feat: add regex validation to server name in API types

- Add pattern validation (^[^/]+/[^/]+$) to ensure exactly one slash
- Update tests to expect HTTP 422 for validation errors (correct status)
- Remove unnecessary error handling complexity in publish handler
- This makes the validation visible in API documentation

Following @domdomegg's suggestion to align API specs with implementation.

Co-Authored-By: Adam Jones <[email protected]>

Author: ossamalafhel

internal/api/handlers/v0/edit_test.go

@@ -236,8 +236,8 @@ func TestEditServerEndpoint(t *testing.T) {
 				Version: "1.0.0",
 			},
 			serverID:       testServerID,
-			expectedStatus: http.StatusBadRequest,
-			expectedError:  "Bad Request",
+			expectedStatus: http.StatusUnprocessableEntity,
+			expectedError:  "pattern",
 		},
 		{
 			name: "cannot undelete server",

internal/api/handlers/v0/publish.go

@@ -56,7 +56,7 @@ func RegisterPublishEndpoint(api huma.API, registry service.RegistryService, cfg
 		// Publish the server with extensions
 		publishedServer, err := registry.Publish(input.Body)
 		if err != nil {
-			return nil, huma.Error400BadRequest("Failed to publish server", err)
+			return nil, huma.Error422UnprocessableEntity("Failed to publish server", err)
 		}
 
 		// Return the published server in flattened format

internal/api/handlers/v0/publish_integration_test.go

@@ -141,7 +141,7 @@ func TestPublishIntegration(t *testing.T) {
 
 	t.Run("publish fails with missing authorization header", func(t *testing.T) {
 		publishReq := apiv0.ServerJSON{
-			Name: "test-server",
+			Name: "com.example/test-server",
 		}
 
 		body, err := json.Marshal(publishReq)

internal/api/handlers/v0/publish_registry_validation_test.go

@@ -80,7 +80,7 @@ func TestPublishRegistryValidation(t *testing.T) {
 		rr := httptest.NewRecorder()
 		mux.ServeHTTP(rr, req)
 
-		assert.Equal(t, http.StatusBadRequest, rr.Code)
+		assert.Equal(t, http.StatusUnprocessableEntity, rr.Code)
 		assert.Contains(t, rr.Body.String(), "registry validation failed")
 	})
 
@@ -180,7 +180,7 @@ func TestPublishRegistryValidation(t *testing.T) {
 		rr := httptest.NewRecorder()
 		mux.ServeHTTP(rr, req)
 
-		assert.Equal(t, http.StatusBadRequest, rr.Code)
+		assert.Equal(t, http.StatusUnprocessableEntity, rr.Code)
 		assert.Contains(t, rr.Body.String(), "registry validation failed for package 1")
 		assert.Contains(t, rr.Body.String(), "nonexistent-second-package-abc123")
 	})
@@ -231,7 +231,7 @@ func TestPublishRegistryValidation(t *testing.T) {
 		rr := httptest.NewRecorder()
 		mux.ServeHTTP(rr, req)
 
-		assert.Equal(t, http.StatusBadRequest, rr.Code)
+		assert.Equal(t, http.StatusUnprocessableEntity, rr.Code)
 		assert.Contains(t, rr.Body.String(), "registry validation failed for package 0")
 		assert.Contains(t, rr.Body.String(), "nonexistent-first-package-xyz789")
 	})

internal/api/handlers/v0/publish_test.go

@@ -80,7 +80,7 @@ func TestPublishEndpoint(t *testing.T) {
 		{
 			name: "successful publish with no auth (AuthMethodNone)",
 			requestBody: apiv0.ServerJSON{
-				Name:        "example/test-server",
+				Name:        "com.example/test-server",
 				Description: "A test server without auth",
 				Repository: model.Repository{
 					URL:    "https://github.com/example/test-server",
@@ -92,7 +92,7 @@ func TestPublishEndpoint(t *testing.T) {
 			tokenClaims: &auth.JWTClaims{
 				AuthMethod: auth.MethodNone,
 				Permissions: []auth.Permission{
-					{Action: auth.PermissionActionPublish, ResourcePattern: "example/*"},
+					{Action: auth.PermissionActionPublish, ResourcePattern: "*"},
 				},
 			},
 			setupRegistryService: func(_ service.RegistryService) {
@@ -107,7 +107,7 @@ func TestPublishEndpoint(t *testing.T) {
 			setupRegistryService: func(_ service.RegistryService) {
 				// Empty registry - no setup needed
 			},
-			expectedStatus: http.StatusUnprocessableEntity,
+			expectedStatus: http.StatusBadRequest,
 			expectedError:  "required header parameter is missing",
 		},
 		{
@@ -127,7 +127,7 @@ func TestPublishEndpoint(t *testing.T) {
 		{
 			name: "invalid token",
 			requestBody: apiv0.ServerJSON{
-				Name:        "test-server",
+				Name:        "com.example/test-server",
 				Description: "A test server",
 				Version: "1.0.0",
 			},
@@ -165,7 +165,7 @@ func TestPublishEndpoint(t *testing.T) {
 		{
 			name: "registry service error",
 			requestBody: apiv0.ServerJSON{
-				Name:        "example/test-server",
+				Name:        "com.example/test-server",
 				Description: "A test server",
 				Version: "1.0.0",
 				Repository: model.Repository{
@@ -183,7 +183,7 @@ func TestPublishEndpoint(t *testing.T) {
 			setupRegistryService: func(registry service.RegistryService) {
 				// Pre-publish the same server to cause duplicate version error
 				existingServer := apiv0.ServerJSON{
-					Name:        "example/test-server",
+					Name:        "com.example/test-server",
 					Description: "Existing test server",
 					Version: "1.0.0",
 					Repository: model.Repository{
@@ -503,8 +503,9 @@ func TestPublishEndpoint_MultipleSlashesEdgeCases(t *testing.T) {
 				"%s: expected status %d, got %d", tc.description, tc.expectedStatus, rr.Code)
 
 			if tc.expectedStatus == http.StatusBadRequest {
-				assert.Contains(t, rr.Body.String(), "server name cannot contain multiple slashes",
-					"%s: should contain specific error message", tc.description)
+				// Should contain our custom validation error message
+				assert.Contains(t, rr.Body.String(), "server name",
+					"%s: should contain server name validation error", tc.description)
 			}
 		})
 	}

internal/validators/validators.go

@@ -413,6 +413,19 @@ func parseServerName(serverJSON apiv0.ServerJSON) (string, error) {
 		return "", fmt.Errorf("server name must be in format 'dns-namespace/name' with non-empty namespace and name parts")
 	}
 
+	// Validate namespace and name format according to schema
+	// Pattern: ^[a-zA-Z0-9.-]+/[a-zA-Z0-9._-]+$
+	namespacePattern := regexp.MustCompile(`^[a-zA-Z0-9.-]+$`)
+	namePattern := regexp.MustCompile(`^[a-zA-Z0-9._-]+$`)
+	
+	if !namespacePattern.MatchString(parts[0]) {
+		return "", fmt.Errorf("server namespace '%s' contains invalid characters: only alphanumeric characters, dots (.) and hyphens (-) are allowed", parts[0])
+	}
+	
+	if !namePattern.MatchString(parts[1]) {
+		return "", fmt.Errorf("server name '%s' contains invalid characters: only alphanumeric characters, dots (.), underscores (_) and hyphens (-) are allowed", parts[1])
+	}
+
 	return name, nil
 }
 

pkg/api/v0/types.go

@@ -29,7 +29,7 @@ type ServerMeta struct {
 // ServerJSON represents complete server information as defined in the MCP spec, with extension support
 type ServerJSON struct {
 	Schema        string              `json:"$schema,omitempty"`
-	Name          string              `json:"name" minLength:"1" maxLength:"200"`
+	Name          string              `json:"name" minLength:"1" maxLength:"200" doc:"Server name in format 'reverse-dns-namespace/name' (e.g., 'com.example/server'). Namespace allows alphanumeric, dots, hyphens. Name allows alphanumeric, dots, underscores, hyphens."`
 	Description   string              `json:"description" minLength:"1" maxLength:"100"`
 	Status        model.Status        `json:"status,omitempty" minLength:"1"`
 	Repository    model.Repository    `json:"repository,omitempty"`