fix: resolve deadlock, data races and path traversal vulnerabilities

- task.go: fix deadlock in ToStatusUpdate() — calling Percent() (which
  RLocks) while already holding RLock caused deadlock when a writer was
  waiting; compute percent inline instead
- usenet.go: fix data race in Cancel() — tracker and taskDir were read
  without the mutex while Download() writes them under it; read all
  fields under the same lock
- upnp.go: fix UPnP Remove() blocking shutdown — run cleanup in goroutine
  with 10s deadline (removeNATPMP worst case is 3s dial + 5s deadline)
- daemon.go: add path traversal protection for stream requests — validate
  sr.FilePath is within configured directories before os.Stat; defends
  against compromised API server sending arbitrary paths
- client.go: add wakeClient without timeout for long-poll wake endpoint
  where context controls cancellation
- sync.go: trigger immediate sync when entering watching mode so stream
  requests are picked up without waiting for the next scheduled interval

internal/engine/task.go

@@ -207,10 +207,20 @@ func (t *Task) ToStatusUpdate() agent.StatusUpdate {
 		// StatusPending, StatusClaimed, StatusCancelled — not reported
 	}
 
+	// Compute percent inline — do NOT call t.Percent() here since we already hold RLock.
+	// Calling Percent() (which also RLocks) while holding RLock deadlocks when a writer is waiting.
+	percent := 0
+	if t.TotalBytes > 0 {
+		percent = int(float64(t.DownloadedBytes) / float64(t.TotalBytes) * 100)
+		if percent > 100 {
+			percent = 100
+		}
+	}
+
 	return agent.StatusUpdate{
 		TaskID:          t.ID,
 		Status:          apiStatus,
-		Progress:        t.Percent(),
+		Progress:        percent,
 		DownloadedBytes: t.DownloadedBytes,
 		TotalBytes:      t.TotalBytes,
 		SpeedBps:        t.SpeedBps,