Proj/rework llm billing

[ncnthien]

Summary

• Problem:
• Why it matters:
• What changed:
• What did NOT change (scope boundary):

Type of change

• Bug fix
• New feature
• Refactor (no behavior change)
• Documentation
• Test
• Chore (build, dependencies, CI)

Scope (select all touched areas)

• TUI / REPL
• Agent / Tools
• LLM Providers
• Server / Daemon
• Shared (constants, types, transport events)
• CLI Commands (oclif)
• Hub / Connectors
• Cloud Sync
• CI/CD / Infra

Linked issues

• Closes #
• Related #

Root cause (bug fixes only, otherwise write N/A)

• Root cause:
• Why this was not caught earlier:

Test plan

• Coverage added:
  • Unit test
  • Integration test
  • Manual verification only
• Test file(s):
• Key scenario(s) covered:

User-visible changes

List user-visible changes (including defaults, config, or CLI output).
If none, write None.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording

Checklist

• Tests added or updated and passing (npm test)
• Lint passes (npm run lint)
• Type check passes (npm run typecheck)
• Build succeeds (npm run build)
• Commits follow Conventional Commits format
• Documentation updated (if applicable)
• No breaking changes (or clearly documented above)
• Branch is up to date with main

Risks and mitigations

List real risks for this PR. If none, write None.

• Risk:
  • Mitigation:

[github-actions]

Claude finished @ncnthien's task in 7m 16s —— View job

---

PR Review: Rework LLM Billing

• Read core billing infrastructure (services, schemas, DTOs)
• Review transport handlers (billing, team, auth, status)
• Review CLI commands changes
• Review webUI billing/team integration
• Review tests
• Post inline comments and summary

---

Overall: 4 / 5 — solid, ships-ready with one UX bug worth fixing before merge

This is a thoughtful rework. The discriminated-union StatusBillingDTO, the per-project brv-provider.json pin (replacing the previous workspace fallback), the buildStatusBilling pure-function split, and the parallel daemon-stamped pin propagation via BILLING_PIN_CHANGED all read like deliberate, well-tested design choices. Test coverage is genuinely good — buildStatusBilling, resolveBillingForProject, HttpBillingService, the new transport handlers, and the CLI billing helpers all have meaningful cases (including the no-pin / multi-paid-org edge). Web UI utilities (format-credits, get-billing-tone, compute-team-preselection, has-paid-team) are nicely isolated and individually tested.

Inline comments

praise:

• Clean Outside-In: buildStatusBilling is a pure function with comprehensive table-driven tests — the right shape.
• BillingHandler.setupSetPinnedTeam correctly broadcasts BILLING_PIN_CHANGED only on store success, and agent-process.ts consumes it without re-reading config. Solid daemon-stamping pattern, consistent with reviewDisabled stamping.
• ProjectAssociationInitializer proactively invalidates AUTH_STATE, PINNED_TEAM, and LIST_BILLING_USAGE on project association — the right cache discipline.
• printBillingLine swallowing daemon errors so curate/query don't fail just because billing is offline is the right call.

issue (UX, worth fixing pre-merge): resolve-billing-source.ts — when the user has 2+ paid orgs and no pin, freeUserLimit is intentionally not fetched and buildStatusBilling falls through to freeSource(undefined), so the CLI prints Billing: Personal free credits even though the user has multiple paid teams. Misleading; web UI side handles this correctly with needsPickPrompt. See inline.

issue (UX): TeamSelectStep (and the CLI --team flag) lets the user pin a FREE-tier team. The resulting status shows (usage unavailable) instead of disallowing the action. Disable free rows or validate at pin time. Inline.

issue (non-blocking): HttpBillingService.getUsages uses Promise.all, so a transient tiers-endpoint failure throws away the whole call and resolveBillingForProject returns undefined. Promise.allSettled (or .catch(() => []) on tiers) would degrade to "everyone is FREE tier" — same path the code already takes for missing tier entries. Inline.

issue (low/security): setupGetPinnedTeam and setupSetPinnedTeam are the only billing handlers that don't check auth. Daemon is localhost-only so blast radius is small, but the inconsistency means a logged-out client can still write/read pin state. Inline.

issue (low): FileBillingConfigStore.setPinnedTeamId is a non-atomic read-modify-write — concurrent writers can lose pin updates and clobber unknown keys preserved from the same file. Easy fix: write-temp-then-rename. Inline.

nitpick: useListTeams() in header.tsx fires unconditionally; gate on isAuthorized. Inline.

nitpick: billing:getUsage always fetches the full org list then filters client-side. Either push the filter down or remove the endpoint — billing:listUsage already returns the full map keyed by id. Inline.

Other observations (not inlined, no action needed)

• auth-handler.ts:213 calls this.disconnectByteRoverProvider() from onAuthExpired without await. Probably fine (fire-and-forget on expiry) but worth a comment if it's deliberate.
• provider-flow-dialog.tsx:243 handleProviderSelect deps include onProviderActivated and resetAndClose though they're not used in the body. Cosmetic.
• The clientId in setupGetUsage/setupListUsage handlers isn't used; can drop the second handler arg for clarity.
• Test files generally re-stub ProxyConfig.getProxyAgent correctly and verify x-byterover-session-id headers — matches the CLAUDE.md HTTP-nock convention.

Recommendation

Address the "Personal free credits" UX bug (the multi-paid-org case) and the free-tier pin guardrail before shipping; the rest are non-blocking and can land as follow-ups. Pin-write authentication and atomic write are worth doing soon but don't gate this PR.
· branch: proj/rework-llm-billing

[github-actions]

issue (non-blocking): Promise.all rejects if either /billing/usages or /billing/organizations/tiers fails, so a transient tiers outage will fail the whole getUsages call even though the raw usages alone would still be a useful response (every org would default to tier: 'FREE', which is the same fallback path you already implement for missing tier entries).

Consider Promise.allSettled so a tiers failure degrades gracefully:

const [rawResult, tiersResult] = await Promise.all([
  this.fetchRawUsages(sessionKey),
  this.getTiers(sessionKey).catch(() => [] as BillingOrganizationTierDTO[]),
])

That keeps the resilient billing-pill UX (status falls back to "FREE" tier) instead of silently swallowing the whole resolve into undefined upstream in resolveBillingForProject.

[github-actions]

suggestion (non-blocking): setupGetPinnedTeam and setupSetPinnedTeam are the only billing handlers that don't gate on authStateStore.getToken()?.isValid(). They only validate projectPath. Since the pin is consumed at the next byterover task to decide which team to bill, an unauthenticated client can quietly write a pin that the user wouldn't normally see.

Even though the daemon is localhost-only, the rest of the handlers in this file follow the "must be signed in to touch billing state" rule, so the inconsistency is the bug. Adding if (!token?.isValid()) return {error: NOT_AUTHENTICATED_ERROR ...} to both endpoints keeps the contract uniform and prevents stale pins from outliving a logout.

[github-actions]

issue (low): setPinnedTeamId performs a non-atomic read → modify → writeFile. If two clients (e.g. webui dialog and brv providers connect --team) race on the same project, the later writer's view of json will not include the earlier writer's mutation and the earlier write is silently lost.

The blast radius is small (only one key in billing), but the file also preserves arbitrary unknown keys from the same JSON, so a concurrent write to the pin can also clobber unrelated keys an outside tool added. A simple fix: write to a temp path next to the file then fs.rename (atomic on POSIX/Win). The added cost is negligible since this is rare (~user-initiated).

[github-actions]

nitpick: useListTeams() here fires unconditionally, even before sign-in. The server returns {error: NOT_AUTHENTICATED_ERROR} (not a rejection), so the query "succeeds" but the response carries an error string the UI never surfaces — net effect is a wasted round trip on every unauthenticated render and a noisy log channel.

useListTeams already accepts {enabled}:

Suggested change

	const {data: teamsData} = useListTeams()
	const isAuthorized = useAuthStore((s) => s.isAuthorized)
	const {data: teamsData} = useListTeams({enabled: isAuthorized})

Same pattern as useListBillingUsage in useBillingDisplay.

[github-actions]

issue (UX): This list renders every team the user belongs to, including FREE-tier teams. Selecting one of those teams persists a pin that the backend then resolves to a paid usage entry that doesn't exist — build-status-billing.ts:35 returns {organizationId: resolved, source: 'paid'} with no remaining/tier, which formatBillingLine then renders as Billing: <name> (usage unavailable). Same trap exists in the CLI's --team flag (no tier filter on matchTeam).

Two reasonable options:

1. Hide / disable rows where usageByTeam[team.id]?.tier === 'FREE' so users can't pick a tier that can't be billed against.
2. Validate in setBillingPin (server-side) that the team is in the user's paid-org list, and surface "Pick a paid team" if not.

The free-tier message you already show in showFreeTierView only fires when all the user's teams are free — mixed accounts can still hit this footgun.

[github-actions]

issue (UX): When the user has 2+ paid orgs and no pin set, paidUsages.length === 0 is false so freeUserLimit stays undefined. buildStatusBilling then sees resolved === undefined (no pin, >1 paid org) and falls through to freeSource(undefined) which returns {source: 'free'} with no remaining/total.

The CLI then prints Billing: Personal free credits even though the user actually has multiple paid teams to choose from — that string is genuinely misleading. The web UI already handles this with needsPickPrompt and an "amber" warn pill, but the CLI side surfaces it as "you're on free credits."

Either fetch freeUserLimit unconditionally for the byterover branch (one extra call) and surface a 'needs-pick' source variant on StatusBillingDTO so the CLI can print "Pick a billing team — run brv providers connect byterover --team <name>." or keep the data layer the same but special-case paidUsages.length > 1 && pinnedTeamId === undefined in formatBillingLine to print the prompt. The current state silently misrepresents what the user is being billed against.

[github-actions]

nitpick: setupGetUsage fetches every organization the user belongs to and then filters client-side. If the IAM service exposes the per-org endpoint (/billing/usages/{orgId}), pushing the filter down avoids transferring/joining usage data the caller will discard, especially for users with many orgs.

If keeping the bulk fetch is intentional (single round-trip, simpler caching), consider removing this endpoint entirely — LIST_USAGE already gives the caller the full map keyed by organizationId, so callers can just index into it. The current shape is "list, then return one entry" which the consumer is going to repeat anyway when it later wants the full list.