Route Protection Matrix
ReformCode uses a centralized route protection matrix to decide which pages and APIs are public, session-protected, admin-only, webhook-facing, or API-key capable.
The implementation lives in lib/security/route-protection.ts, and proxy.ts enforces it before requests reach pages or route handlers.
Access Levels
| Access | Used For | Enforcement |
|---|---|---|
public | Marketing pages, docs, auth entry, public score/trust surfaces, health/search APIs, partner widgets, evidence ingest | Allowed through proxy |
authenticated | CODE, REFORM, account, workspace, deploy, GitHub proxy, sandbox, billing, and history surfaces | Requires a session cookie |
admin | Admin dashboard and operational APIs | Requires a session cookie at proxy and an admin role check in the handler |
webhook | Stripe and GitHub webhook ingress | Allowed through proxy; handler verifies the provider signature |
api_key | Versioned developer-platform streaming APIs | Requires a session cookie or API credential header |
Launch Contract
Every app/**/page.tsx and app/**/route.ts file must match an explicit rule. The regression test at __tests__/lib/security/route-protection.test.ts inventories the App Router tree and fails if a new route is not classified.
Unknown API routes default to authenticated access. Unknown page routes stay public so Next.js can still render public pages and 404s naturally.
API Credentials
API-key routes currently accept either:
Authorization: Bearer rc_example_token
or:
x-api-key: rc_example_token
The server auth layer resolves valid hashed Developer API keys and legacy VS Code/API tokens from the token table, which lets versioned API routes support non-browser clients while preserving the existing session-based web app.
API keys are managed from Settings → Developers and through the session-protected /api/account/api-keys account API. New developer-platform endpoints should update the route matrix, OpenAPI spec, and developer docs in the same change.