
Config management bug fix #57

Merged
rkritika1508 merged 3 commits into main from feat/config-management-fixes
Feb 19, 2026


@rkritika1508 rkritika1508 commented Feb 18, 2026

Summary

Target issue is #56
Explain the motivation for making this change. What existing problem does the pull request solve?
When guardrails calls kaapi-backend for ban lists API, we use X-API-KEY header.
For X-API-KEY header in guardrail repo, we should take the entire API key like "ApiKey " and not directly.

Checklist

Before submitting a pull request, please ensure that you mark these tasks.

  • Ran fastapi run --reload app/main.py or docker compose up in the repository root and test.
  • If you've fixed a bug or added code that is tested and has test cases.

Notes

Please add here if any other information is required for the reviewer.

Summary by CodeRabbit

  • Bug Fixes
    • Fixed API key authentication header format—the X-API-KEY header now accepts raw API key values without the "ApiKey " prefix.

@rkritika1508 rkritika1508 marked this pull request as ready for review February 18, 2026 11:24

coderabbitai bot commented Feb 18, 2026


Walkthrough

The X-API-KEY header in the tenant authentication flow now passes the raw API token directly instead of prefixing it with "ApiKey ". Corresponding test expectations are updated to match this change.

Changes

| Cohort / File(s) | Summary |
|---|---|
| API Authentication Header (backend/app/api/deps.py) | Removed "ApiKey " prefix from X-API-KEY header value; now sends raw token directly. |
| Multitenant Tests (backend/app/tests/test_deps_multitenant.py) | Updated test assertions to expect raw API key values without "ApiKey " prefix in header expectations. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related issues

Suggested reviewers

  • AkhileshNegi

Poem

🐰 A token stripped bare of its prefix so grand,
Now travels as-is through our auth-land,
Tests dance along in synchronized cheer,
Simpler headers, crystal clear! ✨

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Title check | ❓ Inconclusive | The title 'Config management bug fix' is vague and generic, using non-descriptive terminology that doesn't convey the specific technical change being made. | Replace with a more specific title such as 'Remove ApiKey prefix from X-API-KEY header in tenant backend calls' to clarify the actual change. |

✅ Passed checks (1 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |


@rkritika1508 rkritika1508 linked an issue Feb 18, 2026 that may be closed by this pull request

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
backend/app/tests/test_deps_multitenant.py (1)

112-143: test_validate_multitenant_key_accepts_raw_header_value is a near-duplicate of test_validate_multitenant_key_parses_credentials_shape.

Both test the happy path with the same assertions (URL, X-API-KEY header value, timeout, returned TenantContext). The only difference is the token string ("No3x47A5" vs "abc123") and the hardcoded auth URL. This adds no additional coverage over the existing test.

Consider removing this test or replacing it with a more focused assertion (e.g., testing a token that contains spaces or special characters to exercise stripping behavior) to avoid test suite bloat.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@backend/app/tests/test_deps_multitenant.py` around lines 112 - 143, The test
test_validate_multitenant_key_accepts_raw_header_value is a near-duplicate of
test_validate_multitenant_key_parses_credentials_shape and should be removed or
changed; either delete this redundant test, or modify it to exercise different
behavior of validate_multitenant_key (for example supply a token with
leading/trailing spaces or special characters to verify stripping/encoding
behavior and assert the X-API-KEY header and TenantContext accordingly),
referencing the test names
test_validate_multitenant_key_accepts_raw_header_value,
test_validate_multitenant_key_parses_credentials_shape and the
validate_multitenant_key function so you update the right tests.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@backend/app/tests/test_deps_multitenant.py`:
- Line 45: Update the test assertions that check
captured["headers"]["X-API-KEY"] to expect the header with the "ApiKey " prefix
(e.g., "ApiKey abc123" and "ApiKey No3x47A5") so they match the corrected
deps.py behavior; change the two failing assertions (the one showing
captured["headers"]["X-API-KEY"] == "abc123" and the similar assertion around
the other token) to assert the prefixed values instead.

---

Nitpick comments:
In `@backend/app/tests/test_deps_multitenant.py`:
- Around line 112-143: The test
test_validate_multitenant_key_accepts_raw_header_value is a near-duplicate of
test_validate_multitenant_key_parses_credentials_shape and should be removed or
changed; either delete this redundant test, or modify it to exercise different
behavior of validate_multitenant_key (for example supply a token with
leading/trailing spaces or special characters to verify stripping/encoding
behavior and assert the X-API-KEY header and TenantContext accordingly),
referencing the test names
test_validate_multitenant_key_accepts_raw_header_value,
test_validate_multitenant_key_parses_credentials_shape and the
validate_multitenant_key function so you update the right tests.
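
An added example, not code from this repository or from the review bot: one way to normalise the credential before it is placed in X-API-KEY, so that a prefixed key and a raw key yield the same header and values with a doubled prefix, inner whitespace or CR/LF are rejected. The names `extract_token`, `build_x_api_key`, `is_well_formed`, the `send_prefix` switch and the allowed token alphabet are assumptions for illustration.

```python
import re

# Assumption: keys use a URL-safe alphabet; anything else is rejected.
_CREDENTIAL = re.compile(r"(?:ApiKey[ \t]+)?([A-Za-z0-9._~+/=-]+)")


def extract_token(credential: str) -> str:
    """Return the bare token from 'ApiKey <token>' or '<token>'."""
    match = _CREDENTIAL.fullmatch(credential.strip())
    # No match covers empty input, a doubled prefix, inner spaces and
    # CR/LF that would otherwise reach the outbound header value.
    if match is None or match.group(1) == "ApiKey":
        raise ValueError("malformed API key")
    return match.group(1)


def build_x_api_key(credential: str, *, send_prefix: bool) -> dict:
    """Build the outbound header in the single format the backend expects.

    send_prefix is a hypothetical setting: the caller states which wire
    format the receiving service validates, and every input shape is
    normalised to it.
    """
    token = extract_token(credential)
    return {"X-API-KEY": f"ApiKey {token}" if send_prefix else token}


def is_well_formed(credential: str) -> bool:
    """True when the credential can be normalised without error."""
    try:
        extract_token(credential)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs; "abc123" and "No3x47A5" are the tokens quoted in the review.
    samples = ["abc123", "ApiKey abc123", "  No3x47A5 ",
               "ApiKey ApiKey abc123", "abc123\r\nX-Other: 1"]
    for raw in samples:
        if is_well_formed(raw):
            print(repr(raw), "->", build_x_api_key(raw, send_prefix=True))
        else:
            print(repr(raw), "-> rejected")
```

Pinning the wire format in one function and asserting on it in the tests keeps the client and the receiving service from drifting apart on whether the prefix is sent.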


coderabbitai bot commented Feb 18, 2026

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.


@rkritika1508 rkritika1508 merged commit 20384ea into main Feb 19, 2026
2 checks passed
@rkritika1508 rkritika1508 deleted the feat/config-management-fixes branch February 19, 2026 06:06

Development

Successfully merging this pull request may close these issues.

Config management auth
