Validate RTC epoch before setting time

- Reject out-of-range DS3231 epochs and log accept/reject under SERIAL_DEBUG_MODE
- Document RTC validation so LoRa TimeSync can recover

src/time_manager.cpp

@@ -8,6 +8,8 @@ static bool g_time_synced = false;
 static bool g_tz_set = false;
 static bool g_rtc_present = false;
 static uint32_t g_last_sync_utc = 0;
+static constexpr uint32_t kMinValidEpoch = 1672531200UL; // 2023-01-01
+static constexpr uint32_t kMaxValidEpoch = 4102444800UL; // 2100-01-01
 
 static void note_last_sync(uint32_t epoch) {
   if (epoch == 0) {
@@ -142,6 +144,16 @@ bool time_try_load_from_rtc() {
   }
   uint32_t epoch = 0;
   if (!rtc_ds3231_read_epoch(epoch) || epoch == 0) {
+    if (SERIAL_DEBUG_MODE) {
+      Serial.println("rtc: read failed");
+    }
+    return false;
+  }
+  bool valid = epoch >= kMinValidEpoch && epoch <= kMaxValidEpoch;
+  if (SERIAL_DEBUG_MODE) {
+    Serial.printf("rtc: epoch=%lu %s\n", static_cast<unsigned long>(epoch), valid ? "accepted" : "rejected");
+  }
+  if (!valid) {
     return false;
   }
   time_set_utc(epoch);