docs: update Learning Hub for MCP config locations, folder trust, and CLI settings (v1.0.6-v1.0.10) (#1137)

- understanding-mcp-servers.md: document multiple config file locations
  (.mcp.json, .vscode/mcp.json, devcontainer.json), folder trust security
  requirement for workspace MCP servers, and experimental MCP_ALLOWLIST

- copilot-configuration-basics.md: document new camelCase CLI config
  settings (includeCoAuthoredBy, effortLevel, autoUpdatesChannel,
  statusLine), plus include_gitignored and extension_mode options

Sources: github/copilot-cli releases v1.0.6 through v1.0.10 (2026-03-16 to 2026-03-20)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: github-actions[bot]

website/src/content/docs/learning-hub/copilot-configuration-basics.md

@@ -3,7 +3,7 @@ title: 'Copilot Configuration Basics'
 description: 'Learn how to configure GitHub Copilot at user, workspace, and repository levels to optimize your AI-assisted development experience.'
 authors:
   - GitHub Copilot Learning Hub Team
-lastUpdated: 2025-11-28
+lastUpdated: 2026-03-23
 estimatedReadingTime: '10 minutes'
 tags:
   - configuration
@@ -344,6 +344,19 @@ Configuration file: `~/.copilot-cli/config.json`
 }
 ```
 
+CLI settings use **camelCase** naming. Key settings added in recent releases:
+
+| Setting | Description |
+|---------|-------------|
+| `includeCoAuthoredBy` | Include Co-authored-by trailer in commits |
+| `effortLevel` | Default reasoning effort level (`low`, `medium`, `high`) |
+| `autoUpdatesChannel` | Update channel (`stable`, `preview`) |
+| `statusLine` | Show status line in the terminal UI |
+| `include_gitignored` | Include gitignored files in `@` file search |
+| `extension_mode` | Control extensibility (agent tools and plugins) |
+
+> **Note**: Older snake_case names (e.g., `include_gitignored`, `auto_updates_channel`) are still accepted for backward compatibility, but camelCase is now the preferred format.
+
 ## Common Questions
 
 **Q: How do I disable Copilot for specific files?**

website/src/content/docs/learning-hub/understanding-mcp-servers.md

@@ -3,7 +3,7 @@ title: 'Understanding MCP Servers'
 description: 'Learn how Model Context Protocol servers extend GitHub Copilot with access to external tools, databases, and APIs.'
 authors:
   - GitHub Copilot Learning Hub Team
-lastUpdated: 2026-02-26
+lastUpdated: 2026-03-23
 estimatedReadingTime: '8 minutes'
 tags:
   - mcp
@@ -61,7 +61,17 @@ GitHub Copilot provides several **built-in tools** that are always available:
 
 ## Configuring MCP Servers
 
-MCP servers are configured per-workspace in `.vscode/mcp.json`:
+MCP servers are configured per-workspace. GitHub Copilot CLI discovers server definitions from several locations (loaded in order):
+
+| File | Scope | Notes |
+|------|-------|-------|
+| `.mcp.json` | Repository root | Preferred for repo-shared configuration |
+| `.vscode/mcp.json` | VS Code workspace | VS Code–compatible workspace config |
+| `devcontainer.json` | Dev container | Available when running inside a container |
+
+> **Security**: Workspace MCP servers are loaded **only after folder trust is confirmed**. If you haven't explicitly trusted a folder, servers defined in its config files won't start — protecting you from malicious MCP server configurations in untrusted repositories.
+
+Example `.mcp.json` or `.vscode/mcp.json`:
 
 ```json
 {
@@ -193,8 +203,9 @@ MCP server SDKs are available in [Python](https://github.com/modelcontextprotoco
 - **Principle of least privilege**: Only give MCP servers the minimum access they need. Use read-only database connections for analysis agents.
 - **Keep secrets out of config files**: Use `${input:variableName}` for API keys and connection strings, or load from environment variables.
 - **Document your servers**: Add comments or a README explaining which MCP servers your project uses and why.
-- **Version control carefully**: Commit `.vscode/mcp.json` for shared server configurations, but use `.gitignore` for any files containing credentials.
+- **Version control carefully**: Commit `.mcp.json` or `.vscode/mcp.json` for shared server configurations, but use `.gitignore` for any files containing credentials.
 - **Test server connectivity**: Verify MCP servers start correctly before relying on them in agent workflows.
+- **Use the MCP allowlist (experimental)**: In high-security environments, the `MCP_ALLOWLIST` feature flag lets you validate MCP servers against a configured registry, blocking unrecognized servers from loading. This is an experimental feature for enterprise environments requiring strict control over which MCP servers are permitted.
 
 ## Common Questions