Merge branch 'features/fa_optim'

Author: Paweł Kędzia

.version

@@ -1 +1 @@
-0.4.0
+0.4.1

CHANGELOG.md

@@ -15,4 +15,5 @@
 | 0.2.4   | Anonymizer module, integration anonymization with any endpoint (using dynamic payload analysis and full payload anonymisation), dedicated `/api/anonymize_text` endpoint as memory only anonymization. Whole router may be run in `FORCE_ANONYMISATION` mode.                               |
 | 0.3.0   | Anonymization available with three strategies: `fast_masker`, `genai`, `prov_masker`.                                                                                                                                                                                                       |
 | 0.3.1   | Refactoring `lb.strategies` to be more flexible modular. Introduced `MaskerPipeline` and `GuardrailPipeline` both configured via env. Removed genai-based masking endpoint.                                                                                                                 |
-| 0.4.0   | The main repository is divided into dedicated ones: plugins, services, web — separate repositories. Clean up the whole repository. Examples of integration with llamaindex, langchain, openai, litellm and haystack.                                                                        |
+| 0.4.0   | The main repository is divided into dedicated ones: plugins, services, web — separate repositories. Clean up the whole repository. Examples of integration with llamaindex, langchain, openai, litellm and haystack.                                                                        |
+| 0.4.1   | Audit log is stored using GPG. Add bash script (`scripts/gen_and_export_gpg.sh` to prepare GPG keys and simple `scripts/decrypt_auditor_logs.sh` to decrypt encrypted audit logs.                                                                                                           |

llm_router_api/base/constants.py

@@ -217,13 +217,6 @@ def __verify_balancing_strategy():
 
     @staticmethod
     def __verify_default_masking_strategy():
-        if MASKING_WITH_AUDIT:
-            if not FORCE_MASKING:
-                raise Exception(
-                    f"`export LLM_ROUTER_FORCE_MASKING=1` environment is "
-                    f"required when `LLM_ROUTER_MASKING_WITH_AUDIT=1`\n\n"
-                )
-
         if FORCE_MASKING and not len(MASKING_STRATEGY_PIPELINE):
             raise Exception(
                 "When FORCE_MASKING is set to `True`, you must specify the "

…_api/base/lb/provider_strategy_facase.py …_api/base/lb/provider_strategy_facade.pyllm_router_api/base/lb/provider_strategy_facase.py renamed to llm_router_api/base/lb/provider_strategy_facade.py llm_router_api/base/lb/provider_strategy_facase.py renamed to llm_router_api/base/lb/provider_strategy_facade.py

@@ -11,7 +11,7 @@
 from typing import Dict, Optional, Any
 
 from llm_router_api.base.model_config import ApiModelConfig
-from llm_router_api.base.lb.provider_strategy_facase import ProviderStrategyFacade
+from llm_router_api.base.lb.provider_strategy_facade import ProviderStrategyFacade
 
 
 @dataclass(frozen=True)

llm_router_api/base/model_handler.py

@@ -18,6 +18,7 @@
    ``logs/auditor/<audit_type>__<timestamp>.audit``.
 """
 
+import uuid
 import json
 import gnupg
 
@@ -28,8 +29,16 @@
     AuditorLogStorageInterface,
 )
 
+# Base output directory for the auditor
+DEFAULT_AUDITOR_OUT_DIR = Path("logs/auditor")
+DEFAULT_AUDITOR_OUT_DIR.mkdir(parents=True, exist_ok=True)
+
 
 class GPGAuditorLogStorage(AuditorLogStorageInterface):
+    # Default gpg auditor public key
+    AUDITOR_PUB_KEY_DIR = Path("resources/keys")
+    AUDITOR_PUB_KEY_FILE = AUDITOR_PUB_KEY_DIR / Path("llm-router-auditor-pub.asc")
+
     """
     GPG‑backed storage for audit logs.
 
@@ -46,13 +55,6 @@ class GPGAuditorLogStorage(AuditorLogStorageInterface):
         for encryption.
     """
 
-    # Base output directory for the auditor
-    DEFAULT_AUDITOR_OUT_DIR = Path("logs/auditor")
-    DEFAULT_AUDITOR_OUT_DIR.mkdir(parents=True, exist_ok=True)
-
-    AUDITOR_PUB_KEY_DIR = Path("resources/keys")
-    AUDITOR_PUB_KEY_FILE = AUDITOR_PUB_KEY_DIR / Path("llm-router-auditor-pub.asc")
-
     def __init__(self):
         """
         Create a new GPG‑based audit log storage instance.
@@ -70,6 +72,8 @@ def __init__(self):
         self._gpg = gnupg.GPG(gnupghome=str(self.AUDITOR_PUB_KEY_DIR))
         self._gpg.encoding = "utf-8"
 
+        self.__verify()
+
         with self.AUDITOR_PUB_KEY_FILE.open("r", encoding="utf-8") as f:
             self._import_result = self._gpg.import_keys(f.read())
             if not self._import_result.count:
@@ -103,7 +107,7 @@ def store_log(self, audit_log, audit_type: str):
         """
         date_str = datetime.now().strftime("%Y%m%d_%H%M%S.%f")
         out_file_name = f"{audit_type}__{date_str}.audit"
-        out_file_path = self.DEFAULT_AUDITOR_OUT_DIR / out_file_name
+        out_file_path = DEFAULT_AUDITOR_OUT_DIR / out_file_name
         with open(out_file_path, "wt") as f:
             audit_str = json.dumps(audit_log, indent=2, ensure_ascii=False)
             encrypted_data = self._gpg.encrypt(
@@ -113,3 +117,46 @@ def store_log(self, audit_log, audit_type: str):
                 armor=True,
             )
             f.write(str(encrypted_data))
+
+    def __verify(self):
+        """
+        Perform internal sanity checks during initialisation.
+
+        This method verifies that the required GPG public key file exists
+        and that the process has write access to ``DEFAULT_AUDITOR_OUT_DIR``.
+        It raises an exception if either check fails.
+        """
+        self.__check_key_exists()
+        self.__check_write_permission()
+
+    def __check_key_exists(self):
+        """
+        Ensure that the GPG public key file specified by
+        ``AUDITOR_PUB_KEY_FILE`` is present on the filesystem.
+
+        Raises
+        ------
+        Exception
+            If the public key file does not exist.
+        """
+        if not self.AUDITOR_PUB_KEY_FILE.exists():
+            raise Exception(
+                f"GPG public key {self.AUDITOR_PUB_KEY_FILE} does not exists!"
+            )
+
+    def __check_write_permission(self):
+        """
+        Verify that the process can write to ``DEFAULT_AUDITOR_OUT_DIR``.
+        Writes a temporary file containing the string ``"llm-router"``,
+        then removes it. Raises ``PermissionError`` if any step fails.
+        """
+        try:
+            temp_name = f"perm_check_{uuid.uuid4().hex}.audit"
+            temp_path = DEFAULT_AUDITOR_OUT_DIR / temp_name
+            with open(temp_path, "wt") as f:
+                f.write("llm-router")
+            temp_path.unlink()
+        except Exception as exc:
+            raise PermissionError(
+                f"Unable to write to {DEFAULT_AUDITOR_OUT_DIR}: {exc}"
+            )

llm_router_api/core/auditor/log_storage/gpg.py

@@ -33,7 +33,7 @@
     USE_PROMETHEUS,
     SERVER_BALANCE_STRATEGY,
 )
-from llm_router_api.base.lb.provider_strategy_facase import ProviderStrategyFacade
+from llm_router_api.base.lb.provider_strategy_facade import ProviderStrategyFacade
 
 if USE_PROMETHEUS:
     from llm_router_api.core.metrics import PrometheusMetrics

llm_router_api/core/engine.py

@@ -10,7 +10,7 @@
 
 from llm_router_api.base.model_handler import ModelHandler
 from llm_router_api.base.constants import REST_API_LOG_LEVEL
-from llm_router_api.base.lb.provider_strategy_facase import ProviderStrategyFacade
+from llm_router_api.base.lb.provider_strategy_facade import ProviderStrategyFacade
 
 from llm_router_api.endpoints.passthrough import PassthroughI
 from llm_router_api.endpoints.builtin.openai import OpenAIResponseHandler

llm_router_api/register/auto_loader.py

@@ -50,7 +50,7 @@ export LLM_ROUTER_REDIS_PORT=${LLM_ROUTER_REDIS_PORT:-6379}
 # Data protection (additional endpoints will be available)
 # ------------ Masker section
 export LLM_ROUTER_FORCE_MASKING=${LLM_ROUTER_FORCE_MASKING:-0}
-export LLM_ROUTER_MASKING_WITH_AUDIT=${LLM_ROUTER_MASKING_WITH_AUDIT:-0}
+export LLM_ROUTER_MASKING_WITH_AUDIT=${LLM_ROUTER_MASKING_WITH_AUDIT:-1}
 export LLM_ROUTER_MASKING_STRATEGY_PIPELINE=${LLM_ROUTER_MASKING_STRATEGY_PIPELINE:-"fast_masker"}
 # ------------ Guardrails section (request)
 export LLM_ROUTER_FORCE_GUARDRAIL_REQUEST=${LLM_ROUTER_FORCE_GUARDRAIL_REQUEST:-0}