Commit Graph
8936 Commits
Author SHA1 Message Date
Sameer KankuteandGitHub efa33bfe50 Merge pull request #26222 from BerriAI/litellm_anthropic-json-mode-nonstreaming-mixed-tools
fix(anthropic): json response_format + user tools non-streaming
2026-05-01 08:24:38 +05:30
Sameer KankuteandGitHub 72ddbce50e Merge pull request #25499 from BerriAI/litellm_vertex_request_metadata_labels
feat(vertex_ai): propagate metadata labels to embedding, Imagen, rerank
2026-05-01 08:20:55 +05:30
Michael-RZ-BerriandGitHub 05e6402bdb Merge pull request #26829 from BerriAI/litellm_budgetEnforcementMultiPod
[Fix] Refresh Redis TTL on counter writes, skip stale in-memory in Redis
2026-04-30 18:14:41 -07:00
Michael-RZ-BerriandGitHub e4fb325a3a Merge pull request #26914 from BerriAI/litellm_googleGenContentHooks
Run pre_call_hook on Google generateContent endpoints
2026-04-30 17:53:38 -07:00
Michael Riad Zaky 4e26835098 Reorder counter invalidation to run after DB write 2026-04-30 17:50:58 -07:00
Michael Riad Zaky fed5f36a3d Invalidate spend counters on budget reset 2026-04-30 17:50:58 -07:00
Michael Riad Zaky 9f08db91f9 Refresh Redis TTL on counter writes and skip stale in-memory on Redis miss 2026-04-30 17:50:58 -07:00
Yuneng Jiang bd638245e8 [Fix] Responses API: Omit Empty Body On DELETE
The async/sync delete_response_api_handler always passed json=data into
httpx.delete, where data is {} from the transformer. httpx serializes that
to a 2-byte body. The Azure Responses DELETE endpoint now rejects any
request body with code: unexpected_body, breaking
test_basic_openai_responses_delete_endpoint on the llm_responses_api_testing
job. Build the kwargs dict and only set json= when data is truthy.

Add unit tests that patch httpx.delete and assert json/data are not in the
captured kwargs for the Azure DELETE path (sync and async).
2026-04-30 17:39:55 -07:00
yuneng-jiangandGitHub 326bcd6cec Merge pull request #26941 from BerriAI/litellm_/stoic-jemison-cbb6cf
[Test] Proxy E2E: Opt In To Client Mock Response For Model Access Tests
2026-04-30 17:35:16 -07:00
yuneng-jiangandGitHub bdcc23853c Merge pull request #26835 from stuxf/codex/cli-sso-flow-binding
chore(cli): tighten CLI SSO session flow
2026-04-30 17:10:27 -07:00
yuneng-jiangandGitHub 15b7386859 Merge pull request #26815 from stuxf/fix/get-image-lfi-ssrf
chore(proxy): contain UI_LOGO_PATH / LITELLM_FAVICON_URL on unauthenticated asset endpoints
2026-04-30 17:10:15 -07:00
yuneng-jiangandGitHub 71d5015975 Merge pull request #26827 from stuxf/fix/passthrough-auth-default
chore(passthrough): default auth=True and drop enterprise gate on the safe option
2026-04-30 17:06:37 -07:00
Yuneng Jiang be0e9914dc [Test] Proxy E2E: Opt In To Client Mock Response For Model Access Tests
The proxy's ingress hardening (commit 842eea0131) now strips client-supplied
`mock_response` from the request body unless the calling key or team has the
`allow_client_mock_response: true` admin-metadata flag set. The e2e model
access tests rely on `mock_response` to short-circuit the LLM call, so without
the flag they hit real backends — the bedrock wildcard route fakes out to a
shared example endpoint that now 404s on unsupported paths, causing
`test_model_access_patterns[key_models2-bedrock/anthropic.claude-3-True]`
(and the bedrock/anthropic.* row that pytest -x never reaches) to fail.

Set `allow_client_mock_response: true` on every key and team this test file
provisions so `mock_response` is preserved end-to-end.
2026-04-30 17:05:31 -07:00
Michael Riad Zaky 053e040171 run pre_call_hook on Google generateContent endpoints 2026-04-30 16:43:42 -07:00
Michael Riad Zaky 47b2832d6f test: replace subprocess startup-import diff with static source scan 2026-04-30 16:15:46 -07:00
yuneng-jiangandGitHub 256e05e474 Merge pull request #26849 from stuxf/fix/mcp-oauth-discovery-ssrf
chore(mcp): SSRF guard on OAuth metadata discovery follow-up fetches
2026-04-30 13:44:16 -07:00
yuneng-jiangandGitHub 174c770b07 Merge pull request #26836 from stuxf/fix/byok-credential-encryption
chore(mcp): encrypt user-scoped MCP credentials at rest
2026-04-30 13:42:57 -07:00
yuneng-jiangandGitHub 4ff8f0e901 Merge pull request #26851 from stuxf/codex/fix-callback-env-secret-resolution
chore(proxy): block env callback refs in key metadata
2026-04-30 13:11:32 -07:00
yuneng-jiangandGitHub aa76ab2df7 Merge pull request #26862 from stuxf/codex/control-field-sanitization
chore(proxy): harden request control fields
2026-04-30 13:10:58 -07:00
Michael-RZ-BerriandGitHub 9637d8c17b Merge pull request #26802 from BerriAI/litellm_lazyLoadedFrontPage
[Feat / Fix] Lazy loaded imports, lazy loaded front page
2026-04-30 13:04:42 -07:00
yuneng-jiangandGitHub 08541f49ee Merge pull request #26910 from BerriAI/litellm_fix/drop-milvus-db-params
fix: drop milvus dbName and partitionNames from MILVUS_OPTIONAL_PARAMS
2026-04-30 12:53:18 -07:00
Yassin KortamandGitHub d84b35cc40 Merge pull request #26906 from BerriAI/litellm_fix/validate-aws-region
fix: validate aws region name
2026-04-30 12:52:31 -07:00
user 51a3e90451 fix(mcp): reuse safe URL fetch for OAuth discovery 2026-04-30 12:42:52 -07:00
yuneng-jiangandGitHub 3c060364fb Merge pull request #26840 from stuxf/codex/mcp-oauth-root-visibility
chore(mcp): tighten OAuth root endpoint resolution
2026-04-30 11:59:03 -07:00
yuneng-jiangandGitHub a9db887bdd Merge pull request #26843 from stuxf/codex/fix-onboarding-invite-token
chore(auth): harden invite-link onboarding token flow
2026-04-30 11:56:26 -07:00
Yassin Kortam dfc080f580 fix: drop milvus dbName and partitionNames from MILVUS_OPTIONAL_PARAMS 2026-04-30 11:51:32 -07:00
yuneng-jiangandGitHub 0efa8b8828 Merge pull request #26854 from stuxf/fix/team-authz-available-team-bypass
chore(team): close authz bypass via the available-team check
2026-04-30 11:47:19 -07:00
user b67a81da47 test(proxy): align favicon remote asset expectations 2026-04-30 11:46:45 -07:00
yuneng-jiangandGitHub d51d96f405 Merge pull request #26859 from stuxf/chore/audit-log-team-callback-mutations
chore(team): audit-log team-callback admin mutations
2026-04-30 11:46:31 -07:00
Cursor Agent 21c7864d75 Fix Vertex label metadata fallback 2026-04-30 18:44:03 +00:00
Yassin Kortam d47948ab23 fix: validate aws region name 2026-04-30 11:35:30 -07:00
user b8a141cefd fix(static-assets): stop serving stale logo cache 2026-04-30 11:34:25 -07:00
user 215f538d4f fix(static-assets): browser-load remote branding assets 2026-04-30 11:30:57 -07:00
mateo-berriandCursor Agent b5df9d9778 test(vertex_ai): add e2e tests for rerank userLabels propagation
Cover the full litellm.rerank()/arerank() path with HTTP mocked, asserting
metadata.requester_metadata reaches the Discovery Engine :rank body as
userLabels (and stays absent when no metadata is set). Catches plumbing
regressions that unit tests on transform_rerank_request alone would miss.
2026-04-30 18:25:38 +00:00
user f48dfdbdd9 fix(proxy): require opt in for audit header fallback 2026-04-30 11:17:04 -07:00
Mateo WangandCursor Agent 3bbb5c7fd7 Remove dead _transform_response_for_json_mode wrapper
The wrapper had no production callers after transform_parsed_response
was refactored to call _resolve_json_mode_non_streaming directly.
Updated the parametrized test to call the underlying method.
2026-04-30 18:03:44 +00:00
user 09c4d0d01e fix(proxy): gate redaction opt out controls 2026-04-30 00:49:33 -07:00
user c52be31663 fix(logging): redact standard logging choice metadata 2026-04-30 00:35:29 -07:00
user db00e674e2 test(proxy): cover control field hardening branches 2026-04-29 23:57:50 -07:00
user 119c70b576 fix(proxy): gate delegated audit attribution 2026-04-29 23:10:14 -07:00
user 7c3c9ab7ef test(proxy): opt mock-response fixtures into client mocks 2026-04-29 23:00:45 -07:00
user 7497674661 fix(proxy): sanitize redaction controls at ingress 2026-04-29 22:52:31 -07:00
user 842eea0131 chore(proxy): harden request control fields 2026-04-29 22:35:17 -07:00
user 986cdedd4f fix(audit): redact callback secrets and surface fire-and-forget failures
Two Greptile P2s addressed:

1. (security) The audit-log row for an ``add_team_callbacks`` call would
   serialize the entire ``callback_vars`` block — including
   ``langfuse_secret_key``, ``langsmith_api_key``, and the GCS service
   account path — verbatim into ``LiteLLM_AuditLogs``.  Anyone with read
   access to the audit table could harvest team callback credentials.
   Same risk for ``disable_team_logging`` when the team's existing row
   has populated ``callback_settings.callback_vars``.

   Add ``_redact_callback_secrets``: deep-copies the metadata snapshot
   and replaces every ``callback_vars`` value with ``***REDACTED***``.
   The keys are kept so an auditor can still see *which* fields
   changed.  Applied to both before and after snapshots.

2. ``asyncio.create_task`` is fire-and-forget; if the audit-log write
   raises (transient DB error etc.) the exception is silently
   discarded by the event loop and the audit row is just missing —
   the exact gap this PR is closing.  Attach a ``done_callback`` that
   logs the exception at warning level via ``verbose_proxy_logger`` so
   the operator sees there's a gap.

Tests assert that callback values are not present in the serialized
audit payload (both for ``add_team_callbacks`` and for
``disable_team_logging`` when the team's existing row has
populated secrets).
2026-04-30 05:18:29 +00:00
user adc2c55ffc chore(team): audit-log team-callback admin mutations
The two mutating endpoints in team_callback_endpoints.py
(``/team/{id}/callback`` POST and ``/team/{id}/disable_logging``) wrote
team metadata without emitting an audit-log row.  The disable variant
is the worst case: a logging-control action that itself isn't logged,
so an admin (or compromised admin) could zero out a team's
observability with no forensic trail.

Add ``_emit_team_callback_audit_log`` mirroring the
``store_audit_logs``-gated pattern already used in team_endpoints.py
for /team/new and /team/update.  When ``litellm.store_audit_logs`` is
True, both endpoints now emit an ``LiteLLM_AuditLogs`` row capturing
the calling user, the API key, and the before/after team metadata.
When the flag is False the helper is a no-op, so non-Enterprise
deployments are unaffected.

The ``litellm_changed_by`` header is now also accepted on
``/team/{id}/disable_logging`` to match the existing
``add_team_callbacks`` shape; the header is optional so existing
callers are unaffected.

Variant scope: the file has three endpoints — both mutating variants
are now logged.  The read-only ``GET /team/{id}/callback`` is unchanged.
Other unlogged callback / logging-control admin endpoints elsewhere in
the proxy (e.g. ``/cache/settings``, ``/config_overrides/hashicorp_vault``)
are out of scope here and would be addressed in a separate PR.

Tests cover both endpoints in both ``store_audit_logs`` states and
verify that the captured before/after metadata reflects the actual
mutation, plus that the ``litellm-changed-by`` header overrides the
auth user_id when supplied.
2026-04-30 05:04:49 +00:00
Sameer KankuteandGitHub 50ef2d51a2 Merge pull request #26855 from BerriAI/litellm_internal_staging
merge main
2026-04-30 09:09:45 +05:30
Sameer KankuteandGitHub d3891e6eae Merge pull request #26719 from BerriAI/litellm_fix-bedrock-stream-interrupt-spend-da73
fix(passthrough): track spend for interrupted Bedrock streams
2026-04-30 09:09:08 +05:30
user 72674b06b5 test(team): add /team/permissions_update regression for available-team bypass
Greptile P2: the bypass removal in update_team_member_permissions had
no dedicated regression test.  Adds an integration-style test that
posts to /team/permissions_update as a non-admin caller while
``_is_available_team`` is mocked True, and asserts a 403 — pinning
the bypass-removal against future regressions in the same way the
new member-add unit tests pin the self-join enforcement.
2026-04-30 03:37:41 +00:00
user e4c4d9832f chore(team): close authz bypass via the available-team check
Two paths previously treated ``_is_available_team`` as a blanket
authorization bypass — the function was meant to let standard users
self-join a public team but was wired into the broader admin gate
without bounding the action being performed.  Three concrete
exposures resulted:

1. ``/team/member_add``: the bypass let an unprivileged caller add
   themselves as a Team Admin, or add an arbitrary other ``user_id``
   into the team.
2. ``/team/permissions_update``: the same bypass let any authenticated
   user overwrite a team's ``team_member_permissions`` array, mutating
   the access policy for every member.
3. (Read endpoint ``/team/permissions_list`` is unchanged — it leaks
   read-only policy state to non-members but is out of scope of the
   advisory's recommendation; tracking separately.)

This commit:

- Splits ``_validate_team_member_add_permissions`` into early-return
  admin checks followed by an available-team self-join branch that
  enforces ``member.user_id == caller.user_id`` AND
  ``member.role == "user"`` for every member entry in the request.
  The bulk shape (``member: List[Member]``) is checked the same way,
  so a list with one valid self-entry plus one ``role=admin`` entry
  is rejected.  Email-only members are rejected on the self-join
  path: matching by ``user_id`` is the only safe primitive at
  pre-validation time (resolving email→user_id earlier would let
  unauthenticated callers probe user existence).

- Removes the ``_is_available_team`` clause from
  ``update_team_member_permissions`` entirely.  Only proxy / team /
  org admins can update permission policies.

Tests:

- Update the two existing ``_validate_team_member_add_permissions``
  unit tests to pass the new ``data`` argument.
- Add six regression tests covering the privesc shape (role=admin),
  the cross-user-injection shape (other user_id), the no-caller-uid
  fail-closed case, the email-only rejection, and the bulk shape.
- ``test_team_endpoints.py`` 133/133 pass.
2026-04-30 03:23:46 +00:00
Sameer KankuteandGitHub 26cb28efc5 Merge pull request #26814 from sruthi-sixt-26/fix/bedrock-batch-retrieve
fix(proxy/batches): forward model to retrieve_batch for bedrock
2026-04-30 08:53:23 +05:30