I'm not an expert at this, and I might have missed what you were trying to do.
My thought was:
create a .tcl/.adp (or a package) that allows a user to enter a password that would add the userid to the group allowed to access the subsite. This would require them to enter the password once, the user would be added to the group that has permissions to view that subsite. Upon subsequent logins to the site, they would still have access to the subsite.
In this case, you could write a simple package or just the .tcl and .adp file to accomplish what you want.
Since permissions seem to be handled through acs-subsite, I don't know that you would need to modify acs-subsite at all.
If you have your own .tcl/.adp pair or your own package, moving your changes to another site would be pretty easy. If it was a package, and other people needed the same capability, or you needed it on another installation, you could easily install the package from your local repository. All of this without changing any of the core code.
I don't know what the procedure is to get changes into core -- someone else would need to answer that.
