Copilot AI commented Nov 11, 2025

LLM configurations currently use os.path.expandvars() for api_key expansion, which silently returns unexpanded strings when environment variables are missing. This differs from MCP server auth_token handling, which uses resolve_env_var() to provide explicit error messages.

Changes

Unified environment variable expansion:

  • Replace os.path.expandvars() with resolve_env_var() in litellm_caller.py and cli.py
  • Raises ValueError with clear message when required environment variables are unset
  • Add environment variable expansion support to extra_headers field

Example usage:

```yaml
models:
  openrouter-llama:
    model_url: "https://openrouter.ai/api/v1"
    model_name: "meta-llama/llama-3-70b-instruct"
    api_key: "${OPENROUTER_API_KEY}"
    extra_headers:
      HTTP-Referer: "${OPENROUTER_SITE_URL}"
      X-Title: "${OPENROUTER_SITE_NAME}"
```

Test coverage:

  • 6 unit tests in test_config_manager.py for ModelConfig validation
  • 6 integration tests in test_llm_env_expansion.py for LiteLLMCaller behavior
  • Tests verify env var expansion, literal values, missing variables, and extra_headers
Original prompt

This section details the original issue you should resolve

<issue_title>allow custom api key expansion in llmconfig.yml</issue_title>
<issue_description>similar to the custom key in the mcp.json</issue_description>

Comments on the Issue (you are @copilot in this section)

@garland3 Similar to how the mcp.json can read an env var for the key. re-use code when possible.


Copilot AI changed the title from "[WIP] Allow custom API key expansion in llmconfig.yml" to "Add environment variable expansion to llmconfig.yml api_key and extra_headers" Nov 11, 2025
Copilot AI requested a review from garland3 November 11, 2025 13:32
Copilot finished work on behalf of garland3 November 11, 2025 13:32
…ansion details

Add comprehensive documentation for configuring OpenRouter-powered LLMs, including environment variable expansion in API keys and headers for security and flexibility. Include examples, best practices, and error handling to guide admins on secure setup, preventing direct key storage in configs.
@github-actions
🔒 Security Scan Results

Security Scan Summary

Scan Results

Python SAST (Bandit)

⚠️ Security issues found in Python code

Recommendations

  • Review all SARIF files uploaded to GitHub Security tab
  • Address high and critical severity vulnerabilities immediately
  • Run npm audit fix and pip-audit locally to fix dependencies
  • Consider implementing additional security controls

Modified the GitHub Actions workflow to include a new step that sets up Node.js version 20, using actions/setup-node@v4. This change ensures that Node.js is available in the CI environment, likely necessary for subsequent build steps involving JavaScript or Node-based tools. Placed after the checkout step to maintain logical order in the job execution.
Copilot finished reviewing on behalf of garland3 November 14, 2025 04:46
Copilot AI left a comment

Pull Request Overview

This PR unifies environment variable expansion for LLM configurations by replacing os.path.expandvars() with resolve_env_var(), aligning the implementation with MCP server authentication handling. The change provides explicit error messages when required environment variables are unset and extends environment variable expansion support to the extra_headers field in LLM model configurations.

Key changes:

  • Replace silent os.path.expandvars() with resolve_env_var() that raises clear errors for missing variables
  • Add environment variable expansion to extra_headers dictionary values
  • Remove unused CLI module (backend/modules/llm/cli.py)

Reviewed Changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| backend/modules/llm/litellm_caller.py | Implements resolve_env_var() for api_key and extra_headers with proper error handling |
| backend/modules/llm/cli.py | Entire file deleted (323 lines) - CLI module removed |
| backend/tests/test_llm_env_expansion.py | Adds 6 integration tests covering env var expansion for api_key and extra_headers |
| backend/tests/test_config_manager.py | Adds 6 unit tests validating ModelConfig with environment variables |
| docs/02_admin_guide.md | Extensive documentation update (86 new lines) covering env var expansion patterns, security best practices, and examples |

Reviewed lines from docs/02_admin_guide.md:

> compliance_level: "External"
>
> **Note**: The second example demonstrates environment variable expansion in `extra_headers`, which is useful for services like OpenRouter that require site identification headers.
Copilot AI Nov 14, 2025

The phrase 'The second example' is ambiguous since both configuration examples in lines 386-403 are OpenRouter configurations with environment variables. Consider replacing with 'The OpenRouter example above' or 'This example' to be more precise.

Suggested change
**Note**: The second example demonstrates environment variable expansion in `extra_headers`, which is useful for services like OpenRouter that require site identification headers.
**Note**: The OpenRouter example above demonstrates environment variable expansion in `extra_headers`, which is useful for services like OpenRouter that require site identification headers.

Reviewed lines from docs/02_admin_guide.md:

> - **Never**: Commit API keys to `config/defaults/llmconfig.yml` or any version-controlled files
>
> This environment variable expansion system works identically to the MCP server `auth_token` field, providing consistent behavior across all authentication and configuration mechanisms in the application.

Copilot AI Nov 14, 2025

The documentation claims the behavior is 'identical' to MCP server auth_token, but doesn't mention the key limitation that resolve_env_var() only supports exact ${VAR} patterns at the beginning of strings (using re.match()), not partial substitution like 'prefix-${VAR}-suffix'. Consider adding a note about this limitation or clarifying that only full-value environment variable substitution is supported.

Suggested change
> **Limitation:** Only full-value environment variable substitution is supported. The value must be exactly in the form `"${VAR_NAME}"` (with nothing else before or after). Partial substitution, such as `"prefix-${VAR}-suffix"`, is **not** supported and will not be expanded. This applies to all fields that support environment variable expansion, including `api_key`, `auth_token`, and custom headers.

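An added Python illustration (not code from this PR or its project) of the two behaviours discussed above: the PR description's contrast between `os.path.expandvars()`, which silently leaves an unset `${VAR}` in place, and a resolver that raises on a missing variable, together with the review comment's point that only a full-value `${VAR}` is substituted. The function name `expand_env_ref` and the config helpers are assumptions standing in for the PR's `resolve_env_var()`; all sample values are constructed.

```python
import os
import re
from typing import Dict, Optional

# Hypothetical stand-in for the PR's resolve_env_var(): a value counts as an
# environment reference only when it is exactly "${VAR_NAME}" (nothing before
# or after), the full-value-only contract the review comment describes.
_ENV_REF = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$")

def expand_env_ref(value: str, env: Optional[Dict[str, str]] = None) -> str:
    """Return the referenced variable's value, or the literal value if not a reference."""
    env = os.environ if env is None else env
    match = _ENV_REF.match(value)
    if match is None:
        # Literals and partial patterns such as "prefix-${VAR}-suffix" are
        # returned unchanged rather than partially substituted.
        return value
    name = match.group(1)
    if name not in env:
        # Fail loudly instead of handing the literal "${VAR}" to the API as a key.
        raise ValueError(f"Environment variable '{name}' is not set")
    return env[name]

def expand_model_config(cfg: dict, env: Optional[Dict[str, str]] = None) -> dict:
    """Expand api_key and every extra_headers value of one model entry."""
    out = dict(cfg)
    if "api_key" in out:
        out["api_key"] = expand_env_ref(out["api_key"], env)
    if out.get("extra_headers"):
        out["extra_headers"] = {k: expand_env_ref(v, env) for k, v in out["extra_headers"].items()}
    return out

def missing_var_message(value: str, env: Dict[str, str]) -> Optional[str]:
    """Return the error text a missing variable produces, or None if expansion succeeds."""
    try:
        expand_env_ref(value, env)
    except ValueError as exc:
        return str(exc)
    return None

def silent_expansion(value: str) -> str:
    """Pre-PR behaviour: os.path.expandvars leaves an unset variable in place."""
    return os.path.expandvars(value)

if __name__ == "__main__":
    env = {"OPENROUTER_API_KEY": "sk-constructed", "OPENROUTER_SITE_URL": "https://example.test"}  # constructed
    model = {"api_key": "${OPENROUTER_API_KEY}", "extra_headers": {"HTTP-Referer": "${OPENROUTER_SITE_URL}"}}
    print(expand_model_config(model, env))
    print(silent_expansion("${__CONSTRUCTED_UNSET_VAR_9F3A__}"))  # unexpanded, no error
```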
…urce

- Upgrade Node.js from default dnf package to v20.x for improved compatibility and features
- Remove npm explicit install as it's bundled with Node.js
- Apply consistent changes to both Dockerfile and Dockerfile-test for standardized builds
- Use NodeSource repository for reliable, up-to-date Node.js provisioning
Uncomment the entire GitHub Actions workflow file to activate continuous integration and delivery, including steps for Node.js setup, Docker image building for tests and production, running tests in containers, and pushing images with metadata tagging. This enables automated processes for branches like main and develop, improving development efficiency and deployment reliability.
Changed require('@tailwindcss/typography') to ES6 import syntax (import tailwindTypography from '@tailwindcss/typography') in tailwind.config.js for better module consistency and modern JavaScript practices.
@garland3 garland3 marked this pull request as ready for review November 14, 2025 10:41
@garland3 garland3 merged commit 025512f into main Nov 14, 2025
6 checks passed
@garland3 garland3 deleted the copilot/allow-custom-api-key-expansion branch November 14, 2025 10:49