Final Copilot comments

Author: edbaltra

src/main/groovy/com/rundeck/plugins/ansible/ansible/AnsibleRunner.java

@@ -1286,10 +1286,26 @@ public String encryptExtraVarsKey(String extraVars) throws Exception {
 
     /**
      * Sanitizes a node name to be safe for use in filesystem paths.
-     * Replaces unsafe characters with underscores and prevents hidden files and problematic names.
+     * <p>
+     * This method performs the following transformations:
+     * <ul>
+     *   <li>Replaces all characters except alphanumeric, dot, underscore, and hyphen with underscores</li>
+     *   <li>Prevents hidden files by prepending underscore if name starts with dot</li>
+     *   <li>Handles empty strings by prepending underscore</li>
+     * </ul>
+     * </p>
+     * <p>
+     * Examples:
+     * <ul>
+     *   <li>{@code "node-1"} → {@code "node-1"} (no change)</li>
+     *   <li>{@code "node@host"} → {@code "node_host"} (@ replaced)</li>
+     *   <li>{@code ".hidden"} → {@code "_.hidden"} (prevents hidden file)</li>
+     *   <li>{@code ""} → {@code "_"} (handles empty)</li>
+     * </ul>
+     * </p>
      *
-     * @param nodeName The original node name
-     * @return A sanitized node name safe for use in file paths
+     * @param nodeName The original node name to sanitize
+     * @return A sanitized node name safe for use in file paths, never null
      */
     String sanitizeNodeNameForFilesystem(String nodeName) {
         // Replace unsafe characters with underscores

src/main/groovy/com/rundeck/plugins/ansible/ansible/AnsibleRunnerContextBuilder.java

@@ -226,8 +226,9 @@ public String getPasswordFromPath(String storagePath) throws ConfigurationExcept
      *
      * @param storagePath The storage path to read from
      * @param resourceType Description of resource type for error messages (e.g., "ssh password", "ssh private key")
-     * @return The content as a UTF-8 string, or null if storagePath is null
-     * @throws ConfigurationException if reading fails
+     * @return The content as a UTF-8 string. Returns null ONLY if storagePath parameter is null (early return).
+     *         After attempting to read content, this method either returns a non-null string or throws an exception.
+     * @throws ConfigurationException if the storage path cannot be read or does not exist
      */
     private String readFromStoragePath(String storagePath, String resourceType) throws ConfigurationException {
         if (storagePath == null) {

src/test/groovy/com/rundeck/plugins/ansible/ansible/AnsibleRunnerSpec.groovy

@@ -623,6 +623,24 @@ class AnsibleRunnerSpec extends Specification{
         "key with spaces"    || "key with spaces"  // internal spaces are valid in unquoted YAML keys; node names with leading/trailing spaces are not supported
     }
 
+    def "escapeYamlKey: node names with leading/trailing spaces are not modified"() {
+        given:
+        def builder = AnsibleRunner.playbookInline("test")
+        builder.customTmpDirPath("/tmp")
+        def runner = builder.build()
+
+        expect:
+        // This documents that escapeYamlKey does not normalize leading/trailing spaces.
+        // Node names with such spaces are considered unsupported at a higher level.
+        runner.escapeYamlKey(key) == expectedResult
+
+        where:
+        key                    || expectedResult
+        " leading-space"       || " leading-space"
+        "trailing-space "      || "trailing-space "
+        "  both-sides  "       || "  both-sides  "
+    }
+
     def "escapeYamlValue: should quote values with special characters"() {
         given:
         def builder = AnsibleRunner.playbookInline("test")