Document primaryUpstreamProvider in vMCP prose docs

Addresses #5199 review body (doc-strategy question):
- docs/operator/virtualmcpserver-api.md: expand the authzConfig field
  description to document the full InlineAuthzConfig/ConfigMapAuthzRef
  shape, including primaryUpstreamProvider with its precondition
  (multiple upstreamProviders configured) and rejection behavior.
- docs/operator/virtualmcpserver-kubernetes-guide.md: add a brief
  callout in the Authorization Policy Errors section explaining when
  to pin a specific upstream IDP via primaryUpstreamProvider.

Author: tgrunnagle

docs/operator/virtualmcpserver-api.md

@@ -83,6 +83,17 @@ Configures authentication for clients connecting to the Virtual MCP server. Reus
   - `audience` (string, required): Must be unique per server to prevent token replay
   - `scopes` ([]string, optional): Defaults to `["openid"]`
 - `authzConfig` (AuthzConfigRef, optional): Authorization policy configuration
+  - `type` (string, required): `inline` or `configMap`
+  - `inline` (InlineAuthzConfig, required when type=inline): Inline Cedar policies
+    - `policies` ([]string, required): Cedar policy strings
+    - `entitiesJson` (string, optional): Cedar entities (JSON)
+    - `primaryUpstreamProvider` (string, optional): Names the upstream IDP whose
+      access token claims Cedar should evaluate. Only meaningful when
+      `spec.authServerConfig` is set with multiple upstreamProviders. When
+      empty, the controller defaults to the first upstream. Must match a
+      configured upstream name; the VirtualMCPServer is rejected with
+      `AuthServerConfigValidated=False` otherwise.
+  - `configMap` (ConfigMapAuthzRef, required when type=configMap): Reference to a ConfigMap holding policies
 
 **Important**: The `type` field must always be explicitly specified. When no authentication is required, use `type: anonymous`.
 

docs/operator/virtualmcpserver-kubernetes-guide.md

@@ -625,6 +625,20 @@ Then gradually add restrictions. Common Cedar policy issues:
 - Verify attribute names match token claims
 - Test policies with different user roles
 
+**Multiple upstream IDPs**: when `spec.authServerConfig` declares more than
+one `upstreamProviders` entry, Cedar evaluates claims from the first one by
+default. Pin a specific provider explicitly via
+`authzConfig.inline.primaryUpstreamProvider`:
+
+```yaml
+authzConfig:
+  type: inline
+  inline:
+    primaryUpstreamProvider: okta   # must match one of the configured upstreams
+    policies:
+      - 'permit(principal, action, resource);'
+```
+
 ### Backend Discovery Issues
 
 #### Backends Not Discovered