Update docs/design/2026_04_24_partial_admin_dashboard.md

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

Author: bootjp

docs/design/2026_04_24_partial_admin_dashboard.md

@@ -17,7 +17,7 @@
 Outstanding open items (kept here so future readers know what is still owed against the original proposal):
 
 - **AdminForward acceptance criterion 5** — rolling-upgrade compatibility flag (`admin.leader_forward_v2`). Deferred behind a cluster-version bump; not blocking dashboard usability today because every node forwards through the same `pb.AdminOperation` enum.
-- **AdminDeleteBucket TOCTOU** — coderabbitai 🔴 / 🟠 on PR #669 caught that AdminDeleteBucket scans `ObjectManifestPrefixForBucket` at readTS but the BucketMetaKey delete carries only that single point key in `ReadKeys`; a concurrent PutObject inserting a manifest key in the scanned prefix between readTS and commit will not conflict and the object is orphaned. Pre-existing race — `adapter/s3.go:deleteBucket` (the SigV4 path) inherits the same shape. Closing the gap requires either (a) bumping `BucketGenerationKey` on every PutObject so it can serve as an OCC token in this read set, or (b) extending `OperationGroup` with `ReadRanges` and teaching the FSM to validate range emptiness atomically with commit. Recorded as a code comment on `AdminDeleteBucket` and tracked here for the future fix; the operator-side workaround documented in `docs/admin_deployment.md` is to pause writes against the target bucket before issuing the admin delete.
+- AdminDeleteBucket TOCTOU — A race condition exists where AdminDeleteBucket scans ObjectManifestPrefixForBucket at readTS, but the transaction only includes the BucketMetaKey in its read set. A concurrent PutObject inserting a manifest key in the scanned prefix between readTS and commitTS will not trigger a conflict, leading to orphaned objects. This pre-existing race is also present in the SigV4 path (adapter/s3.go:deleteBucket). Potential fixes include (a) using a bucket-level version key as an OCC token (noting the significant performance trade-off for write-heavy buckets), or (b) extending OperationGroup with ReadRanges for atomic range validation at commit time. This is tracked for a future fix; while the current operator-side workaround is to pause writes, the design should investigate mitigation strategies like a temporary proxy or bridge mode to avoid service interruption during this state.
 - **S3 object browser** — explicitly called out as "next phase" in Section 2 Non-goals; no work item yet.
 - **Operator-visible TLS cert reload** — out of scope; restart-to-rotate is the documented model in `docs/admin.md`.