Address Codex review findings:
1. slash-http.ts: Token validation now rejects when commandTokens set is
empty (e.g. registration failure). Previously an empty set meant any
token was accepted — fail-open vulnerability.
2. slash-state.ts: Replaced global singleton with per-account state Map
keyed by accountId. Multi-account deployments no longer overwrite each
other's tokens, registered commands, or handlers. The HTTP route
dispatcher matches inbound tokens to the correct account.
3. monitor.ts: Updated getSlashCommandState/deactivateSlashCommands calls
to pass accountId.
fb720193d9