Skip to content

fix: prevent dummy_key from overriding provider-specific API keys #2293

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
naorpeled merged 7 commits into from
Apr 1, 2026
+340 −5
Merged

fix: prevent dummy_key from overriding provider-specific API keys #2293

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
6ca1b00
fix: prevent dummy_key from overriding provider-specific API keys
yanukadeneth99 Mar 27, 2026
2452b6d
fix: extract dummy_key sentinel into module constant
yanukadeneth99 Mar 27, 2026
b5db7ad
fix: add api_key guard and test coverage for dummy key override (#2042)
yanukadeneth99 Mar 30, 2026
a454e4f
fix: replace hardcoded api-key-like strings with generic test identif…
yanukadeneth99 Mar 30, 2026
1dc4223
fix: make test_anthropic_key_not_shadowed_by_dummy_key deterministic
yanukadeneth99 Mar 30, 2026
6a1c384
Merge branch 'main' into fix/litellm-anthropic-key-override
yanukadeneth99 Apr 1, 2026
295f5c4
test: add regression tests for Groq, xAI, and Ollama coexistence
yanukadeneth99 Apr 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions pr_agent/algo/ai_handlers/litellm_ai_handler.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
import json

MODEL_RETRIES = 2
DUMMY_LITELLM_API_KEY = "dummy_key" # placeholder set when no OpenAI key is configured


class LiteLLMAIHandler(BaseAiHandler):
Expand All @@ -39,7 +40,7 @@ def __init__(self):
openai.api_key = get_settings().openai.key
litellm.openai_key = get_settings().openai.key
elif 'OPENAI_API_KEY' not in os.environ:
litellm.api_key = "dummy_key"
litellm.api_key = DUMMY_LITELLM_API_KEY
if get_settings().get("aws.AWS_ACCESS_KEY_ID"):
assert get_settings().aws.AWS_SECRET_ACCESS_KEY and get_settings().aws.AWS_REGION_NAME, "AWS credentials are incomplete"
os.environ["AWS_ACCESS_KEY_ID"] = get_settings().aws.AWS_ACCESS_KEY_ID
Expand Down Expand Up @@ -406,7 +407,10 @@ async def chat_completion(self, model: str, system: str, user: str, temperature:
get_logger().info(f"\nSystem prompt:\n{system}")
get_logger().info(f"\nUser prompt:\n{user}")

kwargs["api_key"] = litellm.api_key
# Inject api_key to the call. This key is populated during init by providers
# like Groq, XAI, Azure AD, and OpenRouter. Skip if None or placeholder.
if litellm.api_key and litellm.api_key != DUMMY_LITELLM_API_KEY:
kwargs["api_key"] = litellm.api_key

# Get completion with automatic streaming detection
resp, finish_reason, response_obj = await self._get_completion(**kwargs)
Expand Down
165 changes: 165 additions & 0 deletions tests/unittest/test_litellm_api_key_guard.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,165 @@
"""
Tests for the litellm.api_key guard in LiteLLMAIHandler.chat_completion.

Verifies:
- Placeholder key (DUMMY_LITELLM_API_KEY) is never injected into the call.
- None is not injected (e.g. when OpenAI key is set via litellm.openai_key).
- Real provider keys (Groq, XAI, OpenRouter, Azure AD) ARE injected.
"""
from unittest.mock import AsyncMock, MagicMock, patch

import litellm
import pytest

import pr_agent.algo.ai_handlers.litellm_ai_handler as litellm_handler
from pr_agent.algo.ai_handlers.litellm_ai_handler import DUMMY_LITELLM_API_KEY, LiteLLMAIHandler


def _make_settings():
"""Minimal settings object that satisfies __init__ and chat_completion."""
return type("Settings", (), {
"config": type("Config", (), {
"reasoning_effort": None,
"ai_timeout": 30,
"custom_reasoning_model": False,
"max_model_tokens": 32000,
"verbosity_level": 0,
"seed": -1,
"get": lambda self, key, default=None: default,
})(),
"litellm": type("LiteLLM", (), {
"get": lambda self, key, default=None: default,
})(),
"get": lambda self, key, default=None: default,
})()


def _mock_response():
"""Minimal acompletion response."""
mock = MagicMock()
mock.__getitem__ = lambda self, key: {
"choices": [{"message": {"content": "ok"}, "finish_reason": "stop"}]
}[key]
mock.dict.return_value = {"choices": [{"message": {"content": "ok"}, "finish_reason": "stop"}]}
return mock
Comment on lines +37 to +44
Copy link
Copy Markdown
Contributor

@qodo-free-for-open-source-projects qodo-free-for-open-source-projects bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

1. Broken litellm response mock 🐞 Bug ☼ Reliability

The new unit tests’ _mock_response() assigns a lambda to mock.__getitem__, but
_get_completion() requires response["choices"] to return a real list and checks
len(response["choices"]); this mock setup is likely not honored by response[...] and can cause
openai.APIError during the tests. As written, the tests are unstable and may not actually validate
the intended behavior.
Agent Prompt 
### Issue description
The tests’ `_mock_response()` does not reliably satisfy the production access pattern `response["choices"]` + `len(response["choices"])` in `_get_completion()`. This can cause the tests to fail (or validate the wrong behavior) depending on mock internals.

### Issue Context
`LiteLLMAIHandler._get_completion()` expects an object that:
- supports `response["choices"]` returning a list
- supports `response.dict()` returning a dict-like structure for logging

### Fix Focus Areas
- tests/unittest/test_litellm_api_key_guard.py[37-44]
- pr_agent/algo/ai_handlers/litellm_ai_handler.py[440-459]

### Implementation direction
Update `_mock_response()` to use a backing dict and configure magic methods in a standard way, e.g.:
- `data = {"choices": [{"message": {"content": "ok"}, "finish_reason": "stop"}]}`
- `mock = MagicMock()`
- `mock.__getitem__.side_effect = data.__getitem__`
- `mock.dict.return_value = data`
This ensures `response["choices"]` returns a real list and the handler’s logging path still works.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



@pytest.fixture(autouse=True)
def patch_settings(monkeypatch):
monkeypatch.setattr(litellm_handler, "get_settings", lambda: _make_settings())


def _make_anthropic_settings():
"""Settings with ANTHROPIC.KEY configured, no OPENAI.KEY.

This simulates the original bug scenario: ANTHROPIC.KEY is set,
but OPENAI.KEY is not, so litellm.api_key falls back to DUMMY_LITELLM_API_KEY.
"""
anthropic_key = "sk-ant-test-real-key"
return type("Settings", (), {
"config": type("Config", (), {
"reasoning_effort": None,
"ai_timeout": 30,
"custom_reasoning_model": False,
"max_model_tokens": 32000,
"verbosity_level": 0,
"seed": -1,
"get": lambda self, key, default=None: default,
})(),
"litellm": type("LiteLLM", (), {
"get": lambda self, key, default=None: default,
})(),
"anthropic": type("Anthropic", (), {
"key": anthropic_key
})(),
# Return the Anthropic key when settings.get("ANTHROPIC.KEY") is called
"get": lambda self, key, default=None: (
anthropic_key if key == "ANTHROPIC.KEY" else default
),
})()


class TestApiKeyGuard:

@pytest.mark.asyncio
async def test_dummy_key_not_forwarded(self, monkeypatch):
"""api_key must NOT appear in kwargs when litellm.api_key is the placeholder."""
monkeypatch.setattr(litellm, "api_key", DUMMY_LITELLM_API_KEY)

with patch("pr_agent.algo.ai_handlers.litellm_ai_handler.acompletion",
new_callable=AsyncMock) as mock_call:
mock_call.return_value = _mock_response()
handler = LiteLLMAIHandler()
await handler.chat_completion(model="gpt-4o", system="sys", user="usr")

assert "api_key" not in mock_call.call_args[1]

@pytest.mark.asyncio
async def test_none_api_key_not_forwarded(self, monkeypatch):
"""api_key must NOT appear in kwargs when litellm.api_key is None.

This is the OpenAI-key path: OPENAI.KEY sets litellm.openai_key,
leaving litellm.api_key at None.
"""
monkeypatch.setattr(litellm, "api_key", None)

with patch("pr_agent.algo.ai_handlers.litellm_ai_handler.acompletion",
new_callable=AsyncMock) as mock_call:
mock_call.return_value = _mock_response()
handler = LiteLLMAIHandler()
await handler.chat_completion(model="gpt-4o", system="sys", user="usr")

assert "api_key" not in mock_call.call_args[1]

@pytest.mark.asyncio
async def test_real_key_forwarded(self, monkeypatch):
"""api_key IS injected when a real provider key is in litellm.api_key (e.g. Groq, XAI).

The key is set after __init__ to simulate a provider having stored its key there
during initialization, without triggering the placeholder value in __init__.
"""
real_key = "sk-test-real-provider-key"

with patch("pr_agent.algo.ai_handlers.litellm_ai_handler.acompletion",
new_callable=AsyncMock) as mock_call:
mock_call.return_value = _mock_response()
handler = LiteLLMAIHandler()
# Set after init so __init__'s own dummy-key assignment doesn't overwrite it
monkeypatch.setattr(litellm, "api_key", real_key)
await handler.chat_completion(model="gpt-4o", system="sys", user="usr")

assert mock_call.call_args[1]["api_key"] == real_key

@pytest.mark.asyncio
async def test_anthropic_key_not_shadowed_by_dummy_key(self, monkeypatch):
"""Original bug scenario: ANTHROPIC.KEY configured without OPENAI.KEY.

During __init__, litellm.api_key is set to DUMMY_LITELLM_API_KEY (fallback)
because OPENAI.KEY is not configured. But litellm.anthropic_key is also set.
The guard must prevent the dummy key from being passed to the call,
allowing litellm to use anthropic_key internally.

This test replicates the exact bug from GitHub issue #2042.
"""
# Override settings to simulate Anthropic configured, OpenAI not configured
monkeypatch.setattr(litellm_handler, "get_settings", _make_anthropic_settings)

with patch("pr_agent.algo.ai_handlers.litellm_ai_handler.acompletion",
new_callable=AsyncMock) as mock_call:
mock_call.return_value = _mock_response()
handler = LiteLLMAIHandler()

# After init: litellm.api_key should be the dummy (OpenAI fallback),
# but litellm.anthropic_key is the real Anthropic key
assert litellm.api_key == DUMMY_LITELLM_API_KEY

# Call with Anthropic model
await handler.chat_completion(
model="claude-3-5-sonnet-20241022",
system="sys",
user="usr"
)

# Verify the dummy key was NOT passed to the call.
# This allows litellm to use litellm.anthropic_key internally.
assert "api_key" not in mock_call.call_args[1]