feat: per-client NAT filtering via LWIP_HOOK_IP4_CANFORWARD

- Add lwip_tollgate_hooks.h defining LWIP_HOOK_IP4_CANFORWARD macro
- Inject hook into lwIP build via CMakeLists.txt ESP_IDF_LWIP_HOOK_FILENAME
- Filter forwarded packets by source IP against firewall allowed list
- Only filter packets from AP subnet (10.192.45.0/24), allow all others
- Fix byte order bug: use network byte order for firewall_is_client_allowed
- NAT always enabled, removed global NAT toggle functions
- Remove spent-secret tracking from session.c (mint is authority)
- Remove unused get_ap_netif() function
- Reduce API server stack from 32KB to 16KB (fixes ESP_ERR_HTTPD_TASK)
- Add esp_random.h stub for unit tests
- All 186 unit tests passing
- Verified on hardware: block->pay->allow->revoke->block E2E works

1 files changed, 2 insertions, 8 deletions

diff --git a/main/session.h b/main/session.h
index 6282f5a..ea5b476 100644
--- a/main/session.h
+++ b/main/session.h
@@ -16,17 +16,13 @@ typedef struct {
     uint64_t allotment_bytes;
     uint64_t bytes_consumed;
     bool active;
-    char spent_secrets[5][65];
-    int spent_secret_count;
 } session_t;
 
 esp_err_t session_manager_init(void);
 
-session_t *session_create(uint32_t client_ip, uint64_t allotment_ms,
-                          const char *spent_secrets[], int secret_count);
+session_t *session_create(uint32_t client_ip, uint64_t allotment_ms);
 
-session_t *session_create_bytes(uint32_t client_ip, uint64_t allotment_bytes,
-                                const char *spent_secrets[], int secret_count);
+session_t *session_create_bytes(uint32_t client_ip, uint64_t allotment_bytes);
 
 void session_add_bytes(uint32_t client_ip, uint64_t bytes);
 
@@ -37,8 +33,6 @@ void session_extend(session_t *session, uint64_t additional_ms);
 
 bool session_is_expired(const session_t *session);
 
-bool session_is_secret_spent(const char *secret);
-
 void session_check_expiry(void);
 
 void session_revoke(session_t *session);