fix: 代码审查修复 — 安全、性能和正确性

- triggersApi: 添加 assertSubscriptionBaseUrl 防止 OAuth token 泄露
- claude.ts: 修复流式响应 O(n^2) 字符串拼接，改用数组累积
- claude.ts: 移除未使用的 import，动态 import 改为静态 import
- StatusLine: BuiltinStatusLine 仅在 statusLineEnabled 时显示，修复双行问题
- local-vault: 修复 --reveal 标志位置解析 bug
- share: 修复 sk-proj-* OpenAI 密钥未脱敏问题
- store.ts: 临时文件改用同目录创建，避免跨文件系统 rename 失败
- store.ts: 添加空字符串 key 校验
- permissionValidation: 端口正则限制为有效 TCP 范围 0-65535
- 测试 mock 补全: schedule/vault/skill-store 测试文件
- 移除过期的 biome-ignore 注释

Co-Authored-By: glm-5-turbo <zai-org@claude-code-best.win>

tests/mocks/axios.ts

@@ -40,7 +40,6 @@ import { mock } from 'bun:test'
 // triggers TS2322 (parameter type contravariance). The biome rule that
 // disallows `any` here is already disabled project-wide, so plain `any` is
 // the correct escape hatch for an internal test-only union.
-// biome-ignore lint/suspicious/noExplicitAny: see comment above
 type AnyFn = (...args: any[]) => unknown
 
 export type AxiosMethodStubs = {