Enforce Cedar policies on optimizer find_tool and call_tool (#4385)

* Enforce Cedar policies on optimizer find_tool and call_tool

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Enforce Cedar policies on optimizer call_tool via authz middleware

Move Cedar authorization enforcement for the optimizer meta-tools out of
the vmcp session layer and into the authz HTTP middleware, keeping the
changes isolated to pkg/authz and the composition root (commands.go).

The previous approach threaded an authorizers.Authorizer through five
layers (incoming.go → commands.go → server.go → sessionmanager →
factory → decorator), creating coupling between the optimizer decorator
and the authorization system.

New approach:
- authz middleware intercepts tools/call for pass-through meta-tools:
  call_tool extracts the inner toolName from arguments and authorizes
  that backend tool; find_tool is allowed through as a discovery op.
- commands.go builds passThroughTools (find_tool, call_tool) when the
  optimizer is enabled and passes it to NewIncomingAuthMiddleware.
- incoming.go returns authzMw directly (as on main) instead of a raw
  authorizer; accepts passThroughTools to configure the middleware.
- server.go, sessionmanager, and the optimizer decorator revert to their
  main-branch signatures with no knowledge of the authorizer.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Enforce Cedar policies on optimizer find_tool response

find_tool calls were allowed through the authz middleware with no
response filtering, letting callers discover tool names, descriptions,
and schemas for tools they are not authorized to call.

- Add filterFindToolResponse to ResponseFilteringWriter: intercepts the
  find_tool CallToolResult, identifies the FindToolOutput payload by
  attempting to unmarshal each TextContent item (stronger than checking
  the type string), filters output.Tools through Cedar policy, and
  populates the annotation cache from the unfiltered list so subsequent
  call_tool Cedar when-clauses evaluate correctly
- Extend requiresResponseFiltering (renamed from isListOperation) and
  filterListResponse to dispatch find_tool responses through the new
  method, reusing all existing buffering, flush, and SSE logic
- Update handleToolsCall to wrap find_tool with NewResponseFilteringWriter
  instead of passing through unfiltered
- Unexport FilterToolsByPolicy and AuthorizeToolCall; move tool_filter_test
  to package authz to match
- Expand TestFindToolResponseFilter with sub-tests covering Cedar filtering,
  isError pass-through, missing/non-FindToolOutput content pass-through,
  and annotation cache population from the unfiltered tool list

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: aponcedeleonch

cmd/vmcp/app/commands.go

@@ -39,6 +39,7 @@ import (
 	vmcprouter "github.com/stacklok/toolhive/pkg/vmcp/router"
 	vmcpserver "github.com/stacklok/toolhive/pkg/vmcp/server"
 	vmcpsession "github.com/stacklok/toolhive/pkg/vmcp/session"
+	"github.com/stacklok/toolhive/pkg/vmcp/session/optimizerdec"
 	vmcpstatus "github.com/stacklok/toolhive/pkg/vmcp/status"
 )
 
@@ -506,13 +507,6 @@ func runServe(cmd *cobra.Command, _ []string) error {
 
 	slog.Info(fmt.Sprintf("Setting up incoming authentication (type: %s)", cfg.IncomingAuth.Type))
 
-	authMiddleware, authzMiddleware, authInfoHandler, err := factory.NewIncomingAuthMiddleware(ctx, cfg.IncomingAuth)
-	if err != nil {
-		return fmt.Errorf("failed to create authentication middleware: %w", err)
-	}
-
-	slog.Info(fmt.Sprintf("Incoming authentication configured: %s", cfg.IncomingAuth.Type))
-
 	// Create server configuration with flags
 	// Cobra validates flag types at parse time, so these values are safe to use directly
 	host, _ := cmd.Flags().GetString("host")
@@ -582,6 +576,26 @@ func runServe(cmd *cobra.Command, _ []string) error {
 		return err
 	}
 
+	// When the optimizer is enabled, its meta-tools (find_tool, call_tool) must pass
+	// through the authz response filter so they appear in tools/list. Authorization
+	// for the underlying backend tools is enforced by the middleware's call_tool
+	// interception. See: https://github.com/stacklok/toolhive/issues/4373
+	var passThroughTools map[string]struct{}
+	if optCfg != nil {
+		passThroughTools = map[string]struct{}{
+			optimizerdec.FindToolName: {},
+			optimizerdec.CallToolName: {},
+		}
+	}
+
+	authMiddleware, authzMiddleware, authInfoHandler, err :=
+		factory.NewIncomingAuthMiddleware(ctx, cfg.IncomingAuth, passThroughTools)
+	if err != nil {
+		return fmt.Errorf("failed to create authentication middleware: %w", err)
+	}
+
+	slog.Info(fmt.Sprintf("Incoming authentication configured: %s", cfg.IncomingAuth.Type))
+
 	serverCfg := &vmcpserver.Config{
 		Name:                    cfg.Name,
 		Version:                 getVersion(),