Add safe attribute capture for pydantic_ai

[BenWilson2]

🛠 DevTools 🛠

Install mlflow from this PR

# mlflow
pip install git+https://github.com/mlflow/mlflow.git@refs/pull/19219/merge
# mlflow-skinny
pip install git+https://github.com/mlflow/mlflow.git@refs/pull/19219/merge#subdirectory=libs/skinny

For Databricks, use the following command:

%sh curl -LsSf https://raw.githubusercontent.com/mlflow/mlflow/HEAD/dev/install-skinny.sh | sh -s pull/19219/merge

Related Issues/PRs

Resolve #19195

What changes are proposed in this pull request?

Adds allowlist capture of object attributes for auto tracing for pydantic-ai. Our current implementation captures internal state of objects involved in patching async requests which causes pydantic ai's Async wrapper for clients to throw Exceptions (which are ignored, but is still clearly messing with Python GC of these async futures).

How is this PR tested?

• Existing unit/integration tests
• New unit/integration tests
• Manual tests

Does this PR require documentation update?

• No. You can skip the rest of this section.
• Yes. I've updated:
  • Examples
  • API references
  • Instructions

Release Notes

Is this a user-facing change?

• No. You can skip the rest of this section.
• Yes. Give a description of this change to be included in the release notes for MLflow users.

What component(s), interfaces, languages, and integrations does this PR affect?

Components

• area/tracking: Tracking Service, tracking client APIs, autologging
• area/models: MLmodel format, model serialization/deserialization, flavors
• area/model-registry: Model Registry service, APIs, and the fluent client calls for Model Registry
• area/scoring: MLflow Model server, model deployment tools, Spark UDFs
• area/evaluation: MLflow model evaluation features, evaluation metrics, and evaluation workflows
• area/gateway: MLflow AI Gateway client APIs, server, and third-party integrations
• area/prompts: MLflow prompt engineering features, prompt templates, and prompt management
• area/tracing: MLflow Tracing features, tracing APIs, and LLM tracing functionality
• area/projects: MLproject format, project running backends
• area/uiux: Front-end, user experience, plotting, JavaScript, JavaScript dev server
• area/build: Build and test infrastructure for MLflow
• area/docs: MLflow documentation pages

How should the PR be classified in the release notes? Choose one:

• rn/none - No description will be included. The PR will be mentioned only by the PR number in the "Small Bugfixes and Documentation Updates" section
• rn/breaking-change - The PR will be mentioned in the "Breaking Changes" section
• rn/feature - A new user-facing feature worth mentioning in the release notes
• rn/bug-fix - A user-facing bug fix worth mentioning in the release notes
• rn/documentation - A user-facing documentation change worth mentioning in the release notes

Should this PR be included in the next patch release?

Yes should be selected for bug fixes, documentation updates, and other small changes. No should be selected for new features and larger changes. If you're unsure about the release classification of this PR, leave this unchecked to let the maintainers decide.

What is a minor/patch release?

• Minor release: a release that increments the second part of the version number (e.g., 1.2.0 -> 1.3.0).
  Bug fixes, doc updates and new features usually go into minor releases.
• Patch release: a release that increments the third part of the version number (e.g., 1.2.0 -> 1.2.1).
  Bug fixes and doc updates usually go into patch releases.

• Yes (this PR will be cherry-picked and included in the next patch release)
• No (this PR will be included in the next minor release)

[Copilot]

Pull request overview

This PR adds safe attribute capture for pydantic_ai autologging to prevent interference with async cleanup processes. The changes implement allowlist-based attribute extraction instead of capturing all object attributes, which was causing issues with internal async client state management.

Key Changes:

• Introduced allowlist-based attribute capture using frozen sets for agent, model, tool, and MCP server attributes
• Added helper functions _is_safe_for_serialization and _safe_get_attribute to safely extract and validate attributes
• Refactored attribute getter functions to use allowlists instead of iterating over all __dict__ items

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
mlflow/pydantic_ai/autolog.py	Implements allowlist-based attribute capture with safe serialization checks to avoid capturing client/provider references that interfere with async cleanup
tests/pydantic_ai/test_pydanticai_tracing.py	Adds comprehensive tests for allowlist behavior and validates that client references are not captured in traces

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

list and tuple are included in _SAFE_ATTRIBUTE_TYPES on line 55, which means any list or tuple would be considered safe regardless of their contents. However, the function recursively validates dict values (lines 63-64) but not list/tuple elements. This inconsistency could allow unsafe objects to be captured if they're contained in a list or tuple. Consider adding recursive validation for list and tuple elements similar to the dict validation.

Suggested change

	if isinstance(value, _SAFE_ATTRIBUTE_TYPES):
	return True
	if isinstance(value, dict):
	return all(_is_safe_for_serialization(v) for v in value.values())
	if isinstance(value, (str, int, float, bool, type(None))):
	return True
	if isinstance(value, dict):
	return all(_is_safe_for_serialization(v) for v in value.values())
	if isinstance(value, (list, tuple)):
	return all(_is_safe_for_serialization(v) for v in value)

[Copilot]

The new _get_mcp_server_attributes function is not covered by the parametrized test test_attribute_getter_uses_allowlist. Consider adding a test case for this function similar to the existing test cases for _get_agent_attributes, _get_model_attributes, and _get_tool_attributes to ensure consistent behavior and test coverage.

[Copilot]

type(None) (which is NoneType) is included in _SAFE_ATTRIBUTE_TYPES, but the function explicitly returns False for None values on line 59-60. This creates contradictory logic: line 61 checks isinstance(value, _SAFE_ATTRIBUTE_TYPES) which would include None, but that check is never reached because None is caught earlier. Either remove type(None) from _SAFE_ATTRIBUTE_TYPES or remove the explicit None check on line 59-60.

[github-actions]

Documentation preview for d607320 is available at:

• https://pr-19219--mlflow-docs-preview.netlify.app/docs/latest/

More info

• Ignore this comment if this PR does not change the documentation.
• The preview is updated when a new commit is pushed to this PR.
• This comment was created by this workflow run.
• The documentation was built by this workflow run.

[serena-ruan]

Could you explain which part causes the error of

Exception ignored in: <function AsyncHttpxClientWrapper.del at ...>
AttributeError: 'AsyncHttpxClientWrapper' object has no attribute '_state'

? If we add allowlist does that mean in the future we need to extend the list to support new attributes (which seems more maintenance burden)?

[BenWilson2]

The fact that we're pulling in all attributes is the part that's causing an issue. We're pulling in the base class attributes from within their library which is causing a reference to exist when their async loop manager attempts to GC the object which raises the exception of a reference not being present.
While I agree this is a bit of an addition of maintenance burden, the fact that we're doing the 'easier to maintain' approach and that is causing exceptions to be raised in client code is not good.

[serena-ruan]

What about skipping all attributes starting with underscores?

[BenWilson2]

Let me give that a shot :) I think that might be a great compromise between maintainability and correctness :D Thanks @serena-ruan !

[serena-ruan]

Is this always true?

[BenWilson2]

There's a cleaner way to do this... instead of using dunder commands I'll use the standard method just as a guard to protect unserializable subclass components from the library

[serena-ruan]

What about skipping all attributes starting with underscores?

[serena-ruan]

LGTM!