Module admin 

Admin management API dispatcher (issue #672, Layer 6). Layer 6 admin dispatcher (issue #672).

Subscribes to astrid.v1.admin.* and routes every variant of [AdminRequestKind] through the same capability-enforcement preamble introduced in issue #670 (Layer 5). On allow, the mutating handlers in [handlers] acquire Kernel::admin_write_lock before touching profile.toml / groups.toml, then atomically replace the resolved config on the ArcSwap backing Kernel::groups and/or invalidate the matching PrincipalProfileCache entry.

Audit trail

Every admin topic — allow or deny — appends an AuditAction::AdminRequest entry. method is the wire name ("admin.agent.create", etc.); target_principal is Some for variants that operate on another principal and None otherwise. params captures the full request payload (capabilities granted, quotas set, group definition) for forensic replay without diffing profile.toml snapshots.

Functions

admin_request_method

Stable wire-name identifier for an AdminRequestKind — used as the method field on every [AuditAction::AdminRequest] entry.

admin_target_principal

Borrow the target principal for audit purposes — Some only when the request operates on a principal distinct from the caller.

required_capability_for_admin_request

Static capability string required to satisfy req under scope.

resolve_admin_scope

Return the authority scope req exercises for caller.