fix(mcp): strip whitespace from KATANA_API_KEY#926
Merged
Conversation
A trailing newline or space on a copied-and-pasted KATANA_API_KEY would reach the auth layer as a malformed key and fail the first API call with no signal at the config site. Strip it at the lifespan read (an all-whitespace value collapses to "" and trips the existing required-key check). Mirrors the KATANA_SYNC_API_KEY handling added in #923. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens MCP server configuration hygiene by stripping leading/trailing whitespace from KATANA_API_KEY at process startup, preventing copy-paste artifacts (e.g., trailing newline) from reaching the auth layer as a malformed key.
Changes:
- Strip
KATANA_API_KEYvia(os.getenv(...) or "").strip()inserver.lifespan, so whitespace-only values collapse to""and trigger the existing required-key validation. - Add a unit test ensuring the
KatanaClientconstructor receives the strippedapi_keyvalue.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| katana_mcp_server/src/katana_mcp/server.py | Strips KATANA_API_KEY before validation and client construction, aligning with existing KATANA_SYNC_API_KEY hygiene. |
| katana_mcp_server/tests/test_server.py | Adds coverage to assert whitespace-padded KATANA_API_KEY is passed to the client in stripped form. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Completes the "strip both keys" config-hygiene fix. #923 (just merged) strips
KATANA_SYNC_API_KEY; this strips the primaryKATANA_API_KEYtoo.A trailing newline or space on a copy-pasted
KATANA_API_KEYwould otherwise reach the auth layer as a malformed key and fail the first API call with no signal at the config site. Stripping at the lifespan read fixes it; an all-whitespace value collapses to""and trips the existing required-key check (so a blank key still raises the clearValueError).Test plan
test_lifespan_strips_whitespace_from_api_key— a paddedKATANA_API_KEYreaches the client strippedtest_lifespan_missing_api_keystill raises (blank/whitespace →ValueError)test_server.pygreen (42 passed)🤖 Generated with Claude Code