feat(admin): React + Vite SPA for the admin dashboard (P3)

[bootjp]

Summary

Phase P3 of docs/design/2026_04_24_proposed_admin_dashboard.md. The Go side (auth / JWT / cluster handler / dynamo handler / follower→leader forwarding / embed.go skeleton) shipped in earlier PRs (#644 et al.) but StaticFS was wired as nil, so /admin/* answered 404 for any non-API path. This PR ships the React bundle and flips StaticFS on.

• React 18 + TypeScript + Vite, Tailwind CSS for tokens (Section 5.1). No UI framework dependency — bundle stays at ~60 KB gzip vs the doc's 150 KB ceiling (Section 7.2).
• vite.config.ts writes its build output straight into internal/admin/dist/ so npm run build && go build produces a single-binary release.
• Five pages per Section 5.2: Login, Dashboard, DynamoDB list/detail (with Create + Delete dialogs), S3 list/detail (placeholder — endpoints not yet wired, the SPA renders a soft "endpoint pending" notice on the 404).
• Cookie-based session (Section 6): admin_session (HttpOnly) handled by the browser; admin_csrf value echoed in X-Admin-CSRF for every POST/PUT/DELETE per the double-submit pattern. Read-only sessions hide write affordances; backend re-evaluates the role.
• .gitignore keeps the placeholder internal/admin/dist/index.html committed (so //go:embed all:dist always has a match in a fresh clone) and excludes the hashed Vite asset outputs and npm/vite caches — committed bundles drift from source.

Test plan

• cd web/admin && npm install && npm run build — 192 KB JS / 60 KB gzip + 14 KB CSS
• cd web/admin && npm run lint — tsc --strict --noUnusedLocals --noUncheckedSideEffectImports
• go build ./... — clean (placeholder + built bundle both compile)
• go test -race -count=1 ./internal/admin/...
• golangci-lint run ./internal/admin/...
• Manual smoke: start admin listener with --adminEnabled --adminAllowInsecureDevCookie --adminListen 127.0.0.1:8080, visit http://127.0.0.1:8080/admin/, log in with a SigV4 access key, confirm dashboard / dynamo list / dynamo detail / dynamo create / dynamo delete + see graceful "endpoint pending" on the S3 pages.

Notes

• Self-review (5 lenses) — these changes only ship UI + 1 line of Go wiring (StaticFS activation). No replication, MVCC, OCC, or HLC code paths touched. Lenses 1 (data loss) / 2 (concurrency) / 4 (consistency) → no impact. Lens 3 (perf) → +1 cold read of embed.FS per startup, ~1 MB binary growth (under the doc's 1–2 MB target). Lens 5 (test coverage) → SPA-side Vitest is documented as a P4 follow-up in the design doc; this PR does not regress any existing Go test.
• The S3 admin endpoints, follower→leader forwarding for write paths, and the design-doc lifecycle rename (proposed_ → partial_) are out of scope here and are tracked elsewhere.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

[coderabbitai]

Warning

Rate limit exceeded

@bootjp has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 17 minutes and 23 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 17 minutes and 23 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ab981fdf-d75e-4974-80f8-3208e9b4dbfc

📥 Commits

Reviewing files that changed from the base of the PR and between 76cb788 and e3b9555.

⛔ Files ignored due to path filters (2)

• internal/admin/dist/index.html is excluded by !**/dist/**
• web/admin/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (29)

• .gitignore
• internal/admin/embed.go
• main_admin.go
• web/admin/.gitignore
• web/admin/index.html
• web/admin/package.json
• web/admin/postcss.config.js
• web/admin/src/App.tsx
• web/admin/src/api/client.ts
• web/admin/src/auth.tsx
• web/admin/src/components/Layout.tsx
• web/admin/src/components/Modal.tsx
• web/admin/src/components/RequireAuth.tsx
• web/admin/src/lib/useApi.ts
• web/admin/src/main.tsx
• web/admin/src/pages/Dashboard.tsx
• web/admin/src/pages/DynamoDetail.tsx
• web/admin/src/pages/DynamoList.tsx
• web/admin/src/pages/Login.tsx
• web/admin/src/pages/NotFound.tsx
• web/admin/src/pages/S3Detail.tsx
• web/admin/src/pages/S3List.tsx
• web/admin/src/styles.css
• web/admin/src/vite-env.d.ts
• web/admin/tailwind.config.js
• web/admin/tsconfig.app.json
• web/admin/tsconfig.json
• web/admin/tsconfig.node.json
• web/admin/vite.config.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/admin-dashboard-spa

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[bootjp]

@claude review

[gemini-code-assist]

Code Review

This pull request introduces a new React-based administrative dashboard for the elastickv service, which is embedded into the Go binary for distribution. The dashboard provides interfaces for cluster monitoring, DynamoDB table management, and S3 bucket administration. The review feedback highlights several opportunities to improve network efficiency and code maintainability, specifically by ensuring that AbortSignal is consistently passed through the API client to support request cancellation. Additionally, the review recommends removing the redundant safe helper function in the dashboard, as its logic is already handled by the useApiQuery hook.

[gemini-code-assist]

The API methods in the api object should accept an optional AbortSignal and pass it to apiFetch. This allows hooks like useApiQuery to cancel pending network requests when a component unmounts or dependencies change, improving efficiency and preventing state updates on unmounted components.

[gemini-code-assist]

Pass the signal directly to the API calls instead of using the safe wrapper. This ensures that the network requests are actually aborted when the component unmounts.

[gemini-code-assist]

The safe helper function is redundant and its comment is misleading. It doesn't actually catch 404 errors (which are already handled gracefully by the SummaryCard component via the error state from useApiQuery). Furthermore, the manual signal check is unnecessary as useApiQuery already handles abort logic. This helper should be removed.

[gemini-code-assist]

Pass the signal to api.describeTable to allow request cancellation.

[gemini-code-assist]

Pass the signal to api.listTables to allow request cancellation.

[gemini-code-assist]

Pass the signal to api.describeBucket to allow request cancellation.

[gemini-code-assist]

Pass the signal to api.listBuckets to allow request cancellation.

[claude]

Claude finished @bootjp's task in 2m 44s —— View job

---

Code Review — feat(admin): React + Vite SPA for the admin dashboard (P3)

• Gather context and read changed files
• Review API client (web/admin/src/api/client.ts)
• Review auth and hooks (auth.tsx, useApi.ts)
• Review pages (Dashboard.tsx, DynamoList.tsx, DynamoDetail.tsx, S3List.tsx, S3Detail.tsx)
• Review Go embedding (internal/admin/embed.go, main_admin.go)
• Review security posture (CSRF, cookies, session)
• Compile findings and post review

---

Overall this is a well-structured SPA. The Go side is clean, the auth model is sound, and the useApiQuery hook has good lifecycle semantics. Two concrete bugs in the signal-propagation path and a few smaller notes below.

Bug — safe() in Dashboard.tsx is a no-op that silently drops AbortSignal

Dashboard.tsx lines 6–7:

const tables = useApiQuery((signal) => safe(() => api.listTables(), signal), []);
const buckets = useApiQuery((signal) => safe(() => api.listBuckets(), signal), []);

safe() receives signal but never passes it to fn() (line 130–133):

function safe<T>(fn: () => Promise<T>, signal?: AbortSignal): Promise<T> {
  if (signal?.aborted) return Promise.reject(new ApiError(0, "aborted", ""));
  return fn();  // signal is discarded here
}

The early-abort check is also redundant — useApiQuery already handles that via its cancelled flag. More importantly, the comment says safe prevents 404 from "cancelling the dashboard render", but that suppression is already handled by SummaryCard testing error?.status === 404 && pendingMessage. The function has no real effect.

Recommendation: Remove safe entirely. The two loaders become:

const tables = useApiQuery((signal) => api.listTables(undefined, signal), []);
const buckets = useApiQuery((signal) => api.listBuckets(undefined, signal), []);

…which also requires the fix below.

Fix this →

---

Bug — AbortSignal not wired for listTables, describeTable, listBuckets, describeBucket

client.ts lines 205–215: unlike cluster (which correctly accepts signal?: AbortSignal), the four read methods don't:

cluster: (signal?: AbortSignal) =>
  apiFetch<ClusterInfo>("/cluster", { signal }),          // ✓ correct

listTables: (next_token?: string) =>
  apiFetch<DynamoTableList>("/dynamo/tables", { … }),     // ✗ no signal

describeTable: (name: string) =>
  apiFetch<DynamoTable>(…),                               // ✗ no signal

listBuckets: (next_token?: string) =>
  apiFetch<S3BucketList>("/s3/buckets", { … }),           // ✗ no signal

describeBucket: (name: string) =>
  apiFetch<S3Bucket>(…),                                  // ✗ no signal

All four page-level hooks receive the signal from useApiQuery but silently discard it ((_signal) => api.xxx(…)). The cancelled flag in useApiQuery prevents stale state updates after unmount, but the requests still run to completion, wasting network bandwidth and server connections.

Recommendation: Mirror the cluster signature on all four methods:

listTables: (next_token?: string, signal?: AbortSignal) =>
  apiFetch<DynamoTableList>("/dynamo/tables", { query: { next_token }, signal }),
describeTable: (name: string, signal?: AbortSignal) =>
  apiFetch<DynamoTable>(`/dynamo/tables/${encodeURIComponent(name)}`, { signal }),
listBuckets: (next_token?: string, signal?: AbortSignal) =>
  apiFetch<S3BucketList>("/s3/buckets", { query: { next_token }, signal }),
describeBucket: (name: string, signal?: AbortSignal) =>
  apiFetch<S3Bucket>(`/s3/buckets/${encodeURIComponent(name)}`, { signal }),

Then update the four call sites in DynamoList.tsx:10, DynamoDetail.tsx:11, S3List.tsx:10, S3Detail.tsx:11 to pass signal through.

Fix this →

---

Minor — markUnauthorized in useApiQuery dep array could cause spurious re-fetches

useApi.ts line 58:

}, [...deps, tick, markUnauthorized]);

markUnauthorized is a useCallback from AuthProvider and is currently stable across renders. However, if AuthProvider ever remounts (e.g. React Fast Refresh during development, or a future wrapping change), its identity changes and every active useApiQuery on the page fires a fresh network request. The loader itself is already exempted from the dep array via loaderRef for exactly this reason. Consider the same treatment:

const markUnauthorizedRef = useRef(markUnauthorized);
markUnauthorizedRef.current = markUnauthorized;
// then inside the effect, call markUnauthorizedRef.current(...)
// and remove markUnauthorized from the deps array

---

Minor — Modal has no focus trap and is missing aria-modal

Modal.tsx uses Escape and backdrop-click but doesn't trap focus or declare aria-modal="true" / role="dialog". Screen-reader users can navigate to background content while the modal is open. For an internal operator tool this is low urgency, but calling it out so it's tracked.

---

Minor — Secret key not trimmed on login submit

Login.tsx line 28:

await login(accessKey.trim(), secretKey);  // secretKey not trimmed

accessKey is trimmed but secretKey is not. A developer who accidentally pastes a key with trailing whitespace will get a cryptic 401. SigV4 secret keys never contain whitespace, so .trim() on secretKey is safe and would improve UX.

---

Go side — looks clean

internal/admin/embed.go: the //go:embed all:dist is correct — the all: prefix is needed because Vite may emit dot-prefixed files (.vite/manifest.json). The graceful fallback comment (placeholder vs full bundle) is accurate. The fs.Sub error wrapping uses errors.Join which is idiomatic.

main_admin.go: the one-line StaticFS activation (staticFS wired into ServerDeps) is the minimal change it should be. The dynamoTablesBridge separation that keeps internal/admin free of adapter imports is excellent architectural hygiene. The isLeaderChurnError refactor to HasSuffix (instead of Contains) correctly handles the false-positive scenario documented in the comment.

.gitignore / web/admin/.gitignore: committing only the placeholder index.html and excluding the hashed Vite outputs is the right call. The convention prevents stale bundles drifting in git while ensuring a fresh clone can still go build.

---

Summary

The two AbortSignal bugs (the safe dead-code wrapper and the four methods missing signal) are the only functional issues; everything else is polish. The auth, CSRF, session-expiry, and Go wiring are all solid. Addressing the signal propagation would make this ready to merge.

[bootjp]

Pushed fb8085cf addressing the converging findings from the Claude review and Gemini Code Assist:

Bugs (fixed):

• api.listTables / describeTable / listBuckets / describeBucket now accept and pass through signal?: AbortSignal (mirroring api.cluster). All 4 page-level useApiQuery callsites updated to pass the signal.
• Removed the safe() wrapper in Dashboard.tsx — it was a no-op that received the signal and discarded it; the 404 "endpoint pending" handling it claimed is already done by SummaryCard checking error?.status === 404.

Drive-by polish (also from the reviews):

• useApiQuery no longer puts markUnauthorized in the effect deps; it's read via markUnauthorizedRef so an AuthProvider remount (Fast Refresh in dev) doesn't invalidate every active query. Mirrors the existing loaderRef pattern.
• Login.tsx now .trim()s secretKey in addition to accessKey (SigV4 secrets never contain whitespace).

Out of scope (low-priority follow-up):

• Modal a11y (focus trap, aria-modal, role="dialog") — flagged as polish for an internal operator tool; will land separately so this PR stays focused.

npm run build + npm run lint (strict TS) clean; go build ./... clean.

@claude review

[claude]

Claude finished @bootjp's task in 1m 26s —— View job

---

Code Review — follow-up on fb8085cf

• Gather context
• Verify AbortSignal wiring in client.ts + all 4 call sites
• Verify safe() removed in Dashboard.tsx
• Verify markUnauthorized dep removal in useApi.ts
• Verify secretKey.trim() in Login.tsx
• Check for any new issues introduced
• Post findings

---

All four issues from the previous review are cleanly resolved. Verified against the current branch state:

AbortSignal wiring (client.ts:205–216) — listTables, describeTable, listBuckets, describeBucket now all accept signal?: AbortSignal and forward it to apiFetch, matching the existing cluster signature. Mutations (createTable, deleteTable, etc.) correctly don't take a signal since they're user-initiated, not query-style calls.

All 4 call sites pass signal through correctly:

• DynamoList.tsx:10 — api.listTables(undefined, signal) ✓
• DynamoDetail.tsx:11 — api.describeTable(name, signal) ✓
• S3List.tsx:10 — api.listBuckets(undefined, signal) ✓
• S3Detail.tsx:11 — api.describeBucket(name, signal) ✓

safe() wrapper removed (Dashboard.tsx) — Gone entirely. The three useApiQuery calls on lines 6–8 all now pass signal directly. The 404 "endpoint pending" path is correctly handled by SummaryCard's pending check.

markUnauthorizedRef pattern (useApi.ts:31–32, 67) — The ref is assigned and kept current, markUnauthorized no longer appears in the useEffect dep array (line 67 reads [...deps, tick]). The comment on lines 27–30 explains the rationale clearly.

secretKey.trim() (Login.tsx:31) — Both sides now trimmed; the comment explains why it's safe for SigV4 secrets.

One small observation — not blocking, just noting for completeness: in useApi.ts the catch block checks both cancelled (line 47) and ctrl.signal.aborted (line 48). Since the cleanup always sets cancelled = true before calling ctrl.abort(), the ctrl.signal.aborted check is redundant. It's a harmless belt-and-suspenders pattern and the logic is sound either way.

Deferred item (Modal a11y: focus trap, aria-modal, role="dialog") is a reasonable call to leave for a follow-up PR — it has zero impact on functional correctness for this operator tool.

This is ready to merge. The signal propagation is now complete across all read paths, and the rest of the auth/CSRF/session wiring from the first review remains solid.

[bootjp]

Thanks for the thorough re-review on fb8085cf. With your "This is ready to merge" verdict, all four findings (AbortSignal plumbing across 4 read methods, safe() removal, markUnauthorized ref pattern, secretKey.trim()) verified resolved, and CI green on every shipped check, the loop has reached its exit condition. Stopping the periodic check now; please merge at your convenience.

The harmless redundancy you noted in useApi.ts (cancelled + ctrl.signal.aborted belt-and-suspenders) and the deferred Modal a11y item (focus trap / aria-modal / role=dialog) remain as low-priority follow-ups.

[bootjp]

@claude review

Rebased onto main (e3b9555). The conflict was in main_admin.go's admin.NewServer(admin.ServerDeps{...}) block — main now has Forwarder: forwarder from #648, and this branch had StaticFS: staticFS. Resolved by keeping both. Build / vet / lint / admin + main tests all pass.

[claude]

Claude finished @bootjp's task in 1m 45s —— View job

---

Code Review — post-rebase check (onto main @ 76cb788)

• Gather context on rebase
• Read main_admin.go to verify conflict resolution
• Diff origin/main...HEAD for unexpected changes
• Verify previously-fixed items are intact
• Post findings

---

The rebase is clean. No regressions, no unexpected changes.

Conflict resolution in main_admin.go — verified correct. The resolution kept both fields that came from separate branches:

// lines 448–460 after rebase:
staticFS, err := admin.StaticFS()
if err != nil {
    return nil, errors.Wrap(err, "open embedded admin SPA")
}
server, err := admin.NewServer(admin.ServerDeps{
    ...
    Forwarder:   forwarder,   // ← from #648 on main
    StaticFS:    staticFS,    // ← from this branch (was nil)
    ...
})

origin/main had Forwarder: forwarder + StaticFS: nil; this branch introduced StaticFS: staticFS. The resolution correctly keeps both — the staticFS initialization block is inserted immediately before admin.NewServer, which is the right placement.

All round-2 fixes remain intact:

• client.ts — listTables, describeTable, listBuckets, describeBucket all accept signal?: AbortSignal and forward it to apiFetch ✓
• All 4 page call sites pass signal through (DynamoList.tsx:10, DynamoDetail.tsx:11, S3List.tsx:10, S3Detail.tsx:11) ✓
• Dashboard.tsx — safe() gone; useApiQuery calls pass signal directly ✓
• useApi.ts — markUnauthorizedRef pattern in place, markUnauthorized absent from deps array ✓
• Login.tsx — secretKey.trim() present ✓

embed.go — unchanged and correct. StaticFS() does fs.Sub(distFS, "dist") with proper error wrapping; the all:dist embed directive handles dot-prefixed Vite outputs.

This is ready to merge.