From 29ccea334257abb65c15dd500482b05faac274ea Mon Sep 17 00:00:00 2001
From: Mike Stankavich <mike@trakrf.id>
Date: Sat, 16 May 2026 11:48:47 -0500
Subject: [PATCH] =?UTF-8?q?docs(api):=20TRA-748=20F9=20=E2=80=94=20align?=
 =?UTF-8?q?=20Errors=20page=20OPTIONS=20prose=20with=20server-to-server=20?=
 =?UTF-8?q?intent?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Errors page line "OPTIONS is reserved for CORS preflight" implied
OPTIONS is honored for CORS, contradicting both live behavior (405 with
no Access-Control-Allow-* headers) and the canonical http-method-coverage
prose. Replace with framing that matches the authoritative page:
OPTIONS returns 405 like any other unsupported verb; the API is
server-to-server only, no CORS.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 docs/api/errors.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/api/errors.md b/docs/api/errors.md
index 702cab0..45260eb 100644
--- a/docs/api/errors.md
+++ b/docs/api/errors.md
@@ -85,7 +85,7 @@ The hosting edge layer adds a separate **`x-railway-request-id`** response heade
 
 ### HTTP method coverage
 
-The catalog above covers `405 method_not_allowed`. `HEAD` and `OPTIONS` are not enumerated per path in the OpenAPI reference — they're handled uniformly across every endpoint and documented at [HTTP method coverage](./http-method-coverage). The short version: `HEAD` is supported wherever `GET` is declared and behaves identically minus the response body; `OPTIONS` is reserved for CORS preflight; the `Allow` header on a `405` response (mirrored in `error.detail`) is the runtime way to discover what each path supports.
+The catalog above covers `405 method_not_allowed`. `HEAD` and `OPTIONS` are not enumerated per path in the OpenAPI reference — they're handled uniformly across every endpoint and documented at [HTTP method coverage](./http-method-coverage). The short version: `HEAD` is supported wherever `GET` is declared and behaves identically minus the response body; `OPTIONS` is not honored — it returns `405` like any other unsupported verb (the API is server-to-server only, no CORS); the `Allow` header on a `405` response (mirrored in `error.detail`) is the runtime way to discover what each path supports.
 
 ### `validation_error` vs `bad_request`