feat(auth): require signed NIP-42 event for Nostr login

Closes a security flaw where the server trusted any pubkey the client
sent. The frontend now signs a per-session, time-bound challenge
(kind-22242 event) that the backend verifies with swentel/nostr-php
before establishing the session.

- NostrAuth: issueChallenge() + loginWithSignedEvent() with full
  schnorr/id verification, TTL window, and idempotent re-entry for
  concurrent Livewire listeners.
- auth-button: mounts a fresh challenge, exposes it via data-attribute
  + requestNostrChallenge() fallback, renders a full-viewport AAA-style
  loading overlay while the wallet signs.
- NostrSessionGuard: override logout() to drop the cookie-jar dep so
  programmatic logout works in any context.

app/Livewire/Traits/WithNostrAuth.php

@@ -18,7 +18,7 @@ trait WithNostrAuth
     public bool $canEdit = false;
 
     #[On('nostrLoggedIn')]
-    public function handleNostrLogin(string $pubkey): void
+    public function handleNostrLogin($signedEvent = null): void
     {
         $executed = RateLimiter::attempt(
             'nostr-login:'.request()->ip(),
@@ -30,7 +30,7 @@ trait WithNostrAuth
             abort(429, 'Too many login attempts.');
         }
 
-        NostrAuth::login($pubkey);
+        $pubkey = NostrAuth::loginWithSignedEvent($signedEvent);
 
         $this->currentPubkey = $pubkey;
         $this->currentPleb = EinundzwanzigPleb::query()