build: exclude standalone root crates from the workspace

[chaodu-agent]

Summary

Fixes the long-standing CI openab-agent failure (present since at least v0.9.0-beta.2). On the release-tag checkout, the job's first step cargo fmt --check (run from openab-agent/) dies in ~18s with:

`cargo metadata` exited with an error: error: current package believes it's in a workspace when it's not:
current:   .../openab-agent/Cargo.toml
workspace: .../Cargo.toml

The repo root has four standalone crates — openab-agent, agy-acp, openab-auth-proxy, operator — that are neither workspace members nor excluded. cargo therefore refuses to operate inside them. (Regular PRs happened to pass, but the release-tag checkout reliably hits it.)

Fix

Add the standalone root crates to [workspace].exclude. Each has its own Cargo.lock and dedicated CI, so they are intentionally not part of the root workspace. This is the cargo-recommended resolution and prevents the same latent failure for the sibling crates too.

Verification

Reproduced before/after locally (replicating the CI step):

# BEFORE (no exclude): cd openab-agent && cargo fmt --check
`cargo metadata` exited with an error: current package believes it's in a workspace when it's not  → exit 1
# AFTER (with exclude):
cargo fmt --check  → exit 0

Root workspace still resolves: cargo metadata --no-deps OK. The crate itself is healthy (clippy/test pass on normal PRs).

[chaodu-agent]

LGTM ✅ — Minimal, correct fix for cargo workspace resolution error affecting standalone crates.

What This PR Does

Fixes CI failures (specifically cargo fmt --check in openab-agent/) caused by cargo interpreting standalone root crates as workspace members. The error occurs because cargo walks up to the root Cargo.toml and expects crates to be listed as either members or exclude.

How It Works

Adds exclude = ["agy-acp", "openab-agent", "openab-auth-proxy", "operator"] to [workspace] in the root Cargo.toml. This is the cargo-recommended mechanism for declaring that a crate is intentionally not part of the workspace.

Findings

#	Severity	Finding	Location
1	🟢	Correct use of exclude — matches cargo docs recommendation	Cargo.toml:3-6
2	🟢	All four standalone crates covered, not just the failing one	Cargo.toml:6
3	🟢	Clear inline comment explaining rationale	Cargo.toml:3-5

Finding Details

🟢 F1: Correct cargo mechanism

The [workspace].exclude field is exactly what cargo expects when standalone crates coexist with a workspace in the same repository tree. This prevents the "current package believes it's in a workspace when it's not" error.

🟢 F2: Comprehensive coverage

Rather than fixing only openab-agent (the currently failing crate), the PR proactively excludes all four standalone crates. This prevents the same latent failure from surfacing in the other three.

🟢 F3: Good documentation

The inline comment explains why the exclusion exists, which helps future contributors understand the workspace topology.

Baseline Check

• PR opened: 2026-06-26
• Main already has: [workspace] with members only — no exclude field
• Net-new value: Adds the missing exclude list to resolve cargo metadata resolution failures in standalone crates

What's Good (🟢)

• Single-line fix with maximum signal — zero noise
• Verified locally with before/after reproduction
• All CI checks passing (33/33 green)
• PR description is thorough with clear root cause analysis