fix(guardrails): read CrowdStrike AIDR identity from both metadata bags

[yuneng-berri]

Relevant issues

Follow-up to #29517, which added user and model metadata capture to the CrowdStrike AIDR guardrail. That change resolved the metadata from a single bag with request_data.get("litellm_metadata", request_data.get("metadata")). Because dict.get returns the stored value when the key is present, a present litellm_metadata (an explicit null, or a caller-supplied dict used for tracing) shadows metadata, which is where /chat/completions actually places the authenticated identity. The result is that user_id and extra_info.user_name were silently dropped from the outbound guard payload for any request that carried a litellm_metadata field. The common case (no litellm_metadata in the body) still worked, so the original tests passed

Linear ticket

N/A

Pre-Submission checklist

• I have added meaningful tests
• My PR passes all unit tests on make test-unit
• My PR's scope is as isolated as possible; it only solves 1 specific problem
• I have requested a Greptile review by commenting @greptileai and received a Confidence Score of at least 4/5 before requesting a maintainer review

Screenshots / Proof of Fix

Verified end to end against a live proxy. The chat completion hits real Anthropic; a local HTTP server stands in for the CrowdStrike AIDR endpoint (we have no CrowdStrike account) and records the exact JSON the proxy sends, which is the only thing this change affects. A virtual key is bound to a user that has an email so user_api_key_user_id and user_api_key_user_email are populated.

Three request shapes, run once before the fix and once after:

KEY=...   # key bound to a user with email alice@example.com
for BODY in \
  '{"model":"e2e-haiku","messages":[{"role":"user","content":"hello"}]}' \
  '{"model":"e2e-haiku","messages":[{"role":"user","content":"hello"}],"litellm_metadata":null}' \
  '{"model":"e2e-haiku","messages":[{"role":"user","content":"hello"}],"litellm_metadata":{"trace_id":"t1"}}'; do
  curl -s http://localhost:4001/v1/chat/completions \
    -H "Authorization: Bearer $KEY" -H "Content-Type: application/json" -d "$BODY" -o /dev/null
done
# then read the request-side payloads the proxy POSTed to the CrowdStrike endpoint

What the proxy sent to CrowdStrike (request-side guard call), before the fix:

no litellm_metadata        -> user_id=cs-e2e-user  extra_info={"user_name":"alice@example.com"}
litellm_metadata: null     -> user_id=null         extra_info absent        # identity dropped
litellm_metadata: {trace}  -> user_id=null         extra_info={}            # identity dropped

After the fix:

no litellm_metadata        -> user_id=cs-e2e-user  extra_info={"user_name":"alice@example.com"}
litellm_metadata: null     -> user_id=cs-e2e-user  extra_info={"user_name":"alice@example.com"}
litellm_metadata: {trace}  -> user_id=cs-e2e-user  extra_info={"user_name":"alice@example.com"}

Unit tests on the touched file:

$ poetry run pytest -q tests/test_litellm/proxy/guardrails/guardrail_hooks/test_crowdstrike_aidr.py
17 passed

The new parametrized test test_apply_guardrail_reads_identity_from_either_metadata_bag fails on the pre-fix code (KeyError on user_id) for the null, user-dict, and non-mapping litellm_metadata cases, and passes after

Type

🐛 Bug Fix

Changes

The guardrail now reads identity from both metadata bags instead of choosing one by presence. It merges metadata and litellm_metadata (each only when it is a Mapping) and reads user_api_key_user_id and user_api_key_user_email from the merged view, so the identity is found regardless of which bag the proxy wrote it to. This is safe against caller forgery because the proxy strips every user_api_key_* key from caller-supplied metadata before guardrails run and writes the authenticated values into exactly one bag, so there is no collision and no way for a caller to inject an identity. Behavior is unchanged when neither bag is present (no user_id, model, or extra_info added) and when only one bag carries the identity

[greptile-apps]

Greptile Summary

This PR fixes a silent identity-drop bug in the CrowdStrike AIDR guardrail where user_id and extra_info.user_name were not sent to the guard endpoint whenever the caller included a litellm_metadata key in the request body (even as null), because dict.get("litellm_metadata", fallback) returns the stored None rather than the fallback.

• The fix replaces the single dict.get with a loop that iterates both metadata and litellm_metadata bags, merging each into a fresh dict only when it is a Mapping, then reads identity from the merged view.
• A new parametrized test covers the four problematic shapes (null, trace dict, non-mapping, and identity-in-litellm_metadata) and is verified to fail on the pre-fix code.

Confidence Score: 5/5

Safe to merge; the change is a minimal, targeted fix to a single helper that builds a guard payload, and the proxy's pre-call stripping of user_api_key_* keys from both bags ensures no forged identity can surface through the merge.

The fix is straightforward and self-contained. The proxy already strips user_api_key_* from caller-supplied metadata before guardrails run (litellm_pre_call_utils.py lines 1516–1531), so the new merge-then-read pattern cannot be exploited to forge an identity. The merge order (metadata first, litellm_metadata second) is correct for both the /chat/completions path (identity in metadata) and the assistant/thread path (identity in litellm_metadata). The new parametrized test is well-constructed and directly targets the regression.

No files require special attention.

Important Files Changed

Filename	Overview
litellm/proxy/guardrails/guardrail_hooks/crowdstrike_aidr/crowdstrike_aidr.py	Replaces single-bag identity resolution with a two-bag merge loop; the merge is safe because litellm_pre_call_utils already strips user_api_key_* keys from both bags before guardrails run.
tests/test_litellm/proxy/guardrails/guardrail_hooks/test_crowdstrike_aidr.py	Adds a parametrized test covering four metadata-bag combinations (litellm_metadata null, user dict, non-mapping, and identity-in-litellm_metadata); no existing tests modified, mocks remain unchanged.

_{Reviews (1): Last reviewed commit: "fix(guardrails): read CrowdStrike AIDR i..." | Re-trigger Greptile}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!