feat: implement and harden LNURL-auth (LUD-04/LUD-05) flow

[juanchi]

Summary

Implements LNURL-auth support in Blink wallet and hardens the full auth path after manual end-to-end validation.

What Changed

• Added tag=login parsing and LNURL-auth destination typing/routing.
• Added dedicated LNURL-auth confirmation screen with explicit confirm/cancel + retry UX.
• Added linking key derivation and challenge signing utilities.
• Hardened callback validation:
  • strict k1 validation
  • callback/domain checks including safe subdomain support
  • HTTPS requirement with localhost exception for local dev
• Improved runtime robustness:
  • handle getParams failures gracefully
  • avoid unsafe casts in parser/scanner flow
  • fallback persisted LNURL-auth seed when mnemonic credentials are unavailable
  • fixed mobile DER signature hex serialization interoperability issue

Tests

• yarn test tests/utils/lnurl-auth.spec.ts --watchAll=false
• yarn test tests/payment-destination/lnurl.spec.ts --watchAll=false
• yarn tsc --noEmit

All passing locally.

Manual Verification

Android emulator end-to-end validated:

• scan or paste LNURL-auth
• consent screen appears before signing
• cancel path works
• confirm path succeeds with successful authentication response

iOS runtime verification is pending due to no local Mac/Xcode environment.

Related

Fixes #3215

[juanchi]

Posting latest verification update:\n\n- Android emulator LNURL-auth flow is now verified end-to-end (including satsai.tools success path).\n- Final hardening commit also addresses mobile signature serialization and mnemonic-unavailable fallback seed handling.\n- Test checks run locally and pass: utils spec, payment-destination spec, and tsc --noEmit.\n- iOS runtime verification is still pending due to no local Mac/Xcode environment.\n\nWould appreciate reviewer attention on the crypto/signature and callback-domain validation portions in .

[juanchi]

(Clarification) Please focus review on app/utils/lnurl-auth/lnurl-auth.ts for key derivation, signature formatting, and callback-domain validation logic.

[juanchi]

Contribution compliance check against CONTRIBUTING.MD:

• Fork + feature branch flow: complete
• PR target: juanchi/feature/blink-lnurl-auth -> blinkbitcoin/main
• Conventional PR title: complete
• Local verification rerun today (in feature worktree): yarn tsc --noEmit, yarn test tests/utils/lnurl-auth.spec.ts --watchAll=false, yarn test tests/payment-destination/lnurl.spec.ts --watchAll=false (all passing)
• Android runtime verification: complete
• iOS runtime verification: pending (no local Mac/Xcode environment)

Reviewer focus remains app/utils/lnurl-auth/lnurl-auth.ts for derivation/signature/callback-domain rules and app/screens/lnurl-auth-screen/lnurl-auth-screen.tsx for confirmation flow.