feat: add opt-in per-request overrides for content logging and raw request/response visibility (#3066)

## Summary

Adds two opt-in configuration flags — `allow_per_request_content_storage_override` and `allow_per_request_raw_override` — that gate whether per-request context keys and HTTP headers can override the global content logging and raw request/response visibility settings. When enabled, callers can suppress sensitive content (e.g. PII, credentials) from log records on specific requests via `x-bf-disable-content-logging`, or override raw capture behavior via `x-bf-send-back-raw-request`/`x-bf-send-back-raw-response`, without changing global configuration. When disabled (the default), provider-level and global settings remain authoritative and per-request overrides are silently ignored.

## Changes

- Added `BifrostContextKeyDisableContentLogging`, `BifrostContextKeyAllowPerRequestStorageOverride`, and `BifrostContextKeyAllowPerRequestRawOverride` to the `BifrostContextKey` enum.
- Introduced a `contentLoggingEnabled(ctx)` helper on `LoggerPlugin` that checks the per-request context override (only when `BifrostContextKeyAllowPerRequestStorageOverride` is set) before falling back to the global `disableContentLogging` config. This replaces all inline `p.disableContentLogging == nil || !*p.disableContentLogging` checks throughout the logging plugin.
- Propagated the resolved `contentLoggingEnabled` bool as an explicit parameter to `updateLogEntry`, `applyStreamingOutputToEntry`, `applyNonStreamingOutputToEntry`, and `applyRealtimeOutputToEntry`, removing the redundant local re-evaluation inside `applyRealtimeOutputToEntry`.
- Gated the existing `BifrostContextKeySendBackRawRequest`, `BifrostContextKeySendBackRawResponse`, and `BifrostContextKeyStoreRawRequestResponse` per-request overrides in `requestWorker` behind the new `BifrostContextKeyAllowPerRequestRawOverride` flag.
- Added `AllowPerRequestContentStorageOverride` and `AllowPerRequestRawOverride` fields to `ClientConfig` with corresponding hash entries, `Config` accessor methods, and two new methods on the `HandlerStore` interface (`ShouldAllowPerRequestStorageOverride`, `ShouldAllowPerRequestRawOverride`).
- Refactored `ConvertToBifrostContext` to accept a `HandlerStore` instead of individual parameters, propagating the new override flags into the bifrost context at request ingress.
- Added UI toggles for both new flags in the Logs Settings view and updated the `CoreConfig` TypeScript type and defaults.
- Added tests covering all precedence combinations (no config, global on/off, ctx override on/off, nil ctx), as well as integration-style tests for `updateLogEntry` and the apply-output helpers verifying both suppression and force-enable behavior.
- Documented the new `x-bf-disable-content-logging` option in `docs/providers/request-options.mdx` with cURL and Go SDK examples, precedence rules, and a prerequisite callout for `allow_per_request_content_storage_override`.

## Type of change

- [ ] Bug fix
- [x] Feature
- [ ] Refactor
- [ ] Documentation
- [ ] Chore/CI

## Affected areas

- [x] Core (Go)
- [x] Transports (HTTP)
- [ ] Providers/Integrations
- [x] Plugins
- [x] UI (React)
- [x] Docs

## How to test

```sh
go test ./plugins/logging/... ./transports/bifrost-http/lib/...
```

To validate end-to-end via the gateway, first enable `allow_per_request_content_storage_override` in your logging config, then send a chat completion request with the header and confirm the log record omits message content while still recording token counts and latency:

```sh
curl --location 'http://localhost:8080/v1/chat/completions' \
  --header 'x-bf-disable-content-logging: true' \
  --header 'Content-Type: application/json' \
  --data '{
    "model": "openai/gpt-4o-mini",
    "messages": [{"role": "user", "content": "Sensitive data here"}]
  }'
```

The resulting log record should have empty `input_history`, `output_message`, and `raw_request`/`raw_response` fields, while `total_tokens`, `latency`, and routing metadata remain populated.

To verify the gate is enforced, send the same request without enabling `allow_per_request_content_storage_override` — the header should be ignored and content should appear in the log record as normal.

## Breaking changes

- [x] No

## Security considerations

Both override flags default to `false`, meaning existing deployments are unaffected on upgrade. The per-request override is applied only at log-write time and does not affect what is sent to the upstream provider. Operators should consider carefully before enabling `allow_per_request_raw_override`, as it permits callers to request that raw provider payloads be returned in API responses.

## Checklist

- [ ] I read `docs/contributing/README.md` and followed the guidelines
- [x] I added/updated tests where appropriate
- [x] I updated documentation where needed
- [ ] I verified builds succeed (Go and UI)
- [ ] I verified the CI pipeline passes locally if applicable

Author: Pratham-Mishra04

core/bifrost.go

@@ -5526,16 +5526,24 @@ func (bifrost *Bifrost) requestWorker(provider schemas.Provider, config *schemas
 
 		// Step 1: compute effective value for each flag (provider config ← per-request override).
 		effectiveSendBackReq := config.SendBackRawRequest
-		if override, ok := req.Context.Value(schemas.BifrostContextKeySendBackRawRequest).(bool); ok {
-			effectiveSendBackReq = override
+		allowRawOverride, _ := req.Context.Value(schemas.BifrostContextKeyAllowPerRequestRawOverride).(bool)
+		if allowRawOverride {
+			if override, ok := req.Context.Value(schemas.BifrostContextKeySendBackRawRequest).(bool); ok {
+				effectiveSendBackReq = override
+			}
 		}
 		effectiveSendBackResp := config.SendBackRawResponse
-		if override, ok := req.Context.Value(schemas.BifrostContextKeySendBackRawResponse).(bool); ok {
-			effectiveSendBackResp = override
+		if allowRawOverride {
+			if override, ok := req.Context.Value(schemas.BifrostContextKeySendBackRawResponse).(bool); ok {
+				effectiveSendBackResp = override
+			}
 		}
 		effectiveStore := config.StoreRawRequestResponse
-		if override, ok := req.Context.Value(schemas.BifrostContextKeyStoreRawRequestResponse).(bool); ok {
-			effectiveStore = override
+		allowStorageOverride, _ := req.Context.Value(schemas.BifrostContextKeyAllowPerRequestStorageOverride).(bool)
+		if allowStorageOverride {
+			if override, ok := req.Context.Value(schemas.BifrostContextKeyStoreRawRequestResponse).(bool); ok {
+				effectiveStore = override
+			}
 		}
 
 		// Step 2: derive per-side capture and strip flags.

core/schemas/bifrost.go

@@ -248,6 +248,9 @@ const (
 	BifrostContextKeyRealtimeEventType                   BifrostContextKey = "bifrost-realtime-event-type"                      // string
 	BifrostIsAsyncRequest                                BifrostContextKey = "bifrost-is-async-request"                         // bool (set by bifrost - DO NOT SET THIS MANUALLY)) - whether the request is an async request (only used in gateway)
 	BifrostContextKeyRequestHeaders                      BifrostContextKey = "bifrost-request-headers"                          // map[string]string (all request headers with lowercased keys)
+	BifrostContextKeyAllowPerRequestStorageOverride       BifrostContextKey = "bifrost-allow-per-request-storage-override"        // bool (set by transport from config — gates whether x-bf-disable-content-logging and x-bf-store-raw-request-response per-request overrides are honored)
+	BifrostContextKeyAllowPerRequestRawOverride           BifrostContextKey = "bifrost-allow-per-request-raw-override"            // bool (set by transport from config — gates whether x-bf-send-back-raw-request and x-bf-send-back-raw-response per-request overrides are honored)
+	BifrostContextKeyDisableContentLogging               BifrostContextKey = "x-bf-disable-content-logging"                     // bool (per-request override for content logging; only honored when BifrostContextKeyAllowPerRequestStorageOverride is true)
 	BifrostContextKeySkipListModelsGovernanceFiltering   BifrostContextKey = "bifrost-skip-list-models-governance-filtering"    // bool (set by bifrost - DO NOT SET THIS MANUALLY))
 	BifrostContextKeySCIMClaims                          BifrostContextKey = "scim_claims"
 	BifrostContextKeyUserID                              BifrostContextKey = "bifrost-user-id"   // string (to store the user ID (set by enterprise auth middleware - DO NOT SET THIS MANUALLY))

docs/openapi/schemas/management/config.yaml

@@ -31,6 +31,14 @@ ClientConfig:
     disable_content_logging:
       type: boolean
       description: Whether content logging is disabled
+    allow_per_request_content_storage_override:
+      type: boolean
+      default: false
+      description: Allow individual requests to override content storage via the x-bf-disable-content-logging header or context key. When false (default), per-request overrides are ignored.
+    allow_per_request_raw_override:
+      type: boolean
+      default: false
+      description: Allow individual requests to override raw request/response visibility via the x-bf-send-back-raw-request and x-bf-send-back-raw-response headers. When false (default), provider-level settings are authoritative and per-request overrides are ignored.
     enforce_auth_on_inference:
       type: boolean
       description: Whether to enforce virtual key authentication on inference requests

docs/providers/request-options.mdx

@@ -46,34 +46,36 @@ type CompatConfig struct {
 // ClientConfig represents the core configuration for Bifrost HTTP transport and the Bifrost Client.
 // It includes settings for excess request handling, Prometheus metrics, and initial pool size.
 type ClientConfig struct {
-	DropExcessRequests              bool                             `json:"drop_excess_requests"`    // Drop excess requests if the provider queue is full
-	InitialPoolSize                 int                              `json:"initial_pool_size"`       // The initial pool size for the bifrost client
-	PrometheusLabels                []string                         `json:"prometheus_labels"`       // The labels to be used for prometheus metrics
-	EnableLogging                   *bool                            `json:"enable_logging"`          // Enable logging of requests and responses
-	DisableContentLogging           bool                             `json:"disable_content_logging"` // Disable logging of content
-	DisableDBPingsInHealth          bool                             `json:"disable_db_pings_in_health"`
-	LogRetentionDays                int                              `json:"log_retention_days" validate:"min=1"`  // Number of days to retain logs (minimum 1 day)
-	EnforceAuthOnInference          bool                             `json:"enforce_auth_on_inference"`            // Require auth (VK, API key, or user token) on inference endpoints
-	EnforceGovernanceHeader         bool                             `json:"enforce_governance_header,omitempty"`  // Deprecated: use EnforceAuthOnInference
-	EnforceSCIMAuth                 bool                             `json:"enforce_scim_auth,omitempty"`          // Deprecated: use EnforceAuthOnInference
-	AllowDirectKeys                 bool                             `json:"allow_direct_keys"`                    // Allow direct keys to be used for requests
-	AllowedOrigins                  []string                         `json:"allowed_origins,omitempty"`            // Additional allowed origins for CORS and WebSocket (localhost is always allowed)
-	AllowedHeaders                  []string                         `json:"allowed_headers,omitempty"`            // Additional allowed headers for CORS and WebSocket
-	MaxRequestBodySizeMB            int                              `json:"max_request_body_size_mb"`             // The maximum request body size in MB
-	Compat                          CompatConfig                     `json:"compat"`                               // Compat plugin configuration
-	MCPAgentDepth                   int                              `json:"mcp_agent_depth"`                      // The maximum depth for MCP agent mode tool execution
-	MCPToolExecutionTimeout         int                              `json:"mcp_tool_execution_timeout"`           // The timeout for individual tool execution in seconds
-	MCPCodeModeBindingLevel         string                           `json:"mcp_code_mode_binding_level"`          // Code mode binding level: "server" or "tool"
-	MCPToolSyncInterval             int                              `json:"mcp_tool_sync_interval"`               // Global tool sync interval in minutes (default: 10, 0 = disabled)
-	MCPDisableAutoToolInject        bool                             `json:"mcp_disable_auto_tool_inject"`         // When true, MCP tools are not injected into requests by default
-	HeaderFilterConfig              *tables.GlobalHeaderFilterConfig `json:"header_filter_config,omitempty"`       // Global header filtering configuration for x-bf-eh-* headers
-	AsyncJobResultTTL               int                              `json:"async_job_result_ttl"`                 // Default TTL for async job results in seconds (default: 3600 = 1 hour)
-	RequiredHeaders                 []string                         `json:"required_headers,omitempty"`           // Headers that must be present on every request (case-insensitive)
-	LoggingHeaders                  []string                         `json:"logging_headers,omitempty"`            // Headers to capture in log metadata
-	WhitelistedRoutes               []string                         `json:"whitelisted_routes,omitempty"`         // Routes that bypass auth middleware
-	HideDeletedVirtualKeysInFilters bool                             `json:"hide_deleted_virtual_keys_in_filters"` // Hide deleted virtual keys from logs/MCP filter data
-	RoutingChainMaxDepth            int                              `json:"routing_chain_max_depth"`              // Maximum depth for routing rule chain evaluation (default: 10)
-	ConfigHash                      string                           `json:"-"`                                    // Config hash for reconciliation (not serialized)
+	DropExcessRequests                    bool                             `json:"drop_excess_requests"`                       // Drop excess requests if the provider queue is full
+	InitialPoolSize                       int                              `json:"initial_pool_size"`                          // The initial pool size for the bifrost client
+	PrometheusLabels                      []string                         `json:"prometheus_labels"`                          // The labels to be used for prometheus metrics
+	EnableLogging                         *bool                            `json:"enable_logging"`                             // Enable logging of requests and responses
+	DisableContentLogging                 bool                             `json:"disable_content_logging"`                    // Disable logging of content
+	AllowPerRequestContentStorageOverride bool                             `json:"allow_per_request_content_storage_override"` // Allow per-request override of content storage via x-bf-disable-content-logging header/context
+	AllowPerRequestRawOverride            bool                             `json:"allow_per_request_raw_override"`             // Allow per-request override of raw request/response visibility via x-bf-send-back-raw-request and x-bf-send-back-raw-response headers
+	DisableDBPingsInHealth                bool                             `json:"disable_db_pings_in_health"`
+	LogRetentionDays                      int                              `json:"log_retention_days" validate:"min=1"`  // Number of days to retain logs (minimum 1 day)
+	EnforceAuthOnInference                bool                             `json:"enforce_auth_on_inference"`            // Require auth (VK, API key, or user token) on inference endpoints
+	EnforceGovernanceHeader               bool                             `json:"enforce_governance_header,omitempty"`  // Deprecated: use EnforceAuthOnInference
+	EnforceSCIMAuth                       bool                             `json:"enforce_scim_auth,omitempty"`          // Deprecated: use EnforceAuthOnInference
+	AllowDirectKeys                       bool                             `json:"allow_direct_keys"`                    // Allow direct keys to be used for requests
+	AllowedOrigins                        []string                         `json:"allowed_origins,omitempty"`            // Additional allowed origins for CORS and WebSocket (localhost is always allowed)
+	AllowedHeaders                        []string                         `json:"allowed_headers,omitempty"`            // Additional allowed headers for CORS and WebSocket
+	MaxRequestBodySizeMB                  int                              `json:"max_request_body_size_mb"`             // The maximum request body size in MB
+	Compat                                CompatConfig                     `json:"compat"`                               // Compat plugin configuration
+	MCPAgentDepth                         int                              `json:"mcp_agent_depth"`                      // The maximum depth for MCP agent mode tool execution
+	MCPToolExecutionTimeout               int                              `json:"mcp_tool_execution_timeout"`           // The timeout for individual tool execution in seconds
+	MCPCodeModeBindingLevel               string                           `json:"mcp_code_mode_binding_level"`          // Code mode binding level: "server" or "tool"
+	MCPToolSyncInterval                   int                              `json:"mcp_tool_sync_interval"`               // Global tool sync interval in minutes (default: 10, 0 = disabled)
+	MCPDisableAutoToolInject              bool                             `json:"mcp_disable_auto_tool_inject"`         // When true, MCP tools are not injected into requests by default
+	HeaderFilterConfig                    *tables.GlobalHeaderFilterConfig `json:"header_filter_config,omitempty"`       // Global header filtering configuration for x-bf-eh-* headers
+	AsyncJobResultTTL                     int                              `json:"async_job_result_ttl"`                 // Default TTL for async job results in seconds (default: 3600 = 1 hour)
+	RequiredHeaders                       []string                         `json:"required_headers,omitempty"`           // Headers that must be present on every request (case-insensitive)
+	LoggingHeaders                        []string                         `json:"logging_headers,omitempty"`            // Headers to capture in log metadata
+	WhitelistedRoutes                     []string                         `json:"whitelisted_routes,omitempty"`         // Routes that bypass auth middleware
+	HideDeletedVirtualKeysInFilters       bool                             `json:"hide_deleted_virtual_keys_in_filters"` // Hide deleted virtual keys from logs/MCP filter data
+	RoutingChainMaxDepth                  int                              `json:"routing_chain_max_depth"`              // Maximum depth for routing rule chain evaluation (default: 10)
+	ConfigHash                            string                           `json:"-"`                                    // Config hash for reconciliation (not serialized)
 }
 
 // GenerateClientConfigHash generates a SHA256 hash of the client configuration.
@@ -174,6 +176,15 @@ func (c *ClientConfig) GenerateClientConfigHash() (string, error) {
 		hash.Write([]byte("mcpDisableAutoToolInject:true"))
 	}
 
+	// Only hash non-default value to avoid legacy config hash churn on upgrade.
+	if c.AllowPerRequestContentStorageOverride {
+		hash.Write([]byte("allowPerRequestContentStorageOverride:true"))
+	}
+
+	if c.AllowPerRequestRawOverride {
+		hash.Write([]byte("allowPerRequestRawOverride:true"))
+	}
+
 	if c.AsyncJobResultTTL > 0 {
 		hash.Write([]byte("asyncJobResultTTL:" + strconv.Itoa(c.AsyncJobResultTTL)))
 	} else {

framework/configstore/clientconfig.go

@@ -0,0 +1 @@
+- feat: added per-request content logging toggle that overrides the global setting