fix: validate saved credential payloads #177
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b06c87ffb2
| } | ||
| result.resize(decodedLen); | ||
|
|
||
| if (hasValidatedPrefix(result)) { |
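Review bot: hasValidatedPrefix(result) is evaluated on the raw decoded bytes immediately after result.resize(decodedLen), so it must check result.size() against the length of the marker plus the checksum that follows it rather than assuming at least that many bytes are present, and because no deobfuscation has happened at this point, a legacy blob whose first four obfuscated bytes happen to equal the marker is routed into the validated path, where a checksum failure drops the entry instead of falling back to legacy decoding. Either test the marker after deobfuscation, or treat a marker match whose checksum does not verify as a legacy payload so an upgrade cannot silently discard a working credential.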
Distinguish validated format without colliding with legacy blobs
The version marker is checked on the raw base64-decoded bytes (hasValidatedPrefix(result)) before legacy XOR deobfuscation, so a legacy payload whose first 4 ciphertext bytes happen to be CPV1 is misclassified as "validated" and then rejected by checksum instead of being decoded as legacy. On upgrade, those credentials are silently lost (for WiFi, the entry is skipped in loadWifi), even though the stored password was valid for that device. Consider making the marker part of the XORed payload (or decoding legacy first and then checking an internal version field) so legacy data cannot be falsely rejected.
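To make the ordering problem in the comment above concrete, here is an added C++ example (not code from PR #177 or the project) that models the legacy scheme the PR description calls out (password XOR device MAC; the base64 step is omitted because it does not affect classification) beside a versioned, checksummed layout. The marker "CPV1" and a 4-byte checksum are taken from the review comment; the checksum function (FNV-1a over MAC and password), the two layouts, the decoder names and the sample MACs and passwords are assumptions constructed for the example. It builds a legacy blob whose obfuscated bytes begin with the marker, shows the reviewed check order losing it, and shows a decoder that deobfuscates first and falls back to legacy on a checksum failure keeping it.

```cpp
// Added example for the PR #177 review thread; not the project's own code.
// Marker "CPV1" and a 4-byte checksum come from the review comment; the
// checksum function, layouts, sample MACs and passwords are constructed here.
#include <algorithm>
#include <array>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;
using Mac = std::array<uint8_t, 6>;

static const Bytes kMarker = {'C', 'P', 'V', '1'};
// Constructed sample MACs: kMacA is "this device", kMacB a foreign device.
const Mac kMacA = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06};
const Mac kMacB = {0x10, 0x20, 0x30, 0x40, 0x50, 0x60};

// Legacy obfuscation: XOR the bytes with the repeating device MAC.
static Bytes xorWithMac(const Bytes& in, const Mac& mac) {
    Bytes out(in.size());
    for (size_t i = 0; i < in.size(); ++i) out[i] = in[i] ^ mac[i % mac.size()];
    return out;
}

// 32-bit FNV-1a over MAC || password: a checksum bound to the reading device.
// It catches copies and corruption, not a forger who knows the device MAC.
static uint32_t checksum(const Bytes& pw, const Mac& mac) {
    uint32_t h = 2166136261u;
    for (uint8_t b : mac) h = (h ^ b) * 16777619u;
    for (uint8_t b : pw)  h = (h ^ b) * 16777619u;
    return h;
}

static Bytes le32(uint32_t v) {
    return {uint8_t(v), uint8_t(v >> 8), uint8_t(v >> 16), uint8_t(v >> 24)};
}

// Legacy writer: XOR only, no marker, no checksum.
Bytes encodeLegacy(const std::string& pw, const Mac& mac) {
    return xorWithMac(Bytes(pw.begin(), pw.end()), mac);
}

// Layout the reviewed hunk implies: raw marker, then XORed (checksum || password).
Bytes encodeRawMarker(const std::string& pw, const Mac& mac) {
    Bytes pwb(pw.begin(), pw.end());
    Bytes body = le32(checksum(pwb, mac));
    body.insert(body.end(), pwb.begin(), pwb.end());
    Bytes out = kMarker;
    Bytes obf = xorWithMac(body, mac);
    out.insert(out.end(), obf.begin(), obf.end());
    return out;
}

// Layout the review asks for: marker || checksum || password, all XORed.
Bytes encodeXoredMarker(const std::string& pw, const Mac& mac) {
    Bytes pwb(pw.begin(), pw.end());
    Bytes plain = kMarker;
    Bytes sum = le32(checksum(pwb, mac));
    plain.insert(plain.end(), sum.begin(), sum.end());
    plain.insert(plain.end(), pwb.begin(), pwb.end());
    return xorWithMac(plain, mac);
}

// Bounds-checked marker test: marker (4) plus checksum (4) must be present.
static bool hasMarker(const Bytes& b) {
    return b.size() >= 8 && std::equal(kMarker.begin(), kMarker.end(), b.begin());
}

// Parse marker || checksum || password from already-deobfuscated bytes.
static std::optional<std::string> parseValidated(const Bytes& plain, const Mac& mac) {
    if (!hasMarker(plain)) return std::nullopt;
    Bytes pw(plain.begin() + 8, plain.end());
    uint32_t stored = 0;
    for (int i = 0; i < 4; ++i) stored |= uint32_t(plain[4 + i]) << (8 * i);
    if (stored != checksum(pw, mac)) return std::nullopt;
    return std::string(pw.begin(), pw.end());
}

// Reviewed ordering: marker tested on raw bytes BEFORE deobfuscation, and a
// checksum failure rejects the entry outright (no legacy fallback).
std::optional<std::string> decodeAsReviewed(const Bytes& blob, const Mac& mac) {
    if (hasMarker(blob)) {
        Bytes body = xorWithMac(Bytes(blob.begin() + 4, blob.end()), mac);
        Bytes plain = kMarker;
        plain.insert(plain.end(), body.begin(), body.end());
        return parseValidated(plain, mac);  // nullopt: credential silently dropped
    }
    Bytes pw = xorWithMac(blob, mac);
    return std::string(pw.begin(), pw.end());
}

// Suggested ordering: deobfuscate first; only marker AND checksum select the
// validated path, anything else is read as a legacy password.
std::optional<std::string> decodeSuggested(const Bytes& blob, const Mac& mac) {
    Bytes plain = xorWithMac(blob, mac);
    if (auto pw = parseValidated(plain, mac)) return pw;
    return std::string(plain.begin(), plain.end());
}

int main() {
    // "BRU5secret" XOR kMacA starts with 'C','P','V','1': a legacy collision.
    Bytes legacy = encodeLegacy("BRU5secret", kMacA);
    std::printf("raw marker on legacy blob: %d\n", hasMarker(legacy));
    std::printf("reviewed order keeps it:   %d\n", decodeAsReviewed(legacy, kMacA).has_value());
    std::printf("suggested order keeps it:  %d\n", decodeSuggested(legacy, kMacA).has_value());
    return 0;
}
```

The fallback keeps every legacy blob readable, but it has a cost worth weighing against the PR's root cause: a new-format blob copied from another device deobfuscates to a non-matching marker under the wrong MAC and lands in the legacy path, which can verify nothing, whereas the raw-marker layout positively rejects such a copy. A one-time migration that re-saves legacy entries in the new format and then removes the fallback closes that window.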
b06c87f to 0d66882
Summary
Root Cause
Saved passwords were only XOR-obfuscated with the device MAC and base64 encoded. Reads could verify that the JSON/base64 shape was parseable, but not that the decoded password belonged to the current reader or was uncorrupted. A copied SD card from another device could therefore produce non-empty garbage and be treated like a saved password.
Validation
pio run -e simulator
pio run -e tiny