Feat: NWA auth for self-hosted hubs #1016

Draft, wants to merge 13 commits into base: master

rolznz (Contributor) commented Jan 20, 2025

Closes #328

TODOs:

  • budget might still make sense if you have superuser access (new apps can be created to bypass the permission) - but users need to understand that other apps can be created with larger budgets, circumventing it. - If someone installs a malicious version of Alby Go it could drain a user's funds.
  • Limit superuser scope to Alby Go for now
  • TODOs in feat: nwc create_connection command (WIP) #907
  • Instead of adding the create connection method to the normal create connection UI, make Alby Go a custom detail page
  • Use standard NWC info event instead of new NWA event
  • Ensure superuser permission cannot be included as part of standard deeplink flow and NWA flow - an attacker could take advantage of this - how do we explicitly limit it to Alby Go?
  • User needs to be very clearly warned to be careful with this connection secret and not put it in other apps
  • create_connection: no spec for now
  • NWA changes - first implement in Bitcoin Connect. Make it as simple as possible for a library to be implemented on different platforms
  • confirm way of passing lud16 as tag info event (but lightning addresses in profile metadata are leaked anyway in nostr and it's generally considered public info? the Alby relay does not allow crawling info events but this will not apply to other relays.)

Next steps:

  • review UX with Jakub
  • NWA in bitcoin connect
  • UI for accepting a connection in Alby Go (MVP: show all the settings, and Alby Go can only choose yes or no. Ensure connection secret with create_connection method cannot be exported OR remove export function completely!)

Notes for spec later:

  • p tag added to NWC info event
  • lud16 tag added to NWC info event
  • NWA:
    • no new NWA event - app subscribes to info event by p tag (same style as command responses; no relay changes necessary)
    • no NWA secret
    • parameter changes:

Successfully merging this pull request may close these issues.

Design new 1-click App Connection flow that works on all environments