Change8

v1.92.0-dev.1

📦 litellmView on GitHub →
10 features🐛 22 fixes🔧 8 symbols

Summary

This release introduces Docker image signature verification using cosign for enhanced security and adds features like declarative fallbacks and AES-256-GCM encryption for proxy credentials. Numerous bug fixes address issues across realtime processing, proxy permissions, Databricks tool calls, and UI stability.

Migration Steps

  1. Users running Docker images should verify image signatures using the provided cosign commands, preferably using the pinned commit hash for maximum security.

✨ New Features

  • Implemented declarative fallback generalizations for unknown models.
  • Added support for AES-256-GCM at-rest credential encryption with versioned format and re-encryption migration in the proxy.
  • Added support for a2a-sdk 1.x proxy routing for 0.3 and 1.0 agents.
  • Added Prometheus metric for litellm_overhead_with_guardrails_latency.
  • Added support for tagging routing denylist via ! prefix in the router.
  • Exposed streaming knobs on generic_guardrail_api.
  • Added logging for per-token-type reasoning and cache cost breakdown in the cost calculator.
  • Typed Customer Management response_model for OpenAPI coverage in the proxy.
  • Emit a tools/list CLIENT span for MCP discovery under otel_v2.
  • Added passthrough for /v1/messages to native endpoints via supported_endpoints.

🐛 Bug Fixes

  • Stopped second Gemini Live setup, retried hung handshake, and closed guardrail bypass in realtime.
  • Simplified unknown-model error message construction in the router.
  • Kept virtual-keys filters across delete and refresh in the UI.
  • Split parallel tool calls in Databricks so each tool message follows tool_calls.
  • Gated non-admin /key/generate budget_limits and permissions in the proxy.
  • Rejected non-finite budget_limits windows on /key/generate.
  • Hard-rejected CLI session token personal-key budget_limits.
  • Used single media upload for batch files to Vertex AI/files to fix 499s on large uploads.
  • Counted only active users toward license seat limit in the proxy.
  • Resolved per-user OAuth identity authoritatively at the token endpoint in MCP.
  • Rejected team-scoped object_permission on personal keys for non-admins in the proxy.
  • Dropped top-level additional_drop_params on /v1/messages in passthrough.
  • Scanned file and document attachments with Model Armor in guardrails.
  • Skipped health check for semantic auto_router deployments.
  • Dropped unmappable Bedrock Responses tools instead of failing the request.
  • Emitted x-litellm-response-cost header on /messages and /generateContent.
  • Supported client_secret_basic for upstream OAuth token endpoints in MCP.
  • Dropped unsignable Anthropic thinking blocks and allowed null signature in logging.
  • Stopped Request Logs page from overflowing horizontally and sized its columns in the UI.
  • Allowed any git host on the skills add form in the UI.
  • Stopped one unauthenticated server from emptying the aggregate tools/list in MCP.
  • Applied EMAIL_SIGNATURE to budget alert emails.

Affected Symbols