Add input sanitization and stricter validation for agent/serviceId identifiers

[mikewheeleer]

Harden identifier validation for agent and serviceId fields

Description

agent and serviceId are validated only by length in src/index.ts (≤256 and ≤128 chars). They flow into the composite key ${agent}::${serviceId} (usageKey), into URL path params, into CSV exports, and into event payloads. An agent or serviceId containing ::, control characters, commas, or newlines can corrupt key parsing, CSV rows, and downstream consumers. This issue tightens the character set.

Requirements and context

• Repository scope: Agentpay-Org/Agentpay-backend only.
• Restrict agent and serviceId to a safe character class (e.g. [A-Za-z0-9._-]) and explicitly reject the :: separator so the composite key cannot be ambiguous.
• Apply the same validation consistently across POST /usage, POST /usage/bulk, POST /settle, POST /services, POST /services/bulk, and the path-param read routes.
• Reject control characters and whitespace-only values; return the standard 400 invalid_request shape.
• Preserve existing length caps.

Suggested execution

• Fork the repo and create a branch
• git checkout -b security/validation-21-identifier-sanitization
• Implement changes
  • Write code in: a shared isValidId helper and the affected handlers in src/index.ts.
  • Write comprehensive tests in: new src/identifiers.test.ts — reject ::, newlines, control chars; accept valid ids.
  • Add documentation: document the identifier rules in README.md.
  • Add TSDoc on the validation helper.
  • Validate security assumptions: no key ambiguity, no CSV row injection from ids.
• Test and commit

Test and commit

• Run npm run build, npm test, and npm run lint.
• Cover edge cases: id containing ::, id with newline, unicode control chars, max-length valid id.
• Include the full npm test output in the PR description.

Example commit message

security: enforce safe character set for agent and serviceId

Guidelines

• Minimum 95 percent test coverage for impacted modules.
• Clear, reviewer-focused documentation.
• Timeframe: 96 hours.

Community & contribution rewards

• 💬 Join the AgentPay community on Discord for questions, reviews, and faster merges: https://discord.gg/eXvRKkgcv
• ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.