
Authorization response filtering fails with Content-Length mismatch for SSE transport #4044

@ChandraMohan0316

Description

When using authorization middleware (Cedar policies) with streamable-http transport, the response filtering for list operations (tools/list, prompts/list, resources/list) fails with errors.

Environment

  • Transport: streamable-http
  • Authorization: Cedar policies configured via MCPRemoteProxy
  • Client: Claude Desktop

Error Messages

{"level":"ERROR","msg":"error writing filtered response","error":"http: wrote more than the declared Content-Length"}

{"level":"DEBUG","msg":"processSSEResponseToBuffer: failed to decode JSON-RPC message","error":"unmarshaling jsonrpc message: unexpected end of JSON input"}

Root Cause

The ResponseFilteringWriter in pkg/authz/response_filter.go has two issues:

  1. Content-Length mismatch: The original Content-Length header is forwarded, but the filtered response has a different size, causing HTTP layer errors.

  2. Chunked SSE data: SSE responses arrive in multiple network chunks. The middleware attempts to parse incomplete JSON before the full SSE event is received.

Expected Behavior

  • Tools list should be filtered according to Cedar policies and displayed correctly in Claude Desktop
  • No Content-Length mismatch errors

Actual Behavior

  • Empty tool list shown in Claude Desktop
  • Errors logged in proxy pod

Reproduction Steps

  1. Deploy MCPRemoteProxy with Cedar authorization policies
  2. Use streamable-http transport
  3. Connect Claude Desktop to the proxy
  4. Observe empty tool list and errors in logs

Proposed Solution

  • Delete Content-Length header before writing filtered responses
  • Buffer SSE data until complete event (ending with \n\n) before processing
  • Forward WriteHeader immediately for SSE streaming support
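The two buffering and filtering steps above, as an added Go illustration that is not the project's own code: chunks are held until a blank line closes the SSE event, and only then is the JSON-RPC tools/list payload decoded and trimmed. The names sseBuffer and filterToolsList are assumed here; the real ResponseFilteringWriter and the Cedar evaluation are not reproduced, and an allowed-name set stands in for the policy decision.

```go
package main

import (
	"bytes"
	"encoding/json"
)

// sseBuffer collects network chunks and releases only complete SSE events
// (terminated by a blank line), so a half-received frame is never parsed.
type sseBuffer struct{ pending bytes.Buffer }

// feed appends a chunk and returns every event that is now complete.
func (b *sseBuffer) feed(chunk []byte) (events []string) {
	b.pending.Write(chunk)
	for {
		i := bytes.Index(b.pending.Bytes(), []byte("\n\n"))
		if i < 0 {
			return events
		}
		events = append(events, string(b.pending.Next(i)))
		b.pending.Next(2) // discard the blank-line terminator
	}
}

// filterToolsList takes the JSON-RPC payload of a complete event's "data:"
// line and drops every tool whose name is not in allowed (a stand-in for the
// Cedar decision). The caller must write the result without the upstream
// Content-Length header, because the filtered body is shorter than declared.
func filterToolsList(data []byte, allowed map[string]bool) ([]byte, error) {
	var msg struct {
		JSONRPC string          `json:"jsonrpc"`
		ID      json.RawMessage `json:"id"`
		Result  struct {
			Tools []map[string]any `json:"tools"`
		} `json:"result"`
	}
	if err := json.Unmarshal(data, &msg); err != nil {
		return nil, err // a partial frame fails here with "unexpected end of JSON input"
	}
	kept := msg.Result.Tools[:0]
	for _, t := range msg.Result.Tools {
		if name, _ := t["name"].(string); allowed[name] {
			kept = append(kept, t)
		}
	}
	msg.Result.Tools = kept
	return json.Marshal(msg)
}
```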
