diff --git a/dashcaddy-api/routes/auth/index.js b/dashcaddy-api/routes/auth/index.js
index 430d09b..370c957 100644
--- a/dashcaddy-api/routes/auth/index.js
+++ b/dashcaddy-api/routes/auth/index.js
@@ -18,6 +18,7 @@ module.exports = function(ctx) {
     authManager: ctx.authManager,
     credentialManager: ctx.credentialManager,
     totpConfig: ctx.totpConfig,
+    saveTotpConfig: ctx.saveTotpConfig,
     session: ctx.session,
     asyncHandler: ctx.asyncHandler,
     errorResponse: ctx.errorResponse,
diff --git a/dashcaddy-api/routes/auth/totp.js b/dashcaddy-api/routes/auth/totp.js
index 05cb660..0bc6042 100644
--- a/dashcaddy-api/routes/auth/totp.js
+++ b/dashcaddy-api/routes/auth/totp.js
@@ -2,17 +2,29 @@ const express = require('express');
 const { renewCSRFToken } = require('../../csrf-protection');
 const { ValidationError, AuthenticationError } = require('../../errors');
 
-module.exports = function({ authManager, asyncHandler, errorResponse, log }) {
-  const router = express.Router();
 /**
  * Auth TOTP routes factory
  * @param {Object} deps - Explicit dependencies
  * @param {Object} deps.authManager - Auth manager
+ * @param {Object} deps.credentialManager - Credential manager
+ * @param {Object} deps.totpConfig - TOTP configuration
+ * @param {Function} deps.saveTotpConfig - Save TOTP config helper
+ * @param {Object} deps.session - Session context
  * @param {Function} deps.asyncHandler - Async route handler wrapper
  * @param {Function} deps.errorResponse - Error response helper
  * @param {Object} deps.log - Logger instance
  * @returns {express.Router}
  */
+module.exports = function({ authManager, credentialManager, totpConfig, saveTotpConfig, session, asyncHandler, errorResponse, log }) {
+  const router = express.Router();
+  
+  // Ctx shim for backward compatibility
+  const ctx = {
+    credentialManager,
+    totpConfig,
+    saveTotpConfig,
+    session
+  };
 
   // Get current TOTP config (public route)
   router.get('/totp/config', asyncHandler(async (req, res) => {
@@ -181,7 +193,7 @@ module.exports = function({ authManager, asyncHandler, errorResponse, log }) {
   router.post('/totp/config', asyncHandler(async (req, res) => {
     const { sessionDuration } = req.body;
 
-    if (sessionDuration && !ctx.session.durations.hasOwnProperty(sessionDuration)) {
+    if (sessionDuration && !Object.prototype.hasOwnProperty.call(ctx.session.durations, sessionDuration)) {
       throw new ValidationError(`Invalid session duration. Valid options: ${Object.keys(ctx.session.durations).join(', ')}`, 'sessionDuration');
     }
 
diff --git a/fix-ctx-routes.sh b/fix-ctx-routes.sh
new file mode 100644
index 0000000..cf46e86
--- /dev/null
+++ b/fix-ctx-routes.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# Systematically fix ctx.* references in all route files
+
+cd /root/.openclaw/agents/main/workspace/dashcaddy-work/dashcaddy-api
+
+# Find all route files with ctx errors
+echo "Finding routes with ctx errors..."
+for file in $(find routes -name "*.js" -type f | grep -v index.js | grep -v helpers.js); do
+  errors=$(npx eslint "$file" 2>&1 | grep -c "'ctx' is not defined")
+  if [ "$errors" -gt 0 ]; then
+    echo "$errors errors in $file"
+  fi
+done | sort -rn