feat(api): admin authority management (create + list by kind)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

crates/api/tests/admin_catalog.rs

@@ -176,3 +176,86 @@ async fn vocabulary_create_requires_auth(pool: PgPool) {
         .unwrap();
     assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
 }
+
+async fn app2_get(app: &axum::Router, cookie: &str, uri: &str) -> StatusCode {
+    app.clone()
+        .oneshot(
+            Request::builder()
+                .uri(uri)
+                .header(header::COOKIE, cookie)
+                .body(Body::empty())
+                .unwrap(),
+        )
+        .await
+        .unwrap()
+        .status()
+}
+
+#[sqlx::test(migrations = "../db/migrations")]
+async fn create_and_list_authorities_by_kind(pool: PgPool) {
+    migrate_sessions(&db::Db::from_pool(pool.clone()))
+        .await
+        .unwrap();
+
+    seed_user(&pool, "ed@example.com", "pw-editor-123", Role::Editor).await;
+
+    let app = build_app(state(pool));
+    let cookie = login(&app, "ed@example.com", "pw-editor-123").await;
+
+    let created = app
+        .clone()
+        .oneshot(
+            Request::builder()
+                .method("POST")
+                .uri("/api/admin/authorities")
+                .header(header::COOKIE, &cookie)
+                .header(header::CONTENT_TYPE, "application/json")
+                .body(Body::from(
+                    r#"{"kind":"person","external_uri":null,"labels":[{"lang":"en","label":"Ada Lovelace"}]}"#,
+                ))
+                .unwrap(),
+        )
+        .await
+        .unwrap();
+    assert_eq!(created.status(), StatusCode::CREATED);
+
+    // list by kind
+    let list = app
+        .clone()
+        .oneshot(
+            Request::builder()
+                .uri("/api/admin/authorities?kind=person")
+                .header(header::COOKIE, &cookie)
+                .body(Body::empty())
+                .unwrap(),
+        )
+        .await
+        .unwrap();
+    assert_eq!(list.status(), StatusCode::OK);
+
+    let json: serde_json::Value =
+        serde_json::from_slice(&list.into_body().collect().await.unwrap().to_bytes()).unwrap();
+    assert_eq!(json.as_array().unwrap().len(), 1);
+    assert_eq!(json[0]["kind"], "person");
+
+    // a different kind is empty
+    let places = app
+        .clone()
+        .oneshot(
+            Request::builder()
+                .uri("/api/admin/authorities?kind=place")
+                .header(header::COOKIE, &cookie)
+                .body(Body::empty())
+                .unwrap(),
+        )
+        .await
+        .unwrap();
+
+    let places_json: serde_json::Value =
+        serde_json::from_slice(&places.into_body().collect().await.unwrap().to_bytes()).unwrap();
+    assert!(places_json.as_array().unwrap().is_empty());
+
+    // bad kind → 422
+    let bad = app2_get(&app, &cookie, "/api/admin/authorities?kind=alien").await;
+    assert_eq!(bad, StatusCode::UNPROCESSABLE_ENTITY);
+}