fix(spend-logs): redact echoed prompts in error_information

[yassin-berriai]

Provider validation errors (e.g. OpenAI RateLimitError carrying 178 pydantic errors each with their own 'input': [...]) were stored verbatim in LiteLLM_SpendLogs.metadata.error_information.error_message via str(original_exception), producing rows >12 MB.

Sanitize before metadata is serialized:

• redact 'input'/'messages' values in error_message when store_prompts_in_spend_logs is False (back-door leak path)
• always apply the MAX_STRING_LENGTH_PROMPT_IN_DB size cap to error_message and traceback (DB-storage safeguard)

Scoped to the spend-log path so OTEL/Datadog/etc. callbacks still receive the untruncated error per LITELLM_TRUNCATION_DB_SAFEGUARD_NOTE.

Relevant issues

Linear ticket

Resolves LIT-2992

Pre-Submission checklist

Please complete all items before asking a LiteLLM maintainer to review your PR

• I have Added testing in the tests/test_litellm/ directory, Adding at least 1 test is a hard requirement - see details
• My PR passes all unit tests on make test-unit
• My PR's scope is as isolated as possible, it only solves 1 specific problem
• I have requested a Greptile review by commenting @greptileai and received a Confidence Score of at least 4/5 before requesting a maintainer review

Delays in PR merge?

If you're seeing a delay in your PR being merged, ping the LiteLLM Team on Slack (#pr-review).

CI (LiteLLM team)

CI status guideline:

• 50-55 passing tests: main is stable with minor issues.
• 45-49 passing tests: acceptable but needs attention
• <= 40 passing tests: unstable; be careful with your merges and assess the risk.

• Branch creation CI run
  Link:

• CI run for the last commit
  Link:

• Merge / cherry-pick CI run
  Links:

Screenshots / Proof of Fix

Type

🆕 New Feature
🐛 Bug Fix
🧹 Refactoring
📖 Documentation
🚄 Infrastructure
✅ Test

Changes

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[codecov]

Codecov Report

❌ Patch coverage is 94.82759% with 9 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
litellm/proxy/hooks/proxy_track_cost_callback.py	94.44%	5 Missing ⚠️
...tellm/proxy/spend_tracking/spend_tracking_utils.py	95.23%	4 Missing ⚠️

📢 Thoughts on this report? Let us know!

[veria-ai]

Spend-log error sanitization added

This PR sanitizes error_information before failed request metadata is written to spend logs, applying prompt redaction when prompt storage is disabled and capping large error fields before DB storage. I checked the failure hook call path, the prompt-storage gate, truncation behavior, and the new parser-based redaction logic for attacker-controlled error strings.

---

Status: 0 open
Risk: 2/10

[greptile-apps]

Greptile Summary

This PR fixes a privacy/size regression where provider validation errors (notably OpenAI pydantic errors carrying 'input': [...] per validation entry) were stored verbatim in LiteLLM_SpendLogs.metadata.error_information, producing rows of 12 MB or more and leaking request prompts when store_prompts_in_spend_logs is False.

• Introduces _redact_prompt_leaks_in_error_string, a parser-based scanner using _scan_balanced_value_end to correctly handle nested []/{} and quoted strings, replacing 'input'/'messages' values with the LiteLLM redaction marker.
• Adds _sanitize_error_information_for_spend_logs, which applies prompt-leak redaction to both error_message and traceback (when opt-out is active) and always enforces the MAX_STRING_LENGTH_PROMPT_IN_DB cap via the existing _sanitize_request_body_for_spend_logs_payload helper.
• The sanitization is scoped to the spend-log DB write path; OTEL/Datadog callbacks continue to receive the full untruncated error.

Confidence Score: 5/5

Safe to merge — the change is tightly scoped to the spend-log write path, addresses both issues raised in the previous review threads, and is backed by comprehensive unit tests.

The balanced-bracket parser correctly handles nested multimodal payloads and escaped quotes; redaction now covers both error_message and traceback; the DB-size cap always fires regardless of the prompt-storage flag; and the sanitization function is only invoked after the existing traceback-suppression step in proxy_track_cost_callback.py, keeping the ordering correct. No logic gaps or missed edge cases were found.

No files require special attention.

Important Files Changed

Filename	Overview
litellm/proxy/spend_tracking/spend_tracking_utils.py	Adds _scan_balanced_value_end, _redact_prompt_leaks_in_error_string, and _sanitize_error_information_for_spend_logs; the balanced-bracket parser correctly handles nested multimodal content and escaped quotes; redaction covers both error_message and traceback; DB-size cap is always applied.
litellm/proxy/hooks/proxy_track_cost_callback.py	Calls _sanitize_error_information_for_spend_logs after the existing traceback-suppression step and before the metadata is persisted; ordering is correct.
tests/test_litellm/proxy/spend_tracking/test_spend_tracking_utils.py	Adds 14 new unit tests covering Python repr, JSON, nested multimodal content, escaped quotes, unterminated values, the LIT-2992 reproduction scenario, and the opt-in/opt-out flag; all tests use mocks and make no real network calls per repo policy.

_{Reviews (2): Last reviewed commit: "fix(spend-logs): redact echoed prompts i..." | Re-trigger Greptile}

[yassin-berriai]

@greptileai

[krrish-berri-2]

@yassin-berriai — heads up that the required LiteLLM Linting / lint and Code Quality Checks / code-quality checks are failing on this PR. Since this PR modifies litellm/proxy/spend_tracking/spend_tracking_utils.py and litellm/proxy/hooks/proxy_track_cost_callback.py, the lint/code-quality failures look related to your changes. Could you take a look and get those green before this gets reviewed? Thanks!

(There are also a few ci/circleci: *_testing failures on unrelated test buckets — those look pre-existing/flaky to me, but worth a glance.)

(Posted automatically by the daily-top-10-prs scheduled task.)

[ryan-crabbe-berri]

lgtm