fix(bedrock): tolerate a missing Connection header when signing

[EffortlessSteven]

What this does

get_auth_headers strips Connection from the SigV4-signed set so a proxy that drops it cannot break signature verification. It used del headers["connection"], which raises KeyError on httpx.Headers when the header is absent (a custom http_client may omit or strip it before signing).

Fix: remove the header only if present instead of deleting by an assumed key, so the signed set never includes connection and a missing Connection is a no-op, not a KeyError. Preserves the httpx.Headers container and case-insensitive match.

Verification

Red on main, green after.

Check	Result
missing-Connection regression	unpatched KeyError, patched signs
present mixed-case Connection	stays out of SignedHeaders
ruff format, ruff check	clean
pytest test_bedrock_auth + test_aws_auth	62 passed

Review map

• src/anthropic/lib/bedrock/_auth.py: copy headers, then pop("connection", None) instead of del; sign new_headers.
• tests/lib/test_bedrock_auth.py: missing-Connection regression; mixed-case Connection excluded from SignedHeaders; sanity.

[coderabbitai]

Warning

Review limit reached

@EffortlessSteven, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 5 minutes and 45 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 29b784e8-6055-47f1-a6aa-c9f5ee4d0502

📥 Commits

Reviewing files that changed from the base of the PR and between 0c89142 and 0ddb758.

📒 Files selected for processing (4)

• src/anthropic/lib/_parse/_transform.py
• src/anthropic/lib/bedrock/_auth.py
• tests/lib/_parse/test_transform.py
• tests/lib/test_bedrock_auth.py

📝 Walkthrough

Walkthrough

This PR fixes AWS SigV4 signing in Bedrock authentication by filtering out the connection header case-insensitively before signing, replacing a mutation-based approach. Three test cases cover Authorization header presence, connection header exclusion from SignedHeaders, and regression prevention.

Changes

Connection Header Filtering in Bedrock Auth

Layer / File(s)	Summary
SigV4 connection header filtering and tests src/anthropic/lib/bedrock/_auth.py, tests/lib/test_bedrock_auth.py	The get_auth_headers function builds a filtered header map that excludes any header matching connection case-insensitively, then creates the AWSRequest from the filtered headers. Tests verify Authorization headers are present, confirm connection is stripped from SignedHeaders, and ensure signing succeeds without a connection header.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A header once tangled in signing's way,
Now filtered with care, case by case,
Connection removed before AWS plays,
Tests confirm it vanished without a trace. 🐰✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: making the Connection header handling more robust to missing headers during SigV4 signing.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description clearly explains the bug fix: handling missing Connection headers in Bedrock SigV4 signing to avoid KeyError, with verification steps and a review map.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/bedrock-connection-header-robust

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request safely removes the "connection" header from the request headers before signing to prevent a potential KeyError when the header is missing, and adds comprehensive unit tests to verify this behavior. The reviewer suggested a cleaner and safer approach using headers.copy() and .pop("connection", None) to preserve the httpx.Headers type and correctly handle multi-value headers.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/lib/test_bedrock_auth.py`:
- Around line 29-45: The test test_strips_connection_header_from_signing only
checks lowercase "connection"; update it to also include a mixed-case header
(e.g., "Connection" or "ConNeCtIoN") when calling get_auth_headers so the
header-stripping behavior is verified case-insensitively, then assert (using the
existing signed = re.search(...) and assert "connection" not in
signed.group(1).split(";")) that the connection header is not present in the
SignedHeaders regardless of its case; keep using the same call-site and
Authorization parsing logic so the additional assertion uses the same signed
variable or a second equivalent extraction.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f59960c4-29d1-4b80-8927-55e039d0de81

📥 Commits

Reviewing files that changed from the base of the PR and between ddd43b7 and 0c89142.

📒 Files selected for processing (2)

• src/anthropic/lib/bedrock/_auth.py
• tests/lib/test_bedrock_auth.py

📜 Review details

🧰 Additional context used

🪛 OpenGrep (1.22.0)

tests/lib/test_bedrock_auth.py

[WARNING] 9-9: Hardcoded AWS access key detected. Use environment variables or a secrets manager instead.

(coderabbit.secrets.aws-access-key)

🪛 Ruff (0.15.15)

tests/lib/test_bedrock_auth.py

[error] 10-10: Possible hardcoded password assigned to: "_SECRET_KEY"

(S105)

🔇 Additional comments (2)

src/anthropic/lib/bedrock/_auth.py (1)

59-61: LGTM!

tests/lib/test_bedrock_auth.py (1)

14-27: LGTM!

Also applies to: 46-64