fix(mcp): Remove duplicate create_session_state_header_provider

  - Remove duplicate function from _internal.py (kept in mcp_toolset.py)
  - Inline _sanitize_header_value into sanitize_header_value
  - Update test imports to use public API

  Addresses review comment

Author: timof1308

src/google/adk/tools/mcp_tool/_internal.py

@@ -142,38 +142,6 @@ def validate_header_name(header_name: str) -> None:
     )
 
 
-def _sanitize_header_value(value: str) -> str:
-  """Sanitizes a header value to prevent injection attacks.
-
-  This function removes ONLY truly dangerous characters that could cause
-  header injection attacks, while remaining RFC 7230 compliant.
-
-  Args:
-      value: The header value to sanitize.
-
-  Returns:
-      The sanitized header value with dangerous characters removed.
-  """
-  if not isinstance(value, str):
-    value = str(value)
-
-  # Remove only characters that are truly dangerous for HTTP headers
-  # These are control characters that can break parsing or enable injection
-  # We DON'T remove all \r\n sequences as that would break legitimate multi-line headers
-  # and violate RFC 7230 §3.2.4 which allows header folding
-  sanitized_chars = []
-  for char in value:
-    if char not in _DANGEROUS_CHARS:
-      sanitized_chars.append(char)
-    else:
-      logger.warning(
-          f"Removed dangerous character {repr(char)} from header value "
-          "for security reasons"
-      )
-
-  return "".join(sanitized_chars)
-
-
 def _validate_header_value(value: Any, allow_binary: bool = False) -> None:
   """Validates header values with RFC 7230 compliance and proper binary handling.
 
@@ -236,7 +204,21 @@ def sanitize_header_value(value: Any) -> str:
   if not isinstance(value, str):
     value = str(value)
 
-  return _sanitize_header_value(value)
+  # Remove only characters that are truly dangerous for HTTP headers
+  # These are control characters that can break parsing or enable injection
+  # We DON'T remove all \r\n sequences as that would break legitimate multi-line headers
+  # and violate RFC 7230 §3.2.4 which allows header folding
+  sanitized_chars = []
+  for char in value:
+    if char not in _DANGEROUS_CHARS:
+      sanitized_chars.append(char)
+    else:
+      logger.warning(
+          f"Removed dangerous character {repr(char)} from header value "
+          "for security reasons"
+      )
+
+  return "".join(sanitized_chars)
 
 
 def validate_header_value(
@@ -263,55 +245,3 @@ def validate_header_value(
       raise ValueError(msg)
     else:
       logger.warning(msg)
-
-
-def create_session_state_header_provider(
-    state_key: str,
-    header_name: str = "Authorization",
-    header_format: str = "Bearer {value}",
-    default_value: str = None,
-    strict: bool = False,
-):
-  """Creates a header provider that extracts values from session state.
-
-  This utility function generates a header_provider callable that can be used
-  with McpToolset to automatically extract values from session state and
-  format them as HTTP headers for MCP server connections.
-
-  .. warning::
-      **Security Best Practice**: For sensitive, short-lived tokens like JWTs,
-    use ``request_state`` instead of ``session.state`` to avoid persisting
-    sensitive data to the database. Pass tokens via
-    ``RunAgentRequest.request_state``, which will override ``session.state``
-    for the duration of the request without being persisted.
-
-  Args:
-      state_key: The key to look up in session.state (or request_state).
-    header_name: The HTTP header name to set (default: 'Authorization').
-    header_format: Format string for the header value. Use {value} as a
-        placeholder for the state value (default: 'Bearer {value}').
-    default_value: Default value if state_key is not found in session state.
-      If None, the header is omitted when the key is missing.
-      strict: If True, raises ValueError when non-primitive types are
-      encountered. If False (default), logs a warning instead.
-
-  Returns:
-    A callable that takes a ReadonlyContext and returns a dictionary of
-    headers to be used for the MCP session.
-  """
-  # Validate header name upfront
-  validate_header_name(header_name)
-
-  def provider(ctx) -> dict[str, str]:
-    value = ctx.state.get(state_key, default_value)
-    # Skip header if value is None or empty string
-    if value is None or value == "":
-      return {}
-
-    validate_header_value(state_key, value, strict=strict)
-    formatted_value = header_format.format(value=value)
-    sanitized_value = sanitize_header_value(formatted_value)
-
-    return {header_name: sanitized_value}
-
-  return provider

tests/unittests/tools/mcp_tool/test_jwt_token_propagation.py

@@ -271,7 +271,7 @@ def test_header_name_validation_invalid_names(self):
 
   def test_header_value_sanitization_safe_values(self):
     """Test that safe header values are unchanged."""
-    from google.adk.tools.mcp_tool._internal import _sanitize_header_value
+    from google.adk.tools.mcp_tool._internal import sanitize_header_value
 
     safe_values = [
         "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9",
@@ -281,12 +281,12 @@ def test_header_value_sanitization_safe_values(self):
     ]
 
     for value in safe_values:
-      result = _sanitize_header_value(value)
+      result = sanitize_header_value(value)
       assert result == value
 
   def test_header_value_sanitization_dangerous_values(self):
     """Test that dangerous characters are removed from header values."""
-    from google.adk.tools.mcp_tool._internal import _sanitize_header_value
+    from google.adk.tools.mcp_tool._internal import sanitize_header_value
 
     dangerous_values = [
         ("Bearer token\x00injected", "Bearer tokeninjected"),
@@ -296,17 +296,17 @@ def test_header_value_sanitization_dangerous_values(self):
     ]
 
     for input_val, expected in dangerous_values:
-      result = _sanitize_header_value(input_val)
+      result = sanitize_header_value(input_val)
       assert result == expected
 
   def test_header_value_sanitization_non_string_values(self):
     """Test that non-string values are converted to string."""
-    from google.adk.tools.mcp_tool._internal import _sanitize_header_value
+    from google.adk.tools.mcp_tool._internal import sanitize_header_value
 
-    result_int = _sanitize_header_value(123)
+    result_int = sanitize_header_value(123)
     assert result_int == "123"
 
-    result_bool = _sanitize_header_value(True)
+    result_bool = sanitize_header_value(True)
     assert result_bool == "True"
 
   def test_session_state_header_provider_with_invalid_header_name(self):
@@ -505,7 +505,7 @@ def test_header_name_validation_rfc_compliant(self):
 
   def test_header_value_sanitization_rfc_compliant(self):
     """Test that header value sanitization is RFC 7230 compliant."""
-    from google.adk.tools.mcp_tool._internal import _sanitize_header_value
+    from google.adk.tools.mcp_tool._internal import sanitize_header_value
 
     # Safe header values should remain unchanged
     safe_values = [
@@ -519,7 +519,7 @@ def test_header_value_sanitization_rfc_compliant(self):
     ]
 
     for value in safe_values:
-      result = _sanitize_header_value(value)
+      result = sanitize_header_value(value)
       assert result == value
 
     # Only truly dangerous characters should be removed
@@ -546,12 +546,12 @@ def test_header_value_sanitization_rfc_compliant(self):
     ]
 
     for input_val, expected in dangerous_cases:
-      result = _sanitize_header_value(input_val)
+      result = sanitize_header_value(input_val)
       assert result == expected
 
   def test_header_value_preserves_rfc_folding(self):
     """Test that legitimate CRLF sequences for header folding are preserved."""
-    from google.adk.tools.mcp_tool._internal import _sanitize_header_value
+    from google.adk.tools.mcp_tool._internal import sanitize_header_value
 
     # Multi-line headers with proper folding should be preserved (RFC 7230 §3.2.4)
     folding_cases = [
@@ -565,7 +565,7 @@ def test_header_value_preserves_rfc_folding(self):
     ]
 
     for folding_case in folding_cases:
-      result = _sanitize_header_value(folding_case[0])
+      result = sanitize_header_value(folding_case[0])
       assert result == folding_case[1]
 
   def test_header_value_validation_rfc_compliant(self):