We won’t respond to ANYTHING else unless you answer the AUTH. Otherwise the websocket is completely ignored.

This is one of the many things completely ignored in the NIP-42 spec is how to address the REQs that get sent before/simultaneous to an AUTH req being sent. The timing of the AUTH events isn’t defined either so clients have to be ready to answer them at all times (apparently).