# API Contract (Auth-enabled)

All endpoints are JSON. Most routes require the HttpOnly cookie `player`, which is issued after successful register/login.

Legacy player rows are given `legacy-xxxxxxxx` usernames during migration; they must register/login to get a valid auth cookie.

## Auth

- `POST /api/auth/register`
- `POST /api/auth/login`
- `POST /api/auth/logout`

## State

- `GET /api/state` (public)

## Player (requires auth)

- `GET /api/me`
- `POST /api/me/name`

## Suggestions (requires auth + phase gating)

- `GET /api/suggestions/mine`
- `POST /api/suggestions`
- `DELETE /api/suggestions/{id}`
- `GET /api/suggestions/all`

## Votes (requires auth + phase gating)

- `GET /api/votes/mine`
- `POST /api/votes`

## Results (requires auth + phase gating)

- `GET /api/results`

## Admin (admin key header/query required)

- `POST /api/admin/phase`
- `POST /api/admin/reset`
- `POST /api/admin/factory-reset`