Overview
Currently, evaluation monitors allow users to configure custom LLM API keys directly, storing encrypted credentials in the database. This needs to be replaced with the org-level AI Gateway LLM provider pattern already used by agents.
Goals
- Remove custom LLM credential input from evaluation monitors
- Allow monitors to use LLM providers registered at the org level via the AI Gateway (same as agents)
- Store proxy API keys in the OpenBao key manager instead of encrypting them in the database (see the storage sketch after this list)
- Create a monitor-level LLM proxy to enable per-monitor guardrails (rate limiting, etc.)
- Support all LLM providers supported by the gateway (OpenAI, Anthropic, Gemini, Mistral, AWS Bedrock, Azure OpenAI, Azure AI Foundry)
- Disable LLM-judge evaluators in the frontend until an LLM provider is configured for the monitor
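As a rough sketch of the OpenBao storage goal: OpenBao keeps API compatibility with HashiCorp Vault, so a per-monitor proxy key can be written to a KV v2 secrets engine with the standard `hvac` client. The mount point, secret path layout, and field name below are assumptions, not a final convention.

```python
# Sketch only: store a per-monitor proxy API key in OpenBao (KV v2).
# OpenBao is Vault-API-compatible, so the hvac client works against it.
# Mount point, path layout, and field names are assumptions.
import os

import hvac


def store_proxy_key(monitor_id: str, proxy_api_key: str) -> None:
    client = hvac.Client(
        url=os.environ["OPENBAO_ADDR"],    # e.g. http://openbao:8200
        token=os.environ["OPENBAO_TOKEN"],
    )
    # Hypothetical path convention: one secret per monitor proxy.
    client.secrets.kv.v2.create_or_update_secret(
        mount_point="secret",              # assumed KV v2 mount
        path=f"monitors/{monitor_id}/llm-proxy",
        secret={"api_key": proxy_api_key},
    )
```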
Approach
Mirror the existing agent LLM provider pattern:
- Org-level LLM providers → per-monitor LLM proxies deployed to the gateway
- Proxy API keys stored in OpenBao, resolved at workflow execution time
- Injected as LiteLLM-compatible env vars into the evaluation job container
- New `monitor_llm_mapping` junction table to track monitor ↔ proxy associations (migration sketch below)
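The junction table could be introduced with a migration along these lines. `monitor_llm_mapping` comes from this plan; the column names, foreign-key targets, and the use of Alembic are assumptions to be settled during implementation.

```python
# Sketch of the monitor_llm_mapping junction table as an Alembic migration.
# Column names and foreign-key targets are assumptions.
# Revision identifiers omitted for brevity.
import sqlalchemy as sa
from alembic import op


def upgrade() -> None:
    op.create_table(
        "monitor_llm_mapping",
        sa.Column("monitor_id", sa.String, sa.ForeignKey("monitors.id"), nullable=False),
        sa.Column("proxy_id", sa.String, sa.ForeignKey("llm_proxies.id"), nullable=False),
        sa.Column("created_at", sa.DateTime(timezone=True), server_default=sa.func.now()),
        # One proxy association per (monitor, proxy) pair.
        sa.PrimaryKeyConstraint("monitor_id", "proxy_id"),
    )


def downgrade() -> None:
    op.drop_table("monitor_llm_mapping")
```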
Impact
- Backend: New DB migration, repository, and proxy lifecycle management in the monitor manager service
- Executor: Read proxy secrets from OpenBao at runtime and pass them as workflow parameters (see the runtime sketch after this list)
- Frontend: Replace credential input form with an LLM provider picker; disable LLM-judge when no provider is set
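To make the executor change concrete, a minimal sketch of runtime resolution follows, assuming the same hypothetical secret path as above and an OpenAI-compatible route on the gateway. LiteLLM reads `OPENAI_API_KEY` and `OPENAI_API_BASE` for OpenAI-compatible endpoints, which is why those variable names are used; the helper name and gateway URL shape are illustrative only.

```python
# Sketch: resolve a monitor's proxy key from OpenBao at workflow start and
# build LiteLLM-compatible env vars for the evaluation job container.
# The helper name, secret path, and gateway route are assumptions.
import os

import hvac


def build_llm_env(monitor_id: str, gateway_url: str) -> dict[str, str]:
    client = hvac.Client(
        url=os.environ["OPENBAO_ADDR"],
        token=os.environ["OPENBAO_TOKEN"],
    )
    secret = client.secrets.kv.v2.read_secret_version(
        mount_point="secret",
        path=f"monitors/{monitor_id}/llm-proxy",
    )
    api_key = secret["data"]["data"]["api_key"]
    # The per-monitor proxy is treated as an OpenAI-compatible endpoint.
    return {
        "OPENAI_API_KEY": api_key,
        "OPENAI_API_BASE": f"{gateway_url}/monitors/{monitor_id}",  # assumed route
    }
```

The returned map would then be passed as workflow parameters and surfaced as environment variables in the evaluation job container spec.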