
fix(proxy): point /metrics 401 at the opt-out flag #27505

Merged: yuneng-berri merged 1 commit into litellm_1.84.0rc2 from cherry-pick-metrics-optout-hint-rc2 on May 9, 2026

Conversation

@yuneng-berri

Collaborator

Summary

Cherry-pick of #27502 onto litellm_1.84.0rc2. rc2 already ships require_auth_for_metrics_endpoint=True (via the staging→main promote in #27245), so operators upgrading to this rc with existing Prometheus scrapers hit 401 "Malformed API Key passed in. Ensure Key has 'Bearer ' prefix." with no migration hint.

This change appends the opt-out discovery hint to the existing 401 body in prometheus_auth_middleware.py — auth still runs, still rejects bad/missing credentials, the legacy opt-out flag still bypasses cleanly. Just makes the response operators actually see point at the YAML they need.

Post-fix body:

"Unauthorized access to metrics endpoint: <inner error>. To allow unauthenticated access, set 'litellm_settings.require_auth_for_metrics_endpoint: false' in your proxy_config.yaml."

Test plan

  • Cherry-pick applied cleanly with no conflicts on origin/litellm_1.84.0rc2
  • uv run pytest tests/test_litellm/proxy/middleware/test_prometheus_auth_middleware.py tests/test_litellm/proxy/middleware/test_prometheus_auth_middleware_asgi.py -v against rc2 worktree — 11 passed (including new test_invalid_auth_metrics_includes_optout_hint)
  • Identical diff to #27502 (24 insertions, 1 deletion across the same 2 files)

Operators upgrading past 35bbca6 (which made /metrics auth default-on) see "Malformed API Key passed in. Ensure Key has 'Bearer ' prefix." with no hint that litellm_settings.require_auth_for_metrics_endpoint: false restores the previous unauthenticated behavior. Append that discovery hint to the existing 401 body so a Prometheus scraper that breaks after upgrade has a clear migration path. No behavior change.
@yuneng-berri yuneng-berri merged commit 7e0347c into litellm_1.84.0rc2 May 9, 2026
30 of 31 checks passed
@yuneng-berri yuneng-berri deleted the cherry-pick-metrics-optout-hint-rc2 branch May 9, 2026 01:44
@greptile-apps

greptile-apps Bot commented May 9, 2026

Contributor

Greptile Summary

This cherry-pick onto litellm_1.84.0rc2 improves the 401 error body returned by PrometheusAuthMiddleware when /metrics auth fails, appending a hint pointing operators to litellm_settings.require_auth_for_metrics_endpoint: false. Auth enforcement is unchanged — only the error message is extended.

  • prometheus_auth_middleware.py: The except branch now appends the opt-out flag name and config file path to the existing error string, giving operators an actionable migration path instead of a bare "Malformed API Key" message.
  • test_prometheus_auth_middleware.py: Adds test_invalid_auth_metrics_includes_optout_hint to assert the 401 body contains the flag name and the value false; all existing tests remain intact and unmodified.

Confidence Score: 5/5

Safe to merge — the change only extends the 401 error message string; no auth logic, routing, or middleware control flow is altered.

The diff is minimal (one f-string extended, one new test added). Auth still runs and rejects invalid credentials identically; the only observable difference is operators now see the opt-out flag in the 401 body. Existing tests are untouched and the new test verifies the hint is present.

The new test assertion in test_prometheus_auth_middleware.py uses "false" in response.text which is slightly broader than necessary, but poses no correctness risk.

Important Files Changed

Filename | Overview
litellm/proxy/middleware/prometheus_auth_middleware.py | Appends an opt-out discovery hint to the 401 error body; auth logic is unchanged.
tests/test_litellm/proxy/middleware/test_prometheus_auth_middleware.py | Adds test_invalid_auth_metrics_includes_optout_hint; the "false" in response.text assertion is slightly weaker than checking the full require_auth_for_metrics_endpoint: false substring.

Reviews (1): Last reviewed commit: "fix(proxy): point /metrics 401 at the op..."

Comment on lines +140 to +141
assert "require_auth_for_metrics_endpoint" in response.text
assert "false" in response.text


P2 The assert "false" in response.text assertion is overly broad — it would also pass if the inner error message or any other part of the JSON body happened to contain the word "false". Checking for the full key-value substring is more precise and will catch regressions if the hint wording changes.

Suggested change
- assert "require_auth_for_metrics_endpoint" in response.text
- assert "false" in response.text
+ assert "require_auth_for_metrics_endpoint" in response.text
+ assert "require_auth_for_metrics_endpoint: false" in response.text
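As an added illustration of the behaviour the PR summary describes (auth on /metrics runs unless the legacy opt-out flag is set; a failed check returns a 401 whose body carries the opt-out hint) and of the assertion point raised in the review comment above, the following is a simplified stand-in written for this page. It is not LiteLLM's PrometheusAuthMiddleware or its test file: the key check, the token value, the header handling and the regression body are constructed for the example, and only the 401 wording follows the text quoted in the PR.

```python
"""Simplified stand-in (constructed for this page, not LiteLLM's middleware)
for the /metrics auth gate the PR describes: the check runs unless the
legacy opt-out flag is set, and a failed check yields a 401 whose body
carries the opt-out hint quoted in the PR."""
import json

# Hint text as quoted in the PR description.
OPT_OUT_HINT = (
    " To allow unauthenticated access, set "
    "'litellm_settings.require_auth_for_metrics_endpoint: false' "
    "in your proxy_config.yaml."
)

# Constructed stand-in for the proxy's key validation (hypothetical token,
# not a real key). The missing-prefix message mirrors the one quoted in the PR.
VALID_TOKEN = "sk-example-only"


def check_api_key(authorization):
    """Raise PermissionError on a missing, malformed or unknown key."""
    if not authorization or not authorization.startswith("Bearer "):
        raise PermissionError(
            "Malformed API Key passed in. Ensure Key has 'Bearer ' prefix."
        )
    if authorization[len("Bearer "):] != VALID_TOKEN:
        raise PermissionError("Invalid API Key")


def metrics_gate(path, headers, require_auth_for_metrics_endpoint=True):
    """Model of the middleware decision: returns (status_code, body_dict).

    Only /metrics is gated; every other path passes through untouched.
    """
    if path != "/metrics":
        return 200, {"detail": "passthrough"}
    if not require_auth_for_metrics_endpoint:
        # Legacy opt-out: bypass the check entirely, as before the default flip.
        return 200, {"detail": "metrics served without auth (opt-out flag set)"}
    try:
        check_api_key(headers.get("authorization"))
    except PermissionError as exc:
        # Auth still rejects; only the body gains the discovery hint.
        return 401, {
            "error": f"Unauthorized access to metrics endpoint: {exc}{OPT_OUT_HINT}"
        }
    return 200, {"detail": "metrics served (authenticated)"}


def hint_present_broad(body_text):
    """The two-substring check from the PR's test as merged."""
    return "require_auth_for_metrics_endpoint" in body_text and "false" in body_text


def hint_present_precise(body_text):
    """The single key-value substring check suggested in review."""
    return "require_auth_for_metrics_endpoint: false" in body_text


# Constructed regression body: the hint names the wrong value ("true") while
# an unrelated part of the message happens to contain "false". The broad
# check still passes on it; the precise one does not.
REGRESSION_BODY = json.dumps({
    "error": "Unauthorized access to metrics endpoint: key_valid=false. "
             "Set require_auth_for_metrics_endpoint: true to keep auth on."
})


if __name__ == "__main__":
    status, body = metrics_gate("/metrics", {})
    print(status, json.dumps(body))
    print("broad check on regression body:", hint_present_broad(REGRESSION_BODY))
    print("precise check on regression body:", hint_present_precise(REGRESSION_BODY))
```

Running the block shows the 401 body a scraper without credentials would receive, then the two checks applied to the constructed regression body: the broad pair of substring tests still passes on a body whose hint is wrong, which is the point the review makes for preferring the single key-value substring.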

@codecov

codecov Bot commented May 9, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.


