feat: Add HMAC command auth, deauth flood detection, sign all tools

Firmware:
- HMAC-SHA256 command authentication (AUTH command, NVS persisted)
- Deauth flood detection with ring buffer and aggregate ALERT_DATA
- FLOODTHRESH command (count + window, NVS persisted)
- New STATUS fields: auth=on/off, flood_thresh=5/10
- mbedtls dependency in CMakeLists.txt, rx_buf increased to 192

Tools:
- esp-cmd/esp-fleet/esp-ota import sign_command from esp_ctl.auth
- Commands auto-signed when ESP_CMD_SECRET env var is set

Docs:
- CHEATSHEET: AUTH, FLOODTHRESH, HMAC auth, OUI, watch, osint sections
- TASKS: v1.3 completed section with all new features

tools/esp-cmd

@@ -4,6 +4,8 @@
 import socket
 import sys
 
+from esp_ctl.auth import sign_command
+
 DEFAULT_PORT = 5501
 TIMEOUT = 2.0
 
@@ -41,7 +43,7 @@ def main():
         sys.exit(0 if sys.argv[1:] and sys.argv[1] in ("-h", "--help") else 2)
 
     host = sys.argv[1]
-    cmd = " ".join(sys.argv[2:]).strip()
+    cmd = sign_command(" ".join(sys.argv[2:]).strip())
     ip = resolve(host)
 
     sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)