o ưiRn@sdZddlmZddlmZmZmZddlmZddl m Z ddl m Z ddl mZddlmZdd lmZdd lmZmZmZmZmZmZmZmZmZmZmZmZm Z eZ!e!j"d d gee ged dCdee#fddZ$e!j%dd gee ged ee fdede fddZ&e!j"dd gee ged de#fddZ'e!j%dd gee ged ee fde#dede fddZ(e!j)dd gee ged ee fde#de de fdd Z*e!j"d!d gee ged d"e#d#e#fd$d%Z+e!j,d&d gee gd'de#fd(d)Z-e!j"d*d gee ged de#fd+d,Z.e!j)d*d gee ged ee fde#dede fd-d.Z/e!j,d*d gee gd'de#fd/d0Z0e!j"d1d gee gd'de#fd2d3Z1e!j%d4d gee gd'ee fdede fd5d6Z2e!j"d7d gee ged d8d9Z3e!j%d:d gee ged ee fdede fd;d<Z4e!j"d=d gee ged d>e#fd?d@Z5e!j,d=d gee gd'd>e#fdAdBZ6dS)Dzh CRUD ENDPOINTS FOR POLICIES Provides REST API endpoints for managing policies and policy attachments. )Optional) APIRouterDepends HTTPException)verbose_proxy_logger)UserAPIKeyAuth)user_api_key_auth)get_attachment_registry)PipelineExecutor)get_policy_registry) GuardrailPipelinePipelineTestRequestPolicyAttachmentCreateRequestPolicyAttachmentDBResponsePolicyAttachmentListResponsePolicyCreateRequestPolicyDBResponsePolicyListDBResponsePolicyUpdateRequestPolicyVersionCompareResponsePolicyVersionCreateRequestPolicyVersionListResponse PolicyVersionStatusUpdateRequestz/policies/listZPolicies)tags dependenciesZresponse_modelNversion_statusc sddlm}|durtdddztj||dIdH}t|t|dWStyA}zt d |tdt |dd}~ww) a List all policies from the database. Optionally filter by version_status. Query params: - version_status: Optional. One of "draft", "published", "production". If omitted, all versions are returned. Example Request: ```bash curl -X GET "http://localhost:4000/policies/list" \ -H "Authorization: Bearer " curl -X GET "http://localhost:4000/policies/list?version_status=production" \ -H "Authorization: Bearer " ``` Example Response: ```json { "policies": [ { "policy_id": "123e4567-e89b-12d3-a456-426614174000", "policy_name": "global-baseline", "version_number": 1, "version_status": "production", "inherit": null, "description": "Base guardrails for all requests", "guardrails_add": ["pii_masking"], "guardrails_remove": [], "condition": null, "created_at": "2024-01-01T00:00:00Z", "updated_at": "2024-01-01T00:00:00Z" } ], "total_count": 1 } ``` r prisma_clientNDatabase not connected status_codedetailr)policies total_countzError listing policies: ) litellm.proxy.proxy_serverrrr get_all_policies_from_dbrlen Exceptionr exceptionstr)rrr$er-c/home/app/Keep/.python/lib/python3.10/site-packages/litellm/proxy/policy_engine/policy_endpoints.py list_policies"s ,  r/z /policiesrequestuser_api_key_dictc sddlm}|durtdddz|j}tj|||dIdH}|WStyR}z#td|d t | vrFtd d |j d dtdt |dd}~ww) a Create a new policy. Example Request: ```bash curl -X POST "http://localhost:4000/policies" \ -H "Authorization: Bearer " \ -H "Content-Type: application/json" \ -d '{ "policy_name": "global-baseline", "description": "Base guardrails for all requests", "guardrails_add": ["pii_masking", "prompt_injection"], "guardrails_remove": [] }' ``` Example Response: ```json { "policy_id": "123e4567-e89b-12d3-a456-426614174000", "policy_name": "global-baseline", "inherit": null, "description": "Base guardrails for all requests", "guardrails_add": ["pii_masking", "prompt_injection"], "guardrails_remove": [], "condition": null, "created_at": "2024-01-01T00:00:00Z", "updated_at": "2024-01-01T00:00:00Z" } ``` rrNrrr )policy_requestr created_byzError creating policy: zunique constraintzPolicy with name 'z' already exists) r&rruser_idr Zadd_policy_to_dbr)rr*r+lower policy_name)r0r1rr3resultr,r-r-r. create_policy]s, )   r9z%/policies/name/{policy_name}/versionsr7c tddlm}|durtdddz tj||dIdHWSty9}ztd|tdt|dd}~ww) zV List all versions of a policy by name, ordered by version_number descending. rrNrrr r7rzError listing policy versions: ) r&rrr Zget_versions_by_policy_namer)rr*r+r7rr,r-r-r.list_policy_versionss  r=c sddlm}|durtdddz|j}tj|||j|dIdHWStyW}z(t d|d t | vsCd t | vrKtd t |dtdt |dd}~ww) z Create a new draft version of a policy. Copies all fields from the source. Source is current production if source_policy_id is not provided. rrNrrr )r7rsource_policy_idr3zError creating policy version: not foundz no production) r&rrr5r Zcreate_new_versionr>r)rr*r+r6)r7r0r1rr3r,r-r-r.create_policy_versions&   rAz/policies/{policy_id}/status policy_idc sddlm}|durtdddz|j}tj||j||dIdHWSty+tyv}z@t d|d t | vsRd t | vsRd t | vrZtd t |dd t | vrjtdt |dtdt |dd}~ww)z Update a policy version's status. Valid transitions: - draft -> published - published -> production (demotes current production to published) - production -> published (demotes, policy becomes inactive) rrNrrr )rBZ new_statusr updated_byzError updating version status: zinvalid statusz only draftzcannot promoter4r?r@) r&rrr5r Zupdate_version_statusrr)rr*r+r6)rBr0r1rrCr,r-r-r.update_policy_version_statuss.   0rDz/policies/compare version_a version_bc sddlm}|durtdddz tj|||dIdHWStyJ}z td|d t| vr>td t|dtdt|dd}~ww) z_ Compare two policy versions. Query params: version_a, version_b (policy version IDs). rrNrrr )Z policy_id_aZ policy_id_brzError comparing versions: r?r@) r&rrr Zcompare_versionsr)rr*r+r6)rErFrr,r-r-r.compare_policy_versionss"  rGz)/policies/name/{policy_name}/all-versions)rrc r:) zP Delete all versions of a policy. Also removes from in-memory registry. rrNrrr r;zError deleting all versions: ) r&rrr Zdelete_all_versionsr)rr*r+r<r-r-r.delete_all_policy_versions&s  rHz/policies/{policy_id}c ddlm}|durtdddztj||dIdH}|dur+tdd |d d|WSty5tyP}ztd |tdt|dd}~ww) z Get a policy by ID. Example Request: ```bash curl -X GET "http://localhost:4000/policies/123e4567-e89b-12d3-a456-426614174000" \ -H "Authorization: Bearer " ``` rrNrrr rBrr@Policy with ID not foundzError getting policy: ) r&rrr get_policy_by_id_from_dbr)rr*r+)rBrr8r,r-r-r. get_policyCs*     rNc sddlm}|durtdddz:tj||dIdH}|dur+tdd |d dt|d d d kr9tddd|j}tj||||dIdH}|WStyStyn}zt d|tdt |dd}~ww)a Update an existing policy. Example Request: ```bash curl -X PUT "http://localhost:4000/policies/123e4567-e89b-12d3-a456-426614174000" \ -H "Authorization: Bearer " \ -H "Content-Type: application/json" \ -d '{ "description": "Updated description", "guardrails_add": ["pii_masking", "toxicity_filter"] }' ``` rrNrrr rJr@rKrLr productionZdraftr4zcOnly draft versions can be updated. Publish or create a new version to change published/production.)rBr2rrCzError updating policy: ) r&rrr rMgetattrr5Zupdate_policy_in_dbr)rr*r+)rBr0r1rexistingrCr8r,r-r-r. update_policyisB      rRc ddlm}|durtdddz'tj||dIdH}|dur+tdd |d dtj||dIdH}|WSty@ty[}ztd |tdt |dd}~ww) a^ Delete a policy. Example Request: ```bash curl -X DELETE "http://localhost:4000/policies/123e4567-e89b-12d3-a456-426614174000" \ -H "Authorization: Bearer " ``` Example Response: ```json { "message": "Policy 123e4567-e89b-12d3-a456-426614174000 deleted successfully" } ``` rrNrrr rJr@rKrLzError deleting policy: ) r&rrr rMZdelete_policy_from_dbr)rr*r+)rBrrQr8r,r-r-r. delete_policys2      rTz)/policies/{policy_id}/resolved-guardrailsc sddlm}|durtdddz.tj||dIdH}|dur+tdd |d dtj|j|d IdH}|j|j|d WStyGtyZ}ztd t |dd}~wt yu}zt d|tdt |dd}~ww)a Get the resolved guardrails for a policy (including inherited guardrails). This endpoint resolves the full inheritance chain and returns the final set of guardrails that would be applied for this policy. Example Request: ```bash curl -X GET "http://localhost:4000/policies/123e4567-e89b-12d3-a456-426614174000/resolved-guardrails" \ -H "Authorization: Bearer " ``` Example Response: ```json { "policy_id": "123e4567-e89b-12d3-a456-426614174000", "policy_name": "healthcare-compliance", "resolved_guardrails": ["pii_masking", "prompt_injection", "toxicity_filter"] } ``` rrNrrr rJr@rKrLr;)rBr7Zresolved_guardrailsr4zError resolving guardrails: ) r&rrr rMZresolve_guardrails_from_dbr7rB ValueErrorr+r)rr*)rBrpolicyresolvedr,r-r-r.get_resolved_guardrailss>      rXz/policies/test-pipelinec sz td i|j}Wnty }z tdd|dd}~ww|jdid}ztj|j|j||ddd IdH}| WStyY}zt d |td t |dd}~ww) a Test a guardrail pipeline with sample messages. Executes the pipeline steps against the provided test messages and returns step-by-step results showing which guardrails passed/failed, actions taken, and timing information. Example Request: ```bash curl -X POST "http://localhost:4000/policies/test-pipeline" \ -H "Authorization: Bearer " \ -H "Content-Type: application/json" \ -d '{ "pipeline": { "mode": "pre_call", "steps": [ {"guardrail": "pii-guard", "on_pass": "next", "on_fail": "block"} ] }, "test_messages": [{"role": "user", "content": "My SSN is 123-45-6789"}] }' ``` r4zInvalid pipeline: r Ntest)messagesmodelmetadata completionz test-pipeline)stepsmodedatar1Z call_typer7zError testing pipeline: rr-) r Zpipeliner)rZ test_messagesr Z execute_stepsr^r_Z model_dumprr*r+)r0r1Zvalidated_pipeliner,r`r8r-r-r. test_pipelines4  raz/policies/attachments/listc sddlm}|durtdddzt|IdH}t|t|dWSty?}zt d|tdt |dd}~ww) a List all policy attachments from the database. Example Request: ```bash curl -X GET "http://localhost:4000/policies/attachments/list" \ -H "Authorization: Bearer " ``` Example Response: ```json { "attachments": [ { "attachment_id": "123e4567-e89b-12d3-a456-426614174000", "policy_name": "global-baseline", "scope": "*", "teams": [], "keys": [], "models": [], "created_at": "2024-01-01T00:00:00Z", "updated_at": "2024-01-01T00:00:00Z" } ], "total_count": 1 } ``` rrNrrr ) attachmentsr%z"Error listing policy attachments: ) r&rrr Zget_all_attachments_from_dbrr(r)rr*r+)rrbr,r-r-r.list_policy_attachments\s  #  rcz/policies/attachmentsc sddlm}|durtdddz4tj|ddIdH}d d |D}|j|vr4td d |jd d|j}tj|||dIdH}|WStyMt yh}zt d|tdt |dd}~ww)a Create a new policy attachment. Example Request: ```bash curl -X POST "http://localhost:4000/policies/attachments" \ -H "Authorization: Bearer " \ -H "Content-Type: application/json" \ -d '{ "policy_name": "global-baseline", "scope": "*" }' ``` Example with team-specific attachment: ```bash curl -X POST "http://localhost:4000/policies/attachments" \ -H "Authorization: Bearer " \ -H "Content-Type: application/json" \ -d '{ "policy_name": "healthcare-compliance", "teams": ["healthcare-team", "medical-research"] }' ``` Example Response: ```json { "attachment_id": "123e4567-e89b-12d3-a456-426614174000", "policy_name": "global-baseline", "scope": "*", "teams": [], "keys": [], "models": [], "created_at": "2024-01-01T00:00:00Z", "updated_at": "2024-01-01T00:00:00Z" } ``` rrNrrr rOr#cSsh|]}|jqSr-)r7).0pr-r-r. sz+create_policy_attachment..r@zPolicy 'z%' not found. Create the policy first.)Zattachment_requestrr3z"Error creating policy attachment: ) r&rrr r'r7r5r Zadd_attachment_to_dbr)rr*r+)r0r1rr$Z policy_namesr3r8r,r-r-r.create_policy_attachments8 1      rgz%/policies/attachments/{attachment_id} attachment_idc rI) z Get a policy attachment by ID. Example Request: ```bash curl -X GET "http://localhost:4000/policies/attachments/123e4567-e89b-12d3-a456-426614174000" \ -H "Authorization: Bearer " ``` rrNrrr rhrr@Attachment with ID rLz!Error getting policy attachment: ) r&rrr get_attachment_by_id_from_dbr)rr*r+)rhrr8r,r-r-r.get_policy_attachments,     rlc rS) ay Delete a policy attachment. Example Request: ```bash curl -X DELETE "http://localhost:4000/policies/attachments/123e4567-e89b-12d3-a456-426614174000" \ -H "Authorization: Bearer " ``` Example Response: ```json { "message": "Attachment 123e4567-e89b-12d3-a456-426614174000 deleted successfully" } ``` rrNrrr rir@rjrLz"Error deleting policy attachment: ) r&rrr rkZdelete_attachment_from_dbr)rr*r+)rhrrQr8r,r-r-r.delete_policy_attachments4      rm)N)7__doc__typingrZfastapirrrZlitellm._loggingrZlitellm.proxy._typesrZ$litellm.proxy.auth.user_api_key_authrZ/litellm.proxy.policy_engine.attachment_registryr Z-litellm.proxy.policy_engine.pipeline_executorr Z+litellm.proxy.policy_engine.policy_registryr Z!litellm.types.proxy.policy_enginer r rrrrrrrrrrrZroutergetr+r/postr9r=rAputrDrGdeleterHrNrRrTrXrarcrgrlrmr-r-r-r.s<       <5 ?    #    7.? : . J!