"As a System Administrator, I want to enable or disable the core development endpoints in the REST API, to manage the risk of new endpoints being exposed from my production servers."
This is a user story for a single server configuration option to control whether the /coredev/v0/ endpoints are enabled or not, since we're concerned about introducing risk during a time when the production servers need to be as stable as possible.
A configuration option $wgEnableDevelopmentEndpoints default is false. If it's true, /coredev/v0/ routes are loaded; if not, then they're not (and just return 404).