Feat: NWA auth for self-hosted hubs

[rolznz]

Closes #328 #1107

TODOs:

• budget might still make sense if you have superuser access (new apps can be created to bypass the permission) - but users need to understand that other apps can be created with larger budgets, circumventing it. - If someone installs a malicious version of Alby Go it could drain a user's funds.
• Limit superuser scope to Alby Go for now
• TODOs in feat: nwc create_connection command (WIP) #907
• Instead of adding the create connection method to the normal create connection UI, make Alby Go a custom detail page
• Use standard NWC info event instead of new NWA event
• Ensure superuser permission cannot be included as part of standard deeplink flow and NWA flow - an attacker could take advantage of this - how do we explicitly limit it to Alby Go?
• User needs to be very clearly warned to be careful with this connection secret and not put them in other apps
• create_connection: no spec for now
• Alby detail page: give a default budget of 100K sats, editable after the connection is created
• Remove "superuser" from standard connection card
• Remove "superuser" text from permissions on view app connection page
• Replace checkbox with "One tap connections" card and copy
• NWA changes in JS SDK for testing - feat: NWA js-sdk#298
• confirm way of passing lud16 as tag info event (but lightning addresses in profile metadata are leaked anyway in nostr and it's generally considered public info? the Alby relay does not allow crawling info events but this will not apply to other relays.)

Next steps:

• review UX with Jakub
• NWA in bitcoin connect - feat: NWA & Alby Go bitcoin-connect#279
• UI for accepting a connection in Alby Go (MVP: show all the settings, and Alby Go can only choose yes or no. Ensure connection secret with create_connection method cannot be exported OR remove export function completely!) - feat: NWA + NWC deep linking go#272

Notes for spec later:

• p tag added to NWC info event
• lud16 field added to get_info
• NWA:
  • no new NWA event - app subscribes to info event by p tag (same style as command responses - + no relay changes necessary)
  • no NWA secret
  • parameter changes: naming kept consistent with http flow

[im-adithya]

tACK 🎉