feat: 支持自托管的 remote-control-server (#214)

* feat: 支持自托管的 remote-control-server (#214)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

packages/remote-control-server/src/routes/web/control.ts

@@ -0,0 +1,64 @@
+import { Hono } from "hono";
+import { uuidAuth } from "../../auth/middleware";
+import { getSession, updateSessionStatus } from "../../services/session";
+import { publishSessionEvent } from "../../services/transport";
+import { getEventBus } from "../../transport/event-bus";
+import { storeIsSessionOwner } from "../../store";
+
+const app = new Hono();
+
+function checkOwnership(c: { get: (key: string) => string | undefined }, sessionId: string) {
+  const uuid = c.get("uuid");
+  if (!storeIsSessionOwner(sessionId, uuid)) {
+    return { error: true, session: null };
+  }
+  const session = getSession(sessionId);
+  if (!session) {
+    return { error: true, session: null };
+  }
+  return { error: false, session };
+}
+
+/** POST /web/sessions/:id/events — Send user message to session */
+app.post("/sessions/:id/events", uuidAuth, async (c) => {
+  const sessionId = c.req.param("id")!;
+  const { error } = checkOwnership(c, sessionId);
+  if (error) {
+    return c.json({ error: { type: "forbidden", message: "Not your session" } }, 403);
+  }
+
+  const body = await c.req.json();
+  const eventType = body.type || "user";
+  console.log(`[RC-DEBUG] web -> server: POST /web/sessions/${sessionId}/events type=${eventType} content=${JSON.stringify(body).slice(0, 200)}`);
+  const event = publishSessionEvent(sessionId, eventType, body, "outbound");
+  console.log(`[RC-DEBUG] web -> server: published outbound event id=${event.id} type=${event.type} direction=${event.direction} subscribers=${getEventBus(sessionId).subscriberCount()}`);
+  return c.json({ status: "ok", event }, 200);
+});
+
+/** POST /web/sessions/:id/control — Send control request (permission approval etc) */
+app.post("/sessions/:id/control", uuidAuth, async (c) => {
+  const sessionId = c.req.param("id")!;
+  const { error } = checkOwnership(c, sessionId);
+  if (error) {
+    return c.json({ error: { type: "forbidden", message: "Not your session" } }, 403);
+  }
+
+  const body = await c.req.json();
+  const event = publishSessionEvent(sessionId, body.type || "control_request", body, "outbound");
+  return c.json({ status: "ok", event }, 200);
+});
+
+/** POST /web/sessions/:id/interrupt — Interrupt session */
+app.post("/sessions/:id/interrupt", uuidAuth, async (c) => {
+  const sessionId = c.req.param("id")!;
+  const { error } = checkOwnership(c, sessionId);
+  if (error) {
+    return c.json({ error: { type: "forbidden", message: "Not your session" } }, 403);
+  }
+
+  publishSessionEvent(sessionId, "interrupt", { action: "interrupt" }, "outbound");
+  updateSessionStatus(sessionId, "idle");
+  return c.json({ status: "ok" }, 200);
+});
+
+export default app;