feat: add Anthropic OAuth pre-call hook to litellm

[binary64]

Switch Anthropic models from API key auth to OAuth auth using custom pre-call hook.

Changes

New Files

• • Custom pre-call hook that injects OAuth headers for Anthropic API calls

Modified Files

• • Upgrade to (supports custom hooks)
  • Add environment variable (requires ANTHROPIC_OAUTH_TOKEN secret)
  • Mount as ConfigMap volume
• • Remove from Anthropic model configs
  • Add and
  • Add new ConfigMap containing

What This Does

The hook replaces the previous approach with a proper OAuth flow:

• Injects header
• Sets required Anthropic headers (, )
• Removes conflicting headers

Requirements

• Add to the secret in the namespace
• Ensure the litellm image supports custom hooks (using nightly build)

Testing

Test by making Anthropic API calls through the litellm proxy and verifying:

• OAuth headers are present in the request
• API key headers are NOT present
• Models respond correctly with OAuth auth

---

Summary by cubic

Switches Anthropic models in LiteLLM from API key auth to OAuth via a custom pre-call hook. Centralizes auth, injects required headers, and cleans up config; also routes the Qwen thinking model to the free tier.

• New Features

  • Added async_pre_call_hook that sets Authorization: Bearer from OAUTH_TOKEN (via os.environ) and Anthropic headers; removes API key headers.
  • Updated Anthropic configs to use the hook; added a litellm-hooks ConfigMap mounted at /etc/litellm/hooks.py with subPath; upgraded image to main-v1.81.14-nightly.
  • Set qwen3-235b-thinking model to the :free variant to avoid paid routing.

• Migration

  • Add ANTHROPIC_OAUTH_TOKEN to the litellm-env secret; it is read as OAUTH_TOKEN.
  • Redeploy LiteLLM to pick up the new image, ConfigMaps, and env vars.

^{Written for commit f42e156. Summary will update on new commits.}

[cubic-dev-ai]

3 issues found across 2 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="infra/manifests/litellm/configmap.yaml">

<violation number="1" location="infra/manifests/litellm/configmap.yaml:123">
P1: Missing `:free` suffix on model path. All other free-tier OpenRouter models use `:free` but this one doesn't, which will route requests to the paid version and incur costs.</violation>

<violation number="2" location="infra/manifests/litellm/configmap.yaml:208">
P0: Bug: `OAUTH_TOKEN` is referenced as a bare Python variable but it's an environment variable. This will raise `NameError` at runtime. You need to read it from `os.environ`.</violation>
</file>

<file name="infra/manifests/litellm/deployment.yaml">

<violation number="1" location="infra/manifests/litellm/deployment.yaml:104">
P2: Mounting the ConfigMap at a file path without `subPath` will create a directory at `/etc/litellm/hooks.py`, so the hook file won’t be readable where the app expects it. Use a subPath (and/or configMap items) to mount the file instead of the whole directory.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[binary64]

All three review comments from cubic-dev-ai[bot] have been addressed in the merge commit:

1. P0 (OAUTH_TOKEN bare variable): Added import os and changed to os.environ['OAUTH_TOKEN']
2. P1 (Missing :free suffix): Added :free suffix to openrouter/qwen/qwen3-235b-a22b-thinking-2507:free
3. P2 (subPath mount): Added subPath: hooks.py to the hooks volume mount in deployment.yaml