fix(network): return mainnet-only 404 before method gate on prefixed routes

[andriypolanski]

Summary

• Evaluate isMainnetOnlyApiPath before the read-only method gate in handleNetworkScopedRequest.
• Network-prefixed POST/PUT/etc. to mainnet-only paths return the same 404 + meta.network as GET.

Closes #2190

Why

Agents probing /api/v1/testnet/graphql with POST see 405 instead of the documented mainnet-only 404, diverging from sibling GET routes and from bare mainnet behavior.

Test plan

• npm test -- tests/network-routing.test.mjs
• POST /api/v1/testnet/graphql → 404, mainnet-only message, meta.network === "testnet"
• GET on same path unchanged (404 mainnet-only)
• Registry routes under testnet still 200 for GET

[superagent-security]

Superagent didn't find any vulnerabilities or security issues in this PR.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.23%. Comparing base (a3c4230) to head (70d97bc).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2191      +/-   ##
==========================================
- Coverage   93.25%   93.23%   -0.02%     
==========================================
  Files          51       52       +1     
  Lines        8076     8127      +51     
  Branches     2962     2981      +19     
==========================================
+ Hits         7531     7577      +46     
- Misses         92       96       +4     
- Partials      453      454       +1     

Files with missing lines	Coverage Δ
workers/api.mjs	94.27% <100.00%> (-0.31%)	⬇️

... and 2 files with indirect coverage changes

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[gittensory-orb]

Tip

🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩

✅ Gittensory review — safe to merge

2 files · 1 AI reviewers · no blockers · readiness 55/100 · CI green · clean

✅ Approved — safe to merge

Review summary
The PR correctly hoists the `isMainnetOnlyApiPath` guard ahead of the read-only method gate in `handleNetworkScopedRequest` (`workers/api.mjs`), so POST/PUT/DELETE to mainnet-only prefixed paths (e.g., `/api/v1/testnet/graphql`) now return 404 + `meta.network` instead of 405. The `isApiPath` extraction is a clean DRY improvement. Test coverage for the targeted fix is solid: GET and POST mainnet-only → 404, POST non-mainnet-only → 405.

Signal	Result	Evidence
Code review	✅ No blockers	1 reviewers, synthesized
Linked issue	✅ Linked	#2190
Related work	⚠️ 2 scoped overlaps	Top overlaps are listed below; lower-confidence bulk is hidden.
Review load	❌ 8/20	Readiness component derived from cached public PR metadata and labels.
Validation evidence	❌ 5/25	Cached preflight status is hold.
Open PR queue	❌ 3/10	15 open PR(s), 13 likely reviewable, 2 unlinked.
Contributor context	✅ Confirmed Gittensor contributor	andriypolanski; Gittensor profile; 76 PR(s), 7 issue(s).
Gate result	✅ Passing	No configured blocker found.

Nits — 5 non-blocking

• The early guard includes `network.id !== "local"`, so `POST /api/v1/local/<mainnet-only-path>` still returns 405 while `GET` on the same path returns 404 via the later branch — no test documents or pins this asymmetry; add a case in `tests/network-routing.test.mjs` for local+POST to a mainnet-only path.
• The `isMainnetOnlyApiPath` branch inside the later `if (isApiPath)` block (`workers/api.mjs`) is now dead code for every non-local network since the early return already covers it; a brief inline comment (e.g. `// local only — non-local caught above`) would explain why the branch is preserved.
• Add `['POST', '/api/v1/local/graphql']` to the new test loop (or a dedicated case) to explicitly assert the intended 404-vs-405 behavior for the local network, documenting the `network.id !== 'local'` design decision.
• Verify whether the `network.id !== 'local'` exclusion is intentional: if local is mainnet-equivalent and mainnet-only paths ARE live there, 405 is correct and the guard is right; if local should mirror testnet semantics (paths unavailable), the guard should be removed and the now-redundant later branch can be deleted.
• PR author also opened the linked issue — Link an issue that was opened by a different contributor, or provide a rationale for why this self-authored issue represents genuine discovery work.

Review context

• Author: andriypolanski
• Role context: outside_contributor
• Public audience mode: oss maintainer
• Lane context: Repository registration is not available in the local Gittensory cache.
• Public profile languages: not available
• Official Gittensor activity: 76 PR(s), 7 issue(s).
• Related work: Items reference the same linked issue Network-prefixed POST to mainnet-only routes returns 405 instead of mainnet-only 404 #2190. (issue #2190)
• Related work: Open PR work references issue Network-prefixed POST to mainnet-only routes returns 405 instead of mainnet-only 404 #2190. (issue #2190)

Contributor next steps

• Review top overlaps.
• Add scope summary.
• Fix blocker.
• Expect slower review.
• Refresh registry data or choose a registered active repo.
• Check active issues and PRs before submitting.

Signal definitions

• Related work = same linked issue, overlapping active PRs, or title/path similarity.
• Review load = cached public PR metadata such as size labels, changed paths, and preflight status.
• Open PR queue = repo-wide review pressure; it is not a PR quality failure.
• Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

Review details

Generated from public PR metadata and the diff. Advisory only; deterministic signals remain authoritative.

The PR correctly hoists the `isMainnetOnlyApiPath` guard ahead of the read-only method gate in `handleNetworkScopedRequest` (`workers/api.mjs`), so POST/PUT/DELETE to mainnet-only prefixed paths (e.g., `/api/v1/testnet/graphql`) now return 404 + `meta.network` instead of 405. The `isApiPath` extraction is a clean DRY improvement. Test coverage for the targeted fix is solid: GET and POST mainnet-only → 404, POST non-mainnet-only → 405.

Nits (4)

• The early guard includes `network.id !== "local"`, so `POST /api/v1/local/<mainnet-only-path>` still returns 405 while `GET` on the same path returns 404 via the later branch — no test documents or pins this asymmetry; add a case in `tests/network-routing.test.mjs` for local+POST to a mainnet-only path.
• The `isMainnetOnlyApiPath` branch inside the later `if (isApiPath)` block (`workers/api.mjs`) is now dead code for every non-local network since the early return already covers it; a brief inline comment (e.g. `// local only — non-local caught above`) would explain why the branch is preserved.
• Add `['POST', '/api/v1/local/graphql']` to the new test loop (or a dedicated case) to explicitly assert the intended 404-vs-405 behavior for the local network, documenting the `network.id !== 'local'` design decision.
• Verify whether the `network.id !== 'local'` exclusion is intentional: if local is mainnet-equivalent and mainnet-only paths ARE live there, 405 is correct and the guard is right; if local should mirror testnet semantics (paths unavailable), the guard should be removed and the now-redundant later branch can be deleted.

_{🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed}

---

💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

• Re-run Gittensory review