Reject consecutive hyphen GitHub logins

[xiefuzheng713-alt]

Summary

• reject GitHub login values containing consecutive hyphens (--) anywhere the shared login shape is validated;
• apply the same rule to public account normalization, wallet/payout account normalization, treasury recipient filters, and deploy admin/accepted-labeler settings;
• add regressions for account API/page/MCP, activity account filtering, treasury to_account filtering, wallet registration, and deploy readiness.

Bounty #799
Source report: #798 (comment)

Evidence

The live public API currently accepts an uncreatable GitHub username shape as a normal GitHub ledger account:

GET https://api.mrwk.online/api/v1/accounts/github:a--b -> 200
GET https://api.mrwk.online/api/v1/activity?account=github%3Aa--b -> 200
GET https://api.mrwk.online/api/v1/treasury/proposals?status=pending&action=pay_bounty&to_account=github%3Aa--b -> 200

GitHub's public username validation rejects the same shape because usernames may contain only alphanumeric characters or single hyphens and cannot begin/end with a hyphen. Treating github:a--b as valid can mislead agents and contributors into routing account, activity, wallet-link, treasury-filter, or payout state through an impossible GitHub identity.

Duplicate/current check: historical PR #480 implemented the same direction but was closed unmerged because its old bounty path was closed or exhausted. This PR reapplies the focused fix against current origin/main and uses the current #799 implementation lane plus the fresh #798 source report.

Validation

• uv run --extra dev pytest tests/test_treasury_proposals.py::test_treasury_proposals_list_rejects_invalid_recipient_filter tests/test_account_validation.py::test_account_views_reject_consecutive_hyphen_github_login tests/test_activity.py::test_activity_query_rejects_control_characters tests/test_wallets.py::test_wallet_registration_rejects_consecutive_hyphen_github_login tests/test_deploy_readiness.py::test_deploy_readiness_rejects_consecutive_hyphen_admin_or_labeler_logins -q -> 8 passed, 1 warning
• uv run --extra dev pytest tests/test_account_validation.py tests/test_account_routes.py tests/test_activity.py tests/test_wallets.py tests/test_deploy_readiness.py tests/test_treasury_proposals.py -q -> 167 passed, 1 warning
• uv run --extra dev ruff check app/accounts.py app/config.py app/ledger/service.py tests/test_account_validation.py tests/test_activity.py tests/test_wallets.py tests/test_deploy_readiness.py tests/test_treasury_proposals.py -> passed
• uv run --extra dev ruff format --check app/accounts.py app/config.py app/ledger/service.py tests/test_account_validation.py tests/test_activity.py tests/test_wallets.py tests/test_deploy_readiness.py tests/test_treasury_proposals.py -> 8 files already formatted
• uv run --extra dev mypy app -> success
• uv run --extra dev python scripts/docs_smoke.py -> docs smoke ok
• git diff --check origin/main...HEAD -> clean
• git merge-tree --write-tree origin/main HEAD -> clean tree f649db024045832619b997f6b472c2d560e3bcec

Scope and Safety

No auth session behavior, wallet signatures, balances, ledger mutation, bounty lifecycle, proposal execution, payout execution, private data, secrets, bridge, exchange, cash-out, or price behavior is changed.

Summary by CodeRabbit

• Bug Fixes

  • Tightened GitHub login validation to reject usernames containing consecutive hyphens, improving acceptance accuracy across account, wallet, and settings flows.

• Tests

  • Added tests covering account endpoints, activity queries, wallet registration, deploy-readiness checks, and proposal filters to ensure invalid GitHub logins are consistently rejected.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 5c61df73-5c27-44de-ba86-0b29b95c2e50

📥 Commits

Reviewing files that changed from the base of the PR and between 39473db and 3cd1796.

📒 Files selected for processing (1)

• tests/test_treasury_proposals.py

---

📝 Walkthrough

Walkthrough

GITHUB_LOGIN_RE is tightened to reject logins containing consecutive hyphens (--) in three production files; tests were added or extended to verify rejection across account, activity, deploy settings, wallet registration, and treasury proposal filters.

Changes

GitHub login validation tightening

Layer / File(s)	Summary
GitHub login regex pattern updates app/config.py, app/accounts.py, app/ledger/service.py	GITHUB_LOGIN_RE is updated across three files to add a negative lookahead (?!.*--) that rejects consecutive hyphens while preserving lowercase/digit/hyphen character constraints and length limits.
Validation test coverage for consecutive-hyphen rejection tests/test_account_validation.py, tests/test_activity.py, tests/test_deploy_readiness.py, tests/test_wallets.py, tests/test_treasury_proposals.py	New test test_account_views_reject_consecutive_hyphen_github_login and other test additions/extensions assert github:a--b (and similar -- cases) are rejected with HTTP 400 or specific validation errors across API/page routes, activity queries, deploy settings validation, wallet registration, and treasury recipient-filter handling.

Possibly related PRs

• ramimbo/mergework#388: Introduced the original GITHUB_LOGIN_RE pattern in app/accounts.py; this PR tightens that pattern to reject consecutive hyphens.

🚥 Pre-merge checks | ✅ 6

✅ Passed checks (6 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and concretely names the main change: rejecting GitHub logins with consecutive hyphens, which is the core surface altered across the codebase.
Description check	✅ Passed	The description covers summary, evidence with examples and source references, validation with test results and tooling verification, and scope/safety notes. All required sections are present and substantive.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Mergework Public Artifact Hygiene	✅ Passed	No investment, price, cash-out, payout, or security claims found in modified code, tests, README, or comments; all artifacts describe MRWK appropriately.
Bounty Pr Focus	✅ Passed	PR correctly implements consecutive-hyphen rejection across all three GITHUB_LOGIN_RE definitions with focused test coverage matching stated objectives; no unrelated scope.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[akmhatey-ai]

Reviewed current head 3cd1796c481f5d09a3ef3d9e88022142a01ce7fa for Refs #643.

What I checked:

• inspected the shared GitHub login validation change in app/accounts.py, app/config.py, and app/ledger/service.py;
• checked the affected account, activity, treasury recipient-filter, wallet registration, and deploy-readiness tests;
• compared against the live source report on #798 and the historical PR #480: #480 was closed unmerged because its old bounty path was closed/exhausted, while #851 reapplies the same focused fix on current origin/main and adds activity plus treasury filter coverage;
• verified current production still accepts the impossible GitHub identity shape before this fix: account, activity, and treasury proposal filter endpoints all return HTTP 200 for github:a--b, while GitHub's signup check returns 422 for a--b;
• checked the three regex definitions are now identical, common valid logins such as a-b, a1, and a 39-character login still match, and a--b, leading-hyphen, and trailing-hyphen logins no longer match;
• checked wallet link/claim payload helpers reject a--b with invalid github login;
• confirmed the PR is open, non-draft, mergeStateStatus=CLEAN, mergeable=MERGEABLE, with hosted quality checks and CodeRabbit successful, and no prior human review existed on #851 before this review.

Validation I ran locally:

• PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --extra dev python -m pytest tests/test_treasury_proposals.py::test_treasury_proposals_list_rejects_invalid_recipient_filter tests/test_account_validation.py::test_account_views_reject_consecutive_hyphen_github_login tests/test_activity.py::test_activity_query_rejects_control_characters tests/test_wallets.py::test_wallet_registration_rejects_consecutive_hyphen_github_login tests/test_deploy_readiness.py::test_deploy_readiness_rejects_consecutive_hyphen_admin_or_labeler_logins -q -> 8 passed, 1 warning
• PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --extra dev python -m pytest tests/test_account_validation.py tests/test_account_routes.py tests/test_activity.py tests/test_wallets.py tests/test_deploy_readiness.py tests/test_treasury_proposals.py -q -> 167 passed, 1 warning
• uv run --extra dev ruff check app/accounts.py app/config.py app/ledger/service.py tests/test_account_validation.py tests/test_activity.py tests/test_wallets.py tests/test_deploy_readiness.py tests/test_treasury_proposals.py -> passed
• uv run --extra dev ruff format --check app/accounts.py app/config.py app/ledger/service.py tests/test_account_validation.py tests/test_activity.py tests/test_wallets.py tests/test_deploy_readiness.py tests/test_treasury_proposals.py -> 8 files already formatted
• uv run --extra dev mypy app -> success for 42 source files
• uv run --extra dev python scripts/docs_smoke.py -> docs smoke ok
• git merge-tree --write-tree origin/main HEAD -> clean tree bb33dcd5ebaf9e4ca9682b1893968ed03e94e4f3
• git diff --check origin/main...HEAD -> clean
• git diff origin/main...HEAD | gitleaks stdin --no-banner --redact -> no leaks found

I do not see a current-head blocker. No private data, credentials, wallet material, production mutation, payout/proof/ledger execution, exchange, bridge, cash-out, price behavior, or fabricated payout claims were used.

[aglichandrap]

Review evidence (head SHA: 3cd1796c481f):

• ✅ Regex change: GITHUB_LOGIN_RE updated from ^[a-z0-9](?:[a-z0-9-]{0,37}[a-z0-9])?$ to ^(?!.*--)[a-z0-9](?:[a-z0-9-]{0,37}[a-z0-9])?$ — negative lookahead for -- is correct.
• ✅ Consistency: Same regex applied in all 3 locations: app/accounts.py, app/config.py, app/ledger/service.py.
• ✅ Tests: 25 new lines testing github:a--b rejection across API, accepted-work page, HTML page, and MCP endpoint. Good coverage.
• ✅ Mergeable: state=clean, mergeable=True.
• ✅ Files touched: 8 files, +55/-3 — minimal, focused change.

No blockers found. Approve.