Send permission denied error #108
Do not send a neutral error message so an unauthorized user wouldn't even know that method exists
j4r0u53k left a comment
I have a strong objection to the changes in error messages introduced in this PR.
The error message should remain unchanged specifically to avoid leaking information to unauthorized users. If the response differs depending on whether a given method or path exists, it allows an attacker to distinguish between “non-existent” and “unauthorized but valid” endpoints. This effectively enables probing and enumeration of the API surface.
Keeping the error message consistent is a deliberate security measure—it ensures that an unauthorized user cannot determine whether a particular path or method actually exists.
Additionally, this change modifies externally observable behavior, which constitutes a breaking change. However, there is no corresponding major version bump, which violates semantic versioning expectations and may negatively impact downstream users.
For these reasons, I cannot approve this PR in its current form.
This is definitely a regression that shouldn't get approved by any sane person 👎
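The distinction raised in the review comment above, as an added example that is not code from this PR or its project: a dispatcher that returns distinct errors beside one that returns a single neutral error, with a check that compares what a caller without roles receives for a forbidden method and for a missing one. The method names, roles, status codes and messages are constructed for illustration.

```python
import json

# Constructed method table (hypothetical names): method -> (required role, handler).
METHODS = {
    "status.get": (None, lambda params: {"ok": True}),
    "users.delete": ("admin", lambda params: {"deleted": params["id"]}),
}

# Single neutral error used for every refusal, whatever the reason (assumed values).
NEUTRAL = (404, {"error": "not found"})


def dispatch_leaky(roles, method, params):
    """Distinct errors: the reply reveals whether the method exists."""
    if method not in METHODS:
        return 404, {"error": "unknown method"}
    required, handler = METHODS[method]
    if required is not None and required not in roles:
        return 403, {"error": "permission denied"}
    return 200, {"result": handler(params)}


def dispatch_uniform(roles, method, params):
    """Same status and body for 'missing' and 'forbidden'."""
    entry = METHODS.get(method)
    if entry is None:
        return NEUTRAL
    required, handler = entry
    if required is not None and required not in roles:
        return NEUTRAL
    return 200, {"result": handler(params)}


def leaks_existence(dispatch, forbidden_method, missing_method):
    """True if a caller with no roles can tell a forbidden method from a
    missing one by comparing the serialized responses."""
    forbidden = dispatch(set(), forbidden_method, {})
    missing = dispatch(set(), missing_method, {})
    return json.dumps(forbidden, sort_keys=True) != json.dumps(missing, sort_keys=True)


if __name__ == "__main__":
    # "users.purge" is deliberately absent from METHODS.
    for d in (dispatch_leaky, dispatch_uniform):
        print(d.__name__, leaks_existence(d, "users.delete", "users.purge"))
```

A check like `leaks_existence` can sit in a test suite so that a later change to the error path fails the build if the two responses start to differ.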