@scap one more thing - I've been thinking about is and think we might want to change the security filter order, so it runs the standard filter first, then Security, then an optional post security filter. This would allow things like auditing, monitoring and request context setup to happen first. It would be a breaking change to the API, but I think it's a much better model. Thoughts - or can anyone think of a case where this would be a bad thing?

I think this would be good I think I can refactor our code easily to fit in with this. @dave

Cool. I’ll release these changes later today then along with the PR for the routes.