admin: nosniff header + drop dead nil-check (Claude review)

Two minor items from Claude's review on PR #633:

- Add X-Content-Type-Options: nosniff to both writeJSONError and
  writeAdminJSON. The admin surface is JSON-only, so MIME sniffing
  is never useful and the header guards against XSS-via-sniffing on
  any payload that ever reaches the response writer through an
  unexpected path. Cookie-gated admin endpoints already constrain
  attack surface, but this is cheap defence in depth.

- Remove the dead `if resp.Tables == nil { resp.Tables = []string{} }`
  guard from handleList. paginateDynamoTableNames is total over its
  input — the "cursor past end" branch returns []string{} and every
  other branch returns a real sub-slice, both non-nil. Replace the
  guard with a comment that documents the producer-side invariant
  so future readers don't assume the function can return nil.

Author: bootjp

internal/admin/dynamo_handler.go

@@ -163,11 +163,12 @@ func (h *DynamoHandler) handleList(w http.ResponseWriter, r *http.Request) {
 	if next != "" {
 		resp.NextToken = encodeDynamoNextToken(next)
 	}
-	// Tables is an array contract; mint an empty slice rather than
-	// emitting JSON `null` when the cluster has no tables yet.
-	if resp.Tables == nil {
-		resp.Tables = []string{}
-	}
+	// paginateDynamoTableNames is total over its input — it always
+	// returns a non-nil slice (an empty []string{} on the
+	// "cursor past end" branch, a real sub-slice otherwise) so the
+	// JSON shape is always `"tables": []` rather than `null` even
+	// without an explicit nil-check here. The Tables array
+	// contract is enforced at the producer.
 	writeAdminJSON(w, r.Context(), h.logger, resp)
 }
 
@@ -288,6 +289,13 @@ func writeAdminJSON(w http.ResponseWriter, ctx context.Context, logger *slog.Log
 		return
 	}
 	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	// Defence-in-depth: tell the browser not to MIME-sniff the
+	// response body. The admin surface is JSON-only, so a sniffed
+	// "this might be HTML" guess is never useful and could enable
+	// XSS-via-sniffing on a hostile payload that somehow reached
+	// here. Cookie-gated admin endpoints + a single static
+	// Content-Type make this cheap and standard.
+	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.Header().Set("Cache-Control", "no-store")
 	w.WriteHeader(http.StatusOK)
 	if _, werr := w.Write(payload); werr != nil {

internal/admin/router.go

@@ -277,6 +277,11 @@ func writeJSONNotFound(w http.ResponseWriter, _ *http.Request) {
 
 func writeJSONError(w http.ResponseWriter, status int, code, msg string) {
 	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	// Defence-in-depth header: the admin surface is JSON-only, so
+	// declare nosniff to prevent a misbehaving browser from
+	// content-sniffing an error body into something executable.
+	// Cheap and standard for cookie-gated admin endpoints.
+	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.Header().Set("Cache-Control", "no-store")
 	w.WriteHeader(status)
 	_ = json.NewEncoder(w).Encode(errorResponse{Error: code, Message: msg})