admin: drop migration side-effect from describe + tighten list doc

Two findings from Gemini's third review pass on PR #633.

- adapter/dynamodb_admin.go: AdminDescribeTable used to invoke
  ensureLegacyTableMigration on every call, which writes to the
  cluster (Raft-coordinated key-encoding migration) as a side
  effect of a read-only dashboard endpoint. Drop the call. The
  admin describe is now strictly a snapshot read; legacy-format
  tables migrate lazily on the next SigV4 read or write of the
  same table, which is the existing behaviour for everything else
  that touches that path.

- internal/admin/dynamo_handler.go: strengthen the handleList
  doc comment to spell out the worst-case memory bound (255 B
  per name × 10k tables ≈ 2.5 MiB) and to call out that this
  matches the SigV4 listTables path which has shipped fine.
  Streaming the metadata scan is a separate adapter-level
  refactor — bolting one on top of the materialised slice would
  be cosmetic.

Author: bootjp

adapter/dynamodb_admin.go

@@ -38,10 +38,18 @@ func (d *DynamoDBServer) AdminListTables(ctx context.Context) ([]string, error)
 // (result, present, error) lets admin callers distinguish a genuine
 // "not found" from a storage error without sniffing sentinels: when
 // the table is missing the function returns (nil, false, nil).
+//
+// Unlike the SigV4 describeTable handler, AdminDescribeTable does
+// NOT invoke ensureLegacyTableMigration. The admin dashboard is a
+// strictly read-only surface (Gemini medium review on PR #633), so
+// triggering Raft-coordinated key-encoding migrations as a side
+// effect of routine polling would (a) violate the read-only
+// contract and (b) cause every dashboard refresh to write to the
+// cluster. Migration still runs lazily on the next SigV4 read or
+// write of the same table — the schema we return here is just a
+// snapshot for display, not a guarantee that the table is
+// up-to-date for serving.
 func (d *DynamoDBServer) AdminDescribeTable(ctx context.Context, name string) (*AdminTableSummary, bool, error) {
-	if err := d.ensureLegacyTableMigration(ctx, name); err != nil {
-		return nil, false, err
-	}
 	schema, exists, err := d.loadTableSchema(ctx, name)
 	if err != nil {
 		return nil, false, err

internal/admin/dynamo_handler.go

@@ -131,17 +131,23 @@ func (h *DynamoHandler) handleList(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// AdminListTables materialises the full table-name list before
-	// paginate-and-slice. The adapter's listTableNames already
-	// scans the entire metadata prefix in one shot for the SigV4
-	// listTables path, so streaming here would not change the
-	// adapter's memory profile; the dashboard's bounded `limit`
-	// (default 100, hard max 1000) and the lex-sorted name list
-	// keep the per-request slice small enough that this is the
-	// pragmatic shape rather than the limiting factor. If a future
-	// admin-cluster scale ever changes that calculus, the fix is to
-	// teach the adapter to stream, then plumb that through here —
-	// not to add a streaming layer on top of the materialised list.
+	// AdminListTables returns the full lex-sorted name list that
+	// the adapter's metadata prefix scan produces; we then slice
+	// to the requested page. The adapter's listTableNames already
+	// materialises the same list for the SigV4 listTables path
+	// (adapter/dynamodb.go:1146), which has been in production
+	// since DynamoDB-compat shipped — admin's memory profile is
+	// strictly the SigV4 path's, not a regression on top of it.
+	//
+	// Worst-case bound: a Dynamo table name caps at 255 bytes, so
+	// 1k tables ≈ 256 KiB and 10k tables ≈ 2.5 MiB of name
+	// strings on the heap during a single list call. That is well
+	// inside the per-request budget the admin listener targets.
+	// Beyond that scale the right fix is to teach the adapter to
+	// stream the metadata scan via a callback (and plumb it
+	// through here), not to bolt a streaming layer on top of the
+	// already-materialised slice. Tracked separately; this
+	// endpoint is not the limiting factor.
 	names, err := h.source.AdminListTables(r.Context())
 	if err != nil {
 		h.logger.LogAttrs(r.Context(), slog.LevelError, "admin dynamo list tables failed",