fix(api): validate slug format on project creation

Reject slugs with special characters, spaces, or path separators.
Only lowercase letters, digits, and hyphens allowed (^[a-z0-9-]+$).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: chapterjason

packages/api/src/cli/create-project.js

@@ -9,6 +9,10 @@ if (!slug) {
   console.error("Usage: create-project <slug>");
   process.exit(1);
 }
+if (!/^[a-z0-9-]+$/.test(slug)) {
+  console.error(`Error: slug "${slug}" is invalid. Only lowercase letters, digits, and hyphens are allowed.`);
+  process.exit(1);
+}
 
 mkdirSync(API_DATA_DB_DIR, { recursive: true });
 const keys = loadApiKeys();