admin: harden forwarded delete (NUL + slash) (Codex P2 ×2)

Two related findings on PR #635 / forward_server.go's
handleDelete:

- NUL-byte smuggling: handleDelete decoded with goccy/go-json
  but skipped the explicit NUL scan that decodeCreateTableRequest
  applies. Same vector as the #634 fix — `{"name":"users"}\x00{"extra":1}`
  passes dec.More() because goccy treats NUL as end-of-input.
  Add the same pre-decode NUL rejection.

- Slash-in-name divergence: the HTTP handleDelete and
  handleDescribe both reject `/` in the table name with 404, but
  the forwarded delete just passed body.Name straight through to
  AdminDeleteTable. A forwarded call could therefore act on
  slash-bearing tables that a leader-direct call would 404. Reject
  symmetrically before invoking the source.

Tests: two new ForwardServer cases — NUL payload + slash name.
Both confirm the source is never invoked when the precondition
fails (defence in depth — an asymmetric stub source would still
make the test green if we only checked the response code).

Author: bootjp

internal/admin/forward_server.go

@@ -6,6 +6,7 @@ import (
 	"errors"
 	"log/slog"
 	"net/http"
+	"strings"
 
 	pb "github.com/bootjp/elastickv/proto"
 	"github.com/goccy/go-json"
@@ -171,6 +172,14 @@ func (s *ForwardServer) handleDelete(ctx context.Context, principal AuthPrincipa
 		return rejectForward(http.StatusRequestEntityTooLarge, "payload_too_large",
 			"forwarded payload exceeds the 64 KiB admin limit")
 	}
+	// Mirror decodeCreateTableRequest's NUL-byte guard: goccy/go-json
+	// treats raw NUL as end-of-input so dec.More() would otherwise
+	// miss `{"name":"users"}\x00{"extra":1}` payloads. Codex P2 on
+	// PR #635 flagged this as the same smuggling vector that the
+	// HTTP create path already covers.
+	if bytes.IndexByte(payload, 0) >= 0 {
+		return rejectForward(http.StatusBadRequest, "invalid_body", "delete payload contains a NUL byte")
+	}
 	dec := json.NewDecoder(bytes.NewReader(payload))
 	dec.DisallowUnknownFields()
 	var body struct {
@@ -185,6 +194,14 @@ func (s *ForwardServer) handleDelete(ctx context.Context, principal AuthPrincipa
 	if body.Name == "" {
 		return rejectForward(http.StatusBadRequest, "invalid_body", "delete payload missing name")
 	}
+	// Reject slash-bearing names symmetrically with the HTTP
+	// handleDelete and handleDescribe paths. Without this, a
+	// forwarded call could act on `foo/bar` while a leader-direct
+	// call would 404 — divergent behaviour Codex P2 flagged on
+	// PR #635.
+	if strings.ContainsRune(body.Name, '/') {
+		return rejectForward(http.StatusBadRequest, "invalid_body", "delete payload name must not contain '/'")
+	}
 	if err := s.source.AdminDeleteTable(ctx, principal, body.Name); err != nil {
 		return forwardErrorResponse(err), nil
 	}

internal/admin/forward_server_test.go

@@ -151,6 +151,43 @@ func TestForwardServer_DeleteTable_MissingReturns404(t *testing.T) {
 	require.Equal(t, int32(http.StatusNotFound), resp.GetStatusCode())
 }
 
+// TestForwardServer_DeleteTable_RejectsNULBytePayload exercises
+// the same Codex P2 vector that the create-table path covers:
+// goccy/go-json treats raw NUL as end-of-input, so a body like
+// `{"name":"users"}\x00{"extra":1}` would otherwise pass dec.More()
+// undetected. The handler now scans for NUL before decoding.
+func TestForwardServer_DeleteTable_RejectsNULBytePayload(t *testing.T) {
+	src := &stubTablesSource{tables: map[string]*DynamoTableSummary{"users": {Name: "users"}}}
+	srv := newForwardServerForTest(src, fullPrincipalRoleStore())
+	resp, err := srv.Forward(context.Background(), &pb.AdminForwardRequest{
+		Principal: &pb.AdminPrincipal{AccessKey: "AKIA_FULL", Role: "full"},
+		Operation: pb.AdminOperation_ADMIN_OP_DELETE_TABLE,
+		Payload:   []byte("{\"name\":\"users\"}\x00{\"extra\":1}"),
+	})
+	require.NoError(t, err)
+	require.Equal(t, int32(http.StatusBadRequest), resp.GetStatusCode())
+	require.Contains(t, string(resp.GetPayload()), "NUL byte")
+	// Source must not be reached — the table still exists in the
+	// stub map after the rejection.
+	require.Contains(t, src.tables, "users")
+}
+
+// TestForwardServer_DeleteTable_RejectsSlashInName mirrors the
+// HTTP path's slash rejection on forwarded delete requests so the
+// two surfaces cannot diverge (Codex P2).
+func TestForwardServer_DeleteTable_RejectsSlashInName(t *testing.T) {
+	src := &stubTablesSource{tables: map[string]*DynamoTableSummary{}}
+	srv := newForwardServerForTest(src, fullPrincipalRoleStore())
+	resp, err := srv.Forward(context.Background(), &pb.AdminForwardRequest{
+		Principal: &pb.AdminPrincipal{AccessKey: "AKIA_FULL", Role: "full"},
+		Operation: pb.AdminOperation_ADMIN_OP_DELETE_TABLE,
+		Payload:   []byte(`{"name":"foo/bar"}`),
+	})
+	require.NoError(t, err)
+	require.Equal(t, int32(http.StatusBadRequest), resp.GetStatusCode())
+	require.Contains(t, string(resp.GetPayload()), "must not contain")
+}
+
 func TestForwardServer_UnknownOperationRejected(t *testing.T) {
 	srv := newForwardServerForTest(&stubTablesSource{tables: map[string]*DynamoTableSummary{}}, fullPrincipalRoleStore())
 	resp, err := srv.Forward(context.Background(), &pb.AdminForwardRequest{