feat: Serial console AUTH + NVS provisioning tool

- Add serial_task: UART console for AUTH management with physical access
  AUTH shows full secret, AUTH <secret> sets, AUTH OFF clears
- Add esp-provision tool: provision auth secret via serial or NVS flash
  Supports auto-generate, custom secrets, --serial and --generate-only
- Fix esp-ota uptime cache: avoid firmware rate limiter on consecutive
  udp_cmd calls by caching uptime_s for 3s

get-started/csi_recv_router/main/app_main.c

@@ -2553,6 +2553,68 @@ static int cmd_handle(const char *cmd, char *reply, size_t reply_size, bool auth
     return strlen(reply);
 }
 
+/* ── Serial console (UART0) — AUTH management with physical access ─── */
+
+static void serial_task(void *arg)
+{
+    char line[128];
+    ESP_LOGI(TAG, "Serial console ready (type HELP for commands)");
+
+    while (1) {
+        if (fgets(line, sizeof(line), stdin) == NULL) {
+            vTaskDelay(pdMS_TO_TICKS(100));
+            continue;
+        }
+
+        /* Trim trailing whitespace */
+        size_t len = strlen(line);
+        while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r' || line[len - 1] == ' '))
+            line[--len] = '\0';
+        if (len == 0) continue;
+
+        if (strcasecmp(line, "AUTH") == 0) {
+            if (s_auth_secret[0])
+                printf("OK AUTH on secret=%s\n", s_auth_secret);
+            else
+                printf("OK AUTH off\n");
+        } else if (strncasecmp(line, "AUTH ", 5) == 0) {
+            const char *arg = line + 5;
+            if (strcasecmp(arg, "OFF") == 0) {
+                s_auth_secret[0] = '\0';
+                config_erase_key("auth_secret");
+                printf("OK AUTH off (cleared)\n");
+            } else {
+                size_t alen = strlen(arg);
+                if (alen < 8 || alen > 64) {
+                    printf("ERR secret length 8-64 chars\n");
+                } else {
+                    strncpy(s_auth_secret, arg, sizeof(s_auth_secret) - 1);
+                    s_auth_secret[sizeof(s_auth_secret) - 1] = '\0';
+                    config_save_str("auth_secret", s_auth_secret);
+                    printf("OK AUTH on secret=%s\n", s_auth_secret);
+                }
+            }
+        } else if (strcasecmp(line, "STATUS") == 0) {
+            const esp_app_desc_t *desc = esp_app_get_description();
+            printf("OK hostname=%s uptime_s=%lld heap=%lu auth=%s version=%s\n",
+                   s_hostname,
+                   (long long)(esp_timer_get_time() / 1000000LL),
+                   (unsigned long)esp_get_free_heap_size(),
+                   s_auth_secret[0] ? "on" : "off",
+                   desc->version);
+        } else if (strcasecmp(line, "HELP") == 0) {
+            printf("Serial commands:\n"
+                   "  AUTH          Show auth secret\n"
+                   "  AUTH <secret> Set auth secret (8-64 chars)\n"
+                   "  AUTH OFF      Clear auth secret\n"
+                   "  STATUS        Show basic status\n"
+                   "  HELP          This help\n");
+        } else {
+            printf("ERR unknown serial command (type HELP)\n");
+        }
+    }
+}
+
 static void cmd_task(void *arg)
 {
     int sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
@@ -2782,6 +2844,7 @@ void app_main()
 
     xTaskCreate(cmd_task, "cmd_task", 6144, NULL, 5, NULL);
     xTaskCreate(adaptive_task, "adaptive", 3072, NULL, 3, NULL);
+    xTaskCreate(serial_task, "serial", 3072, NULL, 2, NULL);
 
     /* OTA rollback: mark firmware valid if we got this far */
     const esp_partition_t *running = esp_ota_get_running_partition();