fix: reject duplicate env var keys with 400 instead of deduplicating

Replace deduplicateEnvPairs with validateEnvPairs that returns a 400
Bad Request error when duplicate keys are submitted, instead of
silently deduplicating (last wins).

Ref: #158

internal/handlers/handlers_test.go

@@ -664,15 +664,15 @@ func TestHandleEnvVarSaveEmptyKeyRejected(t *testing.T) {
 	assert.Equal(t, http.StatusBadRequest, recorder.Code)
 }
 
-// TestHandleEnvVarSaveDuplicateKeyDedup verifies that when the client
-// sends duplicate keys, the server deduplicates them (last wins).
-func TestHandleEnvVarSaveDuplicateKeyDedup(t *testing.T) {
+// TestHandleEnvVarSaveDuplicateKeyRejected verifies that when the client
+// sends duplicate keys, the server rejects them with 400 Bad Request.
+func TestHandleEnvVarSaveDuplicateKeyRejected(t *testing.T) {
 	t.Parallel()
 
 	testCtx := setupTestHandlers(t)
 	createdApp := createTestApp(t, testCtx, "envvar-dedup-app")
 
-	// Send two entries with the same key — last should win
+	// Send two entries with the same key — should be rejected
 	body := `[{"key":"FOO","value":"first"},{"key":"BAR","value":"bar"},{"key":"FOO","value":"second"}]`
 
 	r := chi.NewRouter()
@@ -688,21 +688,8 @@ func TestHandleEnvVarSaveDuplicateKeyDedup(t *testing.T) {
 	recorder := httptest.NewRecorder()
 	r.ServeHTTP(recorder, request)
 
-	assert.Equal(t, http.StatusOK, recorder.Code)
-
-	envVars, err := models.FindEnvVarsByAppID(
-		context.Background(), testCtx.database, createdApp.ID,
-	)
-	require.NoError(t, err)
-	assert.Len(t, envVars, 2, "duplicate key should be deduplicated")
-
-	keys := make(map[string]string)
-	for _, ev := range envVars {
-		keys[ev.Key] = ev.Value
-	}
-
-	assert.Equal(t, "second", keys["FOO"], "last occurrence should win")
-	assert.Equal(t, "bar", keys["BAR"])
+	assert.Equal(t, http.StatusBadRequest, recorder.Code)
+	assert.Contains(t, recorder.Body.String(), "duplicate environment variable key: FOO")
 }
 
 // TestHandleEnvVarSaveCrossAppIsolation verifies that posting env vars