[Endpoints] [14/x] Add encryption availability endpoints #19176

Closed
BenWilson2 wants to merge 19 commits into mlflow:master from BenWilson2:stack/endpoints/passphrase

@BenWilson2 BenWilson2 commented Dec 2, 2025

🥞 Stacked PR

Use this link to review incremental changes.


Related Issues/PRs

#xxx

What changes are proposed in this pull request?

Adds:

  • Security configuration validation endpoint to ensure that the API Key management UI is capable of being displayed (if passphrase is not set and configured, will display a 'getting started' page to instruct users on how they can enable the capability and disables the gateway functionality within the UI).
  • Fixes for UI consistency across the pages for uniform display 'feel'
  • Adjustments to CSS styling for consistency
  • Fixes to spacing and consistent design system Emotion CSS usage
  • Fixes to tooltip displays on list pages

@BenWilson2 BenWilson2 changed the title from "Add security configuration availability endpoints" to "[Endpoints] [15/x] Add encryption availability endpoints" Dec 2, 2025
@BenWilson2 BenWilson2 marked this pull request as ready for review December 2, 2025 20:10
@github-actions github-actions bot added the area/uiux (Front-end, user experience, plotting, JavaScript, JavaScript dev server) and rn/feature (Mention under Features in Changelogs) labels Dec 2, 2025
@BenWilson2 BenWilson2 force-pushed the stack/endpoints/passphrase branch 2 times, most recently from 0fa11df to 8f7ba58 Compare December 2, 2025 22:49

github-actions bot commented Dec 2, 2025

Documentation preview for 6b6dc51 is available at:

More info
  • Ignore this comment if this PR does not change the documentation.
  • The preview is updated when a new commit is pushed to this PR.
  • This comment was created by this workflow run.
  • The documentation was built by this workflow run.

@BenWilson2 BenWilson2 force-pushed the stack/endpoints/passphrase branch 4 times, most recently from 5195e71 to 0f7cdfd Compare December 4, 2025 00:27
Copilot AI review requested due to automatic review settings December 4, 2025 01:54
@BenWilson2 BenWilson2 force-pushed the stack/endpoints/passphrase branch from 0f7cdfd to f609398 Compare December 4, 2025 01:54
Copilot AI left a comment

Pull request overview

This PR adds encryption availability validation endpoints to enable secure API key management in the MLflow Gateway UI. When the encryption passphrase is not configured, the UI displays a setup guide instead of non-functional API key features. The changes include comprehensive test coverage for the cryptography utilities, entity models, and UI components.

  • Adds encryption configuration validation endpoint to check if secrets management is properly configured
  • Implements comprehensive cryptography utilities with envelope encryption using AES-256-GCM and PBKDF2
  • Adds database models and entities for secrets, model definitions, endpoints, and bindings
  • Implements UI components and pages for the Gateway feature with proper error handling

Reviewed changes

Copilot reviewed 108 out of 119 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| tests/entities/test_gateway_endpoint.py | Comprehensive tests for Gateway entity models including proto round-trip conversions |
| tests/cli/test_cryptography.py | Tests for KEK rotation CLI command with various scenarios and edge cases |
| requirements/genai-requirements.yaml | Adds litellm dependency configuration for Gateway features |
| pyproject.toml | Adds litellm<2,>=1.0.0 to genai extras |
| pyproject.release.toml | Mirrors litellm dependency addition for release configuration |
| mlflow/utils/providers.py | Provider configuration utilities using litellm for credential and capability management |
| mlflow/utils/cryptography.py | Core cryptography implementation with envelope encryption and key rotation |
| mlflow/store/tracking/sqlalchemy_store.py | Store implementations for secrets, model definitions, endpoints, and bindings |
| mlflow/store/tracking/rest_store.py | REST API client methods for Gateway features |
| mlflow/store/tracking/dbmodels/models.py | SQLAlchemy model conversions to MLflow entities |
| mlflow/store/tracking/abstract_store.py | Abstract store method signatures for Gateway features |
| mlflow/store/tracking/_secret_cache.py | Encrypted in-memory cache for decrypted secrets with forward secrecy |
| mlflow/server/js/src/lang/default/en.json | Internationalization strings for Gateway UI |
| mlflow/server/js/src/gateway/utils/providerUtils.ts | Provider grouping and formatting utilities |
| mlflow/server/js/src/gateway/utils/dateUtils.ts | Timestamp conversion utilities with unit detection |
| mlflow/server/js/src/gateway/utils/dateUtils.test.ts | Tests for timestamp conversion edge cases |
| mlflow/server/js/src/gateway/types.ts | TypeScript type definitions for Gateway API |
| mlflow/server/js/src/gateway/routes.ts | Route path definitions for Gateway pages |
| mlflow/server/js/src/gateway/route-defs.ts | Route configuration with lazy loading |
| mlflow/server/js/src/gateway/pages/ModelDefinitionsPage.tsx | Models list page with CRUD operations |
| mlflow/server/js/src/gateway/pages/ModelDefinitionsPage.test.tsx | Tests for models list page rendering |
| mlflow/server/js/src/gateway/pages/ModelDefinitionDetailsPage.tsx | Model details page with configuration display |
| mlflow/server/js/src/gateway/pages/GatewayPage.tsx | Endpoints list page |
| mlflow/server/js/src/gateway/pages/GatewayLayout.tsx | Layout with backend validation and setup guide |
| mlflow/server/js/src/gateway/hooks/useUpdateSecretMutation.ts | React hook for updating secrets |
| mlflow/server/js/src/gateway/hooks/useUpdateModelDefinitionMutation.tsx | React hook for updating model definitions |
| mlflow/server/js/src/gateway/hooks/useSecretsQuery.ts | React hook for fetching secrets list |
| mlflow/server/js/src/gateway/hooks/useSecretsConfigQuery.ts | React hook for checking secrets configuration |
| mlflow/server/js/src/gateway/hooks/useSecretQuery.ts | React hook for fetching single secret |
| mlflow/server/js/src/gateway/hooks/useProvidersQuery.ts | React hook for fetching provider list |
| mlflow/server/js/src/gateway/hooks/useProviderConfigQuery.ts | React hook for fetching provider configuration |

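Added example, not code from this PR or from MLflow: the pieces the description and review summary name (a passphrase availability check, envelope encryption with a PBKDF2-derived KEK and AES-256-GCM, and KEK rotation), showing why rotation only has to re-wrap the data key. The environment variable name, iteration count, record layout and function names are assumptions, and it relies on the third-party `cryptography` package.

```python
import hashlib
import os

from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed names and parameters for this example (not taken from MLflow).
PASSPHRASE_ENV = "EXAMPLE_KEK_PASSPHRASE"
PBKDF2_ITERATIONS = 600_000


def encryption_available(env=os.environ):
    """Availability check: report whether a passphrase is set, never its value."""
    return bool(env.get(PASSPHRASE_ENV, "").strip())


def derive_kek(passphrase, salt):
    """Stretch the passphrase into a 256-bit key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def _seal(key, plaintext, aad):
    nonce = os.urandom(12)  # fresh 96-bit nonce for every AES-GCM call
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def _open(key, blob, aad):
    # Raises cryptography.exceptions.InvalidTag on a wrong key or tampered data.
    return AESGCM(key).decrypt(blob[:12], blob[12:], aad)


def encrypt_secret(passphrase, name, value):
    """Encrypt value under a random DEK, then wrap the DEK under the KEK."""
    salt, dek, aad = os.urandom(16), AESGCM.generate_key(bit_length=256), name.encode()
    wrapped = _seal(derive_kek(passphrase, salt), dek, aad)
    return {"name": name, "salt": salt, "wrapped_dek": wrapped, "ciphertext": _seal(dek, value, aad)}


def decrypt_secret(passphrase, record):
    aad = record["name"].encode()  # binds both blobs to this record's name
    dek = _open(derive_kek(passphrase, record["salt"]), record["wrapped_dek"], aad)
    return _open(dek, record["ciphertext"], aad)


def rotate_kek(old_passphrase, new_passphrase, record):
    """Re-wrap only the DEK; the secret's ciphertext stays byte-for-byte the same."""
    aad = record["name"].encode()
    dek = _open(derive_kek(old_passphrase, record["salt"]), record["wrapped_dek"], aad)
    salt = os.urandom(16)
    return {**record, "salt": salt, "wrapped_dek": _seal(derive_kek(new_passphrase, salt), dek, aad)}
```

Because the secret name is passed as associated data, a wrapped key or ciphertext copied onto a record with a different name fails authentication instead of decrypting.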

@BenWilson2 BenWilson2 force-pushed the stack/endpoints/passphrase branch 2 times, most recently from 3178cff to 686c531 Compare December 4, 2025 23:40
Signed-off-by: Ben Wilson <benjamin.wilson@databricks.com>
@BenWilson2 BenWilson2 force-pushed the stack/endpoints/passphrase branch from f9a7399 to 8ece09e Compare December 11, 2025 22:43
Signed-off-by: Ben Wilson <benjamin.wilson@databricks.com>
@BenWilson2 BenWilson2 force-pushed the stack/endpoints/passphrase branch from 8ece09e to 08d4627 Compare December 12, 2025 19:36
position: 'sticky',
top: 0,
alignSelf: 'flex-start',
[`@media (max-width: ${sidebarHideBreakpoint}px)`]: {
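Review bot: `position: 'sticky'` with `top: 0` pins the sidebar, and the lines shown set no `maxHeight` or `overflowY`, so a summary taller than the viewport would have its lower part unreachable while pinned. Consider capping the height to the viewport and letting the sidebar scroll on its own.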

this should align with the breakpoints defined in LongFormSection / LongFormSummary and the create/edit pages

* A layout component for long forms with an optional summary sidebar.
* The sidebar is flexible and hides on narrow screens to avoid clipping the form.
*/
export function LongFormLayout({

where is this used? i don't see any references in code

* Displays provider, model (with capabilities and connection/API key info).
* Connection is nested under Model since each model can have its own API key mapping.
*/
export const EndpointSummary = ({
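Review bot: the doc comment above `EndpointSummary` says it displays "connection/API key info" without saying which fields that covers. State in the comment that only the key's name or a masked value is rendered, and keep the secret value itself out of this component's props, so a later change cannot surface it in the summary by accident.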

is this used anywhere?

@@ -1,4 +1,4 @@
import { useMutation, useQueryClient } from '@mlflow/mlflow/src/common/utils/reactQueryHooks';

was it necessary to revert the changes here? i think the @mlflow/mlflow import pattern is better as it stays consistent even as we move files around.

@daniellok-db daniellok-db left a comment

stamping to unblock

Signed-off-by: Ben Wilson <benjamin.wilson@databricks.com>
@B-Step62 B-Step62 left a comment

@BenWilson2 Let's split the PR. This includes so many changes across different domains.

@BenWilson2 BenWilson2 closed this Dec 29, 2025
@BenWilson2 BenWilson2 deleted the stack/endpoints/passphrase branch December 29, 2025 16:10