feat(mining): Bitcoin mining-for-bandwidth payment system

New modules:
- mining_payment.c/h: hashprice calc (nbits->difficulty->sat/GH/s/day),
  share validation, client stats, allotment conversion (ms + bytes)
- stratum_client.c/h: SV1 upstream pool connection (subscribe/authorize/submit)
- stratum_proxy.c/h: Local SV1 TCP server for downstream miners, job broadcast
- sw_miner.c/h: Software SHA256d miner (ESP32 CPU fallback)
- asic_miner.c/h: ASIC detection stub (BM1366/BM1368 SPI)

Config:
- config.h/c: mining_payout_mode_t enum (auto/pool/upstream/proxy_only),
  stratum pool settings, mining port, hashprice override, sandbox mint access
- Defaults fill nostr_seed_relays (8/8) and nostr_relays (4/4) with fast relays

Integration into existing modules:
- session.h/c: payment_method_t enum (CASHU/MINING/BYTES)
- firewall.h/c: firewall_set_mining_port(), firewall_set_sandbox_mint_access()
- tollgate_api.c: GET /mining/job, POST /mining/share, GET /mining/stats
- tollgate_client.h/c: TG_CLIENT_MINING state, mining discovery tag parsing
- tollgate_main.c: mining init in start_services(), stratum_client_tick() in loop
- captive_portal.c: tabbed Cashu/Mine UI with live hashrate polling

Unit tests (69 new assertions across 4 suites):
- test_mining_payment (23 tests): nbits->difficulty, hashprice, client stats, allotment
- test_stratum_proxy (21 tests): job set/get, stats, type validation
- test_session_payment_method (12 tests): PAYMENT_METHOD enum, bytes/cashu methods
- test_tollgate_client_mining (20 tests): mining tag parsing, discovery struct
- test_firewall_sandbox (16 tests): client grant/revoke, max clients, setters

Enhanced test stubs:
- BaseType_t/pdPASS in freertos/task.h
- lwip: sockets.h, etharp.h, prot/ip.h, prot/ip4.h, prot/tcp.h, netif.h
- dns_server.h, esp_wifi_ap_get_sta_list.h

Build fixes:
- cvm_server.c: replace esp_timer_get_time() with xTaskGetTickCount(),
  fix process_relay_message() 3-arg call to 2-arg, add WS keepalive ping
- stratum_proxy.c: widen task_name buffer 16->20
- sw_miner.c: add missing #include esp_random.h
- nucula_src: save_proofs() moved to public in wallet.hpp

Nostr relay updates:
- nostr_seed_relays: +relay.anzenkodo.workers.dev, +nostr.koning-degraaf.nl,
  +knostr.neutrine.com, +nostr.einundzwanzig.space (8/8 slots)
- nostr_relays: +relay.anzenkodo.workers.dev, +nostr.koning-degraaf.nl (4/4 slots)

Squash-merge of feature/mining-payment (5 commits: c75230e..9d98ba1)

1 files changed, 94 insertions, 0 deletions

diff --git a/tests/unit/test_firewall_sandbox.c b/tests/unit/test_firewall_sandbox.c
new file mode 100644
index 0000000..66a491b
--- /dev/null
+++ b/tests/unit/test_firewall_sandbox.c
@@ -0,0 +1,94 @@
+#include "test_framework.h"
+#include "../../main/firewall.h"
+#include <stdio.h>
+#include <string.h>
+
+int main(void)
+{
+    printf("=== test_firewall_sandbox ===\n");
+
+    printf("\n--- FW_MAX_MAC_LEN is 18 ---\n");
+    {
+        ASSERT_EQ_INT(18, FW_MAX_MAC_LEN, "MAC length is 18 (17 chars + null)");
+    }
+
+    printf("\n--- esp_ip4_addr_t available ---\n");
+    {
+        esp_ip4_addr_t ip;
+        ip.addr = 0x0102A8C0;
+        ASSERT(ip.addr == 0x0102A8C0, "ip4_addr stores value");
+    }
+
+    printf("\n--- firewall_set_mining_port / set_sandbox_mint_access compile ---\n");
+    {
+        firewall_set_mining_port(3333);
+        firewall_set_mining_port(4033);
+        firewall_set_sandbox_mint_access(true);
+        firewall_set_sandbox_mint_access(false);
+        ASSERT(true, "setters compile and run without crash");
+    }
+
+    printf("\n--- firewall_init + client management ---\n");
+    {
+        esp_ip4_addr_t ap_ip = { .addr = 0x012FA80A };
+        esp_err_t ret = firewall_init(ap_ip);
+        ASSERT_EQ_INT(ESP_OK, (int)ret, "firewall_init succeeds");
+        ASSERT_EQ_INT(0, firewall_client_count(), "no clients after init");
+
+        firewall_grant_access(0x0201A8C0);
+        ASSERT_EQ_INT(1, firewall_client_count(), "1 client after grant");
+        ASSERT(firewall_is_client_allowed(0x0201A8C0), "client is allowed");
+
+        firewall_revoke_access(0x0201A8C0);
+        ASSERT_EQ_INT(0, firewall_client_count(), "0 clients after revoke");
+        ASSERT(!firewall_is_client_allowed(0x0201A8C0), "client not allowed after revoke");
+    }
+
+    printf("\n--- grant same IP twice ---\n");
+    {
+        esp_ip4_addr_t ap_ip = { .addr = 0x012FA80A };
+        firewall_init(ap_ip);
+
+        firewall_grant_access(0x0301A8C0);
+        firewall_grant_access(0x0301A8C0);
+        ASSERT_EQ_INT(1, firewall_client_count(), "duplicate grant does not double count");
+    }
+
+    printf("\n--- revoke non-existent ---\n");
+    {
+        firewall_revoke_access(0x99999999);
+        ASSERT_EQ_INT(1, firewall_client_count(), "revoke non-existent no effect");
+    }
+
+    printf("\n--- revoke_all ---\n");
+    {
+        firewall_grant_access(0x0401A8C0);
+        firewall_grant_access(0x0501A8C0);
+        ASSERT_EQ_INT(3, firewall_client_count(), "3 clients");
+        firewall_revoke_all();
+        ASSERT_EQ_INT(0, firewall_client_count(), "0 after revoke_all");
+    }
+
+    printf("\n--- max clients (10) ---\n");
+    {
+        esp_ip4_addr_t ap_ip = { .addr = 0x012FA80A };
+        firewall_init(ap_ip);
+
+        for (int i = 0; i < 10; i++) {
+            firewall_grant_access(0x0A000000 + i);
+        }
+        ASSERT_EQ_INT(10, firewall_client_count(), "10 clients at max");
+
+        firewall_grant_access(0x0A000100);
+        ASSERT_EQ_INT(10, firewall_client_count(), "still 10 after exceeding max");
+    }
+
+    printf("\n--- is_mac_allowed (no MACs resolved in stub) ---\n");
+    {
+        firewall_init((esp_ip4_addr_t){ .addr = 0x012FA80A });
+        firewall_grant_access(0x0601A8C0);
+        ASSERT(!firewall_is_mac_allowed(""), "empty MAC not allowed");
+    }
+
+    TEST_SUMMARY();
+}