rake-gem-maintenance 0.1.7 → 0.2.0

data/lib/rake/gem/maintenance/install_tasks.rb

@@ -2,13 +2,13 @@
 
 require_relative "../maintenance"
 
-Rake::GemMaintenance::Repos.rubygems_api_key_env_var = "GEM_HOST_API_KEY"
-Rake::GemMaintenance::Repos.rubygems_otp_seed_env_var = "RUBYGEMS_OTP_SEED"
+Rake::Gem::Maintenance::Repos.rubygems_api_key_env_var = "GEM_HOST_API_KEY"
+Rake::Gem::Maintenance::Repos.rubygems_otp_seed_env_var = "RUBYGEMS_OTP_SEED"
 
-Rake::GemMaintenance::UpgradeTask.new
-Rake::GemMaintenance::VersionBumpTask.new
+Rake::Gem::Maintenance::UpgradeTask.new
+Rake::Gem::Maintenance::VersionBumpTask.new
 
-Rake::GemMaintenance::CredentialStore.new.apply_to_env(
+Rake::Gem::Maintenance::CredentialStore.new.apply_to_env(
   username_env_var: "RUBYGEMS_USERNAME",
   api_key_env_var: "GEM_HOST_API_KEY"
 )

data/lib/rake/gem/maintenance/otp_provider.rb

@@ -1,44 +1,46 @@
 # frozen_string_literal: true
 
 module Rake
-  module GemMaintenance
-    # Resolves a 2FA OTP code for gem push, either from the environment or interactively.
-    # Resolution order for otp_for:
-    #   1. RUBYGEMS_OTP env var set → use raw code (works in CI and locally)
-    #   2. otp_seed_env_var provided and env var set → generate TOTP code (works in CI and locally)
-    #   3. CI environment → nil (gate only interactive prompt)
-    #   4. Interactive prompt
-    class OtpProvider
-      def initialize(ci_environment: CIEnvironment, input: $stdin)
-        @ci_environment = ci_environment
-        @input = input
-      end
+  module Gem
+    module Maintenance
+      # Resolves a 2FA OTP code for gem push, either from the environment or interactively.
+      # Resolution order for otp_for:
+      #   1. RUBYGEMS_OTP env var set → use raw code (works in CI and locally)
+      #   2. otp_seed_env_var provided and env var set → generate TOTP code (works in CI and locally)
+      #   3. CI environment → nil (gate only interactive prompt)
+      #   4. Interactive prompt
+      class OtpProvider
+        def initialize(ci_environment: CIEnvironment, input: $stdin)
+          @ci_environment = ci_environment
+          @input = input
+        end
 
-      def otp_for(repository_name, otp_seed_env_var: nil)
-        env_otp = ENV.fetch("RUBYGEMS_OTP", nil)
-        return env_otp if env_otp && !env_otp.empty?
+        def otp_for(repository_name, otp_seed_env_var: nil)
+          env_otp = ENV.fetch("RUBYGEMS_OTP", nil)
+          return env_otp if env_otp && !env_otp.empty?
 
-        if otp_seed_env_var
-          seed = ENV.fetch(otp_seed_env_var, nil)
-          return generate_totp(seed) if seed && !seed.empty?
-        end
+          if otp_seed_env_var
+            seed = ENV.fetch(otp_seed_env_var, nil)
+            return generate_totp(seed) if seed && !seed.empty?
+          end
 
-        return nil if @ci_environment.ci?
+          return nil if @ci_environment.ci?
 
-        prompt_for_otp(repository_name)
-      end
+          prompt_for_otp(repository_name)
+        end
 
-      private
+        private
 
-      def generate_totp(seed)
-        require "rotp"
-        ::ROTP::TOTP.new(seed).now
-      end
+        def generate_totp(seed)
+          require "rotp"
+          ::ROTP::TOTP.new(seed).now
+        end
 
-      def prompt_for_otp(repository_name)
-        print "Enter OTP for #{repository_name} (blank to skip): "
-        value = @input.gets&.chomp
-        value&.empty? ? nil : value
+        def prompt_for_otp(repository_name)
+          print "Enter OTP for #{repository_name} (blank to skip): "
+          value = @input.gets&.chomp
+          value&.empty? ? nil : value
+        end
       end
     end
   end

data/lib/rake/gem/maintenance/renew_api_key_task.rb

@@ -5,134 +5,136 @@ require "rake/tasklib"
 require_relative "credential_store"
 
 module Rake
-  module GemMaintenance
-    # Generates a new rubygems.org API key via the rubygems.org API and stores
-    # it in a Woodpecker CI org-level secret. Intended for local developer use only.
-    #
-    # Creates: <namespace>:renew_api_key
-    #
-    # Reads WOODPECKER_SERVER and WOODPECKER_TOKEN (or ~/.config/woodpecker/token)
-    # from the environment.
-    class RenewApiKeyTask < ::Rake::TaskLib
-      attr_accessor :namespace_name, :host, :api_key_env_var, :ci_environment,
-                    :woodpecker_server, :woodpecker_org, :woodpecker_secret_name,
-                    :username_env_var, :password_env_var, :credential_store
-
-      def initialize(namespace_name = :upgrade)
-        super()
-        apply_defaults(namespace_name)
-        define_tasks
-      end
+  module Gem
+    module Maintenance
+      # Generates a new rubygems.org API key via the rubygems.org API and stores
+      # it in a Woodpecker CI org-level secret. Intended for local developer use only.
+      #
+      # Creates: <namespace>:renew_api_key
+      #
+      # Reads WOODPECKER_SERVER and WOODPECKER_TOKEN (or ~/.config/woodpecker/token)
+      # from the environment.
+      class RenewApiKeyTask < ::Rake::TaskLib
+        attr_accessor :namespace_name, :host, :api_key_env_var, :ci_environment,
+                      :woodpecker_server, :woodpecker_org, :woodpecker_secret_name,
+                      :username_env_var, :password_env_var, :credential_store
+
+        def initialize(namespace_name = :upgrade)
+          super()
+          apply_defaults(namespace_name)
+          define_tasks
+        end
 
-      private
-
-      def apply_defaults(namespace_name)
-        @namespace_name = namespace_name
-        @host = "https://rubygems.org"
-        @api_key_env_var = "GEM_HOST_API_KEY"
-        @ci_environment = CIEnvironment
-        @woodpecker_server = ENV.fetch("WOODPECKER_SERVER", nil)
-        @woodpecker_org = ENV.fetch("WOODPECKER_ORG", "cbp-org")
-        @woodpecker_secret_name = "rubygems_api_key"
-        @username_env_var = "RUBYGEMS_USERNAME"
-        @password_env_var = "RUBYGEMS_PASSWORD"
-        @credential_store = CredentialStore.new
-      end
+        private
+
+        def apply_defaults(namespace_name)
+          @namespace_name = namespace_name
+          @host = "https://rubygems.org"
+          @api_key_env_var = "GEM_HOST_API_KEY"
+          @ci_environment = CIEnvironment
+          @woodpecker_server = ENV.fetch("WOODPECKER_SERVER", nil)
+          @woodpecker_org = ENV.fetch("WOODPECKER_ORG", "cbp-org")
+          @woodpecker_secret_name = "rubygems_api_key"
+          @username_env_var = "RUBYGEMS_USERNAME"
+          @password_env_var = "RUBYGEMS_PASSWORD"
+          @credential_store = CredentialStore.new
+        end
 
-      def define_tasks
-        task_instance = self
-        namespace namespace_name do
-          desc "Generate a new rubygems.org API key and store it in Woodpecker CI"
-          task(:renew_api_key) { task_instance.send(:run_renewal) }
+        def define_tasks
+          task_instance = self
+          namespace namespace_name do
+            desc "Generate a new rubygems.org API key and store it in Woodpecker CI"
+            task(:renew_api_key) { task_instance.send(:run_renewal) }
+          end
         end
-      end
 
-      def run_renewal
-        credential_store.apply_to_env(username_env_var: username_env_var, api_key_env_var: api_key_env_var)
-        abort_if_ci
-        username, password = prompt_credentials
-        prompt_otp_seed_if_missing
-        api_key = generate_api_key(username, password)
-        save_and_distribute(username, api_key)
-      end
+        def run_renewal
+          credential_store.apply_to_env(username_env_var: username_env_var, api_key_env_var: api_key_env_var)
+          abort_if_ci
+          username, password = prompt_credentials
+          prompt_otp_seed_if_missing
+          api_key = generate_api_key(username, password)
+          save_and_distribute(username, api_key)
+        end
 
-      def generate_api_key(username, password)
-        otp = OtpProvider.new.otp_for("rubygems", otp_seed_env_var: "RUBYGEMS_OTP_SEED")
-        RubyGemsApiKeyCreator.new(host: host).create(username, password, otp: otp)
-      end
+        def generate_api_key(username, password)
+          otp = OtpProvider.new.otp_for("rubygems", otp_seed_env_var: "RUBYGEMS_OTP_SEED")
+          RubyGemsApiKeyCreator.new(host: host).create(username, password, otp: otp)
+        end
 
-      def save_and_distribute(username, api_key)
-        puts "\n[INFO] New API key generated."
-        credential_store.update(username: username, api_key: api_key, api_key_env_var: api_key_env_var)
-        store_in_woodpecker(api_key)
-      end
+        def save_and_distribute(username, api_key)
+          puts "\n[INFO] New API key generated."
+          credential_store.update(username: username, api_key: api_key, api_key_env_var: api_key_env_var)
+          store_in_woodpecker(api_key)
+        end
 
-      def abort_if_ci
-        return unless ci_environment.ci?
+        def abort_if_ci
+          return unless ci_environment.ci?
 
-        missing = [username_env_var, password_env_var].select { |v| env_credential(v).nil? }
-        return if missing.empty?
+          missing = [username_env_var, password_env_var].select { |v| env_credential(v).nil? }
+          return if missing.empty?
 
-        abort "[ERROR] Set #{missing.join(' and ')} CI secrets to run renewal unattended."
-      end
+          abort "[ERROR] Set #{missing.join(' and ')} CI secrets to run renewal unattended."
+        end
 
-      def prompt_otp_seed_if_missing
-        return if (seed = ENV.fetch("RUBYGEMS_OTP_SEED", nil)) && !seed.empty?
+        def prompt_otp_seed_if_missing
+          return if (seed = ENV.fetch("RUBYGEMS_OTP_SEED", nil)) && !seed.empty?
 
-        print "rubygems.org OTP seed (TOTP secret, not a code): "
-        seed = $stdin.gets&.chomp
-        ENV["RUBYGEMS_OTP_SEED"] = seed if seed && !seed.empty?
-      end
-
-      def prompt_credentials
-        username = env_credential(username_env_var) || prompt_username
-        password = env_credential(password_env_var) || read_password("rubygems.org password: ")
-        [username, password]
-      end
+          print "rubygems.org OTP seed (TOTP secret, not a code): "
+          seed = $stdin.gets&.chomp
+          ENV["RUBYGEMS_OTP_SEED"] = seed if seed && !seed.empty?
+        end
 
-      def env_credential(env_var)
-        value = ENV.fetch(env_var, nil)
-        value&.empty? ? nil : value
-      end
+        def prompt_credentials
+          username = env_credential(username_env_var) || prompt_username
+          password = env_credential(password_env_var) || read_password("rubygems.org password: ")
+          [username, password]
+        end
 
-      def prompt_username
-        print "rubygems.org username: "
-        value = $stdin.gets&.chomp
-        abort "[ERROR] No username provided." if value.nil? || value.empty?
-        value
-      end
+        def env_credential(env_var)
+          value = ENV.fetch(env_var, nil)
+          value&.empty? ? nil : value
+        end
 
-      def read_password(prompt)
-        require "io/console"
-        print prompt
-        password = $stdin.noecho(&:gets)&.chomp
-        puts
-        password
-      rescue LoadError
-        print prompt
-        $stdin.gets&.chomp
-      end
+        def prompt_username
+          print "rubygems.org username: "
+          value = $stdin.gets&.chomp
+          abort "[ERROR] No username provided." if value.nil? || value.empty?
+          value
+        end
 
-      def store_in_woodpecker(api_key)
-        unless woodpecker_server
-          puts "[INFO] Set WOODPECKER_SERVER to auto-store the key in Woodpecker CI."
-          puts "[INFO] New API key (store as secret '#{woodpecker_secret_name}'): #{api_key}"
-          return
+        def read_password(prompt)
+          require "io/console"
+          print prompt
+          password = $stdin.noecho(&:gets)&.chomp
+          puts
+          password
+        rescue LoadError
+          print prompt
+          $stdin.gets&.chomp
         end
 
-        token = read_woodpecker_token
-        abort "[ERROR] No Woodpecker token. Set WOODPECKER_TOKEN or run woodpecker-cli setup." unless token
+        def store_in_woodpecker(api_key)
+          unless woodpecker_server
+            puts "[INFO] Set WOODPECKER_SERVER to auto-store the key in Woodpecker CI."
+            puts "[INFO] New API key (store as secret '#{woodpecker_secret_name}'): #{api_key}"
+            return
+          end
 
-        WoodpeckerSecretStore.new(server: woodpecker_server, org: woodpecker_org, token: token)
-                             .store(woodpecker_secret_name, api_key)
-        puts "[SUCCESS] API key stored in Woodpecker secret '#{woodpecker_secret_name}'."
-      end
+          token = read_woodpecker_token
+          abort "[ERROR] No Woodpecker token. Set WOODPECKER_TOKEN or run woodpecker-cli setup." unless token
 
-      def read_woodpecker_token
-        ENV.fetch("WOODPECKER_TOKEN", nil) ||
-          File.read(File.expand_path("~/.config/woodpecker/token")).strip
-      rescue Errno::ENOENT
-        nil
+          WoodpeckerSecretStore.new(server: woodpecker_server, org: woodpecker_org, token: token)
+                               .store(woodpecker_secret_name, api_key)
+          puts "[SUCCESS] API key stored in Woodpecker secret '#{woodpecker_secret_name}'."
+        end
+
+        def read_woodpecker_token
+          ENV.fetch("WOODPECKER_TOKEN", nil) ||
+            File.read(File.expand_path("~/.config/woodpecker/token")).strip
+        rescue Errno::ENOENT
+          nil
+        end
       end
     end
   end

data/lib/rake/gem/maintenance/repos.rb

@@ -1,93 +1,95 @@
 # frozen_string_literal: true
 
 module Rake
-  module GemMaintenance
-    # Pre-configured gem repository configurations for common setups.
-    #
-    # @example Use internal-only repos
-    #   Rake::GemMaintenance::UpgradeTask.new do |t|
-    #     t.gem_repositories = Rake::GemMaintenance::Repos.internal
-    #   end
-    #
-    # @example Use both rubygems.org and internal repos
-    #   Rake::GemMaintenance::UpgradeTask.new do |t|
-    #     t.gem_repositories = Rake::GemMaintenance::Repos.all
-    #   end
-    #
-    # @example Use local geminabox only
-    #   Rake::GemMaintenance::GeminaboxUpgradeTask.new
-    #
-    # @example Dual publishing: geminabox + rubygems.org
-    #   Rake::GemMaintenance::UpgradeTask.new do |t|
-    #     t.gem_repositories = Rake::GemMaintenance::Repos.geminabox +
-    #                          Rake::GemMaintenance::Repos.rubygems
-    #   end
-    #
-    # @example Reconfigure internal URL
-    #   Rake::GemMaintenance::Repos.internal_url = "https://my-internal-gem.example.com"
-    #
-    # @example Configure API key and TOTP seed env vars
-    #   Rake::GemMaintenance::Repos.rubygems_api_key_env_var = "GEM_HOST_API_KEY"
-    #   Rake::GemMaintenance::Repos.rubygems_otp_seed_env_var = "RUBYGEMS_OTP_SEED"
-    #   Rake::GemMaintenance::Repos.geminabox_url = "http://localhost:9292"
-    module Repos
-      @internal_url = "https://gems.cbp-org.internal"
-      @rubygems_url = "https://rubygems.org"
-      @geminabox_url = "http://localhost:9292"
+  module Gem
+    module Maintenance
+      # Pre-configured gem repository configurations for common setups.
+      #
+      # @example Use internal-only repos
+      #   Rake::Gem::Maintenance::UpgradeTask.new do |t|
+      #     t.gem_repositories = Rake::Gem::Maintenance::Repos.internal
+      #   end
+      #
+      # @example Use both rubygems.org and internal repos
+      #   Rake::Gem::Maintenance::UpgradeTask.new do |t|
+      #     t.gem_repositories = Rake::Gem::Maintenance::Repos.all
+      #   end
+      #
+      # @example Use local geminabox only
+      #   Rake::Gem::Maintenance::GeminaboxUpgradeTask.new
+      #
+      # @example Dual publishing: geminabox + rubygems.org
+      #   Rake::Gem::Maintenance::UpgradeTask.new do |t|
+      #     t.gem_repositories = Rake::Gem::Maintenance::Repos.geminabox +
+      #                          Rake::Gem::Maintenance::Repos.rubygems
+      #   end
+      #
+      # @example Reconfigure internal URL
+      #   Rake::Gem::Maintenance::Repos.internal_url = "https://my-internal-gem.example.com"
+      #
+      # @example Configure API key and TOTP seed env vars
+      #   Rake::Gem::Maintenance::Repos.rubygems_api_key_env_var = "GEM_HOST_API_KEY"
+      #   Rake::Gem::Maintenance::Repos.rubygems_otp_seed_env_var = "RUBYGEMS_OTP_SEED"
+      #   Rake::Gem::Maintenance::Repos.geminabox_url = "http://localhost:9292"
+      module Repos
+        @internal_url = "https://gems.cbp-org.internal"
+        @rubygems_url = "https://rubygems.org"
+        @geminabox_url = "http://localhost:9292"
 
-      @rubygems_api_key_env_var = nil
-      @internal_api_key_env_var = nil
-      @geminabox_api_key_env_var = nil
+        @rubygems_api_key_env_var = nil
+        @internal_api_key_env_var = nil
+        @geminabox_api_key_env_var = nil
 
-      @rubygems_otp_seed_env_var = nil
-      @internal_otp_seed_env_var = nil
-      @geminabox_otp_seed_env_var = nil
+        @rubygems_otp_seed_env_var = nil
+        @internal_otp_seed_env_var = nil
+        @geminabox_otp_seed_env_var = nil
 
-      class << self
-        attr_accessor :internal_url, :rubygems_url, :geminabox_url,
-                      :rubygems_api_key_env_var, :internal_api_key_env_var,
-                      :geminabox_api_key_env_var,
-                      :rubygems_otp_seed_env_var, :internal_otp_seed_env_var,
-                      :geminabox_otp_seed_env_var
-      end
+        class << self
+          attr_accessor :internal_url, :rubygems_url, :geminabox_url,
+                        :rubygems_api_key_env_var, :internal_api_key_env_var,
+                        :geminabox_api_key_env_var,
+                        :rubygems_otp_seed_env_var, :internal_otp_seed_env_var,
+                        :geminabox_otp_seed_env_var
+        end
 
-      # Publish only to internal repository
-      # @return [Array<Hash>] repository configuration
-      def self.internal
-        base = { name: "cbp-org", url: internal_url }
-        base[:api_key_env_var] = internal_api_key_env_var if internal_api_key_env_var
-        base[:otp_seed_env_var] = internal_otp_seed_env_var if internal_otp_seed_env_var
-        [base]
-      end
+        # Publish only to internal repository
+        # @return [Array<Hash>] repository configuration
+        def self.internal
+          base = { name: "cbp-org", url: internal_url }
+          base[:api_key_env_var] = internal_api_key_env_var if internal_api_key_env_var
+          base[:otp_seed_env_var] = internal_otp_seed_env_var if internal_otp_seed_env_var
+          [base]
+        end
 
-      # Publish to both rubygems.org and internal repository
-      # @return [Array<Hash>] repository configuration
-      def self.all
-        rubygems + internal
-      end
+        # Publish to both rubygems.org and internal repository
+        # @return [Array<Hash>] repository configuration
+        def self.all
+          rubygems + internal
+        end
 
-      # Publish only to rubygems.org (the default)
-      # @return [Array<Hash>] repository configuration
-      def self.rubygems
-        base = { name: "rubygems", url: rubygems_url }
-        base[:api_key_env_var] = rubygems_api_key_env_var if rubygems_api_key_env_var
-        base[:otp_seed_env_var] = rubygems_otp_seed_env_var if rubygems_otp_seed_env_var
-        [base]
-      end
+        # Publish only to rubygems.org (the default)
+        # @return [Array<Hash>] repository configuration
+        def self.rubygems
+          base = { name: "rubygems", url: rubygems_url }
+          base[:api_key_env_var] = rubygems_api_key_env_var if rubygems_api_key_env_var
+          base[:otp_seed_env_var] = rubygems_otp_seed_env_var if rubygems_otp_seed_env_var
+          [base]
+        end
 
-      # Publish only to a local geminabox instance
-      # @return [Array<Hash>] repository configuration
-      def self.geminabox
-        base = { name: "geminabox", url: geminabox_url }
-        base[:api_key_env_var] = geminabox_api_key_env_var if geminabox_api_key_env_var
-        base[:otp_seed_env_var] = geminabox_otp_seed_env_var if geminabox_otp_seed_env_var
-        [base]
-      end
+        # Publish only to a local geminabox instance
+        # @return [Array<Hash>] repository configuration
+        def self.geminabox
+          base = { name: "geminabox", url: geminabox_url }
+          base[:api_key_env_var] = geminabox_api_key_env_var if geminabox_api_key_env_var
+          base[:otp_seed_env_var] = geminabox_otp_seed_env_var if geminabox_otp_seed_env_var
+          [base]
+        end
 
-      # Default configuration: rubygems.org only
-      # @return [Array<Hash>] repository configuration
-      def self.default
-        rubygems
+        # Default configuration: rubygems.org only
+        # @return [Array<Hash>] repository configuration
+        def self.default
+          rubygems
+        end
       end
     end
   end

data/lib/rake/gem/maintenance/ruby_gems_api_key_creator.rb

@@ -1,49 +1,51 @@
 # frozen_string_literal: true
 
 module Rake
-  module GemMaintenance
-    # Creates a new scoped API key on rubygems.org via the v2 API.
-    # Handles OTP header injection and maps HTTP error codes to actionable messages.
-    class RubyGemsApiKeyCreator
-      def initialize(host: "https://rubygems.org")
-        @host = host
-      end
+  module Gem
+    module Maintenance
+      # Creates a new scoped API key on rubygems.org via the v2 API.
+      # Handles OTP header injection and maps HTTP error codes to actionable messages.
+      class RubyGemsApiKeyCreator
+        def initialize(host: "https://rubygems.org")
+          @host = host
+        end
 
-      def create(username, password, otp: nil)
-        require "net/http"
+        def create(username, password, otp: nil)
+          require "net/http"
 
-        request = build_request(username, password, otp)
-        response = http_client.request(request)
-        parse_response(response)
-      end
+          request = build_request(username, password, otp)
+          response = http_client.request(request)
+          parse_response(response)
+        end
 
-      private
+        private
 
-      def build_request(username, password, otp)
-        uri = URI("#{@host}/api/v1/api_key")
-        key_name = "rake-gem-maintenance-ci-#{Time.now.strftime('%Y%m%d')}"
-        req = Net::HTTP::Post.new(uri)
-        req.basic_auth(username, password)
-        req["OTP"] = otp if otp
-        req["Content-Type"] = "application/x-www-form-urlencoded"
-        req.body = "name=#{key_name}&push_rubygem=true"
-        req
-      end
+        def build_request(username, password, otp)
+          uri = URI("#{@host}/api/v1/api_key")
+          key_name = "rake-gem-maintenance-ci-#{Time.now.strftime('%Y%m%d')}"
+          req = Net::HTTP::Post.new(uri)
+          req.basic_auth(username, password)
+          req["OTP"] = otp if otp
+          req["Content-Type"] = "application/x-www-form-urlencoded"
+          req.body = "name=#{key_name}&push_rubygem=true"
+          req
+        end
 
-      def http_client
-        uri = URI(@host)
-        http = Net::HTTP.new(uri.hostname, uri.port)
-        http.use_ssl = true
-        http
-      end
+        def http_client
+          uri = URI(@host)
+          http = Net::HTTP.new(uri.hostname, uri.port)
+          http.use_ssl = true
+          http
+        end
 
-      def parse_response(response)
-        case response.code.to_i
-        when 200, 201 then response.body.strip
-        when 401 then abort "[ERROR] Invalid credentials for #{@host}."
-        when 403 then abort "[ERROR] Forbidden. Check your MFA settings on #{@host}."
-        when 449 then abort "[ERROR] OTP required by #{@host}. Set RUBYGEMS_OTP_SEED and retry."
-        else abort "[ERROR] #{@host} returned #{response.code}: #{response.body.strip}"
+        def parse_response(response)
+          case response.code.to_i
+          when 200, 201 then response.body.strip
+          when 401 then abort "[ERROR] Invalid credentials for #{@host}."
+          when 403 then abort "[ERROR] Forbidden. Check your MFA settings on #{@host}."
+          when 449 then abort "[ERROR] OTP required by #{@host}. Set RUBYGEMS_OTP_SEED and retry."
+          else abort "[ERROR] #{@host} returned #{response.code}: #{response.body.strip}"
+          end
         end
       end
     end