fix: use $.CSRFField in dashboard template range loop (closes #146)

Inside the {{range .AppStats}} block, the dot context is *AppStats,
not the root template data. Use $ to access the root-level CSRFField
added by addGlobals.

go.mod

@@ -19,7 +19,6 @@ require (
 	github.com/stretchr/testify v1.11.1
 	go.uber.org/fx v1.24.0
 	golang.org/x/crypto v0.46.0
-	golang.org/x/time v0.12.0
 )
 
 require (
@@ -75,6 +74,7 @@ require (
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/sys v0.39.0 // indirect
 	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/time v0.12.0 // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gotest.tools/v3 v3.5.2 // indirect

internal/handlers/handlers_test.go

@@ -405,12 +405,13 @@ func TestHandleDashboard(t *testing.T) {
 		assert.Contains(t, recorder.Body.String(), "Applications")
 	})
 
-	t.Run("renders dashboard with apps without crashing on CSRFField", func(t *testing.T) {
+	t.Run("renders dashboard with apps without CSRFField error", func(t *testing.T) {
 		t.Parallel()
 
 		testCtx := setupTestHandlers(t)
 
-		// Create an app so the template iterates over AppStats and hits .CSRFField
+		// Create an app so the range loop in dashboard.html executes,
+		// which triggers .CSRFField access on each AppStats item.
 		createTestApp(t, testCtx, "csrf-test-app")
 
 		request := httptest.NewRequest(http.MethodGet, "/", nil)
@@ -419,8 +420,7 @@ func TestHandleDashboard(t *testing.T) {
 		handler := testCtx.handlers.HandleDashboard()
 		handler.ServeHTTP(recorder, request)
 
-		assert.Equal(t, http.StatusOK, recorder.Code,
-			"dashboard should not 500 when apps exist (CSRFField must be accessible)")
+		assert.Equal(t, http.StatusOK, recorder.Code, "dashboard should render without template error")
 		assert.Contains(t, recorder.Body.String(), "csrf-test-app")
 	})
 }