Add HMAC-SHA256 API auth, NTP sync, NFC access control improvements

Security:
- Add verifyAPIRequest(): accepts valid Digest Auth (browser) OR valid
  HMAC-SHA256 signature (driver) — fixes browser UI being blocked by auth
- All 11 API endpoints require verifyAPIRequest()
- /register exempt (bootstrap handshake, secret not yet exchanged)
- Credentials moved to secrets.h (gitignored); secrets.h.example added

NTP:
- Sync time on boot for HMAC replay-prevention timestamp window (±60s)
- server.collectHeaders() registers X-Request-Time / X-Request-Sig

NFC:
- Full NFC access control: auth UID, relay trigger, absent timeout
- Live UID display, copy-to-auth button, save/clear settings from UI
- Access state: idle / granted / denied with colour feedback

esp32_arduino/secrets.h.example

@@ -0,0 +1,15 @@
+// ── Board secrets (EXAMPLE — copy to secrets.h and fill in your values) ───────
+// DO NOT commit secrets.h to version control.
+//
+// API_SECRET — shared secret for HMAC-SHA256 API request authentication.
+//   Generate a strong random value with:
+//     python3 -c "import secrets; print(secrets.token_hex(32))"
+//   Then paste the same value into the board's Edit page in the Location
+//   Management server.
+//
+// WEB_USER / WEB_PASSWORD — credentials for the browser control panel.
+// ─────────────────────────────────────────────────────────────────────────────
+
+#define API_SECRET   "REPLACE_WITH_OUTPUT_OF_python3_-c_import_secrets_token_hex_32"
+#define WEB_USER     "your_username"
+#define WEB_PASSWORD "your_password"