Problem
The name field in schema/spec-schema.json (line 7) only enforces minLength: 1:
"name": { "type": "string", "minLength": 1 }This accepts spaces, newlines, control characters, emoji, and other values that break directory creation and pyproject.toml generation. The CLI has ad-hoc guards for /, \, and leading . but those only run in certain code paths — the schema is the single source of truth.
Fix
Add a pattern constraint to the name property in schema/spec-schema.json. A reasonable pattern following PyPI/PEP 508 naming conventions:
"name": { "type": "string", "minLength": 1, "pattern": "^[a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?$" }The license field on line 10 already uses a pattern — this follows the same approach.
Tests
Add test cases in tests/test_spec.py covering:
- Valid names:
my-project, foo_bar, a, my.pkg
- Invalid names:
"", "has spaces", "../traversal", "-leading-dash", "trailing-", "new\nline"
Files to change
schema/spec-schema.jsontests/test_spec.py
Ref
DEBT.md item D3
Problem
The
namefield inschema/spec-schema.json(line 7) only enforcesminLength: 1:This accepts spaces, newlines, control characters, emoji, and other values that break directory creation and
pyproject.tomlgeneration. The CLI has ad-hoc guards for/,\, and leading.but those only run in certain code paths — the schema is the single source of truth.Fix
Add a
patternconstraint to thenameproperty inschema/spec-schema.json. A reasonable pattern following PyPI/PEP 508 naming conventions:The
licensefield on line 10 already uses a pattern — this follows the same approach.Tests
Add test cases in
tests/test_spec.pycovering:my-project,foo_bar,a,my.pkg"","has spaces","../traversal","-leading-dash","trailing-","new\nline"Files to change
schema/spec-schema.jsontests/test_spec.pyRef
DEBT.md item D3