pub fn validate_agent_id_shape(agent_id: &str) -> Result<()>Expand description
Shape-only validation for an agent identifier — the pre-#977
behaviour, separated so internal callers that legitimately need to
load/generate keypairs with reserved-sentinel labels (e.g. the
daemon’s own self-signing keypair under
crate::identity::keypair::DAEMON_KEYPAIR_LABEL) can opt into
the looser check.
Allowed characters: alphanumeric plus _, -, :, @, ., /.
Length: 1..=128 bytes. Rejects whitespace, null bytes, control
chars, and shell metacharacters.
New callers SHOULD prefer validate_agent_id (the wire-side
function that ALSO rejects RESERVED_AGENT_IDS). Use this
shape-only entry point ONLY for internal paths that operate on
hardcoded-literal sentinels (the daemon’s keypair load + the
internal admin CallerContext::for_admin(...) construction sites);
every wire entry point (HTTP X-Agent-Id header, HTTP body
agent_id, MCP-tool agent_id input, CLI --as-agent) MUST go
through validate_agent_id instead.