From a70c13af4c0d7dc1af332957a9956a6c70f7dc5c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 28 Apr 2026 00:41:41 +0000
Subject: [PATCH 1/2] Initial plan


From 6c383c972ee96da654e3a2bbf5e0934c33ad35f0 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 28 Apr 2026 00:46:24 +0000
Subject: [PATCH 2/2] chore: disable admin API by default, require --admin-api
 to opt in

Agent-Logs-Url: https://github.com/counterfact/api-simulator/sessions/061011a6-c471-4200-ae9e-f1e99b4b1f95
---
 .changeset/admin-api-default-off.md | 5 +++++
 docs/reference.md                   | 2 +-
 src/cli/run.ts                      | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 .changeset/admin-api-default-off.md

diff --git a/.changeset/admin-api-default-off.md b/.changeset/admin-api-default-off.md
new file mode 100644
index 000000000..f09ecb01d
--- /dev/null
+++ b/.changeset/admin-api-default-off.md
@@ -0,0 +1,5 @@
+---
+"counterfact": minor
+---
+
+Admin API is now disabled by default. Use the `--admin-api` flag to opt in.
diff --git a/docs/reference.md b/docs/reference.md
index 396f9aa6c..c4ad606c3 100644
--- a/docs/reference.md
+++ b/docs/reference.md
@@ -312,7 +312,7 @@ npx counterfact@latest [spec] [output] [options]
 | `--watch-routes` | `false` | Watch and regenerate routes only |
 | `--always-fake-optionals` | `false` | Include optional fields in random responses |
 | `--prune` | `false` | Remove route files that no longer exist in the spec |
-| `--no-admin-api` | — | Disable the Admin API at `/_counterfact/api/*` |
+| `--admin-api` | `false` | Enable the Admin API at `/_counterfact/api/*` |
 | `--admin-api-token <token>` | _(none)_ | Bearer token required for Admin API endpoints |
 | `--no-update-check` | — | Disable the npm update check on startup |
 | `--config <path>` | `counterfact.yaml` | Path to a config file |
diff --git a/src/cli/run.ts b/src/cli/run.ts
index e7b2ac0ad..354744f39 100644
--- a/src/cli/run.ts
+++ b/src/cli/run.ts
@@ -394,7 +394,7 @@ function buildProgram(version: string, taglines: string[]): Command {
       "-b, --build-cache",
       "builds the cache of compiled routes and types",
     )
-    .option("--no-admin-api", "disable the admin API at /_counterfact/api/*")
+    .option("--admin-api", "enable the admin API at /_counterfact/api/*")
     .option("-r, --repl", "start the REPL")
     .option("--proxy-url <string>", "proxy URL")
     .option(