Reconcile guard-policy tags with docs and clarify stdin config behavior in Quick Start

[Copilot]

Nightly docs reconciliation flagged two high-impact mismatches: guard policy structs advertised PascalCase TOML tags while docs/examples use kebab-case, and Quick Start implied stdin JSON works universally without clarifying the direct awmg requirement for --config-stdin. This PR aligns configuration metadata with documented keys and removes ambiguity in direct vs containerized startup behavior.

• Guard policy tag normalization (internal/config/guard_policy.go)

  • Updated TOML tags from PascalCase to documented kebab-case/lowercase keys:
    • AllowOnly → allow-only
    • WriteSink → write-sink
    • Accept → accept
    • MinIntegrity → min-integrity
    • plus all related allow-only subfields (blocked-users, approval-labels, etc.)
  • Result: struct metadata now matches docs/examples and future direct TOML decoding expectations.

• README Quick Start clarification (README.md)

  • Added a callout that run_containerized.sh injects --config-stdin automatically.
  • Added explicit direct-CLI guidance that piped JSON requires --config-stdin.
  • Added a concise cross-reference for containerized-only env vars (MCP_GATEWAY_HOST, MCP_GATEWAY_MODE) to docs/ENVIRONMENT_VARIABLES.md.

• Focused test fixture update (internal/config/config_guardpolicies_test.go)

  • Updated TOML write-sink fixture/assertion key from Accept to accept to match normalized tags and documented config shape.

[servers.safeoutputs.guard_policies.write-sink]
accept = ["private:github/gh-aw*"]