--no-gitattributes`, `--no-stop-after`, `--stop-after`
 
+When the Copilot engine is selected, the wizard prompts the user to choose an authentication method: organization billing via [`permissions.copilot-requests: write`](/gh-aw/reference/auth/#copilot-requests-write-permission) (no PAT required), or a [`COPILOT_GITHUB_TOKEN`](/gh-aw/reference/auth/#copilot_github_token) personal access token. Selecting org billing injects the `copilot-requests: write` permission into the workflow frontmatter and skips the API key secret prompt.
+
 #### `add`
 
 Add workflows from The Agentics collection or other repositories to `.github/workflows`. For remote workflows, this command follows frontmatter [`redirect`](/gh-aw/reference/frontmatter/#redirect-redirect) declarations before installation.