fix: Allow spaces in account names and improve validation error messages [skip-version]

Fixes snipeship#50

- Updated account name validation pattern to allow spaces
- Added patternErrorMessage option to validateString function
- Added descriptive error message: "can only contain letters, numbers, spaces, hyphens, and underscores"
- Quoted account names in CLI command suggestions to prevent shell injection
- Applied fixes to all account creation handlers (OAuth, Zai, Minimax, NanoGPT, Anthropic-compatible, OpenAI-compatible, Vertex AI)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: tombii

packages/cli-commands/src/commands/token-health.ts

@@ -39,7 +39,7 @@ export function checkReauthNeeded(dbOps: DatabaseOperations): void {
 
 	console.log("\n🔧 Re-authentication commands:");
 	needsReauth.forEach((account) => {
-		console.log(`  bun run cli --reauthenticate ${account.name}`);
+		console.log(`  bun run cli --reauthenticate "${account.name}"`);
 	});
 
 	console.log("\n💡 Or run the health check for detailed information:");

packages/core/src/validation.ts

@@ -14,6 +14,7 @@ export function validateString(
 		minLength?: number;
 		maxLength?: number;
 		pattern?: RegExp;
+		patternErrorMessage?: string;
 		allowedValues?: readonly string[];
 		transform?: (value: string) => string;
 	} = {},
@@ -53,7 +54,10 @@ export function validateString(
 
 	// Validate pattern
 	if (options.pattern && !options.pattern.test(sanitized)) {
-		throw new ValidationError(`${field} has an invalid format`, field, value);
+		const errorMessage = options.patternErrorMessage
+			? `${field} ${options.patternErrorMessage}`
+			: `${field} has an invalid format`;
+		throw new ValidationError(errorMessage, field, value);
 	}
 
 	// Validate allowed values
@@ -327,9 +331,9 @@ export const patterns = {
 	uuid: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,
 	alphanumeric: /^[a-zA-Z0-9]+$/,
 	alphanumericWithSpaces: /^[a-zA-Z0-9\s]+$/,
-	// Account name: alphanumeric with hyphens and underscores only (safe for shell commands)
-	// Removed spaces, @, ., + to prevent command injection in CLI suggestions
-	accountName: /^[a-zA-Z0-9\-_]+$/,
+	// Account name: alphanumeric with spaces, hyphens, and underscores
+	// Spaces are allowed for better UX - CLI command suggestions will quote names properly
+	accountName: /^[a-zA-Z0-9\s\-_]+$/,
 	// Path pattern for API endpoints
 	apiPath: /^\/v1\/[a-zA-Z0-9\-_/]*$/,
 	// URL pattern

packages/http-api/src/handlers/accounts.ts

@@ -370,6 +370,8 @@ export function createAccountAddHandler(
 				minLength: 1,
 				maxLength: 100,
 				pattern: patterns.accountName,
+			patternErrorMessage:
+				"can only contain letters, numbers, spaces, hyphens, and underscores",
 				transform: sanitizers.trim,
 			});
 
@@ -616,6 +618,8 @@ export function createAccountRenameHandler(dbOps: DatabaseOperations) {
 				minLength: 1,
 				maxLength: 100,
 				pattern: patterns.accountName,
+			patternErrorMessage:
+				"can only contain letters, numbers, spaces, hyphens, and underscores",
 				transform: sanitizers.trim,
 			});
 
@@ -679,6 +683,8 @@ export function createZaiAccountAddHandler(dbOps: DatabaseOperations) {
 				minLength: 1,
 				maxLength: 100,
 				pattern: patterns.accountName,
+			patternErrorMessage:
+				"can only contain letters, numbers, spaces, hyphens, and underscores",
 				transform: sanitizers.trim,
 			});
 
@@ -834,6 +840,8 @@ export function createOpenAIAccountAddHandler(dbOps: DatabaseOperations) {
 				minLength: 1,
 				maxLength: 100,
 				pattern: patterns.accountName,
+			patternErrorMessage:
+				"can only contain letters, numbers, spaces, hyphens, and underscores",
 				transform: sanitizers.trim,
 			});
 
@@ -998,6 +1006,8 @@ export function createVertexAIAccountAddHandler(dbOps: DatabaseOperations) {
 				minLength: 1,
 				maxLength: 100,
 				pattern: patterns.accountName,
+			patternErrorMessage:
+				"can only contain letters, numbers, spaces, hyphens, and underscores",
 				transform: sanitizers.trim,
 			});
 
@@ -1137,6 +1147,8 @@ export function createMinimaxAccountAddHandler(dbOps: DatabaseOperations) {
 				minLength: 1,
 				maxLength: 100,
 				pattern: patterns.accountName,
+			patternErrorMessage:
+				"can only contain letters, numbers, spaces, hyphens, and underscores",
 				transform: sanitizers.trim,
 			});
 
@@ -1269,6 +1281,8 @@ export function createNanoGPTAccountAddHandler(dbOps: DatabaseOperations) {
 				minLength: 1,
 				maxLength: 100,
 				pattern: patterns.accountName,
+			patternErrorMessage:
+				"can only contain letters, numbers, spaces, hyphens, and underscores",
 				transform: sanitizers.trim,
 			});
 			if (!name) {
@@ -1440,6 +1454,8 @@ export function createAnthropicCompatibleAccountAddHandler(
 				minLength: 1,
 				maxLength: 100,
 				pattern: patterns.accountName,
+			patternErrorMessage:
+				"can only contain letters, numbers, spaces, hyphens, and underscores",
 				transform: sanitizers.trim,
 			});
 

packages/http-api/src/handlers/oauth.ts

@@ -26,6 +26,8 @@ export function createOAuthInitHandler(dbOps: DatabaseOperations) {
 				minLength: 1,
 				maxLength: 100,
 				pattern: patterns.accountName,
+			patternErrorMessage:
+				"can only contain letters, numbers, spaces, hyphens, and underscores",
 			});
 
 			if (!name) {