chore(release): backport #30064, #29991, #30009 to stable/1.85.x

[mateo-berri]

Relevant issues

Backports three changes to stable/1.85.x.

First, #30064 (Claude Fable 5 across Anthropic, Bedrock, Vertex AI, and Azure AI), cherry-picked from the squashed commit on litellm_internal_staging (e15b37a18e). Part of the Fable 5 backport set: v1.89.0-rc.2 (#30143), stable/1.88.x (#30144), stable/1.87.x (#30146), stable/1.86.x (#30148), and this line.

Second, the CrowdStrike AIDR identity capture plus its fix #29991, mirroring the stable/1.84.x backport #29994 that shipped in v1.84.6. Without these two commits, anyone upgrading from 1.84.6 to a 1.85.x release silently loses the user identity the guardrail sends to CrowdStrike; upgrades should never drop a working capability.

Third, #30009, which authorizes batch files using the upload target_model_names instead of reverse-mapping body.model, fixing false 403s when multiple deployments share the same stripped provider model name.

No version bump, per the release process.

What is included

In merge order on this branch:

• 9f45b538d8 Add Claude Fable 5 across Anthropic, Bedrock, Vertex AI, and Azure AI #30064 Claude Fable 5: all 8 model-map entries (Anthropic, Bedrock converse + global/us/eu profiles, Vertex AI + @default, Azure AI), BEDROCK_CONVERSE_MODELS registration, setup wizard entry, sampling-params gating (supports_sampling_params: false with drop_params support and clean UnsupportedParamsError), the top_k=0 truthiness fix, and the unit tests
• 79d96b740f feat(guardrails): capture user and model metadata in CrowdStrike AIDR; cherry-picked from stable/1.84.x 6fc715c5bd (bump: version 1.84.6 (backport CrowdStrike AIDR metadata capture + identity fix) #29994) because its staging counterpart lives inside the aggregator commit 32c88ca74f (Litellm oss staging 080626 #29932); content verified identical to the aggregator's crowdstrike hunks except the from collections.abc import Mapping import, which staging already had via fix(guardrails): improve CrowdStrike AIDR input handling #26658 and this line did not
• 1ef0ef45ec fix(guardrails): read CrowdStrike AIDR identity from both metadata bags; cherry-picked from staging 1bbaf1c39d (fix(guardrails): read CrowdStrike AIDR identity from both metadata bags #29991)
• 38bfd32bff fix(proxy): authorize batch files using upload target_model_names; cherry-picked from staging 2cd7e87485 (fix(proxy): authorize batch files using upload target_model_names (LIT-3593) #30009)

Conflict resolutions / branch adaptations

#30064 (unchanged from the original revision of this PR). Same shape as 1.87.x/1.86.x (#30146/#30148), with one difference: the reasoning-effort e2e grid does not exist on this line, so the two grid files from #30064 are not backported (11 files here vs 13 upstream). Model map JSONs applied entry-level; 8 Fable entries inserted verbatim from upstream (validated byte-identical), supports_sampling_params: false added to the 4.7-family entries that exist here (18 flagged total). Staging-only Opus 4.8 / jp.* entries not imported. constants.py / setup_wizard.py: Fable 5 lines only. common_utils.py resolved to upstream's final helper block. test_anthropic_chat_transformation.py: kept this branch's tail, appended exactly #30064's 137-line sampling/top_k test block.

#29991. The _merge_metadata_bags helper is anchored after CrowdStrikeAIDRGuardrailMissingSecrets because upstream anchors it after _extract_text_from_content, which is #26658 code absent on this line. The helper body and the call-site change are byte-identical to staging. The test hunk takes only the PR's own added test_apply_guardrail_reads_identity_from_either_metadata_bag; a neighboring test visible in the conflict region pre-exists only on staging and was not imported.

#30009. Applied cleanly; every patch difference is a context line because this line's _enforce_batch_file_model_access predates the team-scoped auth path and calls can_key_call_model directly. The fix's own hunks are unchanged: auth uses target_model_names decoded from the unified file id, and the resolve_model_name_from_model_id reverse-mapping is removed. Both helpers the pick references (get_models_from_unified_file_id, _is_base64_encoded_unified_file_id) exist on this line with the same signatures as staging.

Known noise on this line

None. The targeted baseline on the branch tip before the new picks (the two upstream-touched test files) was 22 passed, 0 failed.

Screenshots / Proof of Fix

The CrowdStrike picks were verified by replaying the reproducer from #29991 against a live proxy running this branch: real gpt-4o completions, a local HTTP sink standing in for the CrowdStrike AIDR endpoint recording exactly what the proxy sends, and a key bound to a user that has an email.

KEY=...   # key bound to user cs-e2e-user (email alice@example.com)
for BODY in \
  '{"model":"gpt-4o","messages":[{"role":"user","content":"hello"}],"max_tokens":5}' \
  '{"model":"gpt-4o","messages":[{"role":"user","content":"hello"}],"max_tokens":5,"litellm_metadata":null}' \
  '{"model":"gpt-4o","messages":[{"role":"user","content":"hello"}],"max_tokens":5,"litellm_metadata":{"trace_id":"t1"}}'; do
  curl -s http://localhost:4002/v1/chat/completions \
    -H "Authorization: Bearer $KEY" -H "Content-Type: application/json" -d "$BODY" -o /dev/null
done

All three completions returned 200 with real model output. What the proxy sent to the CrowdStrike endpoint for every shape (on the unpatched line it sends no identity at all, and with only the feature commit the null and trace-dict shapes would drop it):

/v1/guard_chat_completions | user_id: cs-e2e-user | extra_info: {'user_name': 'alice@example.com'}
/v1/guard_chat_completions | user_id: cs-e2e-user | extra_info: {'user_name': 'alice@example.com'}
/v1/guard_chat_completions | user_id: cs-e2e-user | extra_info: {'user_name': 'alice@example.com'}

Proxy sanity on the same instance matches the pre-pick baseline captured on the branch tip: /health/liveliness, a real claude-haiku-4-5 completion, key generate plus a scoped-key completion, all green.

Targeted tests on the two upstream-touched files: 22 passed before the picks, 32 passed after, 0 new failures. The picks' own tests pass, including #30009's regression canary asserting can_key_call_model receives the upload alias and the reverse-lookup is never called. An adversarial audit of each pick against its upstream commit (diff fidelity, symbol resolution, ported tests, caller drift) found no divergence beyond the adaptation notes above.

Pre-Submission checklist

• The cherry-picked PRs carry their own tests
• My PR passes the targeted unit tests on this line (32 passed, 0 new failures vs baseline)
• Scope is limited to backporting already-merged changes
• I have requested a Greptile review by commenting @greptileai and received a Confidence Score of at least 4/5 before requesting a maintainer review

Type

🆕 New Feature (backport)
🐛 Bug Fix (backport)

Changes

Cherry-picks onto stable/1.85.x: #30064 (Fable 5), CrowdStrike AIDR metadata capture + #29991 (1.84.6 parity), #30009 (batch file auth via target_model_names). No version bump

[codecov]

Codecov Report

❌ Patch coverage is 16.27907% with 72 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
litellm/llms/anthropic/common_utils.py	24.44%	34 Missing ⚠️
...ardrail_hooks/crowdstrike_aidr/crowdstrike_aidr.py	8.69%	21 Missing ⚠️
...tellm/llms/bedrock/chat/converse_transformation.py	14.28%	6 Missing ⚠️
litellm/proxy/hooks/batch_rate_limiter.py	0.00%	6 Missing ⚠️
litellm/llms/anthropic/chat/transformation.py	0.00%	5 Missing ⚠️

📢 Thoughts on this report? Let us know!

[greptile-apps]

Greptile Summary

This backport brings three already-merged fixes onto stable/1.85.x: Claude Fable 5 model support across all four providers, CrowdStrike AIDR user identity capture (1.84.6 parity), and a batch-file authorization fix that eliminates false 403s when multiple deployments share a stripped provider model name.

• Fable 5 (Add Claude Fable 5 across Anthropic, Bedrock, Vertex AI, and Azure AI #30064): Adds 8 cost-map entries, registers anthropic.claude-fable-5 in BEDROCK_CONVERSE_MODELS, and gates temperature/top_p/top_k forwarding via a new _apply_sampling_param helper that reads supports_sampling_params from the model map; the top_k=0 truthiness bug in the Bedrock converse path is also fixed.
• CrowdStrike AIDR (fix(guardrails): read CrowdStrike AIDR identity from both metadata bags #29991 + 1.84.6 backport): _merge_metadata_bags coalesces both metadata and litellm_metadata bags so user_id/user_name are captured regardless of which bag the proxy populates, restoring parity with 1.84.6.
• Batch file auth (fix(proxy): authorize batch files using upload target_model_names (LIT-3593) #30009): _enforce_batch_file_model_access now uses target_model_names decoded from the unified file ID for managed files, bypassing the resolve_model_name_from_model_id reverse-lookup that produced false 403s with ambiguous stripped model names.

Confidence Score: 5/5

Safe to merge; all three cherry-picks adapt cleanly to this branch with no divergence beyond the documented conflict resolutions, and the targeted test suite shows 32 passing tests with no new failures.

The model-map gating logic, CrowdStrike identity capture, and batch-file auth path are each covered by dedicated mock tests. The _apply_sampling_param helper is driven by cost-map flags with name-based fallbacks; edge cases (top_k=0, temperature=1, provider-prefixed model IDs) all have explicit test coverage. The _merge_metadata_bags merge order is validated across four parametrized shapes matching the live reproducer. The batch auth simplification correctly scopes the resolve_model_name_from_model_id removal to managed files and leaves non-managed files on the existing body.model fallback path.

No files require special attention; the concerns already flagged in prior review threads (name-based fallback in _supports_sampling_params, custom_llm_provider="anthropic" narrowing in _supports_model_capability) are pre-existing threads the author is already tracking.

Important Files Changed

Filename	Overview
litellm/llms/anthropic/common_utils.py	Added _supports_sampling_params, _apply_sampling_param, _model_map_lookup_candidates, _get_model_capability, and _supports_model_capability helpers; refactored _is_adaptive_thinking_model to use them. Model-map driven gating for Fable 5 / Opus 4.7/4.8 sampling params.
litellm/llms/anthropic/chat/transformation.py	Routes temperature/top_p through _apply_sampling_param; adds a top_k gating block at the transform_request boundary shared by Anthropic/Bedrock/Vertex/Azure paths.
litellm/llms/bedrock/chat/converse_transformation.py	Propagates drop_params through _prepare_request_params and _handle_top_k_value; fixes top_k=0 truthiness bug; delegates sampling-param gating to _apply_sampling_param.
litellm/proxy/guardrails/guardrail_hooks/crowdstrike_aidr/crowdstrike_aidr.py	Adds _merge_metadata_bags to merge both metadata and litellm_metadata bags; forwards user_id, model, and extra_info (with user_name) to the CrowdStrike AIDR payload.
litellm/proxy/hooks/batch_rate_limiter.py	Fixes false 403s by authorizing batch files using target_model_names decoded from the unified file ID instead of reverse-mapping body.model; removes the resolve_model_name_from_model_id call.
model_prices_and_context_window.json	Adds 8 Claude Fable 5 entries (Anthropic, Bedrock base + 3 geo profiles, Vertex AI + @default, Azure AI) and adds supports_sampling_params: false to Opus 4.7/4.8 entries.
tests/test_litellm/proxy/guardrails/guardrail_hooks/test_crowdstrike_aidr.py	Adds 5 new mock tests covering identity capture, empty extra_info, missing metadata, and dual-bag identity reads; also strengthens two existing tests with monkeypatch.delenv guards.
tests/test_litellm/proxy/hooks/test_batch_file_validation.py	Updates the existing auth alias test to pass target_model_names directly and assert resolve_model_name_from_model_id is never called; adds a parametrized regression canary for the multi-deployment false-403 scenario.
tests/test_litellm/test_claude_fable_5_config.py	New test file validating Fable 5 pricing, capabilities, cost-map parity between root and backup, adaptive thinking flag presence, and sampling-params flag across all variants.
tests/test_litellm/llms/anthropic/chat/test_anthropic_chat_transformation.py	Appends 137 lines of sampling-param gating tests (drop, raise, temperature=1 passthrough, model-map override, top_k boundary) with no modifications to existing tests.
tests/test_litellm/llms/bedrock/chat/test_converse_transformation.py	Adds converse-specific sampling-param and top_k gating tests, including a top_k=0 truthiness regression canary.

_{Reviews (2): Last reviewed commit: "fix(proxy): authorize batch files using ..." | Re-trigger Greptile}

[greptile-apps]

Hardcoded model-name fallback for sampling-params gating

The fallback block hard-codes "fable", "opus-4-7", "opus-4-8" (and their variant spellings) directly in source code. Per the project rule, capability flags should live exclusively in model_prices_and_context_window.json and be read through get_model_info/_get_model_capability, so that a future model addition only needs a JSON edit rather than a code change. Every affected entry in this PR already carries "supports_sampling_params": false in the map and _get_model_capability will find it (including after Bedrock/Vertex prefix-stripping via _model_map_lookup_candidates), making the name-match branch dead code for any model that exists in the map. The only gap left is a model whose map entry is entirely absent — in that case falling back to True (supported) is also safer than a false-positive reject.

Rule Used: What: Do not hardcode model-specific flags in the ... (source)

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[greptile-apps]

custom_llm_provider changed from None to "anthropic" in _supports_factory call

The original _is_adaptive_thinking_model called _supports_factory with custom_llm_provider=None, which allows the factory to resolve the model against all providers in the cost map. The refactored _supports_model_capability now passes custom_llm_provider="anthropic", which may cause _supports_factory to narrow its search to Anthropic-keyed entries and miss Bedrock- or Vertex AI-routed Claude 4.6/4.7 models (e.g., vertex_ai/claude-opus-4-6) that exist under a non-Anthropic provider key. The _get_model_capability fallback at line 388 recovers for most cases, but if _supports_factory had previously returned True for a model that _get_model_capability cannot resolve (e.g., a cross-region inference ARN with no cost-map entry), the name-based fallback _is_claude_4_6_model/_is_claude_4_7_model becomes the only safety net for adaptive-thinking detection.

[yuneng-berri]

@greptileai

[veria-ai]

Low: Spoofable guardrail user identity

metadata can include caller-supplied fields. If extra_info.user_name is populated from metadata.user_api_key_user_email, an authenticated caller can send that metadata key and make CrowdStrike AIDR receive an arbitrary user name. Only forward this value from internal auth-derived metadata, or omit it when the authenticated email is not available.

[veria-ai]

PR overview

This pull request backports selected changes to the stable/1.85.x release branch, including updates around the CrowdStrike AIDR guardrail integration in the LiteLLM proxy.

There is one open security concern involving how the CrowdStrike AIDR hook derives the user name it forwards from request metadata. An authenticated caller may be able to influence that forwarded identity value, which could affect downstream attribution or guardrail context, but the impact appears limited to spoofing that field rather than broader access or execution. No issues have been marked fixed or addressed yet.

Open issues (1)

• Low: Spoofable guardrail user identity — litellm/proxy/guardrails/guardrail_hooks/crowdstrike_aidr/crowdstrike_aidr.py:340

Fixed/addressed: 0 · PR risk: 4/10