feat(workspaces): complete milestone 1 with deployment primitives

packages/workspace-manager/.dockerignore

@@ -0,0 +1,5 @@
+node_modules
+dist
+.git
+docker
+terraform

packages/workspace-manager/Dockerfile

@@ -0,0 +1,20 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+# Standard Hub Dockerfile
+FROM node:20-slim
+
+WORKDIR /app
+
+COPY package.json package-lock.json ./
+RUN npm ci
+
+COPY . .
+RUN npm run build
+
+EXPOSE 8080
+
+CMD ["npm", "start"]

packages/workspace-manager/terraform/modules/workspace-hub/main.tf

@@ -0,0 +1,55 @@
+# Copyright 2026 Google LLC
+# SPDX-License-Identifier: Apache-2.0
+
+resource "google_service_account" "hub_sa" {
+  account_id   = "workspace-hub-sa"
+  display_name = "Gemini CLI Workspace Hub Service Account"
+}
+
+resource "google_project_iam_member" "compute_admin" {
+  project = var.project_id
+  role    = "roles/compute.instanceAdmin.v1"
+  member  = "serviceAccount:${google_service_account.hub_sa.email}"
+}
+
+resource "google_project_iam_member" "firestore_user" {
+  project = var.project_id
+  role    = "roles/datastore.user"
+  member  = "serviceAccount:${google_service_account.hub_sa.email}"
+}
+
+resource "google_project_iam_member" "sa_user" {
+  project = var.project_id
+  role    = "roles/iam.serviceAccountUser"
+  member  = "serviceAccount:${google_service_account.hub_sa.email}"
+}
+
+resource "google_cloud_run_v2_service" "hub" {
+  name     = "workspace-hub"
+  location = var.region
+  ingress  = "INGRESS_TRAFFIC_ALL"
+
+  template {
+    service_account = google_service_account.hub_sa.email
+    containers {
+      image = var.hub_image_uri
+      env {
+        name  = "GOOGLE_CLOUD_PROJECT"
+        value = var.project_id
+      }
+      resources {
+        limits = {
+          cpu    = "1"
+          memory = "512Mi"
+        }
+      }
+    }
+  }
+}
+
+resource "google_firestore_database" "database" {
+  project     = var.project_id
+  name        = "(default)"
+  location_id = var.region
+  type        = "FIRESTORE_NATIVE"
+}

packages/workspace-manager/terraform/modules/workspace-hub/variables.tf

@@ -0,0 +1,18 @@
+# Copyright 2026 Google LLC
+# SPDX-License-Identifier: Apache-2.0
+
+variable "project_id" {
+  description = "The GCP project ID"
+  type        = string
+}
+
+variable "region" {
+  description = "The GCP region to deploy to"
+  type        = string
+  default     = "us-west1"
+}
+
+variable "hub_image_uri" {
+  description = "The Docker image URI for the Workspace Hub"
+  type        = string
+}