sanitize
Filesystem-segment-safe form of appName — spaces become underscores. Idempotent on already-safe input. Used to derive the per-app subdirectory under the active workspace.
Distinct from sanitizeAnalysisName (which also handles other unsafe characters) because app names are developer- controlled rather than user-controlled — the rule can be permissive.