fix(azure): preserve content_policy_violation error details from Azure OpenAI

.circleci/config.yml

@@ -112,6 +112,24 @@ jobs:
             python -m mypy .
             cd ..
           no_output_timeout: 10m
+
+  semgrep:
+    docker:
+      - image: cimg/python:3.12
+        auth:
+          username: ${DOCKERHUB_USERNAME}
+          password: ${DOCKERHUB_PASSWORD}
+    working_directory: ~/project
+    steps:
+      - checkout
+      - setup_google_dns
+      - run:
+          name: Install Semgrep
+          command: pip install semgrep
+      - run:
+          name: Run Semgrep (custom rules only)
+          command: semgrep scan --config .semgrep/rules . --error
+
   local_testing_part1:
     docker:
       - image: cimg/python:3.12
@@ -3932,6 +3950,9 @@ jobs:
       image: ubuntu-2204:2023.10.1
     resource_class: xlarge
     working_directory: ~/project
+    parameters:
+      browser:
+        type: string
     steps:
       - checkout
       - setup_google_dns
@@ -3961,7 +3982,7 @@ jobs:
             echo "Expires at: $EXPIRES_AT"
             neon branches create \
               --project-id $NEON_PROJECT_ID \
-              --name preview/commit-${CIRCLE_SHA1:0:7} \
+              --name preview/commit-${CIRCLE_SHA1:0:7}-<< parameters.browser >> \
               --expires-at $EXPIRES_AT \
               --parent br-fancy-paper-ad1olsb3 \
               --api-key $NEON_API_KEY || true
@@ -3971,7 +3992,7 @@ jobs:
             E2E_UI_TEST_DATABASE_URL=$(neon connection-string \
               --project-id $NEON_PROJECT_ID \
               --api-key $NEON_API_KEY \
-              --branch preview/commit-${CIRCLE_SHA1:0:7} \
+              --branch preview/commit-${CIRCLE_SHA1:0:7}-<< parameters.browser >> \
               --database-name yuneng-trial-db \
               --role neondb_owner)
             echo $E2E_UI_TEST_DATABASE_URL
@@ -3983,7 +4004,7 @@ jobs:
               -e UI_USERNAME="admin" \
               -e UI_PASSWORD="gm" \
               -e LITELLM_LICENSE=$LITELLM_LICENSE \
-              --name litellm-docker-database \
+              --name litellm-docker-database-<< parameters.browser >> \
               -v $(pwd)/litellm/proxy/example_config_yaml/simple_config.yaml:/app/config.yaml \
               litellm-docker-database:ci \
               --config /app/config.yaml \
@@ -3999,7 +4020,7 @@ jobs:
             sudo rm dockerize-linux-amd64-v0.6.1.tar.gz
       - run:
           name: Start outputting logs
-          command: docker logs -f litellm-docker-database
+          command: docker logs -f litellm-docker-database-<< parameters.browser >>
           background: true
       - run:
           name: Wait for app to be ready
@@ -4008,6 +4029,7 @@ jobs:
           name: Run Playwright Tests
           command: |
             npx playwright test \
+              --project << parameters.browser >> \
               --config ui/litellm-dashboard/e2e_tests/playwright.config.ts \
               --reporter=html \
               --output=test-results
@@ -4114,6 +4136,12 @@ workflows:
               only:
                 - main
                 - /litellm_.*/
+      - semgrep:
+          filters:
+            branches:
+              only:
+                - main
+                - /litellm_.*/
       - local_testing_part1:
           filters:
             branches:
@@ -4213,6 +4241,20 @@ workflows:
                 - main
                 - /litellm_.*/
       - e2e_ui_testing:
+          name: e2e_ui_testing_chromium
+          browser: chromium
+          context: e2e_ui_tests
+          requires:
+            - ui_build
+            - build_docker_database_image
+          filters:
+            branches:
+              only:
+                - main
+                - /litellm_.*/
+      - e2e_ui_testing:
+          name: e2e_ui_testing_firefox
+          browser: firefox
           context: e2e_ui_tests
           requires:
             - ui_build
@@ -4492,6 +4534,7 @@ workflows:
       - publish_to_pypi:
           requires:
             - mypy_linting
+            - semgrep
             - local_testing_part1
             - local_testing_part2
             - build_and_test
@@ -4524,7 +4567,8 @@ workflows:
             - litellm_assistants_api_testing
             - auth_ui_unit_tests
             - db_migration_disable_update_check
-            - e2e_ui_testing
+            - e2e_ui_testing_chromium
+            - e2e_ui_testing_firefox
             - litellm_proxy_unit_testing_key_generation
             - litellm_proxy_unit_testing_part1
             - litellm_proxy_unit_testing_part2

.github/pull_request_template.md

@@ -9,6 +9,7 @@
 - [ ] I have Added testing in the [`tests/litellm/`](https://github.com/BerriAI/litellm/tree/main/tests/litellm) directory, **Adding at least 1 test is a hard requirement** - [see details](https://docs.litellm.ai/docs/extras/contributing_code)
 - [ ] My PR passes all unit tests on [`make test-unit`](https://docs.litellm.ai/docs/extras/contributing_code)
 - [ ] My PR's scope is as isolated as possible, it only solves 1 specific problem
+- [ ] I have requested a Greptile review by commenting `@greptileai` and received a **Confidence Score of at least 4/5** before requesting a maintainer review
 
 ## CI (LiteLLM team)
 

.semgrep/rules/README.md

@@ -0,0 +1,22 @@
+# Custom Semgrep rules for LiteLLM
+
+Add custom rule YAML files here. Semgrep loads all `.yml`/`.yaml` files under this directory.
+
+**Run only custom rules (CI / fail on findings):**
+
+```bash
+semgrep scan --config .semgrep/rules . --error
+```
+
+**Run with registry + custom rules:**
+
+```bash
+semgrep scan --config auto --config .semgrep/rules .
+```
+
+**Layout:**
+
+- `python/` – Python-specific rules (security, patterns)
+- Add more subdirs as needed (e.g. `generic/` for language-agnostic rules)
+
+See [Semgrep rule syntax](https://semgrep.dev/docs/writing-rules/rule-syntax/).

.semgrep/rules/python/unbounded-memory.yml

@@ -0,0 +1,14 @@
+# Unbounded memory growth – data structures without a clear max limit
+# Can lead to OOM under load.
+
+rules:
+  - id: unbounded-asyncio-queue
+    message: asyncio.Queue() with no maxsize can grow unbounded. Use asyncio.Queue(maxsize=N) for integrations (e.g. log queues).
+    severity: ERROR
+    languages: [python]
+    pattern-either:
+      - pattern: asyncio.Queue()
+      - pattern: asyncio.Queue(maxsize=0)
+    metadata:
+      category: correctness
+      cwe: "CWE-400: Uncontrolled Resource Consumption"

cookbook/nova_sonic_realtime.py

@@ -16,10 +16,14 @@
 import asyncio
 import base64
 import json
+import os
 import pyaudio
 import websockets
 from typing import Optional
 
+# Bounded queue size for audio chunks (configurable via env to avoid unbounded memory)
+AUDIO_QUEUE_MAXSIZE = int(os.getenv("LITELLM_ASYNCIO_QUEUE_MAXSIZE", 10_000))
+
 # Audio configuration (matching Nova Sonic requirements)
 INPUT_SAMPLE_RATE = 16000  # Nova Sonic expects 16kHz input
 OUTPUT_SAMPLE_RATE = 24000  # Nova Sonic outputs 24kHz
@@ -40,7 +44,7 @@ def __init__(self, url: str, api_key: str):
         self.api_key = api_key
         self.ws: Optional[websockets.WebSocketClientProtocol] = None
         self.is_active = False
-        self.audio_queue = asyncio.Queue()
+        self.audio_queue = asyncio.Queue(maxsize=AUDIO_QUEUE_MAXSIZE)
         self.pyaudio = pyaudio.PyAudio()
         self.input_stream = None
         self.output_stream = None

docs/my-website/docs/proxy/config_settings.md

@@ -395,7 +395,7 @@ router_settings:
 | ATHINA_API_KEY | API key for Athina service
 | ATHINA_BASE_URL | Base URL for Athina service (defaults to `https://log.athina.ai`)
 | AUTH_STRATEGY | Strategy used for authentication (e.g., OAuth, API key)
-| AUTO_REDIRECT_UI_LOGIN_TO_SSO | Flag to enable automatic redirect of UI login page to SSO when SSO is configured. Default is **true**
+| AUTO_REDIRECT_UI_LOGIN_TO_SSO | Flag to enable automatic redirect of UI login page to SSO when SSO is configured. Default is **false**
 | AUDIO_SPEECH_CHUNK_SIZE | Chunk size for audio speech processing. Default is 1024
 | ANTHROPIC_API_KEY | API key for Anthropic service
 | ANTHROPIC_API_BASE | Base URL for Anthropic API. Default is https://api.anthropic.com
@@ -784,6 +784,7 @@ router_settings:
 | LITELLM_USER_AGENT | Custom user agent string for LiteLLM API requests. Used for partner telemetry attribution
 | LITELLM_PRINT_STANDARD_LOGGING_PAYLOAD | If true, prints the standard logging payload to the console - useful for debugging
 | LITELM_ENVIRONMENT | Environment for LiteLLM Instance. This is currently only logged to DeepEval to determine the environment for DeepEval integration.
+| LITELLM_ASYNCIO_QUEUE_MAXSIZE | Maximum size for asyncio queues (e.g. log queues, spend update queues, and cookbook examples such as realtime audio in `nova_sonic_realtime.py`). Bounds in-memory growth to prevent OOM. Default is 1000.
 | LOGFIRE_TOKEN | Token for Logfire logging service
 | LOGFIRE_BASE_URL | Base URL for Logfire logging service (useful for self hosted deployments)
 | LOGGING_WORKER_CONCURRENCY | Maximum number of concurrent coroutine slots for the logging worker on the asyncio event loop. Default is 100. Setting too high will flood the event loop with logging tasks which will lower the overall latency of the requests.

docs/my-website/docs/proxy/guardrails/guardrail_policies.md

@@ -1,3 +1,7 @@
+import Image from '@theme/IdealImage';
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
 # [Beta] Guardrail Policies
 
 Use policies to group guardrails and control which ones run for specific teams, keys, or models.
@@ -10,6 +14,9 @@ Use policies to group guardrails and control which ones run for specific teams,
 
 ## Quick Start
 
+<Tabs>
+<TabItem value="config" label="config.yaml">
+
 ```yaml showLineNumbers title="config.yaml"
 model_list:
   - model_name: gpt-4
@@ -43,6 +50,26 @@ policy_attachments:
     scope: "*"  # apply to all requests
 ```
 
+</TabItem>
+<TabItem value="ui" label="UI (LiteLLM Dashboard)">
+
+**Step 1: Create a Policy**
+
+Go to **Policies** tab and click **+ Create New Policy**. Fill in the policy name, description, and select guardrails to add.
+
+![Enter policy name](https://colony-recorder.s3.amazonaws.com/files/2026-02-11/4ba62cc8-d2c4-4af1-a526-686295466928/ascreenshot_401eab3e2081466e8f4d4ffa3bf7bff4_text_export.jpeg)
+
+![Add a description for the policy](https://colony-recorder.s3.amazonaws.com/files/2026-02-11/51685e47-1d94-4d9c-acb0-3c88dce9f938/ascreenshot_a5cd40066ff34afbb1e4089a3c93d889_text_export.jpeg)
+
+![Select a parent policy to inherit from](https://colony-recorder.s3.amazonaws.com/files/2026-02-11/1d96c3d3-187a-4f7c-97d2-6ac1f093d51e/ascreenshot_8a3af3b2210547dca3d4709df920d005_text_export.jpeg)
+
+![Select guardrails to add to the policy](https://colony-recorder.s3.amazonaws.com/files/2026-02-11/23781274-e600-4d5f-a8a6-4a2a977a166c/ascreenshot_a2a45d2c5d064c77ab7cb47b569ad9e9_text_export.jpeg)
+
+![Click Create Policy to save](https://colony-recorder.s3.amazonaws.com/files/2026-02-11/1d1ae8a8-daa5-451b-9fa2-c5b607ff6220/ascreenshot_218c2dd259714be4aa3c4e1894c96878_text_export.jpeg)
+
+</TabItem>
+</Tabs>
+
 Response headers show what ran:
 
 ```
@@ -58,6 +85,9 @@ x-litellm-applied-guardrails: pii_masking,prompt_injection
 
 You have a global baseline, but want to add extra guardrails for a specific team.
 
+<Tabs>
+<TabItem value="config" label="config.yaml">
+
 ```yaml showLineNumbers title="config.yaml"
 policies:
   global-baseline:
@@ -81,6 +111,30 @@ policy_attachments:
       - finance  # team alias from /team/new
 ```
 
+</TabItem>
+<TabItem value="ui" label="UI (LiteLLM Dashboard)">
+
+**Option 1: Create a team-scoped attachment**
+
+Go to **Policies** > **Attachments** tab and click **+ Create New Attachment**. Select the policy and the teams to scope it to.
+
+![Select teams for the attachment](https://colony-recorder.s3.amazonaws.com/files/2026-02-11/50e58f54-3bc3-477e-a106-e58cb65fde7e/ascreenshot_85d2e3d9d8d24842baced92fea170427_text_export.jpeg)
+
+![Select the teams to attach the policy to](https://colony-recorder.s3.amazonaws.com/files/2026-02-11/f24066bb-0a73-49fb-87b6-c65ad3ca5b2f/ascreenshot_242476fbdac447309f65de78b0ed9fdd_text_export.jpeg)
+
+**Option 2: Attach from team settings**
+
+Go to **Teams** > click on a team > **Settings** tab > under **Policies**, select the policies to attach.
+
+![Open team settings and click Edit Settings](https://colony-recorder.s3.amazonaws.com/files/2026-02-11/c31c3735-4f9d-4c6a-896b-186e97296940/ascreenshot_4749bb24ce5942cca462acc958fd3822_text_export.jpeg)
+
+![Select policies to attach to this team](https://colony-recorder.s3.amazonaws.com/files/2026-02-11/da8d5d7a-d975-4bfe-acd2-f41dcea29520/ascreenshot_835a33b6cec545cbb2987f017fbaff90_text_export.jpeg)
+
+<Image img={require('../../../img/policy_team_attach.png')} />
+
+</TabItem>
+</Tabs>
+
 Now the `finance` team gets `pii_masking` + `strict_compliance_check` + `audit_logger`, while everyone else just gets `pii_masking`.
 
 ## Remove guardrails for a specific team
@@ -201,6 +255,60 @@ policy_attachments:
       - "test-*"  # key alias pattern
 ```
 
+**Tag-based** (matches keys/teams by metadata tags, wildcards supported):
+
+```yaml showLineNumbers title="config.yaml"
+policy_attachments:
+  - policy: hipaa-compliance
+    tags:
+      - "healthcare"
+      - "health-*"  # wildcard - matches health-team, health-dev, etc.
+```
+
+Tags are read from key and team `metadata.tags`. For example, a key created with `metadata: {"tags": ["healthcare"]}` would match the attachment above.
+
+## Test Policy Matching
+
+Debug which policies and guardrails apply for a given context. Use this to verify your policy configuration before deploying.
+
+<Tabs>
+<TabItem value="ui" label="UI (LiteLLM Dashboard)">
+
+Go to **Policies** > **Test** tab. Enter a team alias, key alias, model, or tags and click **Test** to see which policies match and what guardrails would be applied.
+
+<Image img={require('../../../img/policy_test_matching.png')} />
+
+</TabItem>
+<TabItem value="api" label="API">
+
+```bash
+curl -X POST "http://localhost:4000/policies/resolve" \
+    -H "Authorization: Bearer <your_api_key>" \
+    -H "Content-Type: application/json" \
+    -d '{
+        "tags": ["healthcare"],
+        "model": "gpt-4"
+    }'
+```
+
+Response:
+
+```json
+{
+    "effective_guardrails": ["pii_masking"],
+    "matched_policies": [
+        {
+            "policy_name": "hipaa-compliance",
+            "matched_via": "tag:healthcare",
+            "guardrails_added": ["pii_masking"]
+        }
+    ]
+}
+```
+
+</TabItem>
+</Tabs>
+
 ## Config Reference
 
 ### `policies`
@@ -233,21 +341,26 @@ policy_attachments:
     scope: ...
     teams: [...]
     keys: [...]
+    models: [...]
+    tags: [...]
 ```
 
 | Field | Type | Description |
 |-------|------|-------------|
 | `policy` | `string` | **Required.** Name of the policy to attach. |
 | `scope` | `string` | Use `"*"` to apply globally. |
-| `teams` | `list[string]` | Team aliases (from `/team/new`). |
+| `teams` | `list[string]` | Team aliases (from `/team/new`). Supports `*` wildcard. |
 | `keys` | `list[string]` | Key aliases (from `/key/generate`). Supports `*` wildcard. |
+| `models` | `list[string]` | Model names. Supports `*` wildcard. |
+| `tags` | `list[string]` | Tag patterns (from key/team `metadata.tags`). Supports `*` wildcard. |
 
 ### Response Headers
 
 | Header | Description |
 |--------|-------------|
 | `x-litellm-applied-policies` | Policies that matched this request |
 | `x-litellm-applied-guardrails` | Guardrails that actually ran |
+| `x-litellm-policy-sources` | Why each policy matched (e.g., `hipaa=tag:healthcare; baseline=scope:*`) |
 
 ## How it works