feat(pairing): authorize kind-22242 (NIP-42 AUTH) in spire policy (#52)

bitspire#52 consumer review (2026-06-18) enumerated the kinds the spire
signs as its OWN identity and found NIP-42 relay AUTH (kind 22242) missing
from SPIRE_POLICY_RULES — a silent bunker reject the moment a relay
challenges with AUTH. It must be bunker-signed (AUTH proves control of
spire_pubkey, which only the bunker holds; can't use the local client_nsec).

Adds 22242. Records the confirmed set in the policy comment: live = 21000 +
30078 + 22242; CLINK 21001-21003 dormant but kept; nip04 unused (v1 path is
dead code). New test locks the required-kinds contract so 22242 can't
silently regress.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

tests/test_pairing.py

@@ -305,3 +305,14 @@ def test_revoke_spire_maps_bunker_error():
     bunker.revoke_key_user = _boom
     with pytest.raises(PairingError, match="revoke"):
         asyncio.run(revoke_spire(_machine(), admin_client=bunker))
+
+
+def test_policy_authorizes_required_signing_kinds():
+    # Kinds the spire signs as its OWN identity, confirmed against the
+    # consumer signing sites in bitspire#52 (2026-06-18). A missing kind is a
+    # silent bunker reject. 22242 = NIP-42 relay AUTH (must be bunker-signed —
+    # it proves control of spire_pubkey). nip04 stays out (v1 path is dead).
+    kinds = {r["kind"] for r in SPIRE_POLICY_RULES if r["method"] == "sign_event"}
+    assert {21000, 30078, 22242} <= kinds
+    assert "nip04_encrypt" not in SPIRE_POLICY_METHODS_NO_KIND
+    assert "nip04_decrypt" not in SPIRE_POLICY_METHODS_NO_KIND