fix: allow autonomous plan/execute/verify/rollback in read-only mode

theo-learner · claude · theo-learner · commit fa364fca8536 · 2026-02-26T12:44:17.000+09:00
All four endpoints were missing from safeEndpoints, causing 403 on Plan click.
Write safety is enforced within each route handler (dry-run default).

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/middleware.ts b/src/middleware.ts
@@ -147,6 +147,10 @@ export function middleware(request: NextRequest) {
         '/api/goal-manager/dispatch', // Dry-run dispatch allowed; write blocked in route
         '/api/mcp',               // MCP invocation (write safety enforced in MCP handler)
         '/api/metrics/seed',      // Demo scenario injection (no real infra changes)
+        '/api/autonomous/plan',   // Autonomous plan (dry-run, no infra write)
+        '/api/autonomous/execute', // Autonomous execute (write safety enforced in handler)
+        '/api/autonomous/verify', // Autonomous verify (read-only)
+        '/api/autonomous/rollback', // Autonomous rollback (write safety enforced in handler)
       ];
 
       if (allowScalerWriteInReadOnlyMode()) {
