LABEL CHECK / DOSSIER
LiteLLM
closure trend: format-translation and release-shippable fixes close within weeks; concurrency, budget-enforcement, and fallback deltas are not closing — fix PRs sit unmerged or were closed while the backing issues were stale-bot closed unfixed
Verdict
The unified-API and provider-breadth claims hold as labeled, but the production-control claims — budgets, rate limits, fallback, and the README's 8ms-P95-at-1k-RPS figure — are contradicted by issue-traced behavior under exactly the concurrent multi-tenant conditions the proxy is marketed for, with the key fixes unmerged and the backing issues stale-bot closed unfixed.
Claim ledger — 13 rows
Delta ledger — 11 open
In-memory budget/rate counters lose 75-93% of increments under concurrent load; atomic-increment fix unmerged
closes when:Atomic increment fix merged and a concurrent increment test (4+ threads, 50 increments each) yields the expected counter value on a current release, TD re-verified
evidence:[1][2]Issue stale-bot closed not-planned 2026-05-20 with PR #20979 still open unmerged — re-checked 2026-06-11Re-verified open 2026-06-28 against v1.90.0
Concurrent requests bypass TPM limits 6.6x — tokens deducted after completion, not reserved; reservation fix closed unmerged
closes when:Concurrent requests against a TPM limit cannot collectively exceed it (pre-call token reservation or equivalent), TD re-verified on a current release
evidence:[1][2]Issue open and reopened; PR #23775 closed without merge — re-checked 2026-06-11UPDATE 2026-06-28: pre-call token reservation merged in v1.85.0 (PR #27001); #18730 still open and reporter-unconfirmed; v1.90.0 added an opt-out (PR #30211) — falsification criterion partially met, awaiting TD execution[5]Re-verified open 2026-06-28 against v1.90.0
Budget enforcement bypassed via AzureOpenAI client (15x overshoot), team virtual keys, and pass-through routes — all closed not-planned without fixes
closes when:A configured budget binds across the AzureOpenAI-client, team-key, and pass-through routes in a TD re-test on a current release
evidence:[1][2][3]Re-verified open 2026-06-28 against v1.90.0
NotFoundError (404) unconditionally bypasses the fallback chain; fix PR open unmerged since Feb 2026
closes when:A 404/NotFoundError from one deployment triggers failover to an available alternative deployment, TD re-verified on a current release
evidence:[1][2]Issue stale-bot closed not-planned 2026-06-01; PR #21378 still open — re-checked 2026-06-11Re-verified open 2026-06-28 against v1.90.0
Mid-stream fallback injects a default English system prompt over the caller's persona; no disable option (closed not-planned)
closes when:Mid-stream fallback continuation preserves the caller's system prompt, or a configuration option disables the injected prompt; TD re-verified
evidence:[1]Re-verified open 2026-06-28 against v1.90.0
Multimodal fallback OpenAI→Gemini drops image data via in-place message mutation (closed not-planned)
closes when:OpenAI-to-Gemini fallback delivers image content (non-zero image tokens in usage metrics), TD re-verified
evidence:[1]Re-verified open 2026-06-28 against v1.90.0
README's 8ms P95 at 1k RPS contradicted by measured ~300 RPS GIL ceiling (P99 18s at 310 RPS; OOM at 350 RPS sustained)
closes when:An independent load test sustains 1k RPS with ~8ms P95 on a vendor-documented configuration, or re-measurement fails to reproduce the ~300 RPS ceiling; either result TD-verified
evidence:[1]Contradicting post-mortem article removed (HTTP 404 since 2026-04-22); measurement retained at secondary-research backingRe-verified open 2026-06-28 against v1.90.0
Gateway cache metrics unreliable — cache_hit reports 0 while upstream bills cached_tokens; savings unverifiable from gateway telemetry
closes when:Gateway cache_hit metrics match upstream provider cached-token billing in a TD re-test
evidence:[1]Re-verified open 2026-06-28 against v1.90.0
Upstream Retry-After header not forwarded under the standard header; clients retry immediately, amplifying provider rate-limit pressure
closes when:Upstream Retry-After is forwarded to clients under the standard header and respected by router backoff, TD re-verified
evidence:[1][2]Issue stale-bot closed not-planned 2026-05-29; fix PR #21648 closed unmerged — re-checked 2026-06-11UPDATE 2026-06-28: fix PR #21648 auto-closed without merge 2026-06-03; v1.90.0 PR #27687 enriches rate-limit error fields but does not forward Retry-After — no fix pathRe-verified open 2026-06-28 against v1.90.0
Guardrail fail-open cluster — 8 implementations silently fail open (Lakera category_thresholds disables the blocked verdict, llm_as_a_judge defaults overall_score to 100, OpenAI/Azure moderation scans only the trailing turn, Presidio fails open on analyzer error)
closes when:Each guardrail blocks the policy-violating input/output it is configured for under analyzer-error and threshold edge cases, TD re-verified on a current release
SSE error codes outside the 100-599 range silently discarded — router never fails over or cools down for ZhipuAI/DashScope upstream errors (#31284)
closes when:A non-standard upstream SSE error code triggers router fallback/cooldown rather than being silently dropped, TD re-verified
evidence:[1]
Closed deltas — 4 (falsification-gated)
Deferred-HTTP providers (Vertex AI, Bedrock, Predibase, Codestral) bypassed streaming fallback entirely
closed by:PR #22375, merged 2026-02-28 — sync streaming fallback plus 429 handling for all streaming paths
thinking.summary silently dropped routing Anthropic requests to the OpenAI Responses API
closed by:PRs #21441/#21491 (merged 2026-03-05), shipped in v1.82.3-stable (2026-03-17); TD re-verified present through v1.83.14-stable.patch.3
Reported Bedrock guardrail bypass (original input returned instead of blocked output)
closed by:TD re-verification of #22949: root cause was reporter configuration (full guardrail ARN corrupting the URL path instead of the short ID) — not a LiteLLM code defect; the finding's row is corrected, not vendor-fixed
API keys logged in plaintext in proxy log output (pre-v1.82.4)
closed by:v1.82.4 — plaintext key logging suppressed; not backported, mitigation on older versions is upgrade
Methodology
- sampling
- Theory Delta Method §2 material-claim sampling rule (theorydelta-policy strategy/method.md): a claim is sampled iff it appears on the vendor's own label and would plausibly influence an adoption decision. Label surfaces enumerated and captured 2026-06-11: the docs.litellm.ai landing page, the BerriAI/litellm README, and the 'Budgets, Rate Limits' docs page (docs.litellm.ai/docs/proxy/users). 13 material claims extracted; all sampled (full dossier, 10-claim floor met).
- verification depth
- source-reviewed — not executed by Theory Delta
- verification statement
- Evidence is drawn from LiteLLM's public issue tracker, pull requests, release notes, GitHub security advisories, the vendor's own security disclosure, and the Theory Delta corpus blocks backing them; the open/closed state of every cited issue and fix PR was re-checked against the GitHub API on 2026-06-11 and again on 2026-06-28 (v1.90.0). Theory Delta has not executed LiteLLM in its own environment for this dossier. Star counts are excluded from assessment as unreliable quantitative metrics.
- backing confidence
- medium
- strongest case against
- Many backing issues were stale-bot closed ('not planned') rather than triaged, so some behaviors may have been fixed incidentally in LiteLLM's roughly weekly releases since the finding's last full verification (2026-03-22) without an issue or PR recording it; the ~300 RPS ceiling contradicting the 8ms-P95 claim rests on a production post-mortem whose source article has been removed (HTTP 404 since 2026-04-22) and has not been re-measured; several guardrail issues were vendor-closed as completed and TD has not re-verified those fixes; and release velocity (v1.88.1 shipped 2026-06-09) can outpace any source-review window.