Summary

Fixes #3235 — Missing Authorization header returned 400 (Bad Request) instead of a meaningful auth failure response. /claim #3235

Changes:

  • Default auth failure response is now 404 (Not Found) — most secure, doesn’t reveal whether the resource exists (same approach as GitHub)
  • New .unauthorizedStatus(Status) builder method on Endpoint for customization:
    endpoint.auth(AuthType.Bearer).unauthorizedStatus(Status.Unauthorized) // RFC-compliant 401
  • When status is 401, WWW-Authenticate header is automatically included per RFC 7235
  • MissingHeader("authorization") errors are now correctly routed to the auth failure handler (previously fell through to generic 400)
  • OpenAPI spec generation reflects the configured auth failure status
  • Closed community PRs #3948, #3614, #3945 with explanation

Files Changed

  • AuthType.scala — Added unauthorizedStatus, withUnauthorizedStatus, WithStatus case class
  • Endpoint.scala — Added builder method, configurable auth failure response, MissingHeader catch
  • OpenAPIGen.scala — Added authResponse helper, WithStatus handling in security schemes
  • MimaSettings.scala — Binary compatibility filters for new trait methods
  • AuthSpec.scala — Updated existing test + 3 new tests for configurable status
  • OpenAPIGenSpec.scala — Updated 7 existing auth tests + 1 new test for custom 401 status
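A small model of the auth-failure policy this PR describes, written here as an added example; it is not code from the PR or from ZIO HTTP. The names `AuthFailurePolicy`, `handle_request`, `parse_bearer`, the request/response tuples and the sample resource table are constructed for illustration. Only the behaviours follow the description above: a 404 default so an unauthenticated caller cannot tell whether the path exists, an optional 401 that carries a `WWW-Authenticate` challenge per RFC 7235, and a missing `Authorization` header routed through the same failure path as bad credentials rather than a generic 400.

```python
"""Model of a configurable auth-failure response (added example, not ZIO HTTP code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample data: one protected resource and one valid bearer token.
RESOURCES = {"/secrets/1": "top secret"}
VALID_TOKEN = "constructed-demo-token"

# (status, headers, body)
Response = Tuple[int, Dict[str, str], str]


@dataclass(frozen=True)
class AuthFailurePolicy:
    """Hypothetical policy object standing in for the PR's unauthorizedStatus setting."""

    # Default mirrors the PR: 404 so the response does not reveal whether the
    # resource exists (the GitHub approach).
    unauthorized_status: int = 404
    scheme: str = "Bearer"
    realm: str = "api"

    def failure_response(self) -> Response:
        headers: Dict[str, str] = {}
        if self.unauthorized_status == 401:
            # RFC 7235: a 401 response must include a WWW-Authenticate challenge.
            headers["WWW-Authenticate"] = f'{self.scheme} realm="{self.realm}"'
        return (self.unauthorized_status, headers, "")


def parse_bearer(headers: Dict[str, str]) -> Optional[str]:
    """Return the bearer token, or None when the header is missing or malformed."""
    value = headers.get("authorization")
    if value is None:
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def handle_request(
    path: str,
    headers: Dict[str, str],
    policy: AuthFailurePolicy = AuthFailurePolicy(),
) -> Response:
    """Authenticate, then serve the resource; every auth failure uses the policy."""
    # HTTP header names are case-insensitive; normalise once.
    normalised = {k.lower(): v for k, v in headers.items()}
    token = parse_bearer(normalised)
    # A missing header and a wrong token take the same branch, so the caller
    # cannot distinguish "no credentials" from "bad credentials".
    if token != VALID_TOKEN:
        return policy.failure_response()
    body = RESOURCES.get(path)
    if body is None:
        return (404, {}, "")
    return (200, {}, body)


if __name__ == "__main__":
    print(handle_request("/secrets/1", {}))
    print(handle_request("/secrets/1", {}, AuthFailurePolicy(unauthorized_status=401)))
    print(handle_request("/secrets/1", {"Authorization": f"Bearer {VALID_TOKEN}"}))
```

With the default policy, an unauthenticated request for an existing path and an authenticated request for a missing path both yield a bare 404, which is the property the 404 default is meant to provide; switching the policy to 401 trades that for an RFC-compliant challenge that clients can act on.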

Claim

Total prize pool: $100
Total paid: $100
Status: Approved
Submitted: March 07, 2026
Last updated: March 07, 2026

Contributors

Nabil Abdel-Hafeez (@987Nabil): 100%

Sponsors

ZIO (@ZIO): $100 paid