fix: resolve deadlock, data races and path traversal vulnerabilities

- task.go: fix deadlock in ToStatusUpdate() — calling Percent() (which
  RLocks) while already holding RLock caused deadlock when a writer was
  waiting; compute percent inline instead
- usenet.go: fix data race in Cancel() — tracker and taskDir were read
  without the mutex while Download() writes them under it; read all
  fields under the same lock
- upnp.go: fix UPnP Remove() blocking shutdown — run cleanup in goroutine
  with 10s deadline (removeNATPMP worst case is 3s dial + 5s deadline)
- daemon.go: add path traversal protection for stream requests — validate
  sr.FilePath is within configured directories before os.Stat; defends
  against compromised API server sending arbitrary paths
- client.go: add wakeClient without timeout for long-poll wake endpoint
  where context controls cancellation
- sync.go: trigger immediate sync when entering watching mode so stream
  requests are picked up without waiting for the next scheduled interval

internal/engine/upnp.go

@@ -338,16 +338,28 @@ func localIPFor(host string) string {
 }
 
 // Remove deletes the port mapping from the router.
+// It runs in a goroutine with a 5-second deadline so it never blocks shutdown.
 func (m *UPnPMapping) Remove() {
 	if m == nil {
 		return
 	}
 
-	switch m.protocol {
-	case "natpmp":
-		m.removeNATPMP()
-	case "upnp":
-		m.removeUPnP()
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		switch m.protocol {
+		case "natpmp":
+			m.removeNATPMP()
+		case "upnp":
+			m.removeUPnP()
+		}
+	}()
+	select {
+	case <-done:
+	case <-time.After(10 * time.Second):
+		// removeNATPMP worst case: 3s dial + 5s natpmpMapPort deadline = 8s.
+		// 10s gives enough margin without blocking shutdown indefinitely.
+		log.Printf("stream: UPnP/NAT-PMP cleanup timed out after 10s — port %d may remain mapped", m.ExternalPort)
 	}
 }