Add HMAC-SHA256 API authentication to board drivers and edit UI

- Both olimex_esp32_c6_evb and olimex_esp32_c6_evb_pn532 drivers now
  sign every API request with X-Request-Time / X-Request-Sig headers
  using HMAC-SHA256(api_secret, METHOD:path:unix_timestamp)
- Board model gains api_secret column (nullable, default None)
- boards.py edit route saves api_secret from form
- edit.html adds API Secret input with cryptographic Generate button
- If api_secret is empty/None, headers are omitted (backward compat)

app/templates/boards/edit.html

@@ -76,6 +76,21 @@
         {% endfor %}
       </div>
 
+      <!-- API Security -->
+      <h6 class="text-secondary mb-3 text-uppercase small fw-semibold">API Security</h6>
+      <div class="mb-4">
+        <label class="form-label">API Secret <span class="text-secondary small">(HMAC-SHA256 shared secret)</span></label>
+        <div class="input-group">
+          <input type="text" name="api_secret" id="api-secret-input" class="form-control font-monospace"
+                 placeholder="Leave empty to disable API authentication"
+                 value="{{ board.api_secret or '' }}">
+          <button class="btn btn-outline-secondary" type="button" onclick="genSecret()">
+            <i class="bi bi-shuffle me-1"></i>Generate
+          </button>
+        </div>
+        <div class="form-text">Must match <code>API_SECRET</code> in the board's <code>secrets.h</code>.</div>
+      </div>
+
       <div class="d-flex gap-2">
         <button type="submit" class="btn btn-primary"><i class="bi bi-check-lg me-1"></i> Save</button>
         <a href="{{ url_for('boards.board_detail', board_id=board.id) }}" class="btn btn-outline-secondary">Cancel</a>
@@ -84,3 +99,14 @@
   </div>
 </div>
 {% endblock %}
+
+{% block scripts %}
+<script>
+function genSecret() {
+  const buf = new Uint8Array(32);
+  crypto.getRandomValues(buf);
+  document.getElementById('api-secret-input').value =
+    Array.from(buf).map(b => b.toString(16).padStart(2, '0')).join('');
+}
+</script>
+{% endblock %}