Add warpctrl specs and core foundation

[zachlloyd]

Description

Combines the Warp Control CLI specs with the bottom implementation foundation branch so the first review covers the product/security contract together with the protocol, settings, bridge, and CLI scaffolding that enforce it.

This PR introduces:

• specs/warp-control-cli product, technical, and security specs for warpctrl.
• Shared local_control protocol/catalog/discovery/auth scaffolding.
• warpctrl CLI skeleton, parsing/output/completion wiring, and bundle-script artifact hooks.
• Settings > Scripting local-control gates with granular permission categories.
• App-side local-control bridge/server skeleton and initial metadata/action handling.
• Minimum tab.create smoke path for end-to-end app-state mutation validation.

Stacking note: this is now the bottom branch in the review stack. The old separate zach/warp-cli-specs branch is migration-source/history only; higher branches have been rebased so the spec strategy change is present throughout the stack.

Plan artifact: https://staging.warp.dev/drive/notebook/te3sARuytLc0FH9djXbiuV
Conversation: https://staging.warp.dev/conversation/0a915911-cf6f-4186-99e7-754dd9982156

Linked Issue

• The linked issue is labeled ready-to-spec or ready-to-implement.
• Where appropriate, screenshots or a short video of the implementation are included below (especially for user-visible or UI changes).

Testing

• cargo check --manifest-path /Users/zach/Projects/warp_2/Cargo.toml -p local_control -p warp_cli

• cargo check --manifest-path /Users/zach/Projects/warp_2/Cargo.toml -p warp --features warp_control_cli

• cargo nextest run --manifest-path /Users/zach/Projects/warp_2/Cargo.toml --no-fail-fast --workspace local_control (22/22 passed after foundation hardening)

• git diff --check

• I have manually tested my changes locally with ./script/run

Screenshots / Videos

Not included for this foundation PR. End-to-end visual verification is documented as a follow-up review-readiness requirement in the spec before broader command-family PRs are considered complete.

Agent Mode

• Warp Agent Mode - This PR was created via Warp's AI Agent Mode

CHANGELOG-NONE

Co-Authored-By: Oz oz-agent@warp.dev

[oz-for-oss]

@zachlloyd

I'm starting a first review of this pull request.

You can view the conversation on Warp.

I completed the review and no human review was requested for this pull request.

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

[oz-for-oss]

Overview

This PR adds the initial warpctrl foundation: specs, a shared local-control protocol/auth/discovery crate, app-side bridge/server scaffolding, Settings > Scripting controls, CLI command wiring, and packaging hooks.

Concerns

• [SECURITY] The authoritative local-control enablement and permission gates are ordinary private settings, which does not meet the protected-storage requirement for preventing external same-user tools from silently enabling outside-Warp control.
• The CLI always requests an OutsideWarp credential, so the default inside-Warp-enabled path cannot actually be used and default warpctrl invocations from Warp are denied while outside-Warp remains disabled.
• The PR turns on dogfood/runtime exposure for the new listener and Settings UI without the required screenshots or screen recording; the description explicitly says visual evidence is not included.
• The diff also enables RemoteCodeReview in dogfood flags, which is unrelated to the warpctrl foundation and should not ship as part of this PR unless it is intentional and validated here.

Security

• The local-control settings need a protected app-owned backend (for example, Keychain/DPAPI or equivalent) before outside-Warp grants can rely on them as authoritative. private: true only keeps them out of the public settings file; it does not by itself satisfy the security contract described in the PR's own specs.

Verdict

Found: 0 critical, 4 important, 0 suggestions

Request changes

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

[oz-for-oss]

⚠️ [IMPORTANT] [SECURITY] private: true still routes these gates through the normal private preferences backend, so an external same-user process can flip LocalControlAllowOutsideWarp without using Settings > Scripting. The security contract requires protected app-owned storage for the authoritative enablement and permission gates; use that backend here or keep outside-Warp credential issuance unavailable until it exists.

[oz-for-oss]

⚠️ [IMPORTANT] warpctrl always requests an OutsideWarp grant, so commands launched inside Warp are denied by the default OutsideWarp=false setting and never use the inside-Warp defaults/proof path. Detect Warp-terminal invocation and attach a verified proof, or do not advertise/default-enable the inside-Warp path until the CLI can request it.

[oz-for-oss]

⚠️ [IMPORTANT] This unrelated RemoteCodeReview dogfood rollout is being introduced by the warpctrl foundation PR. Remove it from this diff unless this PR intentionally owns that rollout and includes its validation.

[oz-for-oss]

⚠️ [IMPORTANT] This enables the new local-control listener and Settings > Scripting UI for all dogfood users, but the PR description says no screenshots/videos are included and the protected-storage gate is still missing. Keep WarpControlCli out of DOGFOOD_FLAGS until the visual/E2E and security rollout criteria are satisfied.