fix: address code review findings for DNS management

- CRITICAL: Change DNS zones endpoint from GET to POST to avoid
  leaking API token in URL query parameters
- HIGH: Add sync.RWMutex to protect dnsProvider field in Server,
  Deployer, and proxy Manager against concurrent read/write races
- HIGH: Capture old DNS provider reference synchronously before
  launching background cleanup goroutine
- HIGH: Use getDNS()/getDNSProviderLocked() accessors instead of
  direct field reads in all DNS operations

scripts/dev-server.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# Start (or restart) the Docker Watcher dev server on port 8090.
+# Usage: ./scripts/dev-server.sh
+
+set -euo pipefail
+
+PORT="${LISTEN_ADDR:-:8090}"
+PORT_NUM="${PORT#:}"
+
+# Kill existing process on the port if any.
+PID=$(netstat -aon 2>/dev/null | grep ":${PORT_NUM}.*LISTEN" | awk '{print $5}' | head -1)
+if [ -n "$PID" ] && [ "$PID" != "0" ]; then
+    echo "Stopping existing process on port ${PORT_NUM} (PID ${PID})..."
+    taskkill //F //PID "$PID" 2>/dev/null || kill "$PID" 2>/dev/null || true
+    sleep 1
+fi
+
+# Generate a random encryption key if not set.
+export ENCRYPTION_KEY="${ENCRYPTION_KEY:-$(openssl rand -hex 32)}"
+export ADMIN_PASSWORD="${ADMIN_PASSWORD:-admin123}"
+export LISTEN_ADDR="${PORT}"
+
+echo "Starting Docker Watcher on http://localhost:${PORT_NUM}"
+echo "Login: admin / ${ADMIN_PASSWORD}"
+exec go run ./cmd/server