re.match() in preflight.py allows tokens with trailing or embedded garbage to pass validation

[ooloth]

Current state

loops/common/preflight.py (line 50) validates tokens or identifiers with re.match(). re.match() anchors only at the start of the string — it succeeds as soon as the pattern matches a prefix, regardless of what follows. A value like validtoken\nINJECTED or legit-id/../traversal passes the check because the initial characters satisfy the pattern. Any downstream code that trusts the validation result and uses the full string is exposed to values that the regex was intended to reject.

Ideal state

• All token and identifier validation uses re.fullmatch(), which requires the entire string to match the pattern
• No string with trailing characters, embedded newlines, or out-of-charset suffixes passes the validation gate

Starting points

• loops/common/preflight.py line 50 — the re.match() call

QA plan

1. Call the preflight check with "validprefix\nextra-garbage" — expect it passes today
2. After fix, repeat with the same value — expect it fails with a clear validation error
3. Call with a valid token — expect it still passes

Done when

Preflight validation uses re.fullmatch() and rejects any string that does not conform to the full expected pattern, including strings with trailing or embedded characters outside the charset.