@acarmisc/backstage-plugin-litellm-backend 0.2.0 → 0.2.1

package/dist/client.d.ts

@@ -11,7 +11,38 @@ export declare class LiteLLMClient {
      */
     getUserInfo(userId?: string): Promise<UserInfo | null>;
     createUser(payload: CreateUserRequest): Promise<CreateUserResponse>;
+    /**
+     * Updates an existing LiteLLM user record. Used as a defensive follow-up
+     * after /user/new because the upsert path of /user/new has been observed
+     * to silently drop fields like user_role under concurrent inserts.
+     */
+    updateUser(payload: Partial<CreateUserRequest> & {
+        user_id: string;
+    }): Promise<unknown>;
+    /**
+     * Returns the keys belonging to a user.
+     *
+     * Implementation note: LiteLLM's `/key/info` endpoint requires a `key`
+     * hash and returns 404 when only `user_id` is passed. The correct way
+     * to enumerate a user's keys is `/user/info?user_id=X`, which embeds
+     * a `keys` array with per-key metadata. We unwrap that array and
+     * normalise field names to match the frontend VirtualKey shape
+     * (LiteLLM exposes `key_name` for the masked display value and
+     * `expires` instead of `expires_at`).
+     */
     listKeys(userId?: string): Promise<VirtualKey[]>;
+    private toVirtualKey;
+    /**
+     * Creates a new virtual key on the LiteLLM proxy.
+     *
+     * Implementation notes — both required to avoid silently-empty keys:
+     *   1. The body must be the plain payload. An earlier version wrapped
+     *      it as `{ json: request }`; LiteLLM doesn't unwrap that envelope
+     *      and treats the request as having no fields, returning a key
+     *      with null alias / models / budget / limits.
+     *   2. LiteLLM expects `key_alias`, not `alias`. Without the rename,
+     *      the alias the user typed is dropped on the floor.
+     */
     generateKey(request: GenerateKeyRequest): Promise<GenerateKeyResponse>;
     updateKey(request: UpdateKeyRequest): Promise<VirtualKey>;
     deleteKeys(request: DeleteKeyRequest): Promise<{

package/dist/client.js

@@ -17,7 +17,7 @@ class LiteLLMClient {
                 signal: controller.signal,
                 headers: {
                     'Content-Type': 'application/json',
-                    'Authorization': `Bearer ${this.masterKey}`,
+                    Authorization: `Bearer ${this.masterKey}`,
                     ...options.headers,
                 },
             });
@@ -54,11 +54,35 @@ class LiteLLMClient {
             body: JSON.stringify(payload),
         });
     }
+    /**
+     * Updates an existing LiteLLM user record. Used as a defensive follow-up
+     * after /user/new because the upsert path of /user/new has been observed
+     * to silently drop fields like user_role under concurrent inserts.
+     */
+    async updateUser(payload) {
+        return this.request('/user/update', {
+            method: 'POST',
+            body: JSON.stringify(payload),
+        });
+    }
+    /**
+     * Returns the keys belonging to a user.
+     *
+     * Implementation note: LiteLLM's `/key/info` endpoint requires a `key`
+     * hash and returns 404 when only `user_id` is passed. The correct way
+     * to enumerate a user's keys is `/user/info?user_id=X`, which embeds
+     * a `keys` array with per-key metadata. We unwrap that array and
+     * normalise field names to match the frontend VirtualKey shape
+     * (LiteLLM exposes `key_name` for the masked display value and
+     * `expires` instead of `expires_at`).
+     */
     async listKeys(userId) {
-        const query = userId ? `?user_id=${encodeURIComponent(userId)}` : '';
+        if (!userId)
+            return [];
         try {
-            const response = await this.request(`/key/info${query}`);
-            return Array.isArray(response) ? response : (response.info ?? []);
+            const response = await this.request(`/user/info?user_id=${encodeURIComponent(userId)}`);
+            const rawKeys = response.keys ?? [];
+            return rawKeys.map(this.toVirtualKey);
         }
         catch (err) {
             if (err.status === 404 || err.message.includes('not found')) {
@@ -67,10 +91,44 @@ class LiteLLMClient {
             throw err;
         }
     }
+    toVirtualKey(k) {
+        return {
+            // The hashed `token` never leaves LiteLLM in a usable form; the
+            // masked `key_name` ("sk-...XXXX") is what the UI displays. Fall
+            // back to `token` only when `key_name` is missing.
+            key: k.key_name ?? k.token,
+            token: k.token,
+            key_alias: k.key_alias ?? undefined,
+            created_at: k.created_at,
+            expires_at: k.expires ?? undefined,
+            spend: k.spend ?? 0,
+            max_budget: k.max_budget ?? undefined,
+            tpm_limit: k.tpm_limit ?? undefined,
+            rpm_limit: k.rpm_limit ?? undefined,
+            models: k.models ?? [],
+            user_id: k.user_id ?? undefined,
+        };
+    }
+    /**
+     * Creates a new virtual key on the LiteLLM proxy.
+     *
+     * Implementation notes — both required to avoid silently-empty keys:
+     *   1. The body must be the plain payload. An earlier version wrapped
+     *      it as `{ json: request }`; LiteLLM doesn't unwrap that envelope
+     *      and treats the request as having no fields, returning a key
+     *      with null alias / models / budget / limits.
+     *   2. LiteLLM expects `key_alias`, not `alias`. Without the rename,
+     *      the alias the user typed is dropped on the floor.
+     */
     async generateKey(request) {
+        const { alias, ...rest } = request;
+        const payload = {
+            ...rest,
+            ...(alias && { key_alias: alias }),
+        };
         return this.request('/key/generate', {
             method: 'POST',
-            body: JSON.stringify({ json: request }),
+            body: JSON.stringify(payload),
         });
     }
     async updateKey(request) {
@@ -87,7 +145,7 @@ class LiteLLMClient {
     }
     async listModels() {
         const response = await this.request('/models');
-        return Array.isArray(response) ? response : (response.data ?? []);
+        return Array.isArray(response) ? response : response.data ?? [];
     }
     async getTeamInfo(teamId) {
         return this.request(`/team/info?team_id=${encodeURIComponent(teamId)}`);
@@ -120,7 +178,9 @@ class LiteLLMClient {
      *   - usage_by_key    → which keys drove cost / traffic (with key_alias + team_id from metadata)
      */
     transformDailyActivity(response) {
-        const results = Array.isArray(response?.results) ? response.results : [];
+        const results = Array.isArray(response?.results)
+            ? response.results
+            : [];
         const meta = response?.metadata ?? {};
         const daily_usage = results
             .map(r => ({

package/dist/index.cjs.js

@@ -1,7 +1,9 @@
 "use strict";
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -15,6 +17,14 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
@@ -22,6 +32,7 @@ var index_exports = {};
 __export(index_exports, {
   LiteLLMClient: () => LiteLLMClient,
   createRouter: () => createRouter,
+  default: () => litellmPlugin,
   litellmPlugin: () => litellmPlugin
 });
 module.exports = __toCommonJS(index_exports);
@@ -30,7 +41,7 @@ module.exports = __toCommonJS(index_exports);
 var import_backend_plugin_api = require("@backstage/backend-plugin-api");
 
 // src/router.ts
-var import_express = require("express");
+var import_express = __toESM(require("express"));
 var import_catalog_client = require("@backstage/catalog-client");
 
 // src/client.ts
@@ -50,13 +61,15 @@ var LiteLLMClient = class {
         signal: controller.signal,
         headers: {
           "Content-Type": "application/json",
-          "Authorization": `Bearer ${this.masterKey}`,
+          Authorization: `Bearer ${this.masterKey}`,
           ...options.headers
         }
       });
       if (!response.ok) {
         const errorBody = await response.text();
-        const err = new Error(`LiteLLM API error: ${response.status} ${response.statusText} - ${errorBody}`);
+        const err = new Error(
+          `LiteLLM API error: ${response.status} ${response.statusText} - ${errorBody}`
+        );
         err.status = response.status;
         throw err;
       }
@@ -84,11 +97,36 @@ var LiteLLMClient = class {
       body: JSON.stringify(payload)
     });
   }
+  /**
+   * Updates an existing LiteLLM user record. Used as a defensive follow-up
+   * after /user/new because the upsert path of /user/new has been observed
+   * to silently drop fields like user_role under concurrent inserts.
+   */
+  async updateUser(payload) {
+    return this.request("/user/update", {
+      method: "POST",
+      body: JSON.stringify(payload)
+    });
+  }
+  /**
+   * Returns the keys belonging to a user.
+   *
+   * Implementation note: LiteLLM's `/key/info` endpoint requires a `key`
+   * hash and returns 404 when only `user_id` is passed. The correct way
+   * to enumerate a user's keys is `/user/info?user_id=X`, which embeds
+   * a `keys` array with per-key metadata. We unwrap that array and
+   * normalise field names to match the frontend VirtualKey shape
+   * (LiteLLM exposes `key_name` for the masked display value and
+   * `expires` instead of `expires_at`).
+   */
   async listKeys(userId) {
-    const query = userId ? `?user_id=${encodeURIComponent(userId)}` : "";
+    if (!userId) return [];
     try {
-      const response = await this.request(`/key/info${query}`);
-      return Array.isArray(response) ? response : response.info ?? [];
+      const response = await this.request(
+        `/user/info?user_id=${encodeURIComponent(userId)}`
+      );
+      const rawKeys = response.keys ?? [];
+      return rawKeys.map(this.toVirtualKey);
     } catch (err) {
       if (err.status === 404 || err.message.includes("not found")) {
         return [];
@@ -96,10 +134,44 @@ var LiteLLMClient = class {
       throw err;
     }
   }
+  toVirtualKey(k) {
+    return {
+      // The hashed `token` never leaves LiteLLM in a usable form; the
+      // masked `key_name` ("sk-...XXXX") is what the UI displays. Fall
+      // back to `token` only when `key_name` is missing.
+      key: k.key_name ?? k.token,
+      token: k.token,
+      key_alias: k.key_alias ?? void 0,
+      created_at: k.created_at,
+      expires_at: k.expires ?? void 0,
+      spend: k.spend ?? 0,
+      max_budget: k.max_budget ?? void 0,
+      tpm_limit: k.tpm_limit ?? void 0,
+      rpm_limit: k.rpm_limit ?? void 0,
+      models: k.models ?? [],
+      user_id: k.user_id ?? void 0
+    };
+  }
+  /**
+   * Creates a new virtual key on the LiteLLM proxy.
+   *
+   * Implementation notes — both required to avoid silently-empty keys:
+   *   1. The body must be the plain payload. An earlier version wrapped
+   *      it as `{ json: request }`; LiteLLM doesn't unwrap that envelope
+   *      and treats the request as having no fields, returning a key
+   *      with null alias / models / budget / limits.
+   *   2. LiteLLM expects `key_alias`, not `alias`. Without the rename,
+   *      the alias the user typed is dropped on the floor.
+   */
   async generateKey(request) {
+    const { alias, ...rest } = request;
+    const payload = {
+      ...rest,
+      ...alias && { key_alias: alias }
+    };
     return this.request("/key/generate", {
       method: "POST",
-      body: JSON.stringify({ json: request })
+      body: JSON.stringify(payload)
     });
   }
   async updateKey(request) {
@@ -115,11 +187,15 @@ var LiteLLMClient = class {
     });
   }
   async listModels() {
-    const response = await this.request("/models");
+    const response = await this.request(
+      "/models"
+    );
     return Array.isArray(response) ? response : response.data ?? [];
   }
   async getTeamInfo(teamId) {
-    return this.request(`/team/info?team_id=${encodeURIComponent(teamId)}`);
+    return this.request(
+      `/team/info?team_id=${encodeURIComponent(teamId)}`
+    );
   }
   emptyUsage() {
     return {
@@ -243,7 +319,9 @@ var LiteLLMClient = class {
     });
     if (userId) params.append("user_id", userId);
     try {
-      const response = await this.request(`/user/daily/activity?${params.toString()}`);
+      const response = await this.request(
+        `/user/daily/activity?${params.toString()}`
+      );
       return this.transformDailyActivity(response);
     } catch (err) {
       if (err.status === 404 || err.message.includes("not found")) {
@@ -260,7 +338,9 @@ var LiteLLMClient = class {
       page_size: "100"
     });
     try {
-      const response = await this.request(`/team/daily/activity?${params.toString()}`);
+      const response = await this.request(
+        `/team/daily/activity?${params.toString()}`
+      );
       return this.transformDailyActivity(response);
     } catch (err) {
       if (err.status === 404 || err.message.includes("not found")) {
@@ -370,6 +450,7 @@ async function provisionUser(client, userId, defaults, profile, backstageEntity,
     ...defaults.tpmLimit !== void 0 && { tpm_limit: defaults.tpmLimit },
     ...defaults.rpmLimit !== void 0 && { rpm_limit: defaults.rpmLimit },
     ...defaults.userRole && { user_role: defaults.userRole },
+    auto_create_key: false,
     metadata: {
       ...defaults.metadata,
       provisioned_by: "backstage",
@@ -537,6 +618,7 @@ async function createRouter(options) {
     );
   }
   const router = (0, import_express.Router)();
+  router.use(import_express.default.json());
   router.get("/health", (_req, res) => {
     res.json({ status: "ok", provisioning: provisioningEnabled });
   });
@@ -593,6 +675,19 @@ async function createRouter(options) {
   });
   router.post("/keys/generate", async (req, res) => {
     try {
+      const body = req.body ?? {};
+      const missing = [];
+      if (!body.alias?.trim()) missing.push("alias");
+      if (typeof body.max_budget !== "number" || body.max_budget <= 0) {
+        missing.push("max_budget (positive number)");
+      }
+      if (missing.length) {
+        res.status(400).json({
+          error: "Missing required fields",
+          hint: `Required: ${missing.join(", ")}`
+        });
+        return;
+      }
       const tokenEntityRef = await resolveUserId(req, auth);
       const resolvedUserId = tokenEntityRef ? toLiteLLMUserId(tokenEntityRef, userIdDomain) : void 0;
       if (resolvedUserId) {
@@ -608,8 +703,20 @@ async function createRouter(options) {
           logger
         );
       }
+      const profile = tokenEntityRef ? await resolveUserProfile(tokenEntityRef, catalogClient, auth, logger) : {};
+      const enrichedMetadata = {
+        ...body.metadata ?? {},
+        created_by_backstage_user: tokenEntityRef ?? "unknown",
+        ...profile.email && { created_by_email: profile.email },
+        ...profile.displayName && {
+          created_by_display_name: profile.displayName
+        },
+        created_via: "backstage",
+        created_at_iso: (/* @__PURE__ */ new Date()).toISOString()
+      };
       const request = {
-        ...req.body,
+        ...body,
+        metadata: enrichedMetadata,
         ...resolvedUserId && { user_id: resolvedUserId }
       };
       const result = await client.generateKey(request);