feat: add enterprise gateway support with Wells Fargo configuration

- Add ssl_verify field to LLM class for certificate handling
- Forward ssl_verify and custom_llm_provider to LiteLLM calls
- Exclude extra_headers from telemetry logging for security
- Improve environment variable parsing for ssl_verify (supports false/true/cert paths)
- Add comprehensive tests for ssl_verify and custom_llm_provider
- Add enterprise_gateway_example.py demonstrating Wells Fargo configuration

This supersedes PR #963 by merging Wells Fargo requirements with the extra_headers support from PR #733.

Author: ak684

examples/enterprise_gateway_example.py

@@ -0,0 +1,130 @@
+#!/usr/bin/env python3
+"""
+Example demonstrating how to configure the LLM class for enterprise API gateways
+that require custom headers and SSL certificate handling.
+
+This example shows configuration patterns used at Wells Fargo and other enterprises
+with corporate proxies or API management systems like Tachyon/Apigee.
+"""
+
+import os
+import uuid
+from datetime import datetime
+from openhands.sdk.llm import LLM
+
+
+def create_enterprise_llm():
+    """
+    Create an LLM instance configured for enterprise gateway access.
+
+    This example shows how to:
+    1. Add custom headers required by the gateway (auth tokens, correlation IDs)
+    2. Set a custom base URL for the enterprise proxy
+    3. Disable SSL verification when corporate proxies break cert chains
+    4. Specify the underlying provider explicitly
+    """
+
+    # Generate dynamic headers that may be required by the gateway
+    now = datetime.now()
+    correlation_id = str(uuid.uuid4())
+    request_id = str(uuid.uuid4())
+
+    # Configure the LLM with enterprise gateway settings
+    llm = LLM(
+        model="openai/gemini-2.5-flash",  # Model name as exposed by gateway
+        api_key="placeholder",  # Often required even if not used
+
+        # Enterprise proxy endpoint
+        base_url="https://your-corporate-proxy.company.com/api/llm",
+
+        # Custom headers required by the gateway
+        extra_headers={
+            "Authorization": "Bearer YOUR_ENTERPRISE_TOKEN",
+            "Content-Type": "application/json",
+            "x-correlation-id": correlation_id,
+            "x-request-id": request_id,
+            "x-wf-request-date": now.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3],
+            "X-WF-USECASE-ID": "YOUR_USECASE_ID",
+            "x-wf-client-id": "YOUR_CLIENT_ID",
+            "x-wf-api-key": "YOUR_API_KEY",
+        },
+
+        # Disable SSL verification if corporate proxy breaks certificate chain
+        ssl_verify=False,  # Set to True in production if certs are properly configured
+
+        # Explicitly specify the provider for LiteLLM routing
+        custom_llm_provider="openai",
+
+        # Other configurations
+        num_retries=1,
+        timeout=30,
+    )
+
+    return llm
+
+
+def create_llm_from_env():
+    """
+    Create an LLM instance using environment variables.
+
+    Set these environment variables:
+    - LLM_MODEL=openai/gemini-2.5-flash
+    - LLM_API_KEY=placeholder
+    - LLM_BASE_URL=https://your-corporate-proxy.company.com/api/llm
+    - LLM_SSL_VERIFY=false
+    - LLM_CUSTOM_LLM_PROVIDER=openai
+    - LLM_EXTRA_HEADERS='{"Authorization": "Bearer TOKEN", "x-correlation-id": "123"}'
+    """
+
+    # The load_from_env method automatically handles:
+    # - Boolean parsing for ssl_verify (accepts: false, False, 0, no, off)
+    # - JSON parsing for complex fields like extra_headers
+    llm = LLM.load_from_env()
+
+    return llm
+
+
+def example_usage():
+    """Demonstrate using the enterprise-configured LLM."""
+
+    # Create the LLM instance
+    llm = create_enterprise_llm()
+
+    # Use the LLM for chat completion
+    response = llm.chat(
+        messages=[
+            {"role": "system", "content": "You are a helpful assistant."},
+            {"role": "user", "content": "What is the capital of France?"}
+        ]
+    )
+
+    print(f"Response: {response.choices[0].message.content}")
+
+    # The extra_headers are automatically included in the request to the gateway
+    # The ssl_verify setting is applied to the HTTPS connection
+    # The custom_llm_provider ensures proper routing through LiteLLM
+
+
+if __name__ == "__main__":
+    # Example 1: Direct configuration
+    print("Example 1: Direct configuration")
+    llm = create_enterprise_llm()
+    print(f"Created LLM with model: {llm.model}")
+    print(f"Base URL: {llm.base_url}")
+    print(f"SSL Verify: {llm.ssl_verify}")
+    print(f"Extra headers configured: {bool(llm.extra_headers)}")
+
+    # Example 2: Environment variable configuration
+    print("\nExample 2: Environment variable configuration")
+    # Set example environment variables (normally these would be set externally)
+    os.environ["LLM_MODEL"] = "openai/gpt-4"
+    os.environ["LLM_BASE_URL"] = "https://api-gateway.example.com/v1"
+    os.environ["LLM_SSL_VERIFY"] = "false"
+    os.environ["LLM_CUSTOM_LLM_PROVIDER"] = "openai"
+    os.environ["LLM_EXTRA_HEADERS"] = '{"x-api-key": "secret123"}'
+
+    llm_env = LLM.load_from_env()
+    print(f"Created LLM from env with model: {llm_env.model}")
+    print(f"Base URL: {llm_env.base_url}")
+    print(f"SSL Verify: {llm_env.ssl_verify}")
+    print(f"Extra headers: {llm_env.extra_headers}")

openhands-sdk/openhands/sdk/llm/llm.py

@@ -166,6 +166,14 @@ class LLM(BaseModel, RetryMixin, NonNativeToolCallingMixin):
     )
     ollama_base_url: str | None = Field(default=None)
 
+    ssl_verify: bool | str | None = Field(
+        default=None,
+        description=(
+            "TLS verification forwarded to LiteLLM; "
+            "set to False when corporate proxies break certificate chains."
+        ),
+    )
+
     drop_params: bool = Field(default=True)
     modify_params: bool = Field(
         default=True,
@@ -455,10 +463,13 @@ def completion(
         assert self._telemetry is not None
         log_ctx = None
         if self._telemetry.log_enabled:
+            sanitized_kwargs = {
+                k: v for k, v in call_kwargs.items() if k != "extra_headers"
+            }
             log_ctx = {
                 "messages": formatted_messages[:],  # already simple dicts
                 "tools": tools,
-                "kwargs": {k: v for k, v in call_kwargs.items()},
+                "kwargs": sanitized_kwargs,
                 "context_window": self.max_input_tokens or 0,
             }
             if tools and not use_native_fc:
@@ -566,11 +577,14 @@ def responses(
         assert self._telemetry is not None
         log_ctx = None
         if self._telemetry.log_enabled:
+            sanitized_kwargs = {
+                k: v for k, v in call_kwargs.items() if k != "extra_headers"
+            }
             log_ctx = {
                 "llm_path": "responses",
                 "input": input_items[:],
                 "tools": tools,
-                "kwargs": {k: v for k, v in call_kwargs.items()},
+                "kwargs": sanitized_kwargs,
                 "context_window": self.max_input_tokens or 0,
             }
         self._telemetry.on_request(log_ctx=log_ctx)
@@ -602,7 +616,9 @@ def _one_attempt(**retry_kwargs) -> ResponsesAPIResponse:
                         else None,
                         api_base=self.base_url,
                         api_version=self.api_version,
+                        custom_llm_provider=self.custom_llm_provider,
                         timeout=self.timeout,
+                        ssl_verify=self.ssl_verify,
                         drop_params=self.drop_params,
                         seed=self.seed,
                         **final_kwargs,
@@ -670,7 +686,9 @@ def _transport_call(
                     api_key=self.api_key.get_secret_value() if self.api_key else None,
                     api_base=self.base_url,
                     api_version=self.api_version,
+                    custom_llm_provider=self.custom_llm_provider,
                     timeout=self.timeout,
+                    ssl_verify=self.ssl_verify,
                     drop_params=self.drop_params,
                     seed=self.seed,
                     messages=messages,
@@ -932,6 +950,7 @@ def load_from_json(cls, json_path: str) -> LLM:
     @classmethod
     def load_from_env(cls, prefix: str = "LLM_") -> LLM:
         TRUTHY = {"true", "1", "yes", "on"}
+        FALSY = {"false", "0", "no", "off"}
 
         def _unwrap_type(t: Any) -> Any:
             origin = get_origin(t)
@@ -940,31 +959,44 @@ def _unwrap_type(t: Any) -> Any:
             args = [a for a in get_args(t) if a is not type(None)]
             return args[0] if args else t
 
-        def _cast_value(raw: str, t: Any) -> Any:
-            t = _unwrap_type(t)
+        def _cast_value(field_name: str, raw: str, annotation: Any) -> Any:
+            stripped = raw.strip()
+            lowered = stripped.lower()
+            if field_name == "ssl_verify":
+                if lowered in TRUTHY:
+                    return True
+                if lowered in FALSY:
+                    return False
+                return stripped
+
+            t = _unwrap_type(annotation)
             if t is SecretStr:
-                return SecretStr(raw)
+                return SecretStr(stripped)
             if t is bool:
-                return raw.lower() in TRUTHY
+                if lowered in TRUTHY:
+                    return True
+                if lowered in FALSY:
+                    return False
+                return None
             if t is int:
                 try:
-                    return int(raw)
+                    return int(stripped)
                 except ValueError:
                     return None
             if t is float:
                 try:
-                    return float(raw)
+                    return float(stripped)
                 except ValueError:
                     return None
             origin = get_origin(t)
             if (origin in (list, dict, tuple)) or (
                 isinstance(t, type) and issubclass(t, BaseModel)
             ):
                 try:
-                    return json.loads(raw)
+                    return json.loads(stripped)
                 except Exception:
                     pass
-            return raw
+            return stripped
 
         data: dict[str, Any] = {}
         fields: dict[str, Any] = {
@@ -979,7 +1011,7 @@ def _cast_value(raw: str, t: Any) -> Any:
             field_name = key[len(prefix) :].lower()
             if field_name not in fields:
                 continue
-            v = _cast_value(value, fields[field_name])
+            v = _cast_value(field_name, value, fields[field_name])
             if v is not None:
                 data[field_name] = v
         return cls(**data)