admin: CreateTable / DeleteTable write endpoints (P1, leader-only) (#634)

Stacked on #633 (the read-only chunk). Writes are limited to the leader
node for now; follower-side `AdminForward` RPC (design Section 3.3
acceptance criteria 1-6) ships in a follow-up PR. Mergeable on its own —
followers respond `503 leader_unavailable` + `Retry-After: 1`.

## Summary

- `POST /admin/api/v1/dynamo/tables` and `DELETE
/admin/api/v1/dynamo/tables/{name}` both go through the existing protect
chain (BodyLimit → SessionAuth → Audit → CSRF). The handler also
enforces `RoleFull` so a read-only key cannot create or delete even with
a valid CSRF token.
- Adapter side: `AdminCreateTable` / `AdminDeleteTable` take an
`AdminPrincipal` and re-validate the role at the adapter layer even when
a higher tier already enforced it. Preserves the design's *adapter side
is the source of truth for authz* invariant (Section 3.2). Two sentinel
errors (`ErrAdminNotLeader`, `ErrAdminForbidden`) signal the structured
failure modes.
- Bridge in `main_admin.go` translates adapter errors to admin sentinels
(`ErrTablesNotLeader` to 503 + `Retry-After: 1`, `ErrTablesForbidden` to
403, `ResourceInUse` to 409, `ResourceNotFound` to 404,
`ValidationException` to 400). Raw adapter error text is never surfaced
to clients; everything else falls through to a generic 500 with the
original message logged at error level.
- Strict JSON decoding (`DisallowUnknownFields`); each validation
message is plain English so the SPA can render it directly.
- Two summary structs (`adapter.AdminCreateTableInput` /
`admin.CreateTableRequest`) stay independent so neither package imports
the other; the bridge keeps them in sync and any drift breaks the build
there.

## Test plan

- [x] `go build ./...`
- [x] `go vet ./...`
- [x] `golangci-lint run` (admin, adapter, root: 0 issues)
- [x] `go test ./internal/admin/ -count=1` (49 tests pass — 14 new
write-handler unit tests, 4 new server-level integration tests)
- [x] `go test ./adapter/ -count=1 -run 'TestDynamoDB_Admin'` (14 tests
pass — 9 new write-path tests including duplicate rejection, role
enforcement at adapter, validation errors, delete missing to
ResourceNotFound, etc.)
- [ ] Manual smoke against a running node:
- `curl -X POST .../dynamo/tables` with full-role cookies + CSRF header
to 201 + JSON summary
  - same against a follower to 503 + `Retry-After: 1`
  - `DELETE` on a non-existent table to 404 `not_found`

## Stacked roadmap

1. **#633** read-only `GET /tables` + `GET /tables/{name}` (in review)
2. **THIS PR** — `POST` + `DELETE` (leader-only)
3. AdminForward RPC + follower-leader forwarding (Section 3.3 acceptance
criteria 1-6)
4. S3 read-only endpoints
5. S3 write endpoints
6. SPA (React + Vite, embed.FS)

Author: bootjp

adapter/dynamodb_admin.go

@@ -0,0 +1,31 @@
+package admin
+
+// RoleStore is the live access-key → Role lookup the admin handlers
+// re-evaluate on every state-changing request. Embedding the role
+// in the JWT alone is insufficient: a token minted under role
+// `full` would otherwise keep mutating tables for the rest of its
+// 1-hour TTL even if an operator revoked or downgraded the access
+// key in the cluster's role configuration. Codex P1 on PR #635
+// flagged the gap; the leader-side ForwardServer already does this
+// re-evaluation, the HTTP path now does it too so leader-direct
+// writes match the forwarded path's authorisation contract.
+type RoleStore interface {
+	// LookupRole returns the role for an access key as understood
+	// by the local node's view of cluster configuration. The bool
+	// is false when the access key is not in the admin role index
+	// — a session whose key has been removed must not be able to
+	// perform any admin write, even if its JWT is still within
+	// its issued validity window.
+	LookupRole(accessKey string) (Role, bool)
+}
+
+// MapRoleStore is the trivial in-memory implementation, sufficient
+// for tests and for the production wiring (which already keeps the
+// role map in memory).
+type MapRoleStore map[string]Role
+
+// LookupRole implements RoleStore.
+func (m MapRoleStore) LookupRole(accessKey string) (Role, bool) {
+	r, ok := m[accessKey]
+	return r, ok
+}

adapter/dynamodb_admin_test.go

@@ -277,6 +277,11 @@ func writeJSONNotFound(w http.ResponseWriter, _ *http.Request) {
 
 func writeJSONError(w http.ResponseWriter, status int, code, msg string) {
 	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	// Defence-in-depth header: the admin surface is JSON-only, so
+	// declare nosniff to prevent a misbehaving browser from
+	// content-sniffing an error body into something executable.
+	// Cheap and standard for cookie-gated admin endpoints.
+	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.Header().Set("Cache-Control", "no-store")
 	w.WriteHeader(status)
 	_ = json.NewEncoder(w).Encode(errorResponse{Error: code, Message: msg})

internal/admin/dynamo_handler.go

@@ -5,6 +5,7 @@ import (
 	"log/slog"
 	"net/http"
 	"reflect"
+	"strings"
 )
 
 // ServerDeps bundles the collaborators the admin HTTP surface needs. All
@@ -31,6 +32,13 @@ type ServerDeps struct {
 	// ClusterInfo describes the local node's Raft state.
 	ClusterInfo ClusterInfoSource
 
+	// Tables is the DynamoDB admin source — covers list, describe,
+	// create, and delete via TablesSource. Optional: a nil value
+	// disables /admin/api/v1/dynamo/tables{,/{name}} (the mux
+	// answers them with 404). This lets a build that ships only the
+	// cluster page deploy without standing up the dynamo bridge.
+	Tables TablesSource
+
 	// StaticFS is the embed.FS (or any fs.FS) backing the SPA. May be
 	// nil during early development; the router renders 404 for
 	// /admin/assets/* and the SPA fallback in that case.
@@ -92,7 +100,21 @@ func NewServer(deps ServerDeps) (*Server, error) {
 	}
 	auth := NewAuthService(deps.Signer, deps.Credentials, deps.Roles, authOpts)
 	cluster := NewClusterHandler(deps.ClusterInfo).WithLogger(logger)
-	mux := buildAPIMux(auth, deps.Verifier, cluster, logger)
+	var dynamo http.Handler
+	if deps.Tables != nil {
+		// Re-evaluate the principal's role on every state-
+		// changing request against the live role map (Codex P1
+		// on PR #635). MapRoleStore wraps the same map the auth
+		// layer uses for login, so a config reload that updates
+		// deps.Roles does NOT automatically propagate here —
+		// operators must restart the listener for revocation to
+		// take effect, but the JWT no longer extends a revoked
+		// key past the next request.
+		dynamo = NewDynamoHandler(deps.Tables).
+			WithLogger(logger).
+			WithRoleStore(MapRoleStore(deps.Roles))
+	}
+	mux := buildAPIMux(auth, deps.Verifier, cluster, dynamo, logger)
 	router := NewRouter(mux, deps.StaticFS)
 	return &Server{deps: deps, router: router, auth: auth, mux: mux}, nil
 }
@@ -119,15 +141,23 @@ func (s *Server) APIHandler() http.Handler {
 //
 // Layout:
 //
-//	POST   /admin/api/v1/auth/login     (no auth, rate-limited)
-//	POST   /admin/api/v1/auth/logout    (no auth required)
-//	GET    /admin/api/v1/cluster        (auth required)
+//	POST   /admin/api/v1/auth/login                 (no auth, rate-limited)
+//	POST   /admin/api/v1/auth/logout                (auth required)
+//	GET    /admin/api/v1/cluster                    (auth required)
+//	GET    /admin/api/v1/dynamo/tables              (auth required)
+//	POST   /admin/api/v1/dynamo/tables              (auth required, full role)
+//	GET    /admin/api/v1/dynamo/tables/{name}       (auth required)
+//	DELETE /admin/api/v1/dynamo/tables/{name}       (auth required, full role)
 //
 // Body limit applies uniformly. CSRF and Audit middleware apply to
 // write-capable protected endpoints; login and logout carry their own
 // audit path inside AuthService because the generic Audit middleware
 // cannot see the claimed actor at that point in the chain.
-func buildAPIMux(auth *AuthService, verifier *Verifier, clusterHandler http.Handler, logger *slog.Logger) http.Handler {
+//
+// dynamoHandler may be nil; in that case the dynamo paths fall through
+// to the unknown-endpoint 404, matching the behaviour of any other
+// unregistered admin path.
+func buildAPIMux(auth *AuthService, verifier *Verifier, clusterHandler, dynamoHandler http.Handler, logger *slog.Logger) http.Handler {
 	loginHandler := http.HandlerFunc(auth.HandleLogin)
 	logoutHandler := http.HandlerFunc(auth.HandleLogout)
 
@@ -177,15 +207,27 @@ func buildAPIMux(auth *AuthService, verifier *Verifier, clusterHandler http.Hand
 	loginChain := publicAuth(loginHandler)
 	logoutChain := protectNoAudit(logoutHandler)
 	clusterChain := protect(clusterHandler)
+	// Dynamo endpoints (reads and writes) share the protect chain
+	// so a missing session or CSRF token 401s/403s the same way
+	// regardless of method. The Audit middleware is a no-op for
+	// GET (it only logs state-changing methods) so dashboard polls
+	// don't flood the audit log, while POST/DELETE always do.
+	var dynamoChain http.Handler
+	if dynamoHandler != nil {
+		dynamoChain = protect(dynamoHandler)
+	}
 
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		switch r.URL.Path {
-		case "/admin/api/v1/auth/login":
+		switch {
+		case r.URL.Path == "/admin/api/v1/auth/login":
 			loginChain.ServeHTTP(w, r)
-		case "/admin/api/v1/auth/logout":
+		case r.URL.Path == "/admin/api/v1/auth/logout":
 			logoutChain.ServeHTTP(w, r)
-		case "/admin/api/v1/cluster":
+		case r.URL.Path == "/admin/api/v1/cluster":
 			clusterChain.ServeHTTP(w, r)
+		case dynamoChain != nil && (r.URL.Path == pathDynamoTables ||
+			strings.HasPrefix(r.URL.Path, pathPrefixDynamoTables)):
+			dynamoChain.ServeHTTP(w, r)
 		default:
 			writeJSONError(w, http.StatusNotFound, "unknown_endpoint",
 				"no admin API handler is registered for this path")