Kilo-Org
diff --git a/‎apps/web/src/lib/ai-gateway/providers/openrouter/snapshot-diff.test.ts‎
Lines changed: 155 additions & 0 deletions b/‎apps/web/src/lib/ai-gateway/providers/openrouter/snapshot-diff.test.ts‎
Lines changed: 155 additions & 0 deletions
diff --git a/‎apps/web/src/lib/ai-gateway/providers/openrouter/snapshot-diff.ts‎
Lines changed: 117 additions & 0 deletions b/‎apps/web/src/lib/ai-gateway/providers/openrouter/snapshot-diff.ts‎
Lines changed: 117 additions & 0 deletions
diff --git a/‎apps/web/src/lib/ai-gateway/providers/openrouter/sync-providers.ts‎
Lines changed: 76 additions & 12 deletions b/‎apps/web/src/lib/ai-gateway/providers/openrouter/sync-providers.ts‎
Lines changed: 76 additions & 12 deletions
@@ -0,0 +1,155 @@
+import { describe, expect, test } from '@jest/globals';
+import type {
+  NormalizedOpenRouterResponse,
+  NormalizedProvider,
+} from '@/lib/ai-gateway/providers/openrouter/openrouter-types';
+import { computeSnapshotDiff } from '@/lib/ai-gateway/providers/openrouter/snapshot-diff';
+
+function buildSnapshot(
+  providers: Array<{ slug: string; models: string[] }>
+): NormalizedOpenRouterResponse {
+  const mapped: NormalizedProvider[] = providers.map(({ slug, models }) => ({
+    name: slug,
+    displayName: slug,
+    slug,
+    dataPolicy: { training: false, retainsPrompts: false, canPublish: false },
+    models: models.map(modelSlug => ({
+      slug: modelSlug,
+      name: modelSlug,
+      author: slug,
+      description: '',
+      context_length: 0,
+      input_modalities: [],
+      output_modalities: [],
+      group: 'other',
+      updated_at: '',
+      endpoint: {
+        provider_display_name: slug,
+        is_free: false,
+        pricing: { prompt: '0', completion: '0' },
+      },
+    })),
+  }));
+
+  return {
+    providers: mapped,
+    total_providers: mapped.length,
+    total_models: mapped.reduce((sum, p) => sum + p.models.length, 0),
+    generated_at: '2026-01-01T00:00:00Z',
+  };
+}
+
+describe('computeSnapshotDiff', () => {
+  test('returns empty diff when old snapshot is null', () => {
+    const snapshot = buildSnapshot([{ slug: 'z-ai', models: ['z-ai/glm-5'] }]);
+    const diff = computeSnapshotDiff(null, snapshot);
+
+    expect(diff.addedByProvider.size).toBe(0);
+    expect(diff.removedByProvider.size).toBe(0);
+    expect(diff.oldModelProvidersIndex.size).toBe(0);
+    expect(diff.newModelProvidersIndex.get('z-ai/glm-5')).toEqual(new Set(['z-ai']));
+  });
+
+  test('returns empty diff maps when snapshots are identical', () => {
+    const snapshot = buildSnapshot([
+      { slug: 'z-ai', models: ['z-ai/glm-5'] },
+      { slug: 'anthropic', models: ['anthropic/claude-4.6'] },
+    ]);
+    const diff = computeSnapshotDiff(snapshot, snapshot);
+
+    expect(diff.addedByProvider.size).toBe(0);
+    expect(diff.removedByProvider.size).toBe(0);
+  });
+
+  test('detects new model on existing provider', () => {
+    const oldSnapshot = buildSnapshot([{ slug: 'z-ai', models: ['z-ai/glm-5'] }]);
+    const newSnapshot = buildSnapshot([
+      { slug: 'z-ai', models: ['z-ai/glm-5', 'z-ai/glm-5.1', 'z-ai/glm-5.1-air'] },
+    ]);
+
+    const diff = computeSnapshotDiff(oldSnapshot, newSnapshot);
+
+    expect(diff.addedByProvider.get('z-ai')).toEqual(['z-ai/glm-5.1', 'z-ai/glm-5.1-air']);
+    expect(diff.removedByProvider.size).toBe(0);
+  });
+
+  test('detects brand-new provider with its models', () => {
+    const oldSnapshot = buildSnapshot([{ slug: 'z-ai', models: ['z-ai/glm-5'] }]);
+    const newSnapshot = buildSnapshot([
+      { slug: 'z-ai', models: ['z-ai/glm-5'] },
+      { slug: 'xyz-corp', models: ['xyz-corp/foo', 'xyz-corp/bar'] },
+    ]);
+
+    const diff = computeSnapshotDiff(oldSnapshot, newSnapshot);
+
+    expect(diff.addedByProvider.get('xyz-corp')).toEqual(['xyz-corp/bar', 'xyz-corp/foo']);
+    expect(diff.addedByProvider.has('z-ai')).toBe(false);
+  });
+
+  test('detects model removed from catalog', () => {
+    const oldSnapshot = buildSnapshot([{ slug: 'z-ai', models: ['z-ai/glm-4.0', 'z-ai/glm-5'] }]);
+    const newSnapshot = buildSnapshot([{ slug: 'z-ai', models: ['z-ai/glm-5'] }]);
+
+    const diff = computeSnapshotDiff(oldSnapshot, newSnapshot);
+
+    expect(diff.removedByProvider.get('z-ai')).toEqual(['z-ai/glm-4.0']);
+    expect(diff.addedByProvider.size).toBe(0);
+  });
+
+  test('detects additional provider offering an existing model as addition for that provider only', () => {
+    const oldSnapshot = buildSnapshot([
+      { slug: 'openai', models: ['openai/gpt-4o'] },
+      { slug: 'azure', models: [] },
+    ]);
+    const newSnapshot = buildSnapshot([
+      { slug: 'openai', models: ['openai/gpt-4o'] },
+      { slug: 'azure', models: ['openai/gpt-4o'] },
+    ]);
+
+    const diff = computeSnapshotDiff(oldSnapshot, newSnapshot);
+
+    expect(diff.addedByProvider.get('azure')).toEqual(['openai/gpt-4o']);
+    expect(diff.addedByProvider.has('openai')).toBe(false);
+    expect(diff.removedByProvider.size).toBe(0);
+  });
+
+  test('normalizes variant suffixes like :free', () => {
+    const oldSnapshot = buildSnapshot([{ slug: 'openai', models: ['openai/gpt-4o'] }]);
+    const newSnapshot = buildSnapshot([
+      { slug: 'openai', models: ['openai/gpt-4o', 'openai/gpt-4o:free'] },
+    ]);
+
+    const diff = computeSnapshotDiff(oldSnapshot, newSnapshot);
+
+    expect(diff.addedByProvider.size).toBe(0);
+    expect(diff.newModelProvidersIndex.get('openai/gpt-4o')).toEqual(new Set(['openai']));
+  });
+
+  test('sorts model ids alphabetically within each provider group', () => {
+    const oldSnapshot = buildSnapshot([{ slug: 'z-ai', models: [] }]);
+    const newSnapshot = buildSnapshot([
+      { slug: 'z-ai', models: ['z-ai/beta', 'z-ai/alpha', 'z-ai/gamma'] },
+    ]);
+
+    const diff = computeSnapshotDiff(oldSnapshot, newSnapshot);
+
+    expect(diff.addedByProvider.get('z-ai')).toEqual(['z-ai/alpha', 'z-ai/beta', 'z-ai/gamma']);
+  });
+
+  test('handles simultaneous additions and removals', () => {
+    const oldSnapshot = buildSnapshot([
+      { slug: 'z-ai', models: ['z-ai/glm-4.0', 'z-ai/glm-5'] },
+      { slug: 'anthropic', models: ['anthropic/claude-4.5'] },
+    ]);
+    const newSnapshot = buildSnapshot([
+      { slug: 'z-ai', models: ['z-ai/glm-5', 'z-ai/glm-5.1'] },
+      { slug: 'anthropic', models: ['anthropic/claude-4.5', 'anthropic/claude-4.6'] },
+    ]);
+
+    const diff = computeSnapshotDiff(oldSnapshot, newSnapshot);
+
+    expect(diff.addedByProvider.get('z-ai')).toEqual(['z-ai/glm-5.1']);
+    expect(diff.addedByProvider.get('anthropic')).toEqual(['anthropic/claude-4.6']);
+    expect(diff.removedByProvider.get('z-ai')).toEqual(['z-ai/glm-4.0']);
+  });
+});
@@ -0,0 +1,117 @@
+import type { NormalizedOpenRouterResponse } from '@/lib/ai-gateway/providers/openrouter/openrouter-types';
+import { normalizeModelId } from '@/lib/ai-gateway/model-utils';
+
+export type SnapshotDiff = {
+  /** providerSlug -> sorted list of normalized model ids newly offered by that provider */
+  addedByProvider: Map<string, string[]>;
+  /** providerSlug -> sorted list of normalized model ids no longer offered by that provider */
+  removedByProvider: Map<string, string[]>;
+  /** modelId -> set of providerSlugs that offered it in the OLD snapshot */
+  oldModelProvidersIndex: Map<string, Set<string>>;
+  /** modelId -> set of providerSlugs that offer it in the NEW snapshot */
+  newModelProvidersIndex: Map<string, Set<string>>;
+};
+
+function buildModelProvidersIndex(
+  snapshot: NormalizedOpenRouterResponse
+): Map<string, Set<string>> {
+  const index = new Map<string, Set<string>>();
+  for (const provider of snapshot.providers) {
+    for (const model of provider.models) {
+      const normalizedModelId = normalizeModelId(model.slug);
+      const existing = index.get(normalizedModelId);
+      if (existing) {
+        existing.add(provider.slug);
+      } else {
+        index.set(normalizedModelId, new Set([provider.slug]));
+      }
+    }
+  }
+  return index;
+}
+
+function emptyDiff(
+  oldIndex: Map<string, Set<string>>,
+  newIndex: Map<string, Set<string>>
+): SnapshotDiff {
+  return {
+    addedByProvider: new Map(),
+    removedByProvider: new Map(),
+    oldModelProvidersIndex: oldIndex,
+    newModelProvidersIndex: newIndex,
+  };
+}
+
+/**
+ * Compare two OpenRouter snapshots and produce the set of provider→model
+ * additions and removals implied by the diff.
+ *
+ * A `(provider, model)` pair is "added" when the NEW snapshot contains that
+ * pair and the OLD snapshot did not. This naturally covers two scenarios:
+ *   1. A brand-new model on an existing provider (e.g. `z-ai/glm-5.1` appears
+ *      under `z-ai`).
+ *   2. An existing model newly offered by an additional provider.
+ *
+ * Similarly, a `(provider, model)` pair is "removed" when the OLD snapshot
+ * contained it and the NEW snapshot does not.
+ *
+ * When `oldSnapshot` is null (first run / fresh database), returns empty
+ * add/remove maps so callers produce no audit log flood.
+ */
+export function computeSnapshotDiff(
+  oldSnapshot: NormalizedOpenRouterResponse | null,
+  newSnapshot: NormalizedOpenRouterResponse
+): SnapshotDiff {
+  const newIndex = buildModelProvidersIndex(newSnapshot);
+
+  if (oldSnapshot === null) {
+    return emptyDiff(new Map(), newIndex);
+  }
+
+  const oldIndex = buildModelProvidersIndex(oldSnapshot);
+
+  const addedByProvider = new Map<string, string[]>();
+  const removedByProvider = new Map<string, string[]>();
+
+  for (const [modelId, newProviders] of newIndex) {
+    const oldProviders = oldIndex.get(modelId);
+    for (const providerSlug of newProviders) {
+      if (!oldProviders || !oldProviders.has(providerSlug)) {
+        const list = addedByProvider.get(providerSlug);
+        if (list) {
+          list.push(modelId);
+        } else {
+          addedByProvider.set(providerSlug, [modelId]);
+        }
+      }
+    }
+  }
+
+  for (const [modelId, oldProviders] of oldIndex) {
+    const newProviders = newIndex.get(modelId);
+    for (const providerSlug of oldProviders) {
+      if (!newProviders || !newProviders.has(providerSlug)) {
+        const list = removedByProvider.get(providerSlug);
+        if (list) {
+          list.push(modelId);
+        } else {
+          removedByProvider.set(providerSlug, [modelId]);
+        }
+      }
+    }
+  }
+
+  for (const list of addedByProvider.values()) {
+    list.sort((a, b) => a.localeCompare(b));
+  }
+  for (const list of removedByProvider.values()) {
+    list.sort((a, b) => a.localeCompare(b));
+  }
+
+  return {
+    addedByProvider,
+    removedByProvider,
+    oldModelProvidersIndex: oldIndex,
+    newModelProvidersIndex: newIndex,
+  };
+}
@@ -17,8 +17,10 @@ import {
 } from '@/lib/ai-gateway/providers/openrouter/openrouter-types';
 import { modelsByProvider } from '@kilocode/db/schema';
 import { db } from '@/lib/drizzle';
-import { lt } from 'drizzle-orm';
+import { desc, lt, sql } from 'drizzle-orm';
+import { captureException } from '@sentry/nextjs';
 import PROVIDERS from '@/lib/ai-gateway/providers/provider-definitions';
+import { logAutoModelChangesForAllOrgs } from '@/lib/organizations/auto-model-change-log';
 import type { Provider } from '@/lib/ai-gateway/providers/types';
 import type { StoredModel } from '@/lib/ai-gateway/providers/vercel/types';
 import { EndpointsSchema, ModelsSchema } from '@/lib/ai-gateway/providers/vercel/types';
@@ -31,6 +33,14 @@ const ATTRIBUTION_HEADERS = {
   'X-Title': 'Kilo Code',
 } as const;
 
+/**
+ * Advisory lock key hashed from a stable identifier. Serializes concurrent
+ * calls to `applySnapshotChangesAndAudit` so two overlapping syncs cannot
+ * both read the same "previous" snapshot and emit duplicate system audit
+ * logs for the same diff. Auto-releases on transaction commit/rollback.
+ */
+const SYNC_PROVIDERS_SNAPSHOT_LOCK_KEY = 'sync-providers:snapshot';
+
 async function fetchGatewayModels(gateway: Provider) {
   const headers = {
     ...ATTRIBUTION_HEADERS,
@@ -309,6 +319,67 @@ async function mirrorToRedis(values: {
   await Promise.all(entries.map(([key, value]) => redisSet(key, JSON.stringify(value))));
 }
 
+/**
+ * Apply a freshly-synced OpenRouter snapshot to the database and emit
+ * per-org audit log entries describing how it affects each enterprise
+ * organization's effective model availability.
+ *
+ * Extracted from `syncAndStoreProviders` so it can be tested without
+ * mocking upstream HTTP calls: seed the DB with a prior snapshot row, call
+ * this with a new synthetic snapshot, and assert on the resulting rows in
+ * `organization_audit_logs`.
+ *
+ * Concurrency safety: a transaction-scoped Postgres advisory lock
+ * (`pg_advisory_xact_lock`) is taken before the previous-snapshot read so
+ * two overlapping sync runs cannot both observe the same "previous" row
+ * and emit duplicate system audit logs for the same diff. The lock is
+ * released automatically on commit/rollback.
+ */
+export async function applySnapshotChangesAndAudit(params: {
+  providers: NormalizedOpenRouterResponse;
+  openrouter_data: Record<string, StoredModel>;
+  vercel_data: Record<string, StoredModel>;
+}): Promise<{
+  id: number;
+  data: NormalizedOpenRouterResponse;
+  previousSnapshot: NormalizedOpenRouterResponse | null;
+}> {
+  const { providers, openrouter_data, vercel_data } = params;
+
+  const { row, previousSnapshot } = await db.transaction(async tx => {
+    await tx.execute(
+      sql`SELECT pg_advisory_xact_lock(hashtext(${SYNC_PROVIDERS_SNAPSHOT_LOCK_KEY}))`
+    );
+
+    const [previousSnapshotRow] = await tx
+      .select({ data: modelsByProvider.data })
+      .from(modelsByProvider)
+      .orderBy(desc(modelsByProvider.id))
+      .limit(1);
+    const previousSnapshot = previousSnapshotRow?.data ?? null;
+
+    const results = await tx
+      .insert(modelsByProvider)
+      .values({
+        data: providers,
+        openrouter: openrouter_data,
+        vercel: vercel_data,
+      })
+      .returning();
+    await tx.delete(modelsByProvider).where(lt(modelsByProvider.id, results[0].id));
+    return { row: results[0], previousSnapshot };
+  });
+
+  try {
+    await logAutoModelChangesForAllOrgs(previousSnapshot, providers);
+  } catch (err) {
+    console.error('[sync-providers] auto-change audit logging failed', err);
+    captureException(err, { tags: { component: 'sync-providers-auto-audit' } });
+  }
+
+  return { id: row.id, data: row.data, previousSnapshot };
+}
+
 export async function syncAndStoreProviders() {
   const startTime = performance.now();
 
@@ -332,17 +403,10 @@ export async function syncAndStoreProviders() {
     throw new Error(`Suspicious: total number of models is ${providers.total_models} < 100`);
   }
 
-  const result = await db.transaction(async tx => {
-    const results = await tx
-      .insert(modelsByProvider)
-      .values({
-        data: providers,
-        openrouter: openrouter_data,
-        vercel: vercel_data,
-      })
-      .returning();
-    await tx.delete(modelsByProvider).where(lt(modelsByProvider.id, results[0].id));
-    return results[0];
+  const result = await applySnapshotChangesAndAudit({
+    providers,
+    openrouter_data,
+    vercel_data,
   });
 
   await mirrorToRedis({