Warp Control CLI v2: contract and spec sync

[zachlloyd]

Description

Root branch of the Warp Control CLI v2 review stack.

This PR establishes the contract, security model, and first working slice for controlling a running Warp instance through the standalone warpctrl CLI. Major components include:

• A shared typed local-control protocol and exact-action allowlist used by both the app and CLI.
• The initial warpctrl command surface for instance discovery, app metadata, tab creation, structured output, and shell completions.
• An app-side control bridge with deterministic targeting, typed handlers, and exact-action authorization.
• Per-instance filesystem discovery, an owner-authenticated Unix credential broker, and an authenticated loopback HTTP request path.
• A protected Settings > Scripting enablement model, including isolated owner-only Linux fallback storage for the local-control setting.
• Product, technical, and security specs describing the current foundation, trust boundaries, and requirements for future catalog expansion.

The latest update simplifies credentials to authorize one exact action, clarifies the relationship between discovery records, broker sockets, and HTTP endpoints, and keeps the stronger Linux fallback behavior isolated from existing secure-storage consumers.

Demo: https://www.loom.com/share/03740b8c7c40400f9c36eec41d8befca
PR walkthrough: https://www.loom.com/share/b97c3204dcf04dac850aade7d596cc21
Walkthrough URL: https://e94574b9.warp-pr-walkthroughs.pages.dev/

Linked Issue

• The linked issue is labeled ready-to-spec or ready-to-implement.
• Where appropriate, screenshots or a short video of the implementation are included above.

Testing

• ./script/format
• cargo check -p warpui_extras -p settings -p warp --features warp_control_cli
• cargo clippy --workspace --exclude warp_completer --exclude command-signatures-v2 --all-targets --tests -- -D warnings
• cargo clippy -p warp_completer --all-targets --tests -- -D warnings
• cargo clippy -p warpui_extras -p settings -p warp --features warp_control_cli --all-targets -- -D warnings
• cargo nextest run --no-fail-fast --workspace --exclude command-signatures-v2 local_control — 45 passed
• git diff --check and git diff --cached --check
• Exact primary presubmit workspace Clippy command is blocked before linting because command-signatures-v2 requires Yarn 4.0.1 via Corepack while this environment resolves Yarn 1.22.22; the workspace run excluding only that unrelated crate passes.
• Linux-only secure-storage tests are not runnable on this macOS checkout because no Linux Rust target is installed.
• I have manually tested my changes locally with ./script/run

Screenshots / Videos

Demo and walkthrough links are included above.

Agent Mode

• Warp Agent Mode - This PR was created and updated via Warp's AI Agent Mode

Warp Agent artifacts

Conversation: https://staging.warp.dev/conversation/8a7dca3a-a416-4378-bd49-f19fb78d6e2e

Co-Authored-By: Oz oz-agent@warp.dev

[oz-for-oss]

@zachlloyd

I'm starting a first review of this pull request.

You can view the conversation on Warp.

I completed the review and no human review was requested for this pull request.

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

[oz-for-oss]

Overview

This PR adds the Warp local-control protocol crate, app-side local-control server/bridge, warpctrl CLI skeleton, Settings > Scripting mode, packaging hooks, and synced Warp Control CLI specs.

Concerns

• The wire request shape implemented by the shared protocol does not match the TECH contract example, so external clients built from the synced spec would send requests the app cannot deserialize.
• The tab.create resolver falls back to the sole window when no active window exists, contradicting the stated mutating-targeting rule to fail instead of silently retargeting.
• No additional security findings beyond the inline contract/targeting issues.

Verdict

Found: 0 critical, 2 important, 0 suggestions

Request changes

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

[oz-for-oss]

⚠️ [IMPORTANT] The wire shape here nests kind/params under action, but TECH.md documents action and params as top-level fields; clients built from the synced contract will fail to deserialize. Align the serde shape or update the contract before marking this synced.

[zachlloyd]

Addressed in ed284890 and propagated through the zach/warp-cli-v2/* stack. TECH.md now documents the implemented RequestEnvelope / Action serde shape, with action.kind and action.params nested under action, and also updates the response examples to match the tagged ResponseEnvelope / ControlResponse implementation.

[oz-for-oss]

⚠️ [IMPORTANT] This fallback silently targets the only window when no active window exists; the tech spec says mutating defaults must return missing_target instead of falling back. Otherwise tab.create can mutate a window the caller did not explicitly select.

[zachlloyd]

Addressed in 88b0bd79 and propagated through the zach/warp-cli-v2/* stack. We kept the implemented resolver behavior and updated PRODUCT.md, SECURITY.md, and TECH.md to document it: an omitted or active window selector first uses the active Warp window, may fall back to the sole existing window when that is the only deterministic target, returns missing_target when no window exists, and returns ambiguous_target when multiple windows exist with no active window.

[Legoben]

only looked thru README.md and SECURITY.md - seems overall good to me but with many footguns if something is off in implementation

[alokedesai]

Biggest feedback from reading the product / tech spec is that I think creating a separate binary for warpctrl is probably not right.

1. It's going to cause distribution headaches . Users will either have to download a separate binary or we'll have to bundle the binary as an additional resource in our existing app bundle and then put it on the right path
2. We have to make the protocol version and channel agnostic, which makes the protocol more complicated than it needs to be.

Can we just bundle this into the existing Warp CLI binary? Similar to how we set up oz as a wrapper script that just calls out to the actual warp binary, we can expose a warpctrl script that does the same thing but with a special --warpctrl flag to differentiate between the two

@bnavetta for this thoughts

[zachlloyd]

i didn't realize that's how oz worked.

my only concern with that approach is around potential latency of spawning a full warp process on every invocation. if that's not an issue in practice, i def agree with doing this the same way as oz (and that was in fact my intention, it's a pretty big miss that it wasn't done that way)

[bnavetta]

Yeah, I think bundling into the existing binary makes sense.

Latency shouldn't be an issue - the CLI is set up so it doesn't have to fully bootstrap the app for commands that don't need it. For example, oz dump-debug-info is more-or-less instantaneous, while oz whoami is slower because it bootstraps the app and checks auth state on the server.

[zachlloyd]

perfect. super helpful!

[zachlloyd]

[Warp Agent] Re: #11772 (review) — agreed. The implementation has a lot of security-sensitive footguns if it drifts from the specs, so we are validating that the implementation matches the spec, including using the validate-implementation-matches-spec skill from common-skills.