Architecture cleanup. Retired the legacy DELETE /admin/tenants/:id/cafe-config
endpoint (Starter-safe, NOT Pro-safe) and the dead Vue function that referenced it.
POST /unlink-pause (Slice P 2026-05-19) is now the ONLY unlink path —
safe on every tier. Cpanel UI was already using it; this is the cleanup that closes
the foot-gun for any external caller.
nix-outdoor-sales-backend/src/admin/cafe.config.router.ts — removed the router.delete('/') block (~15 LOC) + the 'cafe_config.deleted' audit event. Header docblock updated to reflect the new route surface and document the U12 removal. Surviving /unlink-pause endpoint untouched (still clears creds + flips masters + bypasses Odoo POS + keeps row).nix-outdoor-sales-admin/src/views/TenantDetailView.vue — removed the dead deleteCafeConfig async function (~17 LOC). Unlink button at line 622 unchanged — already wired to pauseCafeConfig. Comment block updated to note the U12 cleanup.| ✓ | DELETE /admin/tenants/:id/cafe-config → 401 (admin middleware blocks anonymous before route lookup) |
| ✓ | POST /admin/tenants/:id/cafe-config/unlink-pause → 401 (auth gate intact) |
| ✓ | GET /admin/tenants/:id/cafe-config → 401 (sibling endpoint sanity) |
| ✓ | PATCH /admin/tenants/:id/cafe-config → 401 (sibling endpoint sanity) |
Test-design note: router.use(adminAuthMiddleware) is mounted at the router level, so the auth middleware fires BEFORE route lookup. An anonymous DELETE probe can't distinguish "endpoint removed" from "endpoint exists, auth required" — both return 401. Gate 1's source-grep is the load-bearing evidence the handler is gone. The prod test just confirms the backend deployed cleanly and the request still passes through the expected middleware layer for all 4 verbs.
| test-phase1-prod.mjs | 11/11 |
| test-phase2-sso-outdoor-prod.mjs | 6/6 |
| test-m1-prod.mjs | 10/10 |
| test-r7-prod.mjs | 14/14 |
| test-r8-prod.mjs | 4/4 |
| test-phase2-cafe-multishop-prod.mjs (solo) | 6/6 |