# API Phase 8 Move Log

Date: 2026-03-17

Scope: Move `admin` and `site-access` endpoints out of `api/src/server.ts` into dedicated route modules.

## Route Registration Changes

- Added site-access route import in [server.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/server.ts:24)
- Added admin route import in [server.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/server.ts:25)
- Registered site-access routes in [server.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/server.ts:946)
- Registered admin routes in [server.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/server.ts:960)
- New canonical route modules:
  - [site-access.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/routes/site-access.ts:29)
  - [admin.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/routes/admin.ts:10)
- Removed inline route blocks from `server.ts` to avoid duplicate registration:
  - `GET /site-access/status`
  - `POST /site-access/unlock`
  - `POST /site-access/lock`
  - `POST /admin/rollover`

## Endpoint Movements

1. `GET /site-access/status`
   - Original: `server.ts` line 946
   - Moved to [site-access.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/routes/site-access.ts:30)
   - References:
     - [siteAccess.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/web/src/api/siteAccess.ts:10)
     - [BetaGate.tsx](/mnt/c/Users/jholt/clone-test/SkyMoney/web/src/components/BetaGate.tsx:20)
     - [BetaAccessPage.tsx](/mnt/c/Users/jholt/clone-test/SkyMoney/web/src/pages/BetaAccessPage.tsx:22)
2. `POST /site-access/unlock`
   - Original: `server.ts` line 957
   - Moved to [site-access.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/routes/site-access.ts:41)
   - References:
     - [siteAccess.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/web/src/api/siteAccess.ts:14)
     - [BetaAccessPage.tsx](/mnt/c/Users/jholt/clone-test/SkyMoney/web/src/pages/BetaAccessPage.tsx:40)
3. `POST /site-access/lock`
   - Original: `server.ts` line 994
   - Moved to [site-access.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/routes/site-access.ts:78)
   - References:
     - [siteAccess.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/web/src/api/siteAccess.ts:18)
     - [BetaAccessPage.tsx](/mnt/c/Users/jholt/clone-test/SkyMoney/web/src/pages/BetaAccessPage.tsx:59)
4. `POST /admin/rollover`
   - Original: `server.ts` line 1045
   - Moved to [admin.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/routes/admin.ts:11)
   - References:
     - [access-control.admin-rollover.test.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/tests/access-control.admin-rollover.test.ts:44)

## Helper Ownership in Phase 8

- Shared helper injection from `server.ts`:
  - `authRateLimit`
  - `mutationRateLimit`
  - `hasSiteAccessBypass`
  - `safeEqual`
  - `isInternalClientIp`
  - runtime config flags and cookie settings (`UNDER_CONSTRUCTION`, break-glass, cookie domain/secure, etc.)
- Route-local helpers/schemas:
  - `site-access.ts`: unlock payload schema
  - `admin.ts`: rollover payload schema
- Retained in `server.ts` by design for global hook behavior:
  - site-access bypass token derivation and onRequest maintenance-mode enforcement

## Verification

1. Build
   - `cd api && npm run build` ✅
2. Focused tests
   - `cd api && npm run test -- tests/access-control.admin-rollover.test.ts tests/security-misconfiguration.test.ts`
   - Result: blocked by local DB connectivity (`127.0.0.1:5432` unavailable), suite skipped/failed before endpoint assertions.