fix(types): allow ':' and '/' in snapshot names for OCI tag-aware refs

types/snapshot.go

@@ -20,8 +20,8 @@ type SnapshotConfig struct {
 
 // Validate checks SnapshotConfig caller-controlled fields. Empty Name is allowed (name is optional).
 func (cfg *SnapshotConfig) Validate() error {
-	if cfg.Name != "" && !validName.MatchString(cfg.Name) {
-		return fmt.Errorf("snapshot name %q is invalid: must match %s (max 63 chars)", cfg.Name, validName.String())
+	if cfg.Name != "" && !validSnapshotName.MatchString(cfg.Name) {
+		return fmt.Errorf("snapshot name %q is invalid: must match %s (max 63 chars)", cfg.Name, validSnapshotName.String())
 	}
 	return nil
 }

types/snapshot_test.go

@@ -14,11 +14,17 @@ func TestSnapshotConfig_Validate(t *testing.T) {
 		{"empty allowed", "", false},
 		{"simple", "my-snap", false},
 		{"with dot underscore", "my.snap_v1", false},
+		{"oci repo:tag", "namespace/repo:v1", false},
+		{"oci repo only", "namespace/repo", false},
+		{"colon only", "repo:tag", false},
 		{"max 63", strings.Repeat("a", 63), false},
 		{"over 63", strings.Repeat("a", 64), true},
 		{"leading hyphen", "-bad", true},
+		{"leading slash", "/bad", true},
+		{"leading colon", ":bad", true},
 		{"space", "bad name", true},
-		{"slash", "bad/name", true},
+		{"semicolon", "bad;rm", true},
+		{"backtick", "bad`name", true},
 		{"control char", "bad\x00name", true},
 	}
 	for _, tt := range cases {

types/vm.go

@@ -15,8 +15,9 @@ const (
 )
 
 var (
-	validName     = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9._-]{0,62}$`)
-	validUsername = regexp.MustCompile(`^[a-z_][a-z0-9_-]{0,31}$`)
+	validName         = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9._-]{0,62}$`)
+	validSnapshotName = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9._:/-]{0,62}$`)
+	validUsername     = regexp.MustCompile(`^[a-z_][a-z0-9_-]{0,31}$`)
 	// shellUnsafe rejects chars that break the chpasswd YAML scalar in cidata.
 	shellUnsafe = regexp.MustCompile("[`$;|&(){}\\\\<>!'\"\\x00-\\x1f\\x7f]")
 )