fix: HMAC format — match server POST\npath\ntimestamp\nsha256(body) scheme

- hmac_sign now takes method+path instead of device_id; builds message as
  method\npath\ntimestamp\nhex(sha256(body)) per server verify_device_hmac
- reporter: header renamed X-HMAC-Signature → X-Signature; passes "POST"+path
- test vector regenerated against new message format; timestamp-diff test updated
- .size() → .length() throughout (Arduino String has no size())

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

firmware/lib/hmac/hmac.h

@@ -11,6 +11,10 @@ using HString = String;
 #endif
 
 // Returns lowercase hex-encoded HMAC-SHA256 signature.
-// Message signed: device_id + ":" + timestamp_str + ":" + hex(sha256(body))
-HString hmac_sign(const HString& secret_hex, const HString& device_id,
-                  uint32_t timestamp, const HString& body);
+// Message signed: method + "\n" + path + "\n" + timestamp_str + "\n" + hex(sha256(body))
+// Matches server verify_device_hmac format: POST\n{path}\n{timestamp}\n{sha256(body)}
+HString hmac_sign(const HString& secret_hex,
+                  const HString& method,
+                  const HString& path,
+                  uint32_t timestamp,
+                  const HString& body);