Fix input validation and error handling across API endpoints

- Deploy endpoint: validate appId, config, and subdomain before use (prevents 500 crash on empty body)
- Container ops: return 404 instead of 500 for non-existent containers
- Update-subdomain: require oldSubdomain/newSubdomain fields (prevents false 200 with undefined values)
- Global error handler: catch-all that never leaks stack traces or internal paths
- API 404 catch-all: return JSON instead of HTML for unmatched /api/* routes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

dashcaddy-api/server.js

@@ -1772,6 +1772,11 @@ app.get('/api/docs/spec', asyncHandler(async (req, res) => {
   }
 }, 'api-docs-spec'));
 
+// JSON 404 catch-all for unmatched API routes
+app.use('/api', (req, res) => {
+  res.status(404).json({ success: false, error: `Not found: ${req.method} ${req.path}` });
+});
+
 // Global error handler for typed errors
 app.use((err, req, res, next) => {
   if (err instanceof AppError) {
@@ -1789,7 +1794,10 @@ app.use((err, req, res, next) => {
       errors: err.errors || undefined
     });
   }
-  next(err);
+  // Catch-all: never leak stack traces or internal paths
+  const status = err.status || err.statusCode || 500;
+  log.error('server', 'Unhandled error', { error: err.message, path: req.path, method: req.method });
+  res.status(status).json({ success: false, error: status === 413 ? 'Request payload too large' : 'An internal error occurred' });
 });
 
 // Export app for testing