diff --git a/__tests__/proxy/demo-guard.test.ts b/__tests__/proxy/demo-guard.test.ts
index f229a8f..1ae94a2 100644
--- a/__tests__/proxy/demo-guard.test.ts
+++ b/__tests__/proxy/demo-guard.test.ts
@@ -30,6 +30,26 @@ beforeEach(() => {
 })
 describe('proxy demo-guard', () => {
+ it('demo + POST /api/ideas → 403 (M12)', async () => {
+ mockUnsealData.mockResolvedValue({ userId: 'demo-user', isDemo: true })
+ const req = makeRequest('POST', '/api/ideas', true)
+ const res = await proxy(req)
+ expect(res?.status).toBe(403)
+ })
+
+ it('demo + PATCH /api/ideas/abc → 403 (M12)', async () => {
+ mockUnsealData.mockResolvedValue({ userId: 'demo-user', isDemo: true })
+ const req = makeRequest('PATCH', '/api/ideas/abc', true)
+ const res = await proxy(req)
+ expect(res?.status).toBe(403)
+ })
+
+ it('demo + GET /api/ideas → passthrough (M12)', async () => {
+ const req = makeRequest('GET', '/api/ideas', true)
+ const res = await proxy(req)
+ expect(res?.status).not.toBe(403)
+ })
+
 it('demo + POST /api/todos → 403', async () => {
 mockUnsealData.mockResolvedValue({ userId: 'demo-user', isDemo: true })
 const req = makeRequest('POST', '/api/todos', true)
diff --git a/proxy.ts b/proxy.ts
index afbfd55..24fc34d 100644
--- a/proxy.ts
+++ b/proxy.ts
@@ -3,7 +3,7 @@ import type { NextRequest } from 'next/server'
 import { unsealData } from 'iron-session'
 import { sessionOptions, type SessionData } from '@/lib/session'
-const protectedRoutes = ['/dashboard', '/products', '/todos', '/settings', '/solo']
+const protectedRoutes = ['/dashboard', '/products', '/todos', '/ideas', '/settings', '/solo']
 const authRoutes = ['/login', '/register']
 const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS'])
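Review bot: The added `demo + GET /api/ideas → passthrough` test never sets `mockUnsealData.mockResolvedValue({ userId: 'demo-user', isDemo: true })`, unlike the POST and PATCH tests above it, and it asserts only `expect(res?.status).not.toBe(403)`. The `beforeEach` body is outside the hunk, so it is not visible whether a demo session is the default. If it is not, the test would also pass when the request is turned away for a missing session, which is not the passthrough its title claims. Setting the demo session explicitly and asserting the expected passthrough result would pin the behaviour. The ideas route is also not exercised with DELETE or PUT here, so a regression that lets one of those methods through for a demo user would go unnoticed.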
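Review bot: The new `'/ideas'` entry in `protectedRoutes` is not exercised by any test added in this commit, since all three new tests request `/api/ideas` with a demo session. How `protectedRoutes` is matched is outside the hunk, so it is not visible whether `/api/ideas` is covered by this list or by a separate API check. If the demo guard already applies to every non-safe `/api/*` request, the new tests would pass without this line. A case such as `it('no session + GET /ideas → redirect to login', ...)`, mirroring whatever exists for `/todos`, would tie the access-control change to a check. If the list is matched by prefix, it is worth confirming that the comparison stops at a path-segment boundary, so that `/ideas` does not also match unrelated paths that merely start with the same characters.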