Invalidate token-scope cache context when authorization token changes #2203

@davidahmann

Description

Problem

Scope decisions can become stale if previously cached token scopes are reused after the active auth token changes, leading to incorrect tool visibility.

Why now

Token churn is common in developer sessions. Scope filtering is a governance boundary, so stale reuse must fail closed and recompute for the active token.

Expected behavior

When the active token differs from the token used to populate scope context, scope lookups must be recomputed and context updated for the new token.

Claim-to-codepath map

  • pkg/context/token.go
  • pkg/http/middleware/token.go
  • pkg/http/middleware/pat_scope.go
  • pkg/http/handler.go

Validation requirements

  • Bind cached scopes to token identity in context helpers.
  • Update PAT scope middleware/filter paths to ignore mismatched cached scopes.
  • Add regression tests covering token swap with pre-populated scope context.

Evidence packet

  • Commit under test: $(git -C /Users/davidahmann/Projects/agent-ecosystem/github-mcp-server rev-parse HEAD)
  • Runtime: Go test harness on macOS
  • Minimal repro: request context preloaded with scopes for token A, then token B becomes active; filter should not reuse token A scopes.
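The behavior described above (cached scopes bound to token identity, a mismatch treated as a cache miss, recompute for the active token, fail closed on lookup error), as an added example that is not code from github-mcp-server or from the issue author. The context helper, `ScopeResolver`, `Tool`, `FilterTools` and the token/tool names are all constructed for illustration and do not correspond to the real middleware in `pkg/http/middleware`.

```go
package main

import (
	"context"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ctxKey is an unexported key type so other packages cannot collide with it.
type ctxKey struct{}

// tokenScopes binds cached scopes to a fingerprint of the token that produced
// them, so a later lookup can detect that the active token has changed.
type tokenScopes struct {
	tokenID string
	scopes  []string
}

// tokenFingerprint derives a non-reversible identity for a token; the raw
// token is never stored in the context value.
func tokenFingerprint(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// WithScopes stores scopes in ctx, bound to the identity of token.
func WithScopes(ctx context.Context, token string, scopes []string) context.Context {
	cp := append([]string(nil), scopes...) // defensive copy
	return context.WithValue(ctx, ctxKey{}, tokenScopes{tokenID: tokenFingerprint(token), scopes: cp})
}

// ScopesFor returns cached scopes only if they were populated for activeToken.
// A token mismatch is a cache miss, never "use whatever is there".
func ScopesFor(ctx context.Context, activeToken string) ([]string, bool) {
	ts, ok := ctx.Value(ctxKey{}).(tokenScopes)
	if !ok || ts.tokenID != tokenFingerprint(activeToken) {
		return nil, false
	}
	return ts.scopes, true
}

// ScopeResolver looks up the scopes granted to a token (hypothetical; a real
// server would ask the upstream API).
type ScopeResolver func(ctx context.Context, token string) ([]string, error)

// ResolveScopes reuses cached scopes only when they belong to activeToken;
// otherwise it recomputes them and rebinds the context to the new token.
// A lookup error yields no scopes at all, so the caller fails closed.
func ResolveScopes(ctx context.Context, activeToken string, resolve ScopeResolver) (context.Context, []string, error) {
	if scopes, ok := ScopesFor(ctx, activeToken); ok {
		return ctx, scopes, nil
	}
	scopes, err := resolve(ctx, activeToken)
	if err != nil {
		return ctx, nil, err
	}
	return WithScopes(ctx, activeToken, scopes), scopes, nil
}

// Tool is a minimal stand-in for a server tool gated by a single scope;
// an empty RequiredScope means the tool is always visible.
type Tool struct {
	Name          string
	RequiredScope string
}

// FilterTools hides every tool whose required scope is not in scopes.
func FilterTools(tools []Tool, scopes []string) []Tool {
	have := make(map[string]struct{}, len(scopes))
	for _, s := range scopes {
		have[s] = struct{}{}
	}
	out := []Tool{}
	for _, t := range tools {
		if _, ok := have[t.RequiredScope]; ok || t.RequiredScope == "" {
			out = append(out, t)
		}
	}
	return out
}

// VisibleToolNames runs the minimal repro: ctx was populated for one token,
// then activeToken became active. It returns the tools activeToken may see.
func VisibleToolNames(ctx context.Context, activeToken string, resolve ScopeResolver, tools []Tool) ([]string, error) {
	_, scopes, err := ResolveScopes(ctx, activeToken, resolve)
	if err != nil {
		return nil, err
	}
	names := []string{}
	for _, t := range FilterTools(tools, scopes) {
		names = append(names, t.Name)
	}
	return names, nil
}

func main() {
	// Constructed sample data: two tokens with different grants, three tools.
	grants := map[string][]string{"token-A": {"repo", "read:org"}, "token-B": {"read:user"}}
	resolve := func(_ context.Context, tok string) ([]string, error) {
		if s, ok := grants[tok]; ok {
			return s, nil
		}
		return nil, errors.New("unknown token")
	}
	tools := []Tool{{"whoami", ""}, {"open_issue", "repo"}, {"list_teams", "read:org"}}
	ctx := WithScopes(context.Background(), "token-A", grants["token-A"]) // preloaded for A
	names, err := VisibleToolNames(ctx, "token-B", resolve, tools)       // B becomes active
	fmt.Println(names, err)
}
```

The design point is that the cache key is the token's identity, not merely the presence of a cached value: a context preloaded for token A yields a miss for token B, the filter never sees A's `repo` and `read:org` grants, and after recompute the returned context is bound to B so a later lookup for A also misses. Hashing the token before storing it keeps the secret out of the context value while still giving an exact identity to compare against.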
