Admin Routes
Purpose
Admin routes are protected feature entry points. They are not random PHP files that the sidebar happens to include.
Route contract
Declare admin routes in `routes/routes.php` through the addon route contract. Include route key, surface, method, path, handler, legacy view when needed, and permission metadata.
Permission metadata
Admin routes should require `admin.access` plus the addon-specific permission for the screen or action. The route and the handler should agree on the permission boundary.
Admin shell boundary
The addon renders the inner admin content. The Admin layer owns the shell, navigation, identity display, breadcrumbs, notices container, and page frame.
Do not render a second admin shell inside an addon. Nested admin shells are how interfaces start looking like a hallway full of doors to the same room.
POST routes
POST routes must validate CSRF and permissions before mutating data. Keep actions explicit and scoped to addon-owned records.
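The permission and POST rules above, as an added example that is not the project's own code: the dispatcher reads the permission list from the route entry, so the route and the handler cannot disagree on the boundary, and nothing mutates until both checks pass. The array shape, `dispatch_admin_post`, `notes_delete_handler`, and the `notes.delete` permission are assumptions; only `admin.access` and the contract field names come from this page.

```php
<?php
declare(strict_types=1);
// Hypothetical route entry: field names follow the "Route contract" list,
// but the array shape is assumed, not the project's actual contract.
$route = [
    'key'         => 'notes.admin.delete',
    'surface'     => 'admin',
    'method'      => 'POST',
    'path'        => '/admin/notes/delete',
    'handler'     => 'notes_delete_handler',
    'permissions' => ['admin.access', 'notes.delete'],
];

// Hypothetical handler: touches only addon-owned records, and runs only after the guard passes.
function notes_delete_handler(array &$store, array $post): string
{
    $id = (int) ($post['note_id'] ?? 0);
    if (!isset($store[$id])) {
        return '404 note not found';
    }
    unset($store[$id]);
    return '200 note deleted';
}

// Guard run before the handler: declared permissions, then CSRF, then the action.
function dispatch_admin_post(array $route, array $user, array $session, array $post, array &$store): string
{
    foreach ($route['permissions'] as $permission) {
        if (!in_array($permission, $user['permissions'], true)) {
            return '403 missing permission: ' . $permission;
        }
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($supplied) || !hash_equals($expected, $supplied)) {
        return '403 invalid CSRF token';
    }
    return ($route['handler'])($store, $post);
}

// Constructed sample data: one user with the addon permission, one with admin.access only.
$store   = [7 => 'draft note'];
$session = ['csrf_token' => bin2hex(random_bytes(16))];
$editor  = ['permissions' => ['admin.access', 'notes.delete']];
$viewer  = ['permissions' => ['admin.access']];
$good    = ['note_id' => '7', 'csrf_token' => $session['csrf_token']];

echo dispatch_admin_post($route, $viewer, $session, $good, $store), PHP_EOL;
echo dispatch_admin_post($route, $editor, $session, ['note_id' => '7'], $store), PHP_EOL;
echo dispatch_admin_post($route, $editor, $session, $good, $store), PHP_EOL;
```

The first two calls are refused and leave `$store` unchanged; only the third, with both permissions and a matching token, deletes the record.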
Verification
After changing admin routes, verify the admin page returns HTTP 200 and that denied users cannot perform protected actions.
Updated: 2026-05-07 02:18:09