fix: remove dead DeleteEnvVarsByAppID and add empty-key 400 test

- Remove DeleteEnvVarsByAppID() which became dead code after
  ReplaceEnvVarsByAppID() was introduced (handles deletion internally
  within its transaction).
- Add TestHandleEnvVarSaveEmptyKeyRejected to verify that POSTing a
  JSON array with an empty key returns 400 Bad Request.

Addresses review advisories on PR #158.

internal/handlers/handlers_test.go

@@ -638,6 +638,32 @@ func TestHandleEnvVarSaveAppNotFound(t *testing.T) {
 	assert.Equal(t, http.StatusNotFound, recorder.Code)
 }
 
+// TestHandleEnvVarSaveEmptyKeyRejected verifies that submitting a JSON
+// array containing an entry with an empty key returns 400.
+func TestHandleEnvVarSaveEmptyKeyRejected(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+	createdApp := createTestApp(t, testCtx, "envvar-emptykey-app")
+
+	body := `[{"key":"VALID_KEY","value":"ok"},{"key":"","value":"bad"}]`
+
+	r := chi.NewRouter()
+	r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
+
+	request := httptest.NewRequest(
+		http.MethodPost,
+		"/apps/"+createdApp.ID+"/env",
+		strings.NewReader(body),
+	)
+	request.Header.Set("Content-Type", "application/json")
+
+	recorder := httptest.NewRecorder()
+	r.ServeHTTP(recorder, request)
+
+	assert.Equal(t, http.StatusBadRequest, recorder.Code)
+}
+
 // TestDeleteLabelOwnershipVerification tests that deleting a label
 // via another app's URL path returns 404 (IDOR prevention).
 func TestDeleteLabelOwnershipVerification(t *testing.T) {

internal/models/env_var.go

@@ -128,17 +128,6 @@ func FindEnvVarsByAppID(
 	return envVars, rows.Err()
 }
 
-// DeleteEnvVarsByAppID deletes all env vars for an app.
-func DeleteEnvVarsByAppID(
-	ctx context.Context,
-	db *database.Database,
-	appID string,
-) error {
-	_, err := db.Exec(ctx, "DELETE FROM app_env_vars WHERE app_id = ?", appID)
-
-	return err
-}
-
 // EnvVarPair is a key-value pair for bulk env var operations.
 type EnvVarPair struct {
 	Key   string