feat(setup): interactive setup wizard + install.sh

[ishaan-jaff]

What

Adds litellm --setup — a Claude Code-style TUI onboarding wizard + a curl-installable install.sh.

Demo flow:

$ litellm --setup

  ██╗     ██╗████████╗███████╗██╗     ██╗     ███╗   ███╗
  ...

  Welcome to LiteLLM v1.82.2

  Let's get started.

  Choose your LLM providers
  ○ 1. OpenAI        GPT-4o, GPT-4o-mini, o1
  ○ 2. Anthropic     Claude Opus, Sonnet, Haiku
  ○ 3. Azure OpenAI  GPT-4o via Azure
  ○ 4. Google Gemini Gemini 2.0 Flash, 1.5 Pro
  ○ 5. AWS Bedrock   Claude, Llama via AWS
  ○ 6. Ollama        Local models

  ❯ Provider(s): 1,2

  ❯ OpenAI API key sk-...: sk-...
  ❯ Anthropic API key sk-ant-...: sk-ant-...

  ❯ Port [4000]:
  ❯ Master key [auto-generate]:

  ✔ Config saved → ./litellm_config.yaml

  ❯ Start the proxy now? (Y/n):

Curl install:

curl -fsSL https://raw.githubusercontent.com/BerriAI/litellm/main/scripts/install.sh | sh

Changes

• litellm/setup_wizard.py — TUI wizard (pure stdlib + ANSI, no extra deps)
• litellm/proxy/proxy_cli.py — adds --setup flag
• scripts/install.sh — detects OS/Python, pip install litellm[proxy], launches wizard

Testing

litellm --setup
# select providers, enter keys, verify litellm_config.yaml is generated
# verify proxy starts: litellm --config litellm_config.yaml

Tested: wizard runs end-to-end, config generates valid YAML, proxy starts with "I'm alive!" health, models load from config (gpt-4o, gpt-4o-mini).

Pre-Submission Checklist

• Added tests (wizard is interactive TUI; validated via piped stdin in QA)
• make test-unit compatible (no new test deps)
• Lint passes (pyright, isort, flake8 all green)

Type

• New feature

CI (LiteLLM team)

• LiteLLM Tests

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
litellm	Ready	Preview, Comment	Mar 17, 2026 8:26pm

[greptile-apps]

Greptile Summary

This PR adds a litellm --setup interactive TUI onboarding wizard (litellm/setup_wizard.py), a --setup CLI flag in proxy_cli.py, a curl-installable scripts/install.sh, and a corresponding unit test suite. It's a well-scoped feature addition that mirrors the Claude Code onboarding UX.

The implementation has gone through significant iteration — a large number of issues identified in prior review rounds have been addressed: YAML-safe escaping via _yaml_escape, readline-safe ANSI prompts via _styled_input, lazy _divider() evaluation, Windows-safe module-level imports, port range validation, Azure deployment name collection, display-name collision avoidance, OSError handling around the config write and os.execlp, and proper set -eu (POSIX-compatible) in install.sh.

Remaining issues found in this pass:

• Misleading validation error message (litellm/setup_wizard.py:473): check_valid_key returns False for every exception — including transient network errors and rate limits — causing the wizard to always display — invalid API key regardless of the actual failure reason. Users with valid keys may be incorrectly prompted to re-enter them.
• Empty model_list not guarded (litellm/setup_wizard.py:296–316): If the user skips all API key prompts for non-Ollama providers, _build_config emits model_list: null, producing a config that starts the proxy but serves no models. No warning is shown before writing or launching.
• Azure API key leaks into environment_variables without a model (litellm/setup_wizard.py:494–510): When a user provides an Azure API key but omits the deployment name, the key is persisted to env_vars and written to environment_variables: in the YAML — but no azure/ model entry references it, leaving a dangling credential block.

Confidence Score: 3/5

• The PR is safe to merge with caveats — the wizard is non-critical path and isolated behind an explicit --setup flag, but two P1 issues (misleading validation errors, possible empty model_list config) should be fixed before broad promotion.
• The core wizard logic, YAML generation, and installer are well-implemented and many prior issues have been addressed. The remaining P1 issues affect UX correctness (misleading error messages, generating a non-functional config) but do not affect the existing LiteLLM proxy or SDK surface area since the wizard is gated behind --setup.
• litellm/setup_wizard.py — specifically the _validate_and_report method (error message accuracy) and the _wizard method (empty model_list guard)

Important Files Changed

Filename	Overview
litellm/setup_wizard.py	New interactive TUI setup wizard; many issues from prior review rounds have been addressed (YAML escaping, readline fix, port validation, lazily-evaluated divider, Windows import guard, Azure deployment collection, etc.), but three new issues remain: check_valid_key swallows all exceptions producing a misleading "invalid API key" message on network errors; no guard prevents writing a config with an empty model_list; and the Azure API key leaks into environment_variables even when Azure setup is incomplete.
litellm/proxy/proxy_cli.py	Adds --setup flag that delegates to run_setup_wizard() and returns; also adds # type: ignore[possibly-unbound] to suppress a Pyright warning on litellm_settings. The setup integration is minimal and correct; the type-ignore was flagged in a prior review thread.
scripts/install.sh	Curl-installable installer; most prior issues are resolved — LITELLM_PACKAGE now points to PyPI, pipefail dropped in favour of POSIX-compatible set -eu, /dev/tty guarded before read, --force-reinstall removed. Looks clean.
tests/test_litellm/test_setup_wizard.py	Pure unit tests covering _yaml_escape and _build_config; no network calls, no mocks needed. Tests verify YAML escaping, provider skipping, sentinel key filtering, Azure deployment name handling, and display-name collision avoidance. Good coverage of the pure functions.
CLAUDE.md	Documentation-only addition describing setup wizard conventions (class structure, check_valid_key usage, test_model field pattern). No issues.

Sequence Diagram

sequenceDiagram
    participant User
    participant CLI as proxy_cli.py (--setup)
    participant Wizard as SetupWizard
    participant Terminal as Terminal / /dev/tty
    participant LiteLLM as litellm.utils.check_valid_key
    participant FS as Filesystem

    User->>CLI: litellm --setup
    CLI->>Wizard: run_setup_wizard()
    Wizard->>Terminal: _print_welcome()
    Wizard->>Terminal: _select_providers() [arrow-key TUI or number fallback]
    Terminal-->>Wizard: selected providers[]
    Wizard->>Terminal: _collect_keys(providers)
    loop For each provider with env_key
        Terminal-->>Wizard: API key input
        Wizard->>LiteLLM: check_valid_key(test_model, api_key)
        LiteLLM-->>Wizard: True / False (auth OR any exception)
        alt Valid
            Wizard->>Terminal: ✔ connected
        else Invalid / network error
            Wizard->>Terminal: ✘ invalid API key (misleading on network errors)
            Terminal-->>Wizard: retry? (y/N)
        end
    end
    Wizard->>Terminal: _proxy_settings() — port + master key
    Terminal-->>Wizard: port, master_key
    Wizard->>FS: write litellm_config.yaml
    FS-->>Wizard: OK / OSError
    Wizard->>Terminal: _print_success()
    Wizard->>Terminal: Start proxy now? (Y/n)
    alt Yes
        Wizard->>CLI: os.execlp(litellm --config ... --port ...)
    else No
        Wizard->>Terminal: print manual start instructions
    end

Loading

Comments Outside Diff (3)

1. litellm/setup_wizard.py, line 296-316 (link)

   No guard against writing an empty model_list config

   If the user selects only API-key-requiring providers (no Ollama) and then skips every key prompt, _build_config will emit:

   model_list:
   
   general_settings:
     master_key: "sk-xxx"

   YAML parses model_list: with no scalar or sequence following it as null. LiteLLM will start successfully but silently have no routable models, and every API request will fail. There is no warning before config_path.write_text(...).

   A simple guard after _build_config returns would catch this:

   config_content = SetupWizard._build_config(providers, env_vars, master_key)
   if "\n  - model_name:" not in config_content:
       print(f"\n  {bold(_CROSS + ' No providers configured.')} "
             "Please re-run and enter at least one API key.\n")
       return

   Alternatively, check that env_vars contains at least one non-_LITELLM_ key (or that Ollama is selected) before proceeding to write the file.

2. litellm/setup_wizard.py, line 494-510 (link)

   Azure API key written to environment_variables even when Azure setup is incomplete

   If a user provides an Azure API key but leaves the deployment name prompt blank, _collect_keys still stores AZURE_API_KEY in env_vars (line 509). In _build_config the Azure model entry is correctly skipped (no deployment), but AZURE_API_KEY is not _LITELLM_-prefixed, so it passes the real_vars filter and ends up in the environment_variables: block of the generated YAML — a stored credential that no model actually references.

   The generated config will confuse users who compare it to the model list and find no azure/ entry, while still seeing their Azure key. Consider either:

   1. Clearing env_vars["AZURE_API_KEY"] when no deployment name is provided, so the key is never carried into the config:

   if deployment:
       env_vars[f"_LITELLM_AZURE_DEPLOYMENT_{p['id'].upper()}"] = deployment
   else:
       # No deployment → abandon Azure entirely; don't store the API key either
       print(grey("  Skipping Azure (no deployment name provided)."))
       continue  # skip _validate_and_report and env_vars assignment below

   2. Or print an explicit warning after writing the config when AZURE_API_KEY is present but no azure/ model appears in the output.

3. litellm/setup_wizard.py, line 473-481 (link)

   check_valid_key swallows all exceptions — misleading "invalid API key" error

   check_valid_key (in litellm/utils.py) catches both AuthenticationError and the catch-all except Exception branch, returning False in both cases. This means a transient network timeout, a 429 rate-limit response, or a DNS failure during key validation will display — invalid API key to the user, even though the key itself is perfectly valid.

   A user with a working key but a momentary network hiccup may discard a valid key and re-enter it unnecessarily, or give up on the provider entirely.

   At minimum, updating the printed message from — invalid API key to — validation failed (invalid key or network error) avoids a false diagnosis and sets correct expectations. The check_valid_key interface does not expose the actual error type, so that distinction would require wrapping litellm.completion directly here — but the message fix is a low-cost improvement.

_{Last reviewed commit: 0e77077}

[greptile-apps]

API keys written as unescaped YAML strings

API keys are embedded as bare double-quoted YAML scalars with no escaping. If a user pastes a key that happens to contain a ", \, or newline (even accidentally), the generated litellm_config.yaml will be malformed/unparseable. For example, a key value of sk-abc"def would produce:

  OPENAI_API_KEY: "sk-abc"def"

which is invalid YAML. Use Python's yaml library (already a transitive dependency of LiteLLM) to serialise the block safely:

import yaml

if real_env_vars:
    lines.append("environment_variables:")
    for k, v in real_env_vars.items():
        lines.append(f"  {k}: {yaml.dump(v, default_flow_style=True).strip()}")
    lines.append("")

Or build the full document as a dict and call yaml.dump() at the end to avoid manually constructing YAML entirely.

[greptile-apps]

run_setup_wizard() always returns None despite its own docstring

The docstring says "Returns the path to the generated config file, or None if aborted", but the function always returns None regardless of whether the wizard completed successfully or was cancelled. The caller in proxy_cli.py currently ignores the return value, but this contract is broken and will mislead future callers.

Either update the docstring to match the implementation, or actually return the path on success:

def run_setup_wizard() -> Optional[str]:
    """
    Run the interactive setup wizard.

    Returns the path to the generated config file, or None if aborted.
    """
    try:
        config_path = _run_wizard()
        return config_path
    except (KeyboardInterrupt, EOFError):
        print(f"\n\n  {grey('Setup cancelled.')}\n")
        return None

and have _run_wizard() return the str(config_path) at the end.

[greptile-apps]

API keys stored in plaintext with no .gitignore warning

The wizard tells users "Keys are stored only in the generated config file", which is technically true but omits the critical follow-up: the file is written to the current working directory with a predictable name (litellm_config.yaml) and contains all secrets in plaintext. Users who accidentally git add . or check this file into a public repository will silently leak credentials.

Consider:

1. Printing an explicit warning after writing the file, e.g.:

  ⚠  Add litellm_config.yaml to .gitignore to avoid leaking keys:
       echo "litellm_config.yaml" >> .gitignore

2. Optionally auto-appending to .gitignore if one already exists in the current directory.

[greptile-apps]

DIVIDER captures color support at module-import time

DIVIDER = dim("  " + "╌" * 74)

dim() calls _supports_color(), which calls sys.stdout.isatty(), at import time. If setup_wizard is imported in a non-TTY context (e.g., during tests, CI, or any other import-time evaluation), DIVIDER will permanently lack ANSI codes for the lifetime of the process — even if the actual wizard later runs in a TTY.

Move this to a function or lazily evaluate it at call time:

def _divider() -> str:
    return dim("  " + "╌" * 74)

and replace all uses of DIVIDER with _divider().

[greptile-apps]

Skipped provider still emits models into the config without credentials

If a user selects (say) OpenAI but then skips the API key prompt (Skip? y), the key variable is left as "" and env_vars["OPENAI_API_KEY"] is never set. However in _build_config, the provider's models (gpt-4o, gpt-4o-mini) are still added to model_list — just without an api_key line. The resulting config will attempt to load these models and silently fall back to the OPENAI_API_KEY environment variable, or fail at runtime with a confusing authentication error.

Consider either:

• Excluding the provider from _build_config when its key was skipped (pass a filtered list), or
• Adding a comment in the YAML to make the missing key obvious to the user.

[greptile-apps]

Unused variable py_ver

py_ver is assigned but never referenced. Remove it to keep the script clean and avoid the spurious Python subprocess invocation:

Suggested change

	py_ver="$("$candidate" -c 'import sys; print(sys.version_info[:2])' 2>/dev/null || true)"
	major="$("$candidate" -c 'import sys; print(sys.version_info.major)' 2>/dev/null || true)"

[greptile-apps]

Hardcoded Anthropic model IDs will go stale

"models": ["claude-opus-4-5", "claude-sonnet-4-5", "claude-haiku-4-5-20251001"],

These model strings are hardcoded in the wizard, meaning every new Claude release requires a code change + LiteLLM upgrade before it shows up as a suggestion. The same applies to bedrock/anthropic.claude-3-5-sonnet-20241022-v2:0 and other versioned identifiers.

Per the project's convention, consider deriving the displayed model list from model_prices_and_context_window.json (via get_model_info / litellm.model_list) so the wizard automatically reflects the latest supported models without code changes.

Rule Used: What: Do not hardcode model-specific flags in the ... (source)

[greptile-apps]

pipefail breaks on POSIX sh (Debian/Ubuntu)

The documented install command is curl -fsSL ... | sh. When a script is piped this way, the OS executes it with the shell named in $SHELL or invoked as sh — the #!/usr/bin/env bash shebang on line 1 is completely ignored by the receiving shell process.

On Debian and Ubuntu (the most common Linux distributions), /bin/sh is dash, which does not recognise pipefail as a valid set option. Running the one-liner will immediately print:

sh: 1: set: Illegal option -o pipefail

and exit with a non-zero status before a single line of installer logic runs.

Fix: either change the documented usage to | bash, or drop pipefail and keep only the POSIX-compatible options:

Suggested change

	set -euo pipefail
	set -eu

[greptile-apps]

Hardcoded model IDs will go stale and violate project convention

The model strings "claude-opus-4-5", "claude-sonnet-4-5", "claude-haiku-4-5-20251001" (and "bedrock/anthropic.claude-3-5-sonnet-20241022-v2:0" on line 63) are hardcoded directly in the wizard. Per the project's convention, model-specific identifiers should not be hardcoded in the codebase — they belong in model_prices_and_context_window.json and should be read via get_model_info / litellm.model_list. Every new Claude release will require a code change and a LiteLLM upgrade before it shows up here.

This pattern also appears at litellm/setup_wizard.py:63 for the Bedrock model ID.

Consider deriving the displayed model list from the existing model registry so the wizard automatically reflects the latest supported models without code changes.

Rule Used: What: Do not hardcode model-specific flags in the ... (source)

[greptile-apps]

Azure deployment name is never collected — generated config will fail

Azure OpenAI requires a user-defined deployment name that is separate from the underlying model name. In LiteLLM the model string must be azure/<deployment_name>, not azure/<model_name>. The wizard never prompts for this value, so it unconditionally falls back to the placeholder azure/gpt-4o, which assumes the user named their deployment gpt-4o.

In virtually every real Azure workspace the deployment has a custom name (e.g. my-gpt4-prod), so any request using this generated config will receive a 404 / "DeploymentNotFound" error from Azure.

The deployment name should be collected during the API key step for Azure (alongside the endpoint URL) and threaded through to _build_config.

[greptile-apps]

Hardcoded dev branch will break the installer after merge

LITELLM_PACKAGE is hardcoded to the feature branch worktree-dynamic-tickling-journal. Once this PR is merged and that branch is deleted, every user who runs the documented curl | sh one-liner from main will get a pip install failure because the branch no longer exists.

The comment on line 9-10 even acknowledges this must be fixed before merging, but the fix has not been applied. The line should be changed to:

Suggested change

	LITELLM_PACKAGE="litellm[proxy] @ git+https://github.com/BerriAI/litellm.git@worktree-dynamic-tickling-journal"
	LITELLM_PACKAGE="litellm[proxy]"

[greptile-apps]

LITELLM_BRANCH env var changes the display banner but not the installed package

The script checks $LITELLM_BRANCH to decide what to print in the header (lines 81–85), but the actual pip install on line 88 always uses $LITELLM_PACKAGE, which is hardcoded above. A user who exports LITELLM_BRANCH=my-feature will see "Installing litellm from branch 'my-feature'…" but actually install from whatever LITELLM_PACKAGE was set to. This is misleading and could cause confusion during debugging.

If LITELLM_BRANCH is intended to allow branch overrides, the package variable needs to be set based on it:

Suggested change

	if [ -n "$LITELLM_BRANCH" ]; then
	header "Installing litellm from branch '${LITELLM_BRANCH}'…"
	else
	header "Installing litellm[proxy]…"
	fi
	echo ""
	"$PYTHON_BIN" -m pip install --quiet --progress-bar off "${LITELLM_PACKAGE}" \
	|| die "pip install failed. Try manually: $PYTHON_BIN -m pip install '${LITELLM_PACKAGE}'"
	if [ -n "$LITELLM_BRANCH" ]; then
	header "Installing litellm from branch '${LITELLM_BRANCH}'…"
	LITELLM_PACKAGE="litellm[proxy] @ git+https://github.com/BerriAI/litellm.git@${LITELLM_BRANCH}"
	else
	header "Installing litellm[proxy]…"
	fi
	echo ""
	"$PYTHON_BIN" -m pip install --quiet --progress-bar off "${LITELLM_PACKAGE}" \
	|| die "pip install failed. Try manually: $PYTHON_BIN -m pip install '${LITELLM_PACKAGE}'"

[greptile-apps]

Port number is not range-validated

port_raw.isdigit() only verifies the string is a non-negative integer, but valid TCP ports are 1–65535. A user entering 99999 or 0 will pass this check and produce a config file with an invalid port that causes litellm to fail on startup with an unhelpful OS error rather than a clear message here.

Suggested change

	port_raw = input(f" {blue('❯')} Port {grey('[4000]')}: ").strip()
	port = int(port_raw) if port_raw.isdigit() else 4000
	port = int(port_raw) if port_raw.isdigit() and 1 <= int(port_raw) <= 65535 else 4000

[greptile-apps]

display_name collision when OpenAI and Azure are both selected

display_name is derived by stripping the provider prefix: azure/gpt-4o → gpt-4o. When a user selects both OpenAI and Azure OpenAI, the generated config will contain two entries both with model_name: gpt-4o:

model_list:
  - model_name: gpt-4o          # from OpenAI
    litellm_params:
      model: gpt-4o
  ...
  - model_name: gpt-4o          # from Azure — same key!
    litellm_params:
      model: azure/gpt-4o

LiteLLM supports duplicate model_name entries for load-balancing, but with no indication to the user that both will serve under the same name, this will cause silent routing surprises. Prefixing the Azure entry would make the config unambiguous:

Suggested change

	for p in providers:
	if not p["models"] and p["id"] == "azure":
	# Azure — add a generic placeholder
	models_to_add = ["azure/gpt-4o"]
	else:
	models_to_add = p["models"]
	for model in models_to_add:
	# User-facing model name (strip provider prefix for display)
	display_name = model.split("/")[-1] if "/" in model else model
	display_name = model.split("/")[-1] if "/" in model else model
	if p["id"] == "azure":
	display_name = f"azure-{display_name}"

[greptile-apps]

Hardcoded model IDs violate project convention

The model strings "claude-opus-4-5", "claude-sonnet-4-5", and "claude-haiku-4-5-20251001" (line 36) are hardcoded in the wizard. Per the project's convention, model-specific identifiers should not be hardcoded in the codebase — they belong in model_prices_and_context_window.json and should be read via get_model_info / litellm.model_list. Every new Claude release will require a code change and a LiteLLM upgrade before it shows up here.

The same issue applies to "bedrock/anthropic.claude-3-5-sonnet-20241022-v2:0" on line 63.

Consider querying the model registry at wizard startup to populate the model lists dynamically, so the wizard automatically reflects the latest supported models without code changes.

Rule Used: What: Do not hardcode model-specific flags in the ... (source)

[greptile-apps]

Unhandled exception on config write failure

config_path.write_text(config_content) is not wrapped in any error handling. If the current working directory is not writable, or the disk is full, Python raises a PermissionError or OSError respectively. This exception propagates through _run_wizard() and exits run_setup_wizard() via the except (KeyboardInterrupt, EOFError) block — but those exception types are not caught, so the user ends up with a raw Python traceback after spending time answering all the prompts.

A try/except around the write would produce a friendly error message instead:

try:
    config_path.write_text(config_content)
except OSError as e:
    print(f"\n  Error: could not write config: {e}")
    return

[greptile-apps]

read </dev/tty exits with error when /dev/tty is unavailable

read -r answer </dev/tty redirects from /dev/tty to allow interactive input even when stdin is a pipe (the curl | sh use-case). However, /dev/tty may not exist or may not be accessible in Docker containers, CI systems, or any environment where there is no controlling terminal. Because set -e is in effect, a failure to open /dev/tty will exit the script immediately, leaving the user with no LiteLLM binary and no indication of what went wrong.

The fallback should skip the prompt gracefully:

Suggested change

	read -r answer </dev/tty
	read -r answer </dev/tty 2>/dev/null || answer="n"

This way, non-interactive environments simply skip the wizard launch without aborting.

[greptile-apps]

Azure endpoint URL silently omitted when user skips it

Azure OpenAI always requires an endpoint URL (api_base). If the user enters a valid API key but then hits Enter without providing the endpoint, api_base is never set in env_vars. In _build_config (lines 285–288), the api_base field is then silently omitted from the YAML, and the generated config will fail at runtime with a confusing authentication or routing error.

The endpoint URL should be treated as required for Azure, with a validation loop mirroring how the API key is collected — rejecting empty input and only allowing a deliberate skip rather than silently proceeding without it.

[greptile-apps]

--force-reinstall can downgrade existing installations

Using --upgrade --force-reinstall together forces reinstallation of litellm and all of its dependencies even when the user already has a newer or equivalent version installed. This is problematic because:

1. It may downgrade litellm's dependencies (e.g. httpx, pydantic) if the version pinned in the package's metadata is older than what the user has.
2. It causes significant extra download and install time for users who already have litellm installed.
3. --upgrade alone is sufficient to ensure the latest version is installed; --force-reinstall on top of it adds no benefit for a normal install path.

Suggested change

	"$PYTHON_BIN" -m pip install --upgrade --force-reinstall "${LITELLM_PACKAGE}" \
	|| die "pip install failed. Try manually: $PYTHON_BIN -m pip install '${LITELLM_PACKAGE}'"
	"$PYTHON_BIN" -m pip install --upgrade "${LITELLM_PACKAGE}" \
	|| die "pip install failed. Try manually: $PYTHON_BIN -m pip install '${LITELLM_PACKAGE}'"

[greptile-apps]

env_vars.pop() mutates a caller-owned dict inside _build_config

_build_config removes the Azure API base sentinel key directly from the env_vars dict that was passed in by reference from _run_wizard. This is a hidden side effect: the caller's dict is silently mutated as part of config generation. While harmless today (the dict isn't used after this call), it couples the two functions via mutation rather than value.

Consider using env_vars.get(azure_base_key) and letting the later filter on line 298 (if not k.startswith("_LITELLM_")) handle exclusion, which is already in place for this reason:

            elif p.get("needs_api_base"):
                azure_base_key = f"_LITELLM_AZURE_API_BASE_{p['id'].upper()}"
                azure_base_val = env_vars.get(azure_base_key)
                if azure_base_val:
                    lines.append(f"      api_base: {azure_base_val}")

[greptile-apps]

Auto-generated master key printed in cleartext to terminal

The auto-generated master_key is printed verbatim in the post-config summary. Unlike a key the user typed themselves, this is a machine-generated token that now lives in the terminal's scrollback buffer — making it easy to leak via screen-shares, CI logs, or terminal recordings.

Consider displaying only a short truncated prefix (e.g. the first 8 characters followed by ...) and pointing the user to the config file for the full value. This reduces accidental exposure without losing usability.

[greptile-apps]

ANSI codes in input() prompts break readline cursor positioning

Every input() call in this file passes a prompt containing raw ANSI escape sequences (from blue(), bold(), grey(), etc.) directly to Python's input(). When the readline library is active (the default on macOS and Linux), it uses the prompt string's byte length to calculate the terminal column for cursor positioning. Because readline doesn't know the ANSI codes are zero-width, it overcounts and places the cursor in the wrong column. As a result:

• Backspace may delete the wrong characters visually
• Line-editing navigation (Home/End, arrow keys) produces garbled output
• The cursor jumps to incorrect positions

The POSIX fix is to wrap every non-printing sequence between \001 (RL_PROMPT_START_IGNORE) and \002 (RL_PROMPT_END_IGNORE). Update _c() to emit these when output is going to input():

def _c_prompt(code: str, text: str) -> str:
    """ANSI colour helper safe for use inside input() prompts."""
    if _supports_color():
        return f"\001{code}\002{text}\001{_RESET}\002"
    return text

And use _c_prompt variants for all prompt strings passed to input(). This affects all six input() call-sites (lines 180, 222, 225, 245, 320, 323, 388).

[greptile-apps]

os.execlp failure produces raw traceback after wizard completes

os.execlp raises FileNotFoundError (if the Python executable path is somehow invalid) or OSError (permission issue, etc.) when the exec syscall fails. The user will have already completed every step of the wizard, and an unhandled exception here produces a confusing Python traceback at the worst possible moment — right after seeing the "Config saved" success message.

Wrap the call in a try/except for a friendlier error:

try:
    os.execlp(
        sys.executable,
        sys.executable,
        "-m",
        "litellm",
        "--config",
        str(config_path),
        "--port",
        str(port),
    )
except OSError as e:
    print(f"\n  Error: could not start proxy: {e}")
    print(f"  Run manually: litellm --config {config_path} --port {port}")
    print()

[greptile-apps]

Hardcoded model IDs violate project convention and will go stale

Model-specific strings such as "claude-opus-4-5", "claude-sonnet-4-5", "claude-haiku-4-5-20251001" (line 36) and "bedrock/anthropic.claude-3-5-sonnet-20241022-v2:0" (line 63) are hardcoded directly in the wizard. Per the project convention, model-specific identifiers must not be hardcoded in the codebase — they belong in model_prices_and_context_window.json and should be read via get_model_info / litellm.model_list.

Every new Claude (or Bedrock) release will require a code change and a LiteLLM upgrade before it surfaces here. Instead, consider querying the model registry at wizard startup to populate the model lists dynamically:

import litellm

def _get_models_for_provider(prefix: str) -> list[str]:
    return [m for m in litellm.model_list if m.startswith(prefix)]

The same issue appears at line 63 for the Bedrock model ID.

Rule Used: What: Do not hardcode model-specific flags in the ... (source)

[greptile-apps]

Hardcoded dev branch will break the installer after merge

LITELLM_PACKAGE points to the feature branch worktree-dynamic-tickling-journal. Once this PR is merged and that branch is deleted, any user running the documented curl | sh one-liner from main will get a pip install failure because the branch no longer exists. The comment on lines 9–10 even acknowledges this fix is required before merging, but it has not been applied.

This must be changed to the stable PyPI package before merging:

Suggested change

	LITELLM_PACKAGE="litellm[proxy] @ git+https://github.com/BerriAI/litellm.git@worktree-dynamic-tickling-journal"
	LITELLM_PACKAGE="litellm[proxy]"

[greptile-apps]

pipefail is not POSIX-compatible — breaks on Debian/Ubuntu dash

The documented install command is curl -fsSL ... | sh. When a script is piped this way, the OS executes it with the interpreter named as sh — the #!/usr/bin/env bash shebang on line 1 is completely ignored by the receiving shell process. On Debian and Ubuntu (the most common Linux distributions), /bin/sh is dash, which does not recognise pipefail as a valid set option. Running the one-liner will immediately print:

sh: 1: set: Illegal option -o pipefail

and exit with a non-zero status before a single line of installer logic runs.

Either change the documented usage to | bash, or drop pipefail and keep only POSIX-compatible options:

Suggested change

	set -euo pipefail
	set -eu

[greptile-apps]

Bedrock extra credentials silently optional — config will fail at runtime

AWS_SECRET_ACCESS_KEY and AWS_REGION_NAME are silently treated as optional for Bedrock. If the user provides AWS_ACCESS_KEY_ID but skips (or accidentally leaves blank) either of the extra key prompts, the generated config will omit those values with no warning. Any request routed to the Bedrock model will then fail at runtime with a confusing authentication error rather than a clear message during setup.

Unlike the Azure endpoint (which has a dedicated needs_api_base guard), the needs_extra path has no required-field enforcement. At minimum, print a warning when AWS_SECRET_ACCESS_KEY is left blank:

        if p.get("needs_extra") and key:
            for extra_key, extra_hint in zip(
                p.get("extra_keys", []), p.get("extra_hints", [])
            ):
                val = input(
                    f"  {blue('❯')} {extra_key} {grey(extra_hint)}: "
                ).strip()
                if val:
                    env_vars[extra_key] = val
                elif extra_key != "AWS_REGION_NAME":  # region has a default
                    print(grey(f"  Warning: {extra_key} is required for AWS Bedrock — config may fail at runtime."))

[greptile-apps]

No unit tests for the pure _build_config function

_build_config is a completely pure function — it takes plain Python values and returns a string — yet no tests are provided anywhere in the PR. Per project convention, all testable logic should have corresponding mock/unit tests that can run in CI without any network calls.

There are several behaviours in this function worth protecting with tests:

• Azure model placeholder (azure/gpt-4o) when models is empty
• os.environ/KEY reference is emitted only when the key is present in env_vars
• api_version is appended only for providers that declare it
• environment_variables: block is omitted when no real vars exist
• The _LITELLM_* sentinel keys are correctly filtered out of the output YAML

These can all be exercised with a straightforward parameterised test using only stdlib — no mocks or network access needed.

Rule Used: What: prevent any tests from being added here that... (source)

[greptile-apps]

Hardcoded model IDs violate project convention and will go stale

"claude-opus-4-5", "claude-sonnet-4-5", "claude-haiku-4-5-20251001" (line 36) and "bedrock/anthropic.claude-3-5-sonnet-20241022-v2:0" (line 63) are hardcoded directly in the wizard. Per the project's convention, model-specific identifiers must not be hardcoded in the codebase — they belong in model_prices_and_context_window.json and should be read via get_model_info / litellm.model_list. Every new Claude or Bedrock release will require a code change and a LiteLLM upgrade before it surfaces in the wizard.

Consider querying the model registry at wizard startup so the list stays current automatically:

import litellm

def _get_models_for_provider(prefix: str) -> list[str]:
    return [m for m in litellm.model_list if m.startswith(prefix)]

The same issue also applies to "bedrock/anthropic.claude-3-5-sonnet-20241022-v2:0" on line 63.

Rule Used: What: Do not hardcode model-specific flags in the ... (source)

[greptile-apps]

type: ignore suppresses potential None passed to append_query_params

get_secret("DATABASE_URL", default_value=None) can return None (e.g., when a secret manager is configured and the key resolves to None). The # type: ignore[arg-type] comment silences the type-checker warning instead of fixing the underlying issue. Even though the guard os.getenv("DATABASE_URL") is not None runs first, get_secret wraps secret-manager backends that may independently return None for a key that exists in the environment.

Passing None to append_query_params will produce a TypeError at runtime. The proper fix is to add an explicit guard:

database_url = get_secret("DATABASE_URL", default_value=None)
if database_url is None:
    die("DATABASE_URL is set but get_secret returned None")
modified_url = append_query_params(database_url, params)

Note: this change appears unrelated to the --setup wizard feature, suggesting it was introduced as a workaround for a pre-existing type error and should be addressed separately.

[greptile-apps]

tuple[int, str] annotation incompatible with Python 3.8

The built-in tuple generic syntax (tuple[int, str]) was introduced in Python 3.9 (PEP 585). Function annotations are evaluated eagerly at definition time in Python 3.8, so importing this module under Python 3.8 raises TypeError: 'type' object is not subscriptable.

While install.sh enforces Python ≥ 3.9, litellm/setup_wizard.py is part of the installable package and may be imported in 3.8 environments. Use from typing import Tuple (or from __future__ import annotations) for backward compatibility:

Suggested change

	def _proxy_settings() -> tuple[int, str]:
	def _proxy_settings() -> "tuple[int, str]":

or, for broader compatibility:

from typing import Tuple
def _proxy_settings() -> Tuple[int, str]:

[greptile-apps]

Missing apostrophe in welcome text

'Lets get started.' is missing the apostrophe in the contraction "Let's".

Suggested change

	print(f" {bold('Lets get started.')}")
	print(f" {bold('Let\\'s get started.')}")

[greptile-apps]

Hardcoded model IDs violate project convention and will go stale

"claude-opus-4-5", "claude-sonnet-4-5", "claude-haiku-4-5-20251001" (line 36) and "bedrock/anthropic.claude-3-5-sonnet-20241022-v2:0" (line 63) are hardcoded directly in the wizard. Per the project's convention (see the model_prices_and_context_window.json + get_model_info pattern), model-specific identifiers must not be hardcoded in the codebase. Every new Claude or Bedrock release will require a code change and a LiteLLM upgrade before it surfaces in the wizard.

Consider querying the model registry at wizard startup to populate the model lists dynamically:

import litellm

def _get_models_for_provider(prefix: str) -> list:
    return [m for m in litellm.model_list if m.startswith(prefix)]

The same issue also applies to "bedrock/anthropic.claude-3-5-sonnet-20241022-v2:0" on line 63.

Rule Used: What: Do not hardcode model-specific flags in the ... (source)

[greptile-apps]

UNIX-only imports at module level break Windows

termios and tty are POSIX-only standard library modules. Placing them at the top-level import means that import litellm.setup_wizard — or, more concretely, litellm --setup — will immediately raise ModuleNotFoundError: No module named 'termios' on any Windows machine, with no graceful fallback to the number-entry path that was already written to handle this case.

The fix is to move both imports inside the one function that actually uses them (_read_key), so that _select_providers can still catch OSError / AttributeError and fall back to _select_providers_fallback on Windows:

def _read_key() -> str:
    """Read one keypress from /dev/tty in raw mode."""
    import termios  # POSIX-only — imported here to avoid breaking Windows at import time
    import tty
    with open("/dev/tty", "rb") as tty_fh:
        ...

[greptile-apps]

sysconfig.get_path() can return None, causing TypeError

sysconfig.get_path("scripts") returns None when the scheme doesn't include that path key (e.g., on some custom or embedded Python builds). Passing None directly to os.path.join raises:

TypeError: expected str, bytes or os.PathLike object, not NoneType

This would surface as an unhandled exception right after the user has completed all wizard prompts — the worst possible moment. The try/except OSError noted in the previous discussion about os.execlp would not catch a TypeError.

A guard is needed before os.path.join:

scripts_dir = sysconfig.get_path("scripts")
if not scripts_dir:
    print(f"\n  Error: could not locate Python scripts directory.")
    print(f"  Run manually: litellm --config {config_path} --port {port}")
    return
litellm_bin = os.path.join(scripts_dir, "litellm")

[greptile-apps]

type: ignore[possibly-unbound] masks a real NameError risk

The # type: ignore[possibly-unbound] comment suppresses Pyright's warning that litellm_settings may not be assigned before this call. This variable is conditionally populated by the config-loading branch earlier in run_server; if config is falsy the conditional litellm_settings if config else None guards against using an unbound name at runtime, but only in this one specific call site.

If the code path is ever refactored and this guard is removed (or a second call site is introduced without it), a real NameError could reach production. The safer fix is to ensure litellm_settings has a well-typed default at the point of assignment, which would remove the need for the suppression comment entirely:

litellm_settings: Optional[dict] = None
# ... (existing config-loading block conditionally assigns litellm_settings)

ProxyInitializationHelpers._maybe_setup_prometheus_multiproc_dir(
    num_workers=num_workers,
    litellm_settings=litellm_settings,  # no type: ignore needed
)

[greptile-apps]

Orphaned extra credentials after retry abandonment

When credential validation fails and the user chooses to retry (retry == "y"), the primary key is deleted from env_vars (line 402), but any needs_extra keys that were already collected (e.g., AWS_SECRET_ACCESS_KEY, AWS_REGION_NAME for Bedrock) are not cleaned up. If the user then abandons the retry by pressing Enter (empty key, line 406–407), env_vars retains those extra keys without the primary key.

These orphaned keys — which are not filtered by the _LITELLM_ prefix guard — will be written into the environment_variables: block of the generated YAML. The resulting config will contain AWS_SECRET_ACCESS_KEY / AWS_REGION_NAME without AWS_ACCESS_KEY_ID, leaking partial credentials and producing a config that fails at runtime with a confusing auth error.

The retry path should clean up all keys collected for the provider before re-prompting:

if retry == "y":
    del env_vars[p["env_key"]]
    # Also clean up any extra keys collected for this provider
    for extra_key in p.get("extra_keys", []):
        env_vars.pop(extra_key, None)
    # Clean up azure api base sentinel
    env_vars.pop(f"_LITELLM_AZURE_API_BASE_{p['id'].upper()}", None)
    # Re-prompt by looping — restart key collection for this provider
    while True:
        ...

[codspeed-hq]

Merging this PR will not alter performance

✅ 16 untouched benchmarks

---

_{Comparing worktree-dynamic-tickling-journal (0e77077) with main (ef9cc33)}