Much work.

config/routes.rb

@@ -1,4 +1,16 @@
 Rails.application.routes.draw do
+  # Registration only allowed when no users exist
+  resource :registration, only: [:new, :create]
+  resource :session
+  resources :passwords, param: :token
+
+  # OIDC authentication routes
+  get "/auth/failure", to: "omniauth_callbacks#failure"
+  get "/auth/:provider/callback", to: "omniauth_callbacks#oidc"
+
+  # Admin user management (admin only)
+  resources :users, only: [:index, :show, :edit, :update]
+
   # Define your application routes per the DSL in https://guides.rubyonrails.org/routing.html
 
   # Reveal health status on /up that returns 200 if the app boots with no exceptions, otherwise 500.
@@ -7,10 +19,11 @@ Rails.application.routes.draw do
 
   # WAF API
   namespace :api, defaults: { format: :json } do
-    # Event ingestion
+    # Event ingestion (PRIMARY method - includes rule updates in response)
     post ":project_id/events", to: "events#create"
 
-    # Rule synchronization
+    # Rule synchronization (SECONDARY - for admin/debugging only)
+    # Note: Agents should use event responses for rule synchronization
     get ":public_key/rules/version", to: "rules#version"
     get ":public_key/rules", to: "rules#index"
   end