SPIFFE: trust domain format not validated at startup

## Summary

The SPIFFE specification (§2.2) requires that a trust domain name is a valid DNS name with only lower-case characters. ZeroID reads \`wimse_domain\` from configuration at startup but does not validate that the value is a well-formed, lower-case DNS name before using it as the trust domain component in all issued SPIFFE IDs.

## Location

Server startup / configuration loading — wherever \`wimse_domain\` (or equivalent) is read from env/config.

## Impact

An uppercase, whitespace-containing, or otherwise malformed trust domain is silently propagated into every SPIFFE ID the server issues, producing globally invalid identifiers.

## Fix

At startup (or config load time), validate that the trust domain:
1. Is a valid DNS hostname (RFC 1123).
2. Contains only lower-case characters.
3. Does not contain a leading \`spiffe://\` prefix (a common misconfiguration).

Fail fast with a clear error if validation fails.

## Reference

- [SPIFFE spec §2.2](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE.md#22-trust-domain): "Trust domain names are defined by their corresponding authority … must be DNS names"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SPIFFE: trust domain format not validated at startup #47

Summary

Location

Impact

Fix

Reference

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

SPIFFE: trust domain format not validated at startup #47

Description

Summary

Location

Impact

Fix

Reference

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions