The hand-curated /settings endpoints (GET, PUT, PUT /security) duplicate what the new dotted-key /config API already exposes through reflection. Every new config field today still requires editing both, and the two surfaces will drift.
Plan: deprecate /settings, point existing clients (the UI settings page, the setup wizard, security settings forms) at /config, then remove the hand-curated handlers. Sensitive fields stay masked, runtime-applicable keys retain their appliers, and any non-config state currently returned by /settings moves to its own endpoint.
The hand-curated /settings endpoints (GET, PUT, PUT /security) duplicate what the new dotted-key /config API already exposes through reflection. Every new config field today still requires editing both, and the two surfaces will drift.
Plan: deprecate /settings, point existing clients (the UI settings page, the setup wizard, security settings forms) at /config, then remove the hand-curated handlers. Sensitive fields stay masked, runtime-applicable keys retain their appliers, and any non-config state currently returned by /settings moves to its own endpoint.