I'm not saying tha REST is the right way to go. Just that it would be nice if a client to request POW (over a websocket is fine) without having to implement the auth nip.

And I can't imagine how a deep dependency graph could ever be a good thing. Modularity is one of the most important principles of design. You should be able to pick and chose which nips you implement without having to parse through a tree of interdependencies.