feat: runner-workspace executor on the live dispatch contract + CLI mount flip (Closes #1602)

[chubes4]

Gives the WP Codebox runner a codebox-owned git + GitHub + file agent-tool surface and wires it onto the now-live Agents API tool-executor dispatch contract, so the runner no longer depends on an external coding-agent plugin (Data Machine Code) for its agent-facing tools.

Closes #1602

Phase 1 — Runner-native tool engine + executor (foundation)

• WP_Codebox_Runner_Workspace_Tools: WordPress-independent engine for the agent-facing file tools (read/ls/grep/write/edit/apply-patch), git tools (status/diff/add/commit, push construction) and GitHub request construction (create PR/issue, comment PR) with env-token auth, bound to one workspace root with path-escape confinement.
• WP_Codebox_Runner_Workspace_Executor (target wp-codebox/runner-workspace): implements the Agents API WP_Agent_Tool_Executor contract, mapping tool names to the engine and resolving the workspace root from call input / client context / a runner constant / a filter.
• Deterministic engine smoke on a real temp git repo (no DMC, no network).

Phase 2 — Wire onto the live contract + flip the CLI mount (the dependency shed)

Mirrors the merged git-less sandbox executor (#1605):

• WP_Codebox_Runner_Workspace_Executor::register() registers onto the canonical Agents API filters:
  • agents_api_tool_sources declares the 14 file/git/GitHub tools under the wp-codebox-runner source, each carrying runtime.executor_target = wp-codebox/runner-workspace (host executor kind) + per-tool capability/side-effect metadata.
  • agents_api_executor_targets / agents_api_execution_targets register the target descriptor.
  • agents_api_tool_executors registers the executor instance under the target id, so WP_Agent_Tool_Execution_Core's registry-based dispatch (executePreparedTool → resolveExecutorForTool) routes matching calls here.
  • register() gates on substrate_exists() (both the WP_Agent_Tool_Executor interface and WP_Agent_Tool_Source_Registry must be loaded — the gotcha the merged sandbox harness surfaced) and is invoked next to the sandbox executor in WP_Codebox_Abilities.
• The runner agent already runs through the Agents API conversation loop, which instantiates WP_Agent_Tool_Execution_Core and calls executePreparedTool. That path builds the executor registry from agents_api_tool_executors, so registering the executor is sufficient — no conversation-loop change is needed.

CLI mount flip

defaultRuntimeComponentSources() in both packages/cli/src/agent-sandbox.ts and packages/runtime-core/src/agent-task-recipe.ts stops mounting the external coding-agent plugin (and the data-machine plugin it sat beside) for the runner. Only the Agents API runtime is mounted by default, alongside the bundled wp-codebox plugin (wordpress-plugin) that registers the runner executor. A host/deploy that still needs extra substrate opts back in through CONTAINED_RUNTIME_COMPONENT_PATHS / WP_CODEBOX_AGENT_RUNTIME_COMPONENT_PATHS. clone / worktree-add stay on the host-side runner-workspace backend filter (orchestration, not an in-runner agent tool), so the flip strips no agent-called surface.

Decoupling from data-machine names

wp-codebox no longer names the data-machine plugins on the runner path. Agents API resolves from explicit WP_CODEBOX_AGENTS_API_PATH, then a generic vendoring root via WP_CODEBOX_AGENTS_API_VENDOR_ROOT (<root>/vendor/wordpress/agents-api), then a sibling agents-api checkout.

Verification

• Real-dispatch proof — scripts/php-runner-workspace-executor-dispatch-smoke.php drives the real Agents API WP_Agent_Tool_Execution_Core + WP_Agent_Tool_Executor_Registry (no shims for the registry/core) against a real temp git repo: a tool with runtime.executor_target = wp-codebox/runner-workspace routes to the runner executor (NOT the default), returns real workspace content/git state, and an untargeted control tool falls back to the default executor (backward compat). 64 assertions pass against the merged agents-api contract. Wired into npm + the policy smoke group; skips cleanly (no fake pass) when no real agents-api checkout is resolvable.
• No-DMC-needed — the runner agent-facing surface is exactly the 14 file/git/GitHub tools the executor covers (the scoping doc's mirrored subset). The host-side WP_Codebox_Runner_Workspace_Adapter handles clone / worktree-add / prepare / publish through the wp_codebox_runner_workspace_backend filter — host orchestration, not an in-runner agent tool — so dropping the default mount strips no agent-called surface.
• Mount-flip test — tests/agent-runtime-components.test.ts updated to encode the flipped contract: default runtime mounts only agents-api (+ bundled wp-codebox), no data-machine plugins; opt-in components still mount; agents-api resolves via the vendoring root with no product-specific name.
• npm ci + npm run build clean. Smoke groups policy (incl. the dispatch proof + runner-workspace tools) and agent (incl. the agents-api adapter contract, sandbox executor, execution targets) pass. production-boundary-enforcement passes.
• Pre-existing failures on clean origin/main (not introduced here): command-registry-smoke fails on wordpress.editor-validate-blocks outputShape (feat: add wordpress.editor-validate-blocks command (real wp.blocks.validateBlock on imported content) #1597), and docs-boundary-language fails on a README agents-api/ reference. Both reproduce with this PR's changes stashed.

Follow-ups (deferred)

1. Network-level GitHub verification (cassette/live-token gated) for create-PR / issue / comment + git push against a throwaway remote.
2. Legacy removal (held): prune any remaining data-machine-code-specific wiring once the runner has run end-to-end on the codebox-native surface in the Playground. This PR stops mounting it by default; the held step is pruning dead references, not behavior.

AI assistance

• AI assistance: Yes
• Tool(s): Claude Opus 4.8 via Claude Code
• Used for: Wiring the runner executor onto the Agents API dispatch contract, the CLI mount flip, the real-dispatch integration test, and the data-machine name decoupling. Every line reviewed by the submitter.