@Copilot Copilot AI commented Aug 22, 2025

This PR addresses a critical debugging issue where invisible Unicode characters in SecretProviderClass YAML configurations can cause difficult-to-diagnose failures. As reported in the issue, users have experienced multi-day debugging sessions trying to identify why seemingly valid configurations don't work.

Problem

When invisible characters like Zero Width Space (U+200B) are accidentally included in SecretProviderClass YAML files, they create configuration strings that:

  • Appear identical to valid configurations when viewed in most editors
  • Pass YAML parsing successfully
  • Fail during runtime with cryptic errors
  • Are extremely difficult to detect without specialized tools

For example, these two object names look identical but behave differently:

"secret1"        # 7 bytes: [115 101 99 114 101 116 49]
"secret1​"       # 10 bytes: [115 101 99 114 101 116 49 226 128 139] - contains U+200B

Solution

Added comprehensive validation to detect invisible/zero-width Unicode characters in all KeyVaultObject string fields during the validation phase. The implementation:

  1. New validation function validateNoInvisibleCharacters() that detects:

    • U+200B (Zero Width Space) - the specific character from the reported issue
    • U+200C (Zero Width Non-Joiner)
    • U+200D (Zero Width Joiner)
    • U+FEFF (Zero Width No-Break Space/BOM)
    • U+2060 (Word Joiner)
    • Other Unicode format characters (with exception for commonly-used soft hyphen)

  2. Integration into the existing validate() function to check all KeyVaultObject fields:

    • objectName, objectAlias, objectVersion, objectType, objectFormat, objectEncoding, filePermission

  3. Clear error messages that identify exactly which field contains an invisible character and its position:

    field objectName contains invisible character Zero Width Space (U+200B) at position 6

Testing

  • Added 15 new test cases covering various invisible characters and scenarios
  • All existing tests continue to pass (no regressions)
  • Manual verification confirms the validation catches the exact issue described
  • Full build and lint validation passes

This change prevents the multi-day debugging scenarios described in the issue by providing immediate, actionable feedback when invisible characters are detected.

Fixes #1544.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • testKV.vault.azure.net
    • Triggering command: /tmp/go-build1738392051/b501/provider.test -test.paniconexit0 -test.gocoverdir=/tmp/go-build1738392051/b501/gocoverdir -test.timeout=10m0s -test.coverprofile=/tmp/go-build1738392051/b501/_cover_.out -test.v=true (dns block)
    • Triggering command: /tmp/go-build3950577698/b001/provider.test -test.testlogfile=/tmp/go-build3950577698/b001/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true (dns block)
    • Triggering command: /tmp/go-build2308977073/b501/provider.test -test.paniconexit0 -test.gocoverdir=/tmp/go-build2308977073/b501/gocoverdir -test.timeout=10m0s -test.coverprofile=/tmp/go-build2308977073/b501/_cover_.out -test.v=true (dns block)

If you need me to access, download, or install something from one of these locations, you can either:



@Copilot Copilot AI assigned Copilot and enj Aug 22, 2025

Copilot AI commented Aug 22, 2025

@enj 👋 This repository doesn't have Copilot instructions. With Copilot instructions, I can understand the repository better, work faster and produce higher quality PRs.

I can generate a .github/copilot-instructions.md file for you automatically. Click here to open a pre-filled issue and assign it to me. I'll write the instructions, and then tag you for review.

@Copilot Copilot AI changed the title from "[WIP] [Feature request] Reject input with invisible/zero-width character" to "Add validation to reject invisible/zero-width characters in SecretProviderClass configuration" Aug 22, 2025
@Copilot Copilot AI requested a review from enj August 22, 2025 21:02
Copilot finished work on behalf of enj August 22, 2025 21:02
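
A minimal Go sketch of the check the PR description outlines, added here as an illustration and not taken from the PR's diff or the provider's code. findInvisible and checkField are hypothetical names, the inputs are constructed, and the reported position is assumed to be a byte offset.

```go
package main

import (
	"fmt"
	"unicode"
)

// Names for the characters listed in the PR description; any other
// format character (category Cf) is reported by code point only.
var invisibleNames = map[rune]string{
	0x200B: "Zero Width Space",
	0x200C: "Zero Width Non-Joiner",
	0x200D: "Zero Width Joiner",
	0x2060: "Word Joiner",
	0xFEFF: "Zero Width No-Break Space/BOM",
}

const softHyphen = 0x00AD // exempted, as the PR description states

// findInvisible returns the byte offset and rune of the first invisible
// character in s, or -1 if there is none.
func findInvisible(s string) (int, rune) {
	for i, r := range s {
		if _, named := invisibleNames[r]; named || (r != softHyphen && unicode.Is(unicode.Cf, r)) {
			return i, r
		}
	}
	return -1, 0
}

// checkField (hypothetical) builds an error in the style quoted in the PR.
func checkField(field, value string) error {
	pos, r := findInvisible(value)
	if pos < 0 {
		return nil
	}
	name, ok := invisibleNames[r]
	if !ok {
		name = "Unicode format character"
	}
	return fmt.Errorf("field %s contains invisible character %s (U+%04X) at position %d", field, name, r, pos)
}

func main() {
	// Constructed inputs: plain, trailing U+200B, soft hyphen, U+202E override.
	for _, v := range []string{"secret1", "secret1\u200b", "se\u00adcret", "key\u202e"} {
		fmt.Printf("%q (%d bytes): %v\n", v, len(v), checkField("objectName", v))
	}
}
```

Printing values with %q, as main does, escapes the hidden code points, which makes them visible in logs and test output.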

Successfully merging this pull request may close these issues.

[Feature request] Reject input with invisible/zero-width character