fix: address Qodana and SpotBugs static analysis issues

Code quality fixes:
- Make RelayConnection and RelayPool final (CT_CONSTRUCTOR_THROW)
- Make AdminConnectionListener static inner class
- Fix similar log messages in RelayPool, alerting classes
- Fix MismatchedCollectionQueryUpdate in WebhookAlertDelivery, RelayPool
- Add @serial annotations to exception classes (MissingSerialAnnotation)
- Remove dead local store in RelayHealthMonitor (DLS_DEAD_LOCAL_STORE)
- Fix SQL injection pattern warning in BottinE2ETest
- Fix duplicated JSON serialization in Nip05Record
- Remove unused imports and code across modules

Dependency updates for CVE fixes:
- Spring Boot 3.2.4 -> 3.5.9
- JUnit 5.10.2 -> 5.12.2
- Logback 1.5.3 -> 1.5.15
- Micrometer 1.12.4 -> 1.14.3
- maven-pmd-plugin 3.21.2 -> 3.26.0 (Java 21 support)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: tcheeric

nsecbunker-account/src/main/java/xyz/tcheeric/nsecbunker/account/nip05/Nip05Record.java

@@ -6,6 +6,7 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import lombok.Builder;
 import lombok.Value;
+import lombok.extern.slf4j.Slf4j;
 import xyz.tcheeric.nsecbunker.core.model.BunkerKey;
 
 import java.util.List;
@@ -31,6 +32,7 @@
  */
 @Value
 @Builder(toBuilder = true)
+@Slf4j
 public class Nip05Record {
 
     private static final ObjectMapper DEFAULT_MAPPER = new ObjectMapper();
@@ -64,6 +66,8 @@ public List<String> getRelays() {
         try {
             return DEFAULT_MAPPER.readValue(relaysJson, STRING_LIST_TYPE);
         } catch (JsonProcessingException e) {
+            log.debug("relays_json_parse_failed nip05={} relaysJson={} error={}",
+                    nip05, relaysJson, e.getMessage());
             return List.of();
         }
     }
@@ -144,19 +148,10 @@ public static Nip05Record fromBunkerKey(BunkerKey key, String username, String d
         Objects.requireNonNull(username, "username must not be null");
         Objects.requireNonNull(domain, "domain must not be null");
 
-        String relaysJsonStr = "[]";
-        if (relays != null && !relays.isEmpty()) {
-            try {
-                relaysJsonStr = DEFAULT_MAPPER.writeValueAsString(relays);
-            } catch (JsonProcessingException e) {
-                relaysJsonStr = "[]";
-            }
-        }
-
         return Nip05Record.builder()
                 .nip05(username + "@" + domain)
                 .pubkey(key.getPubkeyHex() != null ? key.getPubkeyHex() : key.getNpub())
-                .relaysJson(relaysJsonStr)
+                .relaysJson(serializeRelays(relays))
                 .build();
     }
 
@@ -186,19 +181,29 @@ public static Nip05Record of(String username, String domain, String pubkey) {
      * @return a new Nip05Record
      */
     public static Nip05Record of(String username, String domain, String pubkey, List<String> relays) {
-        String relaysJsonStr = "[]";
-        if (relays != null && !relays.isEmpty()) {
-            try {
-                relaysJsonStr = DEFAULT_MAPPER.writeValueAsString(relays);
-            } catch (JsonProcessingException e) {
-                relaysJsonStr = "[]";
-            }
-        }
-
         return Nip05Record.builder()
                 .nip05(username + "@" + domain)
                 .pubkey(pubkey)
-                .relaysJson(relaysJsonStr)
+                .relaysJson(serializeRelays(relays))
                 .build();
     }
+
+    /**
+     * Serializes a list of relay URLs to JSON string.
+     *
+     * <p>Returns empty array "[]" if relays is null, empty, or serialization fails.
+     *
+     * @param relays the relay URLs to serialize
+     * @return JSON array string of relays
+     */
+    private static String serializeRelays(List<String> relays) {
+        if (relays == null || relays.isEmpty()) {
+            return "[]";
+        }
+        try {
+            return DEFAULT_MAPPER.writeValueAsString(relays);
+        } catch (JsonProcessingException e) {
+            return "[]";
+        }
+    }
 }

nsecbunker-account/src/main/java/xyz/tcheeric/nsecbunker/account/nip05/spi/DefaultNip05ManagerProvider.java

@@ -30,7 +30,7 @@ public class DefaultNip05ManagerProvider implements Nip05ManagerProvider {
      * Creates a provider with default dependencies.
      */
     public DefaultNip05ManagerProvider() {
-        this(new DefaultAccountManager(), new ObjectMapper());
+        this(null, null);
     }
 
     /**
@@ -39,7 +39,7 @@ public DefaultNip05ManagerProvider() {
      * @param accountManager the account manager to use
      */
     public DefaultNip05ManagerProvider(AccountManager accountManager) {
-        this(accountManager, new ObjectMapper());
+        this(accountManager, null);
     }
 
     /**

nsecbunker-account/src/main/java/xyz/tcheeric/nsecbunker/account/registration/AccountManager.java

@@ -64,13 +64,38 @@ default CompletableFuture<Optional<AccountRegistrationResult>> findAccount(Strin
      * <p>Default implementation returns empty. Persistent implementations
      * should override this method to provide username-based lookup.</p>
      *
+     * <p><b>Note:</b> Usernames are not unique across domains. For example,
+     * "alice@example.com" and "alice@another.com" are different accounts.
+     * This method may return ambiguous results in multi-domain scenarios.
+     * For unambiguous lookups, use {@link #findByUsernameAndDomain(String, String)}
+     * or {@link #findAccount(String)} with the full NIP-05 identifier.</p>
+     *
      * @param username username to search for
-     * @return the account if found, empty otherwise
+     * @return the first matching account if found, empty otherwise
      */
     default CompletableFuture<Optional<AccountRegistrationResult>> findByUsername(String username) {
         return CompletableFuture.completedFuture(Optional.empty());
     }
 
+    /**
+     * Finds an account by username and domain.
+     *
+     * <p>This method provides unambiguous lookup by requiring both the username
+     * and domain components of a NIP-05 identifier.</p>
+     *
+     * <p>Default implementation delegates to {@link #findAccount(String)} using
+     * the combined NIP-05 identifier. Persistent implementations may override
+     * for optimized queries.</p>
+     *
+     * @param username username (e.g., "alice")
+     * @param domain   domain (e.g., "example.com")
+     * @return the account if found, empty otherwise
+     */
+    default CompletableFuture<Optional<AccountRegistrationResult>> findByUsernameAndDomain(
+            String username, String domain) {
+        return findAccount(username + "@" + domain);
+    }
+
     /**
      * Finds all accounts for a given domain.
      *

nsecbunker-admin/src/main/java/xyz/tcheeric/nsecbunker/admin/AdminAuthenticator.java

@@ -2,7 +2,6 @@
 
 import lombok.extern.slf4j.Slf4j;
 import xyz.tcheeric.nsecbunker.protocol.nip46.Nip46Request;
-import xyz.tcheeric.nsecbunker.protocol.nip46.Nip46Response;
 
 import java.util.List;
 import java.util.concurrent.CompletableFuture;

nsecbunker-admin/src/main/java/xyz/tcheeric/nsecbunker/admin/NsecBunkerAdminClient.java

@@ -3,20 +3,20 @@
 import lombok.Getter;
 import lombok.extern.slf4j.Slf4j;
 import nostr.id.Identity;
-import xyz.tcheeric.nsecbunker.connection.ConnectionListener;
-import xyz.tcheeric.nsecbunker.connection.ConnectionState;
-import xyz.tcheeric.nsecbunker.connection.ExponentialBackoffStrategy;
-import xyz.tcheeric.nsecbunker.connection.RelayConnection;
-import xyz.tcheeric.nsecbunker.connection.RelayListener;
-import xyz.tcheeric.nsecbunker.connection.RelayPool;
 import xyz.tcheeric.nsecbunker.admin.key.DefaultKeyManager;
 import xyz.tcheeric.nsecbunker.admin.key.KeyManager;
-import xyz.tcheeric.nsecbunker.admin.policy.DefaultPolicyManager;
-import xyz.tcheeric.nsecbunker.admin.policy.PolicyManager;
 import xyz.tcheeric.nsecbunker.admin.permission.DefaultPermissionManager;
 import xyz.tcheeric.nsecbunker.admin.permission.PermissionManager;
+import xyz.tcheeric.nsecbunker.admin.policy.DefaultPolicyManager;
+import xyz.tcheeric.nsecbunker.admin.policy.PolicyManager;
 import xyz.tcheeric.nsecbunker.admin.token.DefaultTokenManager;
 import xyz.tcheeric.nsecbunker.admin.token.TokenManager;
+import xyz.tcheeric.nsecbunker.connection.ConnectionListener;
+import xyz.tcheeric.nsecbunker.connection.ConnectionState;
+import xyz.tcheeric.nsecbunker.connection.ExponentialBackoffStrategy;
+import xyz.tcheeric.nsecbunker.connection.RelayConnection;
+import xyz.tcheeric.nsecbunker.connection.RelayListener;
+import xyz.tcheeric.nsecbunker.connection.RelayPool;
 import xyz.tcheeric.nsecbunker.core.exception.BunkerConnectionException;
 import xyz.tcheeric.nsecbunker.protocol.crypto.Nip04Crypto;
 import xyz.tcheeric.nsecbunker.protocol.nip46.Nip46Decoder;
@@ -650,7 +650,7 @@ public void onNotice(RelayConnection relay, String message) {
     /**
      * Connection listener for handling connection state changes.
      */
-    private class AdminConnectionListener implements ConnectionListener {
+    private static class AdminConnectionListener implements ConnectionListener {
         @Override
         public void onConnected(String relayUrl) {
             log.debug("Connected to relay: {}", relayUrl);

nsecbunker-admin/src/main/java/xyz/tcheeric/nsecbunker/admin/permission/PermissionManager.java

@@ -1,7 +1,7 @@
 package xyz.tcheeric.nsecbunker.admin.permission;
 
-import xyz.tcheeric.nsecbunker.core.model.KeyUser;
 import xyz.tcheeric.nsecbunker.core.model.BunkerPolicy;
+import xyz.tcheeric.nsecbunker.core.model.KeyUser;
 
 import java.util.List;
 import java.util.concurrent.CompletableFuture;

nsecbunker-admin/src/test/java/xyz/tcheeric/nsecbunker/admin/AdminConfigTest.java

@@ -1,12 +1,13 @@
 package xyz.tcheeric.nsecbunker.admin;
 
-import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
 
 import java.time.Duration;
 import java.util.List;
 
-import static org.assertj.core.api.Assertions.*;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
 
 /**
  * Tests for {@link AdminConfig}.

nsecbunker-admin/src/test/java/xyz/tcheeric/nsecbunker/admin/AdminExceptionTest.java

@@ -1,10 +1,10 @@
 package xyz.tcheeric.nsecbunker.admin;
 
-import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
 import xyz.tcheeric.nsecbunker.protocol.nip46.Nip46Error;
 
-import static org.assertj.core.api.Assertions.*;
+import static org.assertj.core.api.Assertions.assertThat;
 
 /**
  * Tests for {@link AdminException}.

nsecbunker-admin/src/test/java/xyz/tcheeric/nsecbunker/admin/NsecBunkerAdminClientTest.java

@@ -1,15 +1,15 @@
 package xyz.tcheeric.nsecbunker.admin;
 
-import org.junit.jupiter.api.Test;
+import nostr.base.PublicKey;
 import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
 import xyz.tcheeric.nsecbunker.connection.ConnectionState;
 
-import nostr.base.PublicKey;
-
 import java.time.Duration;
 import java.util.List;
 
-import static org.assertj.core.api.Assertions.*;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
 
 /**
  * Tests for {@link NsecBunkerAdminClient}.

nsecbunker-client/src/main/java/xyz/tcheeric/nsecbunker/client/signer/NsecBunkerSigner.java

@@ -15,8 +15,8 @@
 import java.util.List;
 import java.util.Objects;
 import java.util.concurrent.CompletableFuture;
-import java.util.concurrent.atomic.AtomicReference;
 import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.Function;
 
 /**