admin: oversized create-table body returns 413, not 400 (Codex P2)

decodeCreateTableRequest used to surface every read/parse failure
as the same generic "invalid_body" string, so handleCreate mapped
all of them to 400 — including the BodyLimit/MaxBytesReader
overflow that should produce 413 payload_too_large.

The middleware contract in internal/admin/middleware.go promises
413 on oversized bodies (WriteMaxBytesError lives in that file
exactly for this purpose). Codex P2 on PR #634 flagged the
write path as the only handler that broke that contract: callers
and retry logic could not distinguish "body too big" from "body
malformed", and oversize requests would be retried as if a
caller-side fix was possible.

Fix: introduce errCreateBodyTooLarge as a sentinel returned only
when io.ReadAll trips MaxBytesReader. handleCreate matches the
sentinel via errors.Is and routes to WriteMaxBytesError, which
emits the canonical 413 + payload_too_large body. All other
decode paths still produce 400 invalid_body unchanged.

Test: TestDynamoHandler_CreateTable_OversizedBodyReturns413
wraps the request body in MaxBytesReader (mirroring what the
real BodyLimit middleware does) and confirms the response is
413 with a payload_too_large code. Also asserts the stub source
is not touched on rejection.

Author: bootjp

internal/admin/dynamo_handler.go

@@ -133,6 +133,15 @@ var (
 	ErrTablesAlreadyExists = errors.New("admin tables: table already exists")
 )
 
+// errCreateBodyTooLarge is returned by decodeCreateTableRequest
+// when the request body trips the BodyLimit middleware's
+// MaxBytesReader. The handler matches this sentinel to map the
+// failure to 413 payload_too_large rather than the generic 400
+// invalid_body — the BodyLimit/middleware contract documented in
+// internal/admin/middleware.go (Codex P2 on PR #634 flagged the
+// previous always-400 behaviour as a regression).
+var errCreateBodyTooLarge = errors.New("request body exceeds the 64 KiB admin limit")
+
 // ValidationError is what the source returns when the input fails
 // adapter-side validation. Surfaces a sanitised message back to the
 // SPA — adapter-internal err.Error() output is never sent verbatim.
@@ -280,6 +289,10 @@ func (h *DynamoHandler) handleCreate(w http.ResponseWriter, r *http.Request) {
 	}
 	body, err := decodeCreateTableRequest(r.Body)
 	if err != nil {
+		if errors.Is(err, errCreateBodyTooLarge) {
+			WriteMaxBytesError(w)
+			return
+		}
 		writeJSONError(w, http.StatusBadRequest, "invalid_body", err.Error())
 		return
 	}
@@ -362,7 +375,9 @@ func decodeCreateTableRequest(body io.Reader) (CreateTableRequest, error) {
 	raw, err := io.ReadAll(body)
 	if err != nil {
 		if IsMaxBytesError(err) {
-			return CreateTableRequest{}, errors.New("request body exceeds the 64 KiB admin limit")
+			// Sentinel so handleCreate can map to 413 rather than
+			// the generic 400 invalid_body.
+			return CreateTableRequest{}, errCreateBodyTooLarge
 		}
 		return CreateTableRequest{}, errors.New("request body could not be read")
 	}

internal/admin/dynamo_handler_test.go

@@ -487,6 +487,34 @@ func TestDynamoHandler_CreateTable_RejectsMissingPrincipal(t *testing.T) {
 	require.Equal(t, http.StatusUnauthorized, rec.Code)
 }
 
+// TestDynamoHandler_CreateTable_OversizedBodyReturns413 confirms a
+// body that trips BodyLimit's MaxBytesReader surfaces as 413
+// payload_too_large rather than the generic 400 invalid_body
+// (Codex P2 on PR #634). The middleware contract in
+// internal/admin/middleware.go is that oversized bodies map to
+// 413; the previous wholesale "decode failure → 400" path
+// silently broke that for this endpoint.
+func TestDynamoHandler_CreateTable_OversizedBodyReturns413(t *testing.T) {
+	src := &stubTablesSource{tables: map[string]*DynamoTableSummary{}}
+	h := newDynamoHandlerForTest(src)
+	// Build a body just over the limit. Padding a real-shape
+	// JSON object with whitespace keeps the structure valid up
+	// to the cap so the test isolates the size-rejection path.
+	oversize := `{"table_name":"u","partition_key":{"name":"id","type":"S"}` +
+		strings.Repeat(" ", int(defaultBodyLimit)+1) + "}"
+	req := httptest.NewRequest(http.MethodPost, pathDynamoTables, strings.NewReader(oversize))
+	req = withWritePrincipal(req)
+	// The router applies BodyLimit at the outer wrap; emulate
+	// that here so MaxBytesReader is in play during ReadAll.
+	req.Body = http.MaxBytesReader(httptest.NewRecorder(), req.Body, defaultBodyLimit)
+	rec := httptest.NewRecorder()
+	h.ServeHTTP(rec, req)
+
+	require.Equal(t, http.StatusRequestEntityTooLarge, rec.Code)
+	require.Contains(t, rec.Body.String(), "payload_too_large")
+	require.Empty(t, src.lastCreateInput.TableName, "source must not be touched on oversized body")
+}
+
 func TestDynamoHandler_CreateTable_RejectsBadJSON(t *testing.T) {
 	src := &stubTablesSource{tables: map[string]*DynamoTableSummary{}}
 	h := newDynamoHandlerForTest(src)