feat(proxy): add /v1/memory CRUD endpoints

[krrish-berri-2]

Summary

• New LiteLLM_MemoryTable stores memory entries with a globally unique key plus optional JSON metadata. value is a String (LLM-readable text) and metadata is an optional Json? envelope — the Letta + mem0 hybrid — so future structured fields can be added without a schema migration. Callers namespace their own keys (e.g. user:123:notes) if per-user isolation is needed.
• Adds CRUD endpoints under /v1/memory:
  • POST /v1/memory — create (409 on any duplicate key)
  • GET /v1/memory — list with optional key_prefix (Redis-style namespace scan); caller-scoped, admins see all
  • GET /v1/memory/{key} — fetch one (slashes in keys supported via {key:path})
  • PUT /v1/memory/{key} — upsert (idempotent under concurrent writes; explicit metadata: null clears the column)
  • DELETE /v1/memory/{key} — delete
• Non-admin callers cannot set user_id / team_id other than their own; a caller with neither user_id nor team_id is rejected (400) to avoid orphan rows. PROXY_ADMIN can scope to any user/team.
• UI: new Memory page in the AI GATEWAY sidebar. Full CRUD with server-paginated table, prefix search, detail drawer, and a create/edit modal (optional JSON metadata). Writes go through useMutation + queryClient.invalidateQueries so every cached page refetches on change.

Test plan

• Unit tests in tests/test_litellm/proxy/memory/test_memory_endpoints.py (20 tests, all passing):
  • Create defaults scope to caller
  • Create duplicate key → 409
  • Non-admin setting foreign user_id → 403
  • Admin can set any scope
  • Identity-less caller → 400 (prevents orphan rows)
  • List is caller-scoped; admin sees all
  • key_prefix filter works and never leaks across scopes
  • GET by key respects visibility (404 if row belongs to someone else)
  • PUT creates when missing, updates when present
  • PUT admin can bootstrap foreign scope
  • PUT unique-violation race → falls through to update
  • PUT explicit metadata: null clears the column
  • PUT omitted metadata preserves the column
  • PUT with empty body → 400
  • DELETE removes row; 404 when row not visible
• Prisma migration applied on a fresh DB (tested locally against Neon PG16).
• Smoke test the endpoints against a running proxy (verified POST/GET/PUT/DELETE via curl + via the new UI).

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
0 out of 2 committers have signed the CLA.

❌ krrish-berri-2
❌ mateo-berri
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[greptile-apps]

Greptile Summary

This PR adds a /v1/memory CRUD API (POST/GET/PUT/DELETE) backed by a new LiteLLM_MemoryTable with a globally-unique key, Prisma schema and migration, 20 mock-only unit tests, and a full React UI page in the AI Gateway sidebar.

Most issues surfaced in earlier review rounds have been resolved: the encodeMemoryKeyForPath helper preserves literal slashes for {key:path} routes, the upsert race condition is caught and retried rather than surfacing a 500, model_fields_set correctly distinguishes explicit-null metadata from omitted metadata, and the visibility filter now uses a top-level AND to avoid dict-key collisions.

• P1: _is_team_admin_for calls prisma_client.db.litellm_teamtable.find_unique() directly instead of the get_team_object cache helper, violating the repo's rule against raw DB queries on endpoint paths. Every PUT/DELETE on a team-scoped row triggers a synchronous DB round-trip that bypasses Redis/in-process caching.

Confidence Score: 4/5

Safe to merge after addressing the direct DB query in _is_team_admin_for; all other previously-raised P1/P0 issues have been resolved.

One remaining P1 — the raw team-table DB query in _is_team_admin_for bypasses the caching layer that every other team-management endpoint relies on. All other issues flagged in prior review rounds have been addressed: metadata sentinel pattern, upsert race condition, visibility filter merge, encodeMemoryKeyForPath, orphan row rejection, and unique-violation detection.

litellm/proxy/memory/memory_endpoints.py (_is_team_admin_for direct DB call); litellm/proxy/schema.prisma (missing @@Map)

Important Files Changed

Filename	Overview
litellm/proxy/memory/memory_endpoints.py	New CRUD endpoints for /v1/memory. Previous P1/P0 issues (race condition, metadata sentinel, visibility filter merge, orphan rows) have all been addressed; the direct-DB query in _is_team_admin_for remains.
litellm/types/memory_management.py	Pydantic models for memory endpoints; correctly uses Optional[Any] so model_fields_set can distinguish omitted vs explicit-null metadata.
ui/litellm-dashboard/src/components/networking.tsx	Adds memory CRUD API functions; encodeMemoryKeyForPath correctly preserves literal slashes for the {key:path} backend route while encoding all other unsafe characters.
ui/litellm-dashboard/src/components/MemoryView/MemoryView.tsx	Memory UI with server-side pagination, prefix search, and CRUD. The metadata clear path correctly sends explicit null on edit so the backend's model_fields_set registers the intent.
litellm/proxy/schema.prisma	Adds LiteLLM_MemoryTable model with key String @unique (globally unique); missing @@Map annotation that all sibling models use for explicitness.
tests/test_litellm/proxy/memory/test_memory_endpoints.py	20 mock-only unit tests using FastAPI TestClient with in-memory fakes; no real network calls, compliant with repo's test isolation policy.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Incoming /v1/memory request] --> B[user_api_key_auth]
    B --> C{Endpoint?}
    C -->|POST /v1/memory| D[_resolve_scope\nenforce user_id/team_id\nreject orphan rows]
    D --> E[DB create\nunique key or 409]
    C -->|GET /v1/memory| F[_visibility_filter\nNone=admin sees all\nOR clause for user/team]
    F --> G[DB find_many\npaginated + key prefix]
    C -->|GET /v1/memory/key| H[_find_memory_for_caller\nAND key + vis filter]
    H --> I{Found?}
    I -->|Yes| J[Return row]
    I -->|No| K[404]
    C -->|PUT /v1/memory/key| L[_find_memory_for_caller]
    L --> M{Exists?}
    M -->|Yes| N[_assert_write_access\nowner or team admin]
    N --> O[DB update]
    M -->|No| P[_resolve_scope]
    P --> Q[DB create\nrace catch + re-update]
    C -->|DELETE /v1/memory/key| R[_find_memory_for_caller]
    R --> S[_assert_write_access]
    S --> T[DB delete]

Loading

_{Reviews (18): Last reviewed commit: "fix(schema): close LiteLLM_MemoryTable m..." | Re-trigger Greptile}

[veria-ai]

Low: New memory CRUD endpoints with standard auth

This PR adds /v1/memory CRUD endpoints scoped by user/team identity. Authentication uses the standard user_api_key_auth middleware, database access goes through Prisma ORM (parameterized queries), and scope enforcement prevents non-admins from writing to other users' scopes. The routes are not currently registered in any of the LiteLLMRoutes allowed-route lists, so only PROXY_ADMIN users can reach them today. No significant security issues found.

---

Status: 0 open
Risk: 2/10

Posted by Veria AI · 2026-04-23T14:31:12.762Z

[veria-ai]

Low: Cross-tenant key existence oracle via globally unique constraint

This PR adds CRUD endpoints for user/team-scoped memory entries. Authentication is properly enforced on all routes via user_api_key_auth. Write-authorization checks prevent cross-user mutation through team visibility. Internal error details are no longer leaked. The remaining design concern is that the globally unique key column combined with 409 responses allows authenticated users to probe for key existence across tenant boundaries, but exploitability is limited since keys are opaque strings chosen by callers and the information disclosed is minimal (existence only, not content).

---

Status: 6 open
Risk: 3/10

Posted by Veria AI · 2026-04-25T00:55:15.669Z

[krrish-berri-2]

On the cross-tenant key-existence oracle (medium): acknowledged but intentional.

The global-unique-key design is the chosen model (matches Redis SET / mem0 / Letta block semantics — one key, one value, callers namespace their own keys). A 409 inherently signals that some row with that key exists; the alternative is a per-scope unique constraint, which we explicitly decided against (NULL-in-compound-unique hazard, ambiguous routing for GET /v1/memory/{key}, and the silent-duplicate bug that originally motivated the switch — see #26218 commit history).

What we did mitigate: the 409 detail string is now "Memory with key 'X' already exists." with no scope information, and the post-race-recovery 409 dropped its old "in a different scope" wording in this push. The information disclosure is "this key is taken globally" — same as Redis SET … NX would give you, and the same as any registry of globally-unique slugs.

If a deployment wants per-tenant key isolation, callers prefix their keys (team:acme:notes, user:123:role). That's documented in the schema comment. Resolving as intentional.

[greptile-apps]

Direct DB query bypasses the team caching layer

_is_team_admin_for calls prisma_client.db.litellm_teamtable.find_unique() directly instead of the get_team_object helper (which reads from the Redis/in-process cache). Every PUT or DELETE on a team-scoped memory entry triggers a synchronous DB round-trip. All other team-management endpoints use the shared helper to benefit from caching and avoid DB regression under load — this path should do the same.

Rule Used: What: In critical path of request, there should be... (source)

addressed already

[gitguardian]

⚠️ GitGuardian has uncovered 2 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request

GitGuardian id	GitGuardian status	Secret	Commit	Filename
31539530	Triggered	Generic Password	f775fa1	.github/workflows/_test-unit-services-base.yml	View secret
29203053	Triggered	Generic Password	f775fa1	.circleci/config.yml	View secret

🛠 Guidelines to remediate hardcoded secrets

1. Understand the implications of revoking this secret by investigating where it is used in your code.
2. Replace and store your secrets safely. Learn here the best practices.
3. Revoke and rotate these secrets.
4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

• following these best practices for managing and storing secrets including API keys and other credentials
• install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

---

^{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}

[greptile-apps]

Direct DB query bypasses the team caching layer (rule violation)

_is_team_admin_for calls prisma_client.db.litellm_teamtable.find_unique() directly on every PUT/DELETE that touches a team-scoped row. Per the repository's performance rule, DB queries in endpoint handlers must go through the shared helper functions (get_team_object etc.) so they benefit from the Redis / in-process cache. Each team-write without that cache hits the DB synchronously, which regresses under load in the same way the rule was introduced to prevent.

Rule Used: What: In critical path of request, there should be... (source)

[codecov]

Codecov Report

❌ Patch coverage is 27.35849% with 154 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
litellm/proxy/memory/memory_endpoints.py	14.91%	154 Missing ⚠️

📢 Thoughts on this report? Let us know!