feat: Lima Docker-in-VM backend, remote attach over tailnet, task reporting

Lima backend overhaul:
- Boot Docker-ready VM (template:docker), pull OCI image, run workspace container
- Stream output during VM creation instead of silent blocking
- Prompt to install Lima when limactl is missing (brew on macOS, GitHub release on Linux)
- Mount ~/.config/gh into VM for GHCR auth, docker login with gh token
- Fix exec to route through docker exec inside VM with binary existence guard
- Add -it flags for interactive TTY allocation (cw exec -it -- bash)

Remote attach over tailnet:
- Serve /ws (frame protocol) alongside /peer (RPC) on tailnet listener
- Runtime credential auth for /ws on tailnet connections
- cw attach node:session dials remote node over tailnet and attaches via /ws
- Extract AttachConn/ResolveSessionArgConn for transport-agnostic attach
- wrapLocalRuntimeRunCommand passes -it for PTY propagation through cw run

Task reporting, relay improvements, and MCP tool additions.

Author: noeljackson

README.md

@@ -371,6 +371,46 @@ Run a relay server. The relay provides SSH gateway access, node discovery, and s
 cw relay serve --base-url https://relay.example.com --data-dir /data/relay
 ```
 
+To enable durable task reporting and `cw tasks`, point the relay at NATS JetStream:
+
+```bash
+cw relay serve \
+  --base-url https://relay.example.com \
+  --data-dir /data/relay \
+  --auth-mode token \
+  --auth-token dev-secret \
+  --nats-url nats://127.0.0.1:4222
+```
+
+Relevant flags:
+
+- `--nats-url` enables JetStream-backed task events
+- `--nats-creds` uses a NATS user credentials file
+- `--nats-subject-root` defaults to `tasks`
+- `--task-events-stream` defaults to `TASK_EVENTS`
+- `--task-latest-bucket` defaults to `TASK_LATEST`
+
+Nodes still talk only to the relay. NATS credentials stay private to the relay tier.
+
+### `cw tasks`
+
+List or watch the latest task reports aggregated at the relay.
+
+```bash
+# Latest task per (node, session)
+cw tasks
+
+# Stream live task events
+cw tasks --watch
+
+# Speak new task events when a local TTS backend is available
+cw tasks --watch --speak
+
+# Filter by node / session / state
+cw tasks --node builder --state working
+cw tasks --session 7
+```
+
 ### `cw mcp-server`
 
 Start an MCP (Model Context Protocol) server for programmatic access.
@@ -856,7 +896,7 @@ claude mcp add --scope user codewire -- cw mcp-server
 claude mcp add codewire -- cw mcp-server
 ```
 
-This exposes 26 tools across sessions, environments, messaging, and shared state:
+This exposes tools across sessions, environments, messaging, network state, and task reporting:
 
 **Sessions**
 
@@ -871,6 +911,7 @@ This exposes 26 tools across sessions, environments, messaging, and shared state
 | `codewire_kill_session` | Terminate session (by ID or tags) |
 | `codewire_subscribe` | Subscribe to session events |
 | `codewire_wait_for` | Block until sessions complete |
+| `codewire_report_task` | Report current task status for a session |
 
 **Messaging**
 
@@ -908,6 +949,33 @@ This exposes 26 tools across sessions, environments, messaging, and shared state
 | `codewire_kv_list` | List keys by prefix |
 | `codewire_kv_delete` | Delete key |
 
+### Task Reporting Via MCP
+
+Agents can report what they are doing with:
+
+```json
+{
+  "session_id": 7,
+  "summary": "implement relay task SSE replay",
+  "state": "working"
+}
+```
+
+The MCP tool is `codewire_report_task`. It requires:
+
+- `session_id`: the local Codewire session ID
+- `summary`: a short, current description of the work
+- `state`: one of `working`, `complete`, `blocked`, or `failed`
+
+Recommended agent behavior:
+
+- emit `working` when starting a meaningful new chunk of work
+- emit a fresh `working` update when the focus changes materially
+- emit `blocked` when waiting on a missing dependency or decision
+- emit `complete` or `failed` when the task finishes
+
+These reports stay local in the session event log and, when the node is connected to a JetStream-enabled relay, are also visible through `cw tasks` and `cw tasks --watch`.
+
 ## Contributing
 
 ```bash

cmd/cw/exec_cmd.go

@@ -43,7 +43,8 @@ var execLocally = func(workDir string, command []string) error {
 	return nil
 }
 
-var execInLocalRuntimeTarget = func(instance *cwconfig.LocalInstance, workDir string, command []string) error {
+var execInLocalRuntimeTarget = func(instance *cwconfig.LocalInstance, workDir string, command []string, allocTTY ...bool) error {
+	wantTTY := len(allocTTY) > 0 && allocTTY[0]
 	if instance == nil {
 		return fmt.Errorf("local instance is required")
 	}
@@ -55,6 +56,9 @@ var execInLocalRuntimeTarget = func(instance *cwconfig.LocalInstance, workDir st
 	switch instance.Backend {
 	case "docker":
 		args := []string{"exec", "-i"}
+		if wantTTY {
+			args = append(args, "-t")
+		}
 		if strings.TrimSpace(workDir) != "" {
 			args = append(args, "-w", workDir)
 		}
@@ -70,16 +74,34 @@ var execInLocalRuntimeTarget = func(instance *cwconfig.LocalInstance, workDir st
 		args = append(args, command...)
 		cmd = osExec.Command("incus", args...)
 	case "lima":
-		args := []string{"shell"}
+		// Lima runs a Docker container inside the VM. Route exec through it.
+		name := limaInstanceName(instance)
+
+		// Verify the command exists inside the container, not the VM.
+		checkOut, checkErr := localRunCommand("limactl", "shell", "--workdir", "/", name,
+			"docker", "exec", limaContainerName, "which", command[0])
+		if checkErr != nil {
+			return fmt.Errorf("%q not found inside Lima instance %q\n%s", command[0], name, strings.TrimSpace(string(checkOut)))
+		}
+
 		wd := workDir
 		if wd == "" {
 			wd = instance.Workdir
 		}
+
+		// limactl shell <vm> docker exec -i [-t] -w <wd> cw-workspace <command...>
+		dockerArgs := []string{"docker", "exec", "-i"}
+		if wantTTY {
+			dockerArgs = append(dockerArgs, "-t")
+		}
 		if strings.TrimSpace(wd) != "" {
-			args = append(args, "--workdir", wd)
+			dockerArgs = append(dockerArgs, "-w", wd)
 		}
-		args = append(args, limaInstanceName(instance))
-		args = append(args, command...)
+		dockerArgs = append(dockerArgs, limaContainerName)
+		dockerArgs = append(dockerArgs, command...)
+
+		args := []string{"shell", "--workdir", "/", name}
+		args = append(args, dockerArgs...)
 		cmd = osExec.Command("limactl", args...)
 	case "firecracker":
 		vsockPath := instance.FirecrackerSocket + ".vsock"
@@ -116,9 +138,11 @@ var execInLocalRuntimeTarget = func(instance *cwconfig.LocalInstance, workDir st
 
 func execCmd() *cobra.Command {
 	var (
-		workDir string
-		timeout int
-		on      string
+		workDir     string
+		timeout     int
+		on          string
+		interactive bool
+		tty         bool
 	)
 
 	cmd := &cobra.Command{
@@ -150,7 +174,7 @@ func execCmd() *cobra.Command {
 					if workDir == "" {
 						workDir = localWorkspacePath
 					}
-					return execInLocalRuntimeTarget(instance, workDir, cmdArgs)
+					return execInLocalRuntimeTarget(instance, workDir, cmdArgs, interactive && tty)
 				}
 				if workDir == "" {
 					workDir, _ = os.Getwd()
@@ -183,5 +207,7 @@ func execCmd() *cobra.Command {
 	cmd.Flags().StringVar(&on, "on", "", "Override the current target for this command")
 	cmd.Flags().StringVarP(&workDir, "workdir", "w", "", "Working directory (default: cwd for local, /workspace for env)")
 	cmd.Flags().IntVar(&timeout, "timeout", 30, "Timeout in seconds for environment exec")
+	cmd.Flags().BoolVarP(&interactive, "interactive", "i", false, "Keep stdin open")
+	cmd.Flags().BoolVarP(&tty, "tty", "t", false, "Allocate a pseudo-TTY")
 	return cmd
 }

cmd/cw/exec_cmd_test.go

@@ -153,7 +153,7 @@ func TestExecCmdUsesCurrentLocalInstanceTarget(t *testing.T) {
 	var gotInstance *cwconfig.LocalInstance
 	var gotWorkDir string
 	var gotCommand []string
-	execInLocalRuntimeTarget = func(instance *cwconfig.LocalInstance, workDir string, command []string) error {
+	execInLocalRuntimeTarget = func(instance *cwconfig.LocalInstance, workDir string, command []string, allocTTY ...bool) error {
 		gotInstance = instance
 		gotWorkDir = workDir
 		gotCommand = append([]string(nil), command...)