@djbqrex djbqrex commented Oct 7, 2025

Sps-Execution-Context ASCII constraints

What changed:

This update:

  • Tightens the Sps-Execution-Context guidance in the request-response spec. It specifically enforces a restricted ASCII-only character set for the header, limited to A-Z, a-z, 0-9, the underscore _, and the hyphen -.
  • Clarifies how the header should be passed to subsequent calls.

Why this matters:

The header drives dataflow context across services and, being a header, it is a user-defined value that is a common surface for log injection risks. Narrowing the allowed character set, keeping default-to-prod behavior, and ensuring the header value is echoed in responses help improve safety, testability, and consistency across the stack without broad API changes.

The changes stay documentation-only and are designed to minimize disruption while guiding developers and tools toward safer, predictable handling and propagation of the header.

Concerns:

Backwards compatibility is a concern and we need to ensure no use of the header in production today violates this new change. To do that we will advertise this change to relevant channels and gather feedback.

@djbqrex djbqrex self-assigned this Oct 7, 2025
@djbqrex djbqrex requested a review from a team as a code owner October 7, 2025 19:30
@travisgosselin
Member

A reminder: as this change goes in, we'll need to update the shared model for sps-execution-context: https://github.com/SPSCommerce/sps-api-design/blob/e6d6181cdafe0fee311c4bf1bf0ae75a6d8988f7/reusable-models/sps-api-standards/global.1.0.oas.yml#L244-L253
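
Added example, not part of this pull request or the spec it edits: one way a service could enforce the character set described above, default to prod, echo the value, and keep a forged log line out of its logs. The literal default `"prod"`, the choice to reject invalid values with a 400, the `handle` function and the sample headers are assumptions made for illustration.

```python
import re

HEADER = "Sps-Execution-Context"
DEFAULT_CONTEXT = "prod"  # assumption: literal value behind "default-to-prod"

# Allowed set from the PR description: A-Z, a-z, 0-9, underscore, hyphen.
_ALLOWED = re.compile(r"[A-Za-z0-9_-]+")


class InvalidExecutionContext(ValueError):
    """The header carries characters outside the allowed set."""


def resolve_execution_context(headers):
    """Return the validated context, or the default when the header is absent."""
    # HTTP header names are case-insensitive.
    lowered = {name.lower(): value for name, value in headers.items()}
    value = lowered.get(HEADER.lower())
    if value is None:
        return DEFAULT_CONTEXT
    # Use fullmatch, not match with '$': in Python '$' also matches just
    # before a trailing newline, so r"^[A-Za-z0-9_-]+$" would accept "prod\n".
    if not _ALLOWED.fullmatch(value):
        # Assumption: reject instead of silently falling back to the default.
        raise InvalidExecutionContext(HEADER + " has disallowed characters")
    return value


def handle(headers):
    """Hypothetical handler returning (status, response_headers, log_line)."""
    try:
        ctx = resolve_execution_context(headers)
    except InvalidExecutionContext:
        # Never write the rejected raw value into the log line.
        return 400, {}, "rejected request: invalid " + HEADER
    # Echo the validated value; the same dict can be sent on downstream calls.
    return 200, {HEADER: ctx}, "context=" + ctx + " msg=request accepted"


# Constructed sample: a value that tries to append a second log record.
FORGED = {HEADER: "test\ncontext=prod msg=forged entry"}

if __name__ == "__main__":
    for sample in ({}, {"sps-execution-context": "test_run-01"}, FORGED):
        print(handle(sample))
```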
