fix: tighten version parsing, propagate HMAC sign failure, add deployment docs

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

firmware/lib/ota_updater/ota_updater.cpp

@@ -79,16 +79,17 @@ void ota_updater_init(const char* server_base, const char* device_id,
     s_last_check_ms = 0; // force first check on next call
 }
 
-static void add_hmac_headers(HTTPClient& http, const char* method, const char* path) {
+static bool add_hmac_headers(HTTPClient& http, const char* method, const char* path) {
     uint32_t ts = (uint32_t)(esp_timer_get_time() / 1000000ULL);
     String sig = hmac_sign(s_hmac_secret, method, path, ts, "");
     if (sig.isEmpty()) {
         log_e("[OTA] HMAC sign failed");
-        return;
+        return false;
     }
     http.addHeader("X-Device-Id",      s_device_id);
     http.addHeader("X-Timestamp",      String(ts));
     http.addHeader("X-HMAC-Signature", sig);
+    return true;
 }
 
 static bool download_and_flash(const char* fw_url, size_t expected_size,
@@ -111,7 +112,12 @@ static bool download_and_flash(const char* fw_url, size_t expected_size,
 
     HTTPClient http;
     http.begin(fw_url);
-    add_hmac_headers(http, "GET", "/ota/firmware");
+    if (!add_hmac_headers(http, "GET", "/ota/firmware")) {
+        log_e("[OTA] Aborting firmware download: HMAC sign failed");
+        mbedtls_sha256_free(&sha_ctx);
+        esp_ota_abort(handle);
+        return false;
+    }
     int code = http.GET();
     if (code != HTTP_CODE_OK) {
         log_e("[OTA] Firmware fetch failed: HTTP %d", code);
@@ -177,7 +183,11 @@ bool ota_updater_check_and_apply() {
 
     HTTPClient http;
     http.begin(check_url);
-    add_hmac_headers(http, "GET", check_path);
+    if (!add_hmac_headers(http, "GET", check_path)) {
+        log_e("[OTA] Aborting check: HMAC sign failed");
+        http.end();
+        return false;
+    }
     int code = http.GET();
     if (code != HTTP_CODE_OK) {
         log_w("[OTA] Check failed: HTTP %d", code);