Enforce current roots on every git tool call #3613

@davidahmann

Problem

The git server refreshes client roots when listing repositories, but tool execution validates repo_path only against the optional command-line repository restriction. If roots change at runtime, a repo path that used to be reachable can still be used in later tool calls.

Why now

The git server is a reference implementation for safe repository access. Root changes need to revoke access deterministically instead of relying on an undefined reconnect/restart boundary.

Version under test

  • Commit: b60eca1b3bfcd12e2afe7000882db363a1b89f6e (origin/main on 2026-03-17)
  • Runtime: Python 3.14.0, macOS darwin/arm64

Minimal repro

  1. Start the git MCP server with roots support enabled and no fixed --repository argument.
  2. Expose repo A through roots and successfully call a git tool against it.
  3. Update the client roots so repo A is no longer allowed.
  4. Reuse the old repo_path in another git tool call.

Expected behavior

The second call should be rejected based on the current roots.

Actual behavior

call_tool() only validates against the command-line repository restriction, so root-based access is not re-enforced during tool execution.

Code paths

  • src/git/src/mcp_server_git/server.py
  • src/git/tests/test_server.py
  • src/filesystem/roots-utils.ts
  • src/git/README.md

Validation target

Changing roots at runtime should revoke access to repositories that are no longer within the allowed set without requiring a restart.
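
One way to implement the per-call check described above, as an added example that is not code from the issue or from mcp_server_git. `check_repo_path`, `RepoAccessError` and `demo` are hypothetical names; the example assumes the caller passes the roots fetched from the client at call time and that an empty roots list allows nothing.

```python
import tempfile
from pathlib import Path
from typing import Iterable, Optional


class RepoAccessError(PermissionError):
    """Raised when repo_path is outside every currently allowed location."""


def _within(path: Path, base: Path) -> bool:
    # Both arguments are already resolved, so ".." segments and symlinks
    # have been collapsed before the containment comparison.
    return path == base or base in path.parents


def check_repo_path(repo_path: str, current_roots: Iterable[str],
                    cli_repository: Optional[str] = None) -> Path:
    """Hypothetical per-call gate, run before every git tool executes.

    current_roots must be the client's roots as of this call, not a list
    cached from an earlier repository listing (assumption of this example).
    """
    resolved = Path(repo_path).resolve()
    if cli_repository is not None and not _within(resolved, Path(cli_repository).resolve()):
        raise RepoAccessError(f"{repo_path} is outside the --repository restriction")
    roots = [Path(r).resolve() for r in current_roots]
    if not any(_within(resolved, root) for root in roots):
        raise RepoAccessError(f"{repo_path} is not under any current root")
    return resolved


def demo() -> list:
    """Constructed scenario following the repro steps in the issue."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        repo_a, repo_b = Path(tmp, "repo_a"), Path(tmp, "repo_b")
        repo_a.mkdir()
        repo_b.mkdir()
        roots = [str(repo_a)]                      # step 2: repo A exposed
        check_repo_path(str(repo_a), roots)
        results.append("allowed")
        roots = [str(repo_b)]                      # step 3: roots updated
        for old_path in (str(repo_a), str(repo_b / ".." / "repo_a")):
            try:
                check_repo_path(old_path, roots)   # step 4: old path reused
                results.append("allowed")
            except RepoAccessError:
                results.append("rejected")
    return results
```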
