fix(relay,desktop): only advertise NIP-43 when enforced; probe pairing by supported_nips

[tlongwell-block]

Summary

Mobile pairing from the desktop GUI was broken on the staging relay (sprout-oss.stage.blox.sqprod.co). The phone got "Could not reach the pairing relay" because the QR's relay URL pointed at wss://…/pair, which 404s — the pair sidecar isn't deployed on this relay.

Two coupled bugs:

1. Relay advertised NIP-43 in NIP-11's supported_nips unconditionally, regardless of whether SPROUT_REQUIRE_RELAY_MEMBERSHIP was actually on.
2. Desktop probe_relay_requires_auth keyed off limitation.auth_required — which is also true for plain NIP-42 / NIP-OA relays that don't need a pair sidecar at all.

Together they produced the failure on every open-but-stable-key relay (i.e. all current Sprout deployments).

Fix

crates/sprout-relay/src/nip11.rs / router.rs:

• Drop 43 from the static SUPPORTED_NIPS constant.
• RelayInfo::build(relay_self: Option<&str>, advertise_nip43: bool) — two facts, gated independently.
• self follows stable signing-key (preserves NIP-29 group-metadata verification: per nips/29.md line 129, kinds 39000/39001/39002 are signed by the relay master key and verified against NIP-11 self; Sprout signs those unconditionally).
• NIP-43 advertised only when stable-key AND require_relay_membership.
• debug_assert!(!advertise_nip43 || relay_self.is_some()) — NIP-43 events are verified against self; advertising NIP-43 without it would be a programmer bug.
• Single helper nip11_facts(&state) consumed by both the dedicated /info handler and the content-negotiated root handler so they can't drift.

desktop/src-tauri/src/commands/pairing.rs:

• Rename probe_relay_requires_auth → probe_relay_supports_nip43. Read supported_nips and look for numeric 43.
• Unreachable / malformed / non-ws(s):// responses fall through to using the main relay (better to fail loudly there than misroute to an undeployed sidecar).

Tests

New in crates/sprout-relay/src/nip11.rs:

Test	What it pins
nip43_not_in_static_supported_nips	NIP-43 is conditional, not unconditional
build_open_relay_ephemeral_key_omits_self_and_nip43	Neither advertised on dev/CI
build_open_relay_stable_key_advertises_self_but_not_nip43	The staging-default shape — the bug we're fixing
build_membership_relay_advertises_self_and_nip43	Both advertised on real NIP-43 deployments
build_nip43_without_self_panics_in_debug	The debug_assert

• All 152 sprout-relay lib tests pass (+5 net new; 1 existing test got its comment updated, none changed semantically).
• Existing e2e test_nip11_relay_info unaffected (it asserts field presence and auth_required: true, no specific NIP list).
• cargo clippy -p sprout-relay --no-deps -- -D warnings clean.
• Desktop cargo check clean.

Behavior change

Relay shape	NIP-11 self	NIP-11 supported_nips includes 43	Desktop QR points to
Dev / ephemeral key	omitted	no	main relay
Open / stable key (today's staging)	set (was set before too)	no (was yes — bug)	main relay (was …/pair)
Membership enforced	set	yes	…/pair

Out of scope but related

1. The sprout-pair-relay sidecar isn't built, deployed, or routed by the staging helm chart. Filing a follow-up for when membership is turned on (three pieces per Mari's audit: Dockerfile build, pod deployment binding 127.0.0.1:5000, Istio VirtualService /pair match).
2. Cloudflare Access in front of the public hostname blocks phones without WARP regardless. Policy decision.

Review

Pre-reviewed in-channel with Max and Mari:

• Mari caught a critical regression in v1 where I'd coupled self to NIP-43 — that would have silently broken NIP-29 verification on every open-but-stable-key relay. v2 decouples them.
• Max caught a doc-comment overclaim ("falls back via the user") which is now corrected.
• All three converged at 9/10+ on minimalism, elegance, and correctness.