NTS-KE server should only select among offered algorithms

RFC 8915: 4.1.5. AEAD Algorithm Negotiation says:

When included in a response, this record denotes which algorithm the server chooses to use. It is empty if the server supports none of the algorithms offered.

AEAD_AES_SIV_CMAC_256 is only required to be implemented by the server - not the client!

I guess this is (wrongly) implemented here:

https://gitlab.com/NTPsec/ntpsec/-/blob/2a0863b233c42a00f7ec811967a274222f4cd17f/ntpd/nts_server.c#L335-338

It should instead send an empty AEAD algorithm list and no cookies.

(If this gets fixed, algorithm probing gets "cleaner", and also the server doesn't have to do expensive crypto for something the client doesn't want anyway.)
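The selection behavior requested above, sketched as an added example that is not NTPsec's code: the server picks only from the client's offered list and returns an empty AEAD record, with no cookies, when nothing matches. The function names, the `server_algs` configuration and the sample request are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NTS_KE_AEAD_NEGOTIATION 4  /* record type, RFC 8915 section 4.1.5 */
#define AEAD_AES_SIV_CMAC_256  15  /* IANA AEAD registry numbers */
#define AEAD_AES_SIV_CMAC_512  17

/* Assumed server configuration for this example. */
static const uint16_t server_algs[] = { AEAD_AES_SIV_CMAC_256, AEAD_AES_SIV_CMAC_512 };

/* Walk the client's list (big-endian 16-bit IDs, client preference order)
 * and pick the first one the server also supports. */
bool select_aead(const uint8_t *body, size_t len, uint16_t *chosen)
{
    for (size_t i = 0; i + 1 < len; i += 2) {
        uint16_t offered = (uint16_t)((body[i] << 8) | body[i + 1]);
        for (size_t j = 0; j < sizeof server_algs / sizeof server_algs[0]; j++)
            if (offered == server_algs[j]) { *chosen = offered; return true; }
    }
    return false;
}

/* Build the response record into out (>= 6 bytes). Returns the record length,
 * or 0 if the request body is malformed (empty or odd length).
 * *send_cookies tells the caller whether to derive keys and mint cookies. */
size_t build_aead_response(const uint8_t *req, size_t req_len,
                           uint8_t *out, bool *send_cookies)
{
    uint16_t alg = 0;
    *send_cookies = false;
    if (req_len == 0 || req_len % 2 != 0) return 0;
    *send_cookies = select_aead(req, req_len, &alg);
    size_t body_len = *send_cookies ? 2 : 0;  /* empty body: nothing offered is supported */
    out[0] = 0;                               /* critical bit clear, type high byte */
    out[1] = NTS_KE_AEAD_NEGOTIATION;
    out[2] = 0;
    out[3] = (uint8_t)body_len;
    if (*send_cookies) { out[4] = (uint8_t)(alg >> 8); out[5] = (uint8_t)alg; }
    return 4 + body_len;
}

int main(void)
{
    const uint8_t only_384[] = { 0x00, 0x10 };  /* constructed: client offers only ID 16 */
    uint8_t out[6]; bool cookies;
    size_t n = build_aead_response(only_384, sizeof only_384, out, &cookies);
    printf("record length %zu, send cookies: %d\n", n, cookies);
    return 0;
}
```

A caller would skip key export and cookie generation whenever `send_cookies` comes back false, which is the crypto cost the issue mentions.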
