We permit unauthenticated SENDMEs exactly when we shouldn't.
When calling CircHop::add_hop, we say:

    let hop = crate::circuit::reactor::CircHop::new(
        supports_flowctrl_1,
        params.initial_send_window(),
    );

But the first argument to CircHop::new is auth_sendme_optional: it should be true when it's okay for the relay to omit the SENDME authentication.
That doesn't match supports_flowctrl_1: The relays that support the FlowCtrl=1 subprotocol are those that will send unauthenticated SENDMEs.
This logic is inverted. That suggests that bool was the wrong type here.
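
One way to make this kind of inversion hard to write is to replace the bool with a two-variant enum. This is an added sketch, not the project's code: `SendmeAuth`, `from_flowctrl_1`, `Hop`, `check_sendme`, `SendmeError` and the 20-byte tag are hypothetical names and values, and the mapping follows the report's conclusion that the current one is inverted.

```rust
/// Whether a hop may omit the authentication tag on its SENDME cells.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum SendmeAuth {
    Required,
    Optional,
}

impl SendmeAuth {
    /// Hypothetical helper: the report says the current mapping is inverted,
    /// so a hop that supports FlowCtrl=1 gets `Required`.
    pub fn from_flowctrl_1(supported: bool) -> Self {
        if supported { SendmeAuth::Required } else { SendmeAuth::Optional }
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum SendmeError {
    MissingTag,
    BadTag,
}

/// Simplified stand-in for a circuit hop (not the project's CircHop).
pub struct Hop {
    auth: SendmeAuth,
    expected_tag: [u8; 20],
}

impl Hop {
    pub fn new(auth: SendmeAuth, expected_tag: [u8; 20]) -> Self {
        Hop { auth, expected_tag }
    }

    /// Accept or reject a SENDME carrying an optional authentication tag.
    pub fn check_sendme(&self, tag: Option<&[u8]>) -> Result<(), SendmeError> {
        match (tag, self.auth) {
            (None, SendmeAuth::Required) => Err(SendmeError::MissingTag),
            (None, SendmeAuth::Optional) => Ok(()),
            // Compare without an early exit on the first differing byte.
            (Some(t), _) => {
                let diff = t.iter().zip(&self.expected_tag).fold(0u8, |d, (a, b)| d | (a ^ b));
                if t.len() == 20 && diff == 0 { Ok(()) } else { Err(SendmeError::BadTag) }
            }
        }
    }
}

fn main() {
    let hop = Hop::new(SendmeAuth::from_flowctrl_1(true), [7u8; 20]); // constructed tag
    println!("{:?}", hop.check_sendme(None)); // Err(MissingTag)
}
```

With the enum, a call site reads `Hop::new(SendmeAuth::Required, ...)`, so passing a protocol-support flag straight through no longer type-checks.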