
fix(project): allow spaces in All Projects search query#6902

Open
0xfandom wants to merge 1 commit into Infisical:main from 0xfandom:fix/project-search-name-rejects-spaces

Conversation

@0xfandom


Context

Fixes #5813.

In Organization → Projects → All Projects, searching with a normal multi-word name fails. The POST /api/v1/project/search endpoint validated the name filter with a character validator that only permitted alphanumeric characters and hyphens:

name: z
  .string()
  .trim()
  .refine((val) => characterValidator([CharacterType.AlphaNumeric, CharacterType.Hyphen])(val), {
    message: "Invalid pattern: only alphanumeric characters, - are allowed."
  })
  .optional()

Project names legitimately contain spaces (and other characters), so a search like My Project is rejected with a validation error before it reaches the query.

The charset restriction was redundant as a safety measure: in the DAL the term is matched with a parameterized whereILike whose %/_ wildcards are escaped via sanitizeSqlLikeString, so user input cannot break out of the LIKE pattern or inject SQL. This PR relaxes the filter to a trimmed string bounded at 255 characters — the same shape the identity search endpoint (/api/v2/identities/search) already uses for its name filter.

Steps to verify the change

  1. Create a project with a multi-word name, e.g. My Project.
  2. Go to Organization → Projects → All Projects.
  3. Search for My Project (with the space).
  4. Before: request fails with a validation error / no results. After: the matching project is returned.

Type

  • Fix

Checklist

  • Title follows the conventional commit format
  • Tested locally
  • Updated docs (if needed)
  • Updated CLAUDE.md files (if needed)
  • Read the contributing guide

The POST /project/search `name` filter restricted input to alphanumeric
characters and hyphens via a character validator. Project names legitimately
contain spaces (and other characters), so searching for a multi-word name
like "My Project" was rejected with a validation error before it ever
reached the query.

The validator was redundant for safety: the DAL matches the term with a
parameterized ILIKE whose wildcards are escaped via sanitizeSqlLikeString,
so user input cannot break out of the LIKE pattern. Relax the schema to a
trimmed string bounded at 255 chars, matching the identity search filter.
@greptile-apps

greptile-apps Bot commented Jun 17, 2026

Contributor

Greptile Summary

This PR relaxes the input validation on the name field of the POST /api/v1/project/search endpoint, removing a charset restriction (alphanumeric + hyphen only) that prevented multi-word project names from being searched. SQL injection safety is preserved in the DAL through sanitizeSqlLikeString (escapes %, _, and \ in the LIKE pattern) combined with Knex's parameterized whereILike.

  • The old validator rejected valid project names with spaces or other characters before they ever reached the database query.
  • The replacement — z.string().trim().max(255).optional() — bounds input length at 255 characters, matching the pattern used by the identity search endpoint.
  • No SSRF exposure: user input is only used as a LIKE filter argument and is never passed to a network call or URL.

Confidence Score: 5/5

Safe to merge — the change correctly removes a validator that blocked legitimate searches, and existing DAL-level protections (sanitizeSqlLikeString + parameterized query) are untouched.

The diff is a single-field schema change in a route handler. The downstream DAL already escapes LIKE wildcards with sanitizeSqlLikeString and uses Knex's parameterized whereILike, so relaxing the charset restriction doesn't weaken SQL safety. A 255-character max remains as a reasonable bound. No other validation, auth, or data paths are affected.

No files require special attention.

Important Files Changed

Filename: backend/src/server/routes/v1/project-router.ts
Overview: Removes the overly restrictive alphanumeric+hyphen charset validator on the project search name filter, replacing it with z.string().trim().max(255).optional(); SQL safety is already handled downstream via sanitizeSqlLikeString + parameterized whereILike in the DAL.

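As an added example that is not code from this PR or from Infisical: the "before" and "after" shapes of the name filter described above, modelled as plain TypeScript checks (no Zod), together with an assumed LIKE-wildcard escape in the spirit of the sanitizeSqlLikeString the DAL is said to use, and a toy ILIKE matcher that shows why escaping keeps user input literal even once spaces and other characters are allowed through. The names escapeLikeTerm, buildIlikeParam, ilikeMatch, validateNameOld and validateNameNew are invented for this example.

```typescript
// Added example (not Infisical's code): models the before/after shape of the
// `name` filter on POST /api/v1/project/search as plain TypeScript checks (no Zod),
// plus an assumed LIKE-wildcard escape in the spirit of the DAL's sanitizeSqlLikeString
// and a toy ILIKE matcher. escapeLikeTerm, buildIlikeParam, ilikeMatch and the
// validate* functions are names invented for this example.

interface ValidationResult {
  ok: boolean;
  value?: string;   // trimmed value when ok
  message?: string; // validation error when !ok
}

// Before the fix: only alphanumeric characters and hyphens pass.
function validateNameOld(input: string | undefined): ValidationResult {
  if (input === undefined) return { ok: true }; // .optional()
  const val = input.trim();
  if (!/^[A-Za-z0-9-]*$/.test(val)) {
    return { ok: false, message: "Invalid pattern: only alphanumeric characters, - are allowed." };
  }
  return { ok: true, value: val };
}

// After the fix: any trimmed string of at most 255 characters.
function validateNameNew(input: string | undefined): ValidationResult {
  if (input === undefined) return { ok: true };
  const val = input.trim();
  if (val.length > 255) {
    return { ok: false, message: "name must be at most 255 characters" };
  }
  return { ok: true, value: val };
}

// Assumed escape: prefix '\', '%' and '_' with a backslash so they match literally
// inside a LIKE/ILIKE pattern (the DAL's sanitizeSqlLikeString is described as doing this).
function escapeLikeTerm(term: string): string {
  return term.replace(/[\\%_]/g, (c) => `\\${c}`);
}

// The value the DAL would bind as the parameter of a whereILike-style call:
// wildcards around the escaped term give a substring match.
function buildIlikeParam(term: string): string {
  return `%${escapeLikeTerm(term)}%`;
}

function escapeRegex(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Toy case-insensitive LIKE matcher (constructed for the example, not a SQL engine):
// '%' = any run, '_' = any single char, backslash escapes the next character.
function ilikeMatch(pattern: string, text: string): boolean {
  let re = "";
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === "\\" && i + 1 < pattern.length) {
      re += escapeRegex(pattern[i + 1]);
      i++;
    } else if (c === "%") {
      re += ".*";
    } else if (c === "_") {
      re += ".";
    } else {
      re += escapeRegex(c);
    }
  }
  return new RegExp(`^${re}$`, "i").test(text);
}

// Stand-alone demonstration on constructed project names.
const projects = ["My Project", "my-project", "Revenue 100% done", "100 percent"];
for (const term of ["My Project", "100%"]) {
  console.log(`"${term}" -> old validator: ${validateNameOld(term).ok}, new validator: ${validateNameNew(term).ok}`);
  const param = buildIlikeParam(term);
  console.log(`bound param ${JSON.stringify(param)} matches:`, projects.filter((p) => ilikeMatch(param, p)));
}
```

The point to check when reviewing a change like this is the second half: with the charset restriction gone, the only thing keeping a term such as `100%` from matching every row is the escape applied before the value is bound, so that escape (not the schema) is what deserves a regression test.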



Successfully merging this pull request may close these issues.

All Projects search rejects project names containing spaces