Phases 5, 6, 8: OCI pull/push paths and admin REST API

Phase 5 (OCI pull): internal/oci/ package with manifest GET/HEAD by
tag/digest, blob GET/HEAD with repo membership check, tag listing with
OCI pagination, catalog listing. Multi-segment repo names via
parseOCIPath() right-split routing. DB query layer in
internal/db/repository.go.

Phase 6 (OCI push): blob uploads (monolithic and chunked) with
uploadManager tracking in-progress BlobWriters, manifest push
implementing full ARCHITECTURE.md §5 flow in a single SQLite
transaction (create repo, upsert manifest, populate manifest_blobs,
atomic tag move). Digest verification on both blob commit and manifest
push-by-digest.

Phase 8 (admin REST): /v1 endpoints for auth (login/logout/health),
repository management (list/detail/delete), policy CRUD with engine
reload, audit log listing with filters, GC trigger/status stubs.
RequireAdmin middleware, platform-standard error format.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/server/admin_auth_test.go

@@ -0,0 +1,116 @@
+package server
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/go-chi/chi/v5"
+
+	"git.wntrmute.dev/kyle/mcr/internal/auth"
+)
+
+func TestAdminHealthHandler(t *testing.T) {
+	database := openAdminTestDB(t)
+	router, _ := buildAdminRouter(t, database)
+
+	// Health endpoint does not require auth.
+	rr := adminReq(t, router, "GET", "/v1/health", "")
+	if rr.Code != 200 {
+		t.Fatalf("status: got %d, want 200", rr.Code)
+	}
+
+	var resp map[string]string
+	if err := json.NewDecoder(rr.Body).Decode(&resp); err != nil {
+		t.Fatalf("decode: %v", err)
+	}
+	if resp["status"] != "ok" {
+		t.Fatalf("status field: got %q, want %q", resp["status"], "ok")
+	}
+}
+
+func TestAdminLoginSuccess(t *testing.T) {
+	database := openAdminTestDB(t)
+	router, _ := buildAdminRouter(t, database)
+
+	body := `{"username":"admin","password":"secret"}`
+	rr := adminReq(t, router, "POST", "/v1/auth/login", body)
+	if rr.Code != 200 {
+		t.Fatalf("status: got %d, want 200; body: %s", rr.Code, rr.Body.String())
+	}
+
+	var resp adminLoginResponse
+	if err := json.NewDecoder(rr.Body).Decode(&resp); err != nil {
+		t.Fatalf("decode: %v", err)
+	}
+	if resp.Token != "test-token" {
+		t.Fatalf("token: got %q, want %q", resp.Token, "test-token")
+	}
+	if resp.ExpiresAt == "" {
+		t.Fatal("expires_at: expected non-empty")
+	}
+}
+
+func TestAdminLoginInvalidCreds(t *testing.T) {
+	database := openAdminTestDB(t)
+
+	validator := &fakeValidator{
+		claims: &auth.Claims{Subject: "admin-uuid", AccountType: "human", Roles: []string{"admin"}},
+	}
+	login := &fakeLoginClient{err: auth.ErrUnauthorized}
+	reloader := &fakePolicyReloader{}
+	gcState := &GCState{}
+
+	r := chi.NewRouter()
+	MountAdminRoutes(r, validator, "mcr-test", AdminDeps{
+		DB:      database,
+		Login:   login,
+		Engine:  reloader,
+		AuditFn: nil,
+		GCState: gcState,
+	})
+
+	body := `{"username":"admin","password":"wrong"}`
+	rr := adminReq(t, r, "POST", "/v1/auth/login", body)
+	if rr.Code != 401 {
+		t.Fatalf("status: got %d, want 401", rr.Code)
+	}
+
+	var errResp adminErrorResponse
+	if err := json.NewDecoder(rr.Body).Decode(&errResp); err != nil {
+		t.Fatalf("decode: %v", err)
+	}
+	if errResp.Error != "authentication failed" {
+		t.Fatalf("error: got %q, want %q", errResp.Error, "authentication failed")
+	}
+}
+
+func TestAdminLoginMissingFields(t *testing.T) {
+	database := openAdminTestDB(t)
+	router, _ := buildAdminRouter(t, database)
+
+	body := `{"username":"admin"}`
+	rr := adminReq(t, router, "POST", "/v1/auth/login", body)
+	if rr.Code != 400 {
+		t.Fatalf("status: got %d, want 400", rr.Code)
+	}
+}
+
+func TestAdminLoginBadJSON(t *testing.T) {
+	database := openAdminTestDB(t)
+	router, _ := buildAdminRouter(t, database)
+
+	rr := adminReq(t, router, "POST", "/v1/auth/login", "not json")
+	if rr.Code != 400 {
+		t.Fatalf("status: got %d, want 400", rr.Code)
+	}
+}
+
+func TestAdminLogout(t *testing.T) {
+	database := openAdminTestDB(t)
+	router, _ := buildAdminRouter(t, database)
+
+	rr := adminReq(t, router, "POST", "/v1/auth/logout", "")
+	if rr.Code != 204 {
+		t.Fatalf("status: got %d, want 204", rr.Code)
+	}
+}