LCORE-861: Azure Entra ID token managment #988

asimurka · 2026-01-13T16:15:23Z

Description

This PR brings the new functionality of Azure Entra ID authentication.
Part of it is also the management of the automatic enrichment of the llama stack config with the BYOK section from the LCS config, which shares the principle with the dynamic injection of access tokens.
Since Llama Stack needs a valid Azure API key already at the start of the service, it was necessary to add mechanisms to generate the initial access token even before the start of the Llama Stack service. This works for both library and service mode.
Documentation is also part of it, which discusses in detail the workflow of access tokens for both deployment modes and provides examples of configs for local deployment.

Type of change

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

Assisted-by: (Cursor
Generated by: (e.g., tool name and version; N/A if not used)

Related Tickets & Documents

Related Issue #
Closes # LCORE-864 LCORE-862 LCORE-863 LCORE-865 LCORE-867 LCORE-866 LCORE-779

Checklist before requesting a review

I have performed a self-review of my code.
PR has passed all pre-merge test jobs.
If it is a core feature, I have added thorough tests.

Testing

Please provide detailed steps to perform tests related to this code change.
How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

Release Notes

New Features
- Added Azure Entra ID authentication support for Azure OpenAI inference, replacing API key-based authentication with tenant/client credentials.
- Introduced automatic token refresh management for Azure Entra ID sessions.
- Added support for library-mode client reloading with dynamic provider configuration updates.
Documentation
- Added comprehensive Azure Provider Entra ID Authentication Guide covering configuration, deployment, and security considerations.
- Updated LLM provider compatibility table with Azure model availability information.
Dependencies
- Added azure-core and azure-identity packages for Entra ID authentication support.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

coderabbitai · 2026-01-13T16:15:28Z

Walkthrough

This PR introduces Azure Entra ID token management to replace static API key environment variables. It adds a singleton AzureEntraIDManager for token lifecycle handling, integrates token refresh into query endpoints, updates Docker and workflow configurations with separate credential variables, provides example configurations for different deployment modes, and includes comprehensive documentation and tests for the new authentication flow.

Changes

Cohort / File(s)	Summary
Azure Token Management Core `src/authorization/azure_token_manager.py`, `src/models/config.py`	Added AzureEntraIDManager singleton class with token caching, expiration tracking (30-second leeway), and async refresh via ClientSecretCredential. Introduced AzureEntraIdConfiguration model with tenant_id, client_id, client_secret, and scope fields.
Application Startup & Configuration `src/main.py`, `src/configuration.py`, `src/lightspeed_stack.py`	Integrated AzureEntraIDManager initialization at app startup to refresh tokens and populate AZURE_API_KEY environment variable. Added azure_entra_id property to AppConfig. Removed legacy Llama Stack configuration generation CLI flags.
Query & Streaming Endpoints `src/app/endpoints/query.py`, `src/app/endpoints/query_v2.py`, `src/app/endpoints/streaming_query.py`	Added Azure token refresh checks before API calls; if token expired, refreshes and reloads library client or updates provider data with new credentials. Removed informational OpenAI response logging.
Client Lifecycle Management `src/client.py`	Added reload_library_client() and update_provider_data() methods to AsyncLlamaStackClientHolder; refactored client initialization to support library vs service modes; added config enrichment for BYOK RAG with dynamic reload capability.
Llama Stack Configuration Integration `src/llama_stack_configuration.py`	Introduced setup_azure_entra_id_token() to write AZURE_API_KEY to env file; refactored BYOK RAG enrichment; updated generate_configuration() to handle Azure token setup and config enrichment; changed BYOK RAG typing from strongly-typed to dict-based.
Container & Deployment `test.containerfile`, `scripts/llama-stack-entrypoint.sh`	Added azure-identity pip dependency; created entrypoint script to enrich llama-stack config when lightspeed config present; copied configuration and entrypoint scripts into image with proper permissions.
Docker Compose Configuration `docker-compose.yaml`, `docker-compose-library.yaml`	Replaced AZURE_API_KEY environment variable with separate TENANT_ID, CLIENT_ID, CLIENT_SECRET credentials in both services; added lightspeed-stack.yaml volume mount; updated comments to reflect dynamic token retrieval.
Makefile & Build `Makefile`	Added CONFIG and LLAMA_STACK_CONFIG default variables; updated run target to pass -c $(CONFIG) flag; introduced new run-llama-stack target for service initialization with env extraction.
CI/CD Workflows `.github/workflows/e2e_tests.yaml`, `.github/workflows/e2e_tests_providers.yaml`	Updated message text to reference run-${{ matrix.environment }}.yaml; added Azure Entra ID config injection step for azure environment; removed explicit Azure API token retrieval; replaced AZURE_API_KEY with TENANT_ID, CLIENT_ID, CLIENT_SECRET in Run services steps.
Example Configurations `examples/azure-run.yaml`, `examples/lightspeed-stack-azure-entraid-lib.yaml`, `examples/lightspeed-stack-azure-entraid-service.yaml`	Substantially rewrote azure-run.yaml with new provider structure, storage paths, vector_io support; added two new example YAMLs for library and service modes with Azure Entra ID credentials wired to environment variables.
Documentation `docs/providers.md`, `README.md`	Added comprehensive Azure Provider Entra ID Authentication Guide covering configuration, token lifecycle, deployment workflows, security considerations; updated LLM provider compatibility table rows for Azure.
Unit Tests `tests/unit/authorization/test_azure_token_manager.py`, `tests/unit/test_configuration.py`, `tests/unit/test_client.py`, `tests/unit/test_llama_stack_configuration.py`, `tests/unit/models/config/test_dump_configuration.py`	Added comprehensive token manager tests (singleton, expiration, refresh, error handling); added configuration validation tests for azure_entra_id field; updated client tests for reload/update functionality; adapted BYOK RAG tests to dict-based structures; updated config dump tests for new azure_entra_id field.
E2E Test Configuration & Code `tests/e2e/configs/run-azure.yaml`, `tests/e2e/configuration/library-mode/`, `tests/e2e/configuration/server-mode/`, `tests/e2e/features/steps/info.py`	Minor formatting and whitespace normalization in test configs; updated info.py step to use hardcoded "openai/gpt-4o-mini" assertion instead of dynamic provider/model composition.
Dependencies `pyproject.toml`	Added azure-core and azure-identity package dependencies.

Sequence Diagram(s)

sequenceDiagram
    participant Client as API Client
    participant Main as App Main
    participant AEM as AzureEntraIDManager
    participant Endpoint as Query Endpoint
    participant LlamaStack as Llama Stack Service
    
    Note over Main: Application Startup
    Main->>AEM: set_config(azure_config)
    Main->>AEM: refresh_token()
    AEM->>AEM: _retrieve_access_token() via ClientSecretCredential
    AEM->>AEM: _update_access_token() store in AZURE_API_KEY env
    Main->>Main: AZURE_API_KEY set in environment
    
    Note over Client,Main: Request Processing
    Client->>Endpoint: POST /query
    Endpoint->>AEM: check is_token_expired
    alt Token Expired
        Endpoint->>AEM: refresh_token()
        AEM->>AEM: fetch new token via credentials
        AEM->>AEM: store in AZURE_API_KEY
        Endpoint->>Endpoint: reload_library_client or update_provider_data
    end
    Endpoint->>LlamaStack: call with refreshed credentials
    LlamaStack-->>Endpoint: response
    Endpoint-->>Client: response

sequenceDiagram
    participant Script as llama-stack-entrypoint.sh
    participant Config as llama_stack_configuration.py
    participant Enricher as ConfigEnricher
    participant Container as Llama Stack Container
    
    Note over Script: Container Startup
    Script->>Script: Check if lightspeed config present
    alt Lightspeed Config Exists
        Script->>Config: execute generate_configuration()
        Config->>Enricher: setup_azure_entra_id_token()
        Enricher->>Enricher: retrieve creds from environment
        Enricher->>Enricher: write AZURE_API_KEY to .env
        Config->>Enricher: enrich_byok_rag()
        Enricher->>Enricher: construct vector_dbs & vector_io
        Config->>Config: write enriched YAML
        Script->>Script: source generated .env (optional)
        Script->>Container: exec llama-stack with enriched config
    else No Lightspeed Config
        Script->>Container: exec llama-stack with original config
    end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

LCORE-332: Lightspeed core needs to fully support WatsonX LLM provider #943 — Modifies src/app/endpoints/query.py for client/token handling and updates e2e workflow configuration similarly.
LCORE-642: Llama Stack configuration regeneration #651 — Modifies src/llama_stack_configuration.py BYOK RAG enrichment functions with overlapping construct_vector_dbs_section and construct_vector_io_providers_section changes.
LCORE-331: Azure inference supported #654 — Updates Azure inference integration across workflows and docker-compose, transitioning credential management approach (complements this PR's dynamic token strategy).

Suggested labels

needs-ok-to-test

Suggested reviewers

radofuchs
tisnik

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'LCORE-861: Azure Entra ID token managment' accurately reflects the main objective of implementing Azure Entra ID authentication and token management, though it contains a typo ('managment' should be 'management').
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

📝 Generate docstrings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

asimurka · 2026-01-14T09:00:56Z

.github/workflows/e2e_tests_providers.yaml

          echo "=== Recent commits ==="
          git log --oneline -5

+      - name: Add Azure Entra ID config block to all test configs


The same set of LCS config files is shared across all the test jobs. Thus the Entra ID config block has to be added only to the relevant test jobs.

asimurka · 2026-01-14T09:07:03Z

src/authorization/azure_token_manager.py

+    def _update_access_token(self, token: str, expires_on: int) -> None:
+        """Update the token in env var and track expiration time."""
+        self._expires_on = expires_on - TOKEN_EXPIRATION_LEEWAY
+        os.environ["AZURE_API_KEY"] = token


Azure token is stored only as an environment variable (single source of truth principle). Every uvicorn process should have its own scope for environment variables. Environment variable is used for the injection into LLS config.

asimurka · 2026-01-14T09:12:18Z

src/client.py

+    def update_provider_data(self, updates: dict[str, str]) -> AsyncLlamaStackClient:
+        """Update provider data headers for service client.
+
+        For use with service mode only.


Different principle for service client then for library client. The re-injection of a new access token would need to restart the whole service, which is not feasible. Therefore, it replaces tokens in providers' header which is preferably used.

asimurka · 2026-01-14T09:13:37Z

src/lightspeed_stack.py

-    # configuration for Llama Stack
-    if args.generate_llama_stack_configuration:
-        try:
-            generate_configuration(


Moved to src/llama_stack_configuration.py

coderabbitai

Actionable comments posted: 7

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)

src/lightspeed_stack.py (2)

26-40: Docstring references removed CLI flags.

The docstring still documents the removed -g/--generate-llama-stack-configuration, -i/--input-config-file, and -o/--output-config-file flags (lines 33-36) that are no longer part of the argument parser.

📝 Suggested fix

 def create_argument_parser() -> ArgumentParser:
     """Create and configure argument parser object.

     The parser includes these options:
     - -v / --verbose: enable verbose output
     - -d / --dump-configuration: dump the loaded configuration to JSON and exit
     - -c / --config: path to the configuration file (default "lightspeed-stack.yaml")
-    - -g / --generate-llama-stack-configuration: generate a Llama Stack
-                                                 configuration from the service configuration
-    - -i / --input-config-file: Llama Stack input configuration filename (default "run.yaml")
-    - -o / --output-config-file: Llama Stack output configuration filename (default "run_.yaml")

     Returns:
         Configured ArgumentParser for parsing the service CLI options.
     """

69-86: Docstring references removed functionality.

The main() docstring still references --generate-llama-stack-configuration behavior (lines 77-79) and mentions "Llama Stack generation fails" as a SystemExit condition (lines 84-85), but this functionality has been moved to src/llama_stack_configuration.py.

📝 Suggested fix

 def main() -> None:
     """Entry point to the web service.

     Start the Lightspeed Core Stack service process based on CLI flags and configuration.

     Parses command-line arguments, loads the configured settings, and then:
     - If --dump-configuration is provided, writes the active configuration to
       configuration.json and exits (exits with status 1 on failure).
-    - If --generate-llama-stack-configuration is provided, generates and stores
-      the Llama Stack configuration to the specified output file and exits
-      (exits with status 1 on failure).
     - Otherwise, sets LIGHTSPEED_STACK_CONFIG_PATH for worker processes, starts
       the quota scheduler, and starts the Uvicorn web service.

     Raises:
-        SystemExit: when configuration dumping or Llama Stack generation fails
-                    (exits with status 1).
+        SystemExit: when configuration dumping fails (exits with status 1).
     """

tests/unit/test_client.py (2)

53-66: Missing @pytest.mark.asyncio decorator.

This async test function is missing the @pytest.mark.asyncio decorator, which could cause it to not execute properly as an async test.
Proposed fix
+@pytest.mark.asyncio
 async def test_get_async_llama_stack_remote_client() -> None:
69-83: Missing @pytest.mark.asyncio decorator.

Same issue as above - this async test function needs the @pytest.mark.asyncio decorator.
Proposed fix
+@pytest.mark.asyncio
 async def test_get_async_llama_stack_wrong_configuration() -> None:

🤖 Fix all issues with AI agents

In `@docs/providers.md`:
- Around line 87-89: The YAML example uses AZURE_TENANT_ID / AZURE_CLIENT_ID /
AZURE_CLIENT_SECRET but the bash export example uses TENANT_ID / CLIENT_ID /
CLIENT_SECRET; make them consistent by renaming the bash exports to
AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET (or alternately rename
the YAML keys to the non-prefixed names) and update all occurrences (including
the other instance noted) or add a brief note explaining the intentional
difference so readers aren’t confused.

In `@examples/azure-run.yaml`:
- Around line 71-77: The YAML uses an outdated Azure OpenAI api_version value;
update the api_version field under the inference -> config block (the entry with
provider_id: azure and provider_type: remote::azure) to a current release—e.g.,
set api_version to "2025-04-01-preview" for the data-plane or "2025-06-01" if
you need control-plane GA features—so the inference provider uses a supported
API version.

In `@scripts/llama-stack-entrypoint.sh`:
- Around line 7-10: The issue is that INPUT_CONFIG and ENRICHED_CONFIG can point
to the same file so the existence check for ENRICHED_CONFIG can be true even
when enrichment failed; update the script so ENRICHED_CONFIG uses a distinct
default path (e.g., a different filename) or capture the enrichment script's
exit status instead of suppressing errors with "|| true" and use that exit code
to decide whether to treat the output as enriched; refer to the variables
INPUT_CONFIG and ENRICHED_CONFIG and the enrichment invocation (the command
currently followed by "|| true") and the conditional "if [ -f
\"$ENRICHED_CONFIG\" ]" when making the change.

In `@src/app/endpoints/query.py`:
- Around line 319-339: The current code uses next(...) to find azure_config and
will raise StopIteration if no provider with provider_type == "remote::azure"
exists and may convert a missing api_base into the string "None"; change the
lookup to a safe search (e.g., use next((p.config for p in await
client.providers.list() if p.provider_type == "remote::azure"), None) or
explicitly iterate and return None if not found), then check that azure_config
is not None before calling client_holder.update_provider_data (handle the
missing provider case appropriately), and when building azure_api_base use a
safe default instead of str(None) (e.g., use azure_config.get("api_base") or ""
only if not None) so you never store the literal "None" string.

In `@src/app/endpoints/streaming_query.py`:
- Around line 896-916: The next(...) call that looks for a provider with
provider_type == "remote::azure" can raise StopIteration; change the lookup to
use a safe lookup (e.g., azure_config = next((p.config for p in await
client.providers.list() if p.provider_type == "remote::azure"), None)) and then
check azure_config is not None before using it in
client_holder.update_provider_data; if azure_config is None, handle gracefully
(log/raise a clear error or return an appropriate response) so
AzureEntraIDManager.refresh_token() path won't crash when the Azure provider is
missing.

In `@src/llama_stack_configuration.py`:
- Around line 106-108: The except block that catches ClientAuthenticationError
and CredentialUnavailableError (the Azure Entra ID token generation block that
currently calls logger.error("Azure Entra ID: Failed to generate token: %s", e))
must not silently swallow failures; after logging the error re-raise the caught
exception (raise) so callers can handle or fail fast. Locate the except handling
those two exceptions in the token generation function and append a re-raise (or
alternatively change the function to return an explicit failure status and
propagate that to callers) so authentication failures are observable to callers.
- Around line 146-148: The code builds provider_id using
brag.get("vector_db_id") which can be None and yield a malformed "byok_" value;
update the logic around the vector_db_id/provider_id assignment (where
"vector_db_id", "provider_id", "embedding_model" are set) to validate or provide
a safe default for vector_db_id (e.g., use empty-string-safe fallback or a
sentinel like "unknown") and then construct provider_id from that validated
value (or skip/omit provider_id when vector_db_id is absent) so provider_id is
never "byok_" with an empty suffix.

🧹 Nitpick comments (22)

pyproject.toml (1)

63-64: Add version constraints to Azure dependencies for consistency with other packages.

Both azure-core and azure-identity are missing version constraints, while every other dependency in the file specifies minimum or exact versions (e.g., fastapi>=0.115.12, kubernetes>=30.1.0). Consider using azure-core>=1.37.0 and azure-identity>=1.25.1 to maintain consistency and prevent unexpected behavior from major version updates.
src/app/main.py (1)
44-55: Redundant environment variable assignment.

Lines 49-51 set AZURE_API_KEY from access_token, but AzureEntraIDManager.refresh_token() already sets os.environ["AZURE_API_KEY"] internally via _update_access_token(). The explicit assignment is unnecessary.
♻️ Suggested simplification
     azure_config = configuration.configuration.azure_entra_id
     if azure_config is not None:
         AzureEntraIDManager().set_config(azure_config)
         try:
             await AzureEntraIDManager().refresh_token()
-            os.environ["AZURE_API_KEY"] = (
-                AzureEntraIDManager().access_token.get_secret_value()
-            )
             logger.info("Azure Entra ID token set in environment")
         except ValueError as e:
             logger.error("Failed to refresh Azure token: %s", e)
Additionally, consider whether a failed token refresh should prevent startup. Currently, a ValueError is logged but the service continues, which could lead to authentication failures at runtime.
src/app/endpoints/query.py (1)
319-327: Consider storing the singleton reference for cleaner code.

AzureEntraIDManager() is instantiated multiple times (lines 321, 322, 324, and 336). While it's a singleton, storing a single reference improves readability.
♻️ Suggested refactor
         if provider_id == "azure":
+            azure_manager = AzureEntraIDManager()
             if (
-                AzureEntraIDManager().is_entra_id_configured
-                and AzureEntraIDManager().is_token_expired
+                azure_manager.is_entra_id_configured
+                and azure_manager.is_token_expired
             ):
-                await AzureEntraIDManager().refresh_token()
+                await azure_manager.refresh_token()

                 if client_holder.is_library_client:
                     client = await client_holder.reload_library_client()
                 else:
                     # ... provider lookup ...
                     client = client_holder.update_provider_data(
                         {
-                            "azure_api_key": AzureEntraIDManager().access_token.get_secret_value(),
+                            "azure_api_key": azure_manager.access_token.get_secret_value(),
                             "azure_api_base": str(azure_config.get("api_base")),
                         }
                     )
scripts/llama-stack-entrypoint.sh (1)
15-19: Consider capturing enrichment failures for debugging.

The || true suppresses all errors from the enrichment script without logging them. If enrichment fails, operators won't have visibility into why.
♻️ Suggested improvement
     echo "Enriching llama-stack config..."
-    python3 /opt/app-root/llama_stack_configuration.py \
+    if ! python3 /opt/app-root/llama_stack_configuration.py \
         -c "$LIGHTSPEED_CONFIG" \
         -i "$INPUT_CONFIG" \
         -o "$ENRICHED_CONFIG" \
-        -e "$ENV_FILE" 2>&1 || true
+        -e "$ENV_FILE" 2>&1; then
+        echo "Warning: Config enrichment failed, will use original config"
+    fi
src/models/config.py (1)
1482-1494: Consider adding Field metadata for consistency.

The tenant_id, client_id, and client_secret fields lack the title and description metadata that other configuration fields in this module include. This affects API documentation and schema generation consistency.
♻️ Suggested addition of field metadata
 class AzureEntraIdConfiguration(ConfigurationBase):
     """Microsoft Entra ID authentication attributes for Azure."""

-    tenant_id: SecretStr
-    client_id: SecretStr
-    client_secret: SecretStr
+    tenant_id: SecretStr = Field(
+        ...,
+        title="Tenant ID",
+        description="Azure AD tenant ID for authentication.",
+    )
+    client_id: SecretStr = Field(
+        ...,
+        title="Client ID",
+        description="Azure AD application (client) ID.",
+    )
+    client_secret: SecretStr = Field(
+        ...,
+        title="Client Secret",
+        description="Azure AD client secret for authentication.",
+    )
     scope: str = Field(
         "https://cognitiveservices.azure.com/.default",
         title="Token scope",
         description="Azure Cognitive Services scope for token requests. "
         "Override only if using a different Azure service.",
     )
examples/lightspeed-stack-azure-entraid-service.yaml (2)

1-8: Consider adding a security note for auth_enabled: false.

This example has auth_enabled: false on line 5. While appropriate for development examples, consider adding a comment clarifying this should be enabled in production deployments.

9-17: Clarify the placeholder api_key value.

The api_key: xyzzy on line 17 is a placeholder. Since Azure Entra ID manages authentication dynamically, consider adding a comment explaining that this value is overridden at runtime by the token management system, or use a more descriptive placeholder like "<replaced-at-runtime>".
Makefile (1)
20-23: Handle missing .env file gracefully and clarify in-place config modification.

Two observations:

Missing .env handling: If .env doesn't exist or AZURE_API_KEY isn't defined, grep will fail silently and AZURE_API_KEY will be empty, potentially causing runtime issues without clear error messages.

In-place modification: Using the same file for -i and -o ($(LLAMA_STACK_CONFIG)) overwrites the original. This may be intentional but could surprise users.
Suggested improvement for `.env` handling
 run-llama-stack: ## Start Llama Stack with enriched config (for local service mode)
+	`@test` -f .env || (echo "Error: .env file not found" && exit 1)
 	uv run src/llama_stack_configuration.py -c $(CONFIG) -i $(LLAMA_STACK_CONFIG) -o $(LLAMA_STACK_CONFIG) && \
-	AZURE_API_KEY=$$(grep '^AZURE_API_KEY=' .env | cut -d'=' -f2-) \
+	AZURE_API_KEY=$$(grep '^AZURE_API_KEY=' .env | cut -d'=' -f2- || echo "") \
 	uv run llama stack run $(LLAMA_STACK_CONFIG)
src/app/endpoints/streaming_query.py (1)
897-901: Consider caching the AzureEntraIDManager() instance.

While AzureEntraIDManager is a singleton, calling it three times in this block is slightly verbose. Consider storing it in a local variable for readability.
Suggested improvement
         if provider_id == "azure":
+            azure_manager = AzureEntraIDManager()
             if (
-                AzureEntraIDManager().is_entra_id_configured
-                and AzureEntraIDManager().is_token_expired
+                azure_manager.is_entra_id_configured
+                and azure_manager.is_token_expired
             ):
-                await AzureEntraIDManager().refresh_token()
+                await azure_manager.refresh_token()
tests/unit/authorization/test_azure_token_manager.py (1)
122-143: Type annotation improvement and assertion placement.

The caplog parameter should use pytest.LogCaptureFixture instead of Any for proper type checking.

The assertion at line 143 is inside the caplog.at_level context manager - while this works, placing it outside is cleaner.
Suggested improvement
     `@pytest.mark.asyncio`
     async def test_refresh_token_failure_logs_error(
         self,
         token_manager: AzureEntraIDManager,
         dummy_config: AzureEntraIdConfiguration,
         mocker: MockerFixture,
-        caplog: Any,
+        caplog: pytest.LogCaptureFixture,
     ) -> None:
         """Log error when token retrieval fails due to ClientAuthenticationError."""
         token_manager.set_config(dummy_config)
         mock_credential_instance = mocker.Mock()
         mock_credential_instance.get_token.side_effect = ClientAuthenticationError(
             "fail"
         )
         mocker.patch(
             "authorization.azure_token_manager.ClientSecretCredential",
             return_value=mock_credential_instance,
         )

         with caplog.at_level("ERROR"):
             await token_manager.refresh_token()
-            assert "Failed to retrieve Azure access token" in caplog.text
+        assert "Failed to retrieve Azure access token" in caplog.text
tests/unit/test_llama_stack_configuration.py (1)

157-177: Multiple type: ignore comments indicate potential model validation issues.

The extensive use of # type: ignore[call-arg] suggests the Pydantic models have required fields not being provided. While this works at runtime, consider:

Creating a test fixture with all required fields

Using model_construct() to bypass validation for test-only scenarios

This would improve type safety and make the test more maintainable.

docker-compose.yaml (1)

11-14: Inconsistent SELinux volume mount labels.

Line 12 uses :Z (exclusive private label) for run.yaml, while line 14 uses :z (shared label) for lightspeed-stack.yaml. This inconsistency could cause issues:

:Z relabels the content to be private to the container

:z allows sharing between containers

If both services need to read lightspeed-stack.yaml, :z is correct for that file. Consider making the labels consistent based on actual sharing requirements.
src/authorization/azure_token_manager.py (2)
59-74: Consider making token retrieval truly async or documenting blocking behavior.

The refresh_token method is async but calls the synchronous _retrieve_access_token which blocks on the Azure SDK's get_token(). This blocks the event loop during token retrieval.

Options:

Run the blocking call in an executor: await asyncio.to_thread(self._retrieve_access_token)

Document that brief blocking is expected (token refresh is infrequent)

For a token refresh that happens every ~hour, the brief blocking may be acceptable, but worth documenting.
Option 1: Use asyncio.to_thread
+import asyncio
+
     async def refresh_token(self) -> None:
         """Refresh the cached Azure access token.

         This is async to enforce proper ordering in the event loop -
         callers must await this before using the refreshed token.

         Raises:
             ValueError: If Entra ID configuration has not been set.
         """
         if self._entra_id_config is None:
             raise ValueError("Azure Entra ID configuration not set")

         logger.info("Refreshing Azure access token")
-        token_obj = self._retrieve_access_token()
+        token_obj = await asyncio.to_thread(self._retrieve_access_token)
         if token_obj:
             self._update_access_token(token_obj.token, token_obj.expires_on)
90-100: Error logging lacks exception details for debugging.

When token retrieval fails, only a generic message is logged without the exception details. This makes troubleshooting authentication issues harder.
Include exception in log
         except (ClientAuthenticationError, CredentialUnavailableError):
-            logger.error("Failed to retrieve Azure access token")
+            logger.error("Failed to retrieve Azure access token", exc_info=True)
             return None
src/llama_stack_configuration.py (8)
82-100: Consider security implications of writing token to disk.

The Azure access token is written in plaintext to the .env file. While this enables the Llama Stack service to read it at startup, be aware that:

Tokens persisted to disk may be accessed by other processes

The file should have restrictive permissions (e.g., 0600)

Consider adding file permission restrictions after writing.
Proposed enhancement: Set restrictive file permissions
         with open(env_file, "w", encoding="utf-8") as f:
             f.writelines(lines)
+        
+        # Restrict file permissions to owner-only
+        os.chmod(env_file, 0o600)

         logger.info(
126-127: Docstring type doesn't match signature.

The docstring references list[ByokRag] but the actual parameter type is list[dict[str, Any]]. Update the docstring to match the implementation.
Proposed fix
     Parameters:
         ls_config (dict[str, Any]): Existing Llama Stack configuration mapping
         used as the base; existing `vector_dbs` entries are preserved if
         present.
-        byok_rag (list[ByokRag]): List of BYOK RAG definitions to be added to
+        byok_rag (list[dict[str, Any]]): List of BYOK RAG definitions to be added to
         the `vector_dbs` section.
139-140: Potential mutation of input data via reference assignment.

Assigning output = ls_config["vector_dbs"] creates a reference to the original list. Subsequent output.append() calls will modify the original ls_config["vector_dbs"] in place. Per coding guidelines, avoid in-place parameter modification; return new data structures instead.
Proposed fix: Create a copy
     # fill-in existing vector_dbs entries
     if "vector_dbs" in ls_config:
-        output = ls_config["vector_dbs"]
+        output = list(ls_config["vector_dbs"])
173-174: Docstring type doesn't match signature.

Same issue as construct_vector_dbs_section: docstring mentions list[ByokRag] but actual type is list[dict[str, Any]].
Proposed fix
-        byok_rag (list[ByokRag]): List of BYOK RAG specifications to convert
+        byok_rag (list[dict[str, Any]]): List of BYOK RAG specifications to convert
         into provider entries.
187-188: Same reference assignment issue - creates mutation side effect.

As per coding guidelines, avoid in-place parameter modification.
Proposed fix
     # fill-in existing vector_io entries
     if "providers" in ls_config and "vector_io" in ls_config["providers"]:
-        output = ls_config["providers"]["vector_io"]
+        output = list(ls_config["providers"]["vector_io"])
253-256: Missing error handling for input file operations.

If input_file doesn't exist or contains invalid YAML, the exception will propagate up unhandled. Consider wrapping in try-except for consistent error handling.
Proposed fix
     logger.info("Reading Llama Stack configuration from file %s", input_file)

-    with open(input_file, "r", encoding="utf-8") as file:
-        ls_config = yaml.safe_load(file)
+    try:
+        with open(input_file, "r", encoding="utf-8") as file:
+            ls_config = yaml.safe_load(file)
+    except FileNotFoundError:
+        logger.error("Input Llama Stack config not found: %s", input_file)
+        raise
+    except yaml.YAMLError as e:
+        logger.error("Invalid YAML in input file %s: %s", input_file, e)
+        raise
310-312: Consider using sys.exit for error conditions.

When the config file is not found, the function logs an error and returns. For CLI tools, it's more conventional to exit with a non-zero status code to signal failure to calling scripts or CI pipelines.
Proposed fix
+import sys
+
 ...
 
     except FileNotFoundError:
         logger.error("Config not found: %s", args.config)
-        return
+        sys.exit(1)
275-276: Docstring could be more descriptive.

Per coding guidelines, all functions require docstrings with brief descriptions. The current docstring "CLI entry point." is minimal. Consider expanding to describe what the CLI does.
Proposed enhancement
 def main() -> None:
-    """CLI entry point."""
+    """CLI entry point for Llama Stack configuration enrichment.
+
+    Reads Lightspeed configuration, applies Azure Entra ID token setup
+    and BYOK RAG enrichment, and writes the enriched Llama Stack config.
+    """

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9c8a7ff and def9221.

⛔ Files ignored due to path filters (1)

uv.lock is excluded by !**/*.lock

📒 Files selected for processing (38)

.github/workflows/e2e_tests.yaml
.github/workflows/e2e_tests_providers.yaml
Makefile
README.md
docker-compose-library.yaml
docker-compose.yaml
docs/providers.md
examples/azure-run.yaml
examples/lightspeed-stack-azure-entraid-lib.yaml
examples/lightspeed-stack-azure-entraid-service.yaml
pyproject.toml
scripts/llama-stack-entrypoint.sh
src/app/endpoints/query.py
src/app/endpoints/query_v2.py
src/app/endpoints/streaming_query.py
src/app/main.py
src/authorization/azure_token_manager.py
src/client.py
src/configuration.py
src/lightspeed_stack.py
src/llama_stack_configuration.py
src/models/config.py
test.containerfile
tests/e2e/configs/run-azure.yaml
tests/e2e/configuration/library-mode/lightspeed-stack-auth-noop-token.yaml
tests/e2e/configuration/library-mode/lightspeed-stack-invalid-feedback-storage.yaml
tests/e2e/configuration/library-mode/lightspeed-stack-no-cache.yaml
tests/e2e/configuration/library-mode/lightspeed-stack.yaml
tests/e2e/configuration/server-mode/lightspeed-stack-auth-noop-token.yaml
tests/e2e/configuration/server-mode/lightspeed-stack-no-cache.yaml
tests/e2e/configuration/server-mode/lightspeed-stack.yaml
tests/e2e/features/steps/info.py
tests/unit/authentication/test_api_key_token.py
tests/unit/authorization/test_azure_token_manager.py
tests/unit/models/config/test_dump_configuration.py
tests/unit/test_client.py
tests/unit/test_configuration.py
tests/unit/test_llama_stack_configuration.py

💤 Files with no reviewable changes (6)

tests/e2e/configuration/library-mode/lightspeed-stack-auth-noop-token.yaml
tests/e2e/configuration/library-mode/lightspeed-stack-no-cache.yaml
src/app/endpoints/query_v2.py
tests/e2e/configuration/server-mode/lightspeed-stack-auth-noop-token.yaml
tests/e2e/configuration/server-mode/lightspeed-stack-no-cache.yaml
tests/e2e/configuration/library-mode/lightspeed-stack-invalid-feedback-storage.yaml

🧰 Additional context used

📓 Path-based instructions (8)

**/*.py