feat: Add HMAC command auth, deauth flood detection, sign all tools

Firmware:
- HMAC-SHA256 command authentication (AUTH command, NVS persisted)
- Deauth flood detection with ring buffer and aggregate ALERT_DATA
- FLOODTHRESH command (count + window, NVS persisted)
- New STATUS fields: auth=on/off, flood_thresh=5/10
- mbedtls dependency in CMakeLists.txt, rx_buf increased to 192

Tools:
- esp-cmd/esp-fleet/esp-ota import sign_command from esp_ctl.auth
- Commands auto-signed when ESP_CMD_SECRET env var is set

Docs:
- CHEATSHEET: AUTH, FLOODTHRESH, HMAC auth, OUI, watch, osint sections
- TASKS: v1.3 completed section with all new features
user
2026-02-04 21:07:00 +01:00
parent 7ca58fee72
commit 2586234473
7 changed files with 495 additions and 55 deletions

@@ -4,6 +4,8 @@
import socket
import sys
from esp_ctl.auth import sign_command
DEFAULT_PORT = 5501
TIMEOUT = 2.0
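
Review bot: the new top-level `from esp_ctl.auth import sign_command` makes this script fail with ImportError at startup whenever the esp_ctl package is not importable, even for users who never set a secret. Either document esp_ctl as a requirement of the tool or import it lazily and keep the unsigned path working when the import fails and no secret is configured.
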
@@ -41,7 +43,7 @@ def main():
sys.exit(0 if sys.argv[1:] and sys.argv[1] in ("-h", "--help") else 2)
host = sys.argv[1]
cmd = " ".join(sys.argv[2:]).strip()
cmd = sign_command(" ".join(sys.argv[2:]).strip())
ip = resolve(host)
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
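
Review bot: in main(), `cmd = sign_command(" ".join(sys.argv[2:]).strip())` lengthens the datagram, and nothing visible in this hunk checks the signed length against the firmware receive buffer, which the commit message gives as 192. Suggest checking `len(cmd.encode())` after signing and exiting with a clear error rather than sending a command the sensor may not be able to receive whole. It would also help to reject an empty command before signing, since the join-and-strip result is passed straight to sign_command.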

@@ -7,6 +7,8 @@ import socket
import subprocess
import sys
from esp_ctl.auth import sign_command
DEFAULT_PORT = 5501
TIMEOUT = 2.0
@@ -41,6 +43,7 @@ Examples:
def query(name, host, cmd):
"""Send command to one sensor, return (name, reply_or_error)."""
cmd = sign_command(cmd)
try:
info = socket.getaddrinfo(host, DEFAULT_PORT, socket.AF_INET, socket.SOCK_DGRAM)
ip = info[0][4][0]
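
Review bot: in query(), `cmd = sign_command(cmd)` sits above the `try:`, so an exception raised while signing escapes the function instead of coming back as the (name, reply_or_error) result the docstring promises. Move the call inside the try block so a signing failure is reported per sensor like any other error.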

@@ -9,6 +9,8 @@ import sys
import threading
import time
from esp_ctl.auth import sign_command
DEFAULT_CMD_PORT = 5501
DEFAULT_HTTP_PORT = 8070
DEFAULT_FW = os.path.expanduser(
@@ -32,6 +34,7 @@ def resolve(host: str) -> str:
def udp_cmd(ip: str, cmd: str, timeout: float = TIMEOUT) -> str:
"""Send UDP command and return reply."""
cmd = sign_command(cmd)
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.settimeout(timeout)
try:
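
Review bot: udp_cmd() now signs every command it sends, but per the commit message signing only happens when ESP_CMD_SECRET is set, so an OTA run with the variable missing sends unsigned commands with no indication to the operator. For the OTA tool, suggest logging a warning once when the secret is absent, or adding an option that refuses to send unsigned. The docstring `"""Send UDP command and return reply."""` should also say that the command is signed before sending, and the lines here do not show whether sign_command adds a nonce or timestamp, which is worth stating in the docs for commands that trigger a firmware update.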