Fix #4270: Emit BCP180 error for nested getSecret() instead of crashing

[jiangmingzhe]

Previously, when getSecret() was used inside nested objects in module parameters (e.g., params: { config: { secret: kv.getSecret('x') } }), the compiler would crash with NotImplementedException during emit instead of validating the placement during semantic analysis.

This fix adds validation logic in FunctionPlacementValidatorVisitor to detect when getSecret() is nested inside object structures by:

• Walking up the syntax tree from the function call
• Counting ObjectSyntax nodes between the property and params boundary
• Allowing 0 levels of nesting for params, 1 for extensionConfigs
• Emitting BCP180 diagnostic for invalid nested cases

The ARM template schema only supports KeyVault references at the top parameter level (as { reference: {...} }), not nested within value objects, so this validation prevents generating invalid ARM templates.

Added comprehensive test coverage:

• Nested objects at various depths (2-3 levels)
• Nested objects in loops and ternary expressions
• Nested objects inside arrays
• All existing tests continue to pass (valid cases unaffected)

Fixes #4270

Description

Example Usage

Checklist

• I have read and adhere to the contribution guide.

Microsoft Reviewers: Open in CodeFlow

[shenglol]

Would looking up the property by name still work if the parameter or extension config contains an object that itself has a property named params or extensionConfigs? For example:

module foo 'foo.bicep' = {
  params: {
    myParam: {
      params: { // <-- this could be mistaken for the top-level `params` due to the name
      }
    }
  }
}

Maybe instead we can first locate the module declaration syntax and then use that to find the top-level params / extensionConfigs object within its body. If we go this route, I think we wouldn’t need to filter syntaxRecorder to get the target ancestors list above.