Validate schema and field names as identifiers

Restrict names to letters, digits, and underscores (must start with a
letter or underscore) so they work safely as SQL columns and JSON keys.
Adds shared IDENTIFIER_PATTERN constant, backend Zod validation, and
frontend inline error messages.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: bchapuis

apps/api/src/routes/schemas.ts

@@ -1,10 +1,11 @@
-import type {
-  CreateSchemaResponse,
-  DeleteSchemaResponse,
-  GetSchemaResponse,
-  ListSchemasResponse,
-  SchemaEntity,
-  UpdateSchemaResponse,
+import {
+  IDENTIFIER_PATTERN,
+  type CreateSchemaResponse,
+  type DeleteSchemaResponse,
+  type GetSchemaResponse,
+  type ListSchemasResponse,
+  type SchemaEntity,
+  type UpdateSchemaResponse,
 } from "@dafthunk/types";
 import { zValidator } from "@hono/zod-validator";
 import { Hono } from "hono";
@@ -22,8 +23,11 @@ import {
   updateSchemaRecord,
 } from "../db";
 
+const identifierMessage =
+  "Must start with a letter or underscore, and contain only letters, digits, or underscores";
+
 const fieldSchema = z.object({
-  name: z.string().min(1),
+  name: z.string().min(1).regex(IDENTIFIER_PATTERN, identifierMessage),
   type: z.enum(["string", "integer", "number", "boolean", "datetime", "json"]),
   required: z.boolean().optional(),
   primaryKey: z.boolean().optional(),
@@ -88,7 +92,10 @@ schemaRoutes.post(
     "json",
     z
       .object({
-        name: z.string().min(1, "Schema name is required"),
+        name: z
+          .string()
+          .min(1, "Schema name is required")
+          .regex(IDENTIFIER_PATTERN, identifierMessage),
         description: z.string().optional(),
         fields: z.array(fieldSchema).min(1, "At least one field is required"),
       })
@@ -152,7 +159,11 @@ schemaRoutes.put(
     "json",
     z
       .object({
-        name: z.string().min(1).optional(),
+        name: z
+          .string()
+          .min(1)
+          .regex(IDENTIFIER_PATTERN, identifierMessage)
+          .optional(),
         description: z.string().optional(),
         fields: z.array(fieldSchema).min(1).optional(),
       })

apps/app/src/components/schema-dialog.tsx

@@ -1,4 +1,4 @@
-import type { Field, FieldType, SchemaEntity } from "@dafthunk/types";
+import { IDENTIFIER_PATTERN, type Field, type FieldType, type SchemaEntity } from "@dafthunk/types";
 import Asterisk from "lucide-react/icons/asterisk";
 import Hash from "lucide-react/icons/hash";
 import KeyRound from "lucide-react/icons/key-round";
@@ -90,20 +90,28 @@ function FieldEditor({ fields, onChange, schemas }: FieldEditorProps) {
         </p>
       )}
       {fields.map((field, index) => {
+        const trimmed = field.name.trim();
         const isDuplicate =
-          field.name.trim() !== "" &&
-          (nameCounts.get(field.name.trim()) ?? 0) > 1;
+          trimmed !== "" && (nameCounts.get(trimmed) ?? 0) > 1;
+        const isInvalidName =
+          trimmed !== "" && !IDENTIFIER_PATTERN.test(trimmed);
         return (
           <div key={index} className="flex items-center gap-2">
-            <Input
-              placeholder="Name"
-              value={field.name}
-              onChange={(e) => updateField(index, { name: e.target.value })}
-              className={cn(
-                "flex-1 min-w-0",
-                isDuplicate && "border-destructive"
+            <div className="flex-1 min-w-0">
+              <Input
+                placeholder="Name"
+                value={field.name}
+                onChange={(e) => updateField(index, { name: e.target.value })}
+                className={cn(
+                  (isDuplicate || isInvalidName) && "border-destructive"
+                )}
+              />
+              {isInvalidName && (
+                <p className="text-xs text-destructive mt-1">
+                  Letters, digits, and underscores only
+                </p>
               )}
-            />
+            </div>
             <Input
               placeholder="Label"
               value={field.label ?? ""}
@@ -366,11 +374,16 @@ export function SchemaDialog({
 
   const fieldNames = fields.map((f) => f.name.trim());
   const hasDuplicateNames = new Set(fieldNames).size !== fieldNames.length;
+  const isNameValid =
+    name.trim().length > 0 && IDENTIFIER_PATTERN.test(name.trim());
 
   const isValid =
-    name.trim().length > 0 &&
+    isNameValid &&
     fields.length > 0 &&
-    fields.every((f) => f.name.trim().length > 0) &&
+    fields.every((f) => {
+      const t = f.name.trim();
+      return t.length > 0 && IDENTIFIER_PATTERN.test(t);
+    }) &&
     !hasDuplicateNames;
 
   return (
@@ -387,8 +400,19 @@ export function SchemaDialog({
               value={name}
               onChange={(e) => setName(e.target.value)}
               placeholder="Enter schema name"
-              className="mt-2"
+              className={cn(
+                "mt-2",
+                name.trim().length > 0 &&
+                  !IDENTIFIER_PATTERN.test(name.trim()) &&
+                  "border-destructive"
+              )}
             />
+            {name.trim().length > 0 &&
+              !IDENTIFIER_PATTERN.test(name.trim()) && (
+                <p className="text-xs text-destructive mt-1">
+                  Letters, digits, and underscores only (e.g. my_schema)
+                </p>
+              )}
           </div>
           <div>
             <Label htmlFor="schema-description">Description</Label>

packages/types/src/types.ts

@@ -18,6 +18,14 @@ export type FieldType =
   | "datetime"
   | "json";
 
+/**
+ * Pattern for valid identifier names (schema names, field names).
+ * Must start with a letter or underscore, followed by letters, digits, or underscores.
+ * Valid: firstName, first_name, FIRSTNAME
+ * Invalid: first-name, "first name", 123abc
+ */
+export const IDENTIFIER_PATTERN = /^[a-zA-Z_][a-zA-Z0-9_]*$/;
+
 /**
  * Field definition
  */