admin: AdminForward integration for S3 admin ops (P2 slice 2b)

[bootjp]

P2 slice 2b: a follower-side S3 admin write (POST /buckets, PUT /buckets/{name}/acl, DELETE /buckets/{name}) now hands off to the leader transparently, completing the same end-to-end forwarding contract Dynamo writes received in #644 + #648.

Stacked on #669 (P2 slice 2a). Once #669 merges, this rebases cleanly onto main.

Summary

• Proto — three new ADMIN_OP enum values (CREATE_BUCKET / DELETE_BUCKET / PUT_BUCKET_ACL) appended after the Dynamo block so existing wire integers stay stable. Regenerated with the pinned protoc 29.3 / protoc-gen-go 1.36.11 / protoc-gen-go-grpc 1.6.1.
• Leader-side — ForwardServer.WithBucketsSource lets deployments wire the S3 dispatcher optionally; Dynamo-only builds keep it nil and the new operations return 501. Three new dispatch arms mirror the leader-direct HTTP path's payload contract (NUL-byte rejection, 64 KiB limit, DisallowUnknownFields, trailing-token rejection, slash-in-name rejection). forwardBucketsErrorResponse mirrors forwardErrorResponse: ErrBucketsForbidden / NotLeader / NotFound / AlreadyExists / NotEmpty + *ValidationError each map to the same HTTP status writeBucketsError produces, so forwarded and leader-direct responses are byte-identical from the SPA's view.
• Follower-side — LeaderForwarder interface gains ForwardCreateBucket / ForwardDeleteBucket / ForwardPutBucketAcl. ForwardPutBucketAcl carries both the bucket name (URL path) and the new ACL (request body) in one JSON payload — same approach ForwardDeleteTable takes for the table name.
• Handler integration — S3Handler.WithLeaderForwarder + tryForwardCreateBucket / tryForwardPutBucketAcl / tryForwardDeleteBucket gated on ErrBucketsNotLeader && forwarder != nil. writeForwardResult / writeForwardFailure mirror the Dynamo handler's pattern (nosniff + Cache-Control:no-store + Retry-After:1 on 503).
• Wiring — runtimeServerRunner.start() now creates *adapter.S3Server before startRaftServers so the leader-side ForwardServer registration sees both adapters. adminForwardServerDeps.buckets is wired through registerAdminForwardServer. ServerDeps.Forwarder now plumbs into S3Handler too.

What is NOT in this PR

• Rolling-upgrade compatibility flag (criterion 5) — still deferred behind a cluster-version bump.

Test plan

• go build ./...
• go vet ./...
• golangci-lint run (admin + main + adapter + proto: 0 issues)
• go test ./internal/admin/ -count=1 -race — full admin suite passes (19 new tests across forward_server / forward_client / s3_handler integration)
• go test . -count=1 -race — main package passes
• Targeted adapter tests pass
• Full ./adapter/ times out due to a pre-existing flake (verified earlier on PRs admin: AdminForward Phase 3 — register gRPC server + wire follower-side bridge #648 / admin: read-only S3 bucket endpoints (P2 slice 1) #658 / admin: S3 bucket write endpoints (P2 slice 2a) #669 — unrelated to this branch)
• End-to-end smoke against a 3-node cluster — manual exercise after admin: S3 bucket write endpoints (P2 slice 2a) #669 + this land

Acceptance criteria coverage (Section 3.3.2 + 4.1)

#	Criterion	Status
1	Leader direct write	✓ for S3 (#669 / slice 2a)
2	Follower forwards transparently	✅ for S3 (this PR)
3	Election-period 503 + retry	✅ for S3 (this PR — same fallback as Dynamo)
4	Leader demotes stale full role	✅ for S3 (existing validatePrincipal runs before bucket dispatch)
5	Rolling-upgrade compat flag	⏳ deferred (cluster-version bump)
6	forwarded_from in audit log	✅ for S3 (this PR — leader-side audit log carries it)

Self-review (5 lenses)

1. Data loss: No FSM / Raft / Pebble path changes. The leader-side dispatcher reuses the same BucketsSource interface that the leader-direct HTTP path uses; the only new code path is the JSON envelope + principal re-validation.
2. Concurrency: New methods on gRPCForwardClient reuse the existing forward() helper, so connection-cache reuse and ErrLeaderUnavailable signalling behave identically across resource types. The runtimeServerRunner.start() reorder is safe — each adapter listens on its own address and the raft TCP listeners are independent.
3. Performance: One additional gRPC round-trip on follower-side admin writes; identical to Dynamo's path.
4. Data consistency: Leader-side dispatcher applies the same strict body decode the leader-direct HTTP path does (NUL-byte rejection, trailing-token rejection, slash-in-name rejection). forwardBucketsErrorResponse produces byte-identical envelopes to writeBucketsError so forwarded and leader-direct responses are indistinguishable.
5. Test coverage: 19 new tests — 9 forward-server (happy paths, 501 no-source, bad-JSON, already-exists, not-empty, slash-in-name, missing-acl, payload-too-large sweep), 4 forward-client (3 happy-path payload shapes + ErrLeaderUnavailable for all three), 6 handler-integration (forwarded create/delete/put-acl happy + leader-unavailable + transport-error + 3-axis non-NotLeader gate sweep).

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 55c6909f-52ca-421c-a18b-656a628f3029

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/admin-s3-forward

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[bootjp]

@claude review

[claude]

Claude finished @bootjp's task in 4m 3s —— View job

---

PR Review: admin: AdminForward integration for S3 admin ops (P2 slice 2b)

Todo

• Read changed files and gather context
• Review proto changes
• Review forward_server.go changes
• Review forward_client.go changes
• Review s3_handler.go changes
• Review wiring (main.go, main_admin_forward.go, server.go)
• Review test coverage
• Post final review summary

---

Summary

The PR correctly implements follower→leader forwarding for the three S3 admin write operations, faithfully mirrors the Dynamo forwarding contract, and includes a solid test suite (19 new tests). The wiring change in main.go is correct and well-justified. A few issues worth addressing before landing:

---

Issues Found

1. logUnexpectedSourceError logs bucket name under the "table" slog key — misleading for operators

File: internal/admin/forward_server.go:511

func (s *ForwardServer) logUnexpectedSourceError(ctx context.Context, op, table, forwardedFrom string, err error) {
    // ...
    s.logger.LogAttrs(ctx, slog.LevelError, "admin_forward_"+op+"_failed",
        slog.String("table", table),  // ← "table" key, bucket name value

When called for bucket operations (create_bucket, delete_bucket, put_bucket_acl), the slog field key is "table" but the value is a bucket name. Any log query on table= would find spurious bucket-operation entries, and queries for bucket= would miss the error logs entirely. A simple fix: rename the parameter to resource and use that as the log key.

Fix this →

2. handleCreateBucket skips the whitespace-padding validation that validateCreateBucketRequest performs

File: internal/admin/forward_server.go:264

The HTTP handleCreate path calls validateCreateBucketRequest(body) which includes two checks:

1. strings.TrimSpace(in.BucketName) == "" — catches empty/whitespace-only names
2. in.BucketName != strings.TrimSpace(in.BucketName) — rejects "bucket " or " bucket"

The forward handler only performs check (1). A bucket name like "bucket " would be accepted by the forward server, then rejected by the adapter's validateS3BucketName (spaces aren't in isValidS3BucketRune), but the error message would be the generic "bucket name contains unsupported characters" instead of the clearer "bucket_name must not have leading or trailing whitespace". This is a validation parity gap between the forwarded and leader-direct paths.

Fix: call validateCreateBucketRequest(body) after decoding in handleCreateBucket, exactly as handleCreate delegates to decodeCreateTableRequest for the full validation.

Fix this →

3. TestForwardServer_CreateBucket_NoBucketsSourceReturns501 does not cover DELETE and PUT_ACL

File: internal/admin/forward_server_test.go:477

The nil-source 501 path exists in all three bucket handlers, but only CREATE_BUCKET is tested. DELETE_BUCKET and PUT_BUCKET_ACL have identical if s.buckets == nil guards that are untested. A table-driven test covering all three operations (like TestForwardServer_BucketOps_PayloadTooLargeReturns413 already does for payload size) would lock these down.

Fix this →

---

Observations (non-blocking)

Proto version change (v7.34.0 → v5.29.3): This is a correction. protoc v5.29.3 is the same as libprotoc 29.3 specified in CLAUDE.md. The base branch had wrong generated files; this PR fixes them to the pinned toolchain. ✓

RetryAfterSeconds dropped in ForwardResult conversion (forward_client.go:214-218): resp.GetRetryAfterSeconds() is not carried into ForwardResult; the follower infers Retry-After: 1 solely from status code 503. Since the leader only ever sets RetryAfterSeconds = 1 today, this works correctly — but if the value diverges, the follower silently ignores it. This is a pre-existing pattern from the Dynamo handler (not introduced here), but worth a follow-up issue.

writeForwardResult / writeForwardFailure duplication (s3_handler.go:544-580, dynamo_handler.go:470-514): The two methods are near-identical. Extracting to package-level helpers would reduce the drift surface as the forwarding contract evolves. Low priority; the current mirroring is explicit and documented.

Startup order change in main.go: Correct and well-explained. Moving startS3Server before startRaftServers is required for the adminForwardServerDeps.buckets field to be non-nil when registerAdminForwardServer runs. ✓

---

Test coverage assessment

The 19 new tests cover the happy paths and the major error arms well. The TestForwardServer_BucketOps_PayloadTooLargeReturns413 table-driven sweep across all three operations is particularly good. The gaps noted above (issue #3, plus no forwarded-path test for ErrBucketsNotLeader racing mid-leader-dispatch) are the only missing cases.

---

[gemini-code-assist]

Code Review

This pull request introduces S3 bucket administrative operation forwarding, enabling follower nodes to delegate bucket creation, deletion, and ACL modifications to the leader via gRPC. The implementation includes updates to the gRPC client and server, Protobuf definitions, and the S3 HTTP handler. Feedback was provided to align the validation and decoding logic in the handleCreateBucket handler with the existing HTTP path to ensure consistency.

[gemini-code-assist]

The validation and decoding logic in handleCreateBucket diverges from the leader-direct HTTP path (handleCreate in s3_handler.go). Reusing the existing validation helper ensures consistency. Additionally, ensure the request body size is limited using http.MaxBytesReader to prevent Denial of Service attacks from oversized payloads, as required by repository security rules.

Suggested change

	if bytes.IndexByte(payload, 0) >= 0 {
	return rejectForward(http.StatusBadRequest, "invalid_body",
	"create-bucket payload contains a NUL byte")
	}
	dec := json.NewDecoder(bytes.NewReader(payload))
	dec.DisallowUnknownFields()
	var body CreateBucketRequest
	if err := dec.Decode(&body); err != nil {
	return rejectForward(http.StatusBadRequest, "invalid_body",
	"create-bucket payload is not valid JSON")
	}
	if dec.More() {
	return rejectForward(http.StatusBadRequest, "invalid_body",
	"create-bucket payload has trailing data")
	}
	if strings.TrimSpace(body.BucketName) == "" {
	return rejectForward(http.StatusBadRequest, "invalid_body",
	"bucket_name is required")
	}
	if bytes.IndexByte(payload, 0) >= 0 {
	return rejectForward(http.StatusBadRequest, "invalid_body", "request body contains a NUL byte")
	}
	dec := json.NewDecoder(bytes.NewReader(payload))
	dec.DisallowUnknownFields()
	var body CreateBucketRequest
	if err := dec.Decode(&body); err != nil {
	return rejectForward(http.StatusBadRequest, "invalid_body", "request body is not valid JSON")
	}
	if dec.More() {
	return rejectForward(http.StatusBadRequest, "invalid_body", "request body has trailing data after the first JSON value")
	}
	if err := validateCreateBucketRequest(body); err != nil {
	return rejectForward(http.StatusBadRequest, "invalid_body", err.Error())
	}

References

1. When handling HTTP requests, always limit the size of the request body (e.g., using http.MaxBytesReader) to prevent Denial of Service attacks from oversized payloads.

[bootjp]

@claude review

e5ef0a9 (rebased onto the updated #669 branch) addresses all three findings:

1. Issue 1: logUnexpectedSourceError parameter + slog key renamed from table → resource so log queries work uniformly across Dynamo + S3.
2. Gemini security-high + Claude Issue 2: handleCreateBucket now calls validateCreateBucketRequest(body) for parity with the HTTP path. Whitespace-padded bucket names produce the same 400 leading or trailing whitespace message as a leader-direct call. New TestForwardServer_CreateBucket_RejectsWhitespacePaddedName pins the fix.
3. Issue 3: replaced the single-op TestForwardServer_CreateBucket_NoBucketsSourceReturns501 with a table-driven TestForwardServer_BucketOps_NoBucketsSourceReturns501 sweeping CREATE / DELETE / PUT_ACL.

Build / vet / lint / admin tests all clean.

[claude]

Claude finished @bootjp's task in 1m 52s —— View job

---

Follow-up Review: Verifying fixes from e5ef0a9

Todo

• Read current state of changed files
• Verify Issue 1: logUnexpectedSourceError table → resource rename
• Verify Issue 2: handleCreateBucket validation parity + TestForwardServer_CreateBucket_RejectsWhitespacePaddedName
• Verify Issue 3: Table-driven TestForwardServer_BucketOps_NoBucketsSourceReturns501
• Inspect code for any remaining concerns

---

All three findings from the previous review are correctly addressed in e5ef0a9.

Issue 1 — slog key table → resource ✅

logUnexpectedSourceError (line 518) now takes a resource parameter and emits slog.String("resource", resource). The comment at lines 514–517 explains the rationale for future readers. Both Dynamo and S3 call-sites pass the right value.

Issue 2 — validateCreateBucketRequest parity + new test ✅

handleCreateBucket (line 271) calls validateCreateBucketRequest(body) immediately after the trailing-token check, so whitespace-padded names get the same "bucket_name must not have leading or trailing whitespace" 400 that the leader-direct path returns. TestForwardServer_CreateBucket_RejectsWhitespacePaddedName (line 520) pins this with a Contains("leading or trailing whitespace") assertion. The parity is tight — the test exercises exactly the second branch of validateCreateBucketRequest.

Note: handleDeleteBucket and handlePutBucketAcl don't apply the same whitespace check on the bucket name, but that's intentional and correct — for those two operations the name is extracted from the URL path parameter on the follower side, which the HTTP router already percent-decodes/normalises; whitespace padding in a path segment isn't a realistic source of ambiguity there.

Issue 3 — table-driven 501 sweep ✅

TestForwardServer_BucketOps_NoBucketsSourceReturns501 (line 477) is now a three-case table covering CREATE_BUCKET, DELETE_BUCKET, and PUT_BUCKET_ACL. Each case asserts StatusNotImplemented + payload contains "not_implemented". The comment at lines 483–484 calls out the original single-op gap.

---

Additional pass on the diff

Nothing new to flag. A few minor observations (all non-blocking, no action needed):

• handleDeleteBucket and handlePutBucketAcl both call logUnexpectedSourceError with the corrected resource parameter (lines 329, 388). ✓
• The validateCreateBucketRequest helper is package-internal (func validateCreateBucketRequest) so the forward_server can call it directly without any cross-package coupling. ✓
• The comment on logUnexpectedSourceError (lines 504–517) now describes both Dynamo and S3 usage and explicitly records the "table" → "resource" rationale — this is a good pattern for a shared helper that serves multiple resource families.

LGTM. The PR correctly closes all three review findings and the code is in good shape to land.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 70213e047c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Register AdminForward for S3-only deployments

This S3 wiring block is unreachable whenever Dynamo is disabled because readyForRegistration() still requires tables != nil; in a cluster started with --dynamoAddr empty but S3 enabled, leaders never register AdminForward, so follower-side S3 writes now attempt forwarding and consistently fail with gRPC Unimplemented (surfacing as 503) instead of transparently reaching the leader. Allow registration when roles exist and at least one source (tables or buckets) is present, and keep unsupported ops returning 501.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Enforce create-bucket validation parity on forwarded calls

The forwarded create-bucket handler only checks TrimSpace(bucket_name) == "" and skips validateCreateBucketRequest, so requests with leading/trailing whitespace can take a different path than leader-direct HTTP (which rejects them as invalid_body before hitting the source). This breaks the stated follower/leader response parity and can become a functional divergence if a BucketsSource implementation is less strict than the current adapter.

Useful? React with 👍 / 👎.

[bootjp]

Rebased onto updated feat/admin-s3-writes (which now has #669 review fixes + a main rebase to absorb #661 keyviz). No code change in this push, just absorbing the new base.

[bootjp]

@claude review

Addressed the Codex P1 finding on main_admin_forward.go:96:

• readyForRegistration now allows S3-only deployments. Previously gated on tables != nil, so a cluster started with --dynamoAddr empty but S3 enabled never registered the AdminForward gRPC service at all — follower S3 writes hit Unimplemented / 503. Predicate is now roles != nil && (tables != nil || buckets != nil). Symmetric three-line assertion added in TestAdminForwardServerDeps_ReadyForRegistration (S3-only registers, missing roles still rejected, both-sources still registers).
• Dispatch handles either source being nil. Pulled the source-availability check into checkOpAvailability and added TestForwardServer_DynamoOps_NoTablesSourceReturns501 — the symmetric counterpart of the existing bucket version. With nil source, CREATE_TABLE / DELETE_TABLE now return 501 cleanly instead of panicking on the source deref.
• Refactored to keep lint quiet. decodeNamedPayload factors the {name} JSON shape shared by handleDelete + handleDeleteBucket (NUL guard, DisallowUnknownFields, dec.More(), name validation). auditDeleteSuccess factors the audit-log emission. notImplementedForwardResponse factors the 501 construction.

The gemini security-high finding on forward_server.go:273 (handleCreateBucket validation parity) — current code already calls validateCreateBucketRequest after the NUL / DisallowUnknownFields / dec.More() guards (added in cafac05). The suggestion's code matches what's there.

Latest commit: f3e9278.

go test -race ./internal/admin/ . — passes.
golangci-lint run — 0 issues.

[claude]

Claude finished @bootjp's task in 2m 12s —— View job

---

Follow-up Review: Verifying Codex P1 fix (f3e9278)

Todo

• Read changed files and gather context
• Verify readyForRegistration S3-only predicate fix
• Verify checkOpAvailability nil-source panic guard + TestForwardServer_DynamoOps_NoTablesSourceReturns501
• Verify refactors: decodeNamedPayload, auditDeleteSuccess, notImplementedForwardResponse
• Inspect for any new concerns introduced by the refactor
• Post final review summary

---

All three changes from the trigger comment are correctly implemented. Details:

Codex P1 — readyForRegistration S3-only predicate ✅

main_admin_forward.go:755: predicate changed from d.tables != nil && d.roles != nil to d.roles != nil && (d.tables != nil || d.buckets != nil). The new dummyBucketsSource stub in main_admin_forward_test.go is minimal and correct — it panics on every method so the gate test cannot accidentally let real dispatch slip through. TestAdminForwardServerDeps_ReadyForRegistration now covers all six meaningful combinations: empty bundle, tables-only-no-roles, buckets-only-no-roles, roles-only (no sources), Dynamo-only, S3-only, and full bundle. Message strings on each require call make failures self-describing. ✓

nil-source panic guard via checkOpAvailability ✅

forward_server.go:94–113: the availability check is centralised — Dynamo ops gate on s.source != nil, bucket ops gate on s.buckets != nil, ADMIN_OP_UNSPECIFIED falls through to ok=true so the existing 400 branch in dispatchForward stays canonical. The no-default case in checkOpAvailability is intentional and safe: a future op that is added to the enum but not yet to this switch will pass the gate, hit dispatchForward's default branch, and return a 400 "unknown admin operation" — the fail-safe direction.

NewForwardServer(nil, roles, nil).WithBucketsSource(...) is now the S3-only construction pattern (explicit in TestForwardServer_DynamoOps_NoTablesSourceReturns501). This works correctly because checkOpAvailability gates the Dynamo ops before any dereference of s.source. Minor doc gap: the NewForwardServer comment says deployments without S3 pass nil via WithBucketsSource but doesn't say the inverse (pass nil source for S3-only builds). Non-blocking — the tests are the living documentation.

TestForwardServer_DynamoOps_NoTablesSourceReturns501 sweeps both CREATE_TABLE and DELETE_TABLE with source=nil and asserts 501 + "not_implemented". Symmetric with the existing bucket 501 sweep. ✓

Refactors ✅

• decodeNamedPayload: correctly extracted from handleDelete; used by both handleDelete (opLabel="delete") and handleDeleteBucket (opLabel="delete-bucket"). All four guards — 64 KiB cap, NUL byte, DisallowUnknownFields+trailing-token, empty+slash name — are present. The return signature (string, *pb.AdminForwardResponse, error) is unusual but the comment explains why, and callers guard with rejection != nil || err != nil which is the defensive right thing.
• auditDeleteSuccess: the resourceField parameter ("table" vs "bucket") is passed as the slog key name, which matches the audit schema.
• notImplementedForwardResponse: the surface argument ("DynamoDB" vs "S3") ends up in the user-visible message, which is correct.

handlePutBucketAcl inline decode (not using decodeNamedPayload) is correct — it needs both name and acl fields, so the helper that only decodes {"name": "..."} can't be reused directly. The inline code applies the same guard sequence (size, NUL, DisallowUnknownFields, trailing, empty name, slash-in-name) so there's no parity gap.

---

LGTM. The Codex P1 finding is fully addressed; the refactors are clean and well-covered. No new concerns.