fix(responses): presidio PII masking for Azure WebSocket and streaming#30003
Conversation
Codecov Report❌ Patch coverage is 📢 Thoughts on this report? Let us know! |
Greptile SummaryThis PR fixes three related issues: Azure native Responses WebSocket URL construction (introducing a provider-overridable
Confidence Score: 5/5Safe to merge; the changes are well-tested with unit tests covering the critical paths, no real network calls in the test suite, and the logic correctly handles edge cases (null response, mixed streams, flat vs. nested message shapes). The Azure URL construction, model enforcement, and PII masking/unmasking flows are all covered by dedicated tests. The rewrite of process_output_streaming_response correctly mirrors the established non-streaming pattern. The two multi-callback asymmetries noted are theoretical for the standard single-Presidio deployment and do not affect correctness in practice. litellm/responses/streaming_iterator.py deserves a second look if multiple PII guardrail callbacks ever become a supported configuration — the single-callback assumption in _unmask_response_event and the in-place chaining in _mask_response_create would need revisiting.
|
| Filename | Overview |
|---|---|
| litellm/responses/streaming_iterator.py | Adds ~300 lines of PII masking/unmasking logic to ResponsesWebSocketStreaming, including authorized-model enforcement, input masking on response.create frames, and output masking + delta suppression on response.completed events. Code is well-commented and tested, but the triple JSON parse/dump per backend event and the single-callback assumption in _unmask_response_event are minor concerns. |
| litellm/llms/openai/responses/guardrail_translation/handler.py | Rewrites process_output_streaming_response to use per-item extraction + write-back for response.completed events (matching process_output_response), and broadens _apply_guardrail_responses_to_output to accept plain dicts. Guardrail results are now correctly written back into the chunk in-place rather than silently discarded. |
| litellm/proxy/guardrails/guardrail_hooks/presidio.py | Adds _unmask_responses_api_completed_chunk helper and fixes _stream_pii_unmasking to pass through non-ModelResponseStream chunks instead of silently dropping them. The saw_non_chat_chunk flag prevents the chat-stream reassembly path from running on mixed streams. |
| litellm/llms/custom_httpx/llm_http_handler.py | Replaces hard-coded get_complete_url + scheme-swap with provider-overridable get_websocket_url, gates the ?model= append on model_in_websocket_url(), and populates GenericLiteLLMParams with full context. Also discovers guardrail callbacks via duck-typing and passes them to ResponsesWebSocketStreaming. |
| litellm/llms/azure/responses/transformation.py | Adds supports_native_websocket, get_websocket_url (builds wss://.../openai/v1/responses with no api-version), and model_in_websocket_url (returns False). Correctly strips existing /openai/responses suffixes and drops all query params via httpx URL copy_with. |
| litellm/llms/base_llm/responses/transformation.py | Adds default get_websocket_url (delegates to get_complete_url then swaps scheme) and model_in_websocket_url (returns True) as overridable hooks for providers, with clear docstrings explaining the override contract. |
Reviews (18): Last reviewed commit: "fix(responses): mask reasoning summary P..." | Re-trigger Greptile
PR overviewAll previously flagged issues have been addressed. No open security concerns remain on this pull request. Security reviewNo open security issues remain on this pull request. Fixed/addressed: 15 · PR risk: 0/10 |
|
bugbot run |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 3 potential issues.
Autofix Details
Bugbot Autofix prepared fixes for all 3 issues found in the latest run.
- ✅ Fixed: Null response field crashes handlers
- Response completion handlers now treat null or non-object response payloads as pass-through instead of chaining .get calls on None.
- ✅ Fixed: WS frames omit authorized model
- Authorized models are now injected into flat or nested response.create frames when the client omits the model field.
- ✅ Fixed: Azure WS URL query mishandled
- Azure WebSocket URL construction now parses api_base, strips existing response paths, and drops query params before appending the v1 WebSocket path.
You can send follow-ups to the cloud agent here.
|
bugbot run |
|
|
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 2 potential issues.
Bugbot Autofix is ON, but it could not run because the spend limit has been reached. To enable Bugbot Autofix, have a team admin raise the spend limit in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit bee452c. Configure here.
Wire Presidio into native Responses WebSocket forwarding and fix streaming output unmasking so masked tokens are restored for HTTP and WS clients. Co-authored-by: Cursor <[email protected]>
…nd PII logging - Add model_in_websocket_url() to BaseResponsesAPIConfig (default True) so providers can opt out of ?model= being appended to WebSocket URLs. - Override model_in_websocket_url() to return False for Azure, since Azure sends the model in the response.create body, not the URL query string. - Use this flag in llm_http_handler to conditionally append ?model=. - Pass masked message to _store_input() instead of the original PII-containing message so logging destinations do not receive unmasked PII. Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
… PII
Handle the nested {"type":"response.create","response":{"input":[...]}}
format in _mask_response_create. Previously only the flat top-level input
was masked; the nested shape bypassed Presidio and forwarded raw PII
upstream. Now both shapes are normalized and masked before forwarding.
Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
…sking When apply_to_output masking is active on a native Responses WebSocket, response.output_text.done, response.content_part.done, and response.output_item.done carry the full model output before the masked response.completed arrives, so an authenticated client could read unmasked PII from those events. Suppress them alongside delta events; the client receives only the fully-masked response.completed.
Delta events are suppressed in backend_to_client before _mask_response_completed runs when output masking is active, so the method's delta-handling branch was unreachable. Restrict it to response.completed and cover the Responses API unmask path with a Pydantic ResponseCompletedEvent regression test.
_stream_pii_unmasking buffered ModelResponseStream chunks but returned early once a /v1/responses event was seen, silently dropping the buffered chat chunks. Flush them in order before switching to passthrough, mirroring _stream_apply_output_masking, and cover it with a regression test.
…t PII path Presidio masking on the native Responses WebSocket path left two gaps. On the request side _mask_response_create only walked the input containers, so PII placed in the instructions field of a response.create frame was forwarded upstream and logged unmasked even with output_parse_pii enabled. Now both the flat and nested instructions strings are masked alongside input. On the response side _mask_response_completed only masked content text blocks, so model-produced PII inside function-call arguments could reach the client when apply_to_output was enabled, both via the standalone response.function_call_arguments.done event and via the function_call output items in response.completed. The done event is now suppressed under output masking and completed function-call arguments are run through check_pii before forwarding or logging.
response.create input items of type function_call_output carry user-controlled text in output, not content, so the Presidio masking pass forwarded that text upstream unmasked. Mask the output field (string or list of text blocks) alongside content.
BerriAI#30003) * fix(responses): Presidio PII masking for Azure WebSocket and streaming Wire Presidio into native Responses WebSocket forwarding and fix streaming output unmasking so masked tokens are restored for HTTP and WS clients. Co-authored-by: Cursor <[email protected]> * Fix unused imports in responses handlers * fix(responses): address Greptile review - Azure WebSocket model URL and PII logging - Add model_in_websocket_url() to BaseResponsesAPIConfig (default True) so providers can opt out of ?model= being appended to WebSocket URLs. - Override model_in_websocket_url() to return False for Azure, since Azure sends the model in the response.create body, not the URL query string. - Use this flag in llm_http_handler to conditionally append ?model=. - Pass masked message to _store_input() instead of the original PII-containing message so logging destinations do not receive unmasked PII. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): mask nested response.create input format for Presidio PII Handle the nested {"type":"response.create","response":{"input":[...]}} format in _mask_response_create. Previously only the flat top-level input was masked; the nested shape bypassed Presidio and forwarded raw PII upstream. Now both shapes are normalized and masked before forwarding. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * style: apply black formatting to llm_http_handler and streaming_iterator Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * style: suppress PLR0915 on async_responses_websocket Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): add apply_to_output masking on Responses API WebSocket path Previously the WebSocket guardrail filter excluded callbacks with apply_to_output=True, leaving model-generated PII unmasked before returning to the client. - Collect apply_to_output callbacks separately in llm_http_handler and pass them to ResponsesWebSocketStreaming as output_guardrail_callbacks. - Add _mask_response_completed method that calls check_pii(output_parse_pii=False) on text blocks in response.completed events, masking model output PII. - backend_to_client now chains unmask (pii_tokens) → mask (apply_to_output) before forwarding each event to the client. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): unmask PII tokens in streaming delta events and warn on guardrail init failure - Rename _unmask_response_completed -> _unmask_response_event and extend it to also unmask response.output_text.delta (and other delta types) so real-time streaming clients receive original values, not PII tokens. - Split the broad except-and-swallow into ImportError (expected in SDK-only environments) vs Exception (unexpected — now logs a warning so operators know masking is disabled). Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): enforce authorized model on WebSocket frames and remove proxy import Security: add _enforce_authorized_model to ResponsesWebSocketStreaming that overwrites both flat and nested model fields in every response.create frame with the connection-authorized model, preventing deployment-substitution attacks where an authenticated user sends a different model name in the frame body after connecting with an allowed model. Layering: remove the _OPTIONAL_PresidioPIIMasking isinstance check and proxy import from the SDK handler. Use duck-typed checks (callable check_pii + get_presidio_settings_from_request_data) so any guardrail implementing the interface works, not just Presidio. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): add _unmask_pii_text to duck-typed contract and mask delta frames - Add callable(_unmask_pii_text) check to the guardrail_callbacks filter so a custom guardrail missing that method cannot cause an AttributeError and silently kill the WebSocket session. - Extend _mask_response_completed to also mask response.output_text.delta (and other delta types) for apply_to_output callbacks, so real-time streaming clients do not receive unredacted model-generated PII in deltas. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * Fix Responses WebSocket guardrail edge cases * fix(responses): log masked output and suppress deltas when apply_to_output active - Move _store_event to after _mask_response_completed so logs receive the redacted form, not raw model output containing PII. - Suppress delta event forwarding when output_guardrail_callbacks are present: per-fragment Presidio cannot catch PII that spans multiple chunks (e.g. "alice@" + "example.com"). Clients receive only the fully-masked response.completed, which Presidio scans on complete text. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): mask and suppress response.output_item.done for apply_to_output response.output_item.done carries completed item text in item.content[*].text before response.completed arrives, allowing unmasked PII to reach the client. - _unmask_response_event: unmask input-PII tokens in item.content[*].text - _mask_response_completed: run check_pii on item.content[*].text for apply_to_output callbacks (same as response.completed handling) - backend_to_client suppression: also skip response.output_item.done when output_guardrail_callbacks are active; client receives only the fully-masked response.completed Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(types): cast response_obj to ResponsesAPIResponse to satisfy mypy Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * Revert "fix(types): cast response_obj to ResponsesAPIResponse to satisfy mypy" This reverts commit d596955. * Revert "fix(responses): mask and suppress response.output_item.done for apply_to_output" This reverts commit 219fd54. * fix(types): accept dict responses in guardrail output write-back Streaming response.completed events pass a dict response object, so widen _apply_guardrail_responses_to_output to match its existing runtime handling. Co-authored-by: Cursor <[email protected]> * perf(responses): skip Presidio masking on suppressed WebSocket delta events Delta events are dropped wholesale when apply_to_output masking is active, so masking them first issued a wasted check_pii call per fragment. Move the suppression check ahead of the unmask/mask passes; the event type is invariant across both, so client-visible behavior is unchanged. * test(responses): cover Responses WebSocket PII masking hooks Add regression tests for the native Responses WebSocket guardrail path: input masking and model enforcement in _mask_response_create, token unmasking in _unmask_response_event, apply_to_output masking and delta suppression in _mask_response_completed/backend_to_client, and the get_websocket_url / model_in_websocket_url defaults for the base and Azure configs. Raises diff coverage above the codecov patch target. * fix(responses): suppress text-bearing done events under output PII masking When apply_to_output masking is active on a native Responses WebSocket, response.output_text.done, response.content_part.done, and response.output_item.done carry the full model output before the masked response.completed arrives, so an authenticated client could read unmasked PII from those events. Suppress them alongside delta events; the client receives only the fully-masked response.completed. * refactor(responses): drop dead delta branch in WebSocket output masking Delta events are suppressed in backend_to_client before _mask_response_completed runs when output masking is active, so the method's delta-handling branch was unreachable. Restrict it to response.completed and cover the Responses API unmask path with a Pydantic ResponseCompletedEvent regression test. * fix(presidio): flush buffered chat chunks on mixed unmask stream _stream_pii_unmasking buffered ModelResponseStream chunks but returned early once a /v1/responses event was seen, silently dropping the buffered chat chunks. Flush them in order before switching to passthrough, mirroring _stream_apply_output_masking, and cover it with a regression test. * fix(responses): mask instructions and tool-call arguments in WebSocket PII path Presidio masking on the native Responses WebSocket path left two gaps. On the request side _mask_response_create only walked the input containers, so PII placed in the instructions field of a response.create frame was forwarded upstream and logged unmasked even with output_parse_pii enabled. Now both the flat and nested instructions strings are masked alongside input. On the response side _mask_response_completed only masked content text blocks, so model-produced PII inside function-call arguments could reach the client when apply_to_output was enabled, both via the standalone response.function_call_arguments.done event and via the function_call output items in response.completed. The done event is now suppressed under output masking and completed function-call arguments are run through check_pii before forwarding or logging. * fix(responses): suppress reasoning_summary_text.done under output PII masking * fix(responses): mask function_call_output.output in WebSocket PII path response.create input items of type function_call_output carry user-controlled text in output, not content, so the Presidio masking pass forwarded that text upstream unmasked. Mask the output field (string or list of text blocks) alongside content. * fix(responses): mask reasoning summary PII in WebSocket output path --------- Co-authored-by: Cursor <[email protected]> Co-authored-by: Claude Sonnet 4.6 <[email protected]> Co-authored-by: mateo-berri <[email protected]>
BerriAI#30003) * fix(responses): Presidio PII masking for Azure WebSocket and streaming Wire Presidio into native Responses WebSocket forwarding and fix streaming output unmasking so masked tokens are restored for HTTP and WS clients. Co-authored-by: Cursor <[email protected]> * Fix unused imports in responses handlers * fix(responses): address Greptile review - Azure WebSocket model URL and PII logging - Add model_in_websocket_url() to BaseResponsesAPIConfig (default True) so providers can opt out of ?model= being appended to WebSocket URLs. - Override model_in_websocket_url() to return False for Azure, since Azure sends the model in the response.create body, not the URL query string. - Use this flag in llm_http_handler to conditionally append ?model=. - Pass masked message to _store_input() instead of the original PII-containing message so logging destinations do not receive unmasked PII. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): mask nested response.create input format for Presidio PII Handle the nested {"type":"response.create","response":{"input":[...]}} format in _mask_response_create. Previously only the flat top-level input was masked; the nested shape bypassed Presidio and forwarded raw PII upstream. Now both shapes are normalized and masked before forwarding. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * style: apply black formatting to llm_http_handler and streaming_iterator Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * style: suppress PLR0915 on async_responses_websocket Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): add apply_to_output masking on Responses API WebSocket path Previously the WebSocket guardrail filter excluded callbacks with apply_to_output=True, leaving model-generated PII unmasked before returning to the client. - Collect apply_to_output callbacks separately in llm_http_handler and pass them to ResponsesWebSocketStreaming as output_guardrail_callbacks. - Add _mask_response_completed method that calls check_pii(output_parse_pii=False) on text blocks in response.completed events, masking model output PII. - backend_to_client now chains unmask (pii_tokens) → mask (apply_to_output) before forwarding each event to the client. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): unmask PII tokens in streaming delta events and warn on guardrail init failure - Rename _unmask_response_completed -> _unmask_response_event and extend it to also unmask response.output_text.delta (and other delta types) so real-time streaming clients receive original values, not PII tokens. - Split the broad except-and-swallow into ImportError (expected in SDK-only environments) vs Exception (unexpected — now logs a warning so operators know masking is disabled). Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): enforce authorized model on WebSocket frames and remove proxy import Security: add _enforce_authorized_model to ResponsesWebSocketStreaming that overwrites both flat and nested model fields in every response.create frame with the connection-authorized model, preventing deployment-substitution attacks where an authenticated user sends a different model name in the frame body after connecting with an allowed model. Layering: remove the _OPTIONAL_PresidioPIIMasking isinstance check and proxy import from the SDK handler. Use duck-typed checks (callable check_pii + get_presidio_settings_from_request_data) so any guardrail implementing the interface works, not just Presidio. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): add _unmask_pii_text to duck-typed contract and mask delta frames - Add callable(_unmask_pii_text) check to the guardrail_callbacks filter so a custom guardrail missing that method cannot cause an AttributeError and silently kill the WebSocket session. - Extend _mask_response_completed to also mask response.output_text.delta (and other delta types) for apply_to_output callbacks, so real-time streaming clients do not receive unredacted model-generated PII in deltas. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * Fix Responses WebSocket guardrail edge cases * fix(responses): log masked output and suppress deltas when apply_to_output active - Move _store_event to after _mask_response_completed so logs receive the redacted form, not raw model output containing PII. - Suppress delta event forwarding when output_guardrail_callbacks are present: per-fragment Presidio cannot catch PII that spans multiple chunks (e.g. "alice@" + "example.com"). Clients receive only the fully-masked response.completed, which Presidio scans on complete text. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): mask and suppress response.output_item.done for apply_to_output response.output_item.done carries completed item text in item.content[*].text before response.completed arrives, allowing unmasked PII to reach the client. - _unmask_response_event: unmask input-PII tokens in item.content[*].text - _mask_response_completed: run check_pii on item.content[*].text for apply_to_output callbacks (same as response.completed handling) - backend_to_client suppression: also skip response.output_item.done when output_guardrail_callbacks are active; client receives only the fully-masked response.completed Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(types): cast response_obj to ResponsesAPIResponse to satisfy mypy Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * Revert "fix(types): cast response_obj to ResponsesAPIResponse to satisfy mypy" This reverts commit d596955. * Revert "fix(responses): mask and suppress response.output_item.done for apply_to_output" This reverts commit 219fd54. * fix(types): accept dict responses in guardrail output write-back Streaming response.completed events pass a dict response object, so widen _apply_guardrail_responses_to_output to match its existing runtime handling. Co-authored-by: Cursor <[email protected]> * perf(responses): skip Presidio masking on suppressed WebSocket delta events Delta events are dropped wholesale when apply_to_output masking is active, so masking them first issued a wasted check_pii call per fragment. Move the suppression check ahead of the unmask/mask passes; the event type is invariant across both, so client-visible behavior is unchanged. * test(responses): cover Responses WebSocket PII masking hooks Add regression tests for the native Responses WebSocket guardrail path: input masking and model enforcement in _mask_response_create, token unmasking in _unmask_response_event, apply_to_output masking and delta suppression in _mask_response_completed/backend_to_client, and the get_websocket_url / model_in_websocket_url defaults for the base and Azure configs. Raises diff coverage above the codecov patch target. * fix(responses): suppress text-bearing done events under output PII masking When apply_to_output masking is active on a native Responses WebSocket, response.output_text.done, response.content_part.done, and response.output_item.done carry the full model output before the masked response.completed arrives, so an authenticated client could read unmasked PII from those events. Suppress them alongside delta events; the client receives only the fully-masked response.completed. * refactor(responses): drop dead delta branch in WebSocket output masking Delta events are suppressed in backend_to_client before _mask_response_completed runs when output masking is active, so the method's delta-handling branch was unreachable. Restrict it to response.completed and cover the Responses API unmask path with a Pydantic ResponseCompletedEvent regression test. * fix(presidio): flush buffered chat chunks on mixed unmask stream _stream_pii_unmasking buffered ModelResponseStream chunks but returned early once a /v1/responses event was seen, silently dropping the buffered chat chunks. Flush them in order before switching to passthrough, mirroring _stream_apply_output_masking, and cover it with a regression test. * fix(responses): mask instructions and tool-call arguments in WebSocket PII path Presidio masking on the native Responses WebSocket path left two gaps. On the request side _mask_response_create only walked the input containers, so PII placed in the instructions field of a response.create frame was forwarded upstream and logged unmasked even with output_parse_pii enabled. Now both the flat and nested instructions strings are masked alongside input. On the response side _mask_response_completed only masked content text blocks, so model-produced PII inside function-call arguments could reach the client when apply_to_output was enabled, both via the standalone response.function_call_arguments.done event and via the function_call output items in response.completed. The done event is now suppressed under output masking and completed function-call arguments are run through check_pii before forwarding or logging. * fix(responses): suppress reasoning_summary_text.done under output PII masking * fix(responses): mask function_call_output.output in WebSocket PII path response.create input items of type function_call_output carry user-controlled text in output, not content, so the Presidio masking pass forwarded that text upstream unmasked. Mask the output field (string or list of text blocks) alongside content. * fix(responses): mask reasoning summary PII in WebSocket output path --------- Co-authored-by: Cursor <[email protected]> Co-authored-by: Claude Sonnet 4.6 <[email protected]> Co-authored-by: mateo-berri <[email protected]>
BerriAI#30003) * fix(responses): Presidio PII masking for Azure WebSocket and streaming Wire Presidio into native Responses WebSocket forwarding and fix streaming output unmasking so masked tokens are restored for HTTP and WS clients. Co-authored-by: Cursor <[email protected]> * Fix unused imports in responses handlers * fix(responses): address Greptile review - Azure WebSocket model URL and PII logging - Add model_in_websocket_url() to BaseResponsesAPIConfig (default True) so providers can opt out of ?model= being appended to WebSocket URLs. - Override model_in_websocket_url() to return False for Azure, since Azure sends the model in the response.create body, not the URL query string. - Use this flag in llm_http_handler to conditionally append ?model=. - Pass masked message to _store_input() instead of the original PII-containing message so logging destinations do not receive unmasked PII. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): mask nested response.create input format for Presidio PII Handle the nested {"type":"response.create","response":{"input":[...]}} format in _mask_response_create. Previously only the flat top-level input was masked; the nested shape bypassed Presidio and forwarded raw PII upstream. Now both shapes are normalized and masked before forwarding. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * style: apply black formatting to llm_http_handler and streaming_iterator Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * style: suppress PLR0915 on async_responses_websocket Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): add apply_to_output masking on Responses API WebSocket path Previously the WebSocket guardrail filter excluded callbacks with apply_to_output=True, leaving model-generated PII unmasked before returning to the client. - Collect apply_to_output callbacks separately in llm_http_handler and pass them to ResponsesWebSocketStreaming as output_guardrail_callbacks. - Add _mask_response_completed method that calls check_pii(output_parse_pii=False) on text blocks in response.completed events, masking model output PII. - backend_to_client now chains unmask (pii_tokens) → mask (apply_to_output) before forwarding each event to the client. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): unmask PII tokens in streaming delta events and warn on guardrail init failure - Rename _unmask_response_completed -> _unmask_response_event and extend it to also unmask response.output_text.delta (and other delta types) so real-time streaming clients receive original values, not PII tokens. - Split the broad except-and-swallow into ImportError (expected in SDK-only environments) vs Exception (unexpected — now logs a warning so operators know masking is disabled). Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): enforce authorized model on WebSocket frames and remove proxy import Security: add _enforce_authorized_model to ResponsesWebSocketStreaming that overwrites both flat and nested model fields in every response.create frame with the connection-authorized model, preventing deployment-substitution attacks where an authenticated user sends a different model name in the frame body after connecting with an allowed model. Layering: remove the _OPTIONAL_PresidioPIIMasking isinstance check and proxy import from the SDK handler. Use duck-typed checks (callable check_pii + get_presidio_settings_from_request_data) so any guardrail implementing the interface works, not just Presidio. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): add _unmask_pii_text to duck-typed contract and mask delta frames - Add callable(_unmask_pii_text) check to the guardrail_callbacks filter so a custom guardrail missing that method cannot cause an AttributeError and silently kill the WebSocket session. - Extend _mask_response_completed to also mask response.output_text.delta (and other delta types) for apply_to_output callbacks, so real-time streaming clients do not receive unredacted model-generated PII in deltas. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * Fix Responses WebSocket guardrail edge cases * fix(responses): log masked output and suppress deltas when apply_to_output active - Move _store_event to after _mask_response_completed so logs receive the redacted form, not raw model output containing PII. - Suppress delta event forwarding when output_guardrail_callbacks are present: per-fragment Presidio cannot catch PII that spans multiple chunks (e.g. "alice@" + "example.com"). Clients receive only the fully-masked response.completed, which Presidio scans on complete text. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): mask and suppress response.output_item.done for apply_to_output response.output_item.done carries completed item text in item.content[*].text before response.completed arrives, allowing unmasked PII to reach the client. - _unmask_response_event: unmask input-PII tokens in item.content[*].text - _mask_response_completed: run check_pii on item.content[*].text for apply_to_output callbacks (same as response.completed handling) - backend_to_client suppression: also skip response.output_item.done when output_guardrail_callbacks are active; client receives only the fully-masked response.completed Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(types): cast response_obj to ResponsesAPIResponse to satisfy mypy Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * Revert "fix(types): cast response_obj to ResponsesAPIResponse to satisfy mypy" This reverts commit d596955. * Revert "fix(responses): mask and suppress response.output_item.done for apply_to_output" This reverts commit 219fd54. * fix(types): accept dict responses in guardrail output write-back Streaming response.completed events pass a dict response object, so widen _apply_guardrail_responses_to_output to match its existing runtime handling. Co-authored-by: Cursor <[email protected]> * perf(responses): skip Presidio masking on suppressed WebSocket delta events Delta events are dropped wholesale when apply_to_output masking is active, so masking them first issued a wasted check_pii call per fragment. Move the suppression check ahead of the unmask/mask passes; the event type is invariant across both, so client-visible behavior is unchanged. * test(responses): cover Responses WebSocket PII masking hooks Add regression tests for the native Responses WebSocket guardrail path: input masking and model enforcement in _mask_response_create, token unmasking in _unmask_response_event, apply_to_output masking and delta suppression in _mask_response_completed/backend_to_client, and the get_websocket_url / model_in_websocket_url defaults for the base and Azure configs. Raises diff coverage above the codecov patch target. * fix(responses): suppress text-bearing done events under output PII masking When apply_to_output masking is active on a native Responses WebSocket, response.output_text.done, response.content_part.done, and response.output_item.done carry the full model output before the masked response.completed arrives, so an authenticated client could read unmasked PII from those events. Suppress them alongside delta events; the client receives only the fully-masked response.completed. * refactor(responses): drop dead delta branch in WebSocket output masking Delta events are suppressed in backend_to_client before _mask_response_completed runs when output masking is active, so the method's delta-handling branch was unreachable. Restrict it to response.completed and cover the Responses API unmask path with a Pydantic ResponseCompletedEvent regression test. * fix(presidio): flush buffered chat chunks on mixed unmask stream _stream_pii_unmasking buffered ModelResponseStream chunks but returned early once a /v1/responses event was seen, silently dropping the buffered chat chunks. Flush them in order before switching to passthrough, mirroring _stream_apply_output_masking, and cover it with a regression test. * fix(responses): mask instructions and tool-call arguments in WebSocket PII path Presidio masking on the native Responses WebSocket path left two gaps. On the request side _mask_response_create only walked the input containers, so PII placed in the instructions field of a response.create frame was forwarded upstream and logged unmasked even with output_parse_pii enabled. Now both the flat and nested instructions strings are masked alongside input. On the response side _mask_response_completed only masked content text blocks, so model-produced PII inside function-call arguments could reach the client when apply_to_output was enabled, both via the standalone response.function_call_arguments.done event and via the function_call output items in response.completed. The done event is now suppressed under output masking and completed function-call arguments are run through check_pii before forwarding or logging. * fix(responses): suppress reasoning_summary_text.done under output PII masking * fix(responses): mask function_call_output.output in WebSocket PII path response.create input items of type function_call_output carry user-controlled text in output, not content, so the Presidio masking pass forwarded that text upstream unmasked. Mask the output field (string or list of text blocks) alongside content. * fix(responses): mask reasoning summary PII in WebSocket output path --------- Co-authored-by: Cursor <[email protected]> Co-authored-by: Claude Sonnet 4.6 <[email protected]> Co-authored-by: mateo-berri <[email protected]>
BerriAI#30003) * fix(responses): Presidio PII masking for Azure WebSocket and streaming Wire Presidio into native Responses WebSocket forwarding and fix streaming output unmasking so masked tokens are restored for HTTP and WS clients. Co-authored-by: Cursor <[email protected]> * Fix unused imports in responses handlers * fix(responses): address Greptile review - Azure WebSocket model URL and PII logging - Add model_in_websocket_url() to BaseResponsesAPIConfig (default True) so providers can opt out of ?model= being appended to WebSocket URLs. - Override model_in_websocket_url() to return False for Azure, since Azure sends the model in the response.create body, not the URL query string. - Use this flag in llm_http_handler to conditionally append ?model=. - Pass masked message to _store_input() instead of the original PII-containing message so logging destinations do not receive unmasked PII. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): mask nested response.create input format for Presidio PII Handle the nested {"type":"response.create","response":{"input":[...]}} format in _mask_response_create. Previously only the flat top-level input was masked; the nested shape bypassed Presidio and forwarded raw PII upstream. Now both shapes are normalized and masked before forwarding. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * style: apply black formatting to llm_http_handler and streaming_iterator Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * style: suppress PLR0915 on async_responses_websocket Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): add apply_to_output masking on Responses API WebSocket path Previously the WebSocket guardrail filter excluded callbacks with apply_to_output=True, leaving model-generated PII unmasked before returning to the client. - Collect apply_to_output callbacks separately in llm_http_handler and pass them to ResponsesWebSocketStreaming as output_guardrail_callbacks. - Add _mask_response_completed method that calls check_pii(output_parse_pii=False) on text blocks in response.completed events, masking model output PII. - backend_to_client now chains unmask (pii_tokens) → mask (apply_to_output) before forwarding each event to the client. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): unmask PII tokens in streaming delta events and warn on guardrail init failure - Rename _unmask_response_completed -> _unmask_response_event and extend it to also unmask response.output_text.delta (and other delta types) so real-time streaming clients receive original values, not PII tokens. - Split the broad except-and-swallow into ImportError (expected in SDK-only environments) vs Exception (unexpected — now logs a warning so operators know masking is disabled). Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): enforce authorized model on WebSocket frames and remove proxy import Security: add _enforce_authorized_model to ResponsesWebSocketStreaming that overwrites both flat and nested model fields in every response.create frame with the connection-authorized model, preventing deployment-substitution attacks where an authenticated user sends a different model name in the frame body after connecting with an allowed model. Layering: remove the _OPTIONAL_PresidioPIIMasking isinstance check and proxy import from the SDK handler. Use duck-typed checks (callable check_pii + get_presidio_settings_from_request_data) so any guardrail implementing the interface works, not just Presidio. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): add _unmask_pii_text to duck-typed contract and mask delta frames - Add callable(_unmask_pii_text) check to the guardrail_callbacks filter so a custom guardrail missing that method cannot cause an AttributeError and silently kill the WebSocket session. - Extend _mask_response_completed to also mask response.output_text.delta (and other delta types) for apply_to_output callbacks, so real-time streaming clients do not receive unredacted model-generated PII in deltas. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * Fix Responses WebSocket guardrail edge cases * fix(responses): log masked output and suppress deltas when apply_to_output active - Move _store_event to after _mask_response_completed so logs receive the redacted form, not raw model output containing PII. - Suppress delta event forwarding when output_guardrail_callbacks are present: per-fragment Presidio cannot catch PII that spans multiple chunks (e.g. "alice@" + "example.com"). Clients receive only the fully-masked response.completed, which Presidio scans on complete text. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(responses): mask and suppress response.output_item.done for apply_to_output response.output_item.done carries completed item text in item.content[*].text before response.completed arrives, allowing unmasked PII to reach the client. - _unmask_response_event: unmask input-PII tokens in item.content[*].text - _mask_response_completed: run check_pii on item.content[*].text for apply_to_output callbacks (same as response.completed handling) - backend_to_client suppression: also skip response.output_item.done when output_guardrail_callbacks are active; client receives only the fully-masked response.completed Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(types): cast response_obj to ResponsesAPIResponse to satisfy mypy Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * Revert "fix(types): cast response_obj to ResponsesAPIResponse to satisfy mypy" This reverts commit d596955. * Revert "fix(responses): mask and suppress response.output_item.done for apply_to_output" This reverts commit 219fd54. * fix(types): accept dict responses in guardrail output write-back Streaming response.completed events pass a dict response object, so widen _apply_guardrail_responses_to_output to match its existing runtime handling. Co-authored-by: Cursor <[email protected]> * perf(responses): skip Presidio masking on suppressed WebSocket delta events Delta events are dropped wholesale when apply_to_output masking is active, so masking them first issued a wasted check_pii call per fragment. Move the suppression check ahead of the unmask/mask passes; the event type is invariant across both, so client-visible behavior is unchanged. * test(responses): cover Responses WebSocket PII masking hooks Add regression tests for the native Responses WebSocket guardrail path: input masking and model enforcement in _mask_response_create, token unmasking in _unmask_response_event, apply_to_output masking and delta suppression in _mask_response_completed/backend_to_client, and the get_websocket_url / model_in_websocket_url defaults for the base and Azure configs. Raises diff coverage above the codecov patch target. * fix(responses): suppress text-bearing done events under output PII masking When apply_to_output masking is active on a native Responses WebSocket, response.output_text.done, response.content_part.done, and response.output_item.done carry the full model output before the masked response.completed arrives, so an authenticated client could read unmasked PII from those events. Suppress them alongside delta events; the client receives only the fully-masked response.completed. * refactor(responses): drop dead delta branch in WebSocket output masking Delta events are suppressed in backend_to_client before _mask_response_completed runs when output masking is active, so the method's delta-handling branch was unreachable. Restrict it to response.completed and cover the Responses API unmask path with a Pydantic ResponseCompletedEvent regression test. * fix(presidio): flush buffered chat chunks on mixed unmask stream _stream_pii_unmasking buffered ModelResponseStream chunks but returned early once a /v1/responses event was seen, silently dropping the buffered chat chunks. Flush them in order before switching to passthrough, mirroring _stream_apply_output_masking, and cover it with a regression test. * fix(responses): mask instructions and tool-call arguments in WebSocket PII path Presidio masking on the native Responses WebSocket path left two gaps. On the request side _mask_response_create only walked the input containers, so PII placed in the instructions field of a response.create frame was forwarded upstream and logged unmasked even with output_parse_pii enabled. Now both the flat and nested instructions strings are masked alongside input. On the response side _mask_response_completed only masked content text blocks, so model-produced PII inside function-call arguments could reach the client when apply_to_output was enabled, both via the standalone response.function_call_arguments.done event and via the function_call output items in response.completed. The done event is now suppressed under output masking and completed function-call arguments are run through check_pii before forwarding or logging. * fix(responses): suppress reasoning_summary_text.done under output PII masking * fix(responses): mask function_call_output.output in WebSocket PII path response.create input items of type function_call_output carry user-controlled text in output, not content, so the Presidio masking pass forwarded that text upstream unmasked. Mask the output field (string or list of text blocks) alongside content. * fix(responses): mask reasoning summary PII in WebSocket output path --------- Co-authored-by: Cursor <[email protected]> Co-authored-by: Claude Sonnet 4.6 <[email protected]> Co-authored-by: mateo-berri <[email protected]>
BerriAI#30003) * fix(responses): Presidio PII masking for Azure WebSocket and streaming Wire Presidio into native Responses WebSocket forwarding and fix streaming output unmasking so masked tokens are restored for HTTP and WS clients. Co-authored-by: Cursor <[email protected]> * Fix unused imports in responses handlers * fix(responses): address Greptile review - Azure WebSocket model URL and PII logging - Add model_in_websocket_url() to BaseResponsesAPIConfig (default True) so providers can opt out of ?model= being appended to WebSocket URLs. - Override model_in_websocket_url() to return False for Azure, since Azure sends the model in the response.create body, not the URL query string. - Use this flag in llm_http_handler to conditionally append ?model=. - Pass masked message to _store_input() instead of the original PII-containing message so logging destinations do not receive unmasked PII. * fix(responses): mask nested response.create input format for Presidio PII Handle the nested {"type":"response.create","response":{"input":[...]}} format in _mask_response_create. Previously only the flat top-level input was masked; the nested shape bypassed Presidio and forwarded raw PII upstream. Now both shapes are normalized and masked before forwarding. * style: apply black formatting to llm_http_handler and streaming_iterator * style: suppress PLR0915 on async_responses_websocket * fix(responses): add apply_to_output masking on Responses API WebSocket path Previously the WebSocket guardrail filter excluded callbacks with apply_to_output=True, leaving model-generated PII unmasked before returning to the client. - Collect apply_to_output callbacks separately in llm_http_handler and pass them to ResponsesWebSocketStreaming as output_guardrail_callbacks. - Add _mask_response_completed method that calls check_pii(output_parse_pii=False) on text blocks in response.completed events, masking model output PII. - backend_to_client now chains unmask (pii_tokens) → mask (apply_to_output) before forwarding each event to the client. * fix(responses): unmask PII tokens in streaming delta events and warn on guardrail init failure - Rename _unmask_response_completed -> _unmask_response_event and extend it to also unmask response.output_text.delta (and other delta types) so real-time streaming clients receive original values, not PII tokens. - Split the broad except-and-swallow into ImportError (expected in SDK-only environments) vs Exception (unexpected — now logs a warning so operators know masking is disabled). * fix(responses): enforce authorized model on WebSocket frames and remove proxy import Security: add _enforce_authorized_model to ResponsesWebSocketStreaming that overwrites both flat and nested model fields in every response.create frame with the connection-authorized model, preventing deployment-substitution attacks where an authenticated user sends a different model name in the frame body after connecting with an allowed model. Layering: remove the _OPTIONAL_PresidioPIIMasking isinstance check and proxy import from the SDK handler. Use duck-typed checks (callable check_pii + get_presidio_settings_from_request_data) so any guardrail implementing the interface works, not just Presidio. * fix(responses): add _unmask_pii_text to duck-typed contract and mask delta frames - Add callable(_unmask_pii_text) check to the guardrail_callbacks filter so a custom guardrail missing that method cannot cause an AttributeError and silently kill the WebSocket session. - Extend _mask_response_completed to also mask response.output_text.delta (and other delta types) for apply_to_output callbacks, so real-time streaming clients do not receive unredacted model-generated PII in deltas. * Fix Responses WebSocket guardrail edge cases * fix(responses): log masked output and suppress deltas when apply_to_output active - Move _store_event to after _mask_response_completed so logs receive the redacted form, not raw model output containing PII. - Suppress delta event forwarding when output_guardrail_callbacks are present: per-fragment Presidio cannot catch PII that spans multiple chunks (e.g. "alice@" + "example.com"). Clients receive only the fully-masked response.completed, which Presidio scans on complete text. * fix(responses): mask and suppress response.output_item.done for apply_to_output response.output_item.done carries completed item text in item.content[*].text before response.completed arrives, allowing unmasked PII to reach the client. - _unmask_response_event: unmask input-PII tokens in item.content[*].text - _mask_response_completed: run check_pii on item.content[*].text for apply_to_output callbacks (same as response.completed handling) - backend_to_client suppression: also skip response.output_item.done when output_guardrail_callbacks are active; client receives only the fully-masked response.completed * fix(types): cast response_obj to ResponsesAPIResponse to satisfy mypy * Revert "fix(types): cast response_obj to ResponsesAPIResponse to satisfy mypy" This reverts commit d596955. * Revert "fix(responses): mask and suppress response.output_item.done for apply_to_output" This reverts commit 219fd54. * fix(types): accept dict responses in guardrail output write-back Streaming response.completed events pass a dict response object, so widen _apply_guardrail_responses_to_output to match its existing runtime handling. Co-authored-by: Cursor <[email protected]> * perf(responses): skip Presidio masking on suppressed WebSocket delta events Delta events are dropped wholesale when apply_to_output masking is active, so masking them first issued a wasted check_pii call per fragment. Move the suppression check ahead of the unmask/mask passes; the event type is invariant across both, so client-visible behavior is unchanged. * test(responses): cover Responses WebSocket PII masking hooks Add regression tests for the native Responses WebSocket guardrail path: input masking and model enforcement in _mask_response_create, token unmasking in _unmask_response_event, apply_to_output masking and delta suppression in _mask_response_completed/backend_to_client, and the get_websocket_url / model_in_websocket_url defaults for the base and Azure configs. Raises diff coverage above the codecov patch target. * fix(responses): suppress text-bearing done events under output PII masking When apply_to_output masking is active on a native Responses WebSocket, response.output_text.done, response.content_part.done, and response.output_item.done carry the full model output before the masked response.completed arrives, so an authenticated client could read unmasked PII from those events. Suppress them alongside delta events; the client receives only the fully-masked response.completed. * refactor(responses): drop dead delta branch in WebSocket output masking Delta events are suppressed in backend_to_client before _mask_response_completed runs when output masking is active, so the method's delta-handling branch was unreachable. Restrict it to response.completed and cover the Responses API unmask path with a Pydantic ResponseCompletedEvent regression test. * fix(presidio): flush buffered chat chunks on mixed unmask stream _stream_pii_unmasking buffered ModelResponseStream chunks but returned early once a /v1/responses event was seen, silently dropping the buffered chat chunks. Flush them in order before switching to passthrough, mirroring _stream_apply_output_masking, and cover it with a regression test. * fix(responses): mask instructions and tool-call arguments in WebSocket PII path Presidio masking on the native Responses WebSocket path left two gaps. On the request side _mask_response_create only walked the input containers, so PII placed in the instructions field of a response.create frame was forwarded upstream and logged unmasked even with output_parse_pii enabled. Now both the flat and nested instructions strings are masked alongside input. On the response side _mask_response_completed only masked content text blocks, so model-produced PII inside function-call arguments could reach the client when apply_to_output was enabled, both via the standalone response.function_call_arguments.done event and via the function_call output items in response.completed. The done event is now suppressed under output masking and completed function-call arguments are run through check_pii before forwarding or logging. * fix(responses): suppress reasoning_summary_text.done under output PII masking * fix(responses): mask function_call_output.output in WebSocket PII path response.create input items of type function_call_output carry user-controlled text in output, not content, so the Presidio masking pass forwarded that text upstream unmasked. Mask the output field (string or list of text blocks) alongside content. * fix(responses): mask reasoning summary PII in WebSocket output path --------- Co-authored-by: Cursor <[email protected]> Co-authored-by: mateo-berri <[email protected]>
…to v1.90.0 (#232) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [https://github.com/BerriAI/litellm.git](https://github.com/BerriAI/litellm) | minor | `v1.89.4` → `v1.90.0` | --- ### Release Notes <details> <summary>BerriAI/litellm (https://github.com/BerriAI/litellm.git)</summary> ### [`v1.90.0`](https://github.com/BerriAI/litellm/releases/tag/v1.90.0) [Compare Source](BerriAI/litellm@v1.89.4...v1.90.0-rc.1) #### Verify Docker Image Signature All LiteLLM Docker images are signed with [cosign](https://docs.sigstore.dev/cosign/overview/). Every release is signed with the same key introduced in [commit `0112e53`](BerriAI/litellm@0112e53). **Verify using the pinned commit hash (recommended):** A commit hash is cryptographically immutable, so this is the strongest way to ensure you are using the original signing key: ```bash cosign verify \ --key https://raw.githubusercontent.com/BerriAI/litellm/0112e53046018d726492c814b3644b7d376029d0/cosign.pub \ ghcr.io/berriai/litellm:v1.90.0 ``` **Verify using the release tag (convenience):** Tags are protected in this repository and resolve to the same key. This option is easier to read but relies on tag protection rules: ```bash cosign verify \ --key https://raw.githubusercontent.com/BerriAI/litellm/v1.90.0/cosign.pub \ ghcr.io/berriai/litellm:v1.90.0 ``` Expected output: ``` The following checks were performed on each of these signatures: - The cosign claims were validated - The signatures were verified against the specified public key ``` *** #### What's Changed - fix(responses-bridge): map system-only chat request to system input item by [@​milan-berri](https://github.com/milan-berri) in [#​29817](BerriAI/litellm#29817) - feat(bedrock): forward strict and additionalProperties to Converse toolSpec by [@​mateo-berri](https://github.com/mateo-berri) in [#​29814](BerriAI/litellm#29814) - fix(mcp): highlight MCP cards red when the logged-in user is missing per-user env vars by [@​mateo-berri](https://github.com/mateo-berri) in [#​29856](BerriAI/litellm#29856) - feat(ui): add budget duration to edit team member form by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​29717](BerriAI/litellm#29717) - fix(ui): make workflow runs page fill full width by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29868](BerriAI/litellm#29868) - feat: standardize rate limit errors with category, rate\_limit\_type, model, and llm\_provider fields by [@​mateo-berri](https://github.com/mateo-berri) in [#​27687](BerriAI/litellm#27687) - fix(ui): default guardrails page to the Guardrails tab by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29872](BerriAI/litellm#29872) - docs(readme): add Deploy on AWS/GCP Terraform section and fix deploy button rendering by [@​mateo-berri](https://github.com/mateo-berri) in [#​29879](BerriAI/litellm#29879) - refactor(bedrock): build Converse toolSpec via a BedrockToolSpec dict subclass by [@​mateo-berri](https://github.com/mateo-berri) in [#​29869](BerriAI/litellm#29869) - feat(litellm): add models and repository layers by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​29686](BerriAI/litellm#29686) - feat(ui): include internal routes in the dashboard's generated OpenAPI types by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​29885](BerriAI/litellm#29885) - feat(proxy): publish /v2/model/info in Swagger OpenAPI spec by [@​Sameerlite](https://github.com/Sameerlite) in [#​29900](BerriAI/litellm#29900) - refactor(ui): single source of truth for migrated-page routing by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​29949](BerriAI/litellm#29949) - fix(ui/model-hub): render provider icons on the public model hub by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29958](BerriAI/litellm#29958) - fix(ui): keep create guardrail modal open on outside click by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29871](BerriAI/litellm#29871) - fix(ui): label default key type as "Full Access" on key edit page by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29870](BerriAI/litellm#29870) - fix(ui): unify migrated-route URLs and migrate the API Reference page by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​29953](BerriAI/litellm#29953) - fix(mcp): let non-creator users OAuth into OBO-mode MCP servers from the Tools page by [@​tin-berri](https://github.com/tin-berri) in [#​29867](BerriAI/litellm#29867) - Litellm oss staging 080626 by [@​Sameerlite](https://github.com/Sameerlite) in [#​29932](BerriAI/litellm#29932) - feat(galileo): add health check support for UI callback test by [@​Sameerlite](https://github.com/Sameerlite) in [#​29908](BerriAI/litellm#29908) - fix(model-management): allow deleting a BYOK model after its team is deleted by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29875](BerriAI/litellm#29875) - feat(jwt-auth): opt-in fallback to DB team on unresolved JWT claim by [@​milan-berri](https://github.com/milan-berri) in [#​28913](BerriAI/litellm#28913) - fix(team\_endpoints): don't block /team/update on unchanged team budget by [@​milan-berri](https://github.com/milan-berri) in [#​29525](BerriAI/litellm#29525) - fix(fireworks): enable tool calling for glm-5p1 in model cost map by [@​milan-berri](https://github.com/milan-berri) in [#​29697](BerriAI/litellm#29697) - fix(vertex): propagate Vertex AI metadata in streaming success callbacks by [@​Sameerlite](https://github.com/Sameerlite) in [#​29899](BerriAI/litellm#29899) - fix(ui): show team projects to internal users on key creation by [@​milan-berri](https://github.com/milan-berri) in [#​28855](BerriAI/litellm#28855) - build(deps): bump pyjwt to 2.13.0 and ws override to 8.20.1 by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29982](BerriAI/litellm#29982) - fix(team-management): delete a team's BYOK models when the team is deleted by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29977](BerriAI/litellm#29977) - feat(vantage): include organization metadata in FOCUS Tags export by [@​milan-berri](https://github.com/milan-berri) in [#​28184](BerriAI/litellm#28184) - fix(guardrails): read CrowdStrike AIDR identity from both metadata bags by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29991](BerriAI/litellm#29991) - fix(mcp): mirror upstream token lifetime instead of forcing a 1h OBO expiry by [@​tin-berri](https://github.com/tin-berri) in [#​29951](BerriAI/litellm#29951) - feat(azure\_ai): add MAI-Image-2.5 image generation support by [@​Sameerlite](https://github.com/Sameerlite) in [#​29688](BerriAI/litellm#29688) - fix(mcp): load MCP tool configuration tools via the OBO/passthrough-aware GET path by [@​tin-berri](https://github.com/tin-berri) in [#​29960](BerriAI/litellm#29960) - fix(team): reserve team budget raises for proxy admins on /team/update by [@​milan-berri](https://github.com/milan-berri) in [#​30030](BerriAI/litellm#30030) - test(ui): data-driven App Router migration E2E smoke (default + server-root-path) by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​29974](BerriAI/litellm#29974) - fix(proxy): extend response headers hook to streaming, TTS, image gen, and pass-through by [@​michelligabriele](https://github.com/michelligabriele) in [#​24232](BerriAI/litellm#24232) - chore(ui): remove dead App Router route stubs under (dashboard) by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30045](BerriAI/litellm#30045) - fix(ui/mcp): reset OAuth state on create-server modal close so a prior server's token no longer leaks into the next add-server session by [@​tin-berri](https://github.com/tin-berri) in [#​30000](BerriAI/litellm#30000) - fix(mcp): allow team access-group grants in OAuth authorize/token access check by [@​tin-berri](https://github.com/tin-berri) in [#​30041](BerriAI/litellm#30041) - docs(security): require a reproduction video for vulnerability reports by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30063](BerriAI/litellm#30063) - feat(ui): add admin flag to disable in-product UI nudges for everyone by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​29796](BerriAI/litellm#29796) - chore(ui): remove dead dashboard files and unused dependencies by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30047](BerriAI/litellm#30047) - fix(proxy): authorize batch files using upload target\_model\_names (LIT-3593) by [@​Sameerlite](https://github.com/Sameerlite) in [#​30009](BerriAI/litellm#30009) - Add Claude Fable 5 across Anthropic, Bedrock, Vertex AI, and Azure AI by [@​mateo-berri](https://github.com/mateo-berri) in [#​30064](BerriAI/litellm#30064) - Add Claude Fable 5 cost map entries (data-only hotfix for the hosted map) by [@​mateo-berri](https://github.com/mateo-berri) in [#​30076](BerriAI/litellm#30076) - fix(caching): restore stored prompt\_tokens on embedding cache hits instead of recomputing by [@​michelligabriele](https://github.com/michelligabriele) in [#​30046](BerriAI/litellm#30046) - Litellm oss 090626 by [@​Sameerlite](https://github.com/Sameerlite) in [#​30021](BerriAI/litellm#30021) - fix(proxy): self-heal startup/reload prisma reads on engine disconnect by [@​michelligabriele](https://github.com/michelligabriele) in [#​28803](BerriAI/litellm#28803) - chore(ui): make knip recognize .mjs scripts and openapi-typescript by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30052](BerriAI/litellm#30052) - fix(register\_model): preserve built-in cache pricing when registering custom overrides under unmapped keys by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30044](BerriAI/litellm#30044) - \[internal copy of [#​28007](BerriAI/litellm#28007)] Fix/gcp model garden streaming by [@​mateo-berri](https://github.com/mateo-berri) in [#​28363](BerriAI/litellm#28363) - feat(cli): per-agent `lite claude` / `codex` / `opencode` commands that wrap coding agents through the proxy by [@​mateo-berri](https://github.com/mateo-berri) in [#​29850](BerriAI/litellm#29850) - fix(callbacks): forward callback\_settings to callback initializers and guard consumers against non-dict values by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30161](BerriAI/litellm#30161) - fix(mcp): drop orphaned per-user credential rows when an MCP server is deleted by [@​tin-berri](https://github.com/tin-berri) in [#​30141](BerriAI/litellm#30141) - fix(proxy): recover from cached-plan errors by reconnecting the Prisma client by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​29983](BerriAI/litellm#29983) - feat(proxy): add option to disable server-side prepared statements for DB lookups by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​29984](BerriAI/litellm#29984) - fix(release): stop backport releases from overwriting the latest badge by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30005](BerriAI/litellm#30005) - feat: add conventional commits and coding guidelines by [@​mateo-berri](https://github.com/mateo-berri) in [#​30159](BerriAI/litellm#30159) - fix(proxy): return 5xx on DB infra errors during auth; reserve 401 for genuine auth failures by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​29986](BerriAI/litellm#29986) - fix(ui): dev server 404s on migrated-page links because uiBase hardcodes /ui by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30169](BerriAI/litellm#30169) - refactor(ui): consolidate dashboard to one shell in the (dashboard) layout by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30166](BerriAI/litellm#30166) - fix(proxy): align /v1/model/info with router deployments by [@​Sameerlite](https://github.com/Sameerlite) in [#​30025](BerriAI/litellm#30025) - fix: completion\_cost AttributeError on streaming Anthropic web\_search responses ([#​26153](BerriAI/litellm#26153)) by [@​ishaan-berri](https://github.com/ishaan-berri) in [#​27346](BerriAI/litellm#27346) - \[internal copy of [#​30137](BerriAI/litellm#30137)] perf(realtime): eliminate redundant per-frame JSON work on OpenAI realtime relay by [@​mateo-berri](https://github.com/mateo-berri) in [#​30142](BerriAI/litellm#30142) - feat(bedrock): aws\_bedrock\_project\_id for bedrock-mantle project / workspace association by [@​mateo-berri](https://github.com/mateo-berri) in [#​30163](BerriAI/litellm#30163) - chore(hooks): enforce Conventional Commits and Conventional Branches by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30174](BerriAI/litellm#30174) - feat(rate-limiter): allow opting out of v3 TPM reservation and Redis circuit breaker by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30211](BerriAI/litellm#30211) - feat(spend\_logs): opt-in native Postgres partitioning for SpendLogs retention by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​29466](BerriAI/litellm#29466) - feat(ui): migrate playground to path routing and colocate its files by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30185](BerriAI/litellm#30185) - feat(ui): migrate projects and access-groups to path routes by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30226](BerriAI/litellm#30226) - fix(proxy): coalesce NULL rollup metrics in aggregated daily-activity by [@​michelligabriele](https://github.com/michelligabriele) in [#​30151](BerriAI/litellm#30151) - fix(anthropic\_passthrough): resolve costing model from message\_start chunk, litellm\_params and model\_group instead of 'unknown' by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30160](BerriAI/litellm#30160) - feat(ui): migrate budgets, workflows, and guardrails-monitor to path routes by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30236](BerriAI/litellm#30236) - feat(ui): migrate mcp-servers, search-tools, tag-management, vector-stores, and memory to path routes by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30261](BerriAI/litellm#30261) - fix(a2a): forward agent\_extra\_headers through completion bridge by [@​mateo-berri](https://github.com/mateo-berri) in [#​28277](BerriAI/litellm#28277) - fix(gemini-live): forward audio buffer commit and correct Vertex PCM rate by [@​Sameerlite](https://github.com/Sameerlite) in [#​29946](BerriAI/litellm#29946) - fix(proxy): skip double-wrapping unified batch output file ids on retrieve by [@​Sameerlite](https://github.com/Sameerlite) in [#​30011](BerriAI/litellm#30011) - feat: litellm oss 110626 by [@​Sameerlite](https://github.com/Sameerlite) in [#​30202](BerriAI/litellm#30202) - fix(docker): copy only runtime artifacts into the final image by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30243](BerriAI/litellm#30243) - feat(proxy): enforce key/team guardrails on bedrock passthrough routes by [@​Sameerlite](https://github.com/Sameerlite) in [#​30194](BerriAI/litellm#30194) - feat(gemini): forward web search tools in image generation by [@​Sameerlite](https://github.com/Sameerlite) in [#​30119](BerriAI/litellm#30119) - fix: bedrock mantle fixes by [@​Sameerlite](https://github.com/Sameerlite) in [#​30083](BerriAI/litellm#30083) - feat(proxy): add require\_managed\_files setting for file uploads by [@​Sameerlite](https://github.com/Sameerlite) in [#​30186](BerriAI/litellm#30186) - fix(mcp): honor server\_id for REST tool calls with shared upstream URLs by [@​Sameerlite](https://github.com/Sameerlite) in [#​30184](BerriAI/litellm#30184) - fix(responses): presidio PII masking for Azure WebSocket and streaming by [@​Sameerlite](https://github.com/Sameerlite) in [#​30003](BerriAI/litellm#30003) - feat(passthrough): add configurable pass-through request timeouts by [@​Sameerlite](https://github.com/Sameerlite) in [#​30266](BerriAI/litellm#30266) - fix(google\_genai): preserve complete SSE events in Vertex/Gemini image streaming by [@​Sameerlite](https://github.com/Sameerlite) in [#​30270](BerriAI/litellm#30270) - fix(proxy): populate access\_via\_team\_ids on /v1/model/info by [@​Sameerlite](https://github.com/Sameerlite) in [#​30274](BerriAI/litellm#30274) - chore(oss): litellm oss staging 120626 by [@​Sameerlite](https://github.com/Sameerlite) in [#​30292](BerriAI/litellm#30292) - feat(ui): migrate policies, guardrails, prompts, tool-policies, and skills to path routes by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30263](BerriAI/litellm#30263) - feat(ui): migrate caching, cost-tracking, transform-request, ui-theme, and logs to path routes by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30267](BerriAI/litellm#30267) - fix(ui): gate dashboard layout on ui config load so deep links work under SERVER\_ROOT\_PATH by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30312](BerriAI/litellm#30312) - feat(ui): migrate admin-panel, logging-and-alerts, model-hub-table, and usage to path routes by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30268](BerriAI/litellm#30268) - fix(otel): cap metric attribute cardinality with include/exclude lists by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30257](BerriAI/litellm#30257) - fix(proxy): grace-period key rotation 401s; return deprecated-key lookup result directly by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30327](BerriAI/litellm#30327) - chore(deps): bump vitest, brace-expansion, pypdf and tornado by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30220](BerriAI/litellm#30220) - refactor(ui): remove unreachable /chat page by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30178](BerriAI/litellm#30178) - feat(ui): migrate agents and router-settings to path routes by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30323](BerriAI/litellm#30323) - feat: strengthen coding conventions in CLAUDE.md by [@​mateo-berri](https://github.com/mateo-berri) in [#​30333](BerriAI/litellm#30333) - feat(ui): cut the users page over to the /ui/users path route by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30334](BerriAI/litellm#30334) - feat: ruff strict-rule suppressions baseline gate by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30303](BerriAI/litellm#30303) - feat(guardrails): add Cisco AI Defense integration ([#​28249](BerriAI/litellm#28249)) by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30338](BerriAI/litellm#30338) - chore(ui): remove dead UI components unreferenced by any page by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30340](BerriAI/litellm#30340) - ci: add osv-scanner lockfile scan workflow by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30222](BerriAI/litellm#30222) - fix(otel): record full error message on standard exception event in otel v2 by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30380](BerriAI/litellm#30380) - test(fireworks): mock whisper transcription tests instead of live calls by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30391](BerriAI/litellm#30391) - build(ui): pin esbuild to 0.28.1 via overrides by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30390](BerriAI/litellm#30390) - feat(ui): cut the organizations page over to the /ui/organizations path route by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30336](BerriAI/litellm#30336) - fix(proxy): support SMTP implicit SSL (port 465) by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30395](BerriAI/litellm#30395) - fix(mcp): default Linear MCP registry entry to streamable HTTP by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30396](BerriAI/litellm#30396) - fix(ui): stop Virtual Keys page from infinite render loop by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30397](BerriAI/litellm#30397) - fix(streaming): guard raise\_on\_model\_repetition against empty choices by [@​shivamrawat1](https://github.com/shivamrawat1) in [#​30485](BerriAI/litellm#30485) - feat(otel-v2): emit the 6 gen\_ai.client.\* metrics at parity with v1 by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30326](BerriAI/litellm#30326) - fix(mcp): drop phantom 401 span on delegated OAuth2 tool calls by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30494](BerriAI/litellm#30494) - feat(ui): cut the teams page over to the /ui/teams path route by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30343](BerriAI/litellm#30343) - fix(integrations): cap Anthropic cache\_control injection at 4 blocks by [@​shivamrawat1](https://github.com/shivamrawat1) in [#​30480](BerriAI/litellm#30480) - chore(codecov): add Batches, Videos, and Realtime components by [@​Sameerlite](https://github.com/Sameerlite) in [#​30517](BerriAI/litellm#30517) - test(batches): move orphan tests into tests/test\_litellm for CI coverage by [@​Sameerlite](https://github.com/Sameerlite) in [#​30510](BerriAI/litellm#30510) - fix(guardrails): run pre\_call hook once for model-level guardrails by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30543](BerriAI/litellm#30543) - fix(guardrails): stop re-initializing DB guardrails on every poll by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30542](BerriAI/litellm#30542) - chore(oss): litellm oss staging 150626 by [@​Sameerlite](https://github.com/Sameerlite) in [#​30463](BerriAI/litellm#30463) - ci(lint): add blanket-noqa, dataclass-default, and unused-noqa Ruff rules by [@​mateo-berri](https://github.com/mateo-berri) in [#​30516](BerriAI/litellm#30516) - ci: ratchet lint and type-check gates (ruff preview, ANN, mypy, basedpyright) by [@​mateo-berri](https://github.com/mateo-berri) in [#​30379](BerriAI/litellm#30379) - fix(proxy): allow internal roles to access vector store CRUD routes by [@​shivamrawat1](https://github.com/shivamrawat1) in [#​30503](BerriAI/litellm#30503) - fix(otel): stamp gen\_ai.input/output.messages on v2 spans by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30548](BerriAI/litellm#30548) - fix(otel): export v2 gen\_ai client metrics to the configured meter provider by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30549](BerriAI/litellm#30549) - fix(bedrock): preserve cache\_control for ARN models in /v1/messages adapter by [@​mateo-berri](https://github.com/mateo-berri) in [#​29823](BerriAI/litellm#29823) - fix: greatly increase basedpyright slack by [@​mateo-berri](https://github.com/mateo-berri) in [#​30563](BerriAI/litellm#30563) - fix(budget): recompute budget\_reset\_at when budget\_duration changes on /budget/update by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30555](BerriAI/litellm#30555) - fix(otel): accept UPPER\_SNAKE\_CASE OTEL\_INSTRUMENTATION\_GENAI\_CAPTURE\_MESSAGE\_CONTENT in v2 by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30562](BerriAI/litellm#30562) - chore(lint): remove PLR0915 too-many-statements ruff rule by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30574](BerriAI/litellm#30574) - ci(lint): ratcheted type-discipline gate (mutable collections, casts, guards, kwargs, suppressions) by [@​mateo-berri](https://github.com/mateo-berri) in [#​30500](BerriAI/litellm#30500) - feat(proxy): add verification\_uri\_complete to CLI SSO device flow by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30571](BerriAI/litellm#30571) - chore: litellm oss staging160626 by [@​Sameerlite](https://github.com/Sameerlite) in [#​30527](BerriAI/litellm#30527) - fix(guardrails): return 400 not 500 when AIM blocks a request by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30573](BerriAI/litellm#30573) - ci(lint): grandfather any-discipline with a per-file ratchet budget (50% headroom) by [@​mateo-berri](https://github.com/mateo-berri) in [#​30582](BerriAI/litellm#30582) - fix(audio): don't override explicit response\_format with verbose\_json by [@​mateo-berri](https://github.com/mateo-berri) in [#​30599](BerriAI/litellm#30599) - fix(anthropic): price and surface response service\_tier in cost tracking by [@​mateo-berri](https://github.com/mateo-berri) in [#​30558](BerriAI/litellm#30558) - feat: add dev and wildcard proxy configs for local testing by [@​mateo-berri](https://github.com/mateo-berri) in [#​30556](BerriAI/litellm#30556) - fix(proxy): list public team model name in /v1/models by [@​ishaan-berri](https://github.com/ishaan-berri) in [#​30588](BerriAI/litellm#30588) - ci: drop mypy entirely, standardize type checking on basedpyright by [@​mateo-berri](https://github.com/mateo-berri) in [#​30648](BerriAI/litellm#30648) - feat(guardrails): surface OpenAI moderation violation\_categories on guardrail traces by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30659](BerriAI/litellm#30659) - fix(proxy): resolve list files credentials from team BYOK deployments by [@​shivamrawat1](https://github.com/shivamrawat1) in [#​30495](BerriAI/litellm#30495) - feat(proxy): add --max\_requests\_before\_restart\_jitter to stagger worker restarts by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30601](BerriAI/litellm#30601) - fix(health): correct bedrock embedding health checks by [@​mateo-berri](https://github.com/mateo-berri) in [#​30583](BerriAI/litellm#30583) - test: harden remaining pass-through CI flakes (image-gen spend poll, ruby assistants timeout) by [@​mateo-berri](https://github.com/mateo-berri) in [#​30685](BerriAI/litellm#30685) - test(pass\_through): harden vertex spendlog poll against transient empty reads by [@​mateo-berri](https://github.com/mateo-berri) in [#​30683](BerriAI/litellm#30683) - fix(cost): stop non-string service\_tier from silently dropping cost tracking by [@​mateo-berri](https://github.com/mateo-berri) in [#​30690](BerriAI/litellm#30690) - feat(proxy): warn at startup when custom\_auth skips common\_checks enforcement by [@​tin-berri](https://github.com/tin-berri) in [#​30665](BerriAI/litellm#30665) - fix(pod\_lock): release cron lock by matching async\_set\_cache JSON encoding by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30600](BerriAI/litellm#30600) - ci: run a local fake OpenAI endpoint instead of the shared Railway mock by [@​mateo-berri](https://github.com/mateo-berri) in [#​30695](BerriAI/litellm#30695) - ci(windows): pin uv to Python 3.11 so it ignores the preinstalled 3.14 by [@​mateo-berri](https://github.com/mateo-berri) in [#​30704](BerriAI/litellm#30704) - feat(ui): migrate models page to App Router path route by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30677](BerriAI/litellm#30677) - refactor(ui): remove orphaned pass-through-settings route by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30692](BerriAI/litellm#30692) - fix(cost): stop non-string response service\_tier from dropping cost tracking by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30706](BerriAI/litellm#30706) - feat(agent-shin): automated PR/issue triage, low-quality auto-close, and review-gate label lifecycle by [@​mateo-berri](https://github.com/mateo-berri) in [#​30433](BerriAI/litellm#30433) - chore: litellm oss 170626 by [@​Sameerlite](https://github.com/Sameerlite) in [#​30637](BerriAI/litellm#30637) - fix(bedrock\_mantle): add SigV4 fallback to chat completions auth by [@​mateo-berri](https://github.com/mateo-berri) in [#​30714](BerriAI/litellm#30714) - feat(search): add TinyFish as search provider by [@​simantak-dabhade](https://github.com/simantak-dabhade) in [#​30634](BerriAI/litellm#30634) - feat(ui): migrate old usage report to App Router path route by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30694](BerriAI/litellm#30694) - fix(proxy): enforce budgets against authoritative DB spend when the cross-pod counter is stale by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30684](BerriAI/litellm#30684) - chore(ci): remove Agent Shin pull\_request\_target workflows by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30784](BerriAI/litellm#30784) - chore: litellm oss staging by [@​Sameerlite](https://github.com/Sameerlite) in [#​30745](BerriAI/litellm#30745) - ci(zizmor): also run on litellm\_internal\_staging by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30789](BerriAI/litellm#30789) - fix(test): drop references to removed Agent Shin workflows by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30791](https://github.com/BerriAI/litellm/pull/30791) - chore: remove in-product survey and Claude Code feedback nudges by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30773](https://github.com/BerriAI/litellm/pull/30773) - feat(ui): migrate api-keys landing to App Router path route by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30699](https://github.com/BerriAI/litellm/pull/30699) - feat(proxy): configurable response headers and login-page hint by [@​yucheng-berri](https://github.com/yucheng-berri) in [#​30792](https://github.com/BerriAI/litellm/pull/30792) - ci(zizmor): gate PRs on medium+ findings and clear existing ones by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30797](https://github.com/BerriAI/litellm/pull/30797) - fix(proxy): use e.request\_data for logging\_obj in ModifyResponseException streaming passthrough by [@​mateo-berri](https://github.com/mateo-berri) in [#​30800](https://github.com/BerriAI/litellm/pull/30800) - chore: make pr template linear portion clearer by [@​mateo-berri](https://github.com/mateo-berri) in [#​30766](https://github.com/BerriAI/litellm/pull/30766) - chore(typing): add boto3/botocore stubs so basedpyright resolves the AWS SDK by [@​mateo-berri](https://github.com/mateo-berri) in [#​30815](https://github.com/BerriAI/litellm/pull/30815) - fix(otel): one v2 logger owns the global provider; scope tenant OTLP creds per exporter by [@​yucheng-berri](https://github.com/yucheng-berri) in [#​30590](https://github.com/BerriAI/litellm/pull/30590) - fix(passthrough): recover output tokens for interrupted anthropic streams by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30787](https://github.com/BerriAI/litellm/pull/30787) - fix(proxy): record partial spend on the failure row for interrupted streams by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30788](https://github.com/BerriAI/litellm/pull/30788) - fix(ui): repoint dead usage guide link to cost tracking docs by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30859](https://github.com/BerriAI/litellm/pull/30859) - fix(ui): warn that team models are deleted in the delete-team modal by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29990](https://github.com/BerriAI/litellm/pull/29990) - feat(caching): add valkey-semantic cache backend and fix semantic cache scope keys by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30675](https://github.com/BerriAI/litellm/pull/30675) - test(ui): isolate OldTeams delete-warning tests from leaked mock by [@​mateo-berri](https://github.com/mateo-berri) in [#​30871](https://github.com/BerriAI/litellm/pull/30871) - feat: add lint-gate target and truncation-proof summary to the strict ruff gate by [@​mateo-berri](https://github.com/mateo-berri) in [#​30877](https://github.com/BerriAI/litellm/pull/30877) - chore(ui): rebuild ui for release by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30894](https://github.com/BerriAI/litellm/pull/30894) - chore(ci): bump deps by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30899](https://github.com/BerriAI/litellm/pull/30899) - fix(watsonx): wrap string embedding input in array for WatsonX API by [@​shivamrawat1](https://github.com/shivamrawat1) in [#​30897](https://github.com/BerriAI/litellm/pull/30897) - test: point router/completion/triton tests at the local fake OpenAI endpoint by [@​mateo-berri](https://github.com/mateo-berri) in [#​30900](https://github.com/BerriAI/litellm/pull/30900) - feat(sandbox): e2b code execution primitive by [@​krrish-berri-2](https://github.com/krrish-berri-2) in [#​30898](https://github.com/BerriAI/litellm/pull/30898) - fix(ui): source api-keys identity from useAuthorized to stop "User ID is not set" by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30903](https://github.com/BerriAI/litellm/pull/30903) - chore(ui): rebuild ui by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30906](https://github.com/BerriAI/litellm/pull/30906) - chore(ci): promote internal staging to main by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30907](https://github.com/BerriAI/litellm/pull/30907) - fix(redis): prevent forcing SSLConnection when ssl=False in connection pool by [@​Jacopos311](https://github.com/Jacopos311) in [#​30770](https://github.com/BerriAI/litellm/pull/30770) - fix(proxy): log UI setup failures instead of silently swallowing by [@​sarvesh1327](https://github.com/sarvesh1327) in [#​30819](https://github.com/BerriAI/litellm/pull/30819) #### New Contributors - [@​simantak-dabhade](https://github.com/simantak-dabhade) made their first contribution in [#​30634](BerriAI/litellm#30634) - [@​Jacopos311](https://github.com/Jacopos311) made their first contribution in [#​30770](https://github.com/BerriAI/litellm/pull/30770) - [@​sarvesh1327](https://github.com/sarvesh1327) made their first contribution in [#​30819](https://github.com/BerriAI/litellm/pull/30819) **Full Changelog**: <BerriAI/litellm@v1.89.0...v1.90.0> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMjAuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIyMC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: Renovate Bot <[email protected]> Reviewed-on: https://codeberg.org/blake-hamm/bhamm-lab/pulls/232
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [ghcr.io/berriai/litellm](https://images.chainguard.dev/directory/image/wolfi-base/overview) ([source](https://github.com/BerriAI/litellm)) | final | minor | `v1.85.1` → `v1.90.0` | --- ### Release Notes <details> <summary>BerriAI/litellm (ghcr.io/berriai/litellm)</summary> ### [`v1.90.0`](https://github.com/BerriAI/litellm/releases/tag/v1.90.0) [Compare Source](https://github.com/BerriAI/litellm/compare/v1.90.0...v1.90.0) ##### Verify Docker Image Signature All LiteLLM Docker images are signed with [cosign](https://docs.sigstore.dev/cosign/overview/). Every release is signed with the same key introduced in [commit `0112e53`](https://github.com/BerriAI/litellm/commit/0112e53046018d726492c814b3644b7d376029d0). **Verify using the pinned commit hash (recommended):** A commit hash is cryptographically immutable, so this is the strongest way to ensure you are using the original signing key: ```bash cosign verify \ --key https://raw.githubusercontent.com/BerriAI/litellm/0112e53046018d726492c814b3644b7d376029d0/cosign.pub \ ghcr.io/berriai/litellm:v1.90.0 ``` **Verify using the release tag (convenience):** Tags are protected in this repository and resolve to the same key. This option is easier to read but relies on tag protection rules: ```bash cosign verify \ --key https://raw.githubusercontent.com/BerriAI/litellm/v1.90.0/cosign.pub \ ghcr.io/berriai/litellm:v1.90.0 ``` Expected output: ``` The following checks were performed on each of these signatures: - The cosign claims were validated - The signatures were verified against the specified public key ``` *** ##### What's Changed - fix(responses-bridge): map system-only chat request to system input item by [@​milan-berri](https://github.com/milan-berri) in [#​29817](https://github.com/BerriAI/litellm/pull/29817) - feat(bedrock): forward strict and additionalProperties to Converse toolSpec by [@​mateo-berri](https://github.com/mateo-berri) in [#​29814](https://github.com/BerriAI/litellm/pull/29814) - fix(mcp): highlight MCP cards red when the logged-in user is missing per-user env vars by [@​mateo-berri](https://github.com/mateo-berri) in [#​29856](https://github.com/BerriAI/litellm/pull/29856) - feat(ui): add budget duration to edit team member form by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​29717](https://github.com/BerriAI/litellm/pull/29717) - fix(ui): make workflow runs page fill full width by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29868](https://github.com/BerriAI/litellm/pull/29868) - feat: standardize rate limit errors with category, rate\_limit\_type, model, and llm\_provider fields by [@​mateo-berri](https://github.com/mateo-berri) in [#​27687](https://github.com/BerriAI/litellm/pull/27687) - fix(ui): default guardrails page to the Guardrails tab by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29872](https://github.com/BerriAI/litellm/pull/29872) - docs(readme): add Deploy on AWS/GCP Terraform section and fix deploy button rendering by [@​mateo-berri](https://github.com/mateo-berri) in [#​29879](https://github.com/BerriAI/litellm/pull/29879) - refactor(bedrock): build Converse toolSpec via a BedrockToolSpec dict subclass by [@​mateo-berri](https://github.com/mateo-berri) in [#​29869](https://github.com/BerriAI/litellm/pull/29869) - feat(litellm): add models and repository layers by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​29686](https://github.com/BerriAI/litellm/pull/29686) - feat(ui): include internal routes in the dashboard's generated OpenAPI types by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​29885](https://github.com/BerriAI/litellm/pull/29885) - feat(proxy): publish /v2/model/info in Swagger OpenAPI spec by [@​Sameerlite](https://github.com/Sameerlite) in [#​29900](https://github.com/BerriAI/litellm/pull/29900) - refactor(ui): single source of truth for migrated-page routing by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​29949](https://github.com/BerriAI/litellm/pull/29949) - fix(ui/model-hub): render provider icons on the public model hub by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29958](https://github.com/BerriAI/litellm/pull/29958) - fix(ui): keep create guardrail modal open on outside click by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29871](https://github.com/BerriAI/litellm/pull/29871) - fix(ui): label default key type as "Full Access" on key edit page by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29870](https://github.com/BerriAI/litellm/pull/29870) - fix(ui): unify migrated-route URLs and migrate the API Reference page by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​29953](https://github.com/BerriAI/litellm/pull/29953) - fix(mcp): let non-creator users OAuth into OBO-mode MCP servers from the Tools page by [@​tin-berri](https://github.com/tin-berri) in [#​29867](https://github.com/BerriAI/litellm/pull/29867) - Litellm oss staging 080626 by [@​Sameerlite](https://github.com/Sameerlite) in [#​29932](https://github.com/BerriAI/litellm/pull/29932) - feat(galileo): add health check support for UI callback test by [@​Sameerlite](https://github.com/Sameerlite) in [#​29908](https://github.com/BerriAI/litellm/pull/29908) - fix(model-management): allow deleting a BYOK model after its team is deleted by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29875](https://github.com/BerriAI/litellm/pull/29875) - feat(jwt-auth): opt-in fallback to DB team on unresolved JWT claim by [@​milan-berri](https://github.com/milan-berri) in [#​28913](https://github.com/BerriAI/litellm/pull/28913) - fix(team\_endpoints): don't block /team/update on unchanged team budget by [@​milan-berri](https://github.com/milan-berri) in [#​29525](https://github.com/BerriAI/litellm/pull/29525) - fix(fireworks): enable tool calling for glm-5p1 in model cost map by [@​milan-berri](https://github.com/milan-berri) in [#​29697](https://github.com/BerriAI/litellm/pull/29697) - fix(vertex): propagate Vertex AI metadata in streaming success callbacks by [@​Sameerlite](https://github.com/Sameerlite) in [#​29899](https://github.com/BerriAI/litellm/pull/29899) - fix(ui): show team projects to internal users on key creation by [@​milan-berri](https://github.com/milan-berri) in [#​28855](https://github.com/BerriAI/litellm/pull/28855) - build(deps): bump pyjwt to 2.13.0 and ws override to 8.20.1 by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29982](https://github.com/BerriAI/litellm/pull/29982) - fix(team-management): delete a team's BYOK models when the team is deleted by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29977](https://github.com/BerriAI/litellm/pull/29977) - feat(vantage): include organization metadata in FOCUS Tags export by [@​milan-berri](https://github.com/milan-berri) in [#​28184](https://github.com/BerriAI/litellm/pull/28184) - fix(guardrails): read CrowdStrike AIDR identity from both metadata bags by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29991](https://github.com/BerriAI/litellm/pull/29991) - fix(mcp): mirror upstream token lifetime instead of forcing a 1h OBO expiry by [@​tin-berri](https://github.com/tin-berri) in [#​29951](https://github.com/BerriAI/litellm/pull/29951) - feat(azure\_ai): add MAI-Image-2.5 image generation support by [@​Sameerlite](https://github.com/Sameerlite) in [#​29688](https://github.com/BerriAI/litellm/pull/29688) - fix(mcp): load MCP tool configuration tools via the OBO/passthrough-aware GET path by [@​tin-berri](https://github.com/tin-berri) in [#​29960](https://github.com/BerriAI/litellm/pull/29960) - fix(team): reserve team budget raises for proxy admins on /team/update by [@​milan-berri](https://github.com/milan-berri) in [#​30030](https://github.com/BerriAI/litellm/pull/30030) - test(ui): data-driven App Router migration E2E smoke (default + server-root-path) by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​29974](https://github.com/BerriAI/litellm/pull/29974) - fix(proxy): extend response headers hook to streaming, TTS, image gen, and pass-through by [@​michelligabriele](https://github.com/michelligabriele) in [#​24232](https://github.com/BerriAI/litellm/pull/24232) - chore(ui): remove dead App Router route stubs under (dashboard) by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30045](https://github.com/BerriAI/litellm/pull/30045) - fix(ui/mcp): reset OAuth state on create-server modal close so a prior server's token no longer leaks into the next add-server session by [@​tin-berri](https://github.com/tin-berri) in [#​30000](https://github.com/BerriAI/litellm/pull/30000) - fix(mcp): allow team access-group grants in OAuth authorize/token access check by [@​tin-berri](https://github.com/tin-berri) in [#​30041](https://github.com/BerriAI/litellm/pull/30041) - docs(security): require a reproduction video for vulnerability reports by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30063](https://github.com/BerriAI/litellm/pull/30063) - feat(ui): add admin flag to disable in-product UI nudges for everyone by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​29796](https://github.com/BerriAI/litellm/pull/29796) - chore(ui): remove dead dashboard files and unused dependencies by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30047](https://github.com/BerriAI/litellm/pull/30047) - fix(proxy): authorize batch files using upload target\_model\_names (LIT-3593) by [@​Sameerlite](https://github.com/Sameerlite) in [#​30009](https://github.com/BerriAI/litellm/pull/30009) - Add Claude Fable 5 across Anthropic, Bedrock, Vertex AI, and Azure AI by [@​mateo-berri](https://github.com/mateo-berri) in [#​30064](https://github.com/BerriAI/litellm/pull/30064) - Add Claude Fable 5 cost map entries (data-only hotfix for the hosted map) by [@​mateo-berri](https://github.com/mateo-berri) in [#​30076](https://github.com/BerriAI/litellm/pull/30076) - fix(caching): restore stored prompt\_tokens on embedding cache hits instead of recomputing by [@​michelligabriele](https://github.com/michelligabriele) in [#​30046](https://github.com/BerriAI/litellm/pull/30046) - Litellm oss 090626 by [@​Sameerlite](https://github.com/Sameerlite) in [#​30021](https://github.com/BerriAI/litellm/pull/30021) - fix(proxy): self-heal startup/reload prisma reads on engine disconnect by [@​michelligabriele](https://github.com/michelligabriele) in [#​28803](https://github.com/BerriAI/litellm/pull/28803) - chore(ui): make knip recognize .mjs scripts and openapi-typescript by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30052](https://github.com/BerriAI/litellm/pull/30052) - fix(register\_model): preserve built-in cache pricing when registering custom overrides under unmapped keys by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30044](https://github.com/BerriAI/litellm/pull/30044) - \[internal copy of [#​28007](https://github.com/BerriAI/litellm/issues/28007)] Fix/gcp model garden streaming by [@​mateo-berri](https://github.com/mateo-berri) in [#​28363](https://github.com/BerriAI/litellm/pull/28363) - feat(cli): per-agent `lite claude` / `codex` / `opencode` commands that wrap coding agents through the proxy by [@​mateo-berri](https://github.com/mateo-berri) in [#​29850](https://github.com/BerriAI/litellm/pull/29850) - fix(callbacks): forward callback\_settings to callback initializers and guard consumers against non-dict values by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30161](https://github.com/BerriAI/litellm/pull/30161) - fix(mcp): drop orphaned per-user credential rows when an MCP server is deleted by [@​tin-berri](https://github.com/tin-berri) in [#​30141](https://github.com/BerriAI/litellm/pull/30141) - fix(proxy): recover from cached-plan errors by reconnecting the Prisma client by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​29983](https://github.com/BerriAI/litellm/pull/29983) - feat(proxy): add option to disable server-side prepared statements for DB lookups by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​29984](https://github.com/BerriAI/litellm/pull/29984) - fix(release): stop backport releases from overwriting the latest badge by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30005](https://github.com/BerriAI/litellm/pull/30005) - feat: add conventional commits and coding guidelines by [@​mateo-berri](https://github.com/mateo-berri) in [#​30159](https://github.com/BerriAI/litellm/pull/30159) - fix(proxy): return 5xx on DB infra errors during auth; reserve 401 for genuine auth failures by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​29986](https://github.com/BerriAI/litellm/pull/29986) - fix(ui): dev server 404s on migrated-page links because uiBase hardcodes /ui by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30169](https://github.com/BerriAI/litellm/pull/30169) - refactor(ui): consolidate dashboard to one shell in the (dashboard) layout by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30166](https://github.com/BerriAI/litellm/pull/30166) - fix(proxy): align /v1/model/info with router deployments by [@​Sameerlite](https://github.com/Sameerlite) in [#​30025](https://github.com/BerriAI/litellm/pull/30025) - fix: completion\_cost AttributeError on streaming Anthropic web\_search responses ([#​26153](https://github.com/BerriAI/litellm/issues/26153)) by [@​ishaan-berri](https://github.com/ishaan-berri) in [#​27346](https://github.com/BerriAI/litellm/pull/27346) - \[internal copy of [#​30137](https://github.com/BerriAI/litellm/issues/30137)] perf(realtime): eliminate redundant per-frame JSON work on OpenAI realtime relay by [@​mateo-berri](https://github.com/mateo-berri) in [#​30142](https://github.com/BerriAI/litellm/pull/30142) - feat(bedrock): aws\_bedrock\_project\_id for bedrock-mantle project / workspace association by [@​mateo-berri](https://github.com/mateo-berri) in [#​30163](https://github.com/BerriAI/litellm/pull/30163) - chore(hooks): enforce Conventional Commits and Conventional Branches by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30174](https://github.com/BerriAI/litellm/pull/30174) - feat(rate-limiter): allow opting out of v3 TPM reservation and Redis circuit breaker by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30211](https://github.com/BerriAI/litellm/pull/30211) - feat(spend\_logs): opt-in native Postgres partitioning for SpendLogs retention by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​29466](https://github.com/BerriAI/litellm/pull/29466) - feat(ui): migrate playground to path routing and colocate its files by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30185](https://github.com/BerriAI/litellm/pull/30185) - feat(ui): migrate projects and access-groups to path routes by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30226](https://github.com/BerriAI/litellm/pull/30226) - fix(proxy): coalesce NULL rollup metrics in aggregated daily-activity by [@​michelligabriele](https://github.com/michelligabriele) in [#​30151](https://github.com/BerriAI/litellm/pull/30151) - fix(anthropic\_passthrough): resolve costing model from message\_start chunk, litellm\_params and model\_group instead of 'unknown' by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30160](https://github.com/BerriAI/litellm/pull/30160) - feat(ui): migrate budgets, workflows, and guardrails-monitor to path routes by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30236](https://github.com/BerriAI/litellm/pull/30236) - feat(ui): migrate mcp-servers, search-tools, tag-management, vector-stores, and memory to path routes by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30261](https://github.com/BerriAI/litellm/pull/30261) - fix(a2a): forward agent\_extra\_headers through completion bridge by [@​mateo-berri](https://github.com/mateo-berri) in [#​28277](https://github.com/BerriAI/litellm/pull/28277) - fix(gemini-live): forward audio buffer commit and correct Vertex PCM rate by [@​Sameerlite](https://github.com/Sameerlite) in [#​29946](https://github.com/BerriAI/litellm/pull/29946) - fix(proxy): skip double-wrapping unified batch output file ids on retrieve by [@​Sameerlite](https://github.com/Sameerlite) in [#​30011](https://github.com/BerriAI/litellm/pull/30011) - feat: litellm oss 110626 by [@​Sameerlite](https://github.com/Sameerlite) in [#​30202](https://github.com/BerriAI/litellm/pull/30202) - fix(docker): copy only runtime artifacts into the final image by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30243](https://github.com/BerriAI/litellm/pull/30243) - feat(proxy): enforce key/team guardrails on bedrock passthrough routes by [@​Sameerlite](https://github.com/Sameerlite) in [#​30194](https://github.com/BerriAI/litellm/pull/30194) - feat(gemini): forward web search tools in image generation by [@​Sameerlite](https://github.com/Sameerlite) in [#​30119](https://github.com/BerriAI/litellm/pull/30119) - fix: bedrock mantle fixes by [@​Sameerlite](https://github.com/Sameerlite) in [#​30083](https://github.com/BerriAI/litellm/pull/30083) - feat(proxy): add require\_managed\_files setting for file uploads by [@​Sameerlite](https://github.com/Sameerlite) in [#​30186](https://github.com/BerriAI/litellm/pull/30186) - fix(mcp): honor server\_id for REST tool calls with shared upstream URLs by [@​Sameerlite](https://github.com/Sameerlite) in [#​30184](https://github.com/BerriAI/litellm/pull/30184) - fix(responses): presidio PII masking for Azure WebSocket and streaming by [@​Sameerlite](https://github.com/Sameerlite) in [#​30003](https://github.com/BerriAI/litellm/pull/30003) - feat(passthrough): add configurable pass-through request timeouts by [@​Sameerlite](https://github.com/Sameerlite) in [#​30266](https://github.com/BerriAI/litellm/pull/30266) - fix(google\_genai): preserve complete SSE events in Vertex/Gemini image streaming by [@​Sameerlite](https://github.com/Sameerlite) in [#​30270](https://github.com/BerriAI/litellm/pull/30270) - fix(proxy): populate access\_via\_team\_ids on /v1/model/info by [@​Sameerlite](https://github.com/Sameerlite) in [#​30274](https://github.com/BerriAI/litellm/pull/30274) - chore(oss): litellm oss staging 120626 by [@​Sameerlite](https://github.com/Sameerlite) in [#​30292](https://github.com/BerriAI/litellm/pull/30292) - feat(ui): migrate policies, guardrails, prompts, tool-policies, and skills to path routes by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30263](https://github.com/BerriAI/litellm/pull/30263) - feat(ui): migrate caching, cost-tracking, transform-request, ui-theme, and logs to path routes by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30267](https://github.com/BerriAI/litellm/pull/30267) - fix(ui): gate dashboard layout on ui config load so deep links work under SERVER\_ROOT\_PATH by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30312](https://github.com/BerriAI/litellm/pull/30312) - feat(ui): migrate admin-panel, logging-and-alerts, model-hub-table, and usage to path routes by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30268](https://github.com/BerriAI/litellm/pull/30268) - fix(otel): cap metric attribute cardinality with include/exclude lists by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30257](https://github.com/BerriAI/litellm/pull/30257) - fix(proxy): grace-period key rotation 401s; return deprecated-key lookup result directly by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30327](https://github.com/BerriAI/litellm/pull/30327) - chore(deps): bump vitest, brace-expansion, pypdf and tornado by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30220](https://github.com/BerriAI/litellm/pull/30220) - refactor(ui): remove unreachable /chat page by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30178](https://github.com/BerriAI/litellm/pull/30178) - feat(ui): migrate agents and router-settings to path routes by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30323](https://github.com/BerriAI/litellm/pull/30323) - feat: strengthen coding conventions in CLAUDE.md by [@​mateo-berri](https://github.com/mateo-berri) in [#​30333](https://github.com/BerriAI/litellm/pull/30333) - feat(ui): cut the users page over to the /ui/users path route by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30334](https://github.com/BerriAI/litellm/pull/30334) - feat: ruff strict-rule suppressions baseline gate by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30303](https://github.com/BerriAI/litellm/pull/30303) - feat(guardrails): add Cisco AI Defense integration ([#​28249](https://github.com/BerriAI/litellm/issues/28249)) by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30338](https://github.com/BerriAI/litellm/pull/30338) - chore(ui): remove dead UI components unreferenced by any page by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30340](https://github.com/BerriAI/litellm/pull/30340) - ci: add osv-scanner lockfile scan workflow by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30222](https://github.com/BerriAI/litellm/pull/30222) - fix(otel): record full error message on standard exception event in otel v2 by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30380](https://github.com/BerriAI/litellm/pull/30380) - test(fireworks): mock whisper transcription tests instead of live calls by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30391](https://github.com/BerriAI/litellm/pull/30391) - build(ui): pin esbuild to 0.28.1 via overrides by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30390](https://github.com/BerriAI/litellm/pull/30390) - feat(ui): cut the organizations page over to the /ui/organizations path route by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30336](https://github.com/BerriAI/litellm/pull/30336) - fix(proxy): support SMTP implicit SSL (port 465) by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30395](https://github.com/BerriAI/litellm/pull/30395) - fix(mcp): default Linear MCP registry entry to streamable HTTP by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30396](https://github.com/BerriAI/litellm/pull/30396) - fix(ui): stop Virtual Keys page from infinite render loop by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30397](https://github.com/BerriAI/litellm/pull/30397) - fix(streaming): guard raise\_on\_model\_repetition against empty choices by [@​shivamrawat1](https://github.com/shivamrawat1) in [#​30485](https://github.com/BerriAI/litellm/pull/30485) - feat(otel-v2): emit the 6 gen\_ai.client.\* metrics at parity with v1 by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30326](https://github.com/BerriAI/litellm/pull/30326) - fix(mcp): drop phantom 401 span on delegated OAuth2 tool calls by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30494](https://github.com/BerriAI/litellm/pull/30494) - feat(ui): cut the teams page over to the /ui/teams path route by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30343](https://github.com/BerriAI/litellm/pull/30343) - fix(integrations): cap Anthropic cache\_control injection at 4 blocks by [@​shivamrawat1](https://github.com/shivamrawat1) in [#​30480](https://github.com/BerriAI/litellm/pull/30480) - chore(codecov): add Batches, Videos, and Realtime components by [@​Sameerlite](https://github.com/Sameerlite) in [#​30517](https://github.com/BerriAI/litellm/pull/30517) - test(batches): move orphan tests into tests/test\_litellm for CI coverage by [@​Sameerlite](https://github.com/Sameerlite) in [#​30510](https://github.com/BerriAI/litellm/pull/30510) - fix(guardrails): run pre\_call hook once for model-level guardrails by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30543](https://github.com/BerriAI/litellm/pull/30543) - fix(guardrails): stop re-initializing DB guardrails on every poll by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30542](https://github.com/BerriAI/litellm/pull/30542) - chore(oss): litellm oss staging 150626 by [@​Sameerlite](https://github.com/Sameerlite) in [#​30463](https://github.com/BerriAI/litellm/pull/30463) - ci(lint): add blanket-noqa, dataclass-default, and unused-noqa Ruff rules by [@​mateo-berri](https://github.com/mateo-berri) in [#​30516](https://github.com/BerriAI/litellm/pull/30516) - ci: ratchet lint and type-check gates (ruff preview, ANN, mypy, basedpyright) by [@​mateo-berri](https://github.com/mateo-berri) in [#​30379](https://github.com/BerriAI/litellm/pull/30379) - fix(proxy): allow internal roles to access vector store CRUD routes by [@​shivamrawat1](https://github.com/shivamrawat1) in [#​30503](https://github.com/BerriAI/litellm/pull/30503) - fix(otel): stamp gen\_ai.input/output.messages on v2 spans by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30548](https://github.com/BerriAI/litellm/pull/30548) - fix(otel): export v2 gen\_ai client metrics to the configured meter provider by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30549](https://github.com/BerriAI/litellm/pull/30549) - fix(bedrock): preserve cache\_control for ARN models in /v1/messages adapter by [@​mateo-berri](https://github.com/mateo-berri) in [#​29823](https://github.com/BerriAI/litellm/pull/29823) - fix: greatly increase basedpyright slack by [@​mateo-berri](https://github.com/mateo-berri) in [#​30563](https://github.com/BerriAI/litellm/pull/30563) - fix(budget): recompute budget\_reset\_at when budget\_duration changes on /budget/update by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30555](https://github.com/BerriAI/litellm/pull/30555) - fix(otel): accept UPPER\_SNAKE\_CASE OTEL\_INSTRUMENTATION\_GENAI\_CAPTURE\_MESSAGE\_CONTENT in v2 by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30562](https://github.com/BerriAI/litellm/pull/30562) - chore(lint): remove PLR0915 too-many-statements ruff rule by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30574](https://github.com/BerriAI/litellm/pull/30574) - ci(lint): ratcheted type-discipline gate (mutable collections, casts, guards, kwargs, suppressions) by [@​mateo-berri](https://github.com/mateo-berri) in [#​30500](https://github.com/BerriAI/litellm/pull/30500) - feat(proxy): add verification\_uri\_complete to CLI SSO device flow by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30571](https://github.com/BerriAI/litellm/pull/30571) - chore: litellm oss staging160626 by [@​Sameerlite](https://github.com/Sameerlite) in [#​30527](https://github.com/BerriAI/litellm/pull/30527) - fix(guardrails): return 400 not 500 when AIM blocks a request by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30573](https://github.com/BerriAI/litellm/pull/30573) - ci(lint): grandfather any-discipline with a per-file ratchet budget (50% headroom) by [@​mateo-berri](https://github.com/mateo-berri) in [#​30582](https://github.com/BerriAI/litellm/pull/30582) - fix(audio): don't override explicit response\_format with verbose\_json by [@​mateo-berri](https://github.com/mateo-berri) in [#​30599](https://github.com/BerriAI/litellm/pull/30599) - fix(anthropic): price and surface response service\_tier in cost tracking by [@​mateo-berri](https://github.com/mateo-berri) in [#​30558](https://github.com/BerriAI/litellm/pull/30558) - feat: add dev and wildcard proxy configs for local testing by [@​mateo-berri](https://github.com/mateo-berri) in [#​30556](https://github.com/BerriAI/litellm/pull/30556) - fix(proxy): list public team model name in /v1/models by [@​ishaan-berri](https://github.com/ishaan-berri) in [#​30588](https://github.com/BerriAI/litellm/pull/30588) - ci: drop mypy entirely, standardize type checking on basedpyright by [@​mateo-berri](https://github.com/mateo-berri) in [#​30648](https://github.com/BerriAI/litellm/pull/30648) - feat(guardrails): surface OpenAI moderation violation\_categories on guardrail traces by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30659](https://github.com/BerriAI/litellm/pull/30659) - fix(proxy): resolve list files credentials from team BYOK deployments by [@​shivamrawat1](https://github.com/shivamrawat1) in [#​30495](https://github.com/BerriAI/litellm/pull/30495) - feat(proxy): add --max\_requests\_before\_restart\_jitter to stagger worker restarts by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30601](https://github.com/BerriAI/litellm/pull/30601) - fix(health): correct bedrock embedding health checks by [@​mateo-berri](https://github.com/mateo-berri) in [#​30583](https://github.com/BerriAI/litellm/pull/30583) - test: harden remaining pass-through CI flakes (image-gen spend poll, ruby assistants timeout) by [@​mateo-berri](https://github.com/mateo-berri) in [#​30685](https://github.com/BerriAI/litellm/pull/30685) - test(pass\_through): harden vertex spendlog poll against transient empty reads by [@​mateo-berri](https://github.com/mateo-berri) in [#​30683](https://github.com/BerriAI/litellm/pull/30683) - fix(cost): stop non-string service\_tier from silently dropping cost tracking by [@​mateo-berri](https://github.com/mateo-berri) in [#​30690](https://github.com/BerriAI/litellm/pull/30690) - feat(proxy): warn at startup when custom\_auth skips common\_checks enforcement by [@​tin-berri](https://github.com/tin-berri) in [#​30665](https://github.com/BerriAI/litellm/pull/30665) - fix(pod\_lock): release cron lock by matching async\_set\_cache JSON encoding by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30600](https://github.com/BerriAI/litellm/pull/30600) - ci: run a local fake OpenAI endpoint instead of the shared Railway mock by [@​mateo-berri](https://github.com/mateo-berri) in [#​30695](https://github.com/BerriAI/litellm/pull/30695) - ci(windows): pin uv to Python 3.11 so it ignores the preinstalled 3.14 by [@​mateo-berri](https://github.com/mateo-berri) in [#​30704](https://github.com/BerriAI/litellm/pull/30704) - feat(ui): migrate models page to App Router path route by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30677](https://github.com/BerriAI/litellm/pull/30677) - refactor(ui): remove orphaned pass-through-settings route by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30692](https://github.com/BerriAI/litellm/pull/30692) - fix(cost): stop non-string response service\_tier from dropping cost tracking by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30706](https://github.com/BerriAI/litellm/pull/30706) - feat(agent-shin): automated PR/issue triage, low-quality auto-close, and review-gate label lifecycle by [@​mateo-berri](https://github.com/mateo-berri) in [#​30433](https://github.com/BerriAI/litellm/pull/30433) - chore: litellm oss 170626 by [@​Sameerlite](https://github.com/Sameerlite) in [#​30637](https://github.com/BerriAI/litellm/pull/30637) - fix(bedrock\_mantle): add SigV4 fallback to chat completions auth by [@​mateo-berri](https://github.com/mateo-berri) in [#​30714](https://github.com/BerriAI/litellm/pull/30714) - feat(search): add TinyFish as search provider by [@​simantak-dabhade](https://github.com/simantak-dabhade) in [#​30634](https://github.com/BerriAI/litellm/pull/30634) - feat(ui): migrate old usage report to App Router path route by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30694](https://github.com/BerriAI/litellm/pull/30694) - fix(proxy): enforce budgets against authoritative DB spend when the cross-pod counter is stale by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30684](https://github.com/BerriAI/litellm/pull/30684) - chore(ci): remove Agent Shin pull\_request\_target workflows by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30784](https://github.com/BerriAI/litellm/pull/30784) - chore: litellm oss staging by [@​Sameerlite](https://github.com/Sameerlite) in [#​30745](https://github.com/BerriAI/litellm/pull/30745) - ci(zizmor): also run on litellm\_internal\_staging by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30789](https://github.com/BerriAI/litellm/pull/30789) - fix(test): drop references to removed Agent Shin workflows by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30791](https://github.com/BerriAI/litellm/pull/30791) - chore: remove in-product survey and Claude Code feedback nudges by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30773](https://github.com/BerriAI/litellm/pull/30773) - feat(ui): migrate api-keys landing to App Router path route by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30699](https://github.com/BerriAI/litellm/pull/30699) - feat(proxy): configurable response headers and login-page hint by [@​yucheng-berri](https://github.com/yucheng-berri) in [#​30792](https://github.com/BerriAI/litellm/pull/30792) - ci(zizmor): gate PRs on medium+ findings and clear existing ones by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30797](https://github.com/BerriAI/litellm/pull/30797) - fix(proxy): use e.request\_data for logging\_obj in ModifyResponseException streaming passthrough by [@​mateo-berri](https://github.com/mateo-berri) in [#​30800](https://github.com/BerriAI/litellm/pull/30800) - chore: make pr template linear portion clearer by [@​mateo-berri](https://github.com/mateo-berri) in [#​30766](https://github.com/BerriAI/litellm/pull/30766) - chore(typing): add boto3/botocore stubs so basedpyright resolves the AWS SDK by [@​mateo-berri](https://github.com/mateo-berri) in [#​30815](https://github.com/BerriAI/litellm/pull/30815) - fix(otel): one v2 logger owns the global provider; scope tenant OTLP creds per exporter by [@​yucheng-berri](https://github.com/yucheng-berri) in [#​30590](https://github.com/BerriAI/litellm/pull/30590) - fix(passthrough): recover output tokens for interrupted anthropic streams by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30787](https://github.com/BerriAI/litellm/pull/30787) - fix(proxy): record partial spend on the failure row for interrupted streams by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30788](https://github.com/BerriAI/litellm/pull/30788) - fix(ui): repoint dead usage guide link to cost tracking docs by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30859](https://github.com/BerriAI/litellm/pull/30859) - fix(ui): warn that team models are deleted in the delete-team modal by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29990](https://github.com/BerriAI/litellm/pull/29990) - feat(caching): add valkey-semantic cache backend and fix semantic cache scope keys by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30675](https://github.com/BerriAI/litellm/pull/30675) - test(ui): isolate OldTeams delete-warning tests from leaked mock by [@​mateo-berri](https://github.com/mateo-berri) in [#​30871](https://github.com/BerriAI/litellm/pull/30871) - feat: add lint-gate target and truncation-proof summary to the strict ruff gate by [@​mateo-berri](https://github.com/mateo-berri) in [#​30877](https://github.com/BerriAI/litellm/pull/30877) - chore(ui): rebuild ui for release by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30894](https://github.com/BerriAI/litellm/pull/30894) - chore(ci): bump deps by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30899](https://github.com/BerriAI/litellm/pull/30899) - fix(watsonx): wrap string embedding input in array for WatsonX API by [@​shivamrawat1](https://github.com/shivamrawat1) in [#​30897](https://github.com/BerriAI/litellm/pull/30897) - test: point router/completion/triton tests at the local fake OpenAI endpoint by [@​mateo-berri](https://github.com/mateo-berri) in [#​30900](https://github.com/BerriAI/litellm/pull/30900) - feat(sandbox): e2b code execution primitive by [@​krrish-berri-2](https://github.com/krrish-berri-2) in [#​30898](https://github.com/BerriAI/litellm/pull/30898) - fix(ui): source api-keys identity from useAuthorized to stop "User ID is not set" by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30903](https://github.com/BerriAI/litellm/pull/30903) - chore(ui): rebuild ui by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30906](https://github.com/BerriAI/litellm/pull/30906) - chore(ci): promote internal staging to main by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30907](https://github.com/BerriAI/litellm/pull/30907) - fix(redis): prevent forcing SSLConnection when ssl=False in connection pool by [@​Jacopos311](https://github.com/Jacopos311) in [#​30770](https://github.com/BerriAI/litellm/pull/30770) - fix(proxy): log UI setup failures instead of silently swallowing by [@​sarvesh1327](https://github.com/sarvesh1327) in [#​30819](https://github.com/BerriAI/litellm/pull/30819) ##### New Contributors - [@​simantak-dabhade](https://github.com/simantak-dabhade) made their first contribution in [#​30634](https://github.com/BerriAI/litellm/pull/30634) - [@​Jacopos311](https://github.com/Jacopos311) made their first contribution in [#​30770](https://github.com/BerriAI/litellm/pull/30770) - [@​sarvesh1327](https://github.com/sarvesh1327) made their first contribution in [#​30819](https://github.com/BerriAI/litellm/pull/30819) **Full Changelog**: <https://github.com/BerriAI/litellm/compare/v1.89.0...v1.90.0> ### [`v1.90.0`](https://github.com/BerriAI/litellm/releases/tag/v1.90.0) [Compare Source](https://github.com/BerriAI/litellm/compare/v1.89.4...v1.90.0) ##### Verify Docker Image Signature All LiteLLM Docker images are signed with [cosign](https://docs.sigstore.dev/cosign/overview/). Every release is signed with the same key introduced in [commit `0112e53`](https://github.com/BerriAI/litellm/commit/0112e53046018d726492c814b3644b7d376029d0). **Verify using the pinned commit hash (recommended):** A commit hash is cryptographically immutable, so this is the strongest way to ensure you are using the original signing key: ```bash cosign verify \ --key https://raw.githubusercontent.com/BerriAI/litellm/0112e53046018d726492c814b3644b7d376029d0/cosign.pub \ ghcr.io/berriai/litellm:v1.90.0 ``` **Verify using the release tag (convenience):** Tags are protected in this repository and resolve to the same key. This option is easier to read but relies on tag protection rules: ```bash cosign verify \ --key https://raw.githubusercontent.com/BerriAI/litellm/v1.90.0/cosign.pub \ ghcr.io/berriai/litellm:v1.90.0 ``` Expected output: ``` The following checks were performed on each of these signatures: - The cosign claims were validated - The signatures were verified against the specified public key ``` *** ##### What's Changed - fix(responses-bridge): map system-only chat request to system input item by [@​milan-berri](https://github.com/milan-berri) in [#​29817](https://github.com/BerriAI/litellm/pull/29817) - feat(bedrock): forward strict and additionalProperties to Converse toolSpec by [@​mateo-berri](https://github.com/mateo-berri) in [#​29814](https://github.com/BerriAI/litellm/pull/29814) - fix(mcp): highlight MCP cards red when the logged-in user is missing per-user env vars by [@​mateo-berri](https://github.com/mateo-berri) in [#​29856](https://github.com/BerriAI/litellm/pull/29856) - feat(ui): add budget duration to edit team member form by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​29717](https://github.com/BerriAI/litellm/pull/29717) - fix(ui): make workflow runs page fill full width by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29868](https://github.com/BerriAI/litellm/pull/29868) - feat: standardize rate limit errors with category, rate\_limit\_type, model, and llm\_provider fields by [@​mateo-berri](https://github.com/mateo-berri) in [#​27687](https://github.com/BerriAI/litellm/pull/27687) - fix(ui): default guardrails page to the Guardrails tab by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29872](https://github.com/BerriAI/litellm/pull/29872) - docs(readme): add Deploy on AWS/GCP Terraform section and fix deploy button rendering by [@​mateo-berri](https://github.com/mateo-berri) in [#​29879](https://github.com/BerriAI/litellm/pull/29879) - refactor(bedrock): build Converse toolSpec via a BedrockToolSpec dict subclass by [@​mateo-berri](https://github.com/mateo-berri) in [#​29869](https://github.com/BerriAI/litellm/pull/29869) - feat(litellm): add models and repository layers by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​29686](https://github.com/BerriAI/litellm/pull/29686) - feat(ui): include internal routes in the dashboard's generated OpenAPI types by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​29885](https://github.com/BerriAI/litellm/pull/29885) - feat(proxy): publish /v2/model/info in Swagger OpenAPI spec by [@​Sameerlite](https://github.com/Sameerlite) in [#​29900](https://github.com/BerriAI/litellm/pull/29900) - refactor(ui): single source of truth for migrated-page routing by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​29949](https://github.com/BerriAI/litellm/pull/29949) - fix(ui/model-hub): render provider icons on the public model hub by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29958](https://github.com/BerriAI/litellm/pull/29958) - fix(ui): keep create guardrail modal open on outside click by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29871](https://github.com/BerriAI/litellm/pull/29871) - fix(ui): label default key type as "Full Access" on key edit page by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29870](https://github.com/BerriAI/litellm/pull/29870) - fix(ui): unify migrated-route URLs and migrate the API Reference page by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​29953](https://github.com/BerriAI/litellm/pull/29953) - fix(mcp): let non-creator users OAuth into OBO-mode MCP servers from the Tools page by [@​tin-berri](https://github.com/tin-berri) in [#​29867](https://github.com/BerriAI/litellm/pull/29867) - Litellm oss staging 080626 by [@​Sameerlite](https://github.com/Sameerlite) in [#​29932](https://github.com/BerriAI/litellm/pull/29932) - feat(galileo): add health check support for UI callback test by [@​Sameerlite](https://github.com/Sameerlite) in [#​29908](https://github.com/BerriAI/litellm/pull/29908) - fix(model-management): allow deleting a BYOK model after its team is deleted by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29875](https://github.com/BerriAI/litellm/pull/29875) - feat(jwt-auth): opt-in fallback to DB team on unresolved JWT claim by [@​milan-berri](https://github.com/milan-berri) in [#​28913](https://github.com/BerriAI/litellm/pull/28913) - fix(team\_endpoints): don't block /team/update on unchanged team budget by [@​milan-berri](https://github.com/milan-berri) in [#​29525](https://github.com/BerriAI/litellm/pull/29525) - fix(fireworks): enable tool calling for glm-5p1 in model cost map by [@​milan-berri](https://github.com/milan-berri) in [#​29697](https://github.com/BerriAI/litellm/pull/29697) - fix(vertex): propagate Vertex AI metadata in streaming success callbacks by [@​Sameerlite](https://github.com/Sameerlite) in [#​29899](https://github.com/BerriAI/litellm/pull/29899) - fix(ui): show team projects to internal users on key creation by [@​milan-berri](https://github.com/milan-berri) in [#​28855](https://github.com/BerriAI/litellm/pull/28855) - build(deps): bump pyjwt to 2.13.0 and ws override to 8.20.1 by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29982](https://github.com/BerriAI/litellm/pull/29982) - fix(team-management): delete a team's BYOK models when the team is deleted by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29977](https://github.com/BerriAI/litellm/pull/29977) - feat(vantage): include organization metadata in FOCUS Tags export by [@​milan-berri](https://github.com/milan-berri) in [#​28184](https://github.com/BerriAI/litellm/pull/28184) - fix(guardrails): read CrowdStrike AIDR identity from both metadata bags by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​29991](https://github.com/BerriAI/litellm/pull/29991) - fix(mcp): mirror upstream token lifetime instead of forcing a 1h OBO expiry by [@​tin-berri](https://github.com/tin-berri) in [#​29951](https://github.com/BerriAI/litellm/pull/29951) - feat(azure\_ai): add MAI-Image-2.5 image generation support by [@​Sameerlite](https://github.com/Sameerlite) in [#​29688](https://github.com/BerriAI/litellm/pull/29688) - fix(mcp): load MCP tool configuration tools via the OBO/passthrough-aware GET path by [@​tin-berri](https://github.com/tin-berri) in [#​29960](https://github.com/BerriAI/litellm/pull/29960) - fix(team): reserve team budget raises for proxy admins on /team/update by [@​milan-berri](https://github.com/milan-berri) in [#​30030](https://github.com/BerriAI/litellm/pull/30030) - test(ui): data-driven App Router migration E2E smoke (default + server-root-path) by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​29974](https://github.com/BerriAI/litellm/pull/29974) - fix(proxy): extend response headers hook to streaming, TTS, image gen, and pass-through by [@​michelligabriele](https://github.com/michelligabriele) in [#​24232](https://github.com/BerriAI/litellm/pull/24232) - chore(ui): remove dead App Router route stubs under (dashboard) by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30045](https://github.com/BerriAI/litellm/pull/30045) - fix(ui/mcp): reset OAuth state on create-server modal close so a prior server's token no longer leaks into the next add-server session by [@​tin-berri](https://github.com/tin-berri) in [#​30000](https://github.com/BerriAI/litellm/pull/30000) - fix(mcp): allow team access-group grants in OAuth authorize/token access check by [@​tin-berri](https://github.com/tin-berri) in [#​30041](https://github.com/BerriAI/litellm/pull/30041) - docs(security): require a reproduction video for vulnerability reports by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30063](https://github.com/BerriAI/litellm/pull/30063) - feat(ui): add admin flag to disable in-product UI nudges for everyone by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​29796](https://github.com/BerriAI/litellm/pull/29796) - chore(ui): remove dead dashboard files and unused dependencies by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30047](https://github.com/BerriAI/litellm/pull/30047) - fix(proxy): authorize batch files using upload target\_model\_names (LIT-3593) by [@​Sameerlite](https://github.com/Sameerlite) in [#​30009](https://github.com/BerriAI/litellm/pull/30009) - Add Claude Fable 5 across Anthropic, Bedrock, Vertex AI, and Azure AI by [@​mateo-berri](https://github.com/mateo-berri) in [#​30064](https://github.com/BerriAI/litellm/pull/30064) - Add Claude Fable 5 cost map entries (data-only hotfix for the hosted map) by [@​mateo-berri](https://github.com/mateo-berri) in [#​30076](https://github.com/BerriAI/litellm/pull/30076) - fix(caching): restore stored prompt\_tokens on embedding cache hits instead of recomputing by [@​michelligabriele](https://github.com/michelligabriele) in [#​30046](https://github.com/BerriAI/litellm/pull/30046) - Litellm oss 090626 by [@​Sameerlite](https://github.com/Sameerlite) in [#​30021](https://github.com/BerriAI/litellm/pull/30021) - fix(proxy): self-heal startup/reload prisma reads on engine disconnect by [@​michelligabriele](https://github.com/michelligabriele) in [#​28803](https://github.com/BerriAI/litellm/pull/28803) - chore(ui): make knip recognize .mjs scripts and openapi-typescript by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30052](https://github.com/BerriAI/litellm/pull/30052) - fix(register\_model): preserve built-in cache pricing when registering custom overrides under unmapped keys by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30044](https://github.com/BerriAI/litellm/pull/30044) - \[internal copy of [#​28007](https://github.com/BerriAI/litellm/issues/28007)] Fix/gcp model garden streaming by [@​mateo-berri](https://github.com/mateo-berri) in [#​28363](https://github.com/BerriAI/litellm/pull/28363) - feat(cli): per-agent `lite claude` / `codex` / `opencode` commands that wrap coding agents through the proxy by [@​mateo-berri](https://github.com/mateo-berri) in [#​29850](https://github.com/BerriAI/litellm/pull/29850) - fix(callbacks): forward callback\_settings to callback initializers and guard consumers against non-dict values by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30161](https://github.com/BerriAI/litellm/pull/30161) - fix(mcp): drop orphaned per-user credential rows when an MCP server is deleted by [@​tin-berri](https://github.com/tin-berri) in [#​30141](https://github.com/BerriAI/litellm/pull/30141) - fix(proxy): recover from cached-plan errors by reconnecting the Prisma client by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​29983](https://github.com/BerriAI/litellm/pull/29983) - feat(proxy): add option to disable server-side prepared statements for DB lookups by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​29984](https://github.com/BerriAI/litellm/pull/29984) - fix(release): stop backport releases from overwriting the latest badge by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30005](https://github.com/BerriAI/litellm/pull/30005) - feat: add conventional commits and coding guidelines by [@​mateo-berri](https://github.com/mateo-berri) in [#​30159](https://github.com/BerriAI/litellm/pull/30159) - fix(proxy): return 5xx on DB infra errors during auth; reserve 401 for genuine auth failures by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​29986](https://github.com/BerriAI/litellm/pull/29986) - fix(ui): dev server 404s on migrated-page links because uiBase hardcodes /ui by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30169](https://github.com/BerriAI/litellm/pull/30169) - refactor(ui): consolidate dashboard to one shell in the (dashboard) layout by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30166](https://github.com/BerriAI/litellm/pull/30166) - fix(proxy): align /v1/model/info with router deployments by [@​Sameerlite](https://github.com/Sameerlite) in [#​30025](https://github.com/BerriAI/litellm/pull/30025) - fix: completion\_cost AttributeError on streaming Anthropic web\_search responses ([#​26153](https://github.com/BerriAI/litellm/issues/26153)) by [@​ishaan-berri](https://github.com/ishaan-berri) in [#​27346](https://github.com/BerriAI/litellm/pull/27346) - \[internal copy of [#​30137](https://github.com/BerriAI/litellm/issues/30137)] perf(realtime): eliminate redundant per-frame JSON work on OpenAI realtime relay by [@​mateo-berri](https://github.com/mateo-berri) in [#​30142](https://github.com/BerriAI/litellm/pull/30142) - feat(bedrock): aws\_bedrock\_project\_id for bedrock-mantle project / workspace association by [@​mateo-berri](https://github.com/mateo-berri) in [#​30163](https://github.com/BerriAI/litellm/pull/30163) - chore(hooks): enforce Conventional Commits and Conventional Branches by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30174](https://github.com/BerriAI/litellm/pull/30174) - feat(rate-limiter): allow opting out of v3 TPM reservation and Redis circuit breaker by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30211](https://github.com/BerriAI/litellm/pull/30211) - feat(spend\_logs): opt-in native Postgres partitioning for SpendLogs retention by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​29466](https://github.com/BerriAI/litellm/pull/29466) - feat(ui): migrate playground to path routing and colocate its files by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30185](https://github.com/BerriAI/litellm/pull/30185) - feat(ui): migrate projects and access-groups to path routes by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30226](https://github.com/BerriAI/litellm/pull/30226) - fix(proxy): coalesce NULL rollup metrics in aggregated daily-activity by [@​michelligabriele](https://github.com/michelligabriele) in [#​30151](https://github.com/BerriAI/litellm/pull/30151) - fix(anthropic\_passthrough): resolve costing model from message\_start chunk, litellm\_params and model\_group instead of 'unknown' by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30160](https://github.com/BerriAI/litellm/pull/30160) - feat(ui): migrate budgets, workflows, and guardrails-monitor to path routes by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30236](https://github.com/BerriAI/litellm/pull/30236) - feat(ui): migrate mcp-servers, search-tools, tag-management, vector-stores, and memory to path routes by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30261](https://github.com/BerriAI/litellm/pull/30261) - fix(a2a): forward agent\_extra\_headers through completion bridge by [@​mateo-berri](https://github.com/mateo-berri) in [#​28277](https://github.com/BerriAI/litellm/pull/28277) - fix(gemini-live): forward audio buffer commit and correct Vertex PCM rate by [@​Sameerlite](https://github.com/Sameerlite) in [#​29946](https://github.com/BerriAI/litellm/pull/29946) - fix(proxy): skip double-wrapping unified batch output file ids on retrieve by [@​Sameerlite](https://github.com/Sameerlite) in [#​30011](https://github.com/BerriAI/litellm/pull/30011) - feat: litellm oss 110626 by [@​Sameerlite](https://github.com/Sameerlite) in [#​30202](https://github.com/BerriAI/litellm/pull/30202) - fix(docker): copy only runtime artifacts into the final image by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30243](https://github.com/BerriAI/litellm/pull/30243) - feat(proxy): enforce key/team guardrails on bedrock passthrough routes by [@​Sameerlite](https://github.com/Sameerlite) in [#​30194](https://github.com/BerriAI/litellm/pull/30194) - feat(gemini): forward web search tools in image generation by [@​Sameerlite](https://github.com/Sameerlite) in [#​30119](https://github.com/BerriAI/litellm/pull/30119) - fix: bedrock mantle fixes by [@​Sameerlite](https://github.com/Sameerlite) in [#​30083](https://github.com/BerriAI/litellm/pull/30083) - feat(proxy): add require\_managed\_files setting for file uploads by [@​Sameerlite](https://github.com/Sameerlite) in [#​30186](https://github.com/BerriAI/litellm/pull/30186) - fix(mcp): honor server\_id for REST tool calls with shared upstream URLs by [@​Sameerlite](https://github.com/Sameerlite) in [#​30184](https://github.com/BerriAI/litellm/pull/30184) - fix(responses): presidio PII masking for Azure WebSocket and streaming by [@​Sameerlite](https://github.com/Sameerlite) in [#​30003](https://github.com/BerriAI/litellm/pull/30003) - feat(passthrough): add configurable pass-through request timeouts by [@​Sameerlite](https://github.com/Sameerlite) in [#​30266](https://github.com/BerriAI/litellm/pull/30266) - fix(google\_genai): preserve complete SSE events in Vertex/Gemini image streaming by [@​Sameerlite](https://github.com/Sameerlite) in [#​30270](https://github.com/BerriAI/litellm/pull/30270) - fix(proxy): populate access\_via\_team\_ids on /v1/model/info by [@​Sameerlite](https://github.com/Sameerlite) in [#​30274](https://github.com/BerriAI/litellm/pull/30274) - chore(oss): litellm oss staging 120626 by [@​Sameerlite](https://github.com/Sameerlite) in [#​30292](https://github.com/BerriAI/litellm/pull/30292) - feat(ui): migrate policies, guardrails, prompts, tool-policies, and skills to path routes by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30263](https://github.com/BerriAI/litellm/pull/30263) - feat(ui): migrate caching, cost-tracking, transform-request, ui-theme, and logs to path routes by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30267](https://github.com/BerriAI/litellm/pull/30267) - fix(ui): gate dashboard layout on ui config load so deep links work under SERVER\_ROOT\_PATH by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30312](https://github.com/BerriAI/litellm/pull/30312) - feat(ui): migrate admin-panel, logging-and-alerts, model-hub-table, and usage to path routes by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30268](https://github.com/BerriAI/litellm/pull/30268) - fix(otel): cap metric attribute cardinality with include/exclude lists by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30257](https://github.com/BerriAI/litellm/pull/30257) - fix(proxy): grace-period key rotation 401s; return deprecated-key lookup result directly by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30327](https://github.com/BerriAI/litellm/pull/30327) - chore(deps): bump vitest, brace-expansion, pypdf and tornado by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30220](https://github.com/BerriAI/litellm/pull/30220) - refactor(ui): remove unreachable /chat page by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30178](https://github.com/BerriAI/litellm/pull/30178) - feat(ui): migrate agents and router-settings to path routes by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30323](https://github.com/BerriAI/litellm/pull/30323) - feat: strengthen coding conventions in CLAUDE.md by [@​mateo-berri](https://github.com/mateo-berri) in [#​30333](https://github.com/BerriAI/litellm/pull/30333) - feat(ui): cut the users page over to the /ui/users path route by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30334](https://github.com/BerriAI/litellm/pull/30334) - feat: ruff strict-rule suppressions baseline gate by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30303](https://github.com/BerriAI/litellm/pull/30303) - feat(guardrails): add Cisco AI Defense integration ([#​28249](https://github.com/BerriAI/litellm/issues/28249)) by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30338](https://github.com/BerriAI/litellm/pull/30338) - chore(ui): remove dead UI components unreferenced by any page by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30340](https://github.com/BerriAI/litellm/pull/30340) - ci: add osv-scanner lockfile scan workflow by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30222](https://github.com/BerriAI/litellm/pull/30222) - fix(otel): record full error message on standard exception event in otel v2 by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30380](https://github.com/BerriAI/litellm/pull/30380) - test(fireworks): mock whisper transcription tests instead of live calls by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30391](https://github.com/BerriAI/litellm/pull/30391) - build(ui): pin esbuild to 0.28.1 via overrides by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30390](https://github.com/BerriAI/litellm/pull/30390) - feat(ui): cut the organizations page over to the /ui/organizations path route by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30336](https://github.com/BerriAI/litellm/pull/30336) - fix(proxy): support SMTP implicit SSL (port 465) by [@​yuneng-berri](https://github.com/yuneng-berri) in [#​30395](https://github.com/BerriAI/litellm/pull/30395) - fix(mcp): default Linear MCP registry entry to streamable HTTP by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30396](https://github.com/BerriAI/litellm/pull/30396) - fix(ui): stop Virtual Keys page from infinite render loop by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30397](https://github.com/BerriAI/litellm/pull/30397) - fix(streaming): guard raise\_on\_model\_repetition against empty choices by [@​shivamrawat1](https://github.com/shivamrawat1) in [#​30485](https://github.com/BerriAI/litellm/pull/30485) - feat(otel-v2): emit the 6 gen\_ai.client.\* metrics at parity with v1 by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30326](https://github.com/BerriAI/litellm/pull/30326) - fix(mcp): drop phantom 401 span on delegated OAuth2 tool calls by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30494](https://github.com/BerriAI/litellm/pull/30494) - feat(ui): cut the teams page over to the /ui/teams path route by [@​ryan-crabbe-berri](https://github.com/ryan-crabbe-berri) in [#​30343](https://github.com/BerriAI/litellm/pull/30343) - fix(integrations): cap Anthropic cache\_control injection at 4 blocks by [@​shivamrawat1](https://github.com/shivamrawat1) in [#​30480](https://github.com/BerriAI/litellm/pull/30480) - chore(codecov): add Batches, Videos, and Realtime components by [@​Sameerlite](https://github.com/Sameerlite) in [#​30517](https://github.com/BerriAI/litellm/pull/30517) - test(batches): move orphan tests into tests/test\_litellm for CI coverage by [@​Sameerlite](https://github.com/Sameerlite) in [#​30510](https://github.com/BerriAI/litellm/pull/30510) - fix(guardrails): run pre\_call hook once for model-level guardrails by [@​yassin-berriai](https://github.com/yassin-berriai) in [#​30543](http…

Summary
get_websocket_url()(/openai/v1/responses, noapi-versionquery param)response.create/response.completedframes inResponsesWebSocketStreamingTest plan
poetry run pytest tests/test_litellm/llms/openai/responses/test_openai_responses_guardrail_handler.py -vpoetry run pytest tests/test_litellm/proxy/guardrails/guardrail_hooks/test_presidio.py -vpoetry run pytest tests/test_litellm/responses/test_responses_websocket_all_providers.py -vBefore


After
Note
Medium Risk
Touches PII handling and proxy WebSocket forwarding (including model substitution guards); behavior changes affect security-sensitive request/response paths but are covered by new tests.
Overview
Fixes Azure native Responses WebSocket connectivity by adding provider-specific
get_websocket_url()(/openai/v1/responses, noapi-version) andmodel_in_websocket_url() == False, and routing the HTTP handler through those hooks with fulllitellm_paramsinstead of always appending?model=.Extends Presidio PII to native Responses WebSockets:
response.createframes get input masking plus authorized-model overwrite on every create; backend events get token unmasking on deltas/response.completedand optional output masking. HTTP Responses streaming guardrails now write guardrailed text back intoresponse.completedoutput items (and Presidio no longer drops non–chat-completion stream chunks whenoutput_parse_piiis on).Reviewed by Cursor Bugbot for commit bee452c. Bugbot is set up for automated code reviews on this repo. Configure here.