feat(guardrails): MCPJWTSigner - built-in guardrail for zero trust MCP auth

[ishaan-jaff]

Relevant issues

Closes #TODO

What this does

Adds MCPJWTSigner as a first-class built-in LiteLLM guardrail. When enabled, it signs every outbound MCP tool call with a LiteLLM-issued RS256 JWT, so MCP servers (e.g. AWS Bedrock AgentCore Gateway) can trust a single signing authority instead of validating each upstream IdP.

Enable in config.yaml — same pattern as grayswan / litellm_content_filter:

guardrails:
  - guardrail_name: mcp-jwt-signer
    litellm_params:
      guardrail: mcp_jwt_signer
      mode: pre_mcp_call
      default_on: true
      issuer: "https://my-litellm.example.com"  # optional
      audience: "mcp"                            # optional
      ttl_seconds: 300                           # optional

The signed JWT carries sub (user_id), act.sub (team_id, RFC 8693 delegation), tool-level scope (mcp:tools/call, mcp:tools/list, mcp:tools/<tool>:call), and standard timing claims.

MCP servers verify tokens via OIDC discovery:

• GET /.well-known/openid-configuration → now includes jwks_uri
• GET /.well-known/jwks.json → RSA public key when guardrail is active

RSA-2048 keypair is auto-generated at startup. Set MCP_JWT_SIGNING_KEY env var (PEM string or file:///path) to use your own key.

Depends on the pre_mcp_call hook mechanism (cherry-picked from #23889).

Pre-Submission checklist

• Tests added (tests/test_litellm/proxy/guardrails/test_mcp_jwt_signer.py, 15 tests, all passing)
• No breaking changes — purely additive
• make test-unit passes locally

Type

• Bug fix
• New feature
• Refactor
• Documentation

Changes

• litellm/types/guardrails.py — add MCP_JWT_SIGNER = "mcp_jwt_signer" to SupportedGuardrailIntegrations
• litellm/proxy/guardrails/guardrail_hooks/mcp_jwt_signer/ — new guardrail package (MCPJWTSigner class + initialize_guardrail)
• litellm/proxy/_experimental/mcp_server/discoverable_endpoints.py — add jwks_uri to OIDC doc; add GET /.well-known/jwks.json
• Cherry-picks from Allow pre_mcp_call guardrail hooks to mutate outbound MCP headers #23889: hook_extra_headers in _call_regular_mcp_tool, pre_mcp_call event hook support in proxy/utils.py

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
litellm	Error		Mar 18, 2026 0:29am

[codspeed-hq]

Merging this PR will not alter performance

✅ 16 untouched benchmarks

---

_{Comparing worktree-fluttering-sleeping-cookie (4761382) with main (ef9cc33)}

[greptile-apps]

Greptile Summary

This PR introduces MCPJWTSigner as a new first-class built-in guardrail that signs every outbound MCP tool call with a LiteLLM-issued RS256 JWT, enabling zero-trust authentication for MCP servers (e.g. AWS Bedrock AgentCore Gateway) against a single trusted signing authority. It also adds supporting OIDC discovery infrastructure (/.well-known/jwks.json, augmented /.well-known/openid-configuration), wires up a new pre_mcp_call hook mechanism, and propagates upstream jwt_claims through the auth pipeline into outbound tokens.

Changes:

• MCPJWTSigner guardrail with RS256 signing, OIDC re-sign (FR-5), configurable scopes (FR-10), end-user identity mapping (FR-12), claim operations (FR-13), two-token model (FR-14), and incoming claim validation (FR-15)
• JWKS and OIDC discovery endpoints added; cache TTL correctly differentiated (300s ephemeral vs 3600s persistent)
• pre_mcp_call hook propagates extra_headers and incoming_bearer_token through the MCP call path; OpenAPI-backed servers correctly warn and skip header injection
• jwt_claims field added to UserAPIKeyAuth and populated in both JWT auth fast paths

Issues found:

• _validate_required_claims uses a falsy-value check (not get(c)) instead of a key-presence check — claims with values of 0, False, or "" are incorrectly treated as missing, causing spurious 403 errors for valid tokens
• _introspect_opaque_token does not validate verify_issuer/verify_audience — when opaque token introspection is used, the configured issuer and audience restrictions are silently skipped, creating a security gap compared to the JWT verification path
• remove_claims can strip security-critical JWT claims (exp, iss, aud) without any warning, producing non-expiring or unverifiable tokens on misconfiguration
• channel_token_ttl is not bounds-checked — unlike ttl_seconds, a value of 0 or negative passes through, producing immediately-expired channel tokens

Confidence Score: 3/5

• Not safe to merge as-is — two security logic bugs (falsy required_claims check and missing iss/aud validation on opaque token introspection) need fixing before production use.
• The overall architecture is sound and many previously identified issues were addressed (JWKS cache TTL, ttl_seconds validation, tool name sanitization, scope over-granting, extra_headers merging, OpenAPI server graceful degradation). However, two remaining P1 bugs could cause incorrect 403 rejections for valid tokens and silently bypass issuer/audience restrictions on opaque token flows — both directly relevant to the zero-trust security guarantees this feature is meant to provide. The remove_claims / channel_token_ttl gaps are lower severity but worth fixing before GA.
• Pay close attention to litellm/proxy/guardrails/guardrail_hooks/mcp_jwt_signer/mcp_jwt_signer.py — specifically _validate_required_claims (line 526), _introspect_opaque_token (lines 477–507), _apply_claim_operations (lines 632–646), and the channel_token_ttl init block (lines 313–316).

Important Files Changed

Filename	Overview
litellm/proxy/guardrails/guardrail_hooks/mcp_jwt_signer/mcp_jwt_signer.py	Core MCPJWTSigner guardrail class: signs outbound MCP calls with RS256 JWTs. Several issues found: _validate_required_claims uses falsy-value check (incorrectly rejects present claims with values 0/False/""), _introspect_opaque_token ignores verify_issuer/verify_audience, remove_claims can silently strip critical JWT claims (exp, iss, aud), and channel_token_ttl lacks the same <= 0 validation guard applied to ttl_seconds.
litellm/proxy/guardrails/guardrail_hooks/mcp_jwt_signer/init.py	Package init: exposes MCPJWTSigner, initialize_guardrail, and get_mcp_jwt_signer. The private _mcp_jwt_signer_instance singleton is correctly NOT included in __all__ or re-exported. Guardrail initializer registry wired correctly.
litellm/proxy/_experimental/mcp_server/discoverable_endpoints.py	Adds /.well-known/jwks.json endpoint and augments /.well-known/openid-configuration with jwks_uri. JWKS cache TTL is correctly differentiated: 300s for ephemeral auto-generated keys, 3600s for persistent env-var keys via signer.jwks_max_age. OIDC response is safely shallow-copied before mutation.
litellm/proxy/_experimental/mcp_server/mcp_server_manager.py	Adds hook_extra_headers support to _call_regular_mcp_tool and wires up pre_call_tool_check to return hook results including extra headers. OpenAPI-backed servers correctly log a warning and skip header injection instead of raising. Authorization header conflicts emit warnings rather than silently overwriting.
litellm/proxy/utils.py	Extends _convert_mcp_hook_response_to_kwargs to propagate extra_headers from hook responses, and surfaces incoming_bearer_token in the synthetic MCP data dict. Header merging logic correctly uses {**existing, **new} to preserve prior-guardrail headers.
litellm/proxy/auth/user_api_key_auth.py	Propagates jwt_claims from both the fast virtual-key JWT path and the standard JWT auth builder path into UserAPIKeyAuth. The variable is always in scope at each assignment site.
litellm/proxy/_types.py	Adds optional jwt_claims: Optional[Dict] field to UserAPIKeyAuth for downstream claim forwarding. Backward-compatible addition.
litellm/types/guardrails.py	Registers MCP_JWT_SIGNER = "mcp_jwt_signer" in SupportedGuardrailIntegrations. Minimal, correct addition.
tests/test_litellm/proxy/guardrails/test_mcp_jwt_signer.py	15 mock-only unit tests covering key generation, JWKS format, claim building, scope generation, TTL validation, and singleton behavior. All tests correctly use mocking — no real network calls. Missing coverage for _introspect_opaque_token issuer/audience validation gap and the falsy-value required_claims edge case.
tests/test_litellm/proxy/_experimental/mcp_server/test_mcp_hook_extra_headers.py	Mock-based tests for the pre_mcp_call hook header injection pipeline. Docstring accurately describes the current behavior (OpenAPI servers warn and continue). Tests are thorough for the happy path and backward compatibility.

Sequence Diagram

sequenceDiagram
    participant Client
    participant LiteLLM Proxy
    participant MCPJWTSigner Guardrail
    participant IdP (optional)
    participant MCP Server

    Client->>LiteLLM Proxy: MCP tool call + Bearer token (optional)
    LiteLLM Proxy->>LiteLLM Proxy: user_api_key_auth (propagates jwt_claims)
    LiteLLM Proxy->>MCPJWTSigner Guardrail: async_pre_call_hook(call_type=call_mcp_tool)

    alt access_token_discovery_uri configured
        MCPJWTSigner Guardrail->>IdP (optional): Fetch JWKS / introspect opaque token
        IdP (optional)-->>MCPJWTSigner Guardrail: Verified JWT claims / introspection response
        MCPJWTSigner Guardrail->>MCPJWTSigner Guardrail: validate required_claims
    end

    MCPJWTSigner Guardrail->>MCPJWTSigner Guardrail: _resolve_end_user_identity → sub
    MCPJWTSigner Guardrail->>MCPJWTSigner Guardrail: _build_scope (tool-specific, least-privilege)
    MCPJWTSigner Guardrail->>MCPJWTSigner Guardrail: _apply_claim_operations (add/set/remove)
    MCPJWTSigner Guardrail->>MCPJWTSigner Guardrail: jwt.encode(RS256, kid=KID)
    MCPJWTSigner Guardrail-->>LiteLLM Proxy: data[extra_headers][Authorization] = Bearer JWT

    LiteLLM Proxy->>MCP Server: Tool call + Authorization: Bearer <LiteLLM JWT>
    MCP Server->>MCP Server: GET /.well-known/jwks.json (cached)
    MCP Server->>MCP Server: Verify RS256 JWT signature
    MCP Server-->>LiteLLM Proxy: Tool result
    LiteLLM Proxy-->>Client: Tool result

Loading

Comments Outside Diff (4)

1. litellm/proxy/guardrails/guardrail_hooks/mcp_jwt_signer/mcp_jwt_signer.py, line 526 (link)

   Falsy-value check incorrectly marks present claims as missing

   (jwt_claims or {}).get(c) returns a falsy value for claims whose value is 0, False, or "" — all of which are valid claim values in JWT (e.g., a numeric role ID of 0, a boolean flag, or an empty string). The list comprehension would then include such claims in missing, raising an erroneous 403 even though the claim IS present in the token.

   The check should test for key presence, not value truthiness:

2. litellm/proxy/guardrails/guardrail_hooks/mcp_jwt_signer/mcp_jwt_signer.py, line 477-507 (link)

   verify_issuer / verify_audience are ignored during opaque token introspection

   When access_token_discovery_uri is set alongside token_introspection_endpoint, the _verify_incoming_jwt path correctly enforces verify_issuer and verify_audience against the JWT payload. However, _introspect_opaque_token only checks active=true and returns the raw introspection response without applying either validation.

   RFC 7662 introspection responses often include iss and aud claims. An attacker who obtains an active token from a different trusted introspection endpoint (or a permissive endpoint that returns active=true for any token) can bypass issuer/audience restrictions entirely when using opaque tokens.

   After the active check, validate the claims that are present in the response:

   if self.verify_issuer and result.get("iss") and result["iss"] != self.verify_issuer:
       raise jwt.exceptions.InvalidIssuerError(
           f"MCPJWTSigner: introspection iss {result['iss']!r} != expected {self.verify_issuer!r}"
       )
   if self.verify_audience:
       aud = result.get("aud")
       if aud and self.verify_audience not in (
           [aud] if isinstance(aud, str) else aud
       ):
           raise jwt.exceptions.InvalidAudienceError(
               f"MCPJWTSigner: introspection aud {aud!r} does not contain {self.verify_audience!r}"
           )

3. litellm/proxy/guardrails/guardrail_hooks/mcp_jwt_signer/mcp_jwt_signer.py, line 632-646 (link)

   remove_claims can silently strip security-critical JWT claims

   The remove_claims config option is applied after all other claim-building steps with no guard against removing exp, iss, aud, or nbf. Removing exp produces a non-expiring token; removing iss or aud causes verification failures at MCP servers. Since these are admin-supplied values, a misconfiguration would produce silently broken or dangerously permissive JWTs with no startup warning.

   Consider logging a warning (or raising at __init__ time) when remove_claims contains security-critical claim names:

   _SECURITY_CLAIMS = {"exp", "iss", "aud", "nbf", "iat"}
   
   def _apply_claim_operations(self, claims: Dict[str, Any]) -> Dict[str, Any]:
       # ...existing add/set logic...
   
       # remove_claims: delete listed keys
       for k in self.remove_claims:
           if k in _SECURITY_CLAIMS:
               verbose_proxy_logger.warning(
                   "MCPJWTSigner: removing security-critical claim %r via remove_claims — "
                   "this may cause JWT verification failures downstream.",
                   k,
               )
           claims.pop(k, None)
   
       return claims

4. litellm/proxy/guardrails/guardrail_hooks/mcp_jwt_signer/mcp_jwt_signer.py, line 313-316 (link)

   channel_token_ttl accepts zero/negative values unlike ttl_seconds

   ttl_seconds has a <= 0 guard that raises ValueError at init time. channel_token_ttl, however, is accepted without bounds validation — a value of 0 or -60 produces channel tokens that are expired on creation, silently breaking the two-token model.

   Apply the same guard:

   if self.channel_token_ttl <= 0:
       raise ValueError(
           f"MCPJWTSigner: channel_token_ttl must be > 0, got {self.channel_token_ttl}"
       )

_{Last reviewed commit: "fix(mcp_jwt_signer):..."}

[greptile-apps]

Breaking 500 error for OpenAPI-backed MCP servers when guardrail is active

When MCPJWTSigner is configured with default_on: true, it will inject extra_headers for every call_mcp_tool invocation. Any user with an OpenAPI-backed MCP server (spec_path set) will immediately hit a 500 Internal Server Error simply because the guardrail is enabled. This is a breaking change for existing OpenAPI MCP server users who add this guardrail.

The PR description claims "No breaking changes — purely additive", but this contradicts that: any deployment that enables the guardrail AND has at least one OpenAPI-backed server will see tool calls fail.

A more resilient approach would be to silently skip header injection for OpenAPI servers (log a warning instead of raising), matching the "graceful degradation" principle for guardrails:

if hook_result.get("extra_headers"):
    if mcp_server.spec_path:
        verbose_logger.warning(
            "MCPJWTSigner: OpenAPI-backed server '%s' does not support hook header "
            "injection — skipping JWT signing for this call.",
            mcp_server.server_name,
        )
    else:
        raise HTTPException(...)

[greptile-apps]

JWKS cache duration too long for auto-generated ephemeral keys

The endpoint returns Cache-Control: public, max-age=3600 regardless of whether the key is a user-supplied persistent key or an auto-generated ephemeral keypair. When the server restarts (which regenerates the keypair), downstream MCP servers and gateways will continue using the old cached JWKS for up to one hour, causing all JWT verifications to fail during that window.

For auto-generated keys, either:

• Reduce the cache TTL significantly (e.g., max-age=60), or
• Use Cache-Control: no-store (or private, no-cache) for ephemeral keys and only apply long-lived caching when a persistent key from MCP_JWT_SIGNING_KEY env var is used.

signer = get_mcp_jwt_signer()
if signer is not None:
    key_is_ephemeral = not os.environ.get(signer.SIGNING_KEY_ENV)
    cache_ttl = 60 if key_is_ephemeral else 3600
    return JSONResponse(
        content=signer.get_jwks(),
        headers={"Cache-Control": f"public, max-age={cache_ttl}"},
    )

[greptile-apps]

No validation of ttl_seconds — zero or negative produces instantly-expired JWTs

ttl_seconds is cast to int directly from config/env without bounds checking. A value of 0 or any negative integer will produce JWTs where exp <= iat, meaning every signed token will be immediately expired on receipt. This would silently break all MCP authentication without any startup warning.

Add a validation guard:

self.ttl_seconds: int = int(
    ttl_seconds
    if ttl_seconds is not None
    else os.environ.get("MCP_JWT_TTL_SECONDS", str(self.DEFAULT_TTL))
)
if self.ttl_seconds <= 0:
    raise ValueError(
        f"MCPJWTSigner: ttl_seconds must be a positive integer, got {self.ttl_seconds}"
    )

[greptile-apps]

Tool name not sanitized before embedding in scope string

tool_name comes directly from data.get("mcp_tool_name", "") without any validation. If the tool name contains spaces, special characters, or path-traversal sequences (e.g., ../../admin), the resulting scope value (mcp:tools/../../admin:call) could be malformed or semantically misleading to MCP servers that parse the scope string.

Consider stripping or rejecting tool names that contain characters outside [A-Za-z0-9_-]:

tool_name: str = data.get("mcp_tool_name", "")
if tool_name and not re.match(r'^[A-Za-z0-9_\-\.]+$', tool_name):
    verbose_proxy_logger.warning(
        "MCPJWTSigner: tool_name '%s' contains unexpected characters; omitting tool-specific scope",
        tool_name,
    )
    tool_name = ""

[greptile-apps]

In-place mutation of a potentially shared response object

oauth_authorization_server_mcp(request) returns its result via response, and this code then mutates it in-place with response["jwks_uri"] = .... If the underlying function ever returns a cached or shared dict object (e.g., from a module-level constant or cached response), this mutation could permanently alter the base OIDC document for all subsequent requests — even after the MCPJWTSigner singleton is unregistered.

Use a defensive copy:

if isinstance(response, dict):
    response = {**response}  # shallow copy to avoid mutating a shared object
    response["jwks_uri"] = f"{request_base_url}/.well-known/jwks.json"
    response["id_token_signing_alg_values_supported"] = ["RS256"]

[greptile-apps]

Missing sub claim for anonymous / service-account calls

When user_api_key_dict.user_id is None (common for service-account API keys or unauthenticated calls), the JWT is issued without a sub claim. RFC 7519 marks sub as optional, but many JWT consumers — including OIDC-compliant validators and AWS Bedrock AgentCore Gateway — require or expect sub to be present and will reject the token. Without a sub, the token also provides no useful end-user identity, which defeats part of the zero-trust purpose.

A defensive fallback should be added so sub is always populated:

user_id = getattr(user_api_key_dict, "user_id", None)
if user_id:
    claims["sub"] = user_id
else:
    # Fallback: use a sentinel so sub is always present in the token
    claims["sub"] = "litellm-proxy-service-account"

[ishaan-jaff]

@greptile review

[greptile-apps]

Module docstring contradicts actual test behavior

Line 5 of the module docstring says:

5. OpenAPI-backed servers raise HTTPException when hook headers are present

But the actual test on line 491–519 (test_openapi_server_warns_and_continues_on_hook_headers) verifies the opposite behavior — the server logs a warning and continues rather than raising an exception. The docstring documents the old broken behavior that was deliberately fixed (silent drop with a warning instead of a hard 500).

This mismatch will mislead future contributors reviewing this file about what the expected contract is.

Suggested change

	"""
	Tests for pre_mcp_call guardrail hook header mutation support.
	Validates that:
	1. _convert_mcp_hook_response_to_kwargs extracts extra_headers from hook response
	2. pre_call_tool_check returns hook-provided extra_headers AND modified arguments
	3. call_tool flows hook headers and modified arguments downstream
	4. Hook-provided headers take highest priority (merge after static_headers)
	"""
	Tests for pre_mcp_call guardrail hook header mutation support.
	Validates that:
	1. _convert_mcp_hook_response_to_kwargs extracts extra_headers from hook response
	2. pre_call_tool_check returns hook-provided extra_headers AND modified arguments
	3. call_tool flows hook headers and modified arguments downstream
	4. Hook-provided headers take highest priority (merge after static_headers)
	5. OpenAPI-backed servers log a warning and skip header injection (graceful degradation)
	6. JWT claims are propagated in both standard and virtual-key fast paths
	7. Backward compatibility: hooks without extra_headers continue to work
	"""

Rule Used: # Code Review Rule: Mock Test Integrity

What:... (source)

[greptile-apps]

Duplicate initialization replaces JWKS singleton, silently breaking first signer's tokens

The constructor unconditionally assigns _mcp_jwt_signer_instance = self. If a user accidentally configures two mcp_jwt_signer guardrails in config.yaml (or if the guardrail is initialized twice during reload), the second instance replaces the singleton, so /.well-known/jwks.json returns only the second instance's public key. However, both MCPJWTSigner instances remain active in the callback list and continue signing JWTs — meaning JWTs from the first signer can no longer be verified (the matching public key has been evicted from JWKS), causing silent authentication failures downstream.

Add a guard that raises an error on duplicate initialization:

# Register singleton so the JWKS endpoint can access it.
global _mcp_jwt_signer_instance
if _mcp_jwt_signer_instance is not None:
    raise ValueError(
        "MCPJWTSigner: only one instance may be active at a time. "
        "Found an existing signer (kid=%s). Remove duplicate guardrail config.",
        _mcp_jwt_signer_instance._kid,
    )
_mcp_jwt_signer_instance = self

[greptile-apps]

Private module variable _mcp_jwt_signer_instance exported as public API

_mcp_jwt_signer_instance is a private implementation detail (the leading _ convention signals this). Re-exporting it in __all__ makes it part of the package's public API, which may cause unintended external usage or direct mutation of the singleton from outside the module.

External callers should only use get_mcp_jwt_signer() (the public accessor). Remove _mcp_jwt_signer_instance from the import and __all__:

from .mcp_jwt_signer import MCPJWTSigner, get_mcp_jwt_signer

Suggested change

	from .mcp_jwt_signer import MCPJWTSigner, _mcp_jwt_signer_instance, get_mcp_jwt_signer
	__all__ = [
	"MCPJWTSigner",
	"initialize_guardrail",
	"get_mcp_jwt_signer",
	]

[greptile-apps]

mcp:tools/list scope always granted even for specific tool calls

The scope claim is built as:

scopes = ["mcp:tools/call", "mcp:tools/list"]
if tool_name:
    scopes.append(f"mcp:tools/{tool_name}:call")

This means every JWT issued for a tool call (call_mcp_tool) unconditionally includes mcp:tools/list — a broader permission that lets the token holder enumerate available tools. For a zero-trust model, a token authorizing a single tool call should not also authorize list.

MCP servers that enforce fine-grained scope checks (e.g., AWS Bedrock AgentCore Gateway) could reject or mishandle this. Consider restricting the base scopes to only what's needed for the actual call type:

scopes = ["mcp:tools/call"]
if tool_name:
    scopes.append(f"mcp:tools/{tool_name}:call")
# Only add list scope if this is an explicit list call, not a tool call

[greptile-apps]

extra_headers assignment silently discards headers from prior hooks

data["extra_headers"] = {...} unconditionally replaces any extra_headers value that an earlier guardrail in the chain may have injected. In a multi-guardrail configuration where another hook also contributes headers (e.g., a custom guardrail that injects tracing or auth headers before MCPJWTSigner runs), those headers are silently dropped.

The assignment should merge into any existing dict rather than replace it:

Suggested change

	data["extra_headers"] = {
	"Authorization": f"Bearer {signed_token}",
	}
	existing = data.get("extra_headers") or {}
	data["extra_headers"] = {
	**existing,
	"Authorization": f"Bearer {signed_token}",
	}

[greptile-apps]

Hook JWT silently overwrites existing OAuth2/static Authorization header on regular MCP servers

hook_extra_headers is merged last (highest priority). When MCPJWTSigner is enabled with default_on: true, its Authorization: Bearer <jwt> overwrites any Authorization header already set by OAuth2 exchange or mcp_server_auth_headers — silently breaking authentication for any regular (non-OpenAPI) MCP server that already has its own auth configured.

The OpenAPI code path received a warning (verbose_logger.warning(...)) for this case, but the regular MCP code path has no equivalent guard. Users enabling this guardrail against servers with existing OAuth2 or API-key auth will see silent authentication failures.

At minimum, add a warning similar to the OpenAPI path when the hook header would override an existing Authorization:

if hook_extra_headers:
    if extra_headers is None:
        extra_headers = {}
    if "Authorization" in hook_extra_headers and "Authorization" in extra_headers:
        verbose_logger.warning(
            "MCPJWTSigner: overriding existing Authorization header for "
            "MCP server '%s'. Disable MCPJWTSigner or remove server-level "
            "auth if this is unintended.",
            mcp_server.server_name,
        )
    extra_headers.update(hook_extra_headers)

[ishaan-jaff]

@greptile review

[ishaan-jaff]

@greptile review

[ishaan-jaff]

@greptile review again