v0.6.1: Code review bugfixes — 7 correctness/safety/quality fixes

- Fix http.NotFound(w, nil) → pass actual request in handlers
- Fix dashboard running/stopped counts to match displayed stacks
- Fix Secure cookie blocking HTTP login (dynamic based on request)
- Remove misleading subtle.ConstantTimeCompare in session check
- Fix cleanupSessions goroutine leak (proper ticker + done channel)
- Add http.MaxBytesReader (1MB) to API POST endpoints
- Cache time.LoadLocation("Europe/Budapest") in template funcmap

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

controller/internal/api/router.go

@@ -188,6 +188,7 @@ func (r *Router) getDeployFields(w http.ResponseWriter, _ *http.Request, name st
 }
 
 func (r *Router) deployStack(w http.ResponseWriter, req *http.Request, name string) {
+	limitBody(w, req)
 	r.logger.Printf("[API] Deploy requested for stack: %s", name)
 
 	var body struct {
@@ -261,6 +262,7 @@ func (r *Router) actionStack(w http.ResponseWriter, action, name string) {
 }
 
 func (r *Router) updateOptionalConfig(w http.ResponseWriter, req *http.Request, name string) {
+	limitBody(w, req)
 	r.logger.Printf("[API] Optional config update requested for stack: %s", name)
 
 	var body struct {
@@ -306,6 +308,7 @@ func (r *Router) getStackHDDData(w http.ResponseWriter, _ *http.Request, name st
 }
 
 func (r *Router) deleteStack(w http.ResponseWriter, req *http.Request, name string) {
+	limitBody(w, req)
 	r.logger.Printf("[API] Delete requested for stack: %s", name)
 
 	var body struct {
@@ -585,3 +588,8 @@ func writeJSON(w http.ResponseWriter, status int, v interface{}) {
 		log.Printf("[ERROR] Failed to write JSON response: %v", err)
 	}
 }
+
+// limitBody wraps the request body with a size limit (default 1MB).
+func limitBody(w http.ResponseWriter, req *http.Request) {
+	req.Body = http.MaxBytesReader(w, req.Body, 1<<20) // 1MB
+}