Update CODEOWNERS, fix CI setup, and enhance plugin functionality

.claude-plugin/marketplace.json

@@ -6,7 +6,7 @@
   },
   "metadata": {
     "description": "Rosetta 2.0 - Enterprise knowledge management system providing AI agents with unified access to instructions, workflows, skills, and business context",
-    "version": "2.0.4"
+    "version": "2.0.5"
   },
   "plugins": [
     {

.github/CODEOWNERS

@@ -5,10 +5,10 @@
 docs/web/** @omaiesh
 
 # Granular code ownership
-/instructions/ @k-bieniek @scappuccino-grid @YevheniiaLementova
-/docs/ @k-bieniek @scappuccino-grid @YevheniiaLementova
-/plans/ @k-bieniek @scappuccino-grid @YevheniiaLementova
-/*.md @k-bieniek @scappuccino-grid @YevheniiaLementova
+/instructions/ @ElizaVetaFomka @YevheniiaLementova
+/docs/ @ElizaVetaFomka @YevheniiaLementova
+/plans/ @ElizaVetaFomka @YevheniiaLementova
+/*.md @ElizaVetaFomka @YevheniiaLementova
 
 .github/ @kkhristenko51 @omaiesh
 /tools @kkhristenko51 @omaiesh

.github/workflows/publish-ims-mcp.yml

@@ -30,6 +30,15 @@ jobs:
         pip install build twine
         echo "$GITHUB_WORKSPACE/venv/bin" >> $GITHUB_PATH
 
+    - name: Set up Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: '24'
+
+    - name: Install rosettify dependencies
+      working-directory: ./rosettify
+      run: npm ci
+
     - name: Run type validation
       run: |
         chmod +x validate-types.sh

.github/workflows/publish-rosettify.yml

@@ -19,7 +19,7 @@ jobs:
     - name: Set up Node.js
       uses: actions/setup-node@v4
       with:
-        node-version: '22'
+        node-version: '24'
         registry-url: 'https://registry.npmjs.org'
 
     - name: Install dependencies

.github/workflows/rosetta-mcp-dockerhub.yaml

@@ -49,6 +49,15 @@ jobs:
           pip install -r requirements.txt
           echo "$GITHUB_WORKSPACE/venv/bin" >> $GITHUB_PATH
 
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '24'
+
+      - name: Install rosettify dependencies
+        working-directory: ./rosettify
+        run: npm ci
+
       - name: Run type validation
         run: |
           chmod +x validate-types.sh

CONTRIBUTING.md

@@ -51,6 +51,8 @@ Rosetta is a prompt engineering system. Prompt changes have outsized impact and
 
 **Use the prompting flow.** The [`coding-agents-prompting-flow`](USAGE_GUIDE.md#workflows) with `coding-agents-prompt-authoring` skill helps you author, design, refactor, harden, and modernize prompt families (agents, skills, workflows, workflow phases, rules). It understands Rosetta internals. Use it with Opus 4.6 model.
 
+> **Note:** The `grid` scope is an enterprise extension not included in this OSS repository. You can access it via Rosetta MCP or by downloading the enterprise instructions package (offline mode). Example 3 uses MCP-specific ACQUIRE ... FROM KB syntax; Examples 1 and 2 work in both modes.
+
 Examples:
 
 1. Refactoring old rosetta prompt to new:
@@ -63,7 +65,7 @@ Examples:
    MUST FULLY EXECUTE `instructions/r2/grid/workflows/coding-agents-prompting-flow.md` to author a new R2 Rosetta <skill/agent/workflow/rule/prompt family> `<name>` in `grid` scope: <description of what it should be>
    ```
 
-3. Using Rosetta MCP
+3. Using Rosetta MCP:
    ```
    MUST ACQUIRE coding-agents-prompting-flow.md FROM KB AND FULLY EXECUTE IT to author a new R2 Rosetta <skill/agent/workflow/rule/prompt family> `<name>` in `grid` scope: <description of what it should be>
    ```

DEPLOYMENT_GUIDE.md

@@ -281,21 +281,49 @@ Users must re-authenticate and in-flight plans are lost after any of these. Plan
 
 ### Security
 
-**OAuth 2.1:** Rosetta MCP authenticates IDE clients via [OAuthProxy](https://gofastmcp.com/servers/auth/oauth-proxy), which bridges any OAuth provider (Keycloak, GitHub, Google, Azure, etc.) with MCP's authentication flow. Required environment variables:
-
-- `ROSETTA_OAUTH_MODE` — `oauth` (token introspection, default) or `oidc` (JWT validation via OIDC discovery doc)
-- `ROSETTA_OAUTH_OIDC_CONFIG_URL` — IdP OIDC discovery URL; required when `ROSETTA_OAUTH_MODE=oidc` - example: "https://idp.example.com/realms/<realm>/.well-known/openid-configuration"
-- `ROSETTA_OAUTH_AUTHORIZATION_ENDPOINT` - example: "https://idp.example.com/realms/<realm>/protocol/openid-connect/auth"
-- `ROSETTA_OAUTH_TOKEN_ENDPOINT` - example: "https://idp.example.com/realms/<realm>/protocol/openid-connect/token"
-- `ROSETTA_OAUTH_INTROSPECTION_ENDPOINT` - example: "https://idp.example.com/realms/<realm>/protocol/openid-connect/token/introspect"
-- `ROSETTA_OAUTH_REVOCATION_ENDPOINT` - example: "https://idp.example.com/realms/<realm>/protocol/openid-connect/revoke"
-- `ROSETTA_OAUTH_BASE_URL` - example: "https://rosetta-dev.example.com"
-- `ROSETTA_OAUTH_REQUIRED_SCOPES` — scopes required by FastMCP OAuthProxy on inbound tokens from MCP clients, **must** include `offline_access`
-- `ROSETTA_OAUTH_VALID_SCOPES` — scopes advertised in `.well-known`; leave empty to derive from `ROSETTA_OAUTH_REQUIRED_SCOPES`
-- `ROSETTA_OAUTH_EXTRA_SCOPES` — scopes forwarded to upstream IdP authorization endpoint, **must** be `openid email profile offline_access`
-
-The `offline_access` scope is critical: it enables refresh tokens so users authenticate once instead of re-authenticating daily. 
-Your OAuth provider must be configured to allow this scope.
+**OAuth 2.1:** Rosetta MCP authenticates IDE clients via [OAuthProxy](https://gofastmcp.com/servers/auth/oauth-proxy), which bridges any OAuth provider with MCP's authentication flow. Three modes are available, controlled by `ROSETTA_OAUTH_MODE`:
+
+**`oauth` mode** (default) — generic OAuth 2.0 with token introspection:
+
+| Env var | Example | Purpose |
+|---|---|---|
+| `ROSETTA_OAUTH_AUTHORIZATION_ENDPOINT` | `https://idp.example.com/realms/<realm>/protocol/openid-connect/auth` | IdP authorize endpoint |
+| `ROSETTA_OAUTH_TOKEN_ENDPOINT` | `https://idp.example.com/realms/<realm>/protocol/openid-connect/token` | IdP token endpoint |
+| `ROSETTA_OAUTH_INTROSPECTION_ENDPOINT` | `https://idp.example.com/realms/<realm>/protocol/openid-connect/token/introspect` | IdP introspection endpoint |
+| `ROSETTA_OAUTH_CLIENT_ID` | | Pre-registered IdP client ID |
+| `ROSETTA_OAUTH_CLIENT_SECRET` | | IdP client secret |
+| `ROSETTA_OAUTH_BASE_URL` | `https://rosetta-dev.example.com` | Public URL of Rosetta MCP |
+| `ROSETTA_JWT_SIGNING_KEY` | | Secret for signing FastMCP JWTs |
+| `ROSETTA_OAUTH_REVOCATION_ENDPOINT` | `https://idp.example.com/realms/<realm>/protocol/openid-connect/revoke` | *(optional)* Token revocation URL |
+| `ROSETTA_OAUTH_REQUIRED_SCOPES` | `offline_access` | *(optional)* Scopes required on tokens; **must** include `offline_access` |
+| `ROSETTA_OAUTH_VALID_SCOPES` | | *(optional)* Scopes advertised in `.well-known`; leave empty to derive from `REQUIRED_SCOPES` |
+| `ROSETTA_OAUTH_EXTRA_SCOPES` | `openid email profile offline_access` | *(optional)* Scopes forwarded to IdP authorize endpoint |
+
+The `offline_access` scope is critical: it enables refresh tokens so users authenticate once instead of re-authenticating daily. Your OAuth provider must be configured to allow this scope.
+
+**`oidc` mode** — OIDC auto-discovery with local JWT verification:
+
+| Env var | Example | Purpose |
+|---|---|---|
+| `ROSETTA_OAUTH_OIDC_CONFIG_URL` | `https://idp.example.com/realms/<realm>/.well-known/openid-configuration` | IdP OIDC discovery URL |
+| `ROSETTA_OAUTH_CLIENT_ID` | | Pre-registered IdP client ID |
+| `ROSETTA_OAUTH_CLIENT_SECRET` | | IdP client secret |
+| `ROSETTA_OAUTH_BASE_URL` | `https://rosetta-dev.example.com` | Public URL of Rosetta MCP |
+| `ROSETTA_JWT_SIGNING_KEY` | | Secret for signing FastMCP JWTs |
+| `ROSETTA_OAUTH_REQUIRED_SCOPES` | `offline_access` | *(optional)* Scopes required on tokens |
+| `ROSETTA_OAUTH_EXTRA_SCOPES` | `openid email profile offline_access` | *(optional)* Scopes forwarded to IdP authorize endpoint |
+
+**`github` mode** — [GitHub OAuth](https://gofastmcp.com/integrations/github) with API-based token verification:
+
+| Env var | Example | Purpose |
+|---|---|---|
+| `ROSETTA_OAUTH_CLIENT_ID` | `Ov23liAbcDefGhiJkLmN` | GitHub OAuth App Client ID |
+| `ROSETTA_OAUTH_CLIENT_SECRET` | | GitHub OAuth App Client Secret |
+| `ROSETTA_OAUTH_BASE_URL` | `https://rosetta.example.com` | Public URL of Rosetta MCP (HTTPS required) |
+| `ROSETTA_JWT_SIGNING_KEY` | | Secret for signing FastMCP JWTs |
+| `ROSETTA_OAUTH_REQUIRED_SCOPES` | `user` | *(optional)* Required GitHub scopes (default: `user`) |
+
+GitHub endpoints are hardcoded. Create a GitHub OAuth App at [github.com/settings/developers](https://github.com/settings/developers) and set the callback URL to `<ROSETTA_OAUTH_BASE_URL>/auth/callback`.
 
 **Secrets** (use ESO, Vault, or manual Kubernetes secrets):
 

INSTALLATION.md

@@ -13,19 +13,19 @@
 
 ## Choose Your Mode
 
-|                    | HTTP (recommended)          | STDIO                                   | Plugin                                       | Offline                                     |
+|                    | HTTP          | STDIO                                   | Plugin                                       | Offline                                     |
 | ------------------ | --------------------------- | --------------------------------------- | -------------------------------------------- | ------------------------------------------- |
-| Setup              | Single URL, OAuth automatic | Env vars, API key per user              | CLI marketplace commands (installs HTTP MCP) | Download zip, copy files                    |
+| Setup              | Single URL, OAuth automatic | Env vars, API key per user              | IDE-specific install or extract zip          | Download zip, copy files                    |
 | Local dependencies | None                        | Python 3.12+, uvx                       | None                                         | None                                        |
-| Auth               | OAuth via browser           | API key from Rosetta Server             | OAuth via browser (HTTP MCP)                 | None                                        |
-| Network            | Requires internet           | Requires internet                       | Requires internet                            | No network needed (with local models)       |
-| Best for           | Most users                  | Custom configs, controlled environments | Claude Code, Cursor                          | Air-gapped or highly regulated environments |
+| Auth               | OAuth via browser           | API key from Rosetta Server             | None                                         | None                                        |
+| Network            | Requires internet           | Requires internet                       | Download only                                | No network needed (with local models)       |
+| Best for           | Most users                  | Custom configs, controlled environments | Claude Code, VS Code Copilot, Codex          | Air-gapped or highly regulated environments |
 
 ## Step 1: Install
 
 Pick one mode and follow its section.
 
-### HTTP Transport (Recommended)
+### HTTP Transport
 
 One URL, no local dependencies, OAuth handles authentication automatically.
 
@@ -409,33 +409,45 @@ Required for STDIO transport. Optional otherwise.
 
 Do not set `VERSION`. It uses a server-controlled default for managed upgrades. See [Architecture — Tradeoffs](docs/ARCHITECTURE.md#tradeoffs) for rationale.
 
-### Plugin-Based Installation
+### Plugin-Based Installation (pre-release)
 
-Rosetta publishes plugins for Claude Code and Cursor through the plugin marketplace. Install to your user profile for use across all projects.
-
-Two modes:
-
-- **Lightweight (recommended):** bootstrap rule and MCP server definition only. Smallest footprint, behavior driven by MCP.
-- **Full:** core (20 skills, 7 agents, 4 workflows, bootstrap rules) plus optional grid enterprise extensions. Requires core 2.0.0+ for grid.
+Rosetta publishes plugins for supported IDEs. Each plugin installs core (20 skills, 7 agents, 4 workflows, bootstrap rules).
 
 Read more about plugin contents and capabilities in the [Usage Guide — Plugins](USAGE_GUIDE.md#plugins).
 
 #### Claude Code
 
 ```sh
 claude plugin marketplace add griddynamics/rosetta
+claude plugin install core@rosetta
+```
 
-# Lightweight (recommended)
-claude plugin install rosetta@rosetta
+Updating after installation:
 
-# Full
-claude plugin install core@rosetta
-claude plugin install grid@rosetta           # Enterprise (optional, requires core)
+```sh
+claude plugin marketplace update rosetta
+claude plugin update core@rosetta
 ```
 
-#### Cursor
+#### VS Code / GitHub Copilot
+
+Install `core-copilot` via VS Code Copilot Plugins (not VS Code extensions).
 
-Cursor plugin cannot be installed locally. 
+#### JetBrains / GitHub Copilot
+
+1. Download `core-copilot-*.zip` from the [latest release](https://github.com/griddynamics/rosetta/releases/latest)
+2. Create a `.github` folder in your repository and extract the archive contents into it
+3. Delete files not needed for JetBrains: `.github/.mcp.json`, `.github/hooks.json`, `.github/templates`, `.github/rules/bootstrap.md`
+4. Copy the contents of `.github/rules/plugin-files-mode.md` into `.github/copilot-instructions.md` and append before the closing `</plugin_files_mode>` tag: `Rosetta plugin root: ".github", get_context_instructions: must read fully all five "cat .github/rules/bootstrap-*.md" files all lines. You MUST FOLLOW ALL instructions and then MUST select workflow and execute it. All workflows are stored in ".github/rules/<workflowtag>.md".`
+5. Enable in JetBrains GitHub Copilot settings: Agent Mode, Custom Agent, Coding Agent, Subagent, Skills
+
+#### Codex
+
+Download `core-codex-*.zip` from the [latest release](https://github.com/griddynamics/rosetta/releases/latest), extract on top of the repository, and enable hooks:
+
+```sh
+codex features enable codex_hooks
+```
 
 ### Offline Installation (No MCP)
 
@@ -561,8 +573,9 @@ After initialization, Rosetta maintains these files in your repository. Read mor
 
 **Plugins:**
 
-- **Claude Code:** `claude plugin uninstall rosetta@rosetta` (or `core@rosetta`, `grid@rosetta` for full install)
-- **Cursor:** Remove the `.cursor-plugin/` directory from your project
+- **Claude Code:** `claude plugin uninstall core@rosetta`
+- **VS Code / GitHub Copilot:** Remove the Copilot agent plugin
+- **Codex:** Delete the extracted plugin files from the repository
 
 **Offline:**