otto 2.0.2 → 2.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fabc1e8d6f7eef1d982b1f298fd0fe68382417aedd4b250ded28e5c7ba39a588
-  data.tar.gz: 02f4509daad92151895100c75339d82e3f8b76106dbcaa04b2db34f7b4d39976
+  metadata.gz: 0616e034fc5859c42ed2eb48e1d123abdd1b36bca93422cf858d51331843c2c9
+  data.tar.gz: 667c3067cdd71ed41ef733c479798836522c32d37044edeb5f78d33c04b14818
 SHA512:
-  metadata.gz: 2c5f1958418f70a429bfc2379f7407387ca4a1a6cdd129160ff6bf3e416f33a637c0d14049bd97ab0c7abce02ab5b11eb943aff330b5c1c0425d55c387ff3351
-  data.tar.gz: '08e5ec5c3278adeced0dd3c1cffb7452129a12ad742c381b29a29bd569be4d013a67a660ad111bfe51631672e21d96cf2c0f39c69ab595758aa0e7e1d562ed32'
+  metadata.gz: c219d4864ffc3090983ee50828279914dc052d0d65f5fd75dbaff812a1fee5d32880c325956d778c9a68e39e396e0f855f271eb3355ddee9d846e186586c57a2
+  data.tar.gz: d32b8d2235fe0d2c95510c4ec5f1623f30a6039bac1a309878af03907458fd9a51ea18f6e5584dfe88754a45cef25469f52ba72bee7847e97b87f2e481672e9d

data/.github/workflows/claude-code-review.yml

@@ -54,7 +54,7 @@ jobs:
       - name: Remove claude-review label
         # Remove label whether success or failure - prevents getting stuck
         if: always() && github.event.action != 'opened'
-        uses: actions/github-script@v8
+        uses: actions/github-script@v9
         with:
           script: |
             try {

data/.github/workflows/code-smells.yml

@@ -71,7 +71,7 @@ jobs:
         continue-on-error: true
 
       - name: Upload Reek report as artifact
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         if: always()
         with:
           name: reek-report

data/.github/workflows/release-gem.yml

@@ -0,0 +1,162 @@
+# Release Gem Workflow
+#
+# Automatically builds and publishes the otto gem to RubyGems.org when a
+# GitHub release is published with a semantic version tag (vMAJOR.MINOR.PATCH,
+# e.g. v0.6.1, v1.2.3).
+#
+# Follows the canonical RubyGems Trusted Publishing workflow:
+#   https://guides.rubygems.org/trusted-publishing/
+#
+# ============================================================================
+# SETUP INSTRUCTIONS (one-time)
+# ============================================================================
+#
+# This workflow uses RubyGems Trusted Publishing (OIDC). No long-lived API
+# key needs to be stored in GitHub.
+#
+# ----------------------------------------------------------------------------
+# 1. Configure the trusted publisher on RubyGems.org
+# ----------------------------------------------------------------------------
+#
+#   a. Sign in to https://rubygems.org and enable MFA on your account
+#      (required for trusted publishing).
+#
+#   b. Open the gem's trusted publisher page (works for both existing gems
+#      and the first-ever publish):
+#        Existing gem: https://rubygems.org/gems/otto/trusted_publishers
+#        First publish: https://rubygems.org/profile/oidc/pending_trusted_publishers/new
+#
+#   c. Click "Create" and fill in:
+#        Publisher type:    GitHub Actions
+#        Repository owner:  delano
+#        Repository name:   otto
+#        Workflow filename: release-gem.yml
+#        Environment:       rubygems.org   (must match `environment.name` below)
+#
+#   d. Save. RubyGems will now accept short-lived OIDC tokens issued by this
+#      workflow running in this repository.
+#
+# ----------------------------------------------------------------------------
+# 2. Configure the GitHub environment
+# ----------------------------------------------------------------------------
+#
+#   a. In GitHub: Settings -> Environments -> New environment
+#      Name: `rubygems.org`   (must match `environment.name` below)
+#
+#   b. Under "Deployment branches and tags", restrict to tags matching:
+#        v*.*.*
+#      This prevents the environment (and its OIDC token) from being used
+#      from any branch or non-release tag.
+#
+#   c. Optional but recommended: add required reviewers to gate publishes
+#      behind manual approval.
+#
+#   No GitHub secrets are required - OIDC handles authentication.
+#
+# ----------------------------------------------------------------------------
+# 3. Cutting a release
+# ----------------------------------------------------------------------------
+#
+#   a. Bump Otto::VERSION in lib/otto/version.rb (semver: MAJOR.MINOR.PATCH).
+#   b. Update CHANGELOG.md and commit on main.
+#   c. On GitHub, draft a Release with tag `vX.Y.Z` (matching the constant)
+#      and publish it. This workflow runs automatically: it verifies the tag
+#      matches the gemspec version, builds the gem, and pushes it.
+#
+# ----------------------------------------------------------------------------
+# Fallback: API key (only if Trusted Publishing isn't an option)
+# ----------------------------------------------------------------------------
+#
+#   1. Create an API key at https://rubygems.org/profile/api_keys with scope
+#      "Push rubygem" restricted to the `otto` gem.
+#   2. Store it as a repo secret named `RUBYGEMS_API_KEY`.
+#   3. Drop the `id-token: write` permission and `environment:` block, and
+#      replace the `rubygems/release-gem` step with:
+#
+#        - name: Publish to RubyGems
+#          env:
+#            GEM_HOST_API_KEY: ${{ secrets.RUBYGEMS_API_KEY }}
+#          run: gem push otto-*.gem
+#
+# ----------------------------------------------------------------------------
+# Action provenance (SHA pins)
+# ----------------------------------------------------------------------------
+#
+# All third-party actions below are pinned to a full commit SHA, per GitHub's
+# secure-use guidance for release-critical workflows. The accompanying
+# comment records the tag the SHA was resolved from so renovate/dependabot
+# can keep them current.
+#
+#   actions/checkout      - official GitHub action
+#   ruby/setup-ruby       - official Ruby org action (GitHub-verified creator)
+#   rubygems/release-gem  - official RubyGems action for trusted publishing
+#
+# ============================================================================
+
+name: Release Gem
+
+on:
+  release:
+    types: [published]
+
+# Coarse default. Each job re-declares the narrowest permissions it needs.
+permissions:
+  contents: read
+
+# Don't allow two release runs to race - one published tag, one publish.
+concurrency:
+  group: release-gem-${{ github.event.release.tag_name }}
+  cancel-in-progress: false
+
+jobs:
+  release:
+    name: Build and push gem
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    environment:
+      name: rubygems.org
+      url: https://rubygems.org/gems/otto
+
+    permissions:
+      contents: write   # rubygems/release-gem attaches built .gem to the GitHub release
+      id-token: write   # OIDC token for RubyGems Trusted Publishing
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
+        with:
+          bundler-cache: true
+          # Pinned to 3.3 (oldest non-experimental Ruby in the CI matrix).
+          # Latest stable (4.0) ships ipaddr 1.2.8 as a default gem, which
+          # bundler 2.7.x cannot override with the lockfile's 1.2.9 - the
+          # same reason Ruby 4.0 is `experimental: true` in ci.yml.
+          ruby-version: "3.3"
+
+      - name: Verify release tag matches Otto::VERSION
+        env:
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
+        run: |
+          set -euo pipefail
+          case "${RELEASE_TAG}" in
+            v[0-9]*.[0-9]*.[0-9]*) ;;
+            *)
+              echo "Release tag '${RELEASE_TAG}' is not a vMAJOR.MINOR.PATCH semver tag." >&2
+              exit 1
+              ;;
+          esac
+          tag_version="${RELEASE_TAG#v}"
+          gem_version="$(ruby -r ./lib/otto/version.rb -e 'print Otto::VERSION')"
+          if [ "${tag_version}" != "${gem_version}" ]; then
+            echo "Release tag ${RELEASE_TAG} (${tag_version}) != Otto::VERSION (${gem_version})." >&2
+            exit 1
+          fi
+          echo "Releasing otto ${gem_version} from tag ${RELEASE_TAG}"
+
+      - name: Build and push gem to RubyGems
+        uses: rubygems/release-gem@6317d8d1f7e28c24d28f6eff169ea854948bd9f7 # v1.2.0

data/{CLAUDE.md → AGENTS.md}

@@ -1,6 +1,6 @@
-# CLAUDE.md
+# AGENTS.md
 
-This file provides essential guidance to Claude Code when working with Otto.
+This file provides essential guidance to AI agents when working with Otto.
 
 ## Error Handler Registration
 

data/CHANGELOG.rst

@@ -7,6 +7,43 @@ The format is based on `Keep a Changelog <https://keepachangelog.com/en/1.1.0/>`
 
    <!--scriv-insert-here-->
 
+.. _changelog-2.2.0:
+
+2.2.0 — 2026-06-09
+==================
+
+Added
+-----
+
+- Added ``AuthorizationFailure`` result type for auth strategies to signal 403 Forbidden distinct from 401 Unauthorized. Strategies that perform combined authentication and authorization in one pass can now return ``authorization_failure(reason)`` when a valid credential is denied a permission, allowing ``RouteAuthWrapper`` to map the result to a proper 403 response rather than collapsing it to 401.
+- Added ``#authorization_failure`` helper to ``AuthStrategy`` base class for consistent error signaling across strategy implementations.
+- Extracted ``#strategy_auth_method`` private helper to handle anonymous strategy classes (common in tests) that have a nil ``#name``.
+
+.. _changelog-2.1.0:
+
+2.1.0 — 2026-05-27
+==================
+
+- Add ``Otto#on_route_matched`` lifecycle hook. Callbacks fire after a
+  route matches but before the handler dispatches, with signature
+  ``(env, route_definition)``. Mirrors ``on_request_complete`` for
+  registration and freezing, but exceptions raised from a callback
+  propagate through ``handle_error`` rather than being swallowed, so
+  consumers can route custom error classes through
+  ``register_error_handler`` for short-circuit gating. Skipped for
+  static file routes and the 404 fallback; fires on both literal and
+  dynamic matches. Per-instance state, zero overhead when no callbacks
+  are registered. (#129)
+
+- Add ``Otto#register_handler_wrapper`` API for per-request handler
+  composition. Registers factory blocks composed around each route
+  handler at request time; wrappers nest outermost-first in
+  registration order, with ``RouteAuthWrapper`` preserved as the
+  innermost wrapper so consumers see ``env['otto.strategy_result']``.
+  ``freeze_configuration!`` now exercises every registered wrapper
+  against every loaded route, surfacing ``TypeError`` and factory bugs
+  at boot rather than on the first matching request. (#130)
+
 .. _changelog-2.0.2:
 
 2.0.2 — 2026-04-15

data/Gemfile

@@ -27,7 +27,7 @@ group :development do
   gem 'benchmark'
   gem 'debug'
   gem 'rackup' # Used to boot examples/ apps; not needed by specs
-  gem 'rubocop', '~> 1.81.7', require: false
+  gem 'rubocop', '~> 1.86.2', require: false
   gem 'rubocop-performance', require: false
   gem 'rubocop-rspec', require: false
   gem 'rubocop-thread_safety', require: false

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    otto (2.0.2)
+    otto (2.2.0)
       concurrent-ruby (~> 1.3, < 2.0)
       ipaddr (~> 1, < 2.0)
       logger (~> 1, < 2.0)
@@ -18,8 +18,8 @@ GEM
     bigdecimal (4.1.1)
     concurrent-ruby (1.3.6)
     crass (1.0.6)
-    date (3.4.1)
-    debug (1.11.0)
+    date (3.5.1)
+    debug (1.11.1)
       irb (~> 1.10)
       reline (>= 0.3.8)
     diff-lcs (1.6.2)
@@ -52,15 +52,16 @@ GEM
       dry-inflector (~> 1.0)
       dry-logic (~> 1.4)
       zeitwerk (~> 2.6)
-    erb (5.1.1)
+    erb (6.0.4)
     hana (1.3.7)
-    io-console (0.8.1)
-    ipaddr (1.2.8)
-    irb (1.15.2)
+    io-console (0.8.2)
+    ipaddr (1.2.9)
+    irb (1.18.0)
       pp (>= 0.6.0)
+      prism (>= 1.3.0)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
-    json (2.19.3)
+    json (2.19.5)
     json_schemer (2.5.0)
       bigdecimal
       hana (~> 1.3)
@@ -100,7 +101,7 @@ GEM
     prettier_print (1.2.1)
     prettyprint (0.2.0)
     prism (1.9.0)
-    psych (5.2.6)
+    psych (5.3.1)
       date
       stringio
     racc (1.8.1)
@@ -118,7 +119,7 @@ GEM
       logger
       prism (>= 1.6.0)
       tsort
-    rdoc (6.15.0)
+    rdoc (7.2.0)
       erb
       psych (>= 4.0.0)
       tsort
@@ -129,7 +130,7 @@ GEM
       rainbow (>= 2.0, < 4.0)
       rexml (~> 3.1)
     regexp_parser (2.12.0)
-    reline (0.6.2)
+    reline (0.6.3)
       io-console (~> 0.5)
     rexml (3.4.4)
     rspec (3.13.2)
@@ -145,15 +146,15 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
     rspec-support (3.13.7)
-    rubocop (1.81.7)
+    rubocop (1.86.2)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
-      parallel (~> 1.10)
+      parallel (>= 1.10)
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 2.9.3, < 3.0)
-      rubocop-ast (>= 1.47.1, < 2.0)
+      rubocop-ast (>= 1.49.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 4.0)
     rubocop-ast (1.49.1)
@@ -176,8 +177,8 @@ GEM
       rbs (>= 3, < 5)
     ruby-progressbar (1.13.0)
     simpleidn (0.2.3)
-    stackprof (0.2.27)
-    stringio (3.1.7)
+    stackprof (0.2.28)
+    stringio (3.2.0)
     syntax_tree (6.3.0)
       prettier_print (>= 1.2.0)
     tryouts (3.7.1)
@@ -219,7 +220,7 @@ DEPENDENCIES
   rackup
   reek (~> 6.5)
   rspec (~> 3.13)
-  rubocop (~> 1.81.7)
+  rubocop (~> 1.86.2)
   rubocop-performance
   rubocop-rspec
   rubocop-thread_safety

data/lib/otto/core/configuration.rb

@@ -170,6 +170,11 @@ class Otto
         deep_freeze_value(@auth_config) if @auth_config
         deep_freeze_value(@option) if @option
 
+        # Validate registered handler-wrapper factories against every loaded
+        # route before locking the config. Surfaces TypeError / factory bugs
+        # at boot instead of on the first request that happens to match.
+        validate_handler_wrappers!
+
         # Deep freeze route structures (prevent modification of nested hashes/arrays)
         deep_freeze_value(@routes) if @routes
         deep_freeze_value(@routes_literal) if @routes_literal
@@ -207,6 +212,35 @@ class Otto
         # Only check the new middleware stack as the single source of truth
         @middleware&.includes?(middleware_class)
       end
+
+      # Walk every loaded route and exercise the registered handler-wrapper
+      # factories against a sentinel inner handler. Each factory must return a
+      # callable; HandlerFactory.apply_handler_wrappers raises TypeError
+      # otherwise. The constructed chain is discarded — this is a fail-fast
+      # validation pass, not memoization.
+      #
+      # Iterates @routes (covers MCP routes added directly) uniquified by
+      # identity. No-op if no wrappers are registered or no routes are loaded.
+      #
+      # @api private
+      # @return [void]
+      def validate_handler_wrappers!
+        return unless @routes && @route_handler_factory
+        return if @handler_wrappers.nil? || @handler_wrappers.empty?
+
+        sentinel = ->(_env, _extra = {}) { [200, {}, []] }
+        seen = {}.compare_by_identity
+        @routes.each_value do |routes_for_verb|
+          routes_for_verb.each do |route|
+            next if seen[route]
+
+            seen[route] = true
+            Otto::RouteHandlers::HandlerFactory.apply_handler_wrappers(
+              sentinel, route.route_definition, self
+            )
+          end
+        end
+      end
     end
   end
 end

data/lib/otto/core/lifecycle_hooks.rb

@@ -58,6 +58,86 @@ class Otto
       def request_complete_callbacks
         @request_complete_callbacks
       end
+
+      # Register a callback fired after a route matches but before the handler dispatches.
+      #
+      # The callback receives two arguments:
+      # - env: the Rack environment hash
+      # - route_definition: the matched Otto::RouteDefinition
+      #
+      # Unlike on_request_complete, exceptions raised inside on_route_matched callbacks
+      # are NOT swallowed: they propagate to Otto#handle_error so consumers can route
+      # custom error classes through register_error_handler.
+      #
+      # Does not fire for static-file routes or for the 404 fallback route.
+      #
+      # @example
+      #   otto.on_route_matched do |env, route_definition|
+      #     raise MyApp::Maintenance if maintenance? && route_definition.auth_requirement
+      #   end
+      #
+      # @yield [env, route_definition] Block to execute after route match
+      # @yieldparam env [Hash] The Rack environment
+      # @yieldparam route_definition [Otto::RouteDefinition] The matched route definition
+      # @return [self] Returns self for method chaining
+      # @raise [FrozenError] if called after configuration is frozen
+      def on_route_matched(&block)
+        ensure_not_frozen!
+        @route_matched_callbacks << block if block_given?
+        self
+      end
+
+      # Get registered route matched callbacks (for internal use)
+      #
+      # @api private
+      # @return [Array<Proc>] Array of registered callback blocks
+      def route_matched_callbacks
+        @route_matched_callbacks
+      end
+
+      # Register a wrapper factory that composes around each route handler.
+      #
+      # The block is invoked once per request, identical to RouteAuthWrapper
+      # instantiation, with the route's definition and the inner (already
+      # wrapped) handler. It must return either the original inner_handler (to
+      # opt out for that route) or a new object responding to :call(env).
+      # Wrappers compose outermost-first in registration order:
+      #
+      #   request -> wrapper_1 -> wrapper_2 -> ... -> RouteAuthWrapper -> base_handler
+      #
+      # RouteAuthWrapper always stays innermost so env['otto.strategy_result'] is set
+      # before any consumer wrapper sees the request.
+      #
+      # Factory blocks are exercised once against every loaded route during
+      # freeze_configuration! (see validate_handler_wrappers!) so factories that
+      # raise unconditionally or return non-callables surface at boot rather
+      # than on the first request that happens to match.
+      #
+      # @example Gate a route by an option set in the routes file
+      #   otto.register_handler_wrapper do |route_definition, inner_handler|
+      #     next inner_handler unless route_definition.option(:scope) == 'canonical'
+      #     MyApp::CanonicalOnlyWrapper.new(inner_handler, route_definition)
+      #   end
+      #
+      # @yield [route_definition, inner_handler] Factory invoked per request
+      # @yieldparam route_definition [Otto::RouteDefinition] The route being wrapped
+      # @yieldparam inner_handler [#call] The handler to wrap (RouteAuthWrapper or base)
+      # @yieldreturn [#call] A callable wrapper, or inner_handler unchanged to skip
+      # @return [self] Returns self for method chaining
+      # @raise [FrozenError] if called after configuration is frozen
+      def register_handler_wrapper(&block)
+        ensure_not_frozen!
+        @handler_wrappers << block if block_given?
+        self
+      end
+
+      # Get registered handler wrapper factories (for internal use)
+      #
+      # @api private
+      # @return [Array<Proc>] Array of registered wrapper factory blocks
+      def handler_wrappers
+        @handler_wrappers
+      end
     end
   end
 end

data/lib/otto/core/router.rb

@@ -110,6 +110,10 @@ class Otto
               handler: route.route_definition.definition,
               auth_strategy: route.route_definition.auth_requirement || 'none'
             ))
+          # Fire route matched hooks before dispatch; raises propagate to handle_error
+          unless @route_matched_callbacks.empty?
+            @route_matched_callbacks.each { |cb| cb.call(env, route.route_definition) }
+          end
           route.call(env)
         elsif static_route && http_verb == :GET && safe_file?(path_info)
           Otto.structured_log(:debug, 'Route matched',
@@ -180,6 +184,12 @@ class Otto
               Otto::LoggingHelpers.request_context(env).merge(
                 fallback_to: '404_route'
               ))
+          else
+            # Fire route matched hooks before dispatch; suppressed for 404 fallback.
+            # Raises propagate to handle_error so custom error classes can be registered.
+            unless @route_matched_callbacks.empty?
+              @route_matched_callbacks.each { |cb| cb.call(env, found_route.route_definition) }
+            end
           end
           found_route.call env, extra_params
         else

data/lib/otto/route_handlers/factory.rb

@@ -37,6 +37,23 @@ class Otto
           )
         end
 
+        apply_handler_wrappers(handler, route_definition, otto_instance)
+      end
+
+      # Compose registered wrappers outermost-first. Built innermost-out so
+      # reverse_each yields a final order of: w1(w2(...(RouteAuthWrapper(base)))).
+      def self.apply_handler_wrappers(handler, route_definition, otto_instance)
+        wrappers = otto_instance&.handler_wrappers
+        return handler if wrappers.nil? || wrappers.empty?
+
+        wrappers.reverse_each do |factory|
+          wrapped = factory.call(route_definition, handler)
+          unless wrapped.respond_to?(:call)
+            raise TypeError,
+                  "handler wrapper must return an object responding to :call, got #{wrapped.class}"
+          end
+          handler = wrapped
+        end
         handler
       end
     end

data/lib/otto/security/authentication/auth_strategy.rb

@@ -31,20 +31,47 @@ class Otto
           Otto::Security::Authentication::StrategyResult.new(
             session: session,
             user: user,
-            auth_method: auth_method || self.class.name.split('::').last,
+            auth_method: auth_method || strategy_auth_method,
             metadata: metadata,
             strategy_name: nil # Will be set by RouteAuthWrapper
           )
         end
 
         # Helper for authentication failure - return AuthFailure
+        #
+        # Use for a missing, invalid, or expired credential. RouteAuthWrapper maps
+        # this to 401 Unauthorized. For a VALID credential that is not permitted,
+        # use #authorization_failure instead (403 Forbidden).
         def failure(reason = nil)
           Otto.logger.debug "[#{self.class}] Authentication failed: #{reason}" if reason
           Otto::Security::Authentication::AuthFailure.new(
             failure_reason: reason || 'Authentication failed',
-            auth_method: self.class.name.split('::').last
+            auth_method: strategy_auth_method
+          )
+        end
+
+        # Helper for authorization failure - return AuthorizationFailure
+        #
+        # Use when the credential is valid but the authenticated subject is not
+        # permitted (wrong role, missing permission). RouteAuthWrapper maps this to
+        # 403 Forbidden, letting clients distinguish "authenticate again" (401) from
+        # "you lack this permission" (403). See AuthorizationFailure.
+        def authorization_failure(reason = nil)
+          Otto.logger.debug "[#{self.class}] Authorization denied: #{reason}" if reason
+          Otto::Security::Authentication::AuthorizationFailure.new(
+            failure_reason: reason || 'Authorization denied',
+            auth_method: strategy_auth_method
           )
         end
+
+        private
+
+        # Short auth_method label from the strategy class name. Anonymous strategy
+        # classes (Class.new(...), common in tests) have a nil #name, so fall back
+        # to a generic label rather than raising on nil#split.
+        def strategy_auth_method
+          (self.class.name || 'AuthStrategy').split('::').last
+        end
       end
     end
   end

data/lib/otto/security/authentication/authorization_failure.rb

@@ -0,0 +1,56 @@
+# lib/otto/security/authentication/authorization_failure.rb
+#
+# frozen_string_literal: true
+
+class Otto
+  module Security
+    module Authentication
+      # Result for AUTHORIZATION failures (authenticated, but not permitted).
+      #
+      # This is distinct from AuthFailure, which represents an AUTHENTICATION
+      # failure (no/invalid/expired credential). A strategy that performs both
+      # authentication and authorization in one pass (e.g. a token strategy that
+      # also enforces a role/permission encoded in the route requirement) returns:
+      #
+      #   * AuthFailure          -> credential missing/invalid  -> 401 Unauthorized
+      #   * AuthorizationFailure -> credential valid, but denied -> 403 Forbidden
+      #
+      # Without this type a combined strategy could only return AuthFailure, and
+      # RouteAuthWrapper would collapse an authorization denial to 401 — leaving a
+      # client unable to distinguish "authenticate again" from "you lack this
+      # permission." The wrapper maps this type to ResponseBuilder#forbidden (403);
+      # see RouteAuthWrapper#handle_all_strategies_failed.
+      #
+      # NOTE: Otto's built-in Layer-1 role check (RoleAuthorization, driven by the
+      # `role=` route token) already yields 403 for role mismatches on a successful
+      # StrategyResult. This type covers the complementary case: a strategy that
+      # owns authorization itself (including permission tiers, which Layer-1 does
+      # not model) and needs to signal a 403 directly.
+      AuthorizationFailure = Data.define(:failure_reason, :auth_method) do
+        # Authorization failures are not an authenticated request state. The
+        # request never reaches the handler, so handler-facing predicates report
+        # the same "no user context" shape AuthFailure does.
+        #
+        # @return [Boolean] False
+        def authenticated?
+          false
+        end
+
+        # @return [Boolean] True (no user context attached to a denial)
+        def anonymous?
+          true
+        end
+
+        # @return [Hash] Empty hash
+        def user_context
+          {}
+        end
+
+        # @return [String] Debug representation
+        def inspect
+          "#<AuthorizationFailure reason=#{failure_reason.inspect} method=#{auth_method}>"
+        end
+      end
+    end
+  end
+end

data/lib/otto/security/authentication/route_auth_wrapper.rb

@@ -106,11 +106,18 @@ class Otto
                                         duration, total_start_time, failed_strategies)
             end
 
-            # Handle authentication failure - continue to next strategy
-            next unless result.is_a?(AuthFailure)
+            # Handle a failure (authentication OR authorization) - record it and
+            # continue to the next strategy (OR logic; a later success still wins).
+            # AuthorizationFailure (valid credential, denied) is tagged so the
+            # final response is 403 instead of 401. See handle_all_strategies_failed.
+            next unless result.is_a?(AuthFailure) || result.is_a?(AuthorizationFailure)
 
             log_strategy_failure(env, strategy_name, result, duration, auth_requirements, requirement)
-            failed_strategies << { strategy: strategy_name, reason: result.failure_reason }
+            failed_strategies << {
+              strategy: strategy_name,
+              reason: result.failure_reason,
+              authorization: result.is_a?(AuthorizationFailure),
+            }
           end
 
           # All strategies failed
@@ -156,6 +163,14 @@ class Otto
             strategy_name: failure_strategy_name
           )
 
+          # Authorization denial wins over authentication failure: if any strategy
+          # authenticated the subject but denied authorization (wrong role/missing
+          # permission), respond 403 Forbidden rather than 401 — the subject IS
+          # authenticated, they simply lack access. A bare 401 would (incorrectly)
+          # tell a logged-in client to re-authenticate.
+          authz_denial = failed_strategies.find { |f| f[:authorization] }
+          return @response_builder.forbidden(env, authz_denial[:reason]) if authz_denial
+
           last_failure = if failed_strategies.any?
                            AuthFailure.new(
                              failure_reason: failed_strategies.last[:reason],

data/lib/otto/security/authentication.rb

@@ -8,6 +8,7 @@
 require_relative 'authentication/auth_strategy'
 require_relative 'authentication/strategy_result'
 require_relative 'authentication/auth_failure'
+require_relative 'authentication/authorization_failure'
 require_relative 'authentication/route_auth_wrapper'
 
 # Load all strategies
@@ -31,4 +32,5 @@ class Otto
   # Top-level backward compatibility aliases
   StrategyResult = Security::Authentication::StrategyResult
   AuthFailure = Security::Authentication::AuthFailure
+  AuthorizationFailure = Security::Authentication::AuthorizationFailure
 end

data/lib/otto/version.rb

@@ -3,5 +3,5 @@
 # frozen_string_literal: true
 
 class Otto
-  VERSION = '2.0.2'
+  VERSION = '2.2.0'
 end

data/lib/otto.rb

@@ -170,7 +170,9 @@ class Otto
     @security          = Otto::Security::Configurator.new(@security_config, @middleware, @auth_config)
     @app               = nil # Pre-built middleware app (built after initialization)
     @request_complete_callbacks = [] # Instance-level request completion callbacks
-    @error_handlers    = {} # Registered error handlers for expected errors
+    @route_matched_callbacks    = [] # Instance-level route matched callbacks
+    @handler_wrappers           = [] # Instance-level handler wrapper factories
+    @error_handlers             = {} # Registered error handlers for expected errors
 
     # Initialize helper module registries
     @request_helper_modules = []

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: otto
 version: !ruby/object:Gem::Version
-  version: 2.0.2
+  version: 2.2.0
 platform: ruby
 authors:
 - Delano Mandelbaum
@@ -142,14 +142,15 @@ files:
 - ".github/workflows/claude-code-review.yml"
 - ".github/workflows/claude.yml"
 - ".github/workflows/code-smells.yml"
+- ".github/workflows/release-gem.yml"
 - ".gitignore"
 - ".pre-commit-config.yaml"
 - ".pre-push-config.yaml"
 - ".reek.yml"
 - ".rspec"
 - ".rubocop.yml"
+- AGENTS.md
 - CHANGELOG.rst
-- CLAUDE.md
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
@@ -280,6 +281,7 @@ files:
 - lib/otto/security/authentication.rb
 - lib/otto/security/authentication/auth_failure.rb
 - lib/otto/security/authentication/auth_strategy.rb
+- lib/otto/security/authentication/authorization_failure.rb
 - lib/otto/security/authentication/route_auth_wrapper.rb
 - lib/otto/security/authentication/route_auth_wrapper/response_builder.rb
 - lib/otto/security/authentication/route_auth_wrapper/role_authorization.rb