
feat: add runtime workload contracts#31

Merged: intel352 merged 1 commit into main from feat/runtime-workload-contracts, May 31, 2026

@intel352
Contributor

Summary

  • add public EnvRef, ConfidentialPayloadRef, CommandWorkload, and ContainerBuildWorkload contracts to compute-core
  • document this as the RTE-1 prerequisite before workflow-compute can move command/container-build runtime adapters into workflow-plugin-compute-container
  • add protocol tests covering resolved env refs, scoped artifacts/confidential payloads, and registry target refs

Verification

  • GOWORK=off go test ./protocol -run 'Test(CommandWorkloadContractUsesResolvedRefs|ContainerBuildWorkloadContractUsesRegistryRefs)' -count=1
  • GOWORK=off go test ./... -count=1
  • GOWORK=off go build ./...
  • GOWORK=off go test ./... -v -race -count=1
  • GOWORK=off go vet ./...
  • wfctl plugin validate-contract --require-contract-kind message .
  • ./scripts/check-wfctl-action-pin.sh --workflow .github/workflows/ci.yml --workflow .github/workflows/release.yml --workflow .github/workflows/release-candidate.yml --wfctl-version v0.64.7
  • ./scripts/check-proto.sh

Revert/restore proof

With production types reverted and tests kept:

    $ GOWORK=off go test ./protocol -run 'Test(CommandWorkloadContractUsesResolvedRefs|ContainerBuildWorkloadContractUsesRegistryRefs)' -count=1
    FAIL — undefined: protocol.CommandWorkload / protocol.EnvRef / protocol.ConfidentialPayloadRef / protocol.ContainerBuildWorkload

With production types restored:

    $ GOWORK=off go test ./protocol -run 'Test(CommandWorkloadContractUsesResolvedRefs|ContainerBuildWorkloadContractUsesRegistryRefs)' -count=1
    ok github.com/GoCodeAlone/workflow-plugin-compute-core/protocol

@intel352
Contributor Author

Autodev adversarial review

Find at least three things wrong with this design/plan, even if minor. I found no blocking issue; scan below.

Scope-vs-dispatch: PASS. The PR does not attempt the full RTE-1 plugin move. It adds the missing public workload payload contracts needed before workflow-compute can consume a container runtime plugin without copying host-local structs.

Findings: none blocking.

| Class | Result | Note |
|---|---|---|
| User-intent drift | Clean | This is a prerequisite for slimming workflow-compute; it does not claim T520 completion. |
| Repo-precedent conflicts | Clean | Extends existing compute-core runtime request/result/adapter contracts in protocol/types.go. |
| YAGNI | Clean | Adds only command/container-build payloads needed by RTE-1, not service/WASM payloads. |
| Security/privacy | Clean | Secret resolution remains host-owned; EnvRef carries refs only. Registry allowlists and lease auth remain host-owned. |
| Missing failure modes | Clean | Tests cover env-ref exclusivity, scoped artifact/confidential payload refs, and container-build target refs. |
| Rollback | Clean | Additive public types only; rollback leaves existing workflow-compute-local contracts in place. |
| Release impact | Important, tracked | Requires a new compute-core tag after merge before workflow-compute can consume the contracts. |

Verdict: SHIP-IT after CI is green and review threads remain clear.

@intel352 intel352 merged commit d3102ea into main May 31, 2026
4 checks passed
@intel352 intel352 deleted the feat/runtime-workload-contracts branch May 31, 2026 22:24