Yes, we removed the API-services and unified the HTML, MQTT and template APIs in the models.
For access control you need to add access checks in the model m_get, m_post and m_delete (last two are optional). You will need these checks anyway, because you can call the APIs also from MQTT and the templates.
By examining the Context you can see if an API is called from a request context, especially by checking the controller handling the request.
In general I advise to be agnostic to the method used for calling the APIs and just check the capabilities of the current user. Maybe in the future we might add other protocols!
Is the process_get/1 mentioned in the release notes or somewhere else?
For handling the old paths, I have to check the options for the new API controller, knowing how we build these things there is probably thought of something :)