fix: HMAC format — match server POST\npath\ntimestamp\nsha256(body) scheme

- hmac_sign now takes method+path instead of device_id; builds message as
  method\npath\ntimestamp\nhex(sha256(body)) per server verify_device_hmac
- reporter: header renamed X-HMAC-Signature → X-Signature; passes "POST"+path
- test vector regenerated against new message format; timestamp-diff test updated
- .size() → .length() throughout (Arduino String has no size())

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-14 10:47:13 -07:00
parent 6d41529570
commit 135eb3b46c
4 changed files with 31 additions and 21 deletions


@@ -25,7 +25,7 @@ static bool post_json(const DeviceConfig& cfg, const char* path, const String& b
uint32_t ts = now_ts();
// Reject if NTP hasn't synced yet (timestamp would be near epoch 0)
if (ts < 1700000000UL) return false; // pre-2023 → clock not valid
String sig = hmac_sign(cfg.hmac_secret, cfg.device_id, ts, body);
String sig = hmac_sign(cfg.hmac_secret, "POST", path, ts, body);
if (sig.isEmpty()) return false; // HMAC failed
HTTPClient http;
@@ -36,9 +36,9 @@ static bool post_json(const DeviceConfig& cfg, const char* path, const String& b
// Acceptable for this deployment: devices operate on store WiFi, not public internet.
http.begin(url);
http.addHeader("Content-Type", "application/json");
http.addHeader("X-Device-Id", cfg.device_id);
http.addHeader("X-Timestamp", String(ts));
http.addHeader("X-HMAC-Signature", sig);
http.addHeader("X-Device-Id", cfg.device_id);
http.addHeader("X-Timestamp", String(ts));
http.addHeader("X-Signature", sig);
int code = http.POST(body);
http.end();
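Review bot: With the device id dropped from the signed message (the new `hmac_sign(cfg.hmac_secret, "POST", path, ts, body)` call in the first hunk), the `X-Device-Id` header sent in the second hunk is authenticated only if the server picks the HMAC key per device from that header; if `verify_device_hmac` instead uses a secret shared across devices, the id becomes a free field that the signature no longer covers. If the per-device lookup is how the server works, that dependency is worth stating at the call site, e.g. `// device_id is not in the signed message; it is bound only through the per-device secret the server selects from X-Device-Id`, and otherwise the id should go back into the message on both sides. The literal `"POST"` also has to stay in step with `http.POST(body)` a few lines later, so a one-line comment tying the two together would prevent a silent mismatch if another verb is added. post_json's body continues past the end of this section.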