Handle invalid source control URLs in registry identity lookup

Add validation for source control URLs in `lookupIdentities`:

1. Client-side validation before making HTTP requests:
   - URL must be parseable
   - URL must have a valid host
   - URL must not contain whitespace (indicates malformed URL with
     concatenated error messages)

2. Server-side validation via HTTP 400 response:
   - When the server returns 400 Bad Request, throw
     `RegistryError.invalidSourceControlURL`

This handles cases where malformed URLs (e.g., containing git credential
error messages like "'URL': failed looking up identity...") are passed
to the registry.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: pepicrft

Sources/PackageRegistry/RegistryClient.swift

@@ -1017,6 +1017,15 @@ public final class RegistryClient: AsyncCancellable {
         timeout: DispatchTimeInterval? = .none,
         observabilityScope: ObservabilityScope
     ) async throws -> Set<PackageIdentity> {
+        // Validate the URL before making a request.
+        // Valid source control URLs should be parseable and not contain whitespace
+        // (whitespace typically indicates a malformed URL with concatenated error messages).
+        guard let url = scmURL.url,
+              url.host != nil,
+              !scmURL.absoluteString.contains(where: \.isWhitespace) else {
+            throw RegistryError.invalidSourceControlURL(scmURL)
+        }
+
         guard let registry = self.configuration.defaultRegistry else {
             throw RegistryError.registryNotConfigured(scope: nil)
         }
@@ -1066,14 +1075,19 @@ public final class RegistryClient: AsyncCancellable {
             )
             observabilityScope.emit(debug: "matched identities for \(scmURL): \(packageIdentities)")
             return Set(packageIdentities.identifiers.map(PackageIdentity.plain))
+        case 400:
+            // 400 indicates the server rejected the URL as invalid.
+            // This can happen when malformed URLs (e.g., containing git credential error messages)
+            // are passed to the registry.
+            throw RegistryError.invalidSourceControlURL(scmURL)
         case 404:
             // 404 is valid, no identities mapped
             return []
         default:
             throw RegistryError.failedIdentityLookup(
                 registry: registry,
                 scmURL: scmURL,
-                error: self.unexpectedStatusError(response, expectedStatus: [200, 404])
+                error: self.unexpectedStatusError(response, expectedStatus: [200, 400, 404])
             )
         }
     }
@@ -1503,6 +1517,7 @@ public enum RegistryError: Error, CustomStringConvertible {
     case registryNotConfigured(scope: PackageIdentity.Scope?)
     case invalidPackageIdentity(PackageIdentity)
     case invalidURL(URL)
+    case invalidSourceControlURL(SourceControlURL)
     case invalidResponseStatus(expected: [Int], actual: Int)
     case invalidContentVersion(expected: String, actual: String?)
     case invalidContentType(expected: String, actual: String?)
@@ -1580,6 +1595,8 @@ public enum RegistryError: Error, CustomStringConvertible {
             return "invalid package identifier '\(packageIdentity)'"
         case .invalidURL(let url):
             return "invalid URL '\(url)'"
+        case .invalidSourceControlURL(let scmURL):
+            return "invalid source control URL '\(scmURL)'"
         case .invalidResponseStatus(let expected, let actual):
             return "invalid registry response status '\(actual)', expected '\(expected)'"
         case .invalidContentVersion(let expected, let actual):

Tests/PackageRegistryTests/RegistryClientTests.swift

@@ -3148,6 +3148,61 @@ fileprivate var availabilityURL = URL("\(registryURL)/availability")
         let identities = try await registryClient.lookupIdentities(scmURL: packageURL)
         #expect([PackageIdentity.plain("mona.LinkedList")] == identities)
     }
+
+    @Test func invalidSourceControlURL_clientValidation() async throws {
+        // Test that malformed URLs with whitespace are rejected before making HTTP requests
+        let malformedURL = SourceControlURL("https://github.com/owner/repo.git': failed looking up identity")
+
+        let httpClient = HTTPClient(implementation: { _, _ in
+            Issue.record("Should not make HTTP request for invalid URL")
+            throw StringError("unexpected HTTP request")
+        })
+        var configuration = RegistryConfiguration()
+        configuration.defaultRegistry = Registry(url: registryURL, supportsAvailability: false)
+
+        let registryClient = makeRegistryClient(configuration: configuration, httpClient: httpClient)
+        await #expect {
+            try await registryClient.lookupIdentities(scmURL: malformedURL)
+        } throws: { error in
+            if case RegistryError.invalidSourceControlURL(malformedURL) = error {
+                return true
+            }
+            return false
+        }
+    }
+
+    @Test func invalidSourceControlURL_serverValidation() async throws {
+        // Test that when the server returns 400 Bad Request, the client throws invalidSourceControlURL
+        let scmURL = packageURL
+
+        let handler: HTTPClient.Implementation = { request, _ in
+            // Server returns 400 Bad Request for invalid URLs
+            let data = #"{"message": "Invalid repository URL"}"#.data(using: .utf8)!
+            return .init(
+                statusCode: 400,
+                headers: .init([
+                    .init(name: "Content-Length", value: "\(data.count)"),
+                    .init(name: "Content-Type", value: "application/json"),
+                    .init(name: "Content-Version", value: "1"),
+                ]),
+                body: data
+            )
+        }
+
+        let httpClient = HTTPClient(implementation: handler)
+        var configuration = RegistryConfiguration()
+        configuration.defaultRegistry = Registry(url: registryURL, supportsAvailability: false)
+
+        let registryClient = makeRegistryClient(configuration: configuration, httpClient: httpClient)
+        await #expect {
+            try await registryClient.lookupIdentities(scmURL: scmURL)
+        } throws: { error in
+            if case RegistryError.invalidSourceControlURL(scmURL) = error {
+                return true
+            }
+            return false
+        }
+    }
 }
 
 @Suite("Login") struct Login {