bootjp · bootjp · Apr 25, 2026 · Apr 25, 2026 · Apr 25, 2026 · Apr 25, 2026
diff --git a/adapter/dynamodb_admin.go b/adapter/dynamodb_admin.go
diff --git a/adapter/dynamodb_admin_test.go b/adapter/dynamodb_admin_test.go
diff --git a/internal/admin/dynamo_handler.go b/internal/admin/dynamo_handler.go
diff --git a/internal/admin/dynamo_handler_test.go b/internal/admin/dynamo_handler_test.go
diff --git a/internal/admin/role_store.go b/internal/admin/role_store.go
@@ -0,0 +1,31 @@
+package admin
+
+// RoleStore is the live access-key → Role lookup the admin handlers
+// re-evaluate on every state-changing request. Embedding the role
+// in the JWT alone is insufficient: a token minted under role
+// `full` would otherwise keep mutating tables for the rest of its
+// 1-hour TTL even if an operator revoked or downgraded the access
+// key in the cluster's role configuration. Codex P1 on PR #635
+// flagged the gap; the leader-side ForwardServer already does this
+// re-evaluation, the HTTP path now does it too so leader-direct
+// writes match the forwarded path's authorisation contract.
+type RoleStore interface {
+	// LookupRole returns the role for an access key as understood
+	// by the local node's view of cluster configuration. The bool
+	// is false when the access key is not in the admin role index
+	// — a session whose key has been removed must not be able to
+	// perform any admin write, even if its JWT is still within
+	// its issued validity window.
+	LookupRole(accessKey string) (Role, bool)
+}
+
+// MapRoleStore is the trivial in-memory implementation, sufficient
+// for tests and for the production wiring (which already keeps the
+// role map in memory).
+type MapRoleStore map[string]Role
+
+// LookupRole implements RoleStore.
+func (m MapRoleStore) LookupRole(accessKey string) (Role, bool) {
+	r, ok := m[accessKey]
+	return r, ok
+}
diff --git a/internal/admin/router.go b/internal/admin/router.go
@@ -277,6 +277,11 @@ func writeJSONNotFound(w http.ResponseWriter, _ *http.Request) {
 
 func writeJSONError(w http.ResponseWriter, status int, code, msg string) {
 	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	// Defence-in-depth header: the admin surface is JSON-only, so
+	// declare nosniff to prevent a misbehaving browser from
+	// content-sniffing an error body into something executable.
+	// Cheap and standard for cookie-gated admin endpoints.
+	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.Header().Set("Cache-Control", "no-store")
 	w.WriteHeader(status)
 	_ = json.NewEncoder(w).Encode(errorResponse{Error: code, Message: msg})

diff --git a/internal/admin/server.go b/internal/admin/server.go
@@ -5,6 +5,7 @@ import (
 	"log/slog"
 	"net/http"
 	"reflect"
+	"strings"
 )
 
 // ServerDeps bundles the collaborators the admin HTTP surface needs. All
@@ -31,6 +32,13 @@ type ServerDeps struct {
 	// ClusterInfo describes the local node's Raft state.
 	ClusterInfo ClusterInfoSource
 
+	// Tables is the DynamoDB admin source — covers list, describe,
+	// create, and delete via TablesSource. Optional: a nil value
+	// disables /admin/api/v1/dynamo/tables{,/{name}} (the mux
+	// answers them with 404). This lets a build that ships only the
+	// cluster page deploy without standing up the dynamo bridge.
+	Tables TablesSource
+
 	// StaticFS is the embed.FS (or any fs.FS) backing the SPA. May be
 	// nil during early development; the router renders 404 for
 	// /admin/assets/* and the SPA fallback in that case.
@@ -92,7 +100,21 @@ func NewServer(deps ServerDeps) (*Server, error) {
 	}
 	auth := NewAuthService(deps.Signer, deps.Credentials, deps.Roles, authOpts)
 	cluster := NewClusterHandler(deps.ClusterInfo).WithLogger(logger)
-	mux := buildAPIMux(auth, deps.Verifier, cluster, logger)
+	var dynamo http.Handler
+	if deps.Tables != nil {
+		// Re-evaluate the principal's role on every state-
+		// changing request against the live role map (Codex P1
+		// on PR #635). MapRoleStore wraps the same map the auth
+		// layer uses for login, so a config reload that updates
+		// deps.Roles does NOT automatically propagate here —
+		// operators must restart the listener for revocation to
+		// take effect, but the JWT no longer extends a revoked
+		// key past the next request.
+		dynamo = NewDynamoHandler(deps.Tables).
+			WithLogger(logger).
+			WithRoleStore(MapRoleStore(deps.Roles))
+	}
+	mux := buildAPIMux(auth, deps.Verifier, cluster, dynamo, logger)
 	router := NewRouter(mux, deps.StaticFS)
 	return &Server{deps: deps, router: router, auth: auth, mux: mux}, nil
 }
@@ -119,15 +141,23 @@ func (s *Server) APIHandler() http.Handler {
 //
 // Layout:
 //
-//	POST   /admin/api/v1/auth/login     (no auth, rate-limited)
-//	POST   /admin/api/v1/auth/logout    (no auth required)
-//	GET    /admin/api/v1/cluster        (auth required)
+//	POST   /admin/api/v1/auth/login                 (no auth, rate-limited)
+//	POST   /admin/api/v1/auth/logout                (auth required)
+//	GET    /admin/api/v1/cluster                    (auth required)
+//	GET    /admin/api/v1/dynamo/tables              (auth required)
+//	POST   /admin/api/v1/dynamo/tables              (auth required, full role)
+//	GET    /admin/api/v1/dynamo/tables/{name}       (auth required)
+//	DELETE /admin/api/v1/dynamo/tables/{name}       (auth required, full role)
 //
 // Body limit applies uniformly. CSRF and Audit middleware apply to
 // write-capable protected endpoints; login and logout carry their own
 // audit path inside AuthService because the generic Audit middleware
 // cannot see the claimed actor at that point in the chain.
-func buildAPIMux(auth *AuthService, verifier *Verifier, clusterHandler http.Handler, logger *slog.Logger) http.Handler {
+//
+// dynamoHandler may be nil; in that case the dynamo paths fall through
+// to the unknown-endpoint 404, matching the behaviour of any other
+// unregistered admin path.
+func buildAPIMux(auth *AuthService, verifier *Verifier, clusterHandler, dynamoHandler http.Handler, logger *slog.Logger) http.Handler {
 	loginHandler := http.HandlerFunc(auth.HandleLogin)
 	logoutHandler := http.HandlerFunc(auth.HandleLogout)
 
@@ -177,15 +207,27 @@ func buildAPIMux(auth *AuthService, verifier *Verifier, clusterHandler http.Hand
 	loginChain := publicAuth(loginHandler)
 	logoutChain := protectNoAudit(logoutHandler)
 	clusterChain := protect(clusterHandler)
+	// Dynamo endpoints (reads and writes) share the protect chain
+	// so a missing session or CSRF token 401s/403s the same way
+	// regardless of method. The Audit middleware is a no-op for
+	// GET (it only logs state-changing methods) so dashboard polls
+	// don't flood the audit log, while POST/DELETE always do.
+	var dynamoChain http.Handler
+	if dynamoHandler != nil {
+		dynamoChain = protect(dynamoHandler)
+	}
 
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		switch r.URL.Path {
-		case "/admin/api/v1/auth/login":
+		switch {
+		case r.URL.Path == "/admin/api/v1/auth/login":
 			loginChain.ServeHTTP(w, r)
-		case "/admin/api/v1/auth/logout":
+		case r.URL.Path == "/admin/api/v1/auth/logout":
 			logoutChain.ServeHTTP(w, r)
-		case "/admin/api/v1/cluster":
+		case r.URL.Path == "/admin/api/v1/cluster":
 			clusterChain.ServeHTTP(w, r)
+		case dynamoChain != nil && (r.URL.Path == pathDynamoTables ||
+			strings.HasPrefix(r.URL.Path, pathPrefixDynamoTables)):
+			dynamoChain.ServeHTTP(w, r)
 		default:
 			writeJSONError(w, http.StatusNotFound, "unknown_endpoint",
 				"no admin API handler is registered for this path")