[API Updates] Model / shield / memory-bank routing + agent persistence + support for private headers (#92)

This is yet another of those large PRs (hopefully we will have less and less of them as things mature fast). This one introduces substantial improvements and some simplifications to the stack.

Most important bits:

* Agents reference implementation now has support for session / turn persistence. The default implementation uses sqlite but there's also support for using Redis.

* We have re-architected the structure of the Stack APIs to allow for more flexible routing. The motivating use cases are:
  - routing model A to ollama and model B to a remote provider like Together
  - routing shield A to local impl while shield B to a remote provider like Bedrock
  - routing a vector memory bank to Weaviate while routing a keyvalue memory bank to Redis

* Support for provider specific parameters to be passed from the clients. A client can pass data using `x_llamastack_provider_data` parameter which can be type-checked and provided to the Adapter implementations.

llama_stack/providers/impls/meta_reference/safety/shields/__init__.py

@@ -15,7 +15,6 @@ from .base import (  # noqa: F401
     TextShield,
 )
 from .code_scanner import CodeScannerShield  # noqa: F401
-from .contrib.third_party_shield import ThirdPartyShield  # noqa: F401
 from .llama_guard import LlamaGuardShield  # noqa: F401
 from .prompt_guard import (  # noqa: F401
     InjectionShield,

llama_stack/providers/impls/meta_reference/safety/shields/base.py

@@ -8,11 +8,26 @@ from abc import ABC, abstractmethod
 from typing import List
 
 from llama_models.llama3.api.datatypes import interleaved_text_media_as_str, Message
+from pydantic import BaseModel
 from llama_stack.apis.safety import *  # noqa: F403
 
 CANNED_RESPONSE_TEXT = "I can't answer that. Can I help with something else?"
 
 
+# TODO: clean this up; just remove this type completely
+class ShieldResponse(BaseModel):
+    is_violation: bool
+    violation_type: Optional[str] = None
+    violation_return_message: Optional[str] = None
+
+
+# TODO: this is a caller / agent concern
+class OnViolationAction(Enum):
+    IGNORE = 0
+    WARN = 1
+    RAISE = 2
+
+
 class ShieldBase(ABC):
     def __init__(
         self,
@@ -20,10 +35,6 @@ class ShieldBase(ABC):
     ):
         self.on_violation_action = on_violation_action
 
-    @abstractmethod
-    def get_shield_type(self) -> ShieldType:
-        raise NotImplementedError()
-
     @abstractmethod
     async def run(self, messages: List[Message]) -> ShieldResponse:
         raise NotImplementedError()
@@ -48,11 +59,6 @@ class TextShield(ShieldBase):
 
 
 class DummyShield(TextShield):
-    def get_shield_type(self) -> ShieldType:
-        return "dummy"
-
     async def run_impl(self, text: str) -> ShieldResponse:
         # Dummy return LOW to test e2e
-        return ShieldResponse(
-            shield_type=BuiltinShield.third_party_shield, is_violation=False
-        )
+        return ShieldResponse(is_violation=False)

llama_stack/providers/impls/meta_reference/safety/shields/code_scanner.py

@@ -7,13 +7,9 @@
 from termcolor import cprint
 
 from .base import ShieldResponse, TextShield
-from llama_stack.apis.safety import *  # noqa: F403
 
 
 class CodeScannerShield(TextShield):
-    def get_shield_type(self) -> ShieldType:
-        return BuiltinShield.code_scanner_guard
-
     async def run_impl(self, text: str) -> ShieldResponse:
         from codeshield.cs import CodeShield
 
@@ -21,7 +17,6 @@ class CodeScannerShield(TextShield):
         result = await CodeShield.scan_code(text)
         if result.is_insecure:
             return ShieldResponse(
-                shield_type=BuiltinShield.code_scanner_guard,
                 is_violation=True,
                 violation_type=",".join(
                     [issue.pattern_id for issue in result.issues_found]
@@ -29,6 +24,4 @@ class CodeScannerShield(TextShield):
                 violation_return_message="Sorry, I found security concerns in the code.",
             )
         else:
-            return ShieldResponse(
-                shield_type=BuiltinShield.code_scanner_guard, is_violation=False
-            )
+            return ShieldResponse(is_violation=False)

llama_stack/providers/impls/meta_reference/safety/shields/contrib/__init__.py

@@ -1,5 +0,0 @@
-# Copyright (c) Meta Platforms, Inc. and affiliates.
-# All rights reserved.
-#
-# This source code is licensed under the terms described in the LICENSE file in
-# the root directory of this source tree.

llama_stack/providers/impls/meta_reference/safety/shields/contrib/third_party_shield.py

@@ -1,35 +0,0 @@
-# Copyright (c) Meta Platforms, Inc. and affiliates.
-# All rights reserved.
-#
-# This source code is licensed under the terms described in the LICENSE file in
-# the root directory of this source tree.
-
-from typing import List
-
-from llama_models.llama3.api.datatypes import Message
-
-from llama_stack.providers.impls.meta_reference.safety.shields.base import (
-    OnViolationAction,
-    ShieldBase,
-    ShieldResponse,
-)
-
-_INSTANCE = None
-
-
-class ThirdPartyShield(ShieldBase):
-    @staticmethod
-    def instance(on_violation_action=OnViolationAction.RAISE) -> "ThirdPartyShield":
-        global _INSTANCE
-        if _INSTANCE is None:
-            _INSTANCE = ThirdPartyShield(on_violation_action)
-        return _INSTANCE
-
-    def __init__(
-        self,
-        on_violation_action: OnViolationAction = OnViolationAction.RAISE,
-    ):
-        super().__init__(on_violation_action)
-
-    async def run(self, messages: List[Message]) -> ShieldResponse:
-        super.run()  # will raise NotImplementedError

llama_stack/providers/impls/meta_reference/safety/shields/llama_guard.py

@@ -14,7 +14,7 @@ from llama_models.llama3.api.datatypes import Message, Role
 from transformers import AutoModelForCausalLM, AutoTokenizer
 
 from .base import CANNED_RESPONSE_TEXT, OnViolationAction, ShieldBase, ShieldResponse
-from llama_stack.apis.safety import *  # noqa: F403
+
 
 SAFE_RESPONSE = "safe"
 _INSTANCE = None
@@ -152,9 +152,6 @@ class LlamaGuardShield(ShieldBase):
             model_dir, torch_dtype=torch_dtype, device_map=self.device
         )
 
-    def get_shield_type(self) -> ShieldType:
-        return BuiltinShield.llama_guard
-
     def check_unsafe_response(self, response: str) -> Optional[str]:
         match = re.match(r"^unsafe\n(.*)$", response)
         if match:
@@ -192,18 +189,13 @@ class LlamaGuardShield(ShieldBase):
 
     def get_shield_response(self, response: str) -> ShieldResponse:
         if response == SAFE_RESPONSE:
-            return ShieldResponse(
-                shield_type=BuiltinShield.llama_guard, is_violation=False
-            )
+            return ShieldResponse(is_violation=False)
         unsafe_code = self.check_unsafe_response(response)
         if unsafe_code:
             unsafe_code_list = unsafe_code.split(",")
             if set(unsafe_code_list).issubset(set(self.excluded_categories)):
-                return ShieldResponse(
-                    shield_type=BuiltinShield.llama_guard, is_violation=False
-                )
+                return ShieldResponse(is_violation=False)
             return ShieldResponse(
-                shield_type=BuiltinShield.llama_guard,
                 is_violation=True,
                 violation_type=unsafe_code,
                 violation_return_message=CANNED_RESPONSE_TEXT,
@@ -213,12 +205,9 @@ class LlamaGuardShield(ShieldBase):
 
     async def run(self, messages: List[Message]) -> ShieldResponse:
         if self.disable_input_check and messages[-1].role == Role.user.value:
-            return ShieldResponse(
-                shield_type=BuiltinShield.llama_guard, is_violation=False
-            )
+            return ShieldResponse(is_violation=False)
         elif self.disable_output_check and messages[-1].role == Role.assistant.value:
             return ShieldResponse(
-                shield_type=BuiltinShield.llama_guard,
                 is_violation=False,
             )
         else:

llama_stack/providers/impls/meta_reference/safety/shields/prompt_guard.py

@@ -13,7 +13,6 @@ from llama_models.llama3.api.datatypes import Message
 from termcolor import cprint
 
 from .base import message_content_as_str, OnViolationAction, ShieldResponse, TextShield
-from llama_stack.apis.safety import *  # noqa: F403
 
 
 class PromptGuardShield(TextShield):
@@ -74,13 +73,6 @@ class PromptGuardShield(TextShield):
         self.threshold = threshold
         self.mode = mode
 
-    def get_shield_type(self) -> ShieldType:
-        return (
-            BuiltinShield.jailbreak_shield
-            if self.mode == self.Mode.JAILBREAK
-            else BuiltinShield.injection_shield
-        )
-
     def convert_messages_to_text(self, messages: List[Message]) -> str:
         return message_content_as_str(messages[-1])
 
@@ -103,21 +95,18 @@ class PromptGuardShield(TextShield):
             score_embedded + score_malicious > self.threshold
         ):
             return ShieldResponse(
-                shield_type=self.get_shield_type(),
                 is_violation=True,
                 violation_type=f"prompt_injection:embedded={score_embedded},malicious={score_malicious}",
                 violation_return_message="Sorry, I cannot do this.",
             )
         elif self.mode == self.Mode.JAILBREAK and score_malicious > self.threshold:
             return ShieldResponse(
-                shield_type=self.get_shield_type(),
                 is_violation=True,
                 violation_type=f"prompt_injection:malicious={score_malicious}",
                 violation_return_message="Sorry, I cannot do this.",
             )
 
         return ShieldResponse(
-            shield_type=self.get_shield_type(),
             is_violation=False,
         )