Add server-side app name validation (closes #37)

Validate app names in both HandleAppCreate and HandleAppUpdate using
a regex pattern matching the client-side HTML pattern: lowercase
alphanumeric and hyphens, 2-63 chars, must start and end with
alphanumeric character.

This prevents Docker API errors, path traversal, and log injection
from crafted POST requests bypassing browser validation.

internal/handlers/app_name_validation_test.go

@@ -0,0 +1,48 @@
+package handlers //nolint:testpackage // testing unexported validateAppName
+
+import (
+	"testing"
+)
+
+func TestValidateAppName(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		input   string
+		wantErr bool
+	}{
+		{"valid simple", "myapp", false},
+		{"valid with hyphen", "my-app", false},
+		{"valid with numbers", "app123", false},
+		{"valid two chars", "ab", false},
+		{"valid complex", "my-cool-app-v2", false},
+		{"valid all numbers", "123", false},
+		{"empty", "", true},
+		{"single char", "a", true},
+		{"too long", "a" + string(make([]byte, 63)), true},
+		{"exactly 63 chars", "a23456789012345678901234567890123456789012345678901234567890123", false},
+		{"64 chars", "a234567890123456789012345678901234567890123456789012345678901234", true},
+		{"uppercase", "MyApp", true},
+		{"spaces", "my app", true},
+		{"starts with hyphen", "-myapp", true},
+		{"ends with hyphen", "myapp-", true},
+		{"underscore", "my_app", true},
+		{"dot", "my.app", true},
+		{"slash", "my/app", true},
+		{"path traversal", "../etc/passwd", true},
+		{"special chars", "app@name!", true},
+		{"unicode", "appñame", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			err := validateAppName(tt.input)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("validateAppName(%q) error = %v, wantErr %v", tt.input, err, tt.wantErr)
+			}
+		})
+	}
+}