fix: handle null passphrase in key management methods

- Normalize null or blank passphrases to empty string for create, unlock, and rotate key operations to allow unencrypted keys.
- Remove `requirePassphrase` validation and add `normalizePassphrase` method.
- Fix MockWebServer lifecycle issues in `RelayConnectionChaosTest` by implementing proper WebSocket event handling.

Author: tcheeric

nsecbunker-admin/src/main/java/xyz/tcheeric/nsecbunker/admin/key/DefaultKeyManager.java

@@ -58,20 +58,22 @@ public DefaultKeyManager(NsecBunkerAdminClient adminClient, ObjectMapper objectM
     @Override
     public CompletableFuture<BunkerKey> createKey(String name, String nsec, String passphrase) {
         validateName(name);
-        requirePassphrase(passphrase);
         if (nsec == null || nsec.isBlank()) {
             throw new IllegalArgumentException("nsec must not be null or blank");
         }
 
-        return sendForKey(METHOD_CREATE_NEW_KEY, List.of(name, passphrase, nsec), name);
+        // Empty passphrase is allowed - nsecbunkerd will store the key unencrypted
+        String normalizedPassphrase = normalizePassphrase(passphrase);
+        return sendForKey(METHOD_CREATE_NEW_KEY, List.of(name, normalizedPassphrase, nsec), name);
     }
 
     @Override
     public CompletableFuture<BunkerKey> createKey(String name, String passphrase) {
         validateName(name);
-        requirePassphrase(passphrase);
 
-        return sendForKey(METHOD_CREATE_NEW_KEY, List.of(name, passphrase), name);
+        // Empty passphrase is allowed - nsecbunkerd will store the key unencrypted
+        String normalizedPassphrase = normalizePassphrase(passphrase);
+        return sendForKey(METHOD_CREATE_NEW_KEY, List.of(name, normalizedPassphrase), name);
     }
 
     @Override
@@ -83,9 +85,10 @@ public CompletableFuture<List<BunkerKey>> listKeys() {
     @Override
     public CompletableFuture<Boolean> unlockKey(String name, String passphrase) {
         validateName(name);
-        requirePassphrase(passphrase);
 
-        return sendForResult(METHOD_UNLOCK_KEY, List.of(name, passphrase), "unlock key " + name)
+        // Empty passphrase is allowed - for keys stored without encryption
+        String normalizedPassphrase = normalizePassphrase(passphrase);
+        return sendForResult(METHOD_UNLOCK_KEY, List.of(name, normalizedPassphrase), "unlock key " + name)
                 .thenApply(ignored -> Boolean.TRUE);
     }
 
@@ -108,9 +111,9 @@ public CompletableFuture<BunkerKey> getKeyDetails(String name) {
     public CompletableFuture<BunkerKey> rotateKey(String oldName, String newName, String passphrase) {
         validateName(oldName);
         validateName(newName);
-        requirePassphrase(passphrase);
 
-        return sendForKey(METHOD_ROTATE_KEY, List.of(oldName, newName, passphrase), newName);
+        String normalizedPassphrase = normalizePassphrase(passphrase);
+        return sendForKey(METHOD_ROTATE_KEY, List.of(oldName, newName, normalizedPassphrase), newName);
     }
 
     private CompletableFuture<String> sendForResult(String method, List<String> params, String description) {
@@ -185,9 +188,14 @@ private void validateName(String name) {
         }
     }
 
-    private void requirePassphrase(String passphrase) {
-        if (passphrase == null || passphrase.isBlank()) {
-            throw new IllegalArgumentException("Passphrase must not be null or blank");
-        }
+    /**
+     * Normalizes a passphrase to an empty string if null or blank.
+     * This allows creating/unlocking keys without encryption.
+     *
+     * @param passphrase the passphrase to normalize
+     * @return the passphrase or empty string if null/blank
+     */
+    private String normalizePassphrase(String passphrase) {
+        return passphrase != null && !passphrase.isBlank() ? passphrase : "";
     }
 }

nsecbunker-admin/src/test/java/xyz/tcheeric/nsecbunker/admin/key/DefaultKeyManagerTest.java

@@ -213,6 +213,45 @@ void shouldRotateKey() throws Exception {
         assertThat(request.getParams()).containsExactlyElementsOf(List.of("cashu-old", "cashu-rotated", TEST_PASSPHRASE));
     }
 
+    /**
+     * Ensures creating a key with null passphrase normalizes it to empty string.
+     */
+    @Test
+    void shouldCreateKeyWithNullPassphraseNormalizedToEmpty() {
+        // Arrange
+        String npub = "npub1nopwd";
+        ArgumentCaptor<Nip46Request> requestCaptor = ArgumentCaptor.forClass(Nip46Request.class);
+        when(adminClient.sendRequest(requestCaptor.capture()))
+                .thenReturn(CompletableFuture.completedFuture(Nip46Response.success("1", npub)));
+
+        // Act
+        BunkerKey result = keyManager.createKey("key-no-passphrase", null).join();
+
+        // Assert
+        assertThat(result.getName()).isEqualTo("key-no-passphrase");
+        Nip46Request request = requestCaptor.getValue();
+        assertThat(request.getParams()).containsExactlyElementsOf(List.of("key-no-passphrase", ""));
+    }
+
+    /**
+     * Ensures unlocking a key with null passphrase normalizes it to empty string.
+     */
+    @Test
+    void shouldUnlockKeyWithNullPassphraseNormalizedToEmpty() {
+        // Arrange
+        ArgumentCaptor<Nip46Request> requestCaptor = ArgumentCaptor.forClass(Nip46Request.class);
+        when(adminClient.sendRequest(requestCaptor.capture()))
+                .thenReturn(CompletableFuture.completedFuture(Nip46Response.success("1", "ok")));
+
+        // Act
+        boolean result = keyManager.unlockKey("key-unencrypted", null).join();
+
+        // Assert
+        assertThat(result).isTrue();
+        Nip46Request request = requestCaptor.getValue();
+        assertThat(request.getParams()).containsExactlyElementsOf(List.of("key-unencrypted", ""));
+    }
+
     /**
      * Ensures NIP-46 errors are surfaced as AdminException through the future.
      */

nsecbunker-tests/nsecbunker-chaos/src/test/java/xyz/tcheeric/nsecbunker/chaos/RelayConnectionChaosTest.java

@@ -89,9 +89,34 @@ void shouldStopAfterMaxReconnectAttempts() throws Exception {
     }
 
     /**
-     * No-op WebSocket listener for MockWebServer upgrades.
+     * WebSocket listener for MockWebServer upgrades that properly handles lifecycle.
+     *
+     * <p>A completely empty listener causes NPE in OkHttp's RealWebSocket.loopReader
+     * because the reader loop expects proper lifecycle handling. This implementation
+     * handles onOpen, onMessage, and onClosing to prevent the MockWebServer crash.
      */
     private static final class NoopWebSocketListener extends okhttp3.WebSocketListener {
+
+        @Override
+        public void onOpen(okhttp3.WebSocket webSocket, okhttp3.Response response) {
+            // Connection opened - no action needed for test
+        }
+
+        @Override
+        public void onMessage(okhttp3.WebSocket webSocket, String text) {
+            // Message received - no action needed for test
+        }
+
+        @Override
+        public void onClosing(okhttp3.WebSocket webSocket, int code, String reason) {
+            // Server closing - echo back close to complete handshake
+            webSocket.close(code, reason);
+        }
+
+        @Override
+        public void onFailure(okhttp3.WebSocket webSocket, Throwable t, okhttp3.Response response) {
+            // Connection failed - no action needed for test
+        }
     }
 
     /**