I think some logic is broken around the exits. When you remove an exit you see the client send
{"id":31,"method":"call.core.char.XXX.ctrl.deleteExit","params":{"exitId":"YYY"}}
but after that the client will keep spamming
{"id":32,"method":"subscribe.core.exit.YYY.details"}
and getting access denied errors.