Copilot Review Comments

PR #8203 (📝 docs: add security model, air-gapped deployment, and local LLM guides (#8194 #8195 #8196)) was merged with 6 Copilot review comment(s) that should be addressed in a follow-up:

• README.md:174: This README addition states that users can point an OpenAI-compatible local LLM at kc-agent via GROQ_BASE_URL / OPENROUTER_BASE_URL / OPEN_WEBUI_URL. In the current code, those API-key HTTP providers ...
• docs/security/SECURITY-MODEL.md:108: The doc states that kc-agent only sends the user’s typed/pasted conversation to AI providers and that the provider_*.go HTTP call sites are the only place AI traffic originates. In the current code, I...
• docs/security/SECURITY-MODEL.md:142: The “restricted egress (no AI provider)” section ties AI enablement to API keys and ConfigManager.IsKeyAvailable(). However, the current agent registry only registers CLI-based agents and does not reg...
• docs/security/SECURITY-MODEL.md:184: This section says that the in-console AI layer supports Groq/OpenRouter/Open WebUI (with base-URL overrides) and presents them as supported providers. In the current source, those HTTP API providers a...
• docs/security/SECURITY-MODEL.md:122: This “What actually leaves the cluster” bullet references update checks via update_checker.go in the context of the backend pod. In the current tree, update_checker.go is part of the local kc-agen...
• docs/security/SECURITY-MODEL.md:264: The env var cheat sheet lists KC_DEV_MODE as a kc-agent “development mode toggle”. In the current code, the kc-agent binary’s logging/dev behavior is controlled by DEV_MODE (cmd/kc-agent/main.go),...

PR: #8203

Auto-generated by copilot-comment-followup workflow