fix(api): enforce query formatting

2025-12-03 14:53:54 +01:00
parent 27347f8249
commit e05af11db8


@@ -11,6 +11,7 @@ import logging
import os
import re
import time
import urllib.parse
from contextlib import asynccontextmanager
from typing import TYPE_CHECKING, Any
@@ -30,7 +31,7 @@ redis_client = None
@asynccontextmanager
async def _lifespan(_app: FastAPI) -> AsyncIterator[None]:
"""Lifespan handler: connect to Redis on startup and close on shutdown."""
global redis_client
global redis_client # type: ignore[PLW0603]
if REDIS_URL:
try:
import redis.asyncio as aioredis
@@ -160,6 +161,10 @@ async def _cache_set(key: str, value: CacheValue, ttl: int = CACHE_TTL_SECONDS)
async def validate_signature(signature: str = Query(...)) -> JSONResponse:
"""Validate a book signature and return total pages."""
# check cache first
# ensure signature is stripped of leading/trailing whitespace
signature = signature.strip()
# enforce url quotes
signature = urllib.parse.quote(signature)
cache_key = f"signature:{signature}"
cached = await _cache_get(cache_key)
if cached is not None:
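Review bot: `urllib.parse.quote(signature)` leaves `/` unescaped because `safe` defaults to `"/"`, so a signature containing slashes reaches `cache_key` and any later use unchanged; if the value is meant to be a single URL component, use `signature = urllib.parse.quote(signature, safe="")`. Percent-encoding is also not validation: a whitespace-only value becomes `""` after `strip()` and is still looked up as `signature:`, so an explicit rejection of empty or malformed input would enforce the format more clearly than encoding it. FastAPI has already decoded the query parameter, so a client that sends a pre-encoded value gets `%` turned into `%25`; this is presumably intended, but it deserves a comment. The `# check cache first` comment now sits above the normalisation instead of the lookup and should move down to the `_cache_get` line. The body of `validate_signature` continues past the hunk, so how the quoted value is used downstream is not visible here.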