Address safety review findings for the dual-interface (WiFi + USB serial)
architecture running on the ESP32-S3's two Xtensa LX7 cores:
- Protect sweep state with std::atomic (acquire/release ordering)
- Add Attenuator::getSnapshot() for consistent multi-field reads
- Add advanceStep()/persistCurrent() to eliminate TOCTOU races
- Switch to StaticSemaphore_t (compile-time mutex, can't fail)
- Accumulate web server POST bodies before parsing (chunked TCP fix)
- Backport USB serial input validation to web server handlers
- Auto-stop sweep on manual set (prevents silent overwrite)
- Validate WiFi TX power against known-good levels
- Add OTA password authentication support
- Check NVS write return values, log failures
- Reset USB serial buffer on reconnect (stale overflow fix)
- Rename sweep.h to app.h (declares more than sweep functions)
Line-based JSON protocol over the ESP32-S3 native USB OTG port,
providing deterministic sub-millisecond attenuator control without
WiFi interference. Runs alongside the existing REST API.
Commands: identify, status, config, set, sweep, sweep_stop
Protocol: usb-serial-json-v1 (one JSON object per \n-terminated line)
Also addresses pre-existing reliability issues found during review:
- Thread safety: FreeRTOS mutex in Attenuator class (web server
callbacks run on async_tcp task, not loop())
- NVS flash wear: skip persist during sweep, save on stop
- WiFi credentials: moved to gitignored platformio_local.ini
- Shared header: sweep.h replaces duplicated extern declarations
