fix: confirm and surface proxy mode GITHUB_SERVER_URL support for GHEC (#2676)

Proxy mode already derives the upstream GitHub API URL from
`GITHUB_SERVER_URL` (via `DeriveGitHubAPIURL`), so GHEC support is
already present on the mcpg side — the only missing piece is the
companion gh-aw change to pass `-e GITHUB_SERVER_URL` to the proxy
container.

## Changes

- **`internal/proxy/proxy_test.go`** — Adds the missing
`TestDeriveGitHubAPIURL` case for `GITHUB_SERVER_URL=https://github.com`
→ `https://api.github.com`, explicitly covering the "default behavior
unchanged" acceptance criterion.

- **`internal/cmd/proxy.go`** — Adds `Upstream: <url>` to the proxy
startup stderr banner so operators can immediately confirm which API
base is in use (e.g., `https://copilot-api.tenant.ghe.com` vs
`https://api.github.com`).

```
MCPG GitHub API Proxy
  Listening: https://0.0.0.0:18443
  Upstream:  https://copilot-api.tenant.ghe.com   ← new
  Mode:      filter
  Guard:     /guards/github/00-github-guard.wasm
```

The routing logic (`DeriveGitHubAPIURL` / `deriveAPIFromServerURL`) and
its existing tests already cover the GHEC, GHES, and github.com
derivation cases — no changes needed there.

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> - `example.com`
> - Triggering command: `/tmp/go-build2472017567/b330/launcher.test
/tmp/go-build2472017567/b330/launcher.test
-test.testlogfile=/tmp/go-build2472017567/b330/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true vHWNm7yY1 --local
x_amd64/vet committer.name` (dns block)
> - Triggering command: `/tmp/go-build3855648942/b334/launcher.test
/tmp/go-build3855648942/b334/launcher.test
-test.testlogfile=/tmp/go-build3855648942/b334/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -E -quiet -I .cfg -I
2017567/b165/_cg-unsafeptr=false -imultiarch
xl/AE-lbr-Rh99ynbK5aQF9/VI_-Daq-security` (dns block)
> - `invalid-host-that-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build2472017567/b315/config.test
/tmp/go-build2472017567/b315/config.test
-test.testlogfile=/tmp/go-build2472017567/b315/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true go S2YQJddBm
64/pkg/tool/linu-o core.hooksPath` (dns block)
> - Triggering command: `/tmp/go-build3855648942/b319/config.test
/tmp/go-build3855648942/b319/config.test
-test.testlogfile=/tmp/go-build3855648942/b319/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -o g_.a -trimpath x_amd64/compile
-p ernal/middleware-unsafeptr=false ut-1992771932.c x_amd64/compile`
(dns block)
> - `nonexistent.local`
> - Triggering command: `/tmp/go-build2472017567/b330/launcher.test
/tmp/go-build2472017567/b330/launcher.test
-test.testlogfile=/tmp/go-build2472017567/b330/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true vHWNm7yY1 --local
x_amd64/vet committer.name` (dns block)
> - Triggering command: `/tmp/go-build3855648942/b334/launcher.test
/tmp/go-build3855648942/b334/launcher.test
-test.testlogfile=/tmp/go-build3855648942/b334/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -E -quiet -I .cfg -I
2017567/b165/_cg-unsafeptr=false -imultiarch
xl/AE-lbr-Rh99ynbK5aQF9/VI_-Daq-security` (dns block)
> - `slow.example.com`
> - Triggering command: `/tmp/go-build2472017567/b330/launcher.test
/tmp/go-build2472017567/b330/launcher.test
-test.testlogfile=/tmp/go-build2472017567/b330/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true vHWNm7yY1 --local
x_amd64/vet committer.name` (dns block)
> - Triggering command: `/tmp/go-build3855648942/b334/launcher.test
/tmp/go-build3855648942/b334/launcher.test
-test.testlogfile=/tmp/go-build3855648942/b334/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -E -quiet -I .cfg -I
2017567/b165/_cg-unsafeptr=false -imultiarch
xl/AE-lbr-Rh99ynbK5aQF9/VI_-Daq-security` (dns block)
> - `this-host-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build2472017567/b339/mcp.test
/tmp/go-build2472017567/b339/mcp.test
-test.testlogfile=/tmp/go-build2472017567/b339/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true 64/src/runtime/cgo
core.hooksPath x_amd64/vet` (dns block)
> - Triggering command: `/tmp/go-build3855648942/b343/mcp.test
/tmp/go-build3855648942/b343/mcp.test
-test.testlogfile=/tmp/go-build3855648942/b343/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -W 2017567/b241/_pkg_.a
/tmp/go-build2472017567/b165/
ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet . --gdwarf2 --64
ache/go/1.25.8/x-importcfg -I /opt/hostedtoolc-s uxII/pTQM0yfdla9-w
x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet` (dns block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent)
(admins only)
>
> </details>

<!-- START COPILOT CODING AGENT TIPS -->
---

✨ Let Copilot coding agent [set things up for
you](https://github.com/github/gh-aw-mcpg/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot)
— coding agent works faster and does higher quality work when set up for
your repo.

Author: lpcox

internal/cmd/proxy.go

@@ -218,6 +218,7 @@ func runProxy(cmd *cobra.Command, args []string) error {
 		// Print connection info
 		fmt.Fprintf(os.Stderr, "\nMCPG GitHub API Proxy\n")
 		fmt.Fprintf(os.Stderr, "  Listening: %s://%s\n", scheme, actualAddr)
+		fmt.Fprintf(os.Stderr, "  Upstream:  %s\n", apiURL)
 		fmt.Fprintf(os.Stderr, "  Mode:      %s\n", proxyDIFCMode)
 		fmt.Fprintf(os.Stderr, "  Guard:     %s\n", proxyGuardWasm)
 		if tlsCfg != nil {

internal/proxy/proxy_test.go

@@ -933,6 +933,11 @@ func TestDeriveGitHubAPIURL(t *testing.T) {
 			envVars:  map[string]string{"GITHUB_SERVER_URL": "https://github.example.com"},
 			expected: "https://github.example.com/api/v3",
 		},
+		{
+			name:     "GITHUB_SERVER_URL=https://github.com falls back to api.github.com",
+			envVars:  map[string]string{"GITHUB_SERVER_URL": "https://github.com"},
+			expected: DefaultGitHubAPIBase,
+		},
 	}
 
 	for _, tt := range tests {