Trawling the roundup code, the user class is just like any other class.
There is no special status/handling/choke points for the user class.

To do this I think I have to create an auditor on the user class to
validate the username. 

My plan was to allow the user to specify a regexp to validate the
attribute against (setting in tracker/config.ini).

(By default the regexp would allow all possible characters in an email
address so: rouilj-1+mya_ddr@users.example.com should be possible.
(I am also considering allowing % ! and $ in case there are uucp,
csnet or bitnet addresses out there 8-)).

However this is such a fundamental check, I wonder if I need to
implement it as a permanent auditor that is coded into hyperdb.py
or roundupdb.py somehow. I don't see any support for this type of
permanent auditor in existing code.

Also this idea kind of flies in the face of the requirement for the
trackers to define business logic. So you can cause roundup to
act weird is we get invalid chars into usernames

Anybody got a suggestion here?