feat: Add HMAC command auth, deauth flood detection, sign all tools

Firmware:
- HMAC-SHA256 command authentication (AUTH command, NVS persisted)
- Deauth flood detection with ring buffer and aggregate ALERT_DATA
- FLOODTHRESH command (count + window, NVS persisted)
- New STATUS fields: auth=on/off, flood_thresh=5/10
- mbedtls dependency in CMakeLists.txt, rx_buf increased to 192

Tools:
- esp-cmd/esp-fleet/esp-ota import sign_command from esp_ctl.auth
- Commands auto-signed when ESP_CMD_SECRET env var is set

Docs:
- CHEATSHEET: AUTH, FLOODTHRESH, HMAC auth, OUI, watch, osint sections
- TASKS: v1.3 completed section with all new features

tools/esp-fleet

@@ -7,6 +7,8 @@ import socket
 import subprocess
 import sys
 
+from esp_ctl.auth import sign_command
+
 DEFAULT_PORT = 5501
 TIMEOUT = 2.0
 
@@ -41,6 +43,7 @@ Examples:
 
 def query(name, host, cmd):
     """Send command to one sensor, return (name, reply_or_error)."""
+    cmd = sign_command(cmd)
     try:
         info = socket.getaddrinfo(host, DEFAULT_PORT, socket.AF_INET, socket.SOCK_DGRAM)
         ip = info[0][4][0]