feat(delegate-job): add subscriber auto-reconnect (FW-01) + HMAC-SHA256 event signing (FW-05)

FW-01: job_subscriber.py now has on_disconnect callback (5-arg paho v2
  signature), reconnect_delay_set(1,16) for exponential backoff, and
  with_retry-wrapped initial connect (5 attempts). paho loop_start()
  handles auto-reconnect internally.

FW-05: publish_event.py signs payloads with HMAC-SHA256 using auth_token
  as key (replaces plaintext token in wire). mqtt_common.py adds
  verify_hmac() helper using hmac.compare_digest (timing-safe).
  job_subscriber.py validates incoming events via verify_hmac.
  PoC mode (auth_token=None) skips verification — backward compatible.

Reviewed by agy-existing (PASS) and claude-existing (FAIL: on_disconnect
  4-arg signature → fixed to 5-arg matching paho v2 CallbackAPIVersion).

skills/tmux-agent-orchestrate-delegate-job/scripts/mqtt_common.py

@@ -16,6 +16,8 @@ values, never code (see references/mqtt-broker-setup.md).
 from __future__ import annotations
 
 import functools
+import hashlib
+import hmac
 import json
 import logging
 import os
@@ -193,6 +195,20 @@ def reason_code_value(rc: Any) -> int:
     return int(getattr(rc, "value", rc))
 
 
+def verify_hmac(payload: dict, auth_token: Optional[str]) -> bool:
+    """Verify HMAC-SHA256 signature. Returns True if valid or no token set."""
+    if not auth_token:
+        return True  # PoC mode — no auth
+    sig = payload.get("data", {}).get("hmac_sig")
+    if not sig:
+        return False
+    sign_payload = {k: v for k, v in payload.items() if k != "data"}
+    sign_payload["data"] = {k: v for k, v in payload.get("data", {}).items() if k != "hmac_sig"}
+    msg = json.dumps(sign_payload, sort_keys=True, separators=(",", ":")).encode()
+    expected = hmac.new(auth_token.encode(), msg, hashlib.sha256).hexdigest()
+    return hmac.compare_digest(sig, expected)
+
+
 def topic_prefix_for(job_id: str, root: str = DEFAULT_TOPIC_ROOT) -> str:
     return f"{root}/{job_id}"