I argue the opposite: there’s no better fix for this. You can write the most elegant fix, whatever it is, and prevent that from happening only on the codebase that’s fixed. That doesn’t mean that the codebase will always be the only authority on authentication.
The username policy fixes this issue for good, regardless of whatever you write in the future, or whatever new mechanism is introduced.
It’s a restriction for sure, but it’s not a nonsense restriction? Who would have a username starting with a hyphen? I didn’t even know it was possible until today.
> I argue the opposite: there’s no better fix for this
The better fix would be to not have the username pass through a parser looking for cli flags in the first place.