fix: remove dead code and document passwordless endpoint requirements

Simplify unreachable ternary in registerNewUserAccount — the null guard
already throws before line 275, so the null branch can never execute.
Add JavaDoc note that /user/registration/passwordless must be in
unprotectedURIs for deny-by-default apps. Add local testing workflow
with demo app to CLAUDE.md including playwright-test profile requirement.

Author: devondragon

CLAUDE.md

@@ -34,6 +34,40 @@ Spring User Framework is a reusable Spring Boot library (not an application) tha
 ./gradlew publishLocal
 ```
 
+## Local Testing with Demo App
+
+The [SpringUserFrameworkDemoApp](https://github.com/devondragon/SpringUserFrameworkDemoApp) is a Spring Boot app that consumes this library for testing and demonstration. It is typically checked out alongside this repo at `../SpringUserFrameworkDemoApp`.
+
+### Workflow
+
+1. **Publish the library locally:**
+   ```bash
+   ./gradlew publishLocal
+   ```
+   This publishes the current SNAPSHOT version (from `gradle.properties`) to your local Maven repository.
+
+2. **Update the demo app dependency** (if needed):
+   In `../SpringUserFrameworkDemoApp/build.gradle`, ensure the dependency version matches the SNAPSHOT:
+   ```groovy
+   implementation 'com.digitalsanctuary:ds-spring-user-framework:X.Y.Z-SNAPSHOT'
+   ```
+   Check `gradle.properties` for the current version.
+
+3. **Start the demo app:**
+   ```bash
+   cd ../SpringUserFrameworkDemoApp
+   ./gradlew bootRun --args='--spring.profiles.active=local,playwright-test'
+   ```
+   The app runs on `http://localhost:8080` by default. The `playwright-test` profile activates `TestDataController` and `TestApiSecurityConfig`, which the Playwright tests require for test data setup/teardown. Omit `playwright-test` if only doing manual browser testing.
+
+4. **Run Playwright tests:**
+   ```bash
+   cd ../SpringUserFrameworkDemoApp/playwright
+   npx playwright test --project=chromium
+   ```
+
+5. **Manual browser testing** can be done with Playwright MCP tools or directly in Chrome at `http://localhost:8080`.
+
 ## Architecture
 
 ### Package Structure

src/main/java/com/digitalsanctuary/spring/user/api/UserAPI.java

@@ -380,6 +380,10 @@ public ResponseEntity<JSONResponse> getAuthMethods(@AuthenticationPrincipal DSUs
 	/**
 	 * Registers a new passwordless user account (passkey-only).
 	 *
+	 * <p><strong>Note:</strong> Consuming applications using {@code user.security.defaultAction: deny}
+	 * must add {@code /user/registration/passwordless} to their {@code user.security.unprotectedURIs}
+	 * configuration to allow unauthenticated access to this endpoint.
+	 *
 	 * @param dto the passwordless registration DTO
 	 * @param request the HTTP servlet request
 	 * @return a ResponseEntity containing a JSONResponse with the registration result

src/main/java/com/digitalsanctuary/spring/user/service/UserService.java

@@ -272,7 +272,7 @@ public User registerNewUserAccount(final UserDto newUserDto) {
 		User user = new User();
 		user.setFirstName(newUserDto.getFirstName());
 		user.setLastName(newUserDto.getLastName());
-		user.setPassword(newUserDto.getPassword() != null ? passwordEncoder.encode(newUserDto.getPassword()) : null);
+		user.setPassword(passwordEncoder.encode(newUserDto.getPassword()));
 		user.setEmail(newUserDto.getEmail().toLowerCase());
 		user.setRoles(Arrays.asList(roleRepository.findByName(USER_ROLE_NAME)));