
feat(ai-gateway): add organization auto model routing #4056

Open
pandemicsyn wants to merge 3 commits into main from florian/feat/org-defined-auto
pandemicsyn (Contributor) commented Jun 17, 2026

Summary

  • Adds kilo-auto/org, an Enterprise-only Organization Auto model that lets an organization choose which model should handle each Kilo mode.
  • Organization Auto stores routes in organizations.settings.org_auto_model:
    • If a request mode has an explicit route, Organization Auto uses that model.
    • If a request mode has no explicit route, Organization Auto uses the configured fallback model.
    • If a request uses an unknown/custom mode, Organization Auto also uses the fallback model unless that exact mode slug has a route.
    • Exact route slugs win first, so build uses routes.build before falling back to routes.code, and plan uses routes.plan before falling back to routes.architect.
  • Replaces the unshipped org-default-model-config mode-default rollout with the new organization-auto-model-routing PostHog toggle for canonical organization-wide routing.
  • Adds Enterprise-only enable/disable/fallback controls, canonical mode route configuration, route-aware mode lifecycle behavior, and exact route audit messages.
  • Removes the unshipped OrganizationModeConfig.defaultModel bridge and stores all routing only in organizations.settings.org_auto_model.
  • Adds organization-owned direct BYOK route support with credential ownership checks, direct-provider routing, zero Kilo hosted cost, and no fallback to OpenRouter/Vercel when credentials disappear.
  • Adds client-safe shared Organization Auto helpers so browser components do not import server-only DB/pg modules.

Verification

  • Manual browser verification was not performed in this session; local validation focused on targeted automated tests and API/build behavior.
  • Verified Organization Auto API behavior manually with /tmp/org-auto-api-log.sh against a local service, including modes/defaults/models and optional gateway requests.
  • Add any additional manual verification details here.

Visual Changes

Before | After
Providers & Models dialog without Organization Auto controls | Providers & Models dialog with Organization Auto enable/disable/fallback controls
Modes form with mode-local default model bridge | Modes form with canonical Organization Auto route selector and routed-mode lifecycle messaging
Routed mode cards without route status | Routed mode cards showing Organization Auto route badges and role-aware actions

Reviewer Notes

  • The feature is intentionally scoped to canonical org_auto_model settings, gateway resolution, BYOK ownership checks, route lifecycle consistency, and UI configuration.
  • Organization Auto UI/configuration writes are gated by the PostHog release toggle organization-auto-model-routing, replacing the old org-default-model-config toggle. Runtime routing remains data-driven for already-configured organizations, and disable remains available during rollback.
  • Stripe webhook/admin plan transitions intentionally do not clear the stored sentinel; catalog/default/runtime eligibility gates make dormant routes safe while preserving future re-enable behavior.
  • organization-auto-model-shared.ts exists specifically to keep client components from importing server-only DB/pg code.
  • Review route audit messages, BYOK fallback protection, and route-management authorization as the highest-risk areas.
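
The route-resolution order and the BYOK no-fallback behaviour described in the Summary above, as an added TypeScript example that is not code from this PR. The type shapes, `resolveOrgAuto`, the `byokProvider` field and the sample model and provider names are assumptions made for illustration.

```typescript
// Added illustration, not the PR's code: every type, field and function name is hypothetical.
type RouteTarget = { model: string; byokProvider?: string };
type OrgAutoModel = { fallback: RouteTarget; routes: Record<string, RouteTarget> };
type Resolution =
  | { ok: true; model: string; via: string; upstream: "hosted" | "direct-byok" }
  | { ok: false; reason: string };

// Alias pairs named in the PR summary: build -> code, plan -> architect.
const MODE_ALIASES: Record<string, string> = { build: "code", plan: "architect" };

// Own-property lookup only: the mode slug comes from the request, so "constructor"
// or "__proto__" must not resolve to something inherited from Object.prototype.
function own<T>(table: Record<string, T>, key: string | undefined): T | undefined {
  return key !== undefined && Object.prototype.hasOwnProperty.call(table, key)
    ? table[key]
    : undefined;
}

function resolveOrgAuto(
  cfg: OrgAutoModel,
  mode: string,
  orgByokProviders: ReadonlySet<string>, // providers this organization owns a credential for
): Resolution {
  const alias = own(MODE_ALIASES, mode);
  const exact = own(cfg.routes, mode);
  const aliased = exact ? undefined : own(cfg.routes, alias);
  const target = exact ?? aliased ?? cfg.fallback;
  const via = exact ? `routes.${mode}` : aliased ? `routes.${alias}` : "fallback";

  if (target.byokProvider === undefined) {
    return { ok: true, model: target.model, via, upstream: "hosted" };
  }
  // Fail closed: a BYOK route whose credential is gone is an error, never a silent
  // switch to the fallback model or to a hosted provider.
  if (!orgByokProviders.has(target.byokProvider)) {
    return { ok: false, reason: `${via}: no ${target.byokProvider} credential` };
  }
  return { ok: true, model: target.model, via, upstream: "direct-byok" };
}

// Constructed sample settings; model and provider names are placeholders.
const SAMPLE: OrgAutoModel = {
  fallback: { model: "example/general" },
  routes: {
    code: { model: "example/coder" },
    plan: { model: "example/planner" },
    architect: { model: "example/architect", byokProvider: "example-provider" },
  },
};
```

The `via` string is the kind of value a route audit message would record, so a reviewer can tell an exact route from an alias or fallback hit.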


const directByokTarget = await getDirectByokModel(rawModelId);
if (directByokTarget.provider && directByokTarget.model) {
const byok = await getBYOKforOrganization(db, organization.id, [directByokTarget.provider.id]);


WARNING: getBYOKforOrganization(db, ...) uses the module-level db instance instead of a transaction-aware connection.

When validateOrganizationAutoTarget is called inside a mutateOrganizationSettings callback (which runs within a FOR UPDATE transaction on the organizations row), the BYOK credential read at this line executes on a different database session, outside the transaction's isolation context. A concurrent BYOK credential modification by another request could yield a stale read between the transaction lock and the BYOK check.

Consider accepting an optional DrizzleTransaction parameter so that callers inside transactions can pass tx for consistency.


Reply with @kilocode-bot fix it to have Kilo Code address this issue.

kilo-code-bot (Bot, Contributor) commented Jun 17, 2026

Code Review Summary

Status: 1 Issue Found | Recommendation: Address before merge

Executive Summary

validateOrganizationAutoTarget reads BYOK credentials outside the mutateOrganizationSettings transaction isolation context, creating a narrow consistency gap during Organization Auto route configuration.

Overview

Severity | Count
CRITICAL | 0
WARNING | 1
SUGGESTION | 0

Issue Details

WARNING

File | Line | Issue
apps/web/src/lib/organizations/organization-auto-model.ts | 85 | getBYOKforOrganization(db, ...) uses global db inside transaction callbacks, bypassing isolation

Files Reviewed (41 files)
  • apps/web/src/app/(app)/organizations/[id]/custom-modes/page.tsx
  • apps/web/src/app/api/openrouter/[...path]/route.test.ts
  • apps/web/src/app/api/openrouter/[...path]/route.ts
  • apps/web/src/app/api/organizations/[id]/defaults/route.test.ts
  • apps/web/src/app/api/organizations/[id]/defaults/route.ts
  • apps/web/src/app/api/organizations/[id]/modes/route.test.ts
  • apps/web/src/app/api/organizations/[id]/modes/route.ts
  • apps/web/src/app/api/organizations/hooks.ts
  • apps/web/src/components/models/CondensedProviderAndModelsList.tsx
  • apps/web/src/components/organizations/OrganizationDashboard.tsx
  • apps/web/src/components/organizations/OrganizationProvidersAndModelsConfigurationCard.tsx
  • apps/web/src/components/organizations/custom-modes/CustomModesLayout.tsx
  • apps/web/src/components/organizations/custom-modes/EditModeForm.test.ts
  • apps/web/src/components/organizations/custom-modes/EditModeForm.tsx
  • apps/web/src/components/organizations/custom-modes/ModeForm.tsx
  • apps/web/src/components/organizations/custom-modes/NewModeForm.tsx
  • apps/web/src/components/organizations/providers-and-models/DefaultModelDialog.tsx
  • apps/web/src/components/organizations/providers-and-models/ModelsTab.tsx
  • apps/web/src/components/organizations/providers-and-models/OrganizationProvidersAndModelsPage.tsx
  • apps/web/src/components/organizations/providers-and-models/ProvidersTab.tsx
  • apps/web/src/lib/ai-gateway/auto-model/index.ts
  • apps/web/src/lib/ai-gateway/auto-model/resolution.test.ts
  • apps/web/src/lib/ai-gateway/auto-model/resolution.ts
  • apps/web/src/lib/ai-gateway/llm-proxy-helpers.ts
  • apps/web/src/lib/ai-gateway/providers/openrouter/index.ts
  • apps/web/src/lib/organizations/organization-auto-model-shared.ts
  • apps/web/src/lib/organizations/organization-auto-model.ts - 1 issue
  • apps/web/src/lib/organizations/organization-base-types.ts
  • apps/web/src/lib/organizations/organization-models.ts
  • apps/web/src/lib/organizations/organization-modes.test.ts
  • apps/web/src/lib/organizations/organization-modes.ts
  • apps/web/src/lib/organizations/organization-seats.ts
  • apps/web/src/lib/organizations/organization-types.ts
  • apps/web/src/lib/organizations/organizations.ts
  • apps/web/src/lib/proxy-error-types.ts
  • apps/web/src/routers/organizations/organization-modes-router.test.ts
  • apps/web/src/routers/organizations/organization-modes-router.ts
  • apps/web/src/routers/organizations/organization-settings-router.test.ts
  • apps/web/src/routers/organizations/organization-settings-router.ts
  • packages/db/src/schema-types.test.ts
  • packages/db/src/schema-types.ts



Reviewed by deepseek-v4-pro-20260423 · 1,742,068 tokens

Review guidance: REVIEW.md from base branch main
