Phases 5, 6, 8: OCI pull/push paths and admin REST API

Phase 5 (OCI pull): internal/oci/ package with manifest GET/HEAD by
tag/digest, blob GET/HEAD with repo membership check, tag listing with
OCI pagination, catalog listing. Multi-segment repo names via
parseOCIPath() right-split routing. DB query layer in
internal/db/repository.go.

Phase 6 (OCI push): blob uploads (monolithic and chunked) with
uploadManager tracking in-progress BlobWriters, manifest push
implementing full ARCHITECTURE.md §5 flow in a single SQLite
transaction (create repo, upsert manifest, populate manifest_blobs,
atomic tag move). Digest verification on both blob commit and manifest
push-by-digest.

Phase 8 (admin REST): /v1 endpoints for auth (login/logout/health),
repository management (list/detail/delete), policy CRUD with engine
reload, audit log listing with filters, GC trigger/status stubs.
RequireAdmin middleware, platform-standard error format.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/server/admin_repo.go

@@ -0,0 +1,94 @@
+package server
+
+import (
+	"errors"
+	"net/http"
+	"strconv"
+
+	"github.com/go-chi/chi/v5"
+
+	"git.wntrmute.dev/kyle/mcr/internal/auth"
+	"git.wntrmute.dev/kyle/mcr/internal/db"
+)
+
+// AdminListReposHandler handles GET /v1/repositories.
+func AdminListReposHandler(database *db.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		limit := 50
+		offset := 0
+		if n := r.URL.Query().Get("n"); n != "" {
+			if v, err := strconv.Atoi(n); err == nil && v > 0 {
+				limit = v
+			}
+		}
+		if o := r.URL.Query().Get("offset"); o != "" {
+			if v, err := strconv.Atoi(o); err == nil && v >= 0 {
+				offset = v
+			}
+		}
+
+		repos, err := database.ListRepositoriesWithMetadata(limit, offset)
+		if err != nil {
+			writeAdminError(w, http.StatusInternalServerError, "internal error")
+			return
+		}
+		if repos == nil {
+			repos = []db.RepoMetadata{}
+		}
+		writeJSON(w, http.StatusOK, repos)
+	}
+}
+
+// AdminGetRepoHandler handles GET /v1/repositories/*.
+func AdminGetRepoHandler(database *db.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		name := chi.URLParam(r, "*")
+		if name == "" {
+			writeAdminError(w, http.StatusBadRequest, "repository name required")
+			return
+		}
+
+		detail, err := database.GetRepositoryDetail(name)
+		if err != nil {
+			if errors.Is(err, db.ErrRepoNotFound) {
+				writeAdminError(w, http.StatusNotFound, "repository not found")
+				return
+			}
+			writeAdminError(w, http.StatusInternalServerError, "internal error")
+			return
+		}
+		writeJSON(w, http.StatusOK, detail)
+	}
+}
+
+// AdminDeleteRepoHandler handles DELETE /v1/repositories/*.
+// Requires admin role (enforced by RequireAdmin middleware).
+func AdminDeleteRepoHandler(database *db.DB, auditFn AuditFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		name := chi.URLParam(r, "*")
+		if name == "" {
+			writeAdminError(w, http.StatusBadRequest, "repository name required")
+			return
+		}
+
+		if err := database.DeleteRepository(name); err != nil {
+			if errors.Is(err, db.ErrRepoNotFound) {
+				writeAdminError(w, http.StatusNotFound, "repository not found")
+				return
+			}
+			writeAdminError(w, http.StatusInternalServerError, "internal error")
+			return
+		}
+
+		if auditFn != nil {
+			claims := auth.ClaimsFromContext(r.Context())
+			actorID := ""
+			if claims != nil {
+				actorID = claims.Subject
+			}
+			auditFn("repo_deleted", actorID, name, "", r.RemoteAddr, nil)
+		}
+
+		w.WriteHeader(http.StatusNoContent)
+	}
+}