Authorization errors silently swallowed during list response filtering

[jhrozek]

Summary

The response filtering code silently ignores errors from authorization checks when filtering tools, prompts, and resources from list responses. This makes debugging authorization issues difficult and creates inconsistent behavior.

Current Behavior

In pkg/authz/response_filter.go, all three filter methods swallow errors:

// filterToolsResponse (lines 271-274)
if err != nil {
    // If there's an error checking authorization, skip this tool
    continue
}

// filterPromptsResponse (lines 323-326) - same pattern
// filterResourcesResponse (lines 375-378) - same pattern

Errors that get lost

• ErrMissingPrincipal - identity/JWT claims not in context
• ErrMissingAction / ErrMissingResource - empty action or resource
• Entity parsing/creation failures
• Cedar policy evaluation errors
• Unsupported feature/operation combinations

Inconsistency

Non-list operations properly return errors to clients:

// middleware.go:177-189
if err != nil || !authorized {
    handleUnauthorized(w, parsedRequest.ID, err)
    return
}

But list operations silently hide errors, making debugging hard.

Impact

• Users see empty or partial lists with no indication something went wrong
• Administrators have no visibility into filtering failures
• Policy misconfigurations are invisible

Suggested Fix

At minimum, log the errors:

if err != nil {
    logger.Warnf("Authorization check failed for tool %q: %v", tool.Name, err)
    continue
}