Validate source control URL before registry identity lookup

Add validation in `lookupIdentities` to detect malformed URLs before
making HTTP requests to the registry server. This prevents sending
invalid URLs that may contain git credential error messages concatenated
to the original URL.

When macOS git-credential-osxkeychain fails to find credentials, it
outputs error messages in a format like:
'https://github.com/owner/repo.git': failed looking up identity for ...

In some edge cases, these error messages can get concatenated with the
original URL, resulting in malformed URLs being passed to the registry.
This causes server-side errors and confusing diagnostics.

The validation checks:
- URL can be parsed by Foundation
- URL has a non-empty host
- URL doesn't contain patterns indicative of concatenated error messages

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: pepicrft

Sources/PackageRegistry/RegistryClient.swift

@@ -1017,6 +1017,19 @@ public final class RegistryClient: AsyncCancellable {
         timeout: DispatchTimeInterval? = .none,
         observabilityScope: ObservabilityScope
     ) async throws -> Set<PackageIdentity> {
+        // Validate that the source control URL is well-formed before making the request.
+        // This catches malformed URLs that may contain error messages (e.g., from git credential helpers).
+        // Git credential errors often produce messages like:
+        // "'https://github.com/owner/repo.git': failed looking up identity for ..."
+        // which can get concatenated with the URL.
+        guard let url = scmURL.url,
+              let host = url.host,
+              !host.isEmpty,
+              !scmURL.absoluteString.contains("': "),
+              !scmURL.absoluteString.contains("' :") else {
+            throw RegistryError.invalidSourceControlURL(scmURL)
+        }
+
         guard let registry = self.configuration.defaultRegistry else {
             throw RegistryError.registryNotConfigured(scope: nil)
         }
@@ -1503,6 +1516,7 @@ public enum RegistryError: Error, CustomStringConvertible {
     case registryNotConfigured(scope: PackageIdentity.Scope?)
     case invalidPackageIdentity(PackageIdentity)
     case invalidURL(URL)
+    case invalidSourceControlURL(SourceControlURL)
     case invalidResponseStatus(expected: [Int], actual: Int)
     case invalidContentVersion(expected: String, actual: String?)
     case invalidContentType(expected: String, actual: String?)
@@ -1580,6 +1594,8 @@ public enum RegistryError: Error, CustomStringConvertible {
             return "invalid package identifier '\(packageIdentity)'"
         case .invalidURL(let url):
             return "invalid URL '\(url)'"
+        case .invalidSourceControlURL(let scmURL):
+            return "invalid source control URL '\(scmURL)'"
         case .invalidResponseStatus(let expected, let actual):
             return "invalid registry response status '\(actual)', expected '\(expected)'"
         case .invalidContentVersion(let expected, let actual):

Tests/PackageRegistryTests/RegistryClientTests.swift

@@ -3148,6 +3148,27 @@ fileprivate var availabilityURL = URL("\(registryURL)/availability")
         let identities = try await registryClient.lookupIdentities(scmURL: packageURL)
         #expect([PackageIdentity.plain("mona.LinkedList")] == identities)
     }
+
+    @Test func invalidSourceControlURL() async throws {
+        // Test that malformed URLs (e.g., containing git credential error messages) are rejected
+        let malformedURL = SourceControlURL("https://github.com/owner/repo.git': failed looking up identity")
+
+        let httpClient = HTTPClient(implementation: { _, _ in
+            throw StringError("should not make HTTP request for invalid URL")
+        })
+        var configuration = RegistryConfiguration()
+        configuration.defaultRegistry = Registry(url: registryURL, supportsAvailability: false)
+
+        let registryClient = makeRegistryClient(configuration: configuration, httpClient: httpClient)
+        await #expect {
+            try await registryClient.lookupIdentities(scmURL: malformedURL)
+        } throws: { error in
+            if case RegistryError.invalidSourceControlURL(malformedURL) = error {
+                return true
+            }
+            return false
+        }
+    }
 }
 
 @Suite("Login") struct Login {