Thank you for your suggestions
unfortunately like you the page was still accessible. Flushed caches and restarted server, same.
Interestingly the default configuration lacked a binding for /status (which your sample did) and also /transStatus
I added both, no change
I then changed require to a nonexistent role which I expected would block everyone, even admin, or force an error
Again no change which suggests the page rendering code is not checking slave-server-config.xml
Do you happen to know where the kettle endpoints are executed/rendered? I suspect it is somewhere in tomcat but trying to save a night of coffee and head scratching!
Could it be a slave server configuration issue? Running V184.108.40.206.428 with a file repository