6c723aeb8c
Data REST was auto-exposing raw JPA repository endpoints (/appUsers, /documents, /persons, /userGroups, etc.) that completely bypass the @RequirePermission AOP checks — effectively making the entire database readable and writable without authentication. All API needs are covered by the custom controllers. The generated api.ts is reverted to the stub until npm run generate:api is re-run against the cleaned backend. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>