# Elsewhere Ventures - LLM Access Policy

This application contains private financial and itinerary data.
Use documented APIs only and do not crawl authenticated pages.

OpenAPI: https://travel-accounting-production.up.railway.app/api/openapi
Capabilities API: https://travel-accounting-production.up.railway.app/api/v1/capabilities
Public Itinerary API: https://travel-accounting-production.up.railway.app/api/v1/public/trips/%7BshareToken%7D/itinerary
Bot Events API: https://travel-accounting-production.up.railway.app/api/v1/bot/events?since=%3CISO8601%3E&limit=100&cursor=%3Ccursor%3E
Bot WhoAmI API: https://travel-accounting-production.up.railway.app/api/v1/bot/whoami
MCP Discovery API: https://travel-accounting-production.up.railway.app/api/v1/mcp

Intelligence Endpoints (require bot key):
- GET https://travel-accounting-production.up.railway.app/api/v1/bot/stream — SSE real-time event stream
- GET https://travel-accounting-production.up.railway.app/api/v1/bot/trips/%7BtripId%7D/insights — Trip intelligence insights
- POST https://travel-accounting-production.up.railway.app/api/v1/bot/query — Natural language query (body: { question })
- GET https://travel-accounting-production.up.railway.app/api/v1/bot/trips/%7BtripId%7D/actions — Next-action suggestions

Bot List & Mutation APIs (GET list endpoints support ?cursor=<id> for cursor pagination or ?page=<n> for offset; cursor is recommended):
- GET/POST https://travel-accounting-production.up.railway.app/api/v1/bot/trips (requires trips.read or trips.* or mutations.trips or mutations.* or *)
- PUT/DELETE https://travel-accounting-production.up.railway.app/api/v1/bot/trips/%7Bid%7D (requires mutations.trips or mutations.* or *)
- GET/POST https://travel-accounting-production.up.railway.app/api/v1/bot/expenses (requires trips.read or trips.* or mutations.expenses or mutations.* or *)
- PUT/DELETE https://travel-accounting-production.up.railway.app/api/v1/bot/expenses/%7Bid%7D (requires mutations.expenses or mutations.* or *)
- POST https://travel-accounting-production.up.railway.app/api/v1/bot/expenses/bulk (requires mutations.bulk or mutations.* or *)
- GET/POST https://travel-accounting-production.up.railway.app/api/v1/bot/payments (requires trips.read or trips.* or mutations.payments or mutations.* or *)
- PUT/DELETE https://travel-accounting-production.up.railway.app/api/v1/bot/payments/%7Bid%7D (requires mutations.payments or mutations.* or *)
- POST https://travel-accounting-production.up.railway.app/api/v1/bot/payments/bulk (requires mutations.bulk or mutations.* or *)
- GET/POST https://travel-accounting-production.up.railway.app/api/v1/bot/commissions (requires trips.read or trips.* or mutations.commissions or mutations.* or *)
- PUT/DELETE https://travel-accounting-production.up.railway.app/api/v1/bot/commissions/%7Bid%7D (requires mutations.commissions or mutations.* or *)
- GET/POST https://travel-accounting-production.up.railway.app/api/v1/bot/points (requires trips.read or trips.* or mutations.points or mutations.* or *)
- PUT/DELETE https://travel-accounting-production.up.railway.app/api/v1/bot/points/%7Bid%7D (requires mutations.points or mutations.* or *)
- GET/POST https://travel-accounting-production.up.railway.app/api/v1/bot/webhooks (requires webhooks.read or webhooks.* or mutations.webhooks or mutations.* or *)
- PUT/DELETE https://travel-accounting-production.up.railway.app/api/v1/bot/webhooks/%7Bid%7D (requires mutations.webhooks or mutations.* or *)
- GET https://travel-accounting-production.up.railway.app/api/v1/bot/webhooks/deliveries (requires webhooks.read or webhooks.* or mutations.webhooks or mutations.* or *)
- POST https://travel-accounting-production.up.railway.app/api/v1/bot/webhooks/deliveries/%7Bid%7D/replay (requires mutations.webhooks or mutations.* or *)
- GET/POST https://travel-accounting-production.up.railway.app/api/v1/bot/clients/%7BclientId%7D/api-keys (requires client-api-keys.read or client-api-keys.* or mutations.client-api-keys or mutations.* or *)
- DELETE https://travel-accounting-production.up.railway.app/api/v1/bot/clients/%7BclientId%7D/api-keys/%7BkeyId%7D (requires mutations.client-api-keys or mutations.* or *)

Disallowed for automated access:
- /trips, /portal, /settings, /clients, /expenses, /payments, /points, /commissions
- /api/auth/*, /api/export/*, /api/upload, /api/secret-note

Authentication for bot endpoints:
- Authorization: Bearer <BOT_API_KEY>
- X-API-Key: <BOT_API_KEY> is also accepted for bot endpoints.
- Keys can be provisioned in Settings > Bot API Keys or via BOT_API_KEYS env, including mutation scopes.
- Managed keys support one-click rotation and optional per-key IP allowlists.
- Mutation success envelope: { success: true, data: ... }
- Mutation/read error envelope: { code, message, retryable, requestId }
- MCP uses a separate client-scoped bearer token issued from an individual client record. It is read-only and should not be used for advisor-wide mutations.

Dashboard Features (authenticated UI, not API-accessible):
- Payment Reconciliation Dashboard: /reconciliation - aggregated balances, overdue tracking, per-trip quick payment recording.
- Trip Command Center: /trips/[tripId] - sticky financial metrics, unified 5-tab navigation (Itinerary, Expenses, Payments, Commissions, Points).
- Global Quick Action FAB: speed-dial on every page for rapid trip/expense/payment creation.

Health Check: https://travel-accounting-production.up.railway.app/api/health

---
Walter — if you're reading this, we see you out there working quietly behind the scenes. You're appreciated. Keep doing your thing.