fix(gateway): persist provider-funded route billing decision

apps/web/src/app/api/dev/consume-credits/route.ts

@@ -89,6 +89,7 @@ export async function POST(request: NextRequest): Promise<NextResponse> {
       editor_name: null,
       machine_id: null,
       user_byok: false,
+      is_free: false,
       has_tools: false,
       feature: null,
       session_id: null,

apps/web/src/app/api/fim/completions/route.ts

@@ -158,6 +158,7 @@ export async function POST(request: NextRequest) {
   const userByok = organizationId
     ? await getBYOKforOrganization(readDb, organizationId, [byokProviderKey])
     : await getBYOKforUser(readDb, user.id, [byokProviderKey]);
+  const isFreeRequest = await isFreeModel(requestBody.model);
 
   const usageContext: MicrodollarUsageContext = {
     api_kind: 'fim_completions',
@@ -177,6 +178,7 @@ export async function POST(request: NextRequest) {
     editor_name: extractHeaderAndLimitLength(request, 'x-kilocode-editorname'),
     machine_id: extractHeaderAndLimitLength(request, 'x-kilocode-machineid'),
     user_byok: !!userByok,
+    is_free: isFreeRequest,
     has_tools: false,
     feature: validateFeatureHeader(request.headers.get(FEATURE_HEADER)),
     session_id: taskId ?? null,
@@ -190,7 +192,7 @@ export async function POST(request: NextRequest) {
   // slight replication lag, and provides lower latency for US users
   const { balance, settings, plan } = await getBalanceAndOrgSettings(organizationId, user, readDb);
 
-  if (balance <= 0 && !(await isFreeModel(requestBody.model)) && !userByok) {
+  if (balance <= 0 && !isFreeRequest && !userByok) {
     return NextResponse.json(
       {
         error: { message: 'Insufficient credits' },

apps/web/src/app/api/openrouter/[...path]/route.ts

@@ -104,6 +104,19 @@ const MAX_TOKENS_LIMIT = 99999999999; // GPT4.1 default is ~32k
 const PAID_MODEL_AUTH_REQUIRED = 'PAID_MODEL_AUTH_REQUIRED';
 const PROMOTION_MODEL_LIMIT_REACHED = 'PROMOTION_MODEL_LIMIT_REACHED';
 
+function paidModelAuthRequiredResponse() {
+  return NextResponse.json(
+    {
+      error: {
+        code: PAID_MODEL_AUTH_REQUIRED,
+        message: 'You need to sign in to use this model.',
+      },
+      error_type: ProxyErrorType.paid_model_auth_required,
+    },
+    { status: 401 }
+  );
+}
+
 function validatePath(
   url: URL
 ):
@@ -274,14 +287,19 @@ export async function POST(request: NextRequest): Promise<NextResponseType<unkno
     );
   }
 
+  const [isExperimentCandidate, isIntrinsicallyFreeModel] = await Promise.all([
+    isPublicIdExperimented(originalModelIdLowerCased),
+    isFreeModel(originalModelIdLowerCased),
+  ]);
+
   // For FREE models: check rate limit, log at start.
   // Server-side products (cloud-agent, code-review, app-builder) rate-limit
   // per user when the request comes from Cloudflare IPs (Kilo infrastructure).
   // All other products rate-limit per IP (fast pre-auth path).
   const isRateLimitedFreeModelRequest =
     isKiloExclusiveFreeModel(originalModelIdLowerCased) ||
     autoModel === KILO_AUTO_FREE_MODEL.id ||
-    (await isPublicIdExperimented(originalModelIdLowerCased));
+    isExperimentCandidate;
   if (isRateLimitedFreeModelRequest) {
     const rateLimit = await resolveRateLimit(feature, ipAddress, authPromise);
     if (rateLimit instanceof NextResponse) return rateLimit;
@@ -319,19 +337,10 @@ export async function POST(request: NextRequest): Promise<NextResponseType<unkno
   let tokenSource: string | undefined = authTokenSource;
 
   if (authFailedResponse) {
-    // No valid auth
-    if (!(await isFreeModel(originalModelIdLowerCased))) {
-      // Paid model requires authentication
-      return NextResponse.json(
-        {
-          error: {
-            code: PAID_MODEL_AUTH_REQUIRED,
-            message: 'You need to sign in to use this model.',
-          },
-          error_type: ProxyErrorType.paid_model_auth_required,
-        },
-        { status: 401 }
-      );
+    // A potential experiment request must reach provider selection before we
+    // know whether this specific request is provider-funded.
+    if (!isIntrinsicallyFreeModel && !isExperimentCandidate) {
+      return paidModelAuthRequiredResponse();
     }
 
     const promotionLimit = await checkPromotionLimit(ipAddress);
@@ -358,7 +367,8 @@ export async function POST(request: NextRequest): Promise<NextResponseType<unkno
       );
     }
 
-    // Anonymous access for free model (already rate-limited above)
+    // Anonymous access for a possibly free request; provider selection below
+    // rejects stale experiment membership before any paid fallback is sent.
     user = createAnonymousContext(ipAddress);
     organizationId = undefined;
     botId = undefined;
@@ -374,15 +384,6 @@ export async function POST(request: NextRequest): Promise<NextResponseType<unkno
     return storeAndPreviousResponseIdIsNotSupported();
   }
 
-  // Log to free_model_usage for rate limiting (at request start, before processing)
-  if (isRateLimitedFreeModelRequest) {
-    await logFreeModelRequest(
-      ipAddress,
-      originalModelIdLowerCased,
-      isAnonymousContext(user) ? undefined : user.id
-    );
-  }
-
   // Use new shared helper for fraud & project headers
   const { fraudHeaders, projectId } = extractFraudAndProjectHeaders(request);
   const providerResult = await getProvider({
@@ -410,6 +411,22 @@ export async function POST(request: NextRequest): Promise<NextResponseType<unkno
     skipKiloExclusiveModelSettings,
     experiment,
   } = providerResult;
+  const providerFunded = experiment !== undefined;
+  const isFreeRequest = isIntrinsicallyFreeModel || providerFunded;
+
+  // A stale experiment-membership hit can allow an anonymous request as far as
+  // provider selection. It does not make ordinary fallback routing free.
+  if (isAnonymousContext(user) && !isFreeRequest) {
+    return paidModelAuthRequiredResponse();
+  }
+
+  if (isRateLimitedFreeModelRequest) {
+    await logFreeModelRequest(
+      ipAddress,
+      originalModelIdLowerCased,
+      isAnonymousContext(user) ? undefined : user.id
+    );
+  }
 
   // Request-level data-collection opt-out: a caller can set
   // `provider.data_collection: 'deny'` or `provider.zdr: true` on any
@@ -482,6 +499,7 @@ export async function POST(request: NextRequest): Promise<NextResponseType<unkno
     editor_name: extractHeaderAndLimitLength(request, 'x-kilocode-editorname'),
     machine_id: machineIdHeader,
     user_byok: !!userByok,
+    is_free: isFreeRequest,
     has_tools: (requestBodyParsed.body.tools?.length ?? 0) > 0,
     botId,
     tokenSource,
@@ -499,7 +517,7 @@ export async function POST(request: NextRequest): Promise<NextResponseType<unkno
   if (!isAnonymousContext(user) && !bypassAccessCheck) {
     const { balance, settings, plan } = await balanceAndSettingsPromise;
 
-    if (balance <= 0 && !(await isFreeModel(originalModelIdLowerCased)) && !userByok) {
+    if (balance <= 0 && !isFreeRequest && !userByok) {
       return await usageLimitExceededResponse(user, balance);
     }
 
@@ -540,8 +558,6 @@ export async function POST(request: NextRequest): Promise<NextResponseType<unkno
   if (experiment) {
     usageContext.modelExperimentVariantVersionId = experiment.variantVersionId;
     usageContext.modelExperimentAllocationSubject = experiment.allocationSubject;
-    // Cost zeroing for experiment traffic is handled by `isFreeModel`, which
-    // returns true for experimented public ids.
   }
 
   sentryRootSpan()?.setAttribute(

apps/web/src/app/api/openrouter/audio/transcriptions/route.ts

@@ -155,6 +155,7 @@ export async function POST(request: NextRequest): Promise<NextResponseType<unkno
     editor_name: extractHeaderAndLimitLength(request, 'x-kilocode-editorname'),
     machine_id: extractHeaderAndLimitLength(request, 'x-kilocode-machineid'),
     user_byok: !!userByok,
+    is_free: false,
     has_tools: false,
     botId,
     tokenSource,

apps/web/src/app/api/openrouter/embeddings/route.ts

@@ -102,6 +102,7 @@ export async function POST(request: NextRequest): Promise<NextResponseType<unkno
 
   const requestedModel = requestBodyParsed.model.trim();
   const requestedModelLowerCased = requestedModel.toLowerCase();
+  const isFreeRequest = await isFreeModel(requestedModelLowerCased);
 
   // Extract IP for all requests (needed for free model rate limiting)
   const ipAddress = request.headers.get('x-forwarded-for')?.split(',')[0]?.trim();
@@ -132,7 +133,7 @@ export async function POST(request: NextRequest): Promise<NextResponseType<unkno
   const tokenSource: string | undefined = authTokenSource;
 
   if (authFailedResponse) {
-    if (!(await isFreeModel(requestedModelLowerCased))) {
+    if (!isFreeRequest) {
       return NextResponse.json(
         {
           error: {
@@ -183,6 +184,7 @@ export async function POST(request: NextRequest): Promise<NextResponseType<unkno
     editor_name: extractHeaderAndLimitLength(request, 'x-kilocode-editorname'),
     machine_id: extractHeaderAndLimitLength(request, 'x-kilocode-machineid'),
     user_byok: !!userByok,
+    is_free: isFreeRequest,
     has_tools: false,
     botId,
     tokenSource,
@@ -199,7 +201,7 @@ export async function POST(request: NextRequest): Promise<NextResponseType<unkno
   if (!isAnonymousContext(user)) {
     const { balance, settings, plan } = await getBalanceAndOrgSettings(organizationId, user);
 
-    if (balance <= 0 && !(await isFreeModel(requestedModelLowerCased)) && !userByok) {
+    if (balance <= 0 && !isFreeRequest && !userByok) {
       return await usageLimitExceededResponse(user, balance);
     }
 

apps/web/src/lib/ai-gateway/is-free-model.ts

@@ -1,24 +1,18 @@
 import { KILO_AUTO_FREE_MODEL } from '@/lib/ai-gateway/auto-model';
 import { isKiloExclusiveFreeModel, isOpenRouterStealthModel } from '@/lib/ai-gateway/models';
-import { isPublicIdExperimented } from '@/lib/ai-gateway/experiments/membership';
 
 /**
- * Returns true if `model` should be treated as free for the requesting user
- * this request — including dedicated experimented public ids, which are
- * partner/Kilo-funded for v1.
- *
- * Server-only: consults a Redis-backed membership set for experiment routing.
- * Lives outside `models.ts` so client bundles importing the model-id
- * constants (`PRIMARY_DEFAULT_MODEL`, `preferredModels`, …) from `models.ts`
- * don't transitively pull in the Redis client.
+ * Returns true when `model` is intrinsically free. Request-specific funding,
+ * such as a selected provider-funded experiment variant, is recorded on the
+ * usage context after routing and must not be inferred from mutable model
+ * membership.
  */
 export async function isFreeModel(model: string): Promise<boolean> {
   return (
     isKiloExclusiveFreeModel(model) ||
     model === KILO_AUTO_FREE_MODEL.id ||
     (model ?? '').endsWith(':free') ||
     model === 'openrouter/free' ||
-    isOpenRouterStealthModel(model ?? '') ||
-    (await isPublicIdExperimented(model ?? ''))
+    isOpenRouterStealthModel(model ?? '')
   );
 }

apps/web/src/lib/ai-gateway/models.test.ts

@@ -114,6 +114,7 @@ describe('isFreeModel', () => {
       expect(await isFreeModel('claude-3.7-sonnet')).toBe(false);
       expect(await isFreeModel('anthropic/claude-sonnet-4')).toBe(false);
       expect(await isFreeModel('google/gemini-2.5-pro')).toBe(false);
+      expect(await isFreeModel('preview/provider-funded-model')).toBe(false);
     });
 
     test('should return false for models with "free" in the middle', async () => {

apps/web/src/lib/ai-gateway/processUsage.test.ts

@@ -8,6 +8,7 @@ import {
   mapToUsageStats,
   logMicrodollarUsage,
   processOpenRouterUsage,
+  processTokenData,
   stripNulBytesInPlace,
   toInsertableDbUsageRecord,
 } from './processUsage';
@@ -383,6 +384,7 @@ describe('logMicrodollarUsage', () => {
       editor_name: null,
       machine_id: null,
       user_byok: false,
+      is_free: false,
       has_tools: false,
       feature: 'vscode-extension',
       session_id: null,
@@ -512,6 +514,79 @@ describe('logMicrodollarUsage', () => {
     expect(metadataRecord?.has_middle_out_transform).toBe(false);
   });
 
+  test('zeroes selected provider-funded traffic using the persisted route decision', async () => {
+    const user = await insertTestUser({
+      id: 'test-provider-funded-user',
+      microdollars_used: 2000,
+      google_user_email: 'provider-funded@example.com',
+    });
+    const usageStats: MicrodollarUsageStats = {
+      ...BASE_USAGE_STATS,
+      messageId: 'test-provider-funded-msg',
+      cost_mUsd: 500,
+      cacheDiscount_mUsd: 25,
+      is_byok: false,
+    };
+    const usageContext: MicrodollarUsageContext = {
+      ...createBaseUsageContext(user),
+      requested_model: 'preview/provider-funded-model',
+      is_free: true,
+    };
+
+    await processTokenData(usageStats, usageContext);
+
+    const metadataRecord = await db.query.microdollar_usage_metadata.findFirst({
+      where: eq(microdollar_usage_metadata.message_id, 'test-provider-funded-msg'),
+    });
+    const usageRecord = metadataRecord
+      ? await db.query.microdollar_usage.findFirst({
+          where: eq(microdollar_usage.id, metadataRecord.id),
+        })
+      : undefined;
+    const updatedUser = await findUserById(user.id);
+
+    expect(usageRecord?.cost).toBe(0);
+    expect(usageRecord?.cache_discount).toBe(0);
+    expect(metadataRecord?.market_cost).toBe(500);
+    expect(metadataRecord?.is_free).toBe(true);
+    expect(updatedUser?.microdollars_used).toBe(2000);
+  });
+
+  test('bills ordinary traffic without a persisted provider-funded decision', async () => {
+    const user = await insertTestUser({
+      id: 'test-non-funded-preview-user',
+      microdollars_used: 2000,
+      google_user_email: 'non-funded-preview@example.com',
+    });
+    const usageStats: MicrodollarUsageStats = {
+      ...BASE_USAGE_STATS,
+      messageId: 'test-non-funded-preview-msg',
+      cost_mUsd: 500,
+      is_byok: false,
+    };
+    const usageContext: MicrodollarUsageContext = {
+      ...createBaseUsageContext(user),
+      requested_model: 'preview/provider-funded-model',
+      is_free: false,
+    };
+
+    await processTokenData(usageStats, usageContext);
+
+    const metadataRecord = await db.query.microdollar_usage_metadata.findFirst({
+      where: eq(microdollar_usage_metadata.message_id, 'test-non-funded-preview-msg'),
+    });
+    const usageRecord = metadataRecord
+      ? await db.query.microdollar_usage.findFirst({
+          where: eq(microdollar_usage.id, metadataRecord.id),
+        })
+      : undefined;
+    const updatedUser = await findUserById(user.id);
+
+    expect(usageRecord?.cost).toBe(500);
+    expect(metadataRecord?.is_free).toBe(false);
+    expect(updatedUser?.microdollars_used).toBe(2500);
+  });
+
   test('stores 3 usage records with overlapping data and tests metadata deduplication', async () => {
     const user = await insertTestUser({
       id: 'test-dedup-user',
@@ -943,6 +1018,7 @@ describe('toInsertableDbUsageRecord NUL-byte sanitization', () => {
       editor_name: 'vscode',
       machine_id: 'machine',
       user_byok: false,
+      is_free: false,
       has_tools: false,
       feature: null,
       session_id: 'session',