Commit Graph

36547 Commits

Author SHA1 Message Date
Yuneng Jiang 8a0ddd46d5 [Test] UI - Add Playwright E2E tests with local PostgreSQL
Add a self-contained Playwright E2E test suite that runs against a local
PostgreSQL database instead of Neon. Tests cover role-based access for all
5 user roles (proxy admin, admin viewer, internal user, internal viewer,
team admin) and authentication flows.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 23:47:17 -07:00
yuneng-jiang 7250cba3db Merge pull request #24905 from BerriAI/litellm_pin_pip_2
[Infra] Pin All Docker Build Dependencies
2026-04-01 15:05:25 -07:00
Yuneng Jiang d038093562 add poetry lock 2026-04-01 14:28:15 -07:00
Yuneng Jiang 0fb5ab515d [Fix] Revert cryptography to 43.0.3 in pyproject.toml for Python 3.9.0/3.9.1 compat
cryptography 46.0.5 excludes Python 3.9.0 and 3.9.1, which conflicts
with pyproject.toml's python = ">=3.9,<4.0" range. Docker still uses
46.0.5 via requirements.txt.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 14:27:51 -07:00
Yuneng Jiang 85f72c9d24 [Fix] Remove unused aioboto3 dependency and botocore conflict workarounds
aioboto3 was listed as a dependency for async sagemaker calls but is not
imported anywhere in the codebase — async calls use httpx + botocore SigV4
instead. Removing it eliminates the unresolvable botocore version conflict
between boto3 and aiobotocore, along with all grep -v / --no-deps workarounds
across Dockerfiles and CI.

Also addresses Greptile review feedback: collapse redundant grpcio
python-version markers, bump pyproject.toml cryptography to 46.0.5 to
match Docker (GHSA-r6ph-v2qm-q3c2), and fix misleading .npmrc comment.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 14:25:44 -07:00
Yuneng Jiang 9c6d5f2b60 [Fix] Add aioitertools and wrapt to authorized licenses
Both are transitive deps of aiobotocore, added to requirements.txt in
the previous commit. aioitertools is MIT, wrapt is BSD.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 13:01:10 -07:00
Yuneng Jiang 821a634d25 [Fix] Handle boto3/aioboto3 botocore conflict across CI and Docker builds
boto3==1.42.80 and aioboto3==15.5.0 have incompatible botocore version
ranges. No aioboto3 release supports botocore 1.42.x yet. Both uv and
pip 26.0.1 reject the resolution.

Fix: filter aioboto3 out of requirements.txt at install time, then
install aioboto3+aiobotocore with --no-deps to bypass resolution.
Added wrapt and aioitertools to requirements.txt as pinned transitive
deps of aiobotocore (skipped by --no-deps). Fixed pip stdin handling
(/dev/stdin). Applied to all 5 Dockerfiles and all CircleCI install
paths.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 12:27:21 -07:00
Yuneng Jiang fc8eb81549 [Fix] Filter aioboto3 from resolver to fix boto3/aioboto3 conflict
boto3==1.42.80 and aioboto3==15.5.0 have incompatible botocore ranges.
Both uv and pip 26.0.1 reject the resolution. Fix: filter aioboto3 out
of requirements.txt at install time, then install aioboto3+aiobotocore
separately with --no-deps to bypass resolution. Removes uv-overrides.txt
which only partially addressed the conflict.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 11:57:07 -07:00
Yuneng Jiang b7849bff56 [Fix] Add boto3 override alongside botocore in uv-overrides.txt
aiobotocore[boto3] pins both boto3<1.40.62 and botocore<1.40.62.
The previous commit only overrode botocore. Added boto3 override too.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 11:49:25 -07:00
Yuneng Jiang 467abd1909 [Fix] Add uv override for boto3/aioboto3 botocore conflict
boto3==1.42.80 requires botocore>=1.42.80 but aioboto3==15.5.0 (via
aiobotocore==2.25.1) requires botocore<1.40.62. No aioboto3 release
supports botocore 1.42.x yet. pip's lenient resolver handles this for
Docker builds, but uv's strict resolver rejects it in CI. Added
uv-overrides.txt to force botocore to match boto3 during uv installs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 11:34:19 -07:00
Yuneng Jiang 43077af378 [Fix] Sync CircleCI dependency pins with requirements.txt
CircleCI had stale version pins (e.g. boto3==1.36.0, aioboto3==13.4.0) that
conflict with requirements.txt (boto3==1.42.80, aioboto3==15.5.0), causing
uv resolution failures. Updated all mismatched pins across config.yml and
.circleci/requirements.txt to match requirements.txt as the source of truth.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 11:27:44 -07:00
ishaan-berri e4442a4d98 test fix us.anthropic.claude-haiku-4-5-20251001-v1:0 (#24931)
* test fix us.anthropic.claude-haiku-4-5-20251001-v1:0

* ignore mypy cache files

---------

Co-authored-by: Ishaan Jaffer <ishaanjaffer0324@gmail.com>
Co-authored-by: David Chen <clfhhc@gmail.com>
2026-04-01 11:01:03 -07:00
David Chen c987bdba84 fix lint problem (#24932) 2026-04-01 10:24:37 -07:00
Yuneng Jiang 0d637b1a76 [Fix] Align requirements.txt versions with pyproject.toml after merge
After merging main, pyproject.toml had updated dependency versions but
requirements.txt still had the old pins. The Dockerfile builds litellm
from source (using pyproject.toml) then installs deps from
requirements.txt, so version mismatches cause pip resolution failures.

Updated 21 packages to match: openai, fastuuid, tiktoken,
importlib-metadata, tokenizers, click, jsonschema, fastapi, pyyaml,
uvicorn, boto3, mcp, orjson, polars, apscheduler, fastapi-sso, pyjwt,
python-multipart, azure-identity, rich, aiohttp.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 10:06:18 -07:00
Yuneng Jiang 6a2b03a850 [Infra] Merge main and resolve dependency pin conflicts
Resolve conflicts between pinned versions and main's caret ranges,
keeping exact pins. Add pytest-cov==5.0.0 from main. Regenerate
poetry.lock.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 09:55:13 -07:00
Yuneng Jiang 7bd6fa8509 [Fix] Add hf-xet to authorized packages in license check
hf-xet is Apache 2.0 licensed but PyPI metadata doesn't expose the
license string, so the automated checker can't determine it.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 09:51:29 -07:00
yuneng-jiang 0f88968da9 Merge pull request #24804 from joereyna/feat/add-codecov-to-ci
Re-add Codecov coverage reporting to GHA matrix workflow
2026-04-01 09:46:55 -07:00
Yuneng Jiang 7b277d36cd [Fix] Fix test failures and Docker build from pinned dependency upgrade
pytest-asyncio 1.x no longer provides an implicit event loop in sync
fixtures/tests. Make async-dependent fixtures and tests async, and
replace deprecated asyncio.get_event_loop() in tests. Switch
Dockerfile.build_from_pip from Alpine to Debian slim since
pyroscope-io 0.8.x has no musl wheels.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 09:43:33 -07:00
michelligabriele 283375f4d6 fix(proxy): eliminate race condition in streaming guardrail_information logging (#24592)
asyncio.create_task in CSW.__anext__ scheduled the deferred logging
callback as an independent task that raced with unified_guardrail's
end-of-stream block. For short-stream providers (Vertex AI, Azure,
Anthropic), the logging fired before guardrail_information was written,
causing post_call guardrail entries to be missing from
StandardLoggingPayload.

Move the deferred callback trigger from CSW.__anext__ to
ProxyLogging.async_post_call_streaming_iterator_hook (after the full
streaming pipeline completes). CSW now stores the assembled response
args; the outer consumer fires the callback after all guardrail
end-of-stream blocks finish. Also skip apply_guardrail guardrails in
_run_deferred_stream_guardrails to eliminate duplicate API calls.
2026-04-01 08:06:56 -07:00
Yuneng Jiang 62b3769fb4 [Infra] Update poetry.lock with pinned dependencies
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 00:28:27 -07:00
Yuneng Jiang 296dd3e8a2 [Infra] Fix pyproject.toml pins for Poetry Python 3.9 compatibility
Pin pyproject.toml deps from PyPI resolution of `pip install litellm[proxy]==1.83.0`
instead of Docker freeze versions. Docker builds (requirements.txt) and PyPI installs
(pyproject.toml) are independent dependency paths. Some packages pinned to 3.9-compatible
versions where latest requires >=3.10.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 00:25:38 -07:00
Yuneng Jiang 5f63873dca [Infra] Pin all Docker build dependencies to exact versions
Pin every dependency across all Docker builds so upgrades are intentional.
Verified by building all 3 production images and diffing pip freeze against
known-good v1.83.0-nightly baselines — zero version drift.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 00:05:39 -07:00
yuneng-jiang 33c3f13443 Merge pull request #24880 from stuxf/fix/codeql-ui-alerts
fix: resolve CodeQL high-severity alerts in UI components
2026-03-31 18:23:56 -07:00
ryan-crabbe-berri 2f1cfb0548 Merge pull request #24751 from BerriAI/litellm_ryan-march-28
litellm ryan march 28
2026-03-31 17:25:30 -07:00
yuneng-jiang a320dcc198 Merge pull request #24881 from BerriAI/litellm_release_action
[Infra] Add release workflow with cosign verification
2026-03-31 17:08:04 -07:00
joereyna c903845266 Use unique filenames per matrix job to preserve all coverage reports 2026-03-31 16:44:13 -07:00
joereyna 98a51e088d Remove debug step from upload-coverage job 2026-03-31 16:44:13 -07:00
joereyna 695d726352 Revert to --cov=litellm, add checkout and root_dir to upload job 2026-03-31 16:44:13 -07:00
joereyna b8eac3059a Measure coverage from repo root so filenames include litellm/ prefix 2026-03-31 16:44:13 -07:00
joereyna fdfd0e58ed Force coverage path remapping via explicit coverage xml step 2026-03-31 16:44:13 -07:00
joereyna 57c22d3a41 Add debug step to inspect coverage XML paths 2026-03-31 16:44:13 -07:00
joereyna 0687ebb130 Fix coverage paths: use absolute->relative remapping for Codecov 2026-03-31 16:44:13 -07:00
joereyna a8a3eb9d5b Fix Codecov path prefix via fixes directive 2026-03-31 16:44:13 -07:00
joereyna e7e0637f53 Fix coverage source paths for Codecov 2026-03-31 16:44:13 -07:00
joereyna 4d7045d981 Fix coverage path mismatch for Codecov 2026-03-31 16:44:13 -07:00
joereyna b55b3cfc05 Add pytest-cov to poetry.lock 2026-03-31 16:44:13 -07:00
joereyna 13660572ca Add pull-requests write permission for Codecov PR comments 2026-03-31 16:44:13 -07:00
joereyna aaa5973b88 Use OIDC for Codecov upload instead of static token 2026-03-31 16:44:13 -07:00
joereyna 8358650660 Isolate Codecov upload into separate job to protect CODECOV_TOKEN 2026-03-31 16:44:13 -07:00
joereyna b3eee71084 Pin codecov-action to immutable SHA (v5.5.4) 2026-03-31 16:44:12 -07:00
joereyna d38498c3ef Re-add Codecov coverage upload to GHA matrix workflow 2026-03-31 16:44:12 -07:00
ishaan-berri 94e0f44798 Merge pull request #24882 from BerriAI/worktree-piped-exploring-patterson
docs: JWT → Virtual Key Mapping guide
2026-03-31 16:34:47 -07:00
Ishaan Jaffer cbb84b6650 docs: add mermaid sequence diagram for JWT → key resolution flow 2026-03-31 16:33:27 -07:00
Ishaan Jaffer 64ec11df8b docs: fix unused import, clarify Claude Code JWT env var 2026-03-31 16:32:17 -07:00
Ishaan Jaffer f357177338 docs: add jwt_key_mapping to sidebar under Authentication 2026-03-31 16:31:27 -07:00
Ishaan Jaffer d3175a8262 docs: link JWT → Virtual Key Mapping from token_auth page 2026-03-31 16:31:23 -07:00
Ishaan Jaffer 83546cc57d docs: JWT → Virtual Key Mapping guide 2026-03-31 16:31:20 -07:00
Yuneng Jiang 8071691ffc [Fix] Address review feedback on release workflow
- Use nullish coalescing for potentially null response body
- Create release as draft first, then publish atomically to avoid partial-release state
- Pin cosign.pub URL to release tag instead of main branch

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 16:26:20 -07:00
user d12f8490bf fix: resolve CodeQL high-severity alerts in UI components
Source fixes:
- page.tsx: add explicit isValidReturnUrl() check at redirect site
- public_model_hub.tsx: replace() → replaceAll() for all wildcard occurrences
- CodeSnippets.tsx: escape backslashes before quotes in generated Python
- TeamGuardrailsTab.tsx: escape backslashes before quotes in generated YAML

CodeQL suppressions for false positives:
- ChatUI.tsx: sessionStorage for apiKey/apiKeySource (sessionStorage is
  correct per project policy — scoped to tab, cleared on close)
- ChatUI.tsx: setInputMessage(prompt) where prompt is a hardcoded literal
- mcp_server_edit.tsx, create_mcp_server.tsx: sessionStorage for OAuth state
- useMcpOAuthFlow.tsx, useUserMcpOAuthFlow.tsx: sessionStorage wrappers
- LoginPage.tsx: localStorage.getItem for worker URL in SSO flow

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 23:06:05 +00:00
Yuneng Jiang 05368d9b1a [Infra] Add cosign verification section to release notes
Prepend Docker image signature verification instructions to auto-generated
release notes, using the cosign public key committed to the repo.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 15:46:34 -07:00