
Reject wallets page query filters #960

Closed
x0tta6bl4-ai wants to merge 1 commit into ramimbo:main from x0tta6bl4-ai:codex/798-wallets-page-query-guard


@x0tta6bl4-ai x0tta6bl4-ai commented Jun 6, 2026


Fixes another /wallets page query mismatch from bounty #798.

/claim #798

Report: #798 (comment)
Claim: #798 (comment)

What changed:

  • Reject unsupported /wallets query filters: limit, offset, status, account, repo, type.
  • Keep supported q wallet search behavior unchanged.
  • Add regression coverage for unsupported list filters.

Validation:

  • python3 -m pytest tests/test_wallet_api.py::test_wallet_pages_expose_transfer_and_github_claim_flows tests/test_wallet_api.py::test_wallet_pages_reject_control_character_filters -q
  • python3 -m pytest tests/test_wallet_api.py -q
  • python3 -m ruff check app/public_routes.py tests/test_wallet_api.py
  • python3 -m ruff format --check app/public_routes.py tests/test_wallet_api.py
  • python3 -m mypy app/public_routes.py
  • git diff --check

Summary by CodeRabbit

  • Bug Fixes
    • The wallets page now properly validates incoming query parameters and rejects unsupported filters (limit, offset, status, account, repo, type) with HTTP 400 error responses. Users attempting to use these parameters will receive clear error messages explaining that each parameter is not supported on the wallets page, improving API robustness.


coderabbitai Bot commented Jun 6, 2026


Walkthrough

The PR adds query parameter validation to the /wallets endpoint. The route now explicitly rejects limit, offset, status, account, repo, and type parameters by raising HTTP 400 errors with parameter-specific messages. Test coverage verifies each rejection returns the expected error detail.

Changes

Query Parameter Validation for Wallets Endpoint

Layer / File(s) | Summary
Parameter validation and test coverage (app/public_routes.py, tests/test_wallet_api.py) | The /wallets route rejects unsupported query parameters and raises HTTP 400 with per-parameter "not supported on wallets page" messages; test coverage validates each parameter rejection and error message.

Possibly related PRs

  • ramimbo/mergework#859: Both PRs modify the /wallets query-validation logic and extend test coverage for invalid query parameters on the same endpoint.
  • ramimbo/mergework#775: Both PRs touch the /wallets page handling of the type query parameter and add test assertions for rejected type=... requests with HTTP 400.
  • ramimbo/mergework#754: Both PRs modify /wallets query handling for the type parameter, though with different treatment approaches.
🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title 'Reject wallets page query filters' clearly and concretely names the changed surface and summarizes the main change in the changeset.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Mergework Public Artifact Hygiene | ✅ Passed | PR is technical query parameter validation with no investment, price, cash-out, or security claims in code or docs. MRWK properly described as native ledger coin.
Bounty Pr Focus | ✅ Passed | PR targets Bounty #798 and matches stated changes: /wallets rejects 6 unsupported filters with HTTP 400; q parameter preserved; test validates all 6 params and error messages. No unrelated scope.
Description check | ✅ Passed | PR description includes summary, linked bounty/issue references, detailed changes, and validation steps matching the template structure.


@TechEnthusGH TechEnthusGH left a comment


Reviewed current head 73c1715bf412fc1922c4a253b56be44014c83034 for Bounty #838.

Evidence checked:

  • Diff is focused to app/public_routes.py and tests/test_wallet_api.py.
  • /wallets still accepts the supported q search path, but now rejects API/list-style filters (limit, offset, status, account, repo, type) before rendering the HTML page. That matches the route-scope guard pattern and avoids silently ignoring unsupported filters on the wallets page.
  • Regression coverage extends test_wallet_pages_reject_control_character_filters to assert each unsupported wallet-list filter returns HTTP 400 with a specific message.
  • Mergeability/CI checked immediately before review: PR is open, non-draft, mergeStateStatus=CLEAN, mergeable=MERGEABLE; GitHub check Quality, readiness, docs, and image checks is successful; no human reviews or #838 claim mentions for PR #960 were present.

Local validation run from a clean checkout of the PR head:

  • git diff --check origin/main...HEAD -> passed
  • uv run python -m pytest tests/test_wallet_api.py -q -> 45 passed, 1 warning
  • uv run python -m ruff check app/public_routes.py tests/test_wallet_api.py -> passed
  • uv run python -m ruff format --check app/public_routes.py tests/test_wallet_api.py -> passed

No blocker found.

@Errordog2 Errordog2 left a comment


Approved. I applied PR #960 at current head 73c1715bf412fc1922c4a253b56be44014c83034 onto current origin/main/base d7e9b530fffec7bd774da7708597648096a37393 with a clean 3-way apply.

Scope reviewed:

  • /wallets only supports the q search filter, so rejecting limit, offset, status, account, repo, and type avoids silently ignoring unsupported list-style filters.
  • /wallets/{address}?type=... remains unchanged and covered by the existing detail-page assertions.
  • The added test covers each unsupported wallet-list parameter and the expected 400 detail text.

Validation run locally:

  • python -m pytest tests/test_wallet_api.py -k "wallet_pages" -> 3 passed
  • python -m pytest tests/test_wallet_api.py -> 45 passed
  • python -m ruff check app/public_routes.py tests/test_wallet_api.py -> passed
  • python -m ruff format --check app/public_routes.py tests/test_wallet_api.py -> passed
  • python -m mypy app/public_routes.py -> passed
  • git diff --cached --check -> passed

This is narrowly scoped and safe to merge.

@ramimbo ramimbo added the mrwk:rejected Submission rejected label Jun 6, 2026

ramimbo commented Jun 6, 2026

Owner

Closing this unmerged for the current queue pass.

Bounty #798 / bounty 106 is now filled after the accepted proof-backed batch in #951, #952, #953, #954, #955, #956, and #958. This is overflow in the same query-validation report family and is not claimable from the filled round.

@ramimbo ramimbo closed this Jun 6, 2026
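
The query guard discussed in this thread, sketched as an added example that is not the PR's code or the project's own: the helper name `check_wallets_query`, the `strict_allowlist` switch and the exact error wording are assumptions. It goes beyond the PR by adding an optional allowlist mode that rejects every parameter other than `q`, which also covers names the six-item list does not anticipate.

```python
from urllib.parse import parse_qsl

# Filters the PR lists as unsupported on /wallets; `q` is the only supported one.
UNSUPPORTED_WALLET_FILTERS = ("limit", "offset", "status", "account", "repo", "type")
SUPPORTED_WALLET_FILTERS = frozenset({"q"})


def check_wallets_query(raw_query, strict_allowlist=False):
    """Return (status_code, detail) for a raw /wallets query string.

    Hypothetical helper; the detail wording is constructed for this example.
    """
    # keep_blank_values=True matters: with the default, `?limit=` and a bare
    # `?limit` are dropped by the parser and would slip past the guard.
    pairs = parse_qsl(raw_query, keep_blank_values=True)
    names = [name for name, _ in pairs]

    # Denylist pass: the six named filters, checked in a fixed order so the
    # error is deterministic when several are present.
    for name in UNSUPPORTED_WALLET_FILTERS:
        if name in names:
            return 400, f"{name} is not supported on wallets page"

    # Allowlist pass (assumption, not in the PR): anything that is not `q`
    # is rejected, including case variants such as `Limit` and new names.
    if strict_allowlist:
        for name in names:
            if name not in SUPPORTED_WALLET_FILTERS:
                return 400, f"{name} is not supported on wallets page"

    return 200, None


if __name__ == "__main__":
    # Constructed sample query strings.
    for sample in ("q=abc", "q=abc&type=", "limit", "q=abc&sort=asc", "Limit=5"):
        print(sample, check_wallets_query(sample),
              check_wallets_query(sample, strict_allowlist=True))
```
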

Labels

mrwk:rejected Submission rejected
