fix: trim whitespace from env-provided secrets#20
Merged
Conversation
CI-injected secrets often carry a trailing newline. An untrimmed api_key smuggled into the x-api-key HTTP header is rejected as a non-printable character, failing every live LLM test. Trim values read from environment variables in both env helpers.
meefs
pushed a commit
to meefs/cantrip
that referenced
this pull request
May 29, 2026
Test debt surfaced by actually running the live suite: the code-medium test declared `gates: [:done, :list_dir]` as bare atoms without a root dependency. Pre-deepfates#20, list_dir was "effectively unscoped" and tolerated missing root. Post-deepfates#20 (Cantrip.Gate.Path.validate/2 fail-closed on missing root), list_dir correctly errors, which made every iteration in the live test fail at the gate call. The cleanup work was correct; the live test wasn't updated to match the tightened security contract. Fix: pass `dependencies: %{root: File.cwd!()}` to the list_dir gate. All three live_anthropic_test tests now pass. Underscores why we should have been running live tests against the cleanup branch instead of treating them as "needs user's API key."
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The `verify` CI job failed every live LLM test with:
```
invalid value for header (only printable ASCII characters are allowed) "x-api-key": "[REDACTED]\n"
```
CI-injected secrets commonly carry a trailing newline. An untrimmed `api_key` smuggled into the `x-api-key` HTTP header is rejected by Mint/Finch as a non-printable character, taking down all of `LiveAnthropicTest`, `FamiliarEvalSignalTest`, and `RealLLMIntegrationTest`.
Fix
Trim whitespace from values read from environment variables in both env-reading helpers in `Cantrip.LLM` (`env/4` and `env_first/1`) via a new `trim_env/1`. This normalizes secrets (and model names, base URLs) before they reach the HTTP layer.
Verification