Commit Graph

3052 Commits

Author SHA1 Message Date
yuneng-jiang 994976ce6f [Test] UI - Survey: add Vitest tests for ClaudeCodeModal, ClaudeCodePrompt, SurveyPrompt, and SurveyModal
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-09 11:48:56 -07:00
yuneng-jiang 81b223138a fix(test): update agents.test.tsx for AgentsPanel table refactor
AgentsPanel no longer renders AgentCardGrid — it uses a Table directly.
The two tests that looked for agent-card-grid are updated to instead verify
the Actions column header appears for admins and is absent for non-admins.
2026-03-07 23:50:06 -08:00
yuneng-jiang 063198cf8e fix: push org filter into DB query for /team/list, fix agents.tsx build
- _authorize_and_filter_teams now uses Prisma WHERE clause
  (organization_id IN ...) instead of fetching the full team table
- Add missing Switch import in agents.tsx (pre-existing build error)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-07 23:04:08 -08:00
yuneng-jiang 8f33983389 Merge remote-tracking branch 'origin' into litellm_org_admin_add_user_e2e 2026-03-07 22:58:57 -08:00
yuneng-jiang ce317148b9 feat: org admin access to team management — backend auth, UI visibility, tests
- Add _is_user_org_admin_for_team() reusable helper to common_utils.py
- Grant org admins access to /team/list, /team/info, /team/member_add,
  /team/member_delete, /team/member_update, /team/model/add,
  /team/model/delete, /team/permissions_list, /team/permissions_update
- Make validate_membership async with org admin fallback
- Add /user/list to self_managed_routes (endpoint handles own auth)
- UI: org admins see Members, Member Permissions, Settings tabs in team view
- UI: CreateUserButton uses useOrganizations() for org dropdown
- UI: org admin delete-member respects disable_team_admin_delete_team_user
- Add 16 unit tests for _is_user_org_admin_for_team, validate_membership,
  _user_is_org_admin route check, and privilege escalation prevention

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-07 22:43:09 -08:00
yuneng-jiang 8bf3c0c67f fix: org admin invite user — multi-org selector, organizations list in POST body, auth check
- Thread org objects {organization_id, organization_alias} instead of bare IDs from
  users/page.tsx → view_users.tsx → CreateUserButton so the selector can show aliases
- Replace single-select org dropdown with multi-select; always shown when organizationIds
  is non-null; disabled/pre-selected for single-org admins; displays "Alias (id)"
- handleCreate: maps organization_ids → organizations before POST, removes redundant
  organizationMemberAddCall (backend _add_user_to_organizations handles it)
- _user_is_org_admin: also checks organizations list field in addition to singular
  organization_id so /user/new succeeds for org admins
- Add 5 backend unit tests for _user_is_org_admin and 2 frontend tests for new form behavior

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-07 20:34:12 -08:00
Krish Dholakia cf439c269c Agents - add max budget + tpm/rpm limiting per agent AND per agent session (#22849)
* feat: enforce x-litellm-trace-id in header, if required

* feat: update spend for agent

* refactor: update agent table to follow similar format as other entities - also add a spend column - allows us to see spend of an agent

* fix: cleanup ui

* feat: return spend on agent endpoints

* feat: scope pr

* feat(agents/): support budgets + rate limiting on agents + agent sessions

* fix: address PR review feedback

- Add missing tpm_limit, rpm_limit, session_tpm_limit, session_rpm_limit
  columns to root schema.prisma to match proxy and extras schemas
- Add backwards-compatible fallback to key metadata for max_iterations
  so existing users don't silently lose enforcement

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: qa'ed RPM limiting on agents

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 19:12:42 -08:00
Krish Dholakia 03ca98123f Agents health checks (#23044)
* feat: add health check toggle to agents page

Backend:
- Add health_check query parameter to GET /v1/agents endpoint
- When health_check=true, performs concurrent GET requests to each agent's
  URL and filters out agents with unreachable URLs (5s timeout)
- Agents returning HTTP <500 are considered healthy; 5xx and connection
  errors mark agents as unhealthy

UI:
- Add Health Check toggle (Switch) to agents panel header
- Toggle triggers re-fetch with health_check=true, filtering the agent list
- Icon color changes (green/gray) to indicate toggle state
- Tooltip explains behavior: 'only agents with reachable URLs are shown'

Networking:
- Update getAgentsList to accept optional healthCheck boolean parameter

Tests:
- Backend: 9 new tests covering health check filtering, _check_agent_url_health
  helper (no URL, 200, 404, 500, connection error cases)
- UI: 3 new tests verifying toggle renders, initial fetch without health check,
  and fetch with health check after toggle click

Co-authored-by: Krish Dholakia <krrishdholakia@gmail.com>

* fix: fix greptile comment re: security issue

* fix: fix based on greptile feedback

* fix: align health check tests with implementation

- Rename test_should_return_unhealthy_when_no_url to
  test_should_return_healthy_when_no_url (implementation returns
  healthy=True for agents without a URL)
- Patch get_async_httpx_client instead of httpx.AsyncClient so mocks
  actually intercept the HTTP calls made by _check_agent_url_health
- Remove unnecessary __aenter__/__aexit__ context-manager mocks

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: undo _experimental/out renames from cherry-pick

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Update litellm/proxy/agent_endpoints/endpoints.py

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
2026-03-07 18:32:47 -08:00
yuneng-jiang 0a0c0d8017 Merge pull request #23080 from BerriAI/litellm_org_admin_invite_users
[Feature] UI - Internal Users: Allow Org Admins to View and Invite Users
2026-03-07 18:31:38 -08:00
Krish Dholakia e7714f0ce6 Fix CVEs: bump tar/minimatch/pypdf + harden Docker SBOM patching (#23082)
* fix(docker): bump tar/minimatch/pypdf for CVE fixes + harden SBOM patching

- Bump tar 7.5.8→7.5.10, minimatch 10.2.1→10.2.4, pypdf 6.6.2→6.7.3
- Add sed-based SBOM metadata patching with properly indented find/sed
- Add npm package manager cleanup (apk del / apt-get purge) to remove
  stale SBOM entries from image scanners
- Scope || true to only apk del via brace grouping { ... || true; }
- Guard npm root -g with non-empty assertion to prevent silent failures
- Scope minimatch sed regex to ^10.x to avoid matching other major versions

Addresses: CVE-2026-27903, CVE-2026-27904, GHSA-qffp-2rhf-9h96, CVE-2026-27888

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(docker): scope find to /usr/local/lib /usr/lib, drop autoremove

- Replace `find /` with `find /usr/local/lib /usr/lib` to avoid
  traversing /proc, /sys, /dev during SBOM metadata patching
- Remove `apt-get autoremove -y` from Debian-based Dockerfiles to
  prevent nodejs from being removed as an auto-installed dependency

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 18:31:27 -08:00
yuneng-jiang fd29d15a64 fix: use comma-separated organization_ids param instead of repeated query params
UI sends organization_ids=org1,org2,org3 and backend parses the
comma-separated string, matching the existing pattern used elsewhere.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 18:30:59 -08:00
yuneng-jiang 41d89ab84e fix: address review feedback for org admin user management
- Backend authorization: enforce server-side org scoping on /user/list.
  Non-proxy-admin callers must be org_admin; their permitted org IDs are
  fetched from the DB and intersected with any requested org filter.
- Race condition: gate userListQuery on org data being loaded for
  non-proxy-admin users (undefined = loading, null = no filter needed).
- Silent failure: surface organizationMemberAddCall errors via
  NotificationsManager instead of only console.error.
- Multi-org: org admins managing multiple orgs can choose which org to
  add the new user to via a dropdown (defaults to first org).
- Change organization_id param to List[str] (repeated query params)
  instead of comma-separated string.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 18:28:01 -08:00
yuneng-jiang 9e531195ec Merge pull request #23057 from BerriAI/litellm_fix_user_filter_scope
[Fix] User Filter Scope - Make Org-Scoping Opt-In
2026-03-07 18:22:26 -08:00
yuneng-jiang efcde74711 fix(test): update TeamInfo virtual keys tests for removed member count display
Updates two tests in TeamInfo.test.tsx that were asserting for "X Members" text that was removed from the TeamVirtualKeysTable component in commit ec4ef9c924.

- Changed test "should display X Members in Virtual Keys tab when navigated to" to assert for pagination controls instead
- Changed test "should show Filters and pagination controls in Virtual Keys tab" to wait for Filters button instead of member count

All 29 tests now pass.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-03-07 18:10:49 -08:00
yuneng-jiang cb7da3044d feat: allow org admins to view Internal Users page and invite users
Org admins can now see the Internal Users page in the left nav, view
users scoped to their organization(s), and invite new users who are
automatically added to the org. Proxy admins remain unaffected.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 17:40:29 -08:00
yuneng-jiang d1abe15bbe Merge pull request #23067 from BerriAI/litellm_fix_e2e_create_key
[Fix] Flaky E2E Tests for Create Key and Auth Redirect
2026-03-07 17:07:23 -08:00
Ryan Crabbe ec4ef9c924 tests: update tests to not assert member count text because we removed that from this view 2026-03-07 16:56:15 -08:00
yuneng-jiang 08e2ec3412 Fix flaky e2e tests by using regex selectors
The createKey test broke because the Models field changed from required
to optional (PR #22826), removing the asterisk from the accessible name.
The unauthenticated redirect test broke because the login URL now
includes a redirect_to query param. Both selectors now use regex to be
resilient to these kinds of changes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 16:43:33 -08:00
Ryan Crabbe 79e80aa151 fix: removed total count 2026-03-07 15:39:08 -08:00
yuneng-jiang c631708df6 feat: add opt-in scope_user_search_to_org flag for /user/filter/ui
PR #22722 made org-scoping unconditional on /user/filter/ui, which broke
team admins who aren't org admins (403 when searching users to add).
This makes org-scoping opt-in via a new UI Settings toggle, restoring
open search by default.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 15:38:31 -08:00
Ryan Crabbe dc9c2fe51f fix member count being on an irrelevant page 2026-03-07 15:34:12 -08:00
yuneng-jiang 6dd2a9a3ea Merge pull request #23053 from BerriAI/litellm_fix_chat_ui_link
[Fix] UI - Playground: Fix Open Chat UI button 404
2026-03-07 15:24:11 -08:00
Ishaan Jaff 28c33f53a3 CircleCI test stability (#23055)
* fix: resolve ruff lint errors and mypy type error

- Remove unused import get_user_credential (F401)
- Add noqa: PLR0915 for 3 large functions exceeding 50 statements
- Cast result_data['q'] to str for _append_domain_filters (mypy arg-type)

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: add /vertex_ai/live to supported endpoints and azure gpt-5.1 reasoning flags

- Add /vertex_ai/live to JSON schema validation enum in test_utils.py
- Add supports_none_reasoning_effort=true to 10 azure/gpt-5.1 model entries
  (matching the OpenAI gpt-5.1 behavior)

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: handle non-string team_alias/key_alias in PolicyMatchContext

Prevent Pydantic validation errors when team_alias or key_alias are not
proper strings (e.g. MagicMock in tests). Only pass values that are
actually strings; default to None otherwise.

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: initialize jwt_handler.litellm_jwtauth in JWT test

The test_jwt_non_admin_team_route_access test was failing because
user_api_key_auth now accesses jwt_handler.litellm_jwtauth.virtual_key_claim_field
before reaching the mocked JWTAuthManager.auth_builder. Initialize the
jwt_handler with a default LiteLLM_JWTAuth object.

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: add missing mock attributes to MCP server test

The test_add_update_server_fallback_to_server_id test was failing because
MagicMock auto-creates attributes when accessed. build_mcp_server_from_table
accesses many fields via getattr(), which on a MagicMock returns another
MagicMock instead of None, causing Pydantic validation errors in MCPServer.

Explicitly set all required mock attributes.

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: update UI tests for leftnav, navbar, and KeyLifecycleSettings

- leftnav: Add mock for useTeams hook, add isUserTeamAdminForAnyTeam to
  roles mock, update topLevelLabels to match current component menu items
- navbar: Add mocks for useDisableBouncingIcon, BlogDropdown, UserDropdown,
  and serverRootPath. Update test to work with the new component structure.
- KeyLifecycleSettings: Fix placeholder and tooltip assertions to match
  actual component behavior

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: update health check test assertion from 'connected' to 'healthy'

The /health/readiness endpoint now returns {"status": "healthy"} with the
DB status in a separate field, instead of the previous {"status": "connected"}.

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: clear litellm.api_key in OpenRouter validate_environment test

The test_validate_environment_raises_without_key test was failing because
litellm.api_key may be set globally in the test environment. Clear it
along with OPENROUTER_API_KEY and OR_API_KEY env vars using monkeypatch.

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: patch HTTPHandler class-level in VLLM embedding test

The test_encoding_format_not_sent_in_actual_request test was patching
client.post on an instance, but the handler uses the class method.
Patch HTTPHandler.post at class level, add caching=False to prevent
cache hits, and remove broad try/except that hid errors.

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: make test_redaction_responses_api_stream resilient to async callback timing

Replace fixed 1s sleep with polling wait for async_log_success_event.
Streaming success handler runs via asyncio.create_task; 1s was insufficient
in CI. Add 0.5s initial sleep for event loop to schedule the task, then
poll up to 10s for the callback to fire.

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: update dompurify and svgo to fix security CVEs

- CVE-2026-0540: dompurify XSS vulnerability - fix by upgrading to 3.3.2+
- CVE-2026-29074: svgo DoS via entity expansion - fix by upgrading to 3.3.3+

Added npm overrides in docs/my-website/package.json and regenerated
package-lock.json.

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: remove unused json import in config_override_endpoints.py

Ruff F401: json is imported but unused (safe_json_loads/safe_dumps
are used instead)

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: add missing MCP mock attributes and provider documentation entries

- Add missing mock attributes to test_add_update_server_with_alias and
  test_add_update_server_without_alias (same fix as fallback test)
- Add bedrock_mantle and searchapi to provider_endpoints_support.json
- Remove unused json import from config_override_endpoints.py

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: override _supports_reasoning_effort_level for Azure gpt5_series prefix

The Azure GPT-5 config uses 'gpt5_series/' as a routing prefix, but
_supports_factory(model='gpt5_series/gpt-5.1') fails to resolve because
'gpt5_series' is not a recognized provider. Override the method to strip
the prefix and prepend 'azure/' for correct model info lookup.

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: accept both 'healthy' and 'connected' in health check test

The test_health_and_chat_completion test runs against both source builds
(which return 'healthy') and pip-installed versions (which may return
'connected'). Accept both values.

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: mock extract_mcp_auth_context in streamable HTTP MCP handler test

The handle_streamable_http_mcp function now calls extract_mcp_auth_context
before session_manager.handle_request, but the test didn't mock it. The
auth extraction fails with the minimal mock scope, preventing
handle_request from being called. Also relax assertion to not check
exact args since the send wrapper may be modified by debug injection.

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: add test for _combine_fallback_usage to satisfy router code coverage

The router_code_coverage.py check requires all functions in router.py
to be called in test files. Add a basic test for _combine_fallback_usage.

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: add @log_guardrail_information decorator to CrowdStrike AIDR guardrail

The check_guardrail_apply_decorator.py CI check requires all guardrail
apply_guardrail methods to have the @log_guardrail_information decorator.
The CrowdStrike AIDR handler was missing it.

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: document PRISMA_RECONNECT_ESCALATION_THRESHOLD and REDIS_CLUSTER_NODES env keys

Add missing environment variable documentation to config_settings.md
to satisfy the test_env_keys.py CI check.

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: document enforced_file_expires_after and enforced_batch_output_expires_after in new_team docstring

The test_api_docs.py CI check validates that all Pydantic model fields
are documented in the function docstring. Add missing parameter docs
for enforced_file_expires_after and enforced_batch_output_expires_after.

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: regenerate poetry.lock to match pyproject.toml

The poetry.lock file was out of sync with pyproject.toml, causing
proxy_e2e_azure_batches_tests to fail during dependency installation.

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: set master_key=None in test_create_file_with_deep_nested_litellm_metadata

The test was missing the master_key monkeypatch that other tests in the
same file set. In CI with parallel execution (-n 4), another test may
set master_key to a non-None value, causing auth failures (500) when
the test sends 'Bearer test-key'.

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: document enforced_*_expires_after in update_team docstring too

Same missing params as new_team - also needed in update_team docstring
for the test_api_docs.py CI check to pass.

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: use get_async_httpx_client in a2a_protocol and add master_key monkeypatch to files tests

- Replace httpx.AsyncClient() with get_async_httpx_client() in a2a_protocol/main.py
  to satisfy the ensure_async_clients_test CI check
- Add httpxSpecialProvider.A2AProvider enum value
- Add master_key=None monkeypatch to test_managed_files_with_loadbalancing

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: remove unused httpx import from a2a_protocol/main.py

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: use cache-key-only param for A2A extra_headers to avoid AsyncHTTPHandler init error

The 'extra_headers' key in params was being passed to AsyncHTTPHandler.__init__()
which doesn't accept it. Use 'disable_aiohttp_transport' as the cache-key-only
param since it's explicitly filtered out before reaching the constructor.

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: add additionalProperties:false and resolve $defs/$ref in Anthropic output_format schemas

Anthropic API now requires additionalProperties=false for all object-type
schemas in output_format. Also resolve $defs/$ref references by inlining
them using unpack_defs before sending to Anthropic, since Anthropic
doesn't support external schema references.

Fixes: llm_translation_testing Anthropic JSON schema failures

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: allowlist CVE-2026-2297 and GHSA-qffp-2rhf-9h96 in security scans

- CVE-2026-2297: Python 3.13 SourcelessFileLoader audit hook bypass,
  no fix available in base image
- GHSA-qffp-2rhf-9h96: tar hardlink path traversal, from nodejs_wheel
  bundled npm, not used in application runtime code

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: isolate files endpoint tests from shared proxy state in CI parallel execution

Override user_api_key_auth dependency to return a fixed UserAPIKeyAuth
with PROXY_ADMIN role, avoiding auth lookups via prisma_client,
user_api_key_cache, or master_key. Set prisma_client=None to prevent
DB state contamination. Use try/finally to clean up dependency overrides.

Fixes persistent test_create_file_with_deep_nested_litellm_metadata and
test_managed_files_with_loadbalancing 500 errors in CI with -n 4.

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* fix: apply same auth override to test_managed_files_with_loadbalancing

Same CI parallel execution fix as test_create_file_with_deep_nested -
override user_api_key_auth dependency and set prisma_client=None.

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>
2026-03-07 15:19:39 -08:00
yuneng-jiang ff6dc51987 fix(ui): fix playground banner Open Chat UI button 404
The banner's href was hardcoded to /chat, missing both the /ui/ prefix
and any server_root_path prefix. Use useUIConfig to build the same
chatHref as the navbar does.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-07 15:06:28 -08:00
Ishaan Jaff cfd0e2cf99 [Feat] UI Polish - MCP Servers page - show transport type (#23051)
* Update AGENTS.md with additional Cursor Cloud setup notes

- Add note about openapi-core dependency needed for OpenAPI compliance tests
- Add note about poetry lock fallback when lock file is out of sync

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* Sync lock files with current dependency specs

- poetry.lock: regenerated to match pyproject.toml (litellm-proxy-extras 0.4.50 -> 0.4.51)
- package-lock.json: updated from npm install

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* Polish MCP Servers UI for enterprise-grade look and feel

10 improvements to the MCP Servers table and related components:

1. Remove debug console.logs from mcp_servers.tsx
2. Fix health status icons: distinct ✓/✗/? per state instead of identical dots
3. Health status badges: proper pill styling with rounded-full and borders
4. Health loading state: subtle pulsing dot instead of raw SVG spinner
5. Transport column: color-coded badges (HTTP=blue, SSE=purple, STDIO=amber, OPENAPI=teal)
6. Auth type column: color-coded badges (oauth2=indigo, bearer_token=sky, api_key=emerald)
7. Server ID chip: rounded corners, border, and transition effect
8. Filter bar: lighter border, cleaner labels, vertical divider between filters
9. Network Access: pill badges with colored dots (Public/Internal)
10. Date columns: shorter headers, dash for missing values, tooltip with full datetime

Also:
- Improved delete modal: cleaner layout, neutral background instead of red
- Access Groups column: shows first group with +N count instead of truncated text
- Empty state message includes CTA guidance
- Updated test to match renamed filter label

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* Polish MCP server detail views and table refinements (round 2)

10 more enterprise polish improvements:

1. Overview cards: use color-coded badges for Transport and Auth Type values
2. Overview cards: fix 'Host Url' typo -> 'Host URL', uppercase card labels
3. Settings tab: show em-dash placeholder for empty/missing values
4. Settings tab: use consistent Transport/Auth/Network badge styling matching table
5. Settings tab: definition-list layout with label/value grid columns
6. Server detail header: show server name prominently with alias as badge
7. Server detail header: show description below name, smaller server ID
8. Actions column: improved hover states with background color transitions
9. Credential column: pill badge for Connected state, shadow on Connect button
10. Table header: server count badge next to title, CTA button moved right

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

* Revert colorful transport/auth badges to neutral gray

Color should only carry semantic meaning. Transport type (HTTP/SSE) and
auth type (oauth2/bearer_token) are informational labels, not status
indicators, so they use a uniform gray badge.

Color remains on:
- Health status: green (healthy), red (unhealthy)
- Network access: green (public), orange (internal)
- Credential: green (connected)

Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>
2026-03-07 13:05:46 -08:00
Ryan Crabbe 52e530bc8c fix(ui): use icon prop on Save Changes button to fix duplicate loading spinner
Move SaveOutlined from button children to the icon prop so Ant Design
properly replaces it with a spinner during loading state.
2026-03-07 12:15:38 -08:00
ryan-crabbe fe1ee4b039 Merge pull request #23036 from BerriAI/litellm_hashicorp_vault_frontend
Litellm hashicorp vault frontend
2026-03-07 11:04:14 -08:00
Ryan Crabbe 2390ab2c2c fix: align detectAuthMethod priority with backend 2026-03-07 11:04:01 -08:00
Ryan Crabbe e697b81b3f fix(ui): make Add Member button primary with icon and loading state 2026-03-07 10:36:39 -08:00
Ryan Crabbe 536457fb31 address review: use AntD Flex/Space, extract vault API from networking 2026-03-07 10:30:40 -08:00
Ryan Crabbe 0dff602423 fix: align frontend sensitive fields with backend 2026-03-07 09:18:32 -08:00
Ryan Crabbe 37de206c5b polish changes 2026-03-07 08:58:28 -08:00
yuneng-jiang aae0c81cd1 [Fix] UI Chat - respect SERVER_ROOT_PATH for chat and back-to-console links
The Chat button in the navbar and the "back to Developer Console" link
in ChatPage used the `serverRootPath` module variable directly, which is
initialized to "/" and only updated after `getUiConfig` resolves. Since
React does not re-render on module variable changes, the links computed
their hrefs with the stale default, ignoring any configured
SERVER_ROOT_PATH.

Both components now call `useUIConfig()` (React Query, cached) to
reactively read `server_root_path`, matching the pattern used elsewhere
in the UI.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-06 22:07:45 -08:00
Krish Dholakia ff8e01d20b feat: Add Canadian PII protection (PIPEDA) (#22951)
* feat: Add Canadian PII protection patterns and PIPEDA-compliant policy template

Adds 6 new Canadian PII regex pattern detectors to patterns.json:
- ca_sin: Social Insurance Number (PIPEDA Privacy Act, Income Tax Act)
- ca_ohip: Ontario Health Insurance Plan Number (PHIPA)
- ca_on_drivers_licence: Ontario driver's licence (HTA, PIPEDA)
- ca_immigration_doc: IRCC immigration docs (UCI, work/study permits, IMM refs)
- ca_bank_account: Canadian bank account routing (transit-institution-account)
- ca_postal_code: Canadian postal code (Canada Post spec)

Adds comprehensive policy template 'canadian-pii-protection' (id: canadian-pii-protection)
with 5 sub-guardrails grouping patterns by data type. All patterns include contextual
keyword matching (English + French keywords where applicable) to reduce false positives.
Complements existing passport_canada pattern.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* feat: Add Canadian PII compliance dataset and tests (57 tests)

Adds:
- test_ca_patterns.py: 30 unit tests for regex pattern matching (SIN, OHIP,
  driver's licence, immigration docs, bank account, postal code)
- test_ca_policy_e2e.py: 27 end-to-end tests running the full
  ContentFilterGuardrail pipeline with MASK action — validates detection
  of real PII and pass-through of clean prompts
- canadianPiiCompliancePrompts.ts: 21-prompt compliance dataset for UI
  evaluation, wired into the main compliancePrompts framework

Fixes keyword_pattern alternation ordering in patterns.json — longer
alternatives (e.g. "social insurance number") now precede shorter ones
("social insurance") to avoid excessive gap-word count when the regex
engine selects the shorter match first.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* feat: Add University of Toronto FIPPA identifier patterns and tests (36 tests)

Add 3 UofT institutional identifiers (student/employee number, UTORid, TCard)
covered under Ontario FIPPA. Includes pattern definitions, policy template
sub-guardrail, compliance prompts, unit tests, and e2e tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: Correct test assertion bug and inaccurate docstring

Fix test_utorid_masked checking `result` (dict) instead of `output` (string).
Update test_ca_policy_e2e.py docstring to clarify scope vs UofT tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: Address Greptile review feedback

- Tighten ca_postal_code keyword_pattern: replace broad "address" with
  specific compound terms (mailing/street/shipping/home address)
- Add missing "PIPEDA" tag to policy_templates.json for discoverability
- Add us_phone pattern to test_ca_policy_e2e.py setup to match deployed template
- Add phone number e2e test for complete coverage

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: Tighten patterns to reduce false positives and add missing test coverage

- ca_sin: reject leading-zero SINs ([1-9]\d{2}), set allow_word_numbers to false
- ca_immigration_doc: require separators in UCI pattern (prevent bare \d{10} match)
- uoft_utorid: qualify generic keywords (acorn -> acorn login, quercus -> quercus login)
- uoft_tcard: remove generic keywords (student card, id card, library card) that
  overlap with credit card contexts; keep only UofT-specific terms (tcard, campus card)
- Add visa/mastercard/amex/iban patterns to test_ca_policy_e2e.py setup to match
  deployed template; add Visa card masking test
- Add test verifying "student card" no longer triggers TCard redaction

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
2026-03-06 18:27:31 -08:00
Ryan Crabbe 8388e77b59 wire in the hashicorp settings 2026-03-06 18:26:30 -08:00
yuneng-jiang a323d37a5d Merge pull request #23009 from BerriAI/feature/vkey-modal-squashed
[Infra] Resolve Merge Conflicts for #21065
2026-03-06 18:14:18 -08:00
Ryan Crabbe 1a395e1bae Merge branch 'main' into litellm_hashicorp_vault_frontend 2026-03-06 18:12:15 -08:00
yuneng-jiang a0fb994ef0 [Test] Add unit tests for 5 untested policy components
Adds Vitest + RTL test files for policy_table, policy_templates,
guardrail_selection_modal, impact_popover, and add_attachment_form.
53 tests total covering rendering, user interactions, API calls,
and conditional UI behavior.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-06 17:22:39 -08:00
yuneng-jiang 34769fdbf4 Merge remote-tracking branch 'origin' into feature/vkey-modal-squashed 2026-03-06 16:51:21 -08:00
Sameer Kankute 8b0375f99c Merge pull request #22888 from BerriAI/litellm_a2a-custom-headers
[Feat] Add a2a custom headers
2026-03-06 18:24:21 +05:30
yuneng-jiang e468b0278f [Fix] Key Expiry Default Duration - support null to never expire
Support passing duration=null on /key/update to reset a key's expiry to never expires, alongside the existing "-1" magic string (kept for backward compat).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-05 20:54:30 -08:00
Ishaan Jaff 83e237bac2 fix(chat): fix /ui/chat routing, Suspense boundary, serverRootPath support (#22945)
* fix(chat): fix router.push paths to use /ui/chat with serverRootPath support

* fix(chat): wrap chat page in Suspense boundary for Next.js static export

* fix(chat): fix clipboard writeText rejection handler - remove undefined message.error call

* feat(chat): rebuild UI with routing fixes

* fix(chat): use useTheme logoUrl + /get_image fallback for sidebar logo

* feat(chat): rebuild UI with logo fix

* fix(chat): use /get_image directly for logo (no ThemeProvider outside dashboard layout)

* feat(chat): add multi-model comparison and provider logos in chat UI

- Replace single model selector with multi-select (up to 3 models)
- Show provider logos next to model names in dropdown (openai, anthropic, gemini, mistral, groq, etc.)
- Selected models float to the top of the dropdown list
- Multi-model mode: responses stream in parallel side-by-side cards below each user message
- Multi-turn: each follow-up message carries full per-model history as context
- Surface API errors inline in response cards instead of silently swallowing them
- Rebuild UI
2026-03-05 20:00:25 -08:00
Sameer Kankute 91a8937705 Merge pull request #22750 from BerriAI/litellm_mcp_doc_update
[Chore] update mcp documentation for header forwarding
2026-03-06 09:14:48 +05:30
Ishaan Jaff ec600aa70a feat(ui): add Chat UI — ChatGPT-like interface with MCP tools and streaming (#22937)
* feat(ui): add chat message and conversation types

* feat(ui): add useChatHistory hook for localStorage-backed conversations

* feat(ui): add ConversationList sidebar component

* feat(ui): add MCPConnectPicker for attaching MCP servers to chat

* feat(ui): add ModelSelector dropdown for chat

* feat(ui): add ChatInputBar with MCP tool attachment support

* feat(ui): add MCPAppsPanel with list/detail view for MCP servers

* feat(ui): add ChatMessages component; remove auto-scrollIntoView that caused scroll-lock bypass

* feat(ui): add ChatPage — ChatGPT-like UI with scroll lock, MCP tools, streaming

* feat(ui): add /chat route wired to ChatPage

* feat(ui): remove chat from leftnav — chat accessible via navbar button

* feat(ui): add Chat button to top navbar

* feat(ui): add dismissible Chat UI announcement banner to Playground page

* feat(proxy): add Chat UI link to Swagger description

* feat(ui): add react-markdown and syntax-highlighter deps for chat UI

* fix(ui): replace missing BorderOutlined import with inline stop icon div

* fix(ui): apply remark-gfm plugin to ReactMarkdown for GFM support

* fix(ui): remove unused isEvenRow variable in MCPAppsPanel

* fix(ui): add ellipsis when truncating conversation title

* fix(ui): wire search button to chats view; remove non-functional keyboard hint

* fix(ui): use serverRootPath in navbar chat link for sub-path deployments

* fix(ui): remove unused ChatInputBar and ModelSelector files

* fix(ui): correct grid bottom-border condition for odd server count

* fix(chat): move localStorage writes out of setConversations updater (React purity)

* fix(chat): fix stale closure in handleEditAndResend - compute history before async state update

* fix(chat): fix 4 issues in ChatMessages - array redaction, clipboard error, inline detection, remove unused ref
2026-03-05 18:13:04 -08:00
yuneng-jiang 92b3160206 Merge pull request #22858 from BerriAI/litellm_rbac_vector_agents
[Feature] RBAC for Vector Stores and Agents
2026-03-05 16:40:38 -08:00
Ryan Crabbe c98da10b84 feat: Hashicorp Vault config UI components
Add settings panel, edit modal, and delete flow for managing Hashicorp
Vault configuration from the admin UI. Extract shared constants, use
React Query hooks, and align error handling with deriveErrorMessage
pattern.
2026-03-05 16:34:25 -08:00
yuneng-jiang b3c092f489 [Fix] Address code review: delegate team admin check to shared helper, fix sidebar team admin exemption
- rbac_utils.py: remove duplicated _check_if_team_admin/_is_user_team_admin_for_any_team;
  delegate to _user_has_admin_privileges from management_endpoints/common_utils with the
  shared user_api_key_cache (fixes no-op DualCache and missing org admin coverage)
- test_rbac_utils.py: update patch target to match new delegation path
- SidebarProvider.tsx: pass allowAgentsForTeamAdmins and allowVectorStoresForTeamAdmins
  props to Sidebar
- leftnav.tsx: add useTeams hook + isTeamAdmin memo; exempt team admins from sidebar
  filtering when allow_*_for_team_admins is enabled (fixes frontend/backend inconsistency)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-05 15:04:33 -08:00
yuneng-jiang 4e7b0fcfdf [Test] Add Vitest unit tests for policies components
Add 58 unit tests across 5 files in ui/litellm-dashboard/src/components/policies/:
- build_attachment_data.test.ts: pure logic tests for global vs specific scope
- impact_preview_alert.test.tsx: rendering for global scope warning and specific scope counts/tags
- PolicySelector.test.tsx: pure function tests for getPolicyOptionEntries/policyVersionRef + component fetch/disable behavior
- policy_info.test.tsx: loading, not-found, policy details rendering, admin gating, onClose/onEdit callbacks
- attachment_table.test.tsx: loading/empty states, row rendering, scope badges, delete admin gating

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-05 14:00:46 -08:00
Sameer Kankute 5183a6e850 Merge pull request #22866 from mubashir1osmani/feat/bedrock-mantle-provider-clean
feat: bedrock mantle provider
2026-03-05 18:24:00 +05:30
Sameer Kankute 36d279ab42 feat(ui/agents): add Authentication Headers section to agent create/edit form
Add a new "Authentication Headers" panel to AgentFormFields:
- Static Headers: key-value Form.List (always sent to the backend agent,
  static wins on conflict with dynamic)
- Forward Client Headers: Select[tags] of header names to extract from
  the client request and forward (extra_headers)

Update buildAgentDataFromForm to serialize both fields for the API.
Update parseAgentForForm to deserialize them back for editing.
Covers both the create wizard (add_agent_form) and the edit view (agent_info).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-05 14:34:11 +05:30