o ưi@sdZddlZddlZddlZddlmZmZmZmZm Z m Z m Z m Z ddl mZmZmZddlmZddlZddlmZddlmZddlmZdd lmZmZmZmZmZm Z m!Z!dd l"m#Z#dd l$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3m4Z4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:m;Z;mZ>dd l?m@Z@ddlAmBZBmCZCddlDmEZEddlFmGZGmHZHmIZIddlJmKZKddlLmMZMddlNmOZOddlPmQZQerddlRmSZTe eTefZSneZSeddZUeZVe5jWjXe5jYjXZZde[de\ddfddZ]de e e[ee[fde eKde^fd d!Z_d"e e/d#e e e[ee[fde eKd$e^d%e e<d&eHddfd'd(Z`d)ead*ed+ead,e[ddf d-d.Zbd)ead+ead,e[ddfd/d0Zcd1e edd$e^d,e[ddfd2d3Zed+ead4e e2ddfd5d6Zfd+ead%e e<d4e e2d,e[ddf d7d8Zg 9 dd+ead4e e2d:e e4d;e e)d1e edd)ead,e[de eKd&eHd%e e<d*ed$e^d"e e/de^fde e4de^fd?d@Zid>e e4de e6fdAdBZj dd,e[d*edCead%e e<d>e e4de^f dDdEZkd>e e4fdFdGZl dd,e[dHe dId*edCead%e e<d>e e4de^fdJdKZmdLe[dMende^fdNdOZodPe6dLe[dQe+de^fdRdSZpdTee e4fddZ dd%ee e4fddZ dd%ee e4fddZd4e e2d:e e4d%e e<dZe eGd[ed&eHf ddZd4e e2d%e e<d&eHfddZd4e e2d%e e<d&eHfddZd"e e/d%e e<d&eHfddZd"e e/d%e e<d&eHfddZ dde[dZe eGd[ed&e eHde e/f ddZd%e e<d4e e2dZe eGd[ed&eHf ddZd+eadZe eGd[ed&eHd%e e<f ddZde[de[de^fddZde[dende^fddZde[de[de^fdd Zde[de^fd d Zd+ead4e e2d%e e<fd d Zde ddee[de e,fddZdS(z Got Valid Token from Cache, DB Run checks for: 1. If user can call model 2. If user is in budget 3. If end_user ('user' passed to /chat/completions, /embeddings endpoint) is in budget N) TYPE_CHECKINGAnyDictListLiteralOptionalUnioncast) HTTPExceptionRequeststatus) BaseModel)verbose_proxy_logger) DualCache)LimitedSizeOrderedDict)CLI_JWT_EXPIRATION_HOURSCLI_JWT_TOKEN_NAMEDEFAULT_ACCESS_GROUP_CACHE_TTLDEFAULT_IN_MEMORY_TTL-DEFAULT_MANAGEMENT_OBJECT_IN_MEMORY_CACHE_TTLDEFAULT_MAX_RECURSE_DEPTH-EMAIL_BUDGET_ALERT_MAX_SPEND_ALERT_PERCENTAGE)get_llm_provider) RBAC_ROLESCallInfoLiteLLM_AccessGroupTableLiteLLM_BudgetTableLiteLLM_EndUserTableLitellm_EntityTypeLiteLLM_JWTAuthLiteLLM_ObjectPermissionTable#LiteLLM_OrganizationMembershipTableLiteLLM_OrganizationTableLiteLLM_ProjectTableCachedObjLiteLLM_TagTableLiteLLM_TeamMembershipLiteLLM_TeamTableLiteLLM_TeamTableCachedObjLiteLLM_UserTable LiteLLMRoutesLitellmUserRolesNewTeamRequestProxyErrorTypesProxyExceptionRoleBasedPermissionsSpecialModelNamesUserAPIKeyAuth) RouteChecks)PrismaDBExceptionHandler)TOOL_CAPABLE_CALL_TYPESextract_request_tool_names route_request) PrismaClient ProxyLogginglog_db_metrics)Router)get_utc_datetime)$organization_role_based_access_check)get_model_from_request)Spand)max_sizeentityerrorreturncsht|dkrt|jdkrdSt|d}tfdddDr$d}td|d |d |dS) a Log a warning when budget lookup fails; cache will not be populated. Skips logging for expected "user not found" cases (bare Exception from get_user_object when user_id_upsert=False). Adds a schema migration hint when the error appears schema-related. ExceptionNc3s|]}|vVqdSN).0xZerr_strrHU/home/app/Keep/.python/lib/python3.10/site-packages/litellm/proxy/auth/auth_checks.py Vs  z-_log_budget_lookup_failure..)columnZschemazdoes not existZprismaZmigratezJ Run `prisma db push` or `prisma migrate deploy` to fix schema mismatches.zBudget lookup failed for zJ; cache will not be populated. Each request will hit the database. Error: .)strtype__name__loweranyrrC)rBrChintrHrKrL_log_budget_lookup_failureIs    rVmodel llm_routerc CsB|dus|dur dSt|tr|gn|}|D]}zd|j|d}|dur0td|dWdS|j}|j}|dus>|durQtd|d|d|d WdS|d ksY|d krltd|d |d|d WdStd|d |d|d Wqty}ztd|dt|dWYd}~dSd}~wwdS)aV Check if a model has zero cost (no configured pricing). Uses the router's get_model_group_info method to get pricing information. Args: model: The model name or list of model names llm_router: The LiteLLM router instance Returns: bool: True if all costs for the model are zero, False otherwise NF)Z model_groupzNo model group info found for z, assuming it has costzModel z has undefined cost (input: z , output: z), assuming it has costrz has non-zero cost (input: )z- has zero cost explicitly configured (input: zError checking cost for model : T) isinstancerPZget_model_group_infordebugZinput_cost_per_tokenZoutput_cost_per_tokenrF)rWrXZ model_list model_nameZmodel_group_infoZ input_costZ output_costerHrHrL_is_model_cost_zerocsD  r_project_object_modelskip_budget_checks valid_tokenproxy_logging_objcs~|durdS|jdurtd|jd|r%t|jdkr%t|||d|s=t|||dIdHt|||dIdHdSdS)z Run all project-level checks: blocked, model access, budget, soft budget. Extracted from common_checks() to keep statement count manageable. NTzProject=z= is blocked. Update via `/project/update` if you're an admin.rrWr`rX)r`rcrd)blockedrF project_idlenmodelscan_project_access_model_project_max_budget_check_project_soft_budget_checkr`rarXrbrcrdrHrHrL_run_project_checkss2    rngeneral_settingsrequest request_bodyroutecCs|ddsdSt|dr|jnd}|o|dk}tj|d}|tjjvp.tj |tjjd}|rB|rD|sFd|vrHt d|ddSdSdSdS) NZenforce_user_paramFmethodPOSTrr)rrallowed_routesuserz1'user' param not passed in. 'enforce_user_param'=) gethasattrrsupperr1is_llm_api_router)Z mcp_routesvalueZcheck_route_accessrF)rorprqrrZ http_methodZis_post_methodZis_openai_routeZ is_mcp_routerHrHrL_enforce_user_param_checks,     r}cCsn|ddsdStj|dr/d|vr1t|dtr3d|dvr5td|ddtjdtj d dSdSdSdS) NZreject_clientside_metadata_tagsFrumetadatatagszVClient-side 'metadata.tags' not allowed in request. 'reject_clientside_metadata_tags'=z,. Tags can only be set via API key metadata.z metadata.tagsmessagerQparamcode) rxr1r{r[dictr-r,bad_request_errorr HTTP_400_BAD_REQUEST)rorqrrrHrHrL&_reject_clientside_metadata_tags_checks"    rglobal_proxy_spendcCshtjdkr&|s(|dur*tj|dr,|dkr.|dkr0|tjkr2tj|tjddSdSdSdSdSdSdS)Nrruz /v1/modelsz/models current_cost max_budget)litellmrr1r{BudgetExceededError)rrbrrrHrHrL_global_proxy_budget_checks"   r team_objectcCsF|dipi}|dsdSddlm}||s!tdddiddS) Nr~Z guardrailsr)can_modify_guardrailsirCz8Your team does not have permission to modify guardrails. status_codedetail)rxZ*litellm.proxy.guardrails.guardrail_helpersrr )rqrZ_request_metadatarrHrHrL_guardrail_modification_checks  rc sddlm}|dur dS||}|rtdd|DsdSt||}|s'dSt|jtr2|jp1ini}t|jtr?|jp>ini}|d} |d} t| t rXt | dkrX| n| } t| t ret | dkrgdSdd| Dfd d |D} | rt d | d t j d tjddS)u Enforce key/team tool allowlist (metadata.allowed_tools). No DB in hot path — effective allowlist is read from valid_token.metadata and valid_token.team_metadata. Raises ProxyException with tool_access_denied if a tool is not allowed. r)get_call_types_for_routeNcss|]}|jtvVqdSrG)r|r3)rIctrHrHrLrM9s  z(check_tools_allowlist..Z allowed_toolscSsh|]}t|qSrH)rP)rItrHrHrL Qz(check_tools_allowlist..cg|]}|vr|qSrHrH)rInZ allowed_setrHrL Rz)check_tools_allowlist..zTool(s) z5 are not in the allowed tools list for this key/team.toolsr)Z2litellm.litellm_core_utils.api_route_to_call_typesrrTr4r[r~rZ team_metadatarxlistrhr-r,Ztool_access_deniedr ZHTTP_403_FORBIDDEN) rqrcrrrrZ call_typesZ tool_namesZkey_metaZ team_metaZ key_allowedZ team_allowedZ effectiveZ disallowedrHrrLcheck_tools_allowlist(sR         rF user_objectend_user_objectc  s.ddlm} m}t||}|dur |jdur td|jd|rI|rIt|||| r-| jnddIdHsIt d|jd |d |j t j d t jd | dur| jrdd lm}ddlm}|j| jd}|dur|jpkid}|rt| j}||}|st dt jdt jd |r|dur|durt|||dIdHt| ||| | |dIdH| sCt||| dIdHt||| dIdHt| || ||dIdHt || ||| dIdH|dus|jdur|dur|j!dur|j!}||j"krt#j$|j"|d|j%d|j"d|dt&||| | ||dIdH|durC|j'durC|j'j!}|durC|j"|krCt#j$|j"|d|j%d|j"d|dt(|| ||t)|||t*|| |t+||t,|||dt-| dd}|durt|dkrtd nd!}t.|||| || d"}t/||| d#IdHt0|| ||d$IdHdS)%a Common checks across jwt + key-based auth. 1. If team is blocked 1.1. If project is blocked 2. If team can call model 2.2 If project can call model 3. If team is in budget 3.0.2. If project is in budget 3.0.3. If project is over soft budget (alert only) 4. If user passed in (JWT or key.user_id) - is in budget 5. If end_user (either via JWT or 'user' passed to /chat/completions, /embeddings endpoint) is in budget 6. [OPTIONAL] If 'enforce_end_user' enabled - did developer pass in 'user' param for openai endpoints 7. [OPTIONAL] If 'litellm.max_budget' is set (>0), is proxy under budget 8. [OPTIONAL] If guardrails modified - is request allowed to change this 9. Check if request body is safe 10. [OPTIONAL] Organization checks - is user_object.organization_id is set, run these checks 11. [OPTIONAL] Vector store checks - is the object allowed to access the vector store r) prisma_clientuser_api_key_cacheNTzTeam=z6 is blocked. Update via `/team/unblock` if your admin.)rWrrXteam_model_aliasesz'Team not allowed to access model. Team=z, Model=z. Allowed team models = rWr)global_agent_registry)get_chain_id_from_headers)agent_idZ"require_trace_id_on_calls_by_agentzORequests made with this agent's key must include the x-litellm-trace-id header.rWrXrrm)rrdrc)rcrrrrd)rqrrrdrczExceededBudget: User= over budget. Spend= , Budget=rrr)rrrcrrrdExceededBudget: End User=)rrrrqteam_idlitellm-dashboarduiapi)rr token_typeuser_objrp request_datarc)rqrrc)rqrcrrr)1litellm.proxy.proxy_serverrrr>rfrFrcan_team_access_modelrr-rir,Zteam_model_access_deniedr HTTP_401_UNAUTHORIZEDrZ,litellm.proxy.agent_endpoints.agent_registryrZ$litellm.proxy.litellm_pre_call_utilsrZget_agent_by_idZlitellm_paramsrxrheadersrrcan_user_call_modelrn_team_max_budget_check_team_soft_budget_check_organization_max_budget_check_tag_max_budget_checkrspendrruser_id_check_team_member_budgetlitellm_budget_tabler}rrrr=getattr_is_allowed_routevector_store_access_checkr)rqrrrrrorrrXrdrcrprbr`rrrarrZagentZrequire_trace_idZ headers_dictZtrace_idZ user_budgetend_user_budgetZ token_teamrZ_is_route_allowedrHrHrL common_checks\s"                         rrcsRtjj}durttrtfdd|DrdStfdd|Dr'dSdS)z1 - Check if the route is a UI used route Nc3s|]}|VqdSrG) startswithrI allowed_routerurHrLrM?sz_is_ui_route..Tc3s|] }tj|dVqdS))rrpatternN)r1Z_route_matches_patternrrurHrLrMCs  F)r)Z ui_routesr|r[rPrT)rrrrvrHrurL _is_ui_route2s rcCs>|durdS|}|j}zt|}W|StytjYSwrG) user_roler* ValueErrorZ INTERNAL_USER)r_user _user_rolerolerHrHrL_get_user_roleKs  rrcCs>t|d}|dur tdt|dstj||||||ddS)z< - Route b/w api token check and normal token check rNz4Invalid proxy server token passed. valid_token=None.)rrrrrprrcT)rrF_is_user_proxy_adminr1Z$non_proxy_admin_allowed_routes_check)rrrprrcrrrHrHrL_is_api_route_allowed\s  rcCsH|durdS|jdur|jtjjkrdS|jdur"|jtjjkr"dSdS)NFT)rr* PROXY_ADMINr|rrHrHrLrws  rr)rrcCs*|dkr t||dr dSt|||||dS)z; - Route b/w ui token check and normal token check r)rrrT)rrrprrcr)rr)rrrrprrcrrHrHrLrs r user_routervcCsdddlm}|D]'}|tjvr(t|jD]}||\}}}||r&dSqq||kr/dSqdS)a  Return if a user is allowed to access route. Helper function for `allowed_routes_check`. Parameters: - user_route: str - the route the user is trying to call - allowed_routes: List[str|LiteLLMRoutes] - the list of allowed routes for the user. r) compile_pathTF)Zstarlette.routingrr) __members__r|match)rrvrrtemplateregex_rHrHrL_allowed_routes_checks   rrlitellm_proxy_rolescCsf|tjkrt||jd}|S|tjkr1|jdur# t|ddgd}|S|jdur1t||jd}|SdS)zE Check if user -> not admin - allowed to access these routes )rrvN openai_routesZ info_routesF)r*rrZadmin_allowed_routesTEAMZteam_allowed_routes)rrrZ is_allowedrHrHrLallowed_routes_checks(    ruser_api_key_dictrequested_user_idcCsDd}|jtjkr|jtjkrd}|dur |jdur |j|kr d}|S)NTF)rr*rZPROXY_ADMIN_VIEW_ONLYr)rrZret_valrHrHrL allowed_route_check_inside_routes   rc Cs`g}|D])}zt|j}t|tr|t|n||Wqty-||Yqw|SrG)r)r|r[setextendrKeyErrorappend)rvZ actual_routesZ route_nameZ route_valuerHrHrLget_actual_routess    rrrparent_otel_spanc s|dus tjdur dSdtj}|j|dIdH}|dur&td i|Sz5|jjjdtjidIdH}|durEtdtjWdS|j || t dIdHtd i| WSt yx}zt dt|WYd}~dSd}~ww) a Fetches the default end user budget from the database if litellm.max_end_user_budget_id is configured. This budget is applied to end users who don't have an explicit budget_id set. Results are cached for performance. Args: prisma_client: Database client instance user_api_key_cache: Cache for storing/retrieving budget data parent_otel_span: Optional OpenTelemetry span for tracing Returns: LiteLLM_BudgetTable if configured and found, None otherwise Nzdefault_end_user_budget:keyZ budget_idwherez/Default end user budget not found in database: rr|ttlz(Error fetching default end user budget: rH)rmax_end_user_budget_idasync_get_cacherdbZlitellm_budgettable find_uniquerwarningasync_set_cacherrrFrCrP)rrr cache_keyZ cached_budgetZ budget_recordr^rHrHrLget_default_end_user_budgets6    r end_user_objcs^|jdur|Stjdur|St|||dIdH}|dur-||_tdtjd|j|S)a Helper function to apply default budget to end user if they don't have a budget assigned. Args: end_user_obj: The end user object to potentially apply default budget to prisma_client: Database client instance user_api_key_cache: Cache for storing/retrieving data parent_otel_span: Optional OpenTelemetry span for tracing Returns: Updated end user object with default budget applied if applicable N)rrrzApplied default budget z to end user )rrrrrr\r)rrrrZdefault_budgetrHrHrL!_apply_default_budget_to_end_user/s    rc Csft|rdS|jdurdS|jj}|dur/|j|kr1tj|j|d|jd|jd|ddSdS)z Check if end user is within their budget limit. Args: end_user_obj: The end user object to check route: The request route Raises: litellm.BudgetExceededError: If end user has exceeded their budget Nrrrr)r1Z is_info_routerrrrrr)rrrrrHrHrL_check_end_user_budgetZs  r end_user_idc s4|dur td|durdSd|}|j|dIdH}|dur;td i|}t||||dIdH}t||d|SzC|jjjd|iddd d IdH} | durSttd i| } t| |||dIdH} |j d|| d IdHt| |d| WSty} zt | t j r| WYd} ~ dSd} ~ ww) a? Returns end user object from database or cache. If end user exists but has no budget_id, applies the default budget (if configured via litellm.max_end_user_budget_id). Args: end_user_id: The ID of the end user prisma_client: Database client instance user_api_key_cache: Cache for storing/retrieving data route: The request route parent_otel_span: Optional OpenTelemetry span for tracing proxy_logging_obj: Optional proxy logging object Returns: LiteLLM_EndUserTable if found, None otherwise NNo db connectedzend_user_id:{}r)rrrr)rrrrT)robject_permissionrincluderr|rH)rFformatrrrrrZlitellm_endusertablerrrr[rr) rrrrrrrd_keycached_user_objZ return_objresponse _responser^rHrHrLget_end_user_objectwsT      r tag_namesc s0|duriS|s iSi}g}|D]-}d|}|j|dIdH} | dur9t| tr4td i| ||<q| ||<q||q|rz9|jjjdd|iiddidIdH} | D]!} | j}d|}|j || d IdHtd i| ||<qVW|St y} zt d | WYd} ~ |Sd} ~ ww|S) a% Batch fetch multiple tag objects from cache and db. Optimizes for latency by: 1. Fetching all cached tags in parallel 2. Batch fetching uncached tags in one DB query Args: tag_names: List of tag names to fetch prisma_client: Prisma database client user_api_key_cache: Cache for storing tag objects parent_otel_span: Optional OpenTelemetry span for tracing proxy_logging_obj: Optional proxy logging object Returns: Dictionary mapping tag_name to LiteLLM_TagTable object Nztag:rtag_nameinrTrrz)Error batch fetching tags from database: rH) rr[rr$rrZlitellm_tagtable find_manyr rrFrr\) r rrrrd tag_objectsZ uncached_tagsr rZ cached_tagZdb_tagsZdb_tagr^rHrHrLget_tag_objects_batchsH         rr cs:|dus |dur dSt|g||||dIdH}||S)a Returns tag object from cache or db. Uses default cache TTL (same as end_user objects) to avoid drift. Args: tag_name: Name of the tag to fetch prisma_client: Prisma database client user_api_key_cache: Cache for storing tag objects parent_otel_span: Optional OpenTelemetry span for tracing proxy_logging_obj: Optional proxy logging object Returns: LiteLLM_TagTable object if found, None otherwise N)r rrrrd)rrx)r rrrrdr rHrHrLget_tag_objects rrrr%c sddlm}|durtd|dus|durdSd||}|j|dIdH}|dur3|di|Sz2|jjjd||did d id IdH} | durNWdS|j|| d IdH|di| } | WStyvt d ||YdSw)a Returns team membership object if user is member of team. Do a isolated check for team membership vs. doing a combined key + team + user + team-membership check, as key might come in frequently for different users/teams. Larger call will slowdown query time. This way we get to cache the constant (key/team/user info) and only update based on the changing value (team membership). r)r%Nrzteam_membership:{}:{}rZuser_id_team_id)rrrTrrz:Error getting team membership for user_id: %s, team_id: %srH) litellm.proxy._typesr%rFrrrZlitellm_teammembershiprrrr exception) rrrrrrdr%rZcached_membership_objrrrHrHrLget_team_membership;s8     r team_modelscsddlm}|dur dS||vrdS|t|r|j|dtdkr4t|D] \}}|vr3dSq(fdd|D}||vrCdSdS)Nr defaultdictT)r]crrHrHrImZ access_groupsrHrLrrz)model_in_access_group..F) collectionsrrget_model_access_groupsrh enumerate)rWrrXridxrfiltered_modelsrHrrLmodel_in_access_groupqs&    rrlast_db_access_timedb_cache_expirycCsPt}||vr dS||ddurdS||ddur&||||kr&dSdS)zM Prevent calling db repeatedly for items that don't exist in the db. TrNFtime)rrr  current_timerHrHrL_should_check_dbsr$r|cCs|tf||<dSrGr!rr|rrHrHrL_update_last_db_access_timesr& rbac_role)riroutescCsLtttt|dg}|durdS|D]}|j|kr#t||SqdS)zC Get the role based permissions from the general settings. Zrole_permissionsN)r rrr.rxrr)r'rorZrole_based_permissionsZrole_based_permissionrHrHrL_get_role_based_permissionss   r)cCt||ddS)zH Get the models allowed for a user role. Used by JWT Auth. rir'rorr)r'rorHrHrLget_role_based_modelss  r.cCr*)z1 Get the routes allowed for a user role. r(r+r,r-rHrHrLget_role_based_routess r/ sso_user_id user_emailcsd}|dur|jjjd|iddidIdH}|durK|durK|jjjd|ddiddidIdH}|durK|durKt|jjjd |jid|id |S) a< Checks if sso user is in db. Called when user id match is not found in db. - Check if sso_user_id is user_id in db - Check if sso_user_id is sso_user_id in db - Check if user_email is user_email in db - If not, create new user with user_email and sso_user_id and user_id = sso_user_id Nr0organization_membershipsTrr1Z insensitive)equalsmoder)rdata)rlitellm_usertabler find_firstasyncio create_taskupdater)rr0r1rrHrHrL_get_fuzzy_user_objects(   r;user_id_upsert check_db_onlyc  s|durdS|s)|j|dIdH} | dur)t| tr"tdi| St| tr)| S|dur1tdzd|} t| ttd} | r_|j j j d|iddid IdH} | dur^t |||d IdH} nd} | dur|rd|i} |durs|| d <t jdur~| t j|j j j| ddid IdH} nt| jdurt| jd krdd| jD}|| _tdit| }|}|j||tdIdHt| |td|WSty}ztd|td|d|d}~ww)z - Check if user id in proxy User Table - if valid, return LiteLLM_UserTable object with defined limits - if not, then raise an error Nrrz user_id:{}rrr rr2Tr)rr0r1r1)r5rrcSs&g|]}|durtdi|qS)NrH)r! model_dump)rIZ membershiprHrHrLrVs z#get_user_object..rr%rwz$User doesn't exist in db. 'user_id'=z0. Create user via `/user/new` call. Got error - rH)rr[rr(rFrr$rr rr6rr;rZdefault_internal_user_paramsr:creater2rhr?rrr&rVr)rrrr<rrdr0r1r=rdb_access_time_keyshould_check_dbrZnew_user_paramsZ_dumped_membershipsrZ response_dictr^rHrHrLget_user_object s           rCcs|j||tdIdHdS)Nr)rrrr|rrdrHrHrL_cache_management_objectvs rE team_tablecs0d|}t|_t||||dIdHdS)N team_id:{}rD)rr"last_refreshed_atrE)rrFrrdrrHrHrL_cache_team_objects  rI hashed_tokenuser_api_key_objcs*|}t|_t||||dIdHdS)NrD)r"rHrE)rJrKrrdrrHrHrL_cache_key_objects rLcs8|}|j|d|dur|jjj|dIdHdSdS)Nr) delete_cacheinternal_usage_cache dual_cacheasync_delete_cache)rJrrdrrHrHrL_delete_cache_key_objects rQteam_id_upsertc s~|jjjd|idIdH}|dur=|r=ddlm}t|d}tddid}ttj d }||||d IdH}t d i|}|S) Nrrr)new_team)rrQhttp)scope)r)r5 http_requestrrH) rlitellm_teamtablerZ1litellm.proxy.management_endpoints.team_endpointsrSr+r r0r*rr&) rrrRrrSZ new_team_dataZ mock_requestZsystem_admin_userZcreated_team_dictrHrHrL_get_team_db_checks      rXcs|jjjd|idIdHS)Nrr)rrWr)rrrHrHrL_get_team_object_from_dbs rYc s|}t|||d} | rt|||dIdH} nd} | durttd i| } | jr`| js`zt| j||d|dIdH| _Wn!ty_} zt d|d| jd| WYd} ~ nd} ~ wwt || ||dIdHt || |d| S) Nr>)rrrRobject_permission_idrrrrd*Failed to load object_permission for team  with object_permission_id=rZ)rrFrrdr%rH) r$rXrFr'rr[rget_object_permissionrr\rIr&) rrrrr rdrrRrArBrrr^rHrHrL(_get_team_object_from_user_api_key_cachesT   r_cszd}|dur|jjr|jjj||dIdH}|dur$|j|dIdH}|dur;t|tr4tdi|St|tr;|SdS)N)rrrrH)rNrOrr[rr')rrdrrcached_team_objrHrHrL_get_team_object_from_caches"   racheck_cache_onlyc s|dur tdd|}|s/t||||dIdH} | dur!| S|r/tddd|did zt||||tt||d IdHWStyRtddd |d id w) z - Check if team id in proxy Team Table - if valid, return LiteLLM_TeamTable object with defined limits - if not, then raise an error Raises: - HTTPException: If team doesn't exist in db or cache (status_code=404) NFNo DB Connected. See - https://docs.litellm.ai/docs/proxy/virtual_keysrGrrdrrrCz:Team doesn't exist in cache + check_cache_only=True. Team=rOr)rrrrdrr rrRzTeam doesn't exist in db. Team=z#. Create team via `/team/new` call.)rFrrar r_rr ) rrrrrdrbr=rRrr`rHrHrLget_team_object4sN     rfaccess_group_idaccess_group_tablecs&d|}|j||tdIdHdS)Naccess_group_id:{}r)rrr)rgrhrrdrrHrHrL_cache_access_objectvs rjcs>d|}|j|d|dur|jjj|dIdHdSdS)Nrir)rrMrNrOrP)rgrrdrrHrHrL_delete_cache_access_objects  rkc s|dur tdd|}|j|dIdH}|dur.t|tr'tdi|St|tr.|Sz4|jjjd|idIdH}|durLt ddd |d id tdi|}t ||||d IdH|WSt yjty}zt d |t ddd |d|id d}~ww)a - Check if access_group_id in proxy AccessGroupTable - Always checks cache first, then DB only when not found in cache - if valid, return LiteLLM_AccessGroupTable object - if not, then raise an error Unlike get_team_object, this has no check_cache_only or check_db_only flags; it always follows cache-first-then-db semantics. Raises: - HTTPException: If access group doesn't exist in db or cache (status_code=404) NrcrirrgrrerCz/Access group doesn't exist in db. Access group=rOr)rgrhrrdz2Error getting access group for access_group_id: %s . Error: rH) rFrrr[rrrZlitellm_accessgrouptablerr rjrr) rgrrrdrZcached_access_objrrr^rHrHrLget_access_objectsX       rm team_aliasr?c s|dur tdd|}t||||dIdH}|dur|Sz|jjjd|idIdH}|s;tddd |d id t|d krMtd dd|did |d}tdi| } | j r| j szt | j ||||dIdH| _ Wn"ty} zt d| jd| j d| WYd} ~ nd} ~ ww|j|| tdIdHd| j} |j| | tdIdH| WStyty} zt d|tddd|dt| id d} ~ ww)a Look up a team by its team_alias (name) in the database. Args: team_alias: The team name/alias to look up prisma_client: Database client user_api_key_cache: Cache for storing results parent_otel_span: Optional OpenTelemetry span proxy_logging_obj: Optional proxy logging object Returns: LiteLLM_TeamTableCachedObj: The team object if found Raises: HTTPException: If team doesn't exist or multiple teams have the same alias Nrcz team_alias:{}rdrnrrerCzTeam with alias 'z8' doesn't exist in db. Create team via `/team/new` call.rr<z!Multiple teams found with alias 'zJ'. Please use team_id_jwt_field instead or ensure team aliases are unique.rrZr\r]rZrrGz"Error looking up team by alias: %sz Error looking up team by alias '': rH)rFrrarrWr r rhr'r?r[rr^rr\rrrrrP) rnrrrrdrr`teamsteamZteam_objr^Zteam_id_cache_keyrHrHrLget_team_object_by_aliass           rt org_aliasc sf|dur tdd|}|j|dIdH}|dur.t|tr'tdi|St|tr.|Sz[|jjjd|idIdH}|sJt ddd |d id t |d kr\t d dd|did |d}tdi| } |j || t dIdH|j d| j| t dIdH| WSt yty} ztd|t ddd|dt| id d} ~ ww)a  Look up an organization by its organization_alias in the database. Args: org_alias: The organization name/alias to look up prisma_client: Database client user_api_key_cache: Cache for storing results parent_otel_span: Optional OpenTelemetry span proxy_logging_obj: Optional proxy logging object Returns: LiteLLM_OrganizationTable if found, None otherwise Raises: HTTPException: If organization not found or multiple orgs have the same alias Nrcz org_alias:{}rZorganization_aliasrrerCzOrganization with alias 'zH' doesn't exist in db. Create organization via `/organization/new` call.rr<roz)Multiple organizations found with alias 'zQ'. Please use org_id_jwt_field instead or ensure organization aliases are unique.rr org_id:{}z*Error looking up organization by alias: %srpz(Error looking up organization by alias 'rqrH)rFrrr[rr"rlitellm_organizationtabler r rhr?rrorganization_idrrrP) rurrrrdrcached_org_objZorgsorgZorg_objr^rHrHrLget_org_object_by_aliasLsl           r{c@s^eZdZededefddZe d dedeedefddZed edee fd d Z dS) ExperimentalUIJWTToken user_inforDc Csddlm}ddlm}|jdurtdt|dd}|dddd }td d d t j d ||j d |j dt |jd }||jddS)Nr timedeltaencrypt_value_helperz/User role is required for experimental UI login )minutes%Y-%m-%dT%H:%M:%S.%f+00:00zui-tokenr@r) tokenkey_name key_aliasrZ rpm_limitexpiresrrrimax_parallel_requestsrTZ exclude_none)datetimer0litellm.proxy.common_utils.encrypt_decrypt_utilsrrrFr;strftimer0rmax_ui_session_budgetrrir*model_dump_json)r}rrexpiration_timerrcrHrHrL(get_experimental_ui_login_jwt_auth_tokens(   z?ExperimentalUIJWTToken.get_experimental_ui_login_jwt_auth_tokenNrc Csddlm}ddlm}|jdurtdt|td}|dddd }|}|durDt |d rD|j rDt |j dkrB|j dnd}t t t t tj||j||jdt|jd }||jd d S)a Generate a JWT token for CLI authentication with configurable expiration. The expiration time can be controlled via the LITELLM_CLI_JWT_EXPIRATION_HOURS environment variable (defaults to 24 hours). Args: user_info: User information from the database team_id: Team ID for the user (optional, uses user's team if available) Returns: Encrypted JWT token string rr~rNz'User role is required for CLI JWT login)hoursrrrrr) rrrrrrrrirrTr)rrrrrrFr;rrryrrrhr0rrrrrir*r)r}rrrrrZ_team_idrcrHrHrLget_cli_jwt_auth_tokens,    z-ExperimentalUIJWTToken.get_cli_jwt_auth_tokenrJc Csddl}ddlm}ddlm}||ddd}|durdSz |d i||WStyA}z td|d|d |d}~ww) Nr)r0)decrypt_value_helperZ ui_hash_keyr\)rZexception_typezInvalid hash key. Hash key=z. Decrypted token=rlrH)jsonZ$litellm.proxy.auth.user_api_key_authr0rrloadsrF)rJrr0rZdecrypted_tokenr^rHrHrLget_key_object_from_ui_hash_keys   z6ExperimentalUIJWTToken.get_key_object_from_ui_hash_keyrG) rR __module__ __qualname__ staticmethodr(rPrrrr0rrHrHrHrLr|s$ 3r|c sz |j|d||dIdHWStyd}zJt|r_d}t|drKt|dd}t|ttfs1d}t|dd }t|ttfs@d }|j d ||d IdH}|r_|j|d||dIdHWYd}~Sd}~ww) zY Fetch key object from DB and retry once if a DB connection error can be healed. Z combined_view)rZ table_namerrdNFattempt_db_reconnectZ"_db_auth_reconnect_timeout_secondsg@Z'_db_auth_reconnect_lock_timeout_secondsg?Z"auth_get_key_object_lookup_failure)reasonZtimeout_secondsZlock_timeout_seconds) get_datarFr2Zis_database_transport_errorryrr[intfloatr)rJrrrdr^Z did_reconnectZauth_reconnect_timeoutZauth_reconnect_lock_timeoutrHrHrL(_fetch_key_object_from_db_with_reconnectsJ    rjwt_claim_namejwt_claim_valuecs2|jjj||dddIdH}|dur|jSdS)z Lookup a JWT-to-virtual-key mapping from the database. Returns the hashed token (str) if a matching active mapping is found, else None. T)rr is_activerN)rZlitellm_jwtkeymappingr7r)rrrmappingrHrHrLget_jwt_key_mapping_objectAs  rc s<|dur td|}|j|dIdH}|dur+t|tr$tdi|St|tr+|S|r5td|dt||||dIdH}|durQtd|tj dt j d tdi|j d d } | j r| jszt| j ||||d IdH| _Wnty} ztd | j d| WYd} ~ nd} ~ wwt|| ||dIdH| S)z - Check if team id in proxy Team Table - if valid, return LiteLLM_TeamTable object with defined limits - if not, then raise an error Nrcrz8Key doesn't exist in cache + check_cache_only=True. key=rO)rJrrrdzvAuthentication Error, Invalid proxy server token passed. key={}, not found in db. Create key via `/key/generate` call.rrTrrZzCFailed to load object_permission for key with object_permission_id=rZ)rJrKrrdrH)rFrr[rr0rr-rr,Ztoken_not_found_in_dbr rr?r[rr^rr\rL) rJrrrrdrbrZcached_key_objZ _valid_tokenrr^rHrHrLget_key_objectXsp       rr[cs|dur tdd|}|j|dIdH}|dur.t|tr'tdi|St|tr.|Sz+|jjjd|idIdH}|durCWdS|j || t dIdHtdi|WStycYdSw) z - Check if object permission id in proxy ObjectPermissionTable - if valid, return LiteLLM_ObjectPermissionTable object - if not, then raise an error Nrczobject_permission_id:{}rr[rrrH) rFrrr[rr rlitellm_objectpermissiontablerrr?r)r[rrrrdrZcached_obj_permissionrrHrHrLr^s6       r^org_idinclude_budget_tablec s|dur tdt|tsdSd|}|rd|}|j|d}|dur9t|tr2tdi|St|tr9|Sz8dd|ii}|rHdd i|d <|jjj di|IdH} | dur[t|j |t | d rg| n| t d IdH| WStytd |dw)a - Check if org id in proxy Org Table - if valid, return LiteLLM_OrganizationTable object - if not, then raise an error Args: org_id: Organization ID to look up prisma_client: Database client user_api_key_cache: Cache for storing results parent_otel_span: Optional OpenTelemetry span proxy_logging_obj: Optional proxy logging object include_budget_table: If True, includes litellm_budget_table in the query Nrcrvzorg_id:{}:with_budgetrrrxrTrr?rz/Organization doesn't exist in db. Organization=z3. Create organization via `/organization/new` call.rH)rFr[rPrrrr"rrwrrryr?r) rrrrrdrrryZ query_kwargsrrHrHrLget_org_objectsH             raccess_group_idsresource_field)access_model_namesaccess_mcp_server_idsaccess_agent_idsc s|sgS|dus |dur+ddlm}ddlm}ddlm}|p"|}|p&|}|p*|}|dur1gSg}|D](} zt| |||dIdH} |t| |gWq5ty]t d| |Yq5wt t |S)a] Fetch access groups by their IDs (from cache or DB) and collect the specified resource field across all of them. Args: access_group_ids: List of access group IDs to fetch resource_field: Which resource list to extract from each access group - "access_model_names": model names (for model access checks) - "access_mcp_server_ids": MCP server IDs (for MCP access checks) - "access_agent_ids": agent IDs (for agent access checks) prisma_client: Optional PrismaClient (lazy-imported from proxy_server if None) user_api_key_cache: Optional DualCache (lazy-imported from proxy_server if None) proxy_logging_obj: Optional ProxyLogging (lazy-imported from proxy_server if None) Returns: Deduplicated list of resource identifiers from all resolved access groups. Nrr)rd)r)rgrrrdz5Could not fetch access group %s for resource field %s) rrrdrrmrrrFrr\rr) rrrrrdZ_prisma_clientZ_proxy_logging_objZ_user_api_key_cache resourcesZag_idagrHrHrL!_get_resources_from_access_groups! s<      rct|d|||dIdHS)z{ Collect model names from unified access groups. Models are matched by model name for backwards compatibility. rrrrrrdNrrrrrdrHrHrL_get_models_from_access_groups`   rcr)z_ Collect MCP server IDs from unified access groups. MCPs are matched by server ID. rrNrrrHrHrL&_get_mcp_server_ids_from_access_groupss rrcr)z[ Collect agent IDs from unified access groups. Agents are matched by agent ID. rrNrrrHrHrL!_get_agent_ids_from_access_groups rrrirc sddlm}|t|r|j||dtdkr-|dur-t|D] \}}|vr,dSq!fdd|D}t||dr>dSt||drFdSd } t|dkrTt|dksXd |vrZd} tj j |vrbd} |durp||vrp| d urpd SdS) Nrr)r]rTcrrHrHrrrHrLr rz._check_model_access_helper..rWrrWallowed_model_listF*) rrrrrhr_model_in_team_aliases+_model_matches_any_wildcard_pattern_in_listr/Zall_proxy_modelsr|) rWrXrirrrrrrZall_model_accessrHrrL_check_model_access_helper s8     rrw object_type)rwrsrrzprojectfallback_depthTc Cs|tkr td|t|tr$|D]}t|||||||ddqdS|g}|tjvr5|tj|n|rH||j vrH| |} | rH|| |D]}t |||||drXdSqJt |d|d|d|t j|d d tjd ) a Checks if token can call a given model Args: - model: str - llm_router: Optional[Router] - models: List[str] - team_model_aliases: Optional[Dict[str, str]] - object_type: Literal["user", "team", "key", "org"]. We use the object type to raise the correct exception type Returns: - True: if token allowed to call model Raises: - Exception: If token not allowed to call model zGUnable to parse model, max fallback depth exceeded - received model: {}r<)rWrXrirrrrT)rWrXrirrz# not allowed to access model. This z can only access models=z. Tried to access )rrWr)rrFrr[r_can_object_call_modelrZmodel_alias_maprZmodel_group_aliasZ_get_model_from_aliasrr-r,Z&get_model_access_error_type_for_objectr r) rWrXrirrrrrZpotential_modelsrarHrHrLr sV      rcCs|r||vrdSdS)a Returns True if `model` being accessed is an alias of a team model - `model=gpt-4o` - `team_model_aliases={"gpt-4o": "gpt-4o-team-1"}` - returns True - `model=gp-4o` - `team_model_aliases={"o-3": "o3-preview"}` - returns False TFrHrrHrHrLr srllm_model_listc snzt|||j|j|jddWSty6|jpg}|r5t|dIdH}|r5t||||j|jddYSw)aM Checks if token can call a given model 1. First checks native key-level model permissions (current implementation) 2. If not allowed natively, falls back to access_group_ids on the key Returns: - True: if token allowed to call model Raises: - Exception: If token not allowed to call model rrWrXrirrrrN)rrirrr-rr)rWrrcrXZkey_access_group_idsmodels_from_groupsrHrHrLcan_key_call_model( s6    r org_objectcCst|||r|jng|ddS)z@ Returns True if the team can access a specific model. rz)rWrXrirrrri)rWrrXrrHrHrLcan_org_access_modelV s  rc szt|||r |jng||r|jndddWStyD|r$|jp#gng}|rCt|dIdH}|rCt|||||r<|jndddYSw)z Returns True if the team can access a specific model. 1. First checks native team-level model permissions (current implementation) 2. If not allowed natively, falls back to access_group_ids on the team Nrsrr)rrirr-rr)rWrrXrZteam_access_group_idsrrHrHrLri s<        rcCs t|||r |jddSgddS)zr Returns True if the project can access a specific model. Raises ProxyException if access is denied. rrWrXrirrrerHrHrLrj s rjcsH|durdStjj|jvrtd|tjdtjdt |||jddS)NTzeUser not allowed to access model. No default model access, only team models allowed. Tried to access rWrrwr) r/Zno_default_modelsr|rir-r,Zkey_model_access_deniedr rrrrHrHrLr s r user_modelcs*t|dddgd||ddIdHdS) z Try to route the fallback model request. Validate if it can't be routed. Help catch invalid fallback models. rwzWho was Alexander?)rcontent)rWmessagesZ acompletion)r5rXrZ route_typeNTr5)rWrXrrHrHrLis_valid_fallback_model s    rc s|jdurD|jdurFd}|dur|j}t|j|j|j|j|j|j|j||j t j d }t |jd|d|j|jkrHtj|j|jddSdSdS)z Raises: BudgetExceededError if the token is over it's max budget. Triggers a budget alert if the token is over it's max budget. N) rrr soft_budgetrrrxr1r event_groupZ token_budgetrQr}r)rrr1rrrrrrrrKEYr8r9 budget_alertsrr)rcrdrr1 call_inforHrHrL_virtual_key_max_budget_check s<   !rc s|jr?|j|jkrAtd|j|j|jt|j|j|j|j|j|j|j |j |r+|j nd|j t jd }t|jd|ddSdSdS)zI Triggers a budget alert if the token is over it's soft budget. z:Crossed Soft Budget for token %s, spend %s, soft_budget %sN rrrrrrrnrxr1rrrr)rrrr\rrrrrrnrr1rrrr8r9r)rcrdrrrHrHrL_virtual_key_soft_budget_check s8  rc s|jdurV|jdurX|jdkrZ|jt}|j|kr\|j|jkr^td|j|j|j|t|j|j|j|j|j|j |j |j |rB|j nd|j tjd }t|jd|ddSdSdSdSdSdS)z Triggers a budget alert if the token has reached EMAIL_BUDGET_ALERT_MAX_SPEND_ALERT_PERCENTAGE (default 80%) of its max budget. This is a warning alert before the token actually exceeds the max budget. Nrz\Reached Max Budget Alert Threshold for token %s, spend %s, max_budget %s, alert_threshold %srZmax_budget_alertr)rrrrr\rrrrrrnrr1rrrr8r9r)rcrdrZalert_thresholdrrHrHrL#_virtual_key_max_budget_alert_check0 sN     rc s|durW|jdurY|dur[|dur]|jdur_t|j|j|||dIdH}|dura|jdurc|jjdure|jj}|jpCheck if team member is over their max budget within the team.N)rrrrrdgzBudget has been exceeded! User=z in Team= Current cost: , Max budget: r)rrrrrrrr) rrrcrrrdZteam_membershipZteam_member_budgetZteam_member_spendrHrHrLrg sB       rc s|durK|jdurM|jdurO|j|jkrQ|r5t|j|j|j|j|j|j|jtj d}t |j d|dt j|j|jd|jd|jd|jddSdSdSdS) z Check if the team is over it's max budget. Raises: BudgetExceededError if the team is over it's max budget. Triggers a budget alert if the team is over it's max budget. NrrrrrrnrxrZ team_budgetrzBudget has been exceeded! Team=rrr)rrrrrrrnrrrr8r9rrr)rrcrdrrHrHrLr s>    rcsH|dur|jdur|jdur|j|jkrtd|j|j|j|rd}|jdurat|jtra|jd}|durat|t rFdd|D}nt|t rUdd| dD}|r_dd|D}nd}|duskt |d krttd |jdSt |j|j|j|j|j|j|j|jd|jtj|d }t|jd |d dSdSdSdSdSdS)zG Triggers a budget alert if the team is over it's soft budget. Nz9Crossed Soft Budget for team %s, spend %s, soft_budget %sZsoft_budget_alerting_emailscSs"g|] }t|tr|r|qSrH)r[rPstriprIemailrHrHrLr sz+_team_soft_budget_check..cSsg|] }|r|qSrH)rrrHrHrLr s ,cSsg|]}|r|qSrHrHrrHrHrLr rrzoSkipping team soft budget alert for team %s: no alert_emails configured in metadata.soft_budget_alerting_emails) rrrrrrrnrxr1rr alert_emailsrr)rrrr\rr~r[rrxrrPsplitrhrrrrrnrrrrr8r9r)rrcrdrZsoft_budget_alert_emailsrrHrHrLr s|      rc s|durdSd}|jdur|jj}|durS|jdurU|j|krW|r?t|j|j||j|j|j|jt j d}t |j d|dtj|j|d|jd|jd|ddSdSdS) z Check if the project is over its max budget. Raises: BudgetExceededError if the project is over its max budget. Triggers a budget alert if the project is over its max budget. NrZproject_budgetrz"Budget has been exceeded! Project=rrr)rrrrrrrrnrrPROJECTr8r9rrrrg)r`rcrdrrrHrHrLrk sD     rkc s|durdSd}|jdur|jj}|durL|jdurN|j|krPtd|j|j||rRt|j|jd||j|j |j |j t j d }t|jd|ddSdSdSdSdS)zy Triggers a budget alert if the project is over its soft budget. Mirrors _team_soft_budget_check() pattern. Nz_model_matches_any_wildcard_pattern_in_list..Tc3rr)r3_model_custom_llm_provider_matches_wildcard_patternrrrHrLrMO rF)rTrrHrrLr: s  rcCsBz t|d\}}}}Wn tyYdSwt|d||dS)z Returns True for this scenario: - `model=gpt-4o` - `allowed_model_pattern=openai/*` or - `model=claude-3-5-sonnet-20240620` - `allowed_model_pattern=anthropic/*` rF/r)rrFr)rWrZcustom_llm_providerrrHrHrLr[ s   rcCsd|vS)zb Returns True if the pattern is a wildcard pattern. Checks if `*` is in the pattern. rrH)rrHrHrLrr srcsddlm}|durtddStjdurtddStjj||ddd}|dur5td dS|durW|jdurW|j j j d |jid IdH}|durWt d ||d |dury|jdury|j j j d |jid IdH}|duryt d||d dS)z Checks if the object (key, team, org) has access to the vector store. Raises ProxyException if the object (key, team, org) cannot access the specific vector store. rrNz;Prisma client not found, skipping vector store access checkTzCVector store registry not found, skipping vector store access checkr)Znon_default_paramsrzAVector store to run not found, skipping vector store access checkr[rr)rvector_store_ids_to_runobject_permissionsrs) rrrr\rZvector_store_registryZget_vector_store_ids_to_runrxr[rrr_can_object_call_vector_stores)rqrrcrrZkey_object_permissionZteam_object_permissionrHrHrLr{ sV     r)rrsrzrrcCsj|durdS|jdur dSt|jdkrdS|D]}||jvr2td|d|jt|dtjdqdS)zg Raises ProxyException if the object (key, team, org) cannot access the specific vector store. NTrz9User not allowed to access vector store. Tried to access z. Only allowed to access Z vector_storer)Z vector_storesrhr-r,Z-get_vector_store_access_error_type_for_objectr r)rrrZvector_store_idrHrHrLr s$   r)FNrG)NN)NNNNN)NNN)NNF)NNrwr)__doc__r8rr"typingrrrrrrrr Zfastapir r r Zpydanticr rZlitellm._loggingrZlitellm.caching.cachingrZlitellm.caching.dual_cacherZlitellm.constantsrrrrrrrZ1litellm.litellm_core_utils.get_llm_provider_logicrrrrrrrrrr r!r"r#r$r%r&r'r(r)r*r+r,r-r.r/r0Zlitellm.proxy.auth.route_checksr1Z"litellm.proxy.db.exception_handlerr2Z-litellm.proxy.guardrails.tool_name_extractionr3r4Zlitellm.proxy.route_llm_requestr6Zlitellm.proxy.utilsr7r8r9Zlitellm.routerr:Z litellm.utilsr;Zauth_checks_organizationr=Z auth_utilsr>Zopentelemetry.tracer?_Spanrr rr|Zmanagement_routesZ all_routesrPrFrVrr_rnrr}rrrrrrrrrrrrrrrrrrrrrrrrrr$r&r)r.r/r;rCrErIrLrQrXrYr_rarfrjrkrmrtr{r|rrrr^rrrrrrrrrrrrjrrrrrrrrrkrlrrrrrrrrrrHrHrHrLs(    $ h          E -     @      Y     "  ; +  X  D % 5           *  l       = # F   I m [l -  R / J A    6 J  2  *    6 * 7 ( + Q 1 4 / W5! E