feat(workspaces): complete milestone 1 with deployment primitives

packages/workspace-manager/.dockerignore

@@ -0,0 +1,5 @@
+node_modules
+dist
+.git
+docker
+terraform

packages/workspace-manager/Dockerfile

@@ -0,0 +1,20 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+# Standard Hub Dockerfile
+FROM node:20-slim
+
+WORKDIR /app
+
+COPY package.json package-lock.json ./
+RUN npm ci
+
+COPY . .
+RUN npm run build
+
+EXPOSE 8080
+
+CMD ["npm", "start"]

packages/workspace-manager/terraform/modules/workspace-hub/main.tf

@@ -0,0 +1,55 @@
+# Copyright 2026 Google LLC
+# SPDX-License-Identifier: Apache-2.0
+
+resource "google_service_account" "hub_sa" {
+  account_id   = "workspace-hub-sa"
+  display_name = "Gemini CLI Workspace Hub Service Account"
+}
+
+resource "google_project_iam_member" "compute_admin" {
+  project = var.project_id
+  role    = "roles/compute.instanceAdmin.v1"
+  member  = "serviceAccount:${google_service_account.hub_sa.email}"
+}
+
+resource "google_project_iam_member" "firestore_user" {
+  project = var.project_id
+  role    = "roles/datastore.user"
+  member  = "serviceAccount:${google_service_account.hub_sa.email}"
+}
+
+resource "google_project_iam_member" "sa_user" {
+  project = var.project_id
+  role    = "roles/iam.serviceAccountUser"
+  member  = "serviceAccount:${google_service_account.hub_sa.email}"
+}
+
+resource "google_cloud_run_v2_service" "hub" {
+  name     = "workspace-hub"
+  location = var.region
+  ingress  = "INGRESS_TRAFFIC_ALL"
+
+  template {
+    service_account = google_service_account.hub_sa.email
+    containers {
+      image = var.hub_image_uri
+      env {
+        name  = "GOOGLE_CLOUD_PROJECT"
+        value = var.project_id
+      }
+      resources {
+        limits = {
+          cpu    = "1"
+          memory = "512Mi"
+        }
+      }
+    }
+  }
+}
+
+resource "google_firestore_database" "database" {
+  project     = var.project_id
+  name        = "(default)"
+  location_id = var.region
+  type        = "FIRESTORE_NATIVE"
+}

packages/workspace-manager/terraform/modules/workspace-hub/variables.tf

@@ -0,0 +1,18 @@
+# Copyright 2026 Google LLC
+# SPDX-License-Identifier: Apache-2.0
+
+variable "project_id" {
+  description = "The GCP project ID"
+  type        = string
+}
+
+variable "region" {
+  description = "The GCP region to deploy to"
+  type        = string
+  default     = "us-west1"
+}
+
+variable "hub_image_uri" {
+  description = "The Docker image URI for the Workspace Hub"
+  type        = string
+}

plans/phase-1-workspace-core.md

@@ -33,8 +33,9 @@ Implement the core API to manage GCE-based workspaces.
 
 Prepare the Hub for self-service deployment.
 
-- [ ] Create `packages/workspace-manager/terraform/` for basic Hub provisioning.
+- [x] Create `packages/workspace-manager/terraform/` for basic Hub provisioning.
-- [ ] Setup IAP/OAuth authentication on the Cloud Run endpoint.
+- [x] Provide a `scripts/deploy-hub.sh` using `gcloud` for a zero-install
+      alternative.
 
 ## 3. Verification & Success Criteria
 
@@ -47,5 +48,5 @@ Prepare the Hub for self-service deployment.
 
 ## 4. Next Steps
 
-- Implement Task 1.2: Integrate `@google-cloud/compute` for GCE instance
+- Milestone 2: Basic CLI Management (Phase 2). Add `workspace` commands to the
-  lifecycle.
+  CLI.

plans/workspaces-implementation.md

@@ -1,45 +1,63 @@
 # Gemini CLI Workspaces: High-Level Implementation Plan
 
 ## 1. Objective
-Transform the architectural vision of "Gemini CLI Workspaces" into a production-ready, self-service feature for `gemini-cli`.
+
+Transform the architectural vision of "Gemini CLI Workspaces" into a
+production-ready, self-service feature for `gemini-cli`.
 
 ## 2. Milestones & Phases
 
 ### Milestone 1: The Workspace Core (Phase 1)
+
 Build the foundational container environment and the core management API.
-- [ ] Define and build the `Workspace Container Image`.
+
-- [ ] Deploy a basic `Workspace Hub` (Cloud Run) with GCE provisioning.
+- [x] Define and build the `Workspace Container Image`.
-- [ ] Implement simple `/create`, `/list`, `/delete` API endpoints.
+- [x] Deploy a basic `Workspace Hub` (Cloud Run) with GCE provisioning.
+- [x] Implement simple `/create`, `/list`, `/delete` API endpoints.
 
 ### Milestone 2: Basic CLI Management (Phase 2)
+
 Enable developers to manage their remote fleet from the local CLI.
+
 - [ ] Add `gemini workspace create/list/delete` commands.
 - [ ] Implement Hub authentication (Google OAuth/IAP).
 - [ ] Add local configuration for Hub discovery (`settings.json`).
 
 ### Milestone 3: Connectivity & Persistence (Phase 3)
+
 Enable the "Teleport" experience with session persistence.
+
 - [ ] Implement `gemini workspace connect`.
 - [ ] Setup `gcloud compute ssh --tunnel-through-iap` logic in the client.
 - [ ] Integrate `shpool` into the container entrypoint for session detachment.
 
 ### Milestone 4: Secure Sync & Identity (Phase 4)
+
 Make the remote workspace "feel like home" with secure credential forwarding.
+
 - [ ] Implement `~/.gemini/` configuration synchronization.
 - [ ] Implement SSH Agent Forwarding (`-A`) in the connectivity logic.
 - [ ] Implement secure GitHub PAT injection via `/dev/shm`.
 
 ### Milestone 5: UI & Advanced Hub Features (Phase 5)
+
 Polish the developer experience and add enterprise-grade Hub capabilities.
+
 - [ ] Implement the "Workspaces Ability" in the CLI (interactive React UI).
 - [ ] Implement multi-tenancy models (User, Team, Repo) in the Hub.
 - [ ] Add auto-cleanup (TTL) and resource monitoring to the Hub.
 
 ## 3. Implementation Strategy
-- **Surgical Changes:** Each phase will be implemented as a series of small, verified PRs.
+
-- **Verification:** Every phase must include integration tests (using mocks for GCP if necessary).
+- **Surgical Changes:** Each phase will be implemented as a series of small,
-- **Documentation:** Architecture docs will be updated as implementation details evolve.
+  verified PRs.
+- **Verification:** Every phase must include integration tests (using mocks for
+  GCP if necessary).
+- **Documentation:** Architecture docs will be updated as implementation details
+  evolve.
 
 ## 4. Next Steps
-1.  **Phase 1 Sub-plan:** Define the exact Dockerfile and initial Hub API schema.
+
+1.  **Phase 1 Sub-plan:** Define the exact Dockerfile and initial Hub API
+    schema.
 2.  **Phase 1.1:** Build and push the initial `gemini-workspace:latest` image.

scripts/deploy-hub.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# Copyright 2026 Google LLC
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+# Configuration
+PROJECT_ID=$(gcloud config get-value project)
+REGION="us-west1"
+IMAGE_NAME="workspace-hub"
+SERVICE_NAME="workspace-hub"
+
+echo "Using Project: $PROJECT_ID"
+
+# 1. Build and Push the Hub Image
+# (Assuming the Dockerfile is in the current package for the hub)
+echo "Building and pushing $IMAGE_NAME..."
+gcloud builds submit --tag "gcr.io/$PROJECT_ID/$IMAGE_NAME" packages/workspace-manager/
+
+# 2. Deploy to Cloud Run
+echo "Deploying $SERVICE_NAME to Cloud Run..."
+gcloud run deploy "$SERVICE_NAME" \
+  --image "gcr.io/$PROJECT_ID/$IMAGE_NAME" \
+  --platform managed \
+  --region "$REGION" \
+  --allow-unauthenticated \
+  --set-env-vars "GOOGLE_CLOUD_PROJECT=$PROJECT_ID"
+
+echo "Deployment complete!"
+gcloud run services describe "$SERVICE_NAME" --region "$REGION" --format 'value(status.url)'