mcu update: minimal hardening and proof

[lePereT]

This minimal PR is deliberately small in production code:

• 10 production files changed, about 169 lines added and 12 removed; the rest is test coverage:
• about 2,369 test lines added and 1 removed

The production changes are limited to explicit update-stage deadlines, disabling hidden lua-bus timeouts for long component/Fabric calls, Device’s default Fabric transfer-manager client, explicit upload auth configuration, and the BigBox UART/update timeout config. The tests add a devhost path that drives upload with curl, runs CM5 and MCU as separate Lua processes, uses real HAL UART drivers on both sides over PTYs, verifies Fabric hello/hello_ack session establishment on both sides, injects a standalone malformed JSONL line without corrupting valid frames, stages the artifact, commits, reboots both sides, and reconciles to succeeded; the latest run shows both the short-timeout cancellation case and the successful transfer case passing.

This proves the Fabric no-corruption path because the test does not pair the services in memory or fake the session: both Fabric instances discover each other over the UART byte stream, establish sessions with the expected peer nodes, then transfer through the real bridge/transfer-manager surfaces. The success log shows phase=established on CM5 and MCU, transfer status moving to ok, a staged digest matching the payload digest, then commit and restart reconciliation succeeding. It also shows that a malformed whole JSONL line is tolerated, while avoiding byte corruption inside a valid frame, so the claim is specifically “valid UART stream with fragmentation, pauses, and isolated bad lines”, not arbitrary corrupt-UART recovery. That will require a protocol change (if necessary, though hopefully jangala-dev/devicecode-go#43 will fix the problems on the Go side).