Harden web UI auth, input handling, and SD path validation

- Add optional Basic Auth with NVS-backed credentials and STA/AP flags; protect status, wifi, history, and download routes

- Stop pre-filling WiFi/MQTT/Web UI password fields; keep stored secrets on blank and add clear-password checkboxes

- Add HTML escaping + URL encoding helpers and apply to user-controlled strings; add unit test

- Harden /sd/download path validation (prefix, length, dotdot, slashes) and log rejections

- Enforce protocol version in LoRa receive and release GPIO14 before SD init

- Update README security, SD, and GPIO sharing notes

include/config.h

@@ -87,6 +87,10 @@ constexpr uint16_t SD_HISTORY_MAX_BINS = 4000;
 constexpr uint16_t SD_HISTORY_TIME_BUDGET_MS = 10;
 constexpr const char *AP_SSID_PREFIX = "DD3-Bridge-";
 constexpr const char *AP_PASSWORD = "changeme123";
+constexpr bool WEB_AUTH_REQUIRE_STA = true;
+constexpr bool WEB_AUTH_REQUIRE_AP = false;
+constexpr const char *WEB_AUTH_DEFAULT_USER = "admin";
+constexpr const char *WEB_AUTH_DEFAULT_PASS = "admin";
 
 constexpr uint8_t NUM_SENDERS = 1;
 inline constexpr uint16_t EXPECTED_SENDER_IDS[NUM_SENDERS] = {

include/html_util.h

@@ -0,0 +1,6 @@
+#pragma once
+
+#include <Arduino.h>
+
+String html_escape(const String &input);
+String url_encode_component(const String &input);

include/wifi_manager.h

@@ -12,6 +12,8 @@ struct WifiMqttConfig {
   String mqtt_pass;
   String ntp_server_1;
   String ntp_server_2;
+  String web_user;
+  String web_pass;
   bool valid;
 };