Validate coder_app URL field to require a parseable scheme #483

@blinkagent

Part of coder/coder#22349

Problem

The url field on the coder_app resource has no validation (unlike icon, which uses helpers.ValidateURL). This allows template authors to specify invalid URLs like bare strings (e.g. url = "my-repo"), which are accepted by Go's permissive url.Parse() but crash the Coder frontend when JavaScript's stricter new URL() constructor encounters them.

Context

  • Go's url.Parse("my-repo") succeeds — it treats it as a relative URL
  • JavaScript's new URL("my-repo") throws TypeError: Invalid URL — it requires an absolute URL with a scheme
  • The existing helpers.ValidateURL also uses url.Parse and would not catch this class of bug

Proposed Fix

Add validation to the url field that ensures the value would be parseable in a browser/JavaScript context:

  1. When external = true: The URL must contain a scheme (e.g. http://, https://, vscode://, jetbrains-gateway://, etc.). A bare string or relative path should be rejected.
  2. When external = false: The URL is proxied internally and should follow the http://localhost:PORT[/SUBPATH] pattern. Relative URLs without a scheme should still be accepted here since they're resolved server-side.

The validation should go beyond url.Parse — at minimum, check that url.Parse(val).Scheme is non-empty for external apps. Consider also validating against the set of known/allowed protocols if appropriate.

This is a breaking change for templates that currently have invalid URLs, so it may warrant a deprecation warning period or a terraform plan diagnostic rather than a hard error.


Created on behalf of @angrycub
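
The proposed check, sketched in Go as an added example that is not part of the issue or the provider's code. The name validateAppURL and its allowed parameter are hypothetical, and the allowlist in main reuses the schemes the issue mentions as examples.

```go
package main

import (
	"fmt"
	"net/url"
)

// validateAppURL is a hypothetical helper for this example, not provider code.
// allowed is an optional scheme allowlist; nil or empty disables that check.
func validateAppURL(raw string, external bool, allowed []string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("url %q does not parse: %w", raw, err)
	}
	if !external {
		// Proxied apps: relative values are resolved server-side, so accept them.
		return nil
	}
	if u.Scheme == "" {
		// url.Parse accepted a relative reference; new URL() in a browser would throw.
		return fmt.Errorf("external url %q has no scheme (expected e.g. https://...)", raw)
	}
	if len(allowed) == 0 {
		return nil
	}
	for _, s := range allowed {
		if u.Scheme == s { // url.Parse lowercases Scheme, so compare lowercase
			return nil
		}
	}
	return fmt.Errorf("external url %q uses scheme %q, which is not in the allowlist", raw, u.Scheme)
}

func main() {
	// Constructed sample values for illustration.
	allowed := []string{"http", "https", "vscode", "jetbrains-gateway"}
	samples := []string{"my-repo", "https://example.com/repo", "vscode://open", "ftp://files.example.com/x"}
	for _, raw := range samples {
		fmt.Printf("%-30q external=true  -> %v\n", raw, validateAppURL(raw, true, allowed))
	}
	fmt.Printf("%-30q external=false -> %v\n", "my-repo", validateAppURL("my-repo", false, nil))
}
```

To start with a warning period instead of a hard error, the same function can feed a warning-level plan diagnostic.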
