# Remediation Analysis The public fix introduced an `_ingress_only()` wrapper around bare-root add-on routes. ## Intended Behavior ```text Supervisor ingress transport peer -> bare-root route -> allowed Other transport peer -> bare-root route -> HTTP 403 Secret-path route -> existing supported behavior ``` ## Why Transport Peer Matters The fix uses the transport peer instead of trusting a client-supplied forwarding header. Headers such as `X-Forwarded-For` can be unreliable when proxy trust is not explicitly configured. A caller-validation control should be based on a signal that the untrusted caller cannot freely choose. ## Defensive Design Lessons - define the intended caller for every route family; - enforce the caller at the route boundary; - preserve supported access paths; - explicitly reject unintended access paths; - log rejections; - add regression tests for both success and failure cases.