docs: fix documentation drift — enable command, engine install steps, command field (#597)

Author: github-actions[bot]

README.md

@@ -494,6 +494,7 @@ Commands:
   mcp-http      Run as an HTTP MCP server (for MCPG integration)
   execute       Execute safe outputs (Stage 3)
   configure     Detect agentic pipelines and update GITHUB_TOKEN on ADO definitions
+  enable        Register ADO build definitions for compiled pipelines and ensure they are enabled
 
 Options:
   -v, --verbose              Enable info-level logging

docs/engine.md

@@ -29,7 +29,7 @@ engine:
 | `api-target` | string | *(none)* | Custom API endpoint hostname for GHES/GHEC (e.g., `"api.acme.ghe.com"`). Adds `--api-target <hostname>` to the CLI invocation and adds the hostname to the AWF network allowlist. |
 | `args` | list | `[]` | Custom CLI arguments appended after compiler-generated args. Subject to shell-safety validation and blocked from overriding compiler-controlled flags (`--prompt`, `--allow-tool`, `--disable-builtin-mcps`, etc.). |
 | `env` | map | *(none)* | Engine-specific environment variables merged into the sandbox step's `env:` block. Keys must be valid env var names; values must not contain ADO expressions (`$(`, `${{`) or pipeline command injection (`##vso[`). Compiler-controlled keys (`GITHUB_TOKEN`, `PATH`, `BASH_ENV`, etc.) are blocked. |
-| `command` | string | *(none)* | Custom engine executable path (skips default NuGet installation). The path must be accessible inside the AWF container (e.g., `/tmp/...` or workspace-mounted paths). |
+| `command` | string | *(none)* | Custom engine executable path (skips the default engine binary installation — NuGet for `target: 1es`, GitHub Releases for all other targets). The path must be accessible inside the AWF container (e.g., `/tmp/...` or workspace-mounted paths). |
 
 
 ### `timeout-minutes`

docs/template-markers.md

@@ -161,12 +161,20 @@ job- and stage-level templates don't emit a top-level pipeline name.
 
 ## {{ engine_install_steps }}
 
-Should be replaced with engine-specific pipeline steps to install the engine binary. Generated by `Engine::install_steps()`. For Copilot, this produces:
+Should be replaced with engine-specific pipeline steps to install the engine binary. Generated by `Engine::install_steps()`. The install strategy is **target-aware**:
+
+**For `target: 1es`** — authenticates with an internal Azure Artifacts NuGet feed and installs the package:
 - `NuGetAuthenticate@1` task
-- `NuGetCommand@2` task to install `Microsoft.Copilot.CLI.linux-x64` (uses `engine.version` if set, otherwise `COPILOT_CLI_VERSION` constant)
+- `NuGetCommand@2` task to install `Microsoft.Copilot.CLI.linux-x64` from `pkgs.dev.azure.com/msazuresphere/_packaging/Guardian1ESPTUpstreamOrgFeed` (uses `engine.version` if set, otherwise `COPILOT_CLI_VERSION` constant; omits `-Version` flag when `"latest"`)
 - Bash step to copy binary to `/tmp/awf-tools/copilot`
 - Bash step to verify installation
 
+**For all other targets (standalone, job, stage)** — downloads from GitHub Releases with SHA256 checksum verification:
+- Bash step that: resolves `SHA256SUMS.txt` and the tarball from the GitHub Releases URL for the configured version, verifies the SHA256 checksum, extracts the binary, copies it to `/tmp/awf-tools/copilot`
+- Bash step to verify installation
+
+Both paths stage the binary at `/tmp/awf-tools/copilot`.
+
 Returns empty when `engine.command` is set (user provides own binary).
 
 ## {{ engine_run }}