fix: seven quick-win bug fixes across engine, server, TUI, CLI

1. Alertless monitors no longer spam error logs — triggerAlert
   returns early when alertID <= 0.

2. HTTP response body drained before close — enables connection
   reuse via keep-alive instead of fresh TCP+TLS per check.

3. /api/backup/export enforces GET — was the only endpoint
   accepting any HTTP method.

4. limitStr guards against max < 3 — prevents negative slice
   index panic on very narrow terminals.

5. Filter input accepts multibyte characters — len(msg.Runes)
   instead of len(msg.String()) for proper Unicode support.

6. Startup warning corrected — with no UPTOP_CLUSTER_SECRET,
   endpoints reject (401), not accept. Warning now says so.

7. UPTOP_KEYS file open failure logged — was silently swallowed,
   leaving operators with no admin seeded and no message.

internal/monitor/checker.go

@@ -3,6 +3,7 @@ package monitor
 import (
 	"context"
 	"fmt"
+	"io"
 	"net"
 	"net/http"
 	"strconv"
@@ -103,7 +104,10 @@ func runHTTPCheck(ctx context.Context, site models.SiteConfig, strict, insecure
 		result.ErrorReason = truncateError(err.Error(), maxErrorLength)
 		return result
 	}
-	defer resp.Body.Close()
+	defer func() {
+		_, _ = io.Copy(io.Discard, resp.Body)
+		_ = resp.Body.Close()
+	}()
 
 	result.StatusCode = resp.StatusCode
 	if !isCodeAccepted(resp.StatusCode, site.AcceptedCodes) {

internal/monitor/monitor.go

@@ -864,6 +864,9 @@ func (e *Engine) handleStatusChange(snap models.Site, rawStatus string, code int
 }
 
 func (e *Engine) triggerAlert(alertID int, title, message string) {
+	if alertID <= 0 {
+		return
+	}
 	cfg, err := e.db.GetAlert(context.Background(), alertID)
 	if err != nil {
 		e.AddLog(fmt.Sprintf("Failed to load alert config %d: %v", alertID, err))