Security: Add zero-byte config data rejection

[jkebinger]

Summary

Implements comprehensive zero-byte protobuf rejection across all config loading mechanisms to prevent potential security issues from malformed data.

Security Features

• ✅ Reject zero-byte config data from HTTP responses with IllegalArgumentException
• ✅ Reject zero-byte config data from cache with IllegalArgumentException
• ✅ Ignore zero-byte config data from SSE streams with warning logs
• ✅ Exceptions trigger internal retry logic without propagating to embedding applications

Implementation Details

• HttpClient: Added zero-byte validation in requestConfigsFromURI() for HTTP responses and cached data
• SseConfigStreamingSubscriber: Added zero-byte detection in FlowSubscriber.onNext() for SSE streams
• Logging: All rejections logged with appropriate warning messages for debugging
• Exception Handling: Uses exceptions only for internal retry logic, prevents propagation to embedding apps

Test Coverage

• ✅ 4 new HttpClient tests covering zero-byte rejection from HTTP responses, cache, and valid config processing
• ✅ 5 new SseConfigStreamingSubscriber tests covering zero-byte SSE data, empty payloads, and valid processing
• ✅ Fixed existing tests to use valid non-zero protobuf data instead of empty default instances
• ✅ All tests pass (15 total tests for zero-byte functionality)

Test plan

• Verify zero-byte HTTP responses are rejected with IllegalArgumentException
• Verify zero-byte cached data is rejected with IllegalArgumentException
• Verify zero-byte SSE data is ignored with warning logs
• Verify valid config processing continues to work normally
• Verify exceptions trigger retry logic but don't propagate to embedding apps
• Run full test suite to ensure no regressions

🤖 Generated with Claude Code

[jdwyah]

thanks