DB Proxy Routes
DB proxy routes are wire-protocol tunnels that let agents connect to a migrated database through KnoxCall using alocalhost:<port> listener. They can be created for any migration the reviewer owns — the committed_secret_id must reference an existing tenant secret, but no particular migration status is required. Routes are removed only via DELETE /admin/migrations/:id/db-proxy-routes/:routeId; cancelling the migration does not delete them.
The write endpoints (POST and DELETE) require migration_reviewer permission + 5-minute step-up. The GET (list) endpoint requires only tenant access to the migration — no migration_reviewer role or step-up.
POST /admin/migrations/:id/db-proxy-routes
Create a new wire-protocol proxy route for a migration. Auth:migration_reviewer + 5-minute step-up
Request body
Returns
409 if local_port is already in use for the same agent.
Response
201 Created.
GET /admin/migrations/:id/db-proxy-routes
List all proxy routes for a migration. Auth: tenant access to the migration (nomigration_reviewer role or step-up required)
Response
DELETE /admin/migrations/:id/db-proxy-routes/:routeId
Remove a proxy route. The agent tunnel is torn down immediately. Auth:migration_reviewer + 5-minute step-up
Response
404 if the route is not found for this migration and tenant.