Gateway: enforce allowed-tools filtering server-side on tools/list and tools/call (#3334)

Agents with raw HTTP access to the gateway could bypass client-side
`--allowed-tools` filters by directly sending `tools/call` JSON-RPC
requests for tools they shouldn't be able to call. The existing `tools`
field in `StdinServerConfig`/`ServerConfig` was parsed but never
enforced at runtime.

## Changes

### Pre-computed allowed-tools sets (`unified.go`)
- Added `allowedToolSets map[string]map[string]bool` to `UnifiedServer`,
built once at init via `buildAllowedToolSets(cfg)` for O(1) per-call
lookup
- Added `isToolAllowed(serverID, toolName)` — returns `true` when no
list is configured (unrestricted)

### Enforcement in `callBackendTool` (`unified.go`)
Before any DIFC/guard work, rejects calls for tools not in the allowed
set:
- Returns `IsError: true` `CallToolResult` with a descriptive message
- Sets OTEL span HTTP status to 403
- Logs at WARN with `logger.LogWarn("client", ...)` including the server
ID

### tools/list defense-in-depth (`tool_registry.go`)
During backend tool registration, non-allowed tools are filtered out —
they never appear in `tools/list` responses and are never registered
with the SDK server.

### Lint fix
- Removed unused `sendUnifiedMCPRequest` and `parseSSEBody` helper
functions from `allowed_tools_integration_test.go` (golangci-lint
`unused` violations)

Author: lpcox

internal/server/allowed_tools_integration_test.go

@@ -10,13 +10,10 @@ package server
 //   - No restriction when Tools list is absent
 
 import (
-	"bytes"
 	"context"
 	"encoding/json"
-	"io"
 	"net/http"
 	"net/http/httptest"
-	"strings"
 	"testing"
 	"time"
 
@@ -80,52 +77,6 @@ func newMockMCPBackendWithTools(t *testing.T, serverID string, toolNames []strin
 	}))
 }
 
-// sendUnifiedMCPRequest sends a JSON-RPC request to the unified /mcp endpoint
-// and returns the parsed JSON response. It follows the SSE envelope if present.
-func sendUnifiedMCPRequest(t *testing.T, serverURL string, payload map[string]interface{}) map[string]interface{} {
-	t.Helper()
-	data, err := json.Marshal(payload)
-	require.NoError(t, err)
-
-	req, err := http.NewRequest("POST", serverURL+"/mcp", bytes.NewBuffer(data))
-	require.NoError(t, err)
-	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("Accept", "application/json, text/event-stream")
-	req.Header.Set("Authorization", "test-token")
-
-	client := &http.Client{Timeout: 5 * time.Second}
-	resp, err := client.Do(req)
-	require.NoError(t, err)
-	defer resp.Body.Close()
-
-	body, err := io.ReadAll(resp.Body)
-	require.NoError(t, err)
-
-	bodyStr := string(body)
-	ct := resp.Header.Get("Content-Type")
-	if strings.Contains(ct, "text/event-stream") {
-		return parseSSEBody(t, bodyStr)
-	}
-	var result map[string]interface{}
-	require.NoError(t, json.Unmarshal(body, &result), "failed to parse response: %s", bodyStr)
-	return result
-}
-
-// parseSSEBody extracts the first JSON payload from an SSE-encoded response body.
-func parseSSEBody(t *testing.T, body string) map[string]interface{} {
-	t.Helper()
-	for _, line := range strings.Split(body, "\n") {
-		if strings.HasPrefix(line, "data: ") {
-			var result map[string]interface{}
-			if err := json.Unmarshal([]byte(strings.TrimPrefix(line, "data: ")), &result); err == nil {
-				return result
-			}
-		}
-	}
-	t.Fatalf("no JSON data line found in SSE body: %s", body)
-	return nil
-}
-
 // ----- tools/list filtering integration tests -----------------------------
 
 // TestAllowedTools_ToolsListFiltered_UnifiedServer verifies that tools NOT in the