Make subscription_type, username, and years optional on POST /v1/admin/users

- subscription_type defaults to lifetime when omitted; validated when provided
- years is only required (and enforced) when subscription_type is yearly
- username uniqueness check and validation are skipped when username is empty
- Update OpenAPI spec to reflect pubkey as the only required field

internal/http/handlers/admin_users.go

@@ -42,22 +42,28 @@ func (h *AdminUsers) Add(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	sub := user.SubscriptionType(body.SubscriptionType)
-	if !sub.Valid() {
+	if body.SubscriptionType == "" {
+		sub = user.SubLifetime
+	} else if !sub.Valid() {
 		WriteError(w, http.StatusBadRequest, "ValidationError", "invalid subscription_type")
 		return
 	}
+
 	years := body.Years
-	if years <= 0 {
-		years = 1
+	if sub == user.SubYearly && years <= 0 {
+		WriteError(w, http.StatusBadRequest, "ValidationError", "years is required for yearly subscription")
+		return
 	}
 
 	if existing, err := h.Users.Repo().GetByPubkey(r.Context(), hexpk); err == nil && existing != nil {
 		WriteError(w, http.StatusConflict, "Conflict", "user already exists")
 		return
 	}
-	if existing, err := h.Users.Repo().GetByUsername(r.Context(), user.NormalizeUsername(body.Username)); err == nil && existing != nil {
-		WriteError(w, http.StatusConflict, "Conflict", "username taken")
-		return
+	if body.Username != "" {
+		if existing, err := h.Users.Repo().GetByUsername(r.Context(), user.NormalizeUsername(body.Username)); err == nil && existing != nil {
+			WriteError(w, http.StatusConflict, "Conflict", "username taken")
+			return
+		}
 	}
 
 	u, err := h.Users.CreateOrActivate(r.Context(), hexpk, body.Username, sub, years, true)