feat: Add HMAC command auth, deauth flood detection, sign all tools

Firmware:
- HMAC-SHA256 command authentication (AUTH command, NVS persisted)
- Deauth flood detection with ring buffer and aggregate ALERT_DATA
- FLOODTHRESH command (count + window, NVS persisted)
- New STATUS fields: auth=on/off, flood_thresh=5/10
- mbedtls dependency in CMakeLists.txt, rx_buf increased to 192

Tools:
- esp-cmd/esp-fleet/esp-ota import sign_command from esp_ctl.auth
- Commands auto-signed when ESP_CMD_SECRET env var is set

Docs:
- CHEATSHEET: AUTH, FLOODTHRESH, HMAC auth, OUI, watch, osint sections
- TASKS: v1.3 completed section with all new features

TASKS.md

@@ -2,17 +2,42 @@
 
 **Last Updated:** 2026-02-04
 
-## Current Sprint: v1.1 - Passive Sensing & Multi-Sensor
+## Current Sprint: v1.3 - OSINT & Fleet Ops
 
 ### P2 - Normal
 - [ ] Multi-sensor BLE correlation in esp-ctl (zone tracking)
 - [ ] Test OTA rollback (flash bad firmware, verify auto-revert)
+- [ ] Create HA webhook automations for deauth_flood / unknown_probe
 
 ### P3 - Low
 - [ ] Document esp-crab dual-antenna capabilities
 - [ ] Document esp-radar console features
 - [ ] Pin mapping for ESP32-DevKitC V1
 
+## Completed: v1.3 - Security & OSINT
+
+- [x] HMAC command authentication (firmware + esp-ctl/esp-cmd/esp-fleet/esp-ota)
+- [x] AUTH command (set/query/disable secret, NVS persisted)
+- [x] auth=on/off in STATUS
+- [x] Deauth flood detection (ring buffer, aggregate ALERT_DATA)
+- [x] FLOODTHRESH command (count + window, NVS persisted)
+- [x] flood_thresh field in STATUS
+- [x] MAC OUI vendor lookup (`esp-ctl oui`, IEEE CSV database)
+- [x] OSINT SQLite database (probe_ssids, device_sightings tables)
+- [x] Watch daemon (`esp-ctl watch` — listen + enrich + store)
+- [x] OSINT query CLI (`esp-ctl osint probes/devices/mac/stats`)
+- [x] Home Assistant webhook integration (deauth_flood, unknown_probe, unknown_ble)
+- [x] Watch config file (`~/.config/esp-ctl/watch.yaml`)
+
+## Completed: v1.2
+
+- [x] On-device CSI feature extraction (amp_rms, amp_std, amp_max, amp_max_idx, energy)
+- [x] CSIMODE command: RAW, COMPACT, HYBRID N (NVS persisted)
+- [x] Compact payload format `"F:rms,std,max,idx,energy"` (~80% bandwidth reduction)
+- [x] Hybrid mode: compact every packet, raw every Nth
+- [x] STATUS fields: csi_mode, hybrid_n
+- [x] Adaptive sampling reuses extracted energy (no duplicate computation in COMPACT/HYBRID)
+
 ## Completed: v1.1
 
 - [x] Sensor ID in data packets (hostname prefix on CSI_DATA, BLE_DATA, EVENT)
@@ -98,10 +123,10 @@
 ## Notes
 
 - Adaptive threshold varies by environment; 0.001-0.01 is a good starting range
-- NVS keys: `send_rate`, `tx_power`, `adaptive`, `threshold`, `ble_scan`, `target_ip`, `target_port`, `hostname`, `boot_count`
+- NVS keys: `send_rate`, `tx_power`, `adaptive`, `threshold`, `ble_scan`, `target_ip`, `target_port`, `hostname`, `boot_count`, `csi_mode`, `hybrid_n`, `auth_secret`, `flood_thresh`, `flood_window`
 - EVENT packets now include sensor hostname: `EVENT,<hostname>,motion=... rate=... wander=...`
-- ALERT_DATA format: `ALERT_DATA,<hostname>,<deauth|disassoc>,<sender_mac>,<target_mac>,<rssi>`
-- STATUS fields: `uptime=`, `uptime_s=`, `heap=`, `rssi=`, `channel=`, `tx_power=`, `rate=`, `csi_rate=`, `hostname=`, `version=`, `adaptive=`, `motion=`, `ble=`, `target=`, `temp=`, `csi_count=`, `boots=`, `rssi_min=`, `rssi_max=`
+- ALERT_DATA format: `ALERT_DATA,<hostname>,<deauth|disassoc>,<sender_mac>,<target_mac>,<rssi>` or `ALERT_DATA,<hostname>,deauth_flood,<count>,<window_s>`
+- STATUS fields: `uptime=`, `uptime_s=`, `heap=`, `rssi=`, `channel=`, `tx_power=`, `rate=`, `csi_rate=`, `hostname=`, `version=`, `adaptive=`, `motion=`, `ble=`, `target=`, `temp=`, `csi_count=`, `boots=`, `rssi_min=`, `rssi_max=`, `csi_mode=`, `hybrid_n=`, `auth=`, `flood_thresh=`
 - PROBE_DATA format: `PROBE_DATA,<hostname>,<mac>,<rssi>,<ssid>`
 - Probe requests deduped per MAC (default 10s cooldown, tunable via PROBERATE)
 - mDNS service: `_esp-csi._udp` on data port (for sensor discovery)