Pairing module attestation_sink.export() bypasses atomic write path #184

@bordumb

Problem

crates/auths-sdk/src/pairing/mod.rs:531 calls attestation_sink.export() directly, bypassing the atomic write path (AtomicWriteBatch + try_stage_anchor + commit_batch).

This means device attestations created through the pairing flow are written to Git without a corresponding ixn seal in the KEL. The check-anchor-discipline xtask does not currently scan the pairing/ directory.

Current state

  • Line 531: ctx.attestation_sink.export(&VerifiedAttestation::dangerous_from_unchecked(...))
  • No AtomicWriteBatch usage
  • No try_stage_anchor call
  • The pairing flow completes device enrollment without KEL anchoring

Fix

Replace the .export() call with the same pattern used in link_device:

let mut batch = AtomicWriteBatch::new();
batch.stage_attestation(attestation.clone());
if let Ok(prefix) = parse_did_keri(identity_did.as_str()) {
    let _ = try_stage_anchor(backend, signer, alias, provider, &prefix, &attestation, &mut batch);
}
backend.commit_batch(&batch)?;

Also add crates/auths-sdk/src/pairing/ to the check-anchor-discipline xtask's BANNED_WRITE_PATHS to prevent regression.

Files

  • crates/auths-sdk/src/pairing/mod.rs — replace .export() with atomic batch
  • crates/xtask/src/check_anchor_discipline.rs — add pairing path to banned write paths
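
A sketch of the kind of regression guard requested above, added here as an example and not the project's actual check-anchor-discipline xtask. The `Violation` type, the `scan_file` function, the single-entry path list and the sample source are assumptions made for illustration; only the banned path and the `attestation_sink.export(` call come from the issue.

```rust
// Added illustration; not the contents of crates/xtask/src/check_anchor_discipline.rs.
// Assumption: the list holds only the directory this issue asks to add.
const BANNED_WRITE_PATHS: &[&str] = &["crates/auths-sdk/src/pairing/"];
// The direct write the issue identifies as bypassing the atomic write path.
const BANNED_CALL: &str = "attestation_sink.export(";

#[derive(Debug, PartialEq)]
pub struct Violation {
    pub path: String,
    pub line: usize, // 1-based line number
}

/// Flags each line of `source` that makes the banned call, but only when
/// `path` lies under a banned directory. Line-based, so a call split across
/// lines (`.export(` on its own line) is not caught by this sketch.
pub fn scan_file(path: &str, source: &str) -> Vec<Violation> {
    if !BANNED_WRITE_PATHS.iter().any(|p| path.starts_with(p)) {
        return Vec::new();
    }
    source
        .lines()
        .enumerate()
        .filter(|(_, text)| {
            // Ignore anything after a line comment marker.
            let code = text.split("//").next().unwrap_or("");
            // Drop whitespace so `attestation_sink . export (` still matches.
            let compact: String = code.chars().filter(|c| !c.is_whitespace()).collect();
            compact.contains(BANNED_CALL)
        })
        .map(|(i, _)| Violation { path: path.to_string(), line: i + 1 })
        .collect()
}

// Constructed sample source, not taken from the repository.
const SAMPLE: &str = "fn finish_pairing() {\n    ctx.attestation_sink.export(&att)?;\n    // attestation_sink.export( mentioned in a comment\n    backend.commit_batch(&batch)?;\n}\n";

fn main() {
    let hits = scan_file("crates/auths-sdk/src/pairing/mod.rs", SAMPLE);
    for v in &hits {
        println!("{}:{}: direct export() bypasses AtomicWriteBatch", v.path, v.line);
    }
    // A non-zero exit lets CI fail the build when a violation is present.
    std::process::exit(if hits.is_empty() { 0 } else { 1 });
}
```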

Labels: security (Security hardening and vulnerability fixes)
