Add server-side app name validation (closes #37)

Validate app names in both HandleAppCreate and HandleAppUpdate using
a regex pattern matching the client-side HTML pattern: lowercase
alphanumeric and hyphens, 2-63 chars, must start and end with
alphanumeric character.

This prevents Docker API errors, path traversal, and log injection
from crafted POST requests bypassing browser validation.

internal/handlers/app_name_validation.go

@@ -0,0 +1,44 @@
+package handlers
+
+import (
+	"errors"
+	"regexp"
+	"strconv"
+)
+
+const (
+	// appNameMinLength is the minimum allowed length for an app name.
+	appNameMinLength = 2
+	// appNameMaxLength is the maximum allowed length for an app name.
+	appNameMaxLength = 63
+)
+
+// validAppNameRe matches names containing only lowercase alphanumeric characters and
+// hyphens, starting and ending with an alphanumeric character.
+var validAppNameRe = regexp.MustCompile(`^[a-z0-9][a-z0-9-]*[a-z0-9]$`)
+
+// validateAppName checks that the given app name is safe for use in Docker
+// container names, image tags, and file system paths.
+var (
+	errAppNameLength = errors.New(
+		"app name must be between " +
+			strconv.Itoa(appNameMinLength) + " and " +
+			strconv.Itoa(appNameMaxLength) + " characters",
+	)
+	errAppNamePattern = errors.New(
+		"app name must contain only lowercase letters, numbers, " +
+			"and hyphens, and must start and end with a letter or number",
+	)
+)
+
+func validateAppName(name string) error {
+	if len(name) < appNameMinLength || len(name) > appNameMaxLength {
+		return errAppNameLength
+	}
+
+	if !validAppNameRe.MatchString(name) {
+		return errAppNamePattern
+	}
+
+	return nil
+}