fix: resolve multiple bugs from code review #116

Fixes four issues identified in the community code review:

- Session persistence broken on Windows: session keys like
  "telegram:123456" contain ':', which is illegal in Windows
  filenames. filepath.Base() strips drive-letter prefixes on Windows,
  causing Save() to silently fail. Added sanitizeFilename() to
  replace invalid chars in the filename while keeping the original
  key in the JSON payload.

- HTTP client with no timeout: HTTPProvider used Timeout: 0 (infinite
  wait), which can hang the entire agent if an API endpoint becomes
  unresponsive. Set a 120s safety timeout.

- Slack AllowFrom type mismatch: SlackConfig used plain []string
  while every other channel uses FlexibleStringSlice, so numeric
  user IDs in Slack config would fail to parse.

- Token estimation wrong for CJK: estimateTokens() divided byte
  length by 4, but CJK characters are 3 bytes each, causing ~3x
  overestimation and premature summarization. Switched to
  utf8.RuneCountInString() / 3 for better cross-language accuracy.

Also added unit tests for the session filename sanitization.

Ref #116

pkg/providers/http_provider.go

@@ -15,6 +15,7 @@ import (
 	"net/http"
 	"net/url"
 	"strings"
+	"time"
 
 	"github.com/sipeed/picoclaw/pkg/auth"
 	"github.com/sipeed/picoclaw/pkg/config"
@@ -28,7 +29,7 @@ type HTTPProvider struct {
 
 func NewHTTPProvider(apiKey, apiBase, proxy string) *HTTPProvider {
 	client := &http.Client{
-		Timeout: 0,
+		Timeout: 120 * time.Second,
 	}
 
 	if proxy != "" {