Commit Graph

429 Commits

Author SHA1 Message Date
Ishaan Jaff f3749709b8 Bug Fix - Responses API raises error with Gemini Tool Calls in input (#13260)
* add _transform_responses_api_function_call_to_chat_completion_message

* test_responses_api_with_tool_calls

* TestFunctionCallTransformation

* fixes for responses API testing google ai studio

* TestGoogleAIStudioResponsesAPITest

* test_responses_api_with_tool_calls

* test_responses_api_with_tool_calls

* test_basic_openai_responses_streaming_delete_endpoint
2025-08-04 12:01:33 -07:00
Jugal D. Bhatt 36229dc69f [LLM Translation] Fix Model Usage not having text tokens (#13234)
* fix + test

* remove test comments

* fix mypy

* fix mypy

* fix tests
2025-08-04 21:06:49 +05:30
Krish Dholakia 3119064e94 Prompt Management - add prompts on UI (#13240)
* fix(create_key_button.tsx): add prompts on UI

* feat(key_management_endpoints.py): support adding prompt to key via `/key/update`

* fix(key_info_view.tsx): show existing prompts on key in key_info_view.tsx

* fix(key_edit_view.tsx): UX - disable premium feature for non-premium users

prevent accidental clicking

* fix(create_key_button.tsx): disable premium features behind flag, prevent errors

* feat(prompts.tsx): add new ui component to view created prompts

enables viewing prompts created on config

* feat(prompt_info.tsx): add component for viewing the prompt information

* feat(prompt_endpoints.py): support converting dotprompt to json structure + accept json structure in promptmanager

allows prompt manager to work with api endpoints

* test(test_prompt_manager.py): add unit tests for json data input

* feat(dotprompt/__init__.py): add prompt data to dotpromptmanager

* fix(prompt_endpoints.py): working crud endpoints for prompt management

* feat(prompts/): support `prompt_file` for dotprompt

allows to precisely point to the prompt file a prompt should use

* feat(proxy/utils.py): resolve prompt id correctly

resolves user sent prompt id with internal prompt id

* feat(schema.prisma): initial pr with db schema for prompt management table

allows post endpoints to work with backend

* feat(prompt_endpoints.py): use db in patch_prompt endpoint

* feat(prompt_endpoints.py): use db for update_prompt endpoint

* feat(prompt_endpoints.py): use db on prompt delete endpoint

* build(schema.prisma): add prompt tale to schema.prisma in litellm-proxy-extras

* build(migration.sql): add new sql migration file

* fix(init_prompts.py): fix init

* feat(prompt_info_view.tsx): show the raw prompt template on ui

allows developer to know the prompt template they'll be calling

* feat(add_prompt_form.tsx): working ui add prompt flow

allows user to add prompts to litellm via ui

* build(ui/): styling fixes

* build(ui/): prompts.tsx

styling improvements

* fix(add_prompt_form.tsx): styling improvements

* build(prompts.tsx): styling improvements

* build(ui/): styling improvements

* build(ui/): fix ui error

* fix: fix ruff check

* docs: document new api params

* test: update tests
2025-08-02 22:33:37 -07:00
Ishaan Jaff 2dd9361cd9 Revert "Revert "Fix SSO Logout | Create Unified Login Page with SSO and Username/Password Options (#12703)""
This reverts commit 5fe37b6f72060add859a22ddda0665cd1635f98f.
2025-08-02 12:25:22 -07:00
Ishaan Jaff af9031ba41 Revert "Fix SSO Logout | Create Unified Login Page with SSO and Username/Password Options (#12703)"
This reverts commit a752d7acc9.
2025-08-02 12:25:22 -07:00
Krish Dholakia 342fd2d8b6 Revert "fix: role chaining and session name with webauthentication for aws be…" (#13230)
This reverts commit 0ac093b59e.
2025-08-02 10:11:58 -07:00
Alexander Yastrebov 825923e7be litellm/proxy: preserve model order of /v1/models and /model_group/info (#13178)
Closes #12644

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
2025-08-02 08:57:38 -07:00
Richard Tweed 0ac093b59e fix: role chaining and session name with webauthentication for aws bedrock (#13205)
* fix(bedrock): prevent duplicate role assumption in EKS/IRSA environments

Fixes issue where AWS role assumption would fail in EKS/IRSA environments
when trying to assume the same role that's already being used.

The problem occurred when:
1. EKS/IRSA automatically assumes a role (e.g., LitellmRole)
2. LiteLLM tries to assume the same role again, causing AccessDenied errors
3. Different models with different roles would fail due to incorrect role context

Changes:
- Added check in _auth_with_aws_role() to detect if already using target role
- Skip role assumption if current identity matches target role
- Return current credentials instead of attempting duplicate assumption
- Added comprehensive test coverage for the fix

This ensures proper role chaining works in EKS/IRSA environments where:
- Service Account can assume Role A
- Role A can assume Role B for different models/accounts

Resolves the AccessDenied errors reported in bedrock usage scenarios.

* fix(bedrock): simplify role assumption for EKS/IRSA environments

Fixes AWS Bedrock role assumption in EKS/IRSA environments by properly
handling ambient credentials when no explicit credentials are provided.

The issue occurred because commit 197e7efa8f
introduced changes that broke role assumption in EKS/IRSA environments.

Changes:
- Simplified _auth_with_aws_role() to use ambient credentials when no
  explicit AWS credentials are provided (aws_access_key_id and
  aws_secret_access_key are both None)
- This allows web identity tokens in EKS/IRSA to work automatically
  through boto3's credential chain
- Maintains backward compatibility for explicit credential scenarios

Added comprehensive test coverage:
- test_eks_irsa_ambient_credentials_used: Verifies ambient credentials work
- test_explicit_credentials_used_when_provided: Ensures explicit creds still work
- test_partial_credentials_still_use_ambient: Edge case handling
- test_cross_account_role_assumption: Multi-account scenarios
- test_role_assumption_with_custom_session_name: Custom session names
- test_role_assumption_ttl_calculation: TTL calculation verification
- test_role_assumption_error_handling: Error propagation
- test_multiple_role_assumptions_in_sequence: Sequential role assumptions

This fix ensures that in EKS/IRSA environments:
1. Service accounts can assume their initial role via web identity
2. That role can then assume other roles across accounts as configured
3. Different models can use different roles without conflicts

* fix(bedrock): add automatic IRSA detection for EKS environments

- Detect AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN environment variables
- Automatically use web identity token flow when IRSA is detected
- Read web identity token from file and pass to existing auth method
- Add test coverage for IRSA environment detection
- Fixes authentication errors in EKS with IRSA when no explicit credentials provided

* fix(bedrock): skip role assumption when IRSA role matches requested role

- Detect when AWS_ROLE_ARN environment variable matches the requested role
- Skip unnecessary role assumption when already running as the target role
- Use existing env vars authentication method for IRSA credentials
- Add test coverage for same-role IRSA scenario
- Fixes 'not authorized to perform: sts:AssumeRole' errors when trying to assume the same role

* fix(bedrock): use boto3's native IRSA support for cross-account role assumption

- Replace custom web identity token handling with boto3's built-in IRSA support
- boto3 automatically reads AWS_WEB_IDENTITY_TOKEN_FILE and assumes initial role
- Then use standard assume_role for cross-account access
- Update test to mock boto3 STS client instead of internal methods
- Fixes 'OIDC token could not be retrieved from secret manager' error

* fix(bedrock): improve IRSA error handling and add debug logging

- Add debug logging to show current identity and role assumption attempts
- Provide clearer error messages for trust policy issues
- Fix region handling in IRSA flow
- Re-raise exceptions instead of silently falling through
- This helps diagnose cross-account role assumption permission issues

* fix(bedrock): manually assume IRSA role with correct session name for cross-account scenarios

- When doing cross-account role assumption, manually assume the IRSA role first with the desired session name
- This ensures the session name in the assumed role ARN matches what's expected in trust policies
- For same-account scenarios, continue using boto3's automatic IRSA support
- Updated tests to handle the new flow
- This fixes the issue where cross-account trust policies require specific session names

* fix: Fix linting issues in base_aws_llm.py

- Fix f-string without placeholders (F541)
- Refactor _auth_with_aws_role to reduce statements count (PLR0915)
  - Extract _handle_irsa_cross_account helper method
  - Extract _handle_irsa_same_account helper method
  - Extract _extract_credentials_and_ttl helper method

---------

Co-authored-by: openhands <openhands@all-hands.dev>
2025-08-02 08:55:35 -07:00
Sameer Kankute 1e33dc50a0 add Perplexity citation annotations support (#13225) 2025-08-02 08:47:35 -07:00
Jugal D. Bhatt a4c11600a9 [LLM] fix model reload on model update (#13216)
* fix model reload on model update

* remove the flag
2025-08-01 18:08:02 -07:00
Jugal D. Bhatt 3867813277 [Proxy]fix key mgmt (#13148)
* fix key mgmt

* Add unit test
2025-08-01 17:17:15 -07:00
Ishaan Jaff 1358978abb test_recreate_prisma_client_successful_disconnect 2025-08-01 15:38:48 -07:00
Jugal D. Bhatt bfabf2709a [LLM translation] Fix bedrock computer use #13143 (#13150)
* fix json test

* fix pr

* fix bedrock computer use tool

* added unit test

* fix failing prisma tesT

* fix prisma connect
2025-08-01 15:02:44 -07:00
Krrish Dholakia d158a0344d test: update unit tests 2025-08-01 13:37:51 -07:00
Krrish Dholakia 72fd4e3d55 test: remove bad unit tests 2025-08-01 13:34:23 -07:00
Krrish Dholakia e3c9fc458d test: update tests 2025-08-01 09:19:31 -07:00
Krrish Dholakia 461b615bde test: update tests 2025-08-01 09:12:44 -07:00
Krrish Dholakia fe24c270de Prompt Management - add local dotprompt file support 2025-07-31 22:28:29 -07:00
Jason Roberts 04c299410e Fix/panw prisma airs post call hook (#13185)
* fix(guardrails): Fix PANW Prisma AIRS post-call hook method name

- Changed async_post_call_hook to async_post_call_success_hook to match proxy calling convention
- Added event_hook parameter to initialization to ensure proper hook registration
- Fixes post-call response scanning for PANW Prisma AIRS guardrails

Resolves issue where post-call hooks were not being invoked due to method name mismatch.

* Update PANW Prisma AIRS tests to use correct method name
2025-07-31 21:50:32 -07:00
Krish Dholakia 78997c2e35 Anthropic - working mid-stream fallbacks (#13149)
* fix(router.py): add acompletion_streaming_iterator inside router

allows router to catch errors mid-stream for fallbacks

Work for https://github.com/BerriAI/litellm/issues/6532

* fix(router.py): working mid-stream fallbacks

* fix(router.py): more iterations

* fix(router.py): working mid-stream fallbacks with fallbacks set on router

* fix(router.py): pass prior content back in new request as assistant prefix message

* fix(router.py): add a system prompt to help guide non-prefix supporting models to use the continued text correctly

* fix(common_utils.py): support converting `prefix: true` for non-prefix supporting models

* fix: reduce LOC in function

* test(test_router.py): add unit tests for new function

* test: add basic unit test

* fix(router.py): ensure return type of fallback stream is compatible with CustomStreamWrapper

prevent client code from breaking

* fix: cleanup

* test: update test

* fix: fix linting error
2025-07-31 21:22:49 -07:00
Cole McIntosh 0666ede8e3 fix: correct patch path in langfuse test for MAX_LANGFUSE_INITIALIZED_CLIENTS (#13192)
The test was failing because it was trying to patch MAX_LANGFUSE_INITIALIZED_CLIENTS
at the wrong path. The constant is imported from litellm.constants into the langfuse
module namespace, so we need to use patch.object on the imported module reference.

Changes:
- Import langfuse module explicitly for patching
- Use patch.object instead of patch string path
- This fixes the AttributeError that was causing CI failures
2025-07-31 17:11:28 -07:00
Ishaan Jaff ee70d593c1 [Feat] Allow redacting message / response content for specific logging integrations - DD LLM Observability (#13158)
* fix redact_standard_logging_payload

* add StandardCustomLoggerInitParams

* allow defining DatadogLLMObsInitParams

* fix init DataDogLLMObsLogger

* fix import

* update redact_standard_logging_payload_from_model_call_details

* test_dd_llms_obs_redaction

* docs DD logging

* docs DD

* docs DD

* Redacting Messages, Response docs DD LLM Obs

* fix redaction logic

* fix create_llm_obs_payload

* fix logging response

* fixes

* ruff fix

* fix test

* test_dd_llms_obs_redaction

* test_create_llm_obs_payload

* redact_standard_logging_payload_from_model_call_details

* img - dd_llm_obs

* docs DD

* fix linting

* fix linting

* fix mypy

* test_create_llm_obs_payload

* test_create_llm_obs_payload

* fix mock_env_vars

* fix _handle_anthropic_messages_response_logging
2025-07-31 16:44:16 -07:00
Ishaan Jaff 115d2480c1 [Bug Fix] Infra - ensure that stale Prisma clients disconnect DB connection (#13140)
* ensure original client is disconnected when re-creating

* test_recreate_prisma_client_successful_disconnect

* test_recreate_prisma_client_successful_disconnect
2025-07-31 16:43:26 -07:00
Anand Khinvasara 212a339954 fix: support negative indexes in cache_control_injection_points for Anthropic Claude (#10226) (#13187) 2025-07-31 15:50:53 -07:00
Jugal D. Bhatt 524a1ffd5f [Proxy Startup]fix db config through envs (#13111)
* fix db config through envs

* add helper

* fix ruff

* fix imports

* add unit tests in db config changes
2025-07-31 13:52:56 -07:00
Ishaan Jaff 65ca4f66f6 Revert "add framework name to UserAgent header in AWS Bedrock API call (#13159)"
This reverts commit 77f506e860.
2025-07-30 23:12:36 -07:00
0x-fang 77f506e860 add framework name to UserAgent header in AWS Bedrock API call (#13159) 2025-07-30 22:44:22 -07:00
Ishaan Jaff 090e2ffb5a Revert "[LLM translation] Fix bedrock computer use (#13143)"
This reverts commit 840dd2e7c7.
2025-07-30 16:03:35 -07:00
Jugal D. Bhatt 840dd2e7c7 [LLM translation] Fix bedrock computer use (#13143)
* Add support for bedrock computer use

* remove print

* split bedrock tools

* add hosted tools

* fix tool use

* fix tool use

* fix function calling

* fix converse transformation

* fix tests

* fix llm translation test

* fix computer use
2025-07-30 12:27:12 -07:00
Jugal D. Bhatt e324f76859 [MCP Gateway] add health check endpoints for MCP (#13106)
* add health check endpoints for MCP

* add import

* Clean up endpopints

* fix ruff
2025-07-30 20:40:44 +05:30
Johnny.H 97d89584c1 fix tool aws bedrock call index when the function only have optional arg (#13115) 2025-07-29 22:07:24 -07:00
Krish Dholakia ea6b4b08d3 move to use_prisma_migrate by default + resolve team-only models on auth checks + UI - add sagemaker on UI (#13117)
* fix(proxy_cli.py): make use_prisma_migrate proxy default

Fixes https://github.com/BerriAI/litellm/issues/13046

 Prisma migrate deploy prevents resetting db

* fix(auth_checks.py): resolve team only models while doing auth checks on model access groups

Fixes issue where key had access via an access group, but team only model could not be called

* test(test_router.py): add unit testing

* feat(provider_specific_fields.tsx): add aws sagemaker on UI
2025-07-29 21:56:18 -07:00
Krish Dholakia 1c182919b5 Revert "[LLM translation] Add support for bedrock computer use (#12948)" (#13118)
This reverts commit 760d747465.
2025-07-29 21:33:46 -07:00
Ishaan Jaff 1af0743e58 Revert "Revert "[MCP Gateway] Add protocol headers (#13062)""
This reverts commit acd915f2db.
2025-07-29 18:14:31 -07:00
Ishaan Jaff d10a5a69af fix test_mlflow_request_tags_functionality 2025-07-29 17:33:24 -07:00
Ishaan Jaff acd915f2db Revert "[MCP Gateway] Add protocol headers (#13062)"
This reverts commit 8de24bab7c.
2025-07-29 17:26:00 -07:00
Jugal D. Bhatt 760d747465 [LLM translation] Add support for bedrock computer use (#12948)
* Add support for bedrock computer use

* remove print

* split bedrock tools

* add hosted tools

* fix tool use

* fix tool use

* fix function calling

* fix converse transformation

* fix tests
2025-07-29 16:52:23 -07:00
Ishaan Jaff 5fa2b00c3f [Feat] MLFlow Logging - Allow adding tags for ML Flow logging requests (#13108)
* add mlflow tags

* fixes config

* add litellm mlflow

* test_mlflow_request_tags_functionality

* docs ML flow litellm proxy

* docs ml flow

* docs mlflow
2025-07-29 16:51:27 -07:00
Cole McIntosh 8826e02a98 feat: Add dot notation support for all JWT fields (#13013)
* feat: Add dot notation support for all JWT fields

- Updated all JWT field access methods to use get_nested_value for dot notation support
- Enhanced get_team_id to properly handle team_id_default fallback with nested fields
- Added comprehensive unit tests for nested JWT field access and edge cases
- Updated documentation to reflect dot notation support across all JWT fields
- Maintains full backward compatibility with existing flat field configurations

Supported fields with dot notation:
- team_id_jwt_field, team_ids_jwt_field, user_id_jwt_field
- user_email_jwt_field, org_id_jwt_field, object_id_jwt_field
- end_user_id_jwt_field (roles_jwt_field was already supported)

Example: user_id_jwt_field: 'user.sub' accesses token['user']['sub']

* fix: Add type annotations to resolve mypy errors

- Add explicit type annotation for team_ids variable in get_team_ids_from_jwt
- Add type ignore comment for sentinel object return in get_team_id
- Resolves mypy errors while maintaining functionality

* fix: Resolve mypy type error in get_team_ids_from_jwt

- Remove explicit List[str] type annotation that conflicts with get_nested_value return type
- Simplify return logic to use 'team_ids or []' ensuring always returns List[str]
- Fixes: Incompatible types in assignment (expression has type 'list[str] | None', variable has type 'list[str]')

* fix: Add proper type annotation for team_ids variable

- Use Optional[List[str]] type annotation to satisfy mypy requirements
- Resolves: Need type annotation for 'team_ids' [var-annotated]
- Maintains functionality while ensuring type safety

* refactor: remove outdated JWT unit tests and consolidate JWT-related functionality

- Deleted the test_jwt.py file as it contained outdated and redundant tests.
- Consolidated JWT-related tests into test_handle_jwt.py for better organization and maintainability.
- Updated tests to ensure proper functionality of JWT handling, including token validation and role mapping.
- Enhanced test coverage for JWT field access and nested claims handling.

* test: add comprehensive unit tests for JWT authentication

- Introduced a new test file `test_jwt.py` containing unit tests for JWT authentication.
- Implemented tests for loading configuration with custom role names, validating tokens, and handling team tokens.
- Enhanced coverage for JWT field access, nested claims, and role-based access control.
- Added fixtures for Prisma client and public JWT key generation to support testing.
- Ensured proper handling of valid and invalid tokens, including user and team scenarios.

* revert test_handle_jwt.py

* rename file

* test: remove outdated JWT nesting tests and add new nested field access tests

- Deleted the `test_jwt_nesting.py` file as it contained outdated tests.
- Introduced new tests in `test_handle_jwt.py` to verify nested JWT field access.
- Enhanced coverage for accessing nested values using dot notation and ensured backward compatibility with flat field names.
- Added tests for handling missing nested paths and appropriate default values.
- Improved handling of metadata prefixes in nested field access.

* restore file
2025-07-29 16:51:17 -07:00
Amit Kumar b6f15ed64d Fix token counter to ignore unsupported keys like prefix (#11791) (#11954) 2025-07-29 16:04:09 -07:00
Jugal D. Bhatt 8de24bab7c [MCP Gateway] Add protocol headers (#13062)
* Add protocol headers

* fix mypy

* fix tests

* fix tests
2025-07-29 16:03:23 -07:00
Siddharth Sahu 39d59f1900 Fix/gemini api key environment variable support (#12507)
* Fix: Add support for GOOGLE_API_KEY environment variables for Gemini API authentication

* added test cases

* incoperated feedback to make it more maintainable

* fix failed linting CI
2025-07-29 15:56:01 -07:00
Krish Dholakia 5b50a12329 Revert "fix: Set user from token user_id for OpenMeter integration (#13029)" (#13107)
This reverts commit f8c09e44f6.
2025-07-29 15:49:20 -07:00
Better than breakfast. f8c09e44f6 fix: Set user from token user_id for OpenMeter integration (#13029) 2025-07-29 15:41:50 -07:00
Maksim f3b1b416d1 fix: always use choice index=0 for Anthropic streaming responses (#12666)
- Fixed 'missing finish_reason for choice 1' error with reasoning_effort
- Anthropic sends multiple content blocks with different indices
- OpenAI expects all content in a single choice at index=0
- Added comprehensive tests for text-only, text+tool, and multiple tools
2025-07-29 14:42:01 -07:00
Ishaan Jaff 4878bc6275 [Bug Fix] Gemini-CLI - The Gemini Custom API request has an incorrect authorization format (#13098)
* fix GoogleGenAIConfig

* fix validate_environment

* test_agenerate_content_x_goog_api_key_header
2025-07-29 13:46:43 -07:00
Tim O'Farrell 4639be0c64 Fix list team v2 security check (#13094)
* Fix security vulnerability in list_team_v2 endpoint

- Add missing allowed_route_check_inside_route security check to list_team_v2
- Add @management_endpoint_wrapper decorator for consistency with list_team
- Add comprehensive tests to verify security checks work correctly
- Ensure non-admin users can only query their own teams
- Ensure admin users can query all teams

This fixes a security bug where non-admin users could potentially access
team information they shouldn't have access to through the list_team_v2
endpoint, which was missing the authorization check present in list_team.

* Fix test

* Test fixes

* Fixed test

* Restored invalid delete

* Revert

---------

Co-authored-by: openhands <openhands@all-hands.dev>
2025-07-29 10:29:40 -07:00
Krish Dholakia 039c8a922c Azure api_version="preview" support + Bedrock cost tracking via Anthropic /v1/messages (#13072)
* fix(azure/chat/gpt_transformation.py): support api_version="preview"

Fixes https://github.com/BerriAI/litellm/issues/12945

* Fix anthropic passthrough logging handler model fallback for streaming requests (#13022)

* fix: anthropic passthrough logging handler model fallback for streaming requests

- Add fallback logic to retrieve model from logging_obj.model_call_details when request_body.model is empty
- Fixes issue #12933 where streaming requests to anthropic passthrough endpoints would crash due to missing model field
- Ensures downstream logging and cost calculation work correctly for all streaming scenarios
- Maintains backwards compatibility with existing non-streaming requests

* test: add minimal tests for anthropic passthrough logging handler model fallback

- Add unit tests for the model fallback logic in _handle_logging_anthropic_collected_chunks
- Test existing behavior when request_body.model is present
- Test fallback logic when request_body.model is empty but logging_obj.model_call_details has model
- Test edge cases where both sources are empty or missing
- Ensure backwards compatibility and graceful degradation

* fix(anthropic_passthrough_logging_handler.py): add provider to model name (accurate cost tracking)

* fix(anthropic_passthrough_logging_handler.py): don't reset custom llm provider, if already set

* fix: fix check

---------

Co-authored-by: Haggai Shachar <haggai.shachar@backline.ai>
2025-07-29 08:13:55 -07:00
Felix Burmester 51bbd12116 Added handling for pwd protected cert files in AOAI CertificateCredential auth (#12995) 2025-07-28 21:34:54 -07:00
Ishaan Jaff a8371d2cb1 [Feat] Add Google AI Studio Imagen4 model family (#13065)
* add gemini

* add init files

* add get_gemini_image_generation_config

* refactor transform

* TestGoogleImageGen

* fix transform

* fix transform

* add gemini_image_cost_calculator

* add cost tracking for gemini/imagen models

* docs image gen

* docs image gen

* test_get_model_info_gemini
2025-07-28 21:25:40 -07:00