feat(dynamodb): expand dashboard management UI (#10)

* feat(dynamodb): expand dashboard inspection tools

* chore(dynamodb): add dashboard management autoloop

* feat(dynamodb): add dashboard management flows

* feat(dynamodb): add advanced dashboard management UI

Author: simota

.agents/nexus.md

@@ -3,3 +3,4 @@
 | 2026-05-02 | Nexus | drafted SQS compatibility design | `docs/design-sqs-compat.md` | scoped as design-only groundwork for SQS local compatibility server |
 | 2026-05-02 | Nexus | drafted Google Cloud Pub/Sub compatibility design | `docs/design-pubsub-compat.md` | keeps Pub/Sub on shared Message Core with SQS-compatible delivery streams |
 | 2026-05-04 | Nexus | drafted Amazon Redshift compatibility design | `docs/design-redshift-compat.md` | aligns PostgreSQL wire protocol, Data API, management API, and shared Query Engine phases |
+| 2026-05-05 | Nexus | routed DynamoDB dashboard management UI upgrade | `web/dashboard/src/app/services/dynamodb/`, `web/dashboard/src/styles/globals.css` | selected explorer + local implementation; non-destructive UI metadata/detail expansion |

.agents/orbit.md

@@ -12,3 +12,5 @@
 | 2026-05-05 | Orbit | split remaining Redshift PostgreSQL default-backend tasks into a Codex autoloop | `scripts/redshift-remaining-autoloop/`, `.gitignore` | ready for bounded default backend flip, docs status, and full-remaining gates |
 | 2026-05-05 | Orbit | split Redshift dashboard SQL query runner UI into a Codex autoloop | `scripts/redshift-query-runner-ui-autoloop/`, `.gitignore` | ready for bounded Redshift query runner UI, frontend, dashboard API, e2e, and full-query-runner-ui gates |
 | 2026-05-05 | Orbit | split Redshift advanced compatibility into a Codex autoloop | `scripts/redshift-advanced-compat-autoloop/`, `.gitignore` | ready for staged extended protocol, advanced SQL, serverless metadata, snapshots, introspection, procedures, dashboard/e2e, and full-advanced gates |
+| 2026-05-05 | Orbit | split DynamoDB dashboard management UI tasks into a Codex autoloop | `scripts/dynamodb-dashboard-management-autoloop/`, `.gitignore` | ready for guarded operations UI, Query/Scan UI, E2E, docs, and full-management-ui gates |
+| 2026-05-06 | Orbit | split DynamoDB dashboard advanced UI tasks into a Codex autoloop | `scripts/dynamodb-dashboard-advanced-autoloop/`, `.gitignore` | ready for pagination, saved/recent operations, table wizard, validation, delete confirmation, e2e, docs, and full-advanced-ui gates |

.gitignore

@@ -35,6 +35,28 @@ scripts/dynamodb-autoloop/progress.md
 scripts/dynamodb-autoloop/done.md
 scripts/dynamodb-autoloop/iteration-*.out
 scripts/dynamodb-autoloop/prompt-*.*
+scripts/dynamodb-dashboard-management-autoloop/.run-loop.lock
+scripts/dynamodb-dashboard-management-autoloop/.circuit-state
+scripts/dynamodb-dashboard-management-autoloop/runner.jsonl
+scripts/dynamodb-dashboard-management-autoloop/runner.log
+scripts/dynamodb-dashboard-management-autoloop/state.env
+scripts/dynamodb-dashboard-management-autoloop/state.env.sha256
+scripts/dynamodb-dashboard-management-autoloop/progress.md
+scripts/dynamodb-dashboard-management-autoloop/done.md
+scripts/dynamodb-dashboard-management-autoloop/iteration-*.out
+scripts/dynamodb-dashboard-management-autoloop/verify-*.out
+scripts/dynamodb-dashboard-management-autoloop/prompt-*.*
+scripts/dynamodb-dashboard-advanced-autoloop/.run-loop.lock
+scripts/dynamodb-dashboard-advanced-autoloop/.circuit-state
+scripts/dynamodb-dashboard-advanced-autoloop/runner.jsonl
+scripts/dynamodb-dashboard-advanced-autoloop/runner.log
+scripts/dynamodb-dashboard-advanced-autoloop/state.env
+scripts/dynamodb-dashboard-advanced-autoloop/state.env.sha256
+scripts/dynamodb-dashboard-advanced-autoloop/progress.md
+scripts/dynamodb-dashboard-advanced-autoloop/done.md
+scripts/dynamodb-dashboard-advanced-autoloop/iteration-*.out
+scripts/dynamodb-dashboard-advanced-autoloop/verify-*.out
+scripts/dynamodb-dashboard-advanced-autoloop/prompt-*.*
 scripts/bigquery-autoloop/.run-loop.lock
 scripts/bigquery-autoloop/.circuit-state
 scripts/bigquery-autoloop/runner.jsonl

README.md

@@ -293,6 +293,8 @@ Legend:
 | Real capacity accounting/throttling | No | Local deterministic behavior, not AWS capacity simulation. |
 | IAM condition enforcement | No | Not implemented. |
 
+DynamoDB dashboard management is available under `/dashboard/dynamodb` and the local `/api/dynamodb/*` dashboard API. The dashboard can inspect tables, items, indexes, TTL, and streams, and can run guarded local management flows for `CreateTable`, `PutItem`, `UpdateItem`, `UpdateTimeToLive`, `DeleteItem`, `DeleteTable`, `Query`, and `Scan`. Query and Scan expose result pagination with count, scanned count, next/previous controls, and selected result item JSON. Recent operation history is stored only in browser `localStorage` as metadata; it does not persist item payloads, credentials, full request payloads, or pagination keys. Dashboard mutation endpoints forward through the local DynamoDB JSON protocol path instead of editing storage directly. Destructive `DeleteItem` and `DeleteTable` flows require confirmation text matching the selected table name, and disabled DynamoDB services do not expose active mutation controls.
+
 ### Google Cloud Pub/Sub-Compatible API
 
 | Feature | Status | Notes |
@@ -349,7 +351,7 @@ Pub/Sub dashboard actions are available under `/dashboard/pubsub`:
 | Mail messages API | Yes | List, fetch detail/raw, delete. |
 | S3 dashboard API | Yes | Bucket/object listing, download links. |
 | GCS dashboard API | Yes | Bucket/object/upload-session inspection. |
-| DynamoDB dashboard API | Yes | Status, tables, table detail, indexes, TTL, streams, items. |
+| DynamoDB dashboard API | Yes | Status, tables, table detail, indexes, TTL, streams, items, guarded management operations, Query, and Scan. |
 | SQS dashboard API | Yes | Status, queues, messages, leases, DLQ, and purge. |
 | Pub/Sub dashboard API | Yes | Status, topics, subscriptions, publish, pull, ack, and message metadata. |
 | Redshift dashboard API | Yes | Status, clusters, catalog, table detail, query runner, and statement history. |

…d/assets/react/assets/index-Jon0rN-z.css …d/assets/react/assets/index-BbvjViDt.cssinternal/dashboard/assets/react/assets/index-Jon0rN-z.css renamed to internal/dashboard/assets/react/assets/index-BbvjViDt.css internal/dashboard/assets/react/assets/index-Jon0rN-z.css renamed to internal/dashboard/assets/react/assets/index-BbvjViDt.css

@@ -4,8 +4,8 @@
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>devcloud Dashboard</title>
-    <script type="module" crossorigin src="/dashboard/assets/index-BvaRNLFE.js"></script>
-    <link rel="stylesheet" crossorigin href="/dashboard/assets/index-Jon0rN-z.css">
+    <script type="module" crossorigin src="/dashboard/assets/index-CmaHHuQ1.js"></script>
+    <link rel="stylesheet" crossorigin href="/dashboard/assets/index-BbvjViDt.css">
   </head>
   <body>
     <div id="root"></div>

internal/dashboard/assets/react/assets/index-BvaRNLFE.js

@@ -1,6 +1,7 @@
 package dashboard
 
 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"errors"
@@ -1251,25 +1252,24 @@ func (s *Server) handleDynamoDBStatus(w http.ResponseWriter, r *http.Request) {
 }
 
 func (s *Server) handleDynamoDBTables(w http.ResponseWriter, r *http.Request) {
-	if r.Method != http.MethodGet {
-		methodNotAllowed(w, "GET")
-		return
-	}
 	if s.dynamo == nil {
 		http.Error(w, "dynamodb service is disabled", http.StatusServiceUnavailable)
 		return
 	}
-	snapshot := s.dynamo.Snapshot()
-	writeJSON(w, map[string]any{
-		"tables": snapshot.Tables,
-	})
+	switch r.Method {
+	case http.MethodGet:
+		snapshot := s.dynamo.Snapshot()
+		writeJSON(w, map[string]any{
+			"tables": snapshot.Tables,
+		})
+	case http.MethodPost:
+		s.forwardDynamoDBDashboardOperation(w, r, "CreateTable", "")
+	default:
+		methodNotAllowed(w, "GET, POST")
+	}
 }
 
 func (s *Server) handleDynamoDBTable(w http.ResponseWriter, r *http.Request) {
-	if r.Method != http.MethodGet {
-		methodNotAllowed(w, "GET")
-		return
-	}
 	if s.dynamo == nil {
 		http.Error(w, "dynamodb service is disabled", http.StatusServiceUnavailable)
 		return
@@ -1285,6 +1285,39 @@ func (s *Server) handleDynamoDBTable(w http.ResponseWriter, r *http.Request) {
 		http.NotFound(w, r)
 		return
 	}
+	if hasSuffix {
+		switch suffix {
+		case "items":
+			if r.Method == http.MethodPost {
+				s.forwardDynamoDBDashboardOperation(w, r, "PutItem", tableName)
+				return
+			}
+		case "items/update":
+			s.forwardDynamoDBDashboardOperation(w, r, "UpdateItem", tableName)
+			return
+		case "items/delete":
+			s.forwardDynamoDBDashboardOperationWithConfirmation(w, r, "DeleteItem", tableName, tableName)
+			return
+		case "ttl":
+			if r.Method == http.MethodPost {
+				s.forwardDynamoDBDashboardOperation(w, r, "UpdateTimeToLive", tableName)
+				return
+			}
+		case "query":
+			s.forwardDynamoDBDashboardOperation(w, r, "Query", tableName)
+			return
+		case "scan":
+			s.forwardDynamoDBDashboardOperation(w, r, "Scan", tableName)
+			return
+		case "delete":
+			s.forwardDynamoDBDashboardOperationWithConfirmation(w, r, "DeleteTable", tableName, tableName)
+			return
+		}
+	}
+	if r.Method != http.MethodGet {
+		methodNotAllowed(w, "GET")
+		return
+	}
 	table, found := s.dynamo.TableSnapshot(tableName)
 	if !found {
 		http.NotFound(w, r)
@@ -1345,6 +1378,73 @@ func (s *Server) handleDynamoDBTable(w http.ResponseWriter, r *http.Request) {
 	})
 }
 
+type dashboardDynamoDBOperationRequest struct {
+	Input        json.RawMessage `json:"input"`
+	Confirmation string          `json:"confirmation"`
+}
+
+func (s *Server) forwardDynamoDBDashboardOperation(w http.ResponseWriter, r *http.Request, operation string, tableName string) {
+	s.forwardDynamoDBDashboardOperationWithConfirmation(w, r, operation, tableName, "")
+}
+
+func (s *Server) forwardDynamoDBDashboardOperationWithConfirmation(w http.ResponseWriter, r *http.Request, operation string, tableName string, requiredConfirmation string) {
+	if r.Method != http.MethodPost {
+		methodNotAllowed(w, "POST")
+		return
+	}
+	var request dashboardDynamoDBOperationRequest
+	if err := json.NewDecoder(r.Body).Decode(&request); err != nil {
+		http.Error(w, "invalid json request", http.StatusBadRequest)
+		return
+	}
+	if requiredConfirmation != "" && request.Confirmation != requiredConfirmation {
+		http.Error(w, "confirmation must match table name", http.StatusBadRequest)
+		return
+	}
+	input, err := normalizeDynamoDBDashboardInput(request.Input, tableName)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	req := r.Clone(r.Context())
+	req.Method = http.MethodPost
+	req.URL = &url.URL{Path: "/"}
+	req.RequestURI = ""
+	req.Body = io.NopCloser(bytes.NewReader(input))
+	req.ContentLength = int64(len(input))
+	req.Header = make(http.Header)
+	req.Header.Set("Content-Type", "application/x-amz-json-1.0")
+	req.Header.Set("X-Amz-Target", "DynamoDB_20120810."+operation)
+	s.dynamo.ServeHTTP(w, req)
+}
+
+func normalizeDynamoDBDashboardInput(raw json.RawMessage, tableName string) ([]byte, error) {
+	if len(raw) == 0 {
+		return nil, errors.New("input is required")
+	}
+	var input map[string]any
+	if err := json.Unmarshal(raw, &input); err != nil {
+		return nil, errors.New("input must be valid JSON")
+	}
+	if input == nil {
+		return nil, errors.New("input must be a JSON object")
+	}
+	if tableName != "" {
+		if existing, ok := input["TableName"]; ok {
+			if existingName, ok := existing.(string); !ok || existingName != tableName {
+				return nil, errors.New("input TableName must match the selected table")
+			}
+		} else {
+			input["TableName"] = tableName
+		}
+	}
+	encoded, err := json.Marshal(input)
+	if err != nil {
+		return nil, errors.New("input could not be encoded")
+	}
+	return encoded, nil
+}
+
 func (s *Server) handleGCSUploadSessions(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
 		methodNotAllowed(w, "GET")