Kilo-Org · chrarnoldus · Mar 3, 2026 · Mar 3, 2026
diff --git a/packages/db/src/schema-types.ts b/packages/db/src/schema-types.ts
@@ -125,7 +125,9 @@ export const OrganizationPlanSchema = z.enum(['teams', 'enterprise']);
 export type OrganizationPlan = z.infer<typeof OrganizationPlanSchema>;
 
 const OrganizationSettingsSchema = z.object({
+  /** @deprecated */
   model_allow_list: z.array(z.string()).optional(),
+  /** @deprecated */
   provider_allow_list: z.array(z.string()).optional(),
 
   // under development, not yet enforced, will replace model_allow_list and provider_allow_list:

diff --git a/src/app/api/organizations/[id]/defaults/route.ts b/src/app/api/organizations/[id]/defaults/route.ts
@@ -3,7 +3,7 @@ import { getAuthorizedOrgContext } from '@/lib/organizations/organization-auth';
 import type { NextRequest } from 'next/server';
 import { PRIMARY_DEFAULT_MODEL, getFirstFreeModel, preferredModels } from '@/lib/models';
 import { getEnhancedOpenRouterModels } from '@/lib/providers/openrouter';
-import { createProviderAwareModelAllowPredicate } from '@/lib/model-allow.server';
+import { createAllowPredicateFromDenyList } from '@/lib/model-allow.server';
 import { getModelIdToProviderSlugsIndex } from '@/lib/providers/openrouter/models-by-provider-index.server';
 
 type DefaultsResponse = {
@@ -26,9 +26,9 @@ export async function GET(
   // Get organization's default model setting
   let defaultModel = organization.settings?.default_model;
 
-  const allowList = organization.settings?.model_allow_list;
+  const denyList = organization.settings?.model_deny_list;
 
-  const isAllowed = createProviderAwareModelAllowPredicate(allowList ?? []);
+  const isAllowed = createAllowPredicateFromDenyList(denyList ?? []);
 
   const findFirstAllowedModel = async (modelIds: readonly string[]) => {
     for (const modelId of modelIds) {
@@ -73,23 +73,23 @@ export async function GET(
     defaultModel = await findFirstAllowedModel([PRIMARY_DEFAULT_MODEL]);
 
     if (!defaultModel) {
-      if (!allowList?.length) {
+      if (!denyList?.length) {
         defaultModel = PRIMARY_DEFAULT_MODEL;
       } else {
-        const firstConcreteAllowedModel = allowList.find(modelId => !modelId.endsWith('/*'));
+        const firstConcreteAllowedModel = denyList.find(modelId => !modelId.endsWith('/*'));
         defaultModel = firstConcreteAllowedModel;
       }
     }
 
-    if (!defaultModel && allowList?.length) {
+    if (!defaultModel && denyList?.length) {
       defaultModel = await findFirstAllowedModel(preferredModels);
     }
 
-    if (!defaultModel && allowList?.length) {
+    if (!defaultModel && denyList?.length) {
       defaultModel = await findFirstAllowedModelFromDbSnapshot();
     }
 
-    if (!defaultModel && allowList?.length) {
+    if (!defaultModel && denyList?.length) {
       defaultModel = await findFirstAllowedModelFromOpenRouter();
     }
 

diff --git a/src/components/organizations/OrganizationProvidersAndModelsConfigurationCard.tsx b/src/components/organizations/OrganizationProvidersAndModelsConfigurationCard.tsx
@@ -13,7 +13,7 @@ import { AvailableModelsDialog } from './providers-and-models/AvailableModelsDia
 import { useOrganizationConfiguration } from './providers-and-models/useOrganizationConfiguration';
 import { useOpenRouterModelsAndProviders } from '@/app/api/openrouter/hooks';
 import type { ProviderSelection } from '@/components/models/util';
-import { isModelAllowedProviderAwareClient } from '@/lib/model-allow.client';
+import { normalizeModelId } from '@/lib/model-utils';
 
 type OrganizationProvidersAndModelsConfigurationCardProps = {
   organizationId: string;
@@ -67,8 +67,7 @@ export function computeProviderSelectionsForSummaryCard(params: {
         .filter(model => {
           if (!model.endpoint) return false;
           return (
-            modelAllowList.length === 0 ||
-            isModelAllowedProviderAwareClient(model.slug, modelAllowList, openRouterProviders)
+            modelAllowList.length === 0 || modelAllowList.includes(normalizeModelId(model.slug))
           );
         })
         .map(model => model.slug);
@@ -86,7 +85,7 @@ export function computeProviderSelectionsForSummaryCard(params: {
       const selectedModels = provider.models
         .filter(model => {
           if (!model.endpoint) return false;
-          return isModelAllowedProviderAwareClient(model.slug, modelAllowList, openRouterProviders);
+          return modelAllowList.includes(normalizeModelId(model.slug));
         })
         .map(model => model.slug);
 

diff --git a/src/components/organizations/providers-and-models/allowLists.domain.ts b/src/components/organizations/providers-and-models/allowLists.domain.ts
@@ -1,4 +1,3 @@
-import { isModelAllowedProviderAwareClient } from '@/lib/model-allow.client';
 import { normalizeModelId } from '@/lib/model-utils';
 
 export type OpenRouterModelSlugSnapshot = {
@@ -93,7 +92,7 @@ export function computeEnabledProviderSlugs(
 export function computeAllowedModelIds(
   draftModelAllowList: ReadonlyArray<string>,
   openRouterModels: ReadonlyArray<OpenRouterModelSlugSnapshot>,
-  openRouterProviders: OpenRouterProviderModelsSnapshot
+  _openRouterProviders: OpenRouterProviderModelsSnapshot
 ): Set<string> {
   const allowed = new Set<string>();
 
@@ -107,12 +106,7 @@ export function computeAllowedModelIds(
   const allowListArray = [...draftModelAllowList];
   for (const model of openRouterModels) {
     const normalizedModelId = normalizeModelId(model.slug);
-    const isAllowed = isModelAllowedProviderAwareClient(
-      normalizedModelId,
-      allowListArray,
-      openRouterProviders
-    );
-    if (isAllowed) {
+    if (allowListArray.includes(normalizedModelId)) {
       allowed.add(normalizedModelId);
     }
   }

diff --git a/src/components/organizations/providers-and-models/useOrganizationConfiguration.ts b/src/components/organizations/providers-and-models/useOrganizationConfiguration.ts
@@ -7,7 +7,7 @@ import {
   useOpenRouterProviders,
 } from '@/app/api/openrouter/hooks';
 import type { OpenRouterProvider } from '@/lib/organizations/organization-types';
-import { isModelAllowedProviderAwareClient } from '@/lib/model-allow.client';
+import { normalizeModelId } from '@/lib/model-utils';
 
 export type ConfigurationData = {
   allModelsSelected: boolean;
@@ -23,8 +23,7 @@ export function useOrganizationConfiguration(organizationId: string) {
     useOrganizationWithMembers(organizationId);
   const { data: modelsData, isLoading: modelsLoading } = useOpenRouterModels();
   const { data: providersData, isLoading: providersLoading } = useOpenRouterProviders();
-  const { providers: openRouterProviders, isLoading: providersSnapshotLoading } =
-    useOpenRouterModelsAndProviders();
+  const { isLoading: providersSnapshotLoading } = useOpenRouterModelsAndProviders();
 
   const isLoading = orgLoading || modelsLoading || providersLoading || providersSnapshotLoading;
 
@@ -55,14 +54,14 @@ export function useOrganizationConfiguration(organizationId: string) {
     displayModelAllowList = []; // No exclusions
   } else {
     const allowedModelCount = allModelIds.filter(modelId =>
-      isModelAllowedProviderAwareClient(modelId, savedModelAllowList, openRouterProviders)
+      savedModelAllowList.includes(normalizeModelId(modelId))
     ).length;
     const modelAllowRatio = allowedModelCount / allModelIds.length;
     // If more than 50% are allowed, treat as "all selected" mode with exclusions
     if (modelAllowRatio > 0.5) {
       allModelsSelected = true;
       displayModelAllowList = allModelIds.filter(
-        id => !isModelAllowedProviderAwareClient(id, savedModelAllowList, openRouterProviders)
+        id => !savedModelAllowList.includes(normalizeModelId(id))
       );
     } else {
       allModelsSelected = false;

diff --git a/src/lib/integrations/discord-service.ts b/src/lib/integrations/discord-service.ts
@@ -10,7 +10,7 @@ import { DISCORD_CLIENT_ID, DISCORD_CLIENT_SECRET, DISCORD_BOT_TOKEN } from '@/l
 import { APP_URL } from '@/lib/constants';
 import { getOrganizationById } from '@/lib/organizations/organizations';
 import { getDefaultAllowedModel } from '@/lib/slack-bot/model-allow-list';
-import { createProviderAwareModelAllowPredicate } from '@/lib/model-allow.server';
+import { createAllowPredicateFromDenyList } from '@/lib/model-allow.server';
 import { minimax_m25_free_model } from '@/lib/providers/minimax';
 import { CLAUDE_OPUS_CURRENT_MODEL_ID } from '@/lib/providers/anthropic';
 
@@ -367,9 +367,9 @@ export async function updateModel(
   if (owner.type === 'org') {
     const organization = await getOrganizationById(owner.id);
     if (organization) {
-      const modelAllowList = organization.settings?.model_allow_list || [];
-      if (modelAllowList.length > 0) {
-        const isAllowed = createProviderAwareModelAllowPredicate(modelAllowList);
+      const modelDenyList = organization.settings?.model_deny_list || [];
+      if (modelDenyList.length > 0) {
+        const isAllowed = createAllowPredicateFromDenyList(modelDenyList);
         if (!(await isAllowed(modelSlug))) {
           return { success: false, error: 'Model is not allowed by organization policy' };
         }

diff --git a/src/lib/integrations/slack-service.ts b/src/lib/integrations/slack-service.ts
@@ -12,7 +12,7 @@ import { WebClient } from '@slack/web-api';
 import type { OAuthV2Response } from '@slack/oauth';
 import { getOrganizationById } from '@/lib/organizations/organizations';
 import { getDefaultAllowedModel } from '@/lib/slack-bot/model-allow-list';
-import { createProviderAwareModelAllowPredicate } from '@/lib/model-allow.server';
+import { createAllowPredicateFromDenyList } from '@/lib/model-allow.server';
 import { minimax_m25_free_model } from '@/lib/providers/minimax';
 import { CLAUDE_OPUS_CURRENT_MODEL_ID } from '@/lib/providers/anthropic';
 
@@ -481,9 +481,9 @@ export async function updateModel(
   if (owner.type === 'org') {
     const organization = await getOrganizationById(owner.id);
     if (organization) {
-      const modelAllowList = organization.settings?.model_allow_list || [];
-      if (modelAllowList.length > 0) {
-        const isAllowed = createProviderAwareModelAllowPredicate(modelAllowList);
+      const modelDenyList = organization.settings?.model_deny_list || [];
+      if (modelDenyList.length > 0) {
+        const isAllowed = createAllowPredicateFromDenyList(modelDenyList);
         if (!(await isAllowed(modelSlug))) {
           return { success: false, error: 'Model is not allowed by organization policy' };
         }

diff --git a/src/lib/model-allow.client.test.ts b/src/lib/model-allow.client.test.ts
diff --git a/src/lib/model-allow.client.ts b/src/lib/model-allow.client.ts
diff --git a/src/lib/model-allow.server.ts b/src/lib/model-allow.server.ts
@@ -19,6 +19,7 @@ type ProviderAwareAllowPredicateOptions = {
 
 export type ProviderAwareAllowPredicate = (modelId: string) => Promise<boolean>;
 
+/** @deprecated Use `createAllowPredicateFromDenyList` instead */
 export function createProviderAwareModelAllowPredicate(
   allowList: string[],
   options?: ProviderAwareAllowPredicateOptions
@@ -48,6 +49,16 @@ export function createProviderAwareModelAllowPredicate(
   };
 }
 
+export function createAllowPredicateFromDenyList(
+  denyList: string[] | undefined
+): ProviderAwareAllowPredicate {
+  const denyListSet = new Set(denyList);
+  return (modelId: string): Promise<boolean> => {
+    const normalizedModelId = normalizeModelId(modelId);
+    return Promise.resolve(!denyListSet.has(normalizedModelId));
+  };
+}
+
 export async function createDenyLists(
   model_allow_list: string[] | undefined,
   provider_allow_list: string[] | undefined

diff --git a/src/lib/slack-bot/model-allow-list.ts b/src/lib/slack-bot/model-allow-list.ts
@@ -1,6 +1,6 @@
 import { PRIMARY_DEFAULT_MODEL, preferredModels } from '@/lib/models';
 import { getOrganizationById } from '@/lib/organizations/organizations';
-import { createProviderAwareModelAllowPredicate } from '@/lib/model-allow.server';
+import { createAllowPredicateFromDenyList } from '@/lib/model-allow.server';
 
 /**
  * Get a default model that is allowed for an organization.
@@ -15,14 +15,14 @@ export async function getDefaultAllowedModel(
     return globalDefault;
   }
 
-  const modelAllowList = organization.settings?.model_allow_list || [];
+  const modelDenyList = organization.settings?.model_deny_list || [];
 
   // If no restrictions, use global default
-  if (modelAllowList.length === 0) {
+  if (modelDenyList.length === 0) {
     return globalDefault;
   }
 
-  const isAllowed = createProviderAwareModelAllowPredicate(modelAllowList);
+  const isAllowed = createAllowPredicateFromDenyList(modelDenyList);
 
   // Check if the organization's default model is allowed
   const orgDefaultModel = organization.settings?.default_model;
@@ -42,15 +42,15 @@ export async function getDefaultAllowedModel(
   }
 
   // Fall back to the first non-wildcard model in the allow list
-  const firstNonWildcard = modelAllowList.find(m => !m.endsWith('/*'));
+  const firstNonWildcard = modelDenyList.find(m => !m.endsWith('/*'));
   if (firstNonWildcard) {
     return firstNonWildcard;
   }
 
   // If only wildcards, fall back to global default (admin misconfiguration)
   console.warn(
     '[SlackBot] Organization has only wildcard entries in model allow list:',
-    modelAllowList
+    modelDenyList
   );
   return globalDefault;
 }