no, if you want to require auth you should close the connection and respond with `auth-required` to make it explicit that you won't let them pass until they AUTH

there's an in-between state (in which I am and why I ask) in which I want to allow people to AUTH but not require it.

We already have these as separate verbs so the protocol allows for this expressivity, but I doubt clients will not interpret AUTH as an possibility to auth rather than a requirement