internal/admin: wire AdminPeekQueue + AdminPurgeQueue HTTP endpoints (Phase 4)

internal/admin/principal.go

@@ -15,6 +15,17 @@ func (r Role) AllowsWrite() bool {
 	return r == RoleFull
 }
 
+// AllowsRead reports whether the role may execute sensitive read
+// operations that surface payload content (e.g. SQS AdminPeekQueue,
+// which exposes message bodies and attributes). Both RoleReadOnly and
+// RoleFull satisfy the gate; the zero value (unauthenticated /
+// role-less principal) does not. List / Describe endpoints use the
+// looser session-auth gate because their output is metadata; peek
+// diverges because the payload is the stored message itself.
+func (r Role) AllowsRead() bool {
+	return r == RoleReadOnly || r == RoleFull
+}
+
 // AuthPrincipal is the authenticated caller derived from a session cookie or,
 // in the future, a follower→leader forwarded request. The admin handler and
 // adapter internal entrypoints pass it around instead of a raw HTTP request