From Wave 5 test-coverage audit — F-Q-05 and F-Q-06. Severity: medium each.
F-Q-05 — Trailing-slash stripping
`KalshiConfig.post_init` rstrips trailing slashes from `base_url` and `ws_base_url` ("trailing slash is stripped automatically … to prevent double-slash in auth signing paths"). Auth signing strips trailing slash from the path (covered by `test_strips_trailing_slash`), but the config-level normalization at construction time has no test.
A user passing `base_url="https://api.elections.kalshi.com/trade-api/v2/"\` would otherwise produce double-slash paths and break RSA signing — exactly the failure mode the post-init prevents. A dataclass refactor that drops `post_init` slips through.
Test: construct `KalshiConfig(base_url="https://x/y/")\` and `KalshiConfig(ws_base_url="wss://x/y/")`. Assert both end without `/`. Plus a transport-level test: a signed GET with a trailing-slash base hits `/y/markets` (no `//markets`).
F-Q-06 — `extra_headers`
`KalshiConfig.extra_headers: dict[str, str]` is passed to `httpx.Client(headers=...)` and `httpx.AsyncClient(headers=...)` in `_base_client.py:94` and `:205`. No test verifies that user-supplied extras (e.g. `{"X-Trace-Id": "abc"}`) are actually sent on each request, nor that they don't conflict with per-request auth headers.
Distributed-tracing users have no regression coverage; a refactor moving `headers=config.extra_headers` to per-request would break header collision/precedence silently.
Test: config with `extra_headers={"X-Trace-Id": "trace-1", "User-Agent": "kalshi-sdk/test"}`. Fire a respx-mocked GET. Assert both headers on the wire AND `KALSHI-ACCESS-KEY` still present (verifies they don't overwrite each other).
From Wave 5 test-coverage audit — F-Q-05 and F-Q-06. Severity: medium each.
F-Q-05 — Trailing-slash stripping
`KalshiConfig.post_init` rstrips trailing slashes from `base_url` and `ws_base_url` ("trailing slash is stripped automatically … to prevent double-slash in auth signing paths"). Auth signing strips trailing slash from the path (covered by `test_strips_trailing_slash`), but the config-level normalization at construction time has no test.
A user passing `base_url="https://api.elections.kalshi.com/trade-api/v2/"\` would otherwise produce double-slash paths and break RSA signing — exactly the failure mode the post-init prevents. A dataclass refactor that drops `post_init` slips through.
Test: construct `KalshiConfig(base_url="https://x/y/")\` and `KalshiConfig(ws_base_url="wss://x/y/")`. Assert both end without `/`. Plus a transport-level test: a signed GET with a trailing-slash base hits `/y/markets` (no `//markets`).
F-Q-06 — `extra_headers`
`KalshiConfig.extra_headers: dict[str, str]` is passed to `httpx.Client(headers=...)` and `httpx.AsyncClient(headers=...)` in `_base_client.py:94` and `:205`. No test verifies that user-supplied extras (e.g. `{"X-Trace-Id": "abc"}`) are actually sent on each request, nor that they don't conflict with per-request auth headers.
Distributed-tracing users have no regression coverage; a refactor moving `headers=config.extra_headers` to per-request would break header collision/precedence silently.
Test: config with `extra_headers={"X-Trace-Id": "trace-1", "User-Agent": "kalshi-sdk/test"}`. Fire a respx-mocked GET. Assert both headers on the wire AND `KALSHI-ACCESS-KEY` still present (verifies they don't overwrite each other).