Implement remote execution in scout (e.g. for firmware upgrades)

Author: rahmonov

Cargo.lock

@@ -6403,6 +6403,7 @@ message ScoutStreamApiBoundMessage {
     mlx_device.MlxDeviceConfigSyncResponse mlx_device_config_sync_response = 12;
     mlx_device.MlxDeviceConfigCompareResponse mlx_device_config_compare_response = 13;
     ScoutStreamAgentPingResponse scout_stream_agent_ping_response = 14;
+    ScoutRemoteExecResponse scout_remote_exec_response = 15;
   }
 }
 
@@ -6432,6 +6433,7 @@ message ScoutStreamScoutBoundMessage {
     mlx_device.MlxDeviceConfigSyncRequest mlx_device_config_sync_request = 13;
     mlx_device.MlxDeviceConfigCompareRequest mlx_device_config_compare_request = 14;
     ScoutStreamAgentPingRequest scout_stream_agent_ping_request = 15;
+    ScoutRemoteExecRequest scout_remote_exec_request = 16;
   }
 }
 
@@ -6493,6 +6495,30 @@ message ScoutStreamAgentPingResponse {
   }
 }
 
+// ScoutRemoteExecRequest is sent from carbide-api to the scout agent
+// to download files and execute a script on the host.
+message ScoutRemoteExecRequest {
+  string component_type = 1;
+  string target_version = 2;
+  string script_url = 3;
+  uint32 timeout_seconds = 4;
+  // Files to download before running the script.
+  // Keys are download URLs, values are expected SHA-256 hex checksums.
+  // Scout will verify each file after download and reject execution
+  // if any checksum does not match.
+  map<string, string> download_files = 5;
+}
+
+// ScoutRemoteExecResponse is the result of a scout remote execution,
+// sent from scout back to carbide-api.
+message ScoutRemoteExecResponse {
+  bool success = 1;
+  int32 exit_code = 2;
+  string stdout = 3;
+  string stderr = 4;
+  string error = 5;
+}
+
 // ScoutStreamConnectionInfo contains information about an
 // active scout agent connection.
 message ScoutStreamConnectionInfo {
@@ -6696,4 +6722,4 @@ message DPFStateResponse {
 
 message GetDPFStateRequest {
   repeated common.MachineId machine_ids = 1;
-}
+}

crates/rpc/proto/forge.proto

@@ -66,10 +66,15 @@ reqwest = { default-features = false, features = [
   "rustls-tls",
   "stream",
 ], workspace = true }
+sha2 = { workspace = true }
+tempfile = { workspace = true }
 futures-util = { workspace = true }
 prost-types = { workspace = true }
 x509-parser = { workspace = true }
 
+[dev-dependencies]
+axum = { workspace = true }
+
 [build-dependencies]
 carbide-version = { path = "../version" }
 

crates/scout/Cargo.toml

@@ -38,3 +38,22 @@ pub(crate) async fn create_forge_client(
         .map_err(|err| CarbideClientError::TransportError(err.to_string()))?;
     Ok(client)
 }
+
+// create_http_client builds a reqwest HTTP client configured with the same
+// mTLS certificates used for gRPC communication with carbide-api.
+pub(crate) fn create_http_client(config: &Options) -> CarbideClientResult<reqwest::Client> {
+    let root_ca = std::fs::read(&config.root_ca)?;
+    let root_cert = reqwest::Certificate::from_pem(&root_ca)
+        .map_err(|e| CarbideClientError::TransportError(e.to_string()))?;
+
+    let client_cert = std::fs::read(&config.client_cert)?;
+    let client_key = std::fs::read(&config.client_key)?;
+    let identity = reqwest::Identity::from_pem(&[client_cert, client_key].concat())
+        .map_err(|e| CarbideClientError::TransportError(e.to_string()))?;
+
+    reqwest::Client::builder()
+        .add_root_certificate(root_cert)
+        .identity(identity)
+        .build()
+        .map_err(|e| CarbideClientError::TransportError(e.to_string()))
+}

crates/scout/src/client.rs

@@ -53,6 +53,7 @@ mod discovery;
 mod machine_validation;
 mod mlx_device;
 mod register;
+mod remote_exec;
 mod stream;
 
 struct DevEnv {