Public Routes
Purpose
Public routes are frontend delivery contracts. Public does not mean ungoverned.
Route ownership
The addon that owns the frontend feature should register the public route and render the public response. Menu Manager may link to that route, but Menu Manager does not render the target.
Access metadata
When a public route is restricted, declare access metadata for the central route dispatcher. Use the central access evaluator instead of a local frontend permission system.
Public target connection
If admins should be able to pick the route in Menu Manager, expose a public target provider. The target should describe the route, label, state, availability, and access requirements.
Do not do this
- Do not use public routes as admin shortcuts.
- Do not point public navigation at admin URLs.
- Do not hide access rules only inside the render function while target metadata claims nothing.
- Do not let a public route mutate data without CSRF and explicit action handling.
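The rules above can be checked mechanically before a route change ships. The following is an added example, not code from this platform: the `Route` and `Target` structures, their field names, and the `/admin` prefix are assumptions made for illustration, and the sample declarations are constructed.

```python
from dataclasses import dataclass
from typing import Optional

ADMIN_PREFIX = "/admin"  # assumption: admin URLs share this prefix

@dataclass
class Route:                              # hypothetical route declaration
    path: str
    access: Optional[str] = None          # access metadata given to the dispatcher
    render_checks_access: bool = False    # render function enforces its own rule
    mutates: bool = False                 # handling the request changes data
    csrf: bool = False                    # CSRF token is verified
    explicit_action: bool = False         # change goes through a named action

@dataclass
class Target:                             # hypothetical Menu Manager target
    path: str
    label: str
    access: Optional[str] = None          # access requirement the target claims

def audit(routes, targets):
    """Return sorted (path, problem) pairs for the rules listed above."""
    findings = []
    for r in routes:
        if r.render_checks_access and r.access is None:
            findings.append((r.path, "access rule only in render function"))
        if r.mutates and not (r.csrf and r.explicit_action):
            findings.append((r.path, "mutation without CSRF and explicit action"))
    by_path = {r.path: r for r in routes}
    for t in targets:
        route = by_path.get(t.path)
        if t.path.startswith(ADMIN_PREFIX):
            findings.append((t.path, "public navigation points at admin URL"))
        elif route is not None and t.access != route.access:
            findings.append((t.path, "target access metadata differs from route"))
    return sorted(findings)

# Constructed sample declarations, not taken from any real addon.
ROUTES = [
    Route("/events"),
    Route("/members", access="member"),
    Route("/profile", render_checks_access=True),
    Route("/newsletter/join", mutates=True, csrf=False, explicit_action=True),
]
TARGETS = [
    Target("/events", "Events"),
    Target("/members", "Members area"),   # claims no access requirement
    Target("/admin/settings", "Settings"),
]
```

Calling `audit(ROUTES, TARGETS)` reports four findings; `/events` passes because its route and target agree and nothing about it is restricted or mutating.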
Verification
After changing public routes, verify the public URL returns HTTP 200 and restricted access behaves as expected.
Updated: 2026-05-07 02:18:09