When SamplingTool.from_callable_tool() wraps a FunctionTool or TransformedTool for use in sampling contexts (ctx.sample / ctx.sample_step), the generated wrapper calls tool.run() directly without running the tool's auth checks. The server's HTTP dispatcher applies run_auth_checks before every tool call, but the sampling wrapper bypassed this entirely -- creating a privilege escalation path where an LLM could invoke auth-protected tools through sampling without proper authorization.

The fix adds the same auth enforcement logic inside the from_callable_tool wrapper that the server dispatcher uses: check tool.auth, resolve the current transport and access token, and run run_auth_checks before delegating to tool.run(). STDIO transport skips auth checks as it does everywhere else. A tool without auth set is unaffected.

# Before: auth-protected tool could be invoked via sampling without checks
protected = FunctionTool.from_function(secret_fn, auth=require_scopes("admin"))
sampling_tool = SamplingTool.from_callable_tool(protected)
await sampling_tool.run({})  # succeeded without any token

# After: raises AuthorizationError when token lacks required scopes
await sampling_tool.run({})  # AuthorizationError: insufficient permissions

Co-authored-by: Claude [email protected]