Why this matters

The bug. RegExp.test returns true if the pattern matches *anywhere* in the string. Without ^ and a clear end to the match, an attacker can put a URL pointing anywhere they want in front of the expected text, and the check still passes.

The fix. Anchor to the start with ^ and require either a path delimiter or end of string. Even better: use new URL() and check host === "api.bugdle.dev" && protocol === "https:".

Pattern recognition. Regex for security decisions = code review red flag.
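The bug and the fix described above, side by side, as an added example that is not code from the original page. The two regexes are assumed shapes of the unanchored and anchored checks, and evil.example and the sample URLs are constructed placeholders.

```javascript
// Added example: three ways to check that a URL targets api.bugdle.dev.
// Both regexes are assumed shapes of the bug and the fix, not the page's code.
const UNANCHORED = /https:\/\/api\.bugdle\.dev/;         // matches anywhere
const ANCHORED = /^https:\/\/api\.bugdle\.dev(?:\/|$)/;  // start + "/" or end

function checkUnanchored(input) { return UNANCHORED.test(input); }
function checkAnchored(input) { return ANCHORED.test(input); }

// Parse first, then compare the parsed components exactly.
function checkParsed(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return false; // not an absolute URL: reject
  }
  return url.protocol === "https:" && url.host === "api.bugdle.dev";
}

// Constructed sample inputs (evil.example is a placeholder host).
const SAMPLES = [
  "https://api.bugdle.dev/v1/items",
  "https://api.bugdle.dev",
  "https://evil.example/?next=https://api.bugdle.dev/",
  "https://api.bugdle.dev.evil.example/",
  "https://api.bugdle.dev@evil.example/",
  "http://api.bugdle.dev/v1/items",
  "https://api.bugdle.dev:443/v1/items",
  "https://api.bugdle.dev:8443/v1/items",
];

// One row per input with the verdict of each check.
function compare(samples = SAMPLES) {
  return samples.map((input) => ({
    input,
    unanchored: checkUnanchored(input),
    anchored: checkAnchored(input),
    parsed: checkParsed(input),
  }));
}

console.table(compare());
```

The :443 row is accepted only by checkParsed because the URL parser drops the default port, while the :8443 row is rejected because host includes a non-default port. Compare hostname instead of host only if any port on that server should be accepted.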

Review heuristic

Read every schema definition asking: what's the smallest set of values this field actually means? If the schema admits more than that — wrong types, out-of-range numbers, extra unknown fields — the validation is leaky.

External reference: CWE-20: Improper Input Validation.