fix(llm): mask api_key in BaseLLM.__repr__ #6270

Open
wufengwind wants to merge 1 commit into crewAIInc:main from wufengwind:fix/llm-api-key-repr
@wufengwind wufengwind commented Jun 21, 2026

Prevent API key exposure in logs and debug output when LLM objects are printed or logged.

Summary by CodeRabbit

  • Bug Fixes
    • Masked sensitive API credential values in language model instance repr() output to prevent accidental exposure.
  • Tests
    • Added unit coverage to confirm API keys are redacted in repr() results.

@corridor-security corridor-security Bot left a comment

Summary: This PR adds a custom BaseLLM.__repr__ that masks the api_key field before rendering LLM objects.

Risk: Low risk. The change reduces accidental credential exposure in debug output and does not introduce new authentication, authorization, data-handling, or externally reachable attack surfaces; no exploitable security vulnerabilities were identified.

@coderabbitai

coderabbitai Bot commented Jun 21, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: b137cb80-9dc6-47b3-8a31-b592455a6d3c

📥 Commits

Reviewing files that changed from the base of the PR and between 00a4869 and 56dda1f.

📒 Files selected for processing (2)
  • lib/crewai/src/crewai/llms/base_llm.py
  • lib/crewai/tests/test_custom_llm.py
🚧 Files skipped from review as they are similar to previous changes (2)
  • lib/crewai/src/crewai/llms/base_llm.py
  • lib/crewai/tests/test_custom_llm.py

📝 Walkthrough

Adds a __repr__ method to the BaseLLM class that calls model_dump() to produce a dict representation of the instance and redacts any truthy api_key value by replacing it with "***" before returning the formatted string. A unit test validates that the raw API key is not exposed in the repr output. The test file also reformats CustomLLM.acall to multi-line signature with docstring.

Changes

BaseLLM string representation

| Layer / File(s) | Summary |
| --- | --- |
| __repr__ with api_key masking (lib/crewai/src/crewai/llms/base_llm.py, lib/crewai/tests/test_custom_llm.py) | Implements __repr__ on BaseLLM that serializes the instance via model_dump(), masks the api_key field with "***" when truthy, and returns a string combining the class name with the resulting dict. A new test validates that the raw API key is absent from the repr output while the masked form is present. Test file also reformats CustomLLM.acall to multi-line async method with docstring. |

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly and accurately describes the main change: masking API keys in BaseLLM.__repr__ method, which is the security-focused fix central to this PR. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 83.33% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@wufengwind wufengwind force-pushed the fix/llm-api-key-repr branch from 3ede8ae to 00a4869 Compare June 21, 2026 05:49
Prevent API key exposure in logs and debug output when LLM objects are printed or logged.
@wufengwind wufengwind force-pushed the fix/llm-api-key-repr branch from 00a4869 to 56dda1f Compare June 21, 2026 06:03
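
The masking the walkthrough describes, and where it stops applying, as an added example that is not code from this pull request or from crewAI. `MaskedReprMixin`, `DemoLLM`, `capture_log` and the key value are hypothetical, and `DemoLLM.model_dump()` is a stand-in for the Pydantic method of the same name.

```python
import io
import logging


class MaskedReprMixin:
    """Masks a truthy api_key in repr(), following the PR walkthrough."""

    def __repr__(self) -> str:
        data = self.model_dump()       # dict view of the instance
        if data.get("api_key"):        # only truthy values are replaced
            data["api_key"] = "***"
        return f"{type(self).__name__}({data})"


class DemoLLM(MaskedReprMixin):
    """Hypothetical stand-in for an LLM class; not crewAI's BaseLLM."""

    def __init__(self, model, api_key=None):
        self.model = model
        self.api_key = api_key

    def model_dump(self) -> dict:
        # Stand-in for Pydantic's model_dump(): returns a fresh dict each call.
        return {"model": self.model, "api_key": self.api_key}


def capture_log(fmt, *args) -> str:
    """Emit one record through the logging module and return the formatted text."""
    stream = io.StringIO()
    logger = logging.getLogger("repr_mask_demo")
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    logger.addHandler(handler)
    logger.setLevel(logging.DEBUG)
    try:
        logger.debug(fmt, *args)
    finally:
        logger.removeHandler(handler)
    return stream.getvalue()


SECRET = "sk-constructed-not-a-real-key"   # constructed sample value
llm = DemoLLM("demo-model", api_key=SECRET)

masked = capture_log("using %r", llm)                 # formatted via __repr__
dumped = capture_log("config=%s", llm.model_dump())   # bypasses __repr__
in_container = repr([llm])                            # list repr calls repr() on items
```

The `dumped` record still carries the key, because the override only covers code paths that go through `repr()` on the object; logging the dumped dict or the attribute itself is untouched by it.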