Why this matters
The bug. Bash's [ (alias for test) is a regular command. It receives $USERNAME *after* word-splitting and globbing. "admin foo" becomes two arguments, "" becomes zero arguments, and = becomes ambiguous. Worst case: under set -euo pipefail, the [ failure aborts the script — but only after the deny branch was supposed to run, so the operational effect can range from 'script crashes' to 'wrong branch taken' depending on which token confuses the parser.
The fix. Always quote variables in [ … ] tests. Better yet, use [[ … ]] (Bash builtin) which performs no word-splitting inside.
Lint. shellcheck flags this as SC2086. Turn it on in CI.
Review heuristic
Read every schema definition asking: what's the smallest set of values this field actually means? If the schema admits more than that — wrong types, out-of-range numbers, extra unknown fields — the validation is leaky.
External reference: CWE-20: Improper Input Validation.
↳ shellcheck SC2086; CWE-20.