Commit Graph

4253 Commits

Author SHA1 Message Date
YutaSaito 06f2ecef42 feat: tool permission argument check (#16982) 2025-11-22 19:21:25 -08:00
Krrish Dholakia cc5ecfd479 test: fix tests 2025-11-22 16:50:50 -08:00
Krish Dholakia 270d23939e (fix) litellm_logging.py: fix mcp tool call response logging + (fix) responses_bridge: remove unmapped param error mid-stream - allows gpt-5 web search to work via responses api in .completion() (#16946)
* fix: fix getting mcp servers

* fix(litellm_logging.py): handle list objects for final response in standard logging payload

Fixes issue where mcp tool call response wouldn't show up

* fix(litellm_responses_transformation/): remove invalid item error for unmapped objects - breaks stream and there's no real value to this as outside of a few of them, not all can be mapped to chat completions

resolves error for web search calls via chat completions to responses api
2025-11-22 15:48:32 -08:00
Krish Dholakia b9f2cc1c98 Model Armor - Logging guardrail response on llm responses (#16977)
* Litellm dev 11 22 2025 p1 (#16975)

* fix(model_armor.py): return response after applying changes

* fix: initial commit adding guardrail span logging to otel on post-call runs

sends it as a separate span right now, need to include in the same llm request/response span

* fix(opentelemetry.py): include guardrail in received request log + set input/ouput fields on parent otel span instead of nesting it

allows request/response to be seen easily on observability tools

* fix(model_armor.py): working model armor logging on post call events

* fix: fix exception message

* fix(opentelemetry.py): add backwards compatibility for litellm_request

allow users building on the spec change to use previous spec
2025-11-22 15:44:28 -08:00
Krish Dholakia e11d34eb69 Permission Management - disable global guardrails by key/team (#16983)
* feat(teams.py): param for disabling guardrails by team

allows use-case where you don't run global guardrails for team - only run team-specific guardrails

* feat(custom_guardrail.py): add support for disabling global guardrails

only run guardrails requested for in the request/key/team

* feat: support adding disable_global_guardrails to metadata if present in key/team metadata

* feat(create_key_button.tsx): new disable global guardrails field

* feat(key_edit_view.tsx): support disabling global guardrails on key edit

* feat(teams.tsx): add disable global guardrails on create team on UI

* feat(team_info.tsx): allow disabling global guardrails on team update
2025-11-22 15:43:50 -08:00
Ishaan Jaffer 1fc3baf864 e2e ui testing fixes 2025-11-22 14:30:00 -08:00
yuneng-jiang 825f61b452 Remove expired proxy admin keys from cache (#16894) 2025-11-22 14:23:28 -08:00
yuneng-jiang 22fd323d6b Calling team/permissions_list and team/permissions_update now returns 404 with non-existent team (#16835) 2025-11-22 14:21:58 -08:00
Alexsander Hamir b02baf53a9 Fix: prevent memory blowout in LoggingWorker (#16559)
* fix: prevent memory blowout in LoggingWorker

Tasks were being executed sequentially with each task awaited before
processing the next one. When the queue had 10k+ tasks, only one could
execute at a time. Since the request rate exceeded execution speed,
objects accumulated in memory (50k+), holding references to heavy
objects and causing memory blowout.

The new implementation uses a semaphore to allow up to 1000 concurrent
tasks while properly tracking and cleaning up each task, significantly
improving throughput and preventing queue buildup.

* fix: require semaphor before removing task from queue

* fix: make worker concurrency configurable

* fix: clean comments

* fix: clarify new env purpose

* fix: add missing lib

* make constants configurable instead of hardcoded

* add more aggressive cleaning when queue is full

* add helpers function for the aggressive cleaning functionality

* use envs instead of static constants

* import and document constants

* add unit test for new functionality

* fix default value on config_settings

* fix: remove unused variables and imports to resolve linter errors

- Remove unused time_since_last_clear variable in logging_worker.py
  The variable was calculated but never used in _handle_queue_full()
  method, causing F841 linter error.

- Remove unused TYPE_CHECKING import in mcp_server/server.py
  The import was not used anywhere in the file, causing F401 linter error.

These changes improve code cleanliness and ensure the codebase passes
all linter checks without affecting functionality.

* add missing log expected by test_queue_full_handling

* fix: clean config_setting.md file

* fix: handle logging errors gracefully during shutdown in _flush_on_exit

During process shutdown, logging handlers may be closed while _flush_on_exit
tries to flush queued logging coroutines. This causes 'ValueError: I/O
operation on closed file' errors when coroutines attempt to log.

Changes:
- Add _safe_log helper method that wraps logging calls and suppresses
  errors when logging handlers are closed (ValueError, OSError, AttributeError)
- Replace all verbose_logger calls in _flush_on_exit with _safe_log
- Remove logging from exception handler in coroutine execution loop
  to prevent cascading errors during shutdown

This ensures graceful shutdown even when logging handlers are closed,
which is common during process termination.
2025-11-22 13:58:29 -08:00
Ishaan Jaffer dd325191e7 ui testing fixes 2025-11-22 13:44:58 -08:00
Krish Dholakia ac3aa74c22 (feat) Anthropic - support Structured Outputs output_format for Claude 4.5 sonnet and Opus 4.1 + Arize Phoenix - root span logging (#16949)
* feat(anthropic/chat/transformations): for claude-4-5-sonnet and opus-4-1 support passing structured output to anthropic api

* docs: document new feature

* fix: fix output format

* fix: cleanup

* fix(transformation.py): conditionally pass in json tool call

* fix: support ARIZE_SPACE_ID instead of ARIZE_SPACE_KEY

* docs(arize_integration.md): cleanup arize docs

* feat(callback_info_helpers.tsx): allow setting arize space id via ui

* fix: fix linting error

* fix(opentelemetry.py): working arize phoenix root span tracing
2025-11-22 12:08:26 -08:00
Ishaan Jaffer dc08e2d057 fix pkg lock 2025-11-22 11:52:57 -08:00
Ishaan Jaffer 0429ca4fd0 test_package_dependencies 2025-11-22 11:20:40 -08:00
Ishaan Jaffer f5c8136243 fix docker model runner tests 2025-11-22 11:07:56 -08:00
Ishaan Jaffer 725982f39e test_dotprompt_with_prompt_version 2025-11-22 11:00:47 -08:00
Ishaan Jaffer 9ea74a1aa9 TestDockerModelRunnerIntegration 2025-11-22 10:46:12 -08:00
Ishaan Jaffer 1b88cfbe60 test_router_get_deployment_credentials_with_provider 2025-11-22 10:46:12 -08:00
Alexsander Hamir ca2a27c377 fix: add missing mock attributes in websocket and realtime tests (#16974)
- Add scope and url attributes to WebSocket mock in test_user_api_key_auth_websocket
- Add shared_realtime_ssl_context initialization in realtime handler test
2025-11-22 10:44:23 -08:00
Ishaan Jaffer 65b842b6b4 test fix 2025-11-22 10:26:32 -08:00
Ishaan Jaffer 5c289df374 test url with format 2025-11-22 10:10:08 -08:00
Alexsander Hamir 9a0658084b Fix SSL test failures due to caching and test isolation issues (#16973)
This commit fixes two critical test failures and two test isolation issues
in the SSL configuration tests.

## Critical Test Failures Fixed

### 1. test_get_ssl_configuration
**Problem:** Test was failing with assertion error that ssl.create_default_context
was never called (expected 1 call, got 0).

**Root Cause:** The get_ssl_configuration() function uses a caching mechanism
(_ssl_context_cache) to avoid creating duplicate SSL contexts with the same
configuration. When tests run in sequence, a previous test may have created an
SSL context with the same configuration (same cafile, ssl_security_level,
ssl_ecdh_curve). When this test runs, it retrieves the cached context instead
of creating a new one, so ssl.create_default_context() is never called, causing
the mock assertion to fail.

**Fix:** Clear the SSL context cache at the start of the test to ensure a fresh
context is created, allowing the mock to be called and verified.

### 2. test_ssl_ecdh_curve
**Problem:** Test was failing with assertion error that set_ecdh_curve was
never called (expected 1 call, got 0).

**Root Cause:** Same caching issue as above. Additionally, the test needed to
use a real SSLContext instance instead of a MagicMock because _create_ssl_context
calls methods like set_ciphers() and minimum_version that require a real context.

**Fix:**
- Clear the SSL context cache at the start of the test
- Use a real SSLContext instance and patch set_ecdh_curve on it specifically
- Added explanatory comment about why a real context is needed

## Test Isolation Issues Fixed

### 3. test_ssl_security_level
**Problem:** Test was failing because it expected LiteLLMAiohttpTransport but
got httpx.AsyncHTTPTransport instead.

**Root Cause:** Test isolation issue. Other tests in the file (test_force_ipv4_transport,
test_aiohttp_disabled_transport) set litellm.disable_aiohttp_transport = True
but don't restore the original value. When this test runs after those tests,
aiohttp transport is disabled, causing it to use httpx transport instead.

**Fix:** Explicitly enable aiohttp transport at the start of the test and restore
the original value in a finally block, ensuring the test works regardless of
test execution order.

### 4. test_ssl_verification_with_aiohttp_transport
**Problem:** Same as above - expected LiteLLMAiohttpTransport but got
httpx.AsyncHTTPTransport.

**Root Cause:** Same test isolation issue - aiohttp transport disabled by
previous tests.

**Fix:** Same approach - explicitly enable aiohttp transport and restore
original value in finally block.

## Why These Fixes Work

1. **Cache clearing:** By clearing _ssl_context_cache before each test, we
   ensure that get_ssl_configuration() creates a fresh SSL context, allowing
   mocks to be properly called and verified.

2. **Test isolation:** By saving and restoring the disable_aiohttp_transport
   setting, tests are independent of each other and work correctly regardless
   of execution order.

These are minimal, targeted fixes that address the root causes without
modifying production code or affecting other functionality.
2025-11-22 10:07:30 -08:00
Ishaan Jaffer ee758914e0 test docker model runner 2025-11-22 10:06:14 -08:00
Ishaan Jaffer 3235807d68 test prompt manager 2025-11-22 10:05:55 -08:00
Ishaan Jaffer 0c28af8705 test MCP server 2025-11-22 10:02:15 -08:00
Ishaan Jaffer fc0eac2d10 test_get_tools_from_mcp_servers 2025-11-22 10:02:15 -08:00
Ishaan Jaffer b2812af0a0 fix MCP tests 2025-11-22 10:02:15 -08:00
Ishaan Jaffer 5b23b0913e async def test_auth_callback_new_user(mock_google_sso, mock_env_vars, prisma_client): 2025-11-22 10:02:15 -08:00
Alexsander Hamir eb5031da1e [Perf] Fix bottlenecks degrading realtime endpoint performance (#16670)
* Cache realtime websocket request body

Move the realtime request payload builder out of the websocket handler and wrap it with an LRU cache so repeated connections reuse the same bytes object. This keeps the JSON formatting cost down while bounding memory usage.

* Optimize realtime websocket caching

Refactored /v1/realtime to use cached helpers for both the JSON body and query params, introduced a reusable request-scope template, and optimized header handling to avoid redundant work.

* Refine realtime websocket header handling

* Reuse websocket scope headers in auth

* Refactor realtime request body helper

Move the realtime request body formatter into proxy common utils so it can be reused across modules. Reuse it in the websocket auth flow to share LRU caching and avoid ad hoc byte builders.

* fix: revert to old pattern

The old pattern was necessary, we can just return the optimized function instead.

* Reuse SSL context for realtime

Create a shared SSLContext for OpenAI realtime websocket dials and pass it into websockets.connect so we stop re-reading verify paths on every session.

* feat: reuse shared TLS context for realtime websockets

- add `SHARED_REALTIME_SSL_CONTEXT` helper so all realtime websocket clients share the same TLS settings
- wire the shared context into OpenAI, Azure, custom HTTPX handlers, and realtime health checks
- update realtime tests to assert that the expected SSL context is passed to `websockets.connect`

This keeps TLS configuration consistent and avoids recreating SSL contexts per connection.

* Reuse HTTP SSL context for realtime

Remove the standalone realtime SSL helper, expose a shared context directly from the HTTP handler, and point all realtime websocket clients and tests to it. Add the websocket header comparison tool.

* Lazy-load shared realtime SSL context

Fix circular imports introduced by eagerly instantiating the shared TLS context. Make the HTTP handler lazily create the context and have realtime clients/tests fetch it on demand, keeping configuration consistent without breaking startup.

* add: unit test for realtime LRU caches

* fix: merge conflict with imports
2025-11-22 10:01:02 -08:00
Ishaan Jaffer badbadba0d fix img URL for tests 2025-11-22 09:41:15 -08:00
Sameer Kankute 82dc0354ce Litellm sameer nov 3 stable branch (#16963)
* Add openai metadata filed in the request

* Add docs related to openai metadata

* Add utils

* test_completion_openai_metadata[True]

* Added support for though signature for gemini 3 in responses api (#16872)

* Added support for though signature for gemini 3

* Update docs with all supported endpoints and cost tracking

* Added config based routing support for batches and files

* fix lint errors

* Litellm anthropic image url support (#16868)

* Add image as url support to anthropic

* fix mypy errors

* fix tests

* Fix: Populate spend_logs_metadata in batch and files endpoints (#16921)

* Add spend-logs-metadata to the metadata

* Add tests for spend logs metadata in batches

* use better names

* Remove support for penalty param for gemini 3 (#16907)

* Remove support for penalty param

* remove halucinated model names

* fix mypy/test errors

* fix tests

* fix too many lines error

* fix too many lines error

* Add config for cicd test case

* Fix final tests

* fix batch tests

* fix batch tests
2025-11-22 09:35:05 -08:00
Ishaan Jaffer 8fbf060ac5 ArizePhoenixConfig 2025-11-22 09:28:37 -08:00
Derek Duenas bbaf0af907 Grayswan guardrail passthrough on flagged (#16891)
* attempt to implement the passthrough feature

* Formatting and small change

* Fix formatting

* Format test file

---------

Co-authored-by: Xiaohan Fu <xiaohan@grayswan.ai>
2025-11-21 20:01:35 -08:00
Dima-Mediator a0d4d0b304 Gemini models: capture image_tokens and support cost_per_output_image_token in costs calculations (#16912) 2025-11-21 19:59:24 -08:00
Alexsander Hamir 6e70c279f8 [Fix] - Router's Cache: Fix routing for requests with same cacheable prefix but different user messages (#16951)
* fix(router): use cacheable prefix for prompt caching cache keys

Fix issue where requests with same cacheable prefix but different user
messages were routing to different deployments, preventing cached token
reuse. The cache key now correctly includes only the cacheable prefix
(up to and including the last cache_control block) instead of the
entire messages array.

## New Functions

### extract_cacheable_prefix()
Static method that extracts the cacheable prefix from messages for
prompt caching. The cacheable prefix is defined as everything UP TO
AND INCLUDING the LAST content block (across all messages) that has
cache_control with type "ephemeral". This includes ALL blocks
before the last cacheable block (even if they don't have cache_control
themselves).

- Finds the last content block with cache_control across all messages
- Returns all messages and content blocks up to and including that
  last cacheable block
- Excludes everything after the last cacheable block (including user
  messages that come after)
- Returns empty list if no cacheable blocks are found

## Changed Functions

### get_prompt_caching_cache_key()
Modified to use the cacheable prefix instead of the full messages array
when generating cache keys. This ensures that requests with the same
cacheable prefix but different user messages generate the same cache
key, enabling proper routing to the same deployment.

- Now calls extract_cacheable_prefix() to get only cacheable content
- Returns None if no cacheable prefix is found (can't generate key)
- Cache key is now based on cacheable prefix only, not full messages

### async_get_model_id()
Completely refactored to use the cacheable prefix directly instead of
the previous workaround that checked progressively shorter message
slices. The previous implementation was inefficient and unreliable.

- Removed progressive message slicing logic (messages[:-1], messages[:-2], etc.)
- Now uses single direct cache lookup with cacheable prefix-based key
- More efficient (1 lookup instead of up to 4)
- More reliable (uses correct cache key based on cacheable prefix)
- Returns None if no cacheable prefix found

### add_model_id()
Added None check for cache_key to prevent caching when no cacheable
prefix is found. This ensures we don't attempt to cache when there's
no meaningful cache key to use.

- Added guard: returns early if cache_key is None
- Prevents attempting to cache when no cacheable prefix exists

### async_add_model_id()
Added None check for cache_key to prevent caching when no cacheable
prefix is found. Matches the behavior of add_model_id() for consistency.

- Added guard: returns early if cache_key is None
- Prevents attempting to cache when no cacheable prefix exists

### get_model_id()
Added None check for cache_key to handle cases where no cacheable
prefix is found. Ensures consistent behavior across all cache methods.

- Added guard: returns None if cache_key is None
- Prevents calling get_cache() with None key

## Test

### test_router_prompt_caching_same_cacheable_prefix_routes_to_same_deployment()
New end-to-end test that validates the fix. Tests that requests with
the same cacheable prefix (system blocks with cache_control) but
different user messages:
1. Generate the same cache key
2. Successfully perform cache lookup
3. Route to the same deployment

This test reproduces the exact scenario from the user's bug report
where three requests with different user messages should route to the
same deployment but were previously routing to different ones.

Fixes issue where cached tokens couldn't be reused because requests
were routed to different providers due to different cache keys.

* fix(router): use cast() for proper type handling in extract_cacheable_prefix

Replace type annotation with type: ignore comment with proper cast()
from typing module, matching the pattern used throughout the
codebase for creating modified AllMessageValues dictionaries.
2025-11-21 19:13:40 -08:00
yuneng-jiang b074c79734 Allow partial matches for user id in user table (#16952) 2025-11-21 19:12:16 -08:00
yuneng-jiang 6881594632 [Fix] Exclude litellm_credential_name from Sensitive Data Masker (Updated) (#16958)
* Exclude litellm_credential_name from sensitive masker

* Adding missing file
2025-11-21 19:09:48 -08:00
Justin Tahara 703f619e08 feat(bedrock): Add Claude 4.5 to US Gov Cloud (#16957)
* feat(bedrock): Add Claude 4.5 to US Gov Cloud

* Adding west and tests
2025-11-21 19:06:26 -08:00
Mubashir Osmani db58f6aeb1 fix: arize phoenix logging (#16301)
* arize phx

* fix arize integration

* traces to specific project name

* fix

* look for http endpoint
2025-11-21 18:46:18 -08:00
yuneng-jiang eb48d5cc42 Revert "Exclude litellm_credential_name from sensitive masker (#16950)" (#16956)
This reverts commit 5cfacb96e6.
2025-11-21 18:09:54 -08:00
Ishaan Jaffer 1f36fad94b TestDockerModelRunnerIntegration 2025-11-21 17:39:33 -08:00
Ishaan Jaffer 3296ffd3ca test fixes 2025-11-21 17:38:20 -08:00
Ishaan Jaffer 8b8b31ecd8 fix img gen 2025-11-21 17:18:48 -08:00
Ishaan Jaffer 6439aed3ac snowflake test fix 2025-11-21 17:12:55 -08:00
Ishaan Jaffer e7a32c1e8f docker test fixes 2025-11-21 16:52:58 -08:00
yuneng-jiang 5cfacb96e6 Exclude litellm_credential_name from sensitive masker (#16950) 2025-11-21 16:40:17 -08:00
Ishaan Jaffer 69da15e65e test_fal_ai_image_generation_basic 2025-11-21 16:23:41 -08:00
Ishaan Jaffer 4a9f163db1 TestPromptVersionsEndpoint 2025-11-21 16:21:13 -08:00
Ishaan Jaffer 4e8f1d0143 fix prompt manager 2025-11-21 16:17:44 -08:00
Ishaan Jaffer 2226450437 test_ensure_initialize_azure_sdk_client_always_used 2025-11-21 16:15:35 -08:00
yuneng-jiang 0abfb07ab8 Remove UI Session Token from user/info return (#16851) 2025-11-21 16:11:58 -08:00