fix: resolve deadlock, data races and path traversal vulnerabilities

- task.go: fix deadlock in ToStatusUpdate() — calling Percent() (which
  RLocks) while already holding RLock caused deadlock when a writer was
  waiting; compute percent inline instead
- usenet.go: fix data race in Cancel() — tracker and taskDir were read
  without the mutex while Download() writes them under it; read all
  fields under the same lock
- upnp.go: fix UPnP Remove() blocking shutdown — run cleanup in goroutine
  with 10s deadline (removeNATPMP worst case is 3s dial + 5s deadline)
- daemon.go: add path traversal protection for stream requests — validate
  sr.FilePath is within configured directories before os.Stat; defends
  against compromised API server sending arbitrary paths
- client.go: add wakeClient without timeout for long-poll wake endpoint
  where context controls cancellation
- sync.go: trigger immediate sync when entering watching mode so stream
  requests are picked up without waiting for the next scheduled interval

internal/agent/sync.go

@@ -12,7 +12,8 @@ const (
 	// SyncIntervalWatching is the sync interval when someone is viewing the web UI.
 	SyncIntervalWatching = 3 * time.Second
 	// SyncIntervalIdle is the sync interval when nobody is watching.
-	SyncIntervalIdle = 60 * time.Second
+	// Keep this short enough to pick up stream requests quickly without hammering the server.
+	SyncIntervalIdle = 10 * time.Second
 )
 
 // SyncClient handles bidirectional state synchronization between the CLI and server.
@@ -68,6 +69,9 @@ func (sc *SyncClient) TriggerSync() {
 
 // Run starts the adaptive sync loop. Blocks until ctx is cancelled.
 func (sc *SyncClient) Run(ctx context.Context) error {
+	// Start wake listener in background — triggers immediate syncs on demand.
+	go sc.runWakeListener(ctx)
+
 	// Initial sync immediately
 	sc.doSync(ctx)
 
@@ -174,6 +178,38 @@ func (sc *SyncClient) processResponse(resp *SyncResponse) {
 	}
 }
 
+// runWakeListener holds a long-poll connection to /api/internal/agent/wake.
+// When the server resolves it with wake=true (e.g., a stream was requested),
+// it triggers an immediate sync so the CLI acts in <100ms instead of waiting
+// for the next scheduled interval. Reconnects immediately after each response
+// so coverage is continuous. Runs until ctx is cancelled.
+func (sc *SyncClient) runWakeListener(ctx context.Context) {
+	const retryDelay = 2 * time.Second
+	for {
+		if ctx.Err() != nil {
+			return
+		}
+		woke, err := sc.client.WaitForWake(ctx)
+		if ctx.Err() != nil {
+			return
+		}
+		if err != nil {
+			log.Printf("wake listener: %v (retrying in %s)", err, retryDelay)
+			select {
+			case <-ctx.Done():
+				return
+			case <-time.After(retryDelay):
+			}
+			continue
+		}
+		if woke {
+			log.Printf("wake signal received — syncing immediately")
+			sc.TriggerSync()
+		}
+		// On timeout (woke=false) or after a wake, reconnect immediately.
+	}
+}
+
 func (sc *SyncClient) adjustInterval(watching bool) {
 	prev := sc.watching.Load()
 	sc.watching.Store(watching)
@@ -189,6 +225,12 @@ func (sc *SyncClient) adjustInterval(watching bool) {
 		log.Printf("sync: interval=%s (watching=%v)", newInterval, watching)
 	}
 
+	// Trigger an immediate sync when entering watching mode so stream requests
+	// are picked up right away without waiting for the next scheduled interval.
+	if watching && !prev {
+		sc.TriggerSync()
+	}
+
 	if prev != watching && sc.OnWatchingChange != nil {
 		sc.OnWatchingChange(watching)
 	}