feat: query LiteLLM proxy for per-instance ACP costs via virtual keys

[simonrosenberg]

Summary

Adds per-instance LiteLLM virtual key tracking to get exact costs from the proxy for ACP agents (Codex, Gemini CLI) that don't report costs natively through the ACP protocol.

Also includes changes from #602 (content-hash assembly tags) to prevent stale image bugs when rebuilding.

How it works

1. Before each instance: create a virtual key via POST /key/generate (with $50 safety cap)
2. Pass the key to ACP agents via acp_env — overrides the provider API key from _get_acp_env() so the proxy tracks spend independently
3. After instance completes: query exact spend via GET /key/info?key=..., store as proxy_cost in test_result
4. Cleanup: delete the key via POST /key/delete

Design decisions

• Thread-safe: uses threading.local for virtual key storage — each worker thread tracks its own key without global state mutation
• Fail-hard when configured: if the proxy is configured but virtual key creation fails, raises RuntimeError instead of silently falling back to real provider keys
• No-op when unconfigured: all functions return None when LLM_API_MASTER_KEY / LLM_BASE_URL are unset
• Builds on _get_acp_env(): starts with provider credentials from the merged forward_env removal, then overrides API keys with the virtual key when available

Files changed

File	Change
benchmarks/utils/litellm_proxy.py	New — virtual key CRUD + thread-local storage
benchmarks/utils/acp.py	build_acp_agent() injects virtual key via acp_env, layered on _get_acp_env()
benchmarks/utils/evaluation.py	_execute_single_attempt() hooks key lifecycle
tests/test_litellm_proxy.py	New — unit tests for all proxy functions + thread isolation
benchmarks/utils/version.py	Content-hash support from #602
tests/test_version.py	Tests for phased image tag prefix
benchmarks/swebench/run_infer.py	Use get_phased_image_tag_prefix()
benchmarks/swtbench/run_infer.py	Use get_phased_image_tag_prefix()
benchmarks/swebenchmultimodal/run_infer.py	Use get_phased_image_tag_prefix()

Companion PRs

• Benchmarks: fix: include content hash in assembly image tags #602 (content-hash assembly tags) — merged into this branch
• Evaluation: OpenHands/evaluation add-llm-api-master-key — injects LLM_API_MASTER_KEY from SOPS secret into K8s pod env via Helm chart

Validated: proxy_cost works end-to-end

Validation run: swebench n=10 with acp-gemini

• SDK workflow: 23879934365
• Eval workflow: 23879947950
• K8s job: eval-23879947950-gemini-3-f (Complete, 50m)
• GCS results: gs://openhands-evaluation-results/swebench/litellm_proxy-gemini-3-flash-preview/23879947950/
• Result: 10/10 completed, 10/10 resolved, 0 errors

All 10 instances have proxy_cost in test_result:

Instance	proxy_cost (actual)	accumulated_cost (SDK est.)	Ratio
django__django-12155	$0.0669	$0.1351	49.5%
django__django-13279	$0.0894	$0.2835	31.5%
django__django-13670	$0.2320	$0.5616	41.3%
scikit-learn__scikit-learn-13439	$0.1946	$0.5055	38.5%
django__django-14434	$0.2541	$0.6566	38.7%
sphinx-doc__sphinx-7757	$0.2041	$0.5597	36.5%
django__django-11999	$0.2276	$0.5949	38.3%
scikit-learn__scikit-learn-25973	$0.2010	$0.3820	52.6%
scikit-learn__scikit-learn-25232	$0.4276	$1.3790	31.0%
sympy__sympy-15599	$0.4572	$1.4744	31.0%
TOTAL	$2.3546	$6.5322	36.1%

Why proxy_cost differs from accumulated_cost

The SDK's accumulated_cost for ACP agents is unreliable for two reasons:

1. Wrong pricing: SDK prices "acp-managed" at $0.50/M input + $3.00/M output (generic fallback). Gemini Flash actual pricing is $0.075/M input + $0.30/M output — 6.7x to 10x overpriced per token.

2. Under-reported tokens: ACP only reports final-response token counts. The gemini CLI internally uses ~2.5x more tokens (thinking, tool calls, retries) that it doesn't report back.

These errors partially cancel out (overpriced × under-counted), but the SDK estimate is still 2.8x too high. The proxy_cost from the LiteLLM virtual key is the only reliable cost metric for ACP agents.

Previous validation runs

• eval_limit=1 codex: proxy_cost=$0.014112 confirmed (run 23877049978)
• eval_limit=3 gemini: proxy_cost confirmed on 1/3 instances, 2/3 failed due to stale images missing gemini CLI (motivating fix: include content hash in assembly image tags #602)

Test plan

• All existing tests pass (pytest tests/)
• Unit tests for virtual key CRUD + thread isolation (test_litellm_proxy.py)
• Unit tests for phased image tag prefix (test_version.py)
• Pre-commit passes
• Production validated: 10/10 swebench instances with acp-gemini have proxy_cost in output
• Thread-local storage isolation verified
• Backward compatible: no-op when LLM_API_MASTER_KEY is unset
• Fails hard when proxy is configured but key creation fails

Closes #592

🤖 Generated with Claude Code

[all-hands-bot]

🟡 Acceptable - Solid engineering that solves a real problem, but missing unit tests.

What's Good:

• Solves a real problem: exact cost tracking from proxy vs token-count estimates
• Thread-safe design using threading.local instead of global state mutation
• Backward compatible: all functions no-op when LITELLM_MASTER_KEY unset
• Clean data structure: virtual key in thread-local → acp_env injection (no env pollution)
• Pragmatic error handling: logs warnings, doesn't crash evaluation
• Evidence provided: validation shows $0.014112 tracked vs $0.00 from SDK

Main Gap:
The new benchmarks/utils/litellm_proxy.py module has no unit tests. The validation script is useful but not a substitute for tests in the test suite. When this codebase adds new modules with public functions (create_virtual_key, get_key_spend, delete_key, thread-local accessors), those should have corresponding tests.

Verdict: Worth merging - the design is sound and solves a real problem. Tests can be added in a follow-up, but they shouldn't be skipped indefinitely.

[all-hands-bot]

🟡 Acceptable - Pragmatic design that solves a real problem, but still missing unit tests after previous review.

What's Good:

• Thread-local storage is the right data structure for this problem
• Clean fail-open error handling (logs warnings, doesn't crash evals)
• Backward compatible by design (all functions no-op when unconfigured)
• Evidence shows it works end-to-end ($0.014 tracked from real Codex run)

What's Not:
You're adding ~160 lines of infrastructure code with HTTP requests, error handling, and thread-local state management. The previous review already flagged missing unit tests. They're still missing.

[all-hands-bot]

🟡 Acceptable - Comprehensive tests added (addresses previous review), solid thread-safe design. However, the PR description lists changes to models.py, report_costs.py, and validate_virtual_keys.py that aren't in this diff. Also, clarify the LITELLM_MASTER_KEY vs LLM_API_KEY naming.

[all-hands-bot]

🟡 Suggestion: The PR description says infrastructure needs LITELLM_MASTER_KEY, but the code expects LLM_API_KEY. Either:

1. Update the docstring to clarify: "LLM_API_KEY should be set to the LiteLLM master key with admin permissions", or
2. Update the PR description to say the K8s secret should be exposed as LLM_API_KEY

This prevents deployment confusion when someone reads the PR description but doesn't see the env var they expect in the code.

[simonrosenberg]

This was fixed in a subsequent commit — the code now uses LLM_API_MASTER_KEY (a dedicated SOPS secret), and the module docstring matches:

Requires:
    - LLM_BASE_URL: The LiteLLM proxy URL (existing env var)
    - LLM_API_MASTER_KEY: Admin key for virtual key management (SOPS secret)

The Helm chart in OpenHands/evaluation add-llm-api-master-key injects LLM_API_MASTER_KEY from the SOPS-encrypted K8s secret into the pod env.

[all-hands-bot]

🟢 Good taste - Clean thread-safe design solving a real production problem.

Data Structure: Thread-local storage is the correct choice for isolated worker state. Clear ownership and lifecycle (create → use → query → delete). No shared mutable state.

Evidence: Strong production validation (10/10 instances with exact costs, $2.35 actual vs $6.53 SDK estimate). Real problem, real solution.

Pragmatism: Backward compatible (no-op when unconfigured), fail-hard where critical (key creation), fail-soft where acceptable (cleanup/query). Tests are comprehensive.

VERDICT: ✅ Worth merging - solid engineering with minor notes below.

[all-hands-bot]

🟡 Suggestion: Importing from swebench.build_base_images creates an architectural dependency from the general utils/version module to a benchmark-specific module. This is pragmatic for the documented use case ("phased-build benchmarks") and the lazy import avoids loading it unnecessarily, but it's worth noting this couples the modules. Acceptable trade-off given the clear documentation.

[all-hands-bot]

🟢 Acceptable: Fail-hard error handling on key creation is the RIGHT choice - if you can't create a virtual key when the proxy is configured, that's a critical failure. The asymmetric design (fail-hard create, fail-soft cleanup/query) is intentional and correct.

[all-hands-bot]

🟢 Acceptable: Creating the virtual key before workspace prep means if prep fails, you create/delete a key unnecessarily. Previous review noted this - it's a pragmatic choice that keeps the code simple. The cost is negligible (one extra HTTP round-trip on failure path), and the clarity is worth it.