admin: P1 foundation (auth, router, cluster, listener) — no writes yet (#623)

## Summary

First PR toward the admin dashboard designed in
`docs/design/2026_04_24_proposed_admin_dashboard.md` (merged as #611).
Introduces the **read-only foundation**: listener wiring, auth, router,
middleware, cluster info / healthz endpoints. No write endpoints are
included — per the design doc P1 DoD they ship together with
`AdminForward` and the 3.3.2 acceptance criteria in a follow-up.

### What is in scope
- `internal/admin/` package: config validation, JWT (HS256 + 2-key
rotation), strict-prefix router, middleware chain (body limit, session
auth, role gate, CSRF double-submit, audit slog), login/logout with
per-IP rate limiter, cluster + healthz handlers, `Server` facade.
- `main_admin.go`: flag wiring, config-to-`admin.Config` translation,
TLS and loopback enforcement, errgroup lifecycle registration.
- Full unit tests and two in-process integration tests (plaintext
listener + self-signed TLS).

### What is NOT in scope (deferred to follow-up PRs)
- `AdminForward` internal gRPC RPC and follower→leader forwarding
(Section 3.3.2 acceptance criteria 1–6).
- Adapter internal entrypoints taking `AuthPrincipal` (DynamoDB
`CreateTable`/`DeleteTable`, S3
`CreateBucket`/`DeleteBucket`/`PutBucketAcl`).
- Any write endpoint on the admin surface.
- React SPA + `go:embed` (design P3).

This keeps the first PR focused and reviewable; the DoD remains
respected because no write endpoint ships without the acceptance
criteria being green.

### Security posture
- Admin is **off by default** (`-adminEnabled=false`), default bind is
loopback.
- Non-loopback bind without TLS is a **hard startup failure** unless the
explicit opt-out flag is set.
- Session cookie: `HttpOnly` + `Secure` + `SameSite=Strict` +
`Path=/admin` + `Max-Age=3600`.
- CSRF: double-submit cookie; `localStorage` is never used.
- Role overlap between `read_only_access_keys` and `full_access_keys` is
a hard startup failure (no silent last-writer-wins).
- JWT signing key is cluster-shared and rotatable (primary + previous);
missing key with admin enabled is a hard startup failure.
- Login is rate-limited to 5 req/min per IP, constant-time secret
comparison.
- POST/PUT bodies are capped at 64 KiB via `http.MaxBytesReader`.
- Every state-changing admin request is logged with `admin_audit` slog
attributes.

## Test plan

- [x] `go test -race ./internal/admin/... .` — green
- [x] `golangci-lint run ./... --timeout=5m` — 0 issues
- [x] In-process boot of admin listener over plaintext; `/admin/healthz`
returns `ok`
- [x] In-process boot with self-signed TLS; `/admin/healthz` over HTTPS
returns `ok`
- [x] Invalid config (non-loopback without TLS, missing signing key,
duplicate role assignment, wrong-length base64 key) rejected at startup
with a descriptive error
- [x] Login happy path issues both cookies with the hardened attributes
verified via regex
- [x] Rate-limiter test: 6th login attempt from the same IP returns
`429` + `Retry-After: 60`; different IPs are independent
- [x] JWT verifier accepts tokens signed by the previous key during
rotation and rejects them after rotation completes
- [ ] Follow-up PR: AdminForward + write endpoints + acceptance-criteria
test matrix

## Related
- Design doc: #611 (merged)
- Follow-up tracks AdminForward + write endpoints + SPA.


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Optional admin HTTP API server with secure session tokens, CSRF
protection, and audit logging
* /admin/api/v1/auth/login and /admin/api/v1/auth/logout with hardened
cookies and rate limiting
* /admin/api/v1/cluster for cluster/status queries, /admin/healthz and
static asset/SPA serving
* Role-based access (read-only vs full) and support for signing-key
rotation

* **Tests**
* Extensive end-to-end and unit tests covering auth, CSRF, rate
limiting, routing, config validation, and JWT handling
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: bootjp

internal/admin/auth_audit_test.go

@@ -0,0 +1,115 @@
+package admin
+
+import (
+	"bytes"
+	"context"
+	"log/slog"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+func newAuthServiceWithAudit(t *testing.T) (*AuthService, *bytes.Buffer) {
+	t.Helper()
+	clk := fixedClock(time.Unix(1_700_000_000, 0).UTC())
+	signer := newSignerForTest(t, 1, clk)
+
+	creds := MapCredentialStore{
+		"AKIA_ADMIN": "ADMIN_SECRET",
+	}
+	roles := map[string]Role{
+		"AKIA_ADMIN": RoleFull,
+	}
+	buf := &bytes.Buffer{}
+	logger := slog.New(slog.NewJSONHandler(buf, &slog.HandlerOptions{Level: slog.LevelInfo}))
+	svc := NewAuthService(signer, creds, roles, AuthServiceOpts{
+		Clock:  clk,
+		Logger: logger,
+	})
+	return svc, buf
+}
+
+func TestAudit_LoginSuccessRecordsActor(t *testing.T) {
+	svc, buf := newAuthServiceWithAudit(t)
+	req := postJSON(t, loginRequest{AccessKey: "AKIA_ADMIN", SecretKey: "ADMIN_SECRET"})
+	rec := httptest.NewRecorder()
+	svc.HandleLogin(rec, req)
+
+	require.Equal(t, http.StatusOK, rec.Code)
+	out := buf.String()
+	require.Contains(t, out, `"msg":"admin_audit"`)
+	require.Contains(t, out, `"action":"login"`)
+	require.Contains(t, out, `"actor":"AKIA_ADMIN"`)
+	require.Contains(t, out, `"claimed_actor":"AKIA_ADMIN"`)
+	require.Contains(t, out, `"status":200`)
+}
+
+func TestAudit_LoginFailureRecordsClaimedActor(t *testing.T) {
+	svc, buf := newAuthServiceWithAudit(t)
+	req := postJSON(t, loginRequest{AccessKey: "AKIA_ADMIN", SecretKey: "WRONG"})
+	rec := httptest.NewRecorder()
+	svc.HandleLogin(rec, req)
+
+	require.Equal(t, http.StatusUnauthorized, rec.Code)
+	out := buf.String()
+	require.Contains(t, out, `"action":"login"`)
+	// We did NOT authenticate, so actor is empty.
+	require.Contains(t, out, `"actor":""`)
+	// But the claimed actor is still logged so operators can track
+	// which access key was targeted by brute-force attempts.
+	require.Contains(t, out, `"claimed_actor":"AKIA_ADMIN"`)
+	require.Contains(t, out, `"status":401`)
+}
+
+func TestAudit_LogoutReadsActorFromContext(t *testing.T) {
+	svc, buf := newAuthServiceWithAudit(t)
+
+	// HandleLogout reads the principal from the request context (the
+	// production wiring puts SessionAuth in front of it). Mirror that
+	// here by injecting a principal directly so we can exercise the
+	// audit branch without standing up the full router.
+	req := httptest.NewRequest(http.MethodPost, "/admin/api/v1/auth/logout", nil)
+	req.RemoteAddr = "127.0.0.1:1"
+	ctx := context.WithValue(req.Context(), ctxKeyPrincipal,
+		AuthPrincipal{AccessKey: "AKIA_ADMIN", Role: RoleFull})
+	req = req.WithContext(ctx)
+
+	rec := httptest.NewRecorder()
+	svc.HandleLogout(rec, req)
+
+	require.Equal(t, http.StatusNoContent, rec.Code)
+	out := buf.String()
+	require.Contains(t, out, `"action":"logout"`)
+	require.Contains(t, out, `"actor":"AKIA_ADMIN"`)
+}
+
+func TestAudit_LogoutWithoutCookieEmptyActor(t *testing.T) {
+	svc, buf := newAuthServiceWithAudit(t)
+	req := httptest.NewRequest(http.MethodPost, "/admin/api/v1/auth/logout", nil)
+	req.RemoteAddr = "127.0.0.1:1"
+	rec := httptest.NewRecorder()
+	svc.HandleLogout(rec, req)
+
+	require.Equal(t, http.StatusNoContent, rec.Code)
+	out := buf.String()
+	require.Contains(t, out, `"action":"logout"`)
+	require.Contains(t, out, `"actor":""`)
+}
+
+func TestAudit_LoginLengthTimingHashed(t *testing.T) {
+	// Same-length secret mismatch and different-length secret mismatch
+	// must both reach the failure path without short-circuiting on
+	// length. We cannot time them precisely in a unit test, but we can
+	// at least verify both paths emit the same failure response.
+	svc, _ := newAuthServiceWithAudit(t)
+	for _, secret := range []string{"x", "much-longer-wrong-secret-value-here"} {
+		req := postJSON(t, loginRequest{AccessKey: "AKIA_ADMIN", SecretKey: secret})
+		rec := httptest.NewRecorder()
+		svc.HandleLogin(rec, req)
+		require.Equal(t, http.StatusUnauthorized, rec.Code)
+		require.Contains(t, rec.Body.String(), "invalid_credentials")
+	}
+}