Enhance handler name validation to enforce strict snake_case format

Author: GrantBirki

lib/hooks/core/config_validator.rb

@@ -125,8 +125,8 @@ def self.valid_handler_name?(handler_name)
         # Must not be empty or only whitespace
         return false if handler_name.strip.empty?
 
-        # Must match a safe pattern: alphanumeric + underscore, starting with lowercase
-        return false unless handler_name.match?(/\A[a-z][a-z0-9_]*\z/)
+        # Must match strict snake_case pattern: starts with lowercase, no trailing/consecutive underscores
+        return false unless handler_name.match?(/\A[a-z][a-z0-9]*(?:_[a-z0-9]+)*\z/)
 
         # Convert to PascalCase for security check (since DANGEROUS_CLASSES uses PascalCase)
         pascal_case_name = handler_name.split("_").map(&:capitalize).join("")

spec/unit/lib/hooks/core/config_validator_security_spec.rb

@@ -49,7 +49,10 @@
             { path: "/webhook", handler: "handler test" },      # spaces
             { path: "/webhook", handler: "handler\ntest" },     # newlines
             { path: "/webhook", handler: "handlerTest" },       # camelCase
-            { path: "/webhook", handler: "HandlerTest" }        # PascalCase
+            { path: "/webhook", handler: "HandlerTest" },       # PascalCase
+            { path: "/webhook", handler: "handler_" },          # trailing underscore
+            { path: "/webhook", handler: "my__handler" },       # consecutive underscores
+            { path: "/webhook", handler: "handler__test" }      # consecutive underscores in middle
           ]
 
           invalid_configs.each do |config|