Add HMAC-SHA256 API auth, NTP sync, NFC access control improvements

Security:
- Add verifyAPIRequest(): accepts valid Digest Auth (browser) OR valid
  HMAC-SHA256 signature (driver) — fixes browser UI being blocked by auth
- All 11 API endpoints require verifyAPIRequest()
- /register exempt (bootstrap handshake, secret not yet exchanged)
- Credentials moved to secrets.h (gitignored); secrets.h.example added

NTP:
- Sync time on boot for HMAC replay-prevention timestamp window (±60s)
- server.collectHeaders() registers X-Request-Time / X-Request-Sig

NFC:
- Full NFC access control: auth UID, relay trigger, absent timeout
- Live UID display, copy-to-auth button, save/clear settings from UI
- Access state: idle / granted / denied with colour feedback

.gitignore

@@ -11,3 +11,5 @@ icon.png
 # OS
 .DS_Store
 Thumbs.db
+/esp32_arduino/secrets.h
+