# Root Cause ## Security Boundary Mismatch The intended trust boundary was: ```text Home Assistant authenticated user -> Supervisor ingress -> add-on root administration route ``` The enforced boundary was effectively: ```text Any peer that can reach the published root route -> add-on root administration route ``` The MCP secret path was not bypassed. It protected a different route family. ## Generalized Pattern This issue is an example of a reusable review pattern: > A handler is safely exposed through one route but unsafely re-exposed through another route with a different caller model. Review similar patterns in: - ingress routes; - webhook routes; - internal callbacks; - health and management endpoints; - sidecar control APIs; - reverse-proxy-only routes; - approval and policy APIs. ## Review Questions - Is the same handler mounted under multiple prefixes? - Does every route pass through the same authentication middleware? - Is an "internal" route validated as internal? - Can a reverse proxy or tunnel change the exposure model? - Are state-changing routes protected against CSRF? - Is the approval API protected at least as strongly as the gated action?