Document rejection of invisible-separator baseURL wrappers

cursoragent · ericallam · cursoragent · commit 1a2f243cfde0 · 2026-02-15T06:22:50.000Z
Co-authored-by: Eric Allam &lt;eric@trigger.dev&gt;
diff --git a/.changeset/curly-radios-visit.md b/.changeset/curly-radios-visit.md
@@ -11,5 +11,6 @@ Add a new `@trigger.dev/ai` package with:
 - strict `baseURL` normalization/validation (trimming, path-safe slash handling, absolute `http(s)` URLs only, no query/hash/credentials)
 - rejection of internal whitespace characters in normalized `baseURL` values
 - rejection of internal invisible separator characters (e.g. zero-width/BOM characters) in normalized `baseURL` values
+- rejection of invisible separator wrappers around otherwise valid `baseURL` values (for example `\u200B...` and `\u2060...`)
 - deterministic baseURL validation error ordering for multi-issue inputs (internal whitespace → protocol → query/hash → credentials)
 - explicit default `baseURL` behavior (`https://api.trigger.dev`) and case-insensitive `HTTP(S)` protocol acceptance
diff --git a/packages/ai/CHANGELOG.md b/packages/ai/CHANGELOG.md
@@ -27,6 +27,7 @@
 - Added explicit validation that `baseURL` excludes query parameters and hash fragments.
 - Added explicit validation that `baseURL` excludes username/password credentials.
 - Added explicit validation that `baseURL` excludes internal whitespace/invisible separator characters (including zero-width/BOM characters).
+- Clarified that invisible separator characters are rejected even when wrapped around an otherwise valid `baseURL`.
 - Documented that `HTTP://` and `HTTPS://` are accepted (case-insensitive protocol matching).
 - Added deterministic validation ordering for multi-issue baseURL values
   (internal whitespace → protocol → query/hash → credentials).
