feat: dns compatible sentinel ids

pkg/db/queries/sentinel_update_available_replicas_and_health.sql

@@ -3,4 +3,4 @@ UPDATE sentinels SET
 available_replicas = sqlc.arg(available_replicas),
 health = sqlc.arg(health),
 updated_at = sqlc.arg(updated_at)
-WHERE k8s_name = sqlc.arg(k8s_name);
+WHERE id = sqlc.arg(sentinel_id);

pkg/db/schema.sql

@@ -566,7 +566,7 @@ CREATE TABLE `sentinels` (
 	`workspace_id` varchar(255) NOT NULL,
 	`project_id` varchar(255) NOT NULL,
 	`environment_id` varchar(255) NOT NULL,
-	`k8s_name` varchar(64) NOT NULL,
+	`k8s_name` varchar(64),
 	`k8s_address` varchar(255) NOT NULL,
 	`region` varchar(255) NOT NULL,
 	`image` varchar(255) NOT NULL,

pkg/uid/dns1035.go

@@ -1,38 +1,31 @@
 package uid
 
 import (
-	"math/rand/v2"
+	"fmt"
+	"regexp"
 	"strings"
 )
 
-const (
-	dns1035Alpha    = "abcdefghijklmnopqrstuvwxyz"
-	dns1035AlphaNum = dns1035Alpha + "0123456789"
-)
+var dns1035Pattern = regexp.MustCompile(`^[a-z][a-z0-9_]*$`)
 
-// DNS1035 generates a random string compliant with RFC 1035 DNS label rules.
-//
-// The first character is always a lowercase letter; subsequent characters are
-// lowercase letters or digits. Default length is 8 characters; pass a custom
-// length to override.
+// ToDNS1035 converts an identifier to DNS-1035 format by replacing underscores
+// with dashes. Returns an error if the input contains invalid characters.
 //
-// Uses math/rand/v2 which is NOT cryptographically secure.
-func DNS1035(length ...int) string {
-	n := 8
-	if len(length) > 0 {
-		n = length[0]
+// DNS-1035 labels must start with a lowercase letter and contain only lowercase
+// letters, digits, and dashes. Empty string returns empty string without error.
+func ToDNS1035(s string) (string, error) {
+	if s == "" {
+		return "", nil
 	}
 
-	if n == 0 {
-		return ""
-	}
-
-	var id strings.Builder
-	id.Grow(n)
-	id.WriteByte(dns1035Alpha[rand.IntN(len(dns1035Alpha))])
-	for i := 1; i < n; i++ {
-		id.WriteByte(dns1035AlphaNum[rand.IntN(len(dns1035AlphaNum))])
+	if !dns1035Pattern.MatchString(s) {
+		return "", fmt.Errorf("%s can not be converted to DNS1035", s)
 	}
+	return strings.ReplaceAll(s, "_", "-"), nil
+}
 
-	return id.String()
+// FromDNS1035 converts a DNS-1035 label back to identifier format by replacing
+// dashes with underscores. Does not validate the input.
+func FromDNS1035(s string) string {
+	return strings.ReplaceAll(s, "-", "_")
 }

pkg/uid/doc.go

@@ -1,30 +1,49 @@
 // Package uid generates prefixed random identifiers for Unkey resources.
 //
-// The package provides two main functions for generating random strings:
-// [New] for prefixed identifiers and [DNS1035] for DNS-compliant labels.
+// The package provides three generation functions: [DNS1035] and [New] for
+// fast, non-secure identifiers, and [Secure] for cryptographically secure
+// identifiers. Use [ToDNS1035] and [FromDNS1035] to convert between formats.
 //
 // # Security
 //
-// This package uses math/rand/v2 which is NOT cryptographically secure.
-// The generated identifiers are predictable and MUST NOT be used for
-// API keys, session tokens, or any security-sensitive purposes.
-// Use crypto/rand directly for those cases.
+// [DNS1035] and [New] use math/rand/v2 which is NOT cryptographically secure.
+// Generated identifiers are predictable. Use [Secure] for verification tokens,
+// API keys, or any security-sensitive purposes.
 //
 // # Usage
 //
+// Generate a DNS-1035 compliant label:
+//
+//	label := uid.DNS1035()      // "k3n5p8x2" (8 chars, starts with letter)
+//	label := uid.DNS1035(12)    // "a9k2n5p8x3m7"
+//
 // Generate a prefixed identifier:
 //
 //	id := uid.New(uid.KeyPrefix)      // "key_k3n5p8x2"
 //	id := uid.New(uid.APIPrefix, 12)  // "api_a9k2n5p8x3m7"
+//	id := uid.New("")                 // "k3n5p8x2" (no prefix)
 //
-// Generate a DNS-1035 compliant label:
+// Generate a secure identifier:
 //
-//	label := uid.DNS1035()    // "k3n5p8x2" (starts with letter)
-//	label := uid.DNS1035(12)  // "a9k2n5p8x3m7"
+//	token := uid.Secure()      // 24 chars, cryptographically secure
+//	token := uid.Secure(32)    // 32 chars
+//
+// Convert to DNS-1035 format:
+//
+//	label, err := uid.ToDNS1035("key_abc123")  // "key-abc123"
+//	id := uid.FromDNS1035("key-abc123")        // "key_abc123"
 //
 // # Prefixes
 //
-// Standard prefixes are defined as [Prefix] constants (KeyPrefix, APIPrefix,
-// WorkspacePrefix, etc.) to make IDs self-descriptive. See prefix.go for the
-// complete list.
+// Standard prefixes are defined as [Prefix] constants to make IDs
+// self-descriptive. See [KeyPrefix], [APIPrefix], [WorkspacePrefix], and
+// others in prefix.go.
+//
+// # Format
+//
+// All generated identifiers follow the same pattern: the first character is
+// always a lowercase letter (a-z), followed by alphanumeric characters (a-z,
+// 0-9). When a prefix is provided, it is joined with an underscore separator.
+// This ensures identifiers can be converted to valid DNS-1035 labels by
+// replacing underscores with dashes via [ToDNS1035].
 package uid