refactor: consolidate input validation into src/validate.rs (#305)

* refactor: consolidate input validation into src/validate.rs

Move scattered validation primitives (character allowlists, format
validators, injection detectors, container/Docker/DNS validators)
from engine.rs and compile/common.rs into a single validate.rs module.

- Move 5 is_valid_* allowlist functions from engine.rs
- Move is_valid_parameter_name, is_valid_env_var_name, is_safe_tool_name
  from compile/common.rs
- Move container/Docker/MCP validators from compile/common.rs
- Add shared predicates: contains_ado_expression, contains_pipeline_command,
  contains_newline, reject_pipeline_injection, validate_dns_domain
- Simplify validate_front_matter_identity (~70 → ~12 lines)
- Remove dead sanitize_light() from sanitize.rs

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address PR review feedback

- Remove misleading 're-export' and 'thin wrapper' comments from
  common.rs that no longer had corresponding code beneath them
- Restore explicit empty-key check in copilot_env() for a clearer
  error message ('empty key' vs generic 'not a valid env var name')

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: jamesadevine