refactor(mcp): remove dead code from _internal.py and update tests

Remove unused _validate_header_value, _is_printable_ascii, _is_control_char,
_is_whitespace, _get_forbidden_char_desc, and _HEADER_WHITESPACE constant
from _internal.py. Update tests to cover the actual provider code path
instead of the removed internal function.

Author: timof1308

src/google/adk/tools/mcp_tool/_internal.py

@@ -21,23 +21,18 @@
 
 - Header validation implements RFC 7230 §3.2 for proper HTTP header format
 - Only truly dangerous control characters are removed from header values
-- Legitimate multi-line headers with proper folding are preserved
-- Binary data handling is separate from text data for security
 - All functions log security-relevant warnings when appropriate
 
 **RFC 7230 Compliance:**
 
 - Header names: only letters, digits, and hyphens allowed
 - Header values: control characters (0x00-0x1F, 0x7F) are dangerous
-- Header folding: CRLF sequences are preserved for legitimate use cases
-- Binary data: handled separately with explicit allow_binary flag
 
 **Attack Prevention:**
 
 - HTTP header injection attacks via control character filtering
 - Response splitting attacks through CRLF handling
 - Log injection attacks via character sanitization
-- Type confusion attacks through strict validation
 """
 
 from __future__ import annotations
@@ -48,9 +43,6 @@
 
 logger = logging.getLogger("google_adk." + __name__)
 
-# Header whitespace characters (RFC 7230 §3.2.4)
-_HEADER_WHITESPACE = "\r\n"
-
 # RFC 7230 compliant header name pattern (allows letters, digits, hyphens)
 _HEADER_NAME_PATTERN = re.compile(r"^[a-zA-Z0-9-]+\Z")
 
@@ -90,38 +82,6 @@
 }
 
 
-def _is_printable_ascii(char: str) -> bool:
-  """Check if character is printable ASCII."""
-  try:
-    return 0x20 <= ord(char) <= 0x7E
-  except ValueError:
-    return False
-
-
-def _is_control_char(char: str) -> bool:
-  """Check if character is a control character."""
-  return char in _DANGEROUS_CHARS
-
-
-def _is_whitespace(char: str) -> bool:
-  """Check if character is whitespace."""
-  return char in _HEADER_WHITESPACE
-
-
-def _get_forbidden_char_desc(char: str) -> str:
-  """Get description of forbidden character."""
-  if char == "\r":
-    return "carriage return"
-  elif char == "\n":
-    return "line feed"
-  elif char == "\t":
-    return "horizontal tab"
-  elif _is_printable_ascii(char):
-    return f"non-printable ASCII: {repr(char)}"
-  else:
-    return f"control character: {repr(char)}"
-
-
 def validate_header_name(header_name: str) -> None:
   """Validates that a header name conforms to RFC 7230.
   Only allows printable ASCII, no control chars, spaces, or separators.
@@ -158,53 +118,6 @@ def validate_header_format(header_format: str) -> None:
     )
 
 
-def _validate_header_value(value: Any, allow_binary: bool = False) -> None:
-  """Validates header values with RFC 7230 compliance and proper binary handling.
-
-  Args:
-      value: The header value to validate.
-      allow_binary: Whether to allow binary data (bytes) in header values.
-
-  Raises:
-      ValueError: If value contains dangerous characters.
-  """
-  if value is None:
-    return
-
-  if isinstance(value, bytes):
-    if not allow_binary:
-      raise ValueError("Binary data not allowed in HTTP header values")
-    # For binary data, check for dangerous bytes
-    for byte_val in value:
-      if byte_val < 128:  # ASCII range
-        char = chr(byte_val)
-        if char in _DANGEROUS_CHARS:
-          raise ValueError(
-              f"Binary data contains dangerous byte: {repr(char)} "
-              f"({_get_forbidden_char_desc(char)})"
-          )
-    return
-
-  # For strings, check for dangerous characters that could enable injection
-  if isinstance(value, str):
-    for char in value:
-      if char in _DANGEROUS_CHARS:
-        raise ValueError(
-            f"Header value contains dangerous character: {repr(char)} "
-            f"({_get_forbidden_char_desc(char)})"
-        )
-    return
-
-  # For other types, convert to string and validate
-  str_value = str(value)
-  for char in str_value:
-    if char in _DANGEROUS_CHARS:
-      raise ValueError(
-          "Header value (converted to string) contains dangerous character: "
-          f"{repr(char)} ({_get_forbidden_char_desc(char)})"
-      )
-
-
 def sanitize_header_value(value: Any) -> str:
   """Sanitizes a header value to prevent injection attacks.
 

tests/unittests/tools/mcp_tool/test_jwt_token_propagation.py

@@ -579,40 +579,27 @@ def test_header_value_crlf_stripped_in_provider(self):
     headers = provider(mock_context)
     assert headers == {"Authorization": "Bearer clean-token-123"}
 
-  def test_header_value_validation_rfc_compliant(self):
-    """Test that header value validation is RFC 7230 compliant."""
-    from google.adk.tools.mcp_tool._internal import _validate_header_value
+  def test_header_value_sanitization_in_provider(self):
+    """Test that header value sanitization works through the provider path."""
+    from google.adk.tools.mcp_tool.mcp_toolset import create_session_state_header_provider
 
-    # Valid header values should pass validation
-    valid_values = [
-        "Bearer token123",
-        "application/json",
-        "text/html; charset=utf-8",
-        "Basic dXNlcjpwYXNz",
-        "multipart/form-data; boundary=something",
-        123,  # Numbers should be converted to string
-        True,  # Boolean should be converted to string
-        45.67,  # Float should be converted to string
-    ]
+    mock_context = Mock(spec=ReadonlyContext)
 
-    for value in valid_values:
-      try:
-        _validate_header_value(value)  # Should not raise
-      except ValueError:
-        pytest.fail(f"Valid value {value!r} should not raise ValueError")
-
-    # Invalid header values should raise ValueError
-    invalid_values = [
-        "token\x00with\x01null",  # Contains control characters
-        "data\x02with\x03control",  # Contains control characters
-        b"binary\x00data",  # Binary data with null bytes
-        # {"complex": "object"},  # Complex object (when converted to string) - REMOVED as it is valid
-        # ["list", "data"],  # List (when converted to string) - REMOVED as it is valid
-    ]
+    # Test that dangerous characters in values get sanitized
+    mock_context.state = {"token": "clean-token"}
+    provider = create_session_state_header_provider(
+        state_key="token", header_name="Authorization", header_format="{value}"
+    )
+    headers = provider(mock_context)
+    assert headers == {"Authorization": "clean-token"}
 
-    for value in invalid_values:
-      with pytest.raises(ValueError):
-        _validate_header_value(value)
+    # Test that numbers and booleans are handled correctly
+    mock_context.state = {"count": 123}
+    provider = create_session_state_header_provider(
+        state_key="count", header_name="X-Count", header_format="{value}"
+    )
+    headers = provider(mock_context)
+    assert headers == {"X-Count": "123"}
 
   def test_session_state_header_provider_rfc_compliant(self):
     """Test that session state header provider handles edge cases correctly."""
@@ -648,26 +635,6 @@ def test_session_state_header_provider_rfc_compliant(self):
     headers = provider(mock_context)
     assert headers == {"Authorization": "Bearer default-token"}
 
-  def test_binary_data_handling(self):
-    """Test proper handling of binary data in header values."""
-    from google.adk.tools.mcp_tool._internal import _validate_header_value
-
-    # Binary data should be rejected by default
-    with pytest.raises(ValueError, match="Binary data not allowed"):
-      _validate_header_value(b"binary data")
-
-    # Binary data should be accepted with allow_binary=True if no dangerous bytes
-    safe_binary = b"safe binary data"
-    try:
-      _validate_header_value(safe_binary, allow_binary=True)
-    except ValueError:
-      pytest.fail("Safe binary data should be allowed with allow_binary=True")
-
-    # Binary data with dangerous bytes should be rejected even with allow_binary=True
-    dangerous_binary = b"dangerous\x00data\x01with\x02control"
-    with pytest.raises(ValueError, match="dangerous"):
-      _validate_header_value(dangerous_binary, allow_binary=True)
-
   def test_header_format_crlf_injection_protection(self):
     """Test that header format strings with CRLF sequences are rejected."""
     from google.adk.tools.mcp_tool._internal import validate_header_format