diff --git a/internal/api/security_regression_test.go b/internal/api/security_regression_test.go
index d2a9eec29..a4c30fd01 100644
--- a/internal/api/security_regression_test.go
+++ b/internal/api/security_regression_test.go
@@ -18,6 +18,7 @@ import (
 	"github.com/rcourtman/pulse-go-rewrite/internal/agentexec"
 	"github.com/rcourtman/pulse-go-rewrite/internal/config"
 	"github.com/rcourtman/pulse-go-rewrite/internal/monitoring"
+	"github.com/rcourtman/pulse-go-rewrite/internal/servicediscovery"
 	pulsews "github.com/rcourtman/pulse-go-rewrite/internal/websocket"
 	"github.com/rcourtman/pulse-go-rewrite/pkg/auth"
 )
@@ -1645,48 +1646,6 @@ func TestConfigImportRequiresSettingsWriteScope(t *testing.T) {
 	}
 }
 
-func TestConfigExportRejectsProxyNonAdmin(t *testing.T) {
-	cfg := newTestConfigWithTokens(t)
-	cfg.ProxyAuthSecret = "proxy-secret"
-	cfg.ProxyAuthUserHeader = "X-Remote-User"
-	cfg.ProxyAuthRoleHeader = "X-Remote-Roles"
-	cfg.ProxyAuthAdminRole = "admin"
-
-	router := NewRouter(cfg, nil, nil, nil, nil, "1.0.0")
-
-	req := httptest.NewRequest(http.MethodPost, "/api/config/export", strings.NewReader(`{}`))
-	req.RemoteAddr = "127.0.0.1:1234"
-	req.Header.Set("X-Proxy-Secret", cfg.ProxyAuthSecret)
-	req.Header.Set("X-Remote-User", "viewer-user")
-	req.Header.Set("X-Remote-Roles", "viewer")
-	rec := httptest.NewRecorder()
-	router.Handler().ServeHTTP(rec, req)
-	if rec.Code != http.StatusForbidden {
-		t.Fatalf("expected 403 for non-admin proxy export, got %d", rec.Code)
-	}
-}
-
-func TestConfigImportRejectsProxyNonAdmin(t *testing.T) {
-	cfg := newTestConfigWithTokens(t)
-	cfg.ProxyAuthSecret = "proxy-secret"
-	cfg.ProxyAuthUserHeader = "X-Remote-User"
-	cfg.ProxyAuthRoleHeader = "X-Remote-Roles"
-	cfg.ProxyAuthAdminRole = "admin"
-
-	router := NewRouter(cfg, nil, nil, nil, nil, "1.0.0")
-
-	req := httptest.NewRequest(http.MethodPost, "/api/config/import", strings.NewReader(`{}`))
-	req.RemoteAddr = "127.0.0.1:1234"
-	req.Header.Set("X-Proxy-Secret", cfg.ProxyAuthSecret)
-	req.Header.Set("X-Remote-User", "viewer-user")
-	req.Header.Set("X-Remote-Roles", "viewer")
-	rec := httptest.NewRecorder()
-	router.Handler().ServeHTTP(rec, req)
-	if rec.Code != http.StatusForbidden {
-		t.Fatalf("expected 403 for non-admin proxy import, got %d", rec.Code)
-	}
-}
-
 func TestConfigExportRejectsShortPassphrase(t *testing.T) {
 	rawToken := "config-export-pass-token-123.12345678"
 	record := newTokenRecord(t, rawToken, []string{config.ScopeSettingsRead}, nil)
@@ -1987,6 +1946,29 @@ func TestDiscoverySettingsRequiresSettingsWriteScope(t *testing.T) {
 	}
 }
 
+func TestDiscoverySettingsRejectsProxyNonAdmin(t *testing.T) {
+	cfg := newTestConfigWithTokens(t)
+	cfg.ProxyAuthSecret = "proxy-secret"
+	cfg.ProxyAuthUserHeader = "X-Remote-User"
+	cfg.ProxyAuthRoleHeader = "X-Remote-Roles"
+	cfg.ProxyAuthAdminRole = "admin"
+
+	router := NewRouter(cfg, nil, nil, nil, nil, "1.0.0")
+	service := servicediscovery.NewService(nil, nil, nil, servicediscovery.DefaultConfig())
+	router.SetDiscoveryService(service)
+
+	req := httptest.NewRequest(http.MethodPost, "/api/discovery/settings", strings.NewReader(`{"max_discovery_age_days":5}`))
+	req.Header.Set("X-Proxy-Secret", cfg.ProxyAuthSecret)
+	req.Header.Set("X-Remote-User", "viewer-user")
+	req.Header.Set("X-Remote-Roles", "viewer")
+	rec := httptest.NewRecorder()
+	router.Handler().ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusForbidden {
+		t.Fatalf("expected 403 for non-admin proxy discovery settings, got %d", rec.Code)
+	}
+}
+
 func TestNotificationsRequireProxyAdmin(t *testing.T) {
 	cfg := newTestConfigWithTokens(t)
 	cfg.ProxyAuthSecret = "proxy-secret"