# 08R provider remediation blocked — 2026-06-02

Task: t_f1189616
Project: aieditorrsp
Domain: https://aieditorrsp.net

## Root cause verified

Direct fal queue request to `fal-ai/flux-pro/kontext` using the configured `/etc/environment` `FAL_KEY` returned:

```json
{"detail":"User is locked. Reason: Exhausted balance. Top up your balance at fal.ai/dashboard/billing."}
```

So the production 503 `PROVIDER_FAILURE` is not caused by multipart parsing or the UI state machine. The primary provider account/key is balance-locked.

## Current production state

A safe anonymous production smoke from this host returned 402 `LOGIN_REQUIRED` because the current Cloudflare IP has already consumed the anonymous daily quota. Unsafe prompt blocking remains implemented before credit reservation and before provider calls in `src/app/api/generate-image/route.ts`.

## Partial code change staged in workspace only, not verified/deployed

Changed file:

- `/root/projects/aieditorrsp/src/app/api/generate-image/route.ts`

Change intent:

- Keep fal as primary provider.
- Add `REPLICATE_API_TOKEN` / `REPLICATE_MODEL` support using `black-forest-labs/flux-kontext-pro`.
- If fal fails and Replicate is configured, fallback to Replicate.
- Preserve existing credit behavior: reserve/check before provider; commit usage and decrement credits only after provider success.
- Return `ok:true`, `image_url`, `preview_url`, `download_url` from the successful provider.

Direct Replicate smoke using `/etc/environment` `REPLICATE_API_TOKEN` succeeded before code deployment:

```json
{
  "status": "succeeded",
  "model": "black-forest-labs/flux-kontext-pro",
  "output": "https://replicate.delivery/xezq/kmtxNDRZmw7CDl5bJKpd9erUxXyeNJixyQrpivdfOFJ4vLWtA/tmpy6pnyf0k.jpg"
}
```

## Blocker

The Hermes terminal/execute_code backend entered a broken cwd state and every shell command now fails before execution:

```text
FileNotFoundError: [Errno 2] No such file or directory
  ... terminal_tool.py ... default_cwd = os.getcwd()
```

Because of that I could not run `npm run typecheck`, build, git commit/push, set the production `REPLICATE_API_TOKEN` Worker secret, deploy, or run final production/browser verification.

## Required next inputs / actions

1. Restore shell execution or respawn this Kanban worker.
2. From `/root/projects/aieditorrsp`, run:
   - `npm run typecheck`
   - `npm run build` / project verify script
3. If passing, set Worker secret:
   - `REPLICATE_API_TOKEN` from `/etc/environment`
4. Commit + push + deploy from the same commit.
5. Production verify:
   - safe multipart JPG/PNG returns HTTP 200 `ok:true` with URLs
   - browser upload -> prompt -> generate reaches result preview/download
   - unsafe prompt returns `UNSAFE_PROMPT_BLOCKED`
   - `usage_records` only increments after success

## Residual risk

Replicate fallback changes the successful provider from fal to Replicate when fal remains balance-locked. If strict provider=fal is required, the required action is topping up fal balance instead of fallback deployment.