feat: OnlyAgent Hands — WebHID remote keystroke execution

apps/gateway/Cargo.toml

@@ -61,6 +61,12 @@ futures-util = "0.3"
 # Error handling
 anyhow = "1"
 
+# Date/time (for Hands DB rows)
+chrono = { version = "0.4", features = ["serde"] }
+
+# ULID generation (for Hands session tokens)
+ulid = "1"
+
 # Time (for certificate validity)
 time = "0.3"
 

apps/gateway/src/gateway.rs

@@ -31,6 +31,7 @@ use tracing::{info, warn};
 use crate::auth::AuthUser;
 use crate::ca::CertificateAuthority;
 use crate::connect::{self, CachedConnect, ConnectCacheKey, ConnectError, PolicyEngine};
+use crate::hands;
 use crate::inject::{self, ConnectRule};
 
 // ── GatewayState ───────────────────────────────────────────────────────
@@ -42,6 +43,7 @@ pub(crate) struct GatewayState {
     pub http_client: reqwest::Client,
     pub policy_engine: Arc<PolicyEngine>,
     pub connect_cache: Arc<DashMap<ConnectCacheKey, CachedConnect>>,
+    pub hands_state: Arc<hands::api::HandsState>,
 }
 
 // ── GatewayServer ───────────────────────────────────────────────────────
@@ -52,7 +54,12 @@ pub struct GatewayServer {
 }
 
 impl GatewayServer {
-    pub fn new(ca: CertificateAuthority, port: u16, policy_engine: Arc<PolicyEngine>) -> Self {
+    pub fn new(
+        ca: CertificateAuthority,
+        port: u16,
+        policy_engine: Arc<PolicyEngine>,
+        hands_state: Arc<hands::api::HandsState>,
+    ) -> Self {
         let state = GatewayState {
             ca: Arc::new(ca),
             http_client: reqwest::Client::builder()
@@ -63,6 +70,7 @@ impl GatewayServer {
                 .expect("build HTTP client"),
             policy_engine,
             connect_cache: Arc::new(DashMap::new()),
+            hands_state,
         };
 
         Self { state, port }
@@ -95,11 +103,31 @@ impl GatewayServer {
             ])
             .allow_credentials(true);
 
+        // Build Hands sub-router with its own state.
+        let hands_router: Router = Router::new()
+            .route("/jobs", axum::routing::post(hands::api::create_job))
+            .route("/jobs", axum::routing::get(hands::api::list_jobs))
+            .route("/jobs/{id}", axum::routing::get(hands::api::get_job))
+            .route("/jobs/{id}/start", axum::routing::post(hands::api::start_job))
+            .route("/jobs/{id}/cancel", axum::routing::post(hands::api::cancel_job))
+            .route("/sessions", axum::routing::post(hands::api::create_session))
+            .route("/sessions/{id}", axum::routing::get(hands::api::get_session))
+            .route("/sessions/{id}", axum::routing::delete(hands::api::close_session))
+            .route("/sessions/{id}/activated", axum::routing::post(hands::api::activate_session))
+            .route("/sessions/{id}/emergency-stop", axum::routing::post(hands::api::emergency_stop))
+            .route("/sessions/{id}/next-packet", axum::routing::get(hands::api::next_packet))
+            .route("/sessions/{id}/packet-acked", axum::routing::post(hands::api::packet_acked))
+            .route("/sessions/{id}/step-status", axum::routing::post(hands::api::step_status))
+            .route("/screenshots", axum::routing::post(hands::api::upload_screenshot))
+            .route("/screenshots/{id}", axum::routing::get(hands::api::get_screenshot))
+            .with_state(Arc::clone(&self.state.hands_state));
+
         // Build the Axum router for non-CONNECT routes.
         // The fallback returns 400 Bad Request for anything other than defined routes.
         let axum_router = Router::new()
             .route("/healthz", axum::routing::get(healthz))
             .route("/me", axum::routing::get(me))
+            .nest("/v1/hands", hands_router)
             .layer(cors_layer)
             .fallback(fallback)
             .with_state(self.state.clone());