docs: document trusted-users, --trusted-bots/--trusted-users flags, and PORT fallback

[Copilot]

Three fields/flags present in code were missing from user-facing docs, discovered by nightly reconciliation.

Changes

• README.md + docs/CONFIGURATION.md — Document trusted-users in the allow-only guard policy section alongside blocked-users and approval-labels. The field elevates specific GitHub usernames to approved integrity without lowering min-integrity globally:

  "allow-only": {
    "repos": ["myorg/*"],
    "min-integrity": "approved",
    "blocked-users": ["spam-bot"],
    "approval-labels": ["human-reviewed"],
    "trusted-users": ["alice", "trusted-contributor"]
  }

• docs/PROXY_MODE.md — Add --trusted-bots and --trusted-users to the flags table (both registered in internal/cmd/proxy.go but absent from the table).

• docs/ENVIRONMENT_VARIABLES.md — Extend the PORT/HOST/MODE note to mention that run.sh falls back to bare PORT when MCP_GATEWAY_PORT is unset.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[Copilot]

Pull request overview

Updates user-facing documentation to cover previously undocumented guard-policy fields and proxy flags, aligning docs with implemented configuration behavior in the gateway and proxy tooling.

Changes:

• Document trusted-users under the allow-only guard policy, including JSON examples.
• Add --trusted-bots and --trusted-users to the proxy mode flags table.
• Clarify run.sh environment behavior: fallback to PORT when MCP_GATEWAY_PORT is unset.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File	Description
docs/PROXY_MODE.md	Adds missing proxy CLI flags to the documented flags table.
docs/ENVIRONMENT_VARIABLES.md	Documents run.sh’s PORT fallback behavior alongside HOST/MODE.
docs/CONFIGURATION.md	Documents allow-only policy fields: blocked-users, approval-labels, and trusted-users.
README.md	Adds trusted-users to the guard policy quick reference and example.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The blocked-users description says it cannot be overridden by approval-labels, but with trusted-users now documented it would be clearer to also state that blocked-users takes precedence over trusted-users as well (this matches guard behavior: blocked-users overrides trusted-users). Otherwise readers may assume trusted-users can re-approve a blocked login.

[Copilot]

In the flags table, the --github-api-url default is shown as https://api.github.com, but the actual behavior is: empty by default, then auto-derived from GITHUB_API_URL/GITHUB_SERVER_URL, and only then falls back to https://api.github.com (see internal/cmd/proxy.go flag help + runProxy resolution). Update the Default column to reflect this auto-derive behavior so the table matches runtime behavior.