Skip to content

fix(mcp): strip whitespace from KATANA_API_KEY#926

Merged
dougborg merged 1 commit into
mainfrom
fix/strip-katana-api-key
Jun 5, 2026
Merged

fix(mcp): strip whitespace from KATANA_API_KEY#926
dougborg merged 1 commit into
mainfrom
fix/strip-katana-api-key

Conversation

@dougborg

@dougborg dougborg commented Jun 5, 2026

Copy link
Copy Markdown
Owner

Summary

Completes the "strip both keys" config-hygiene fix. #923 (just merged) strips KATANA_SYNC_API_KEY; this strips the primary KATANA_API_KEY too.

A trailing newline or space on a copy-pasted KATANA_API_KEY would otherwise reach the auth layer as a malformed key and fail the first API call with no signal at the config site. Stripping at the lifespan read fixes it; an all-whitespace value collapses to "" and trips the existing required-key check (so a blank key still raises the clear ValueError).

Test plan

  • test_lifespan_strips_whitespace_from_api_key — a padded KATANA_API_KEY reaches the client stripped
  • Existing test_lifespan_missing_api_key still raises (blank/whitespace → ValueError)
  • pyright clean; test_server.py green (42 passed)

🤖 Generated with Claude Code

A trailing newline or space on a copied-and-pasted KATANA_API_KEY would
reach the auth layer as a malformed key and fail the first API call with
no signal at the config site. Strip it at the lifespan read (an
all-whitespace value collapses to "" and trips the existing required-key
check). Mirrors the KATANA_SYNC_API_KEY handling added in #923.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 5, 2026 19:35
@dougborg dougborg enabled auto-merge (squash) June 5, 2026 19:36

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens MCP server configuration hygiene by stripping leading/trailing whitespace from KATANA_API_KEY at process startup, preventing copy-paste artifacts (e.g., trailing newline) from reaching the auth layer as a malformed key.

Changes:

  • Strip KATANA_API_KEY via (os.getenv(...) or "").strip() in server.lifespan, so whitespace-only values collapse to "" and trigger the existing required-key validation.
  • Add a unit test ensuring the KatanaClient constructor receives the stripped api_key value.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
katana_mcp_server/src/katana_mcp/server.py Strips KATANA_API_KEY before validation and client construction, aligning with existing KATANA_SYNC_API_KEY hygiene.
katana_mcp_server/tests/test_server.py Adds coverage to assert whitespace-padded KATANA_API_KEY is passed to the client in stripped form.

@dougborg dougborg merged commit 7bc58b2 into main Jun 5, 2026
17 checks passed
@dougborg dougborg deleted the fix/strip-katana-api-key branch June 5, 2026 19:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants