feat: add service workload contracts

[intel352]

Summary

• add compute-core WorkloadSpec plus service and node-service workload payload contracts
• add file/env/status/health/ingress/peer validation needed by the service runtime adapter plugin
• tighten service ingress CIDR, peer port, component digest, and image ref validation

Adversarial review

• Scope-vs-dispatch: delivers the RTE-3a prerequisite discovered while building workflow-plugin-compute-service; no host runtime behavior is moved in this PR.
• Missing edge cases: added negative coverage for headless service shape, invalid ingress CIDR, missing node-service health, unsafe peer endpoints, and non-numeric peer ports.
• Boundary wiring: this PR only publishes protocol contracts; the service plugin/host consumption remains in the RTE-3 follow-up PRs and is intentionally not hidden here.
• Security scan: component workloads require provider component refs with sha256 component digests; image refs reject whitespace/NUL; peer endpoints reject schemes, wildcards, paths, userinfo, non-numeric ports, and out-of-range ports.
• Simpler alternative considered: keeping these structs private in workflow-compute blocks workflow-plugin-compute-service from compiling without importing the app repo, which violates the extraction boundary.

Verdict: SHIP-IT for the prerequisite contract PR; RTE-3 implementation still needs the service plugin and host alias/consumption PRs.

Verification

• GOWORK=off go test ./protocol -run 'TestWorkloadSpecValidatesServiceWorkload|TestServiceWorkloadRejectsUnsafeShape|TestWorkloadSpecValidatesNodeServiceWorkload|TestNodeServiceWorkloadRejectsMissingHealthAndUnsafePeers' -count=1
• GOWORK=off go test ./... -count=1
• GOWORK=off go vet ./...
• GOWORK=off go build ./cmd/workflow-plugin-compute-core
• git diff --check

[Copilot]

Pull request overview

This PR introduces new protocol-level workload contracts for service and node-service runtimes in compute-core, along with validation logic and accompanying negative/positive test coverage to support downstream runtime adapter/plugins.

Changes:

• Added WorkloadSpec plus ServiceWorkload / NodeServiceWorkload contract types and validation.
• Added validation helpers for workload file refs, ingress CIDRs, health/status probes, and peer endpoint safety.
• Added unit tests covering valid service/node-service specs and multiple invalid/unsafe shapes.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
protocol/types.go	Adds new workload contract structs and validation logic (service, node-service, ingress, peers, files).
protocol/types_test.go	Adds tests validating the new workload specs and rejecting unsafe/invalid inputs.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.