feat(web): add webhook-managed machine access and multi-instance CLI support (#1989)

* feat: add webhook-managed access and multi-instance CLI support
* fix(foreign): verify credential of foreign credential peer

easytier-web/src/restful/network.rs

@@ -295,6 +295,87 @@ impl NetworkApi {
             .into())
     }
 
+    // --- Token-authenticated machine-scoped handlers (no AuthSession) ---
+
+    async fn handle_run_network_instance_internal(
+        State(client_mgr): AppState,
+        Path(machine_id): Path<uuid::Uuid>,
+        Json(payload): Json<RunNetworkJsonReq>,
+    ) -> Result<Json<Void>, HttpHandleError> {
+        let user_id = Self::get_user_id_from_machine(&client_mgr, &machine_id)?;
+        client_mgr
+            .handle_run_network_instance((user_id, machine_id), payload.config, payload.save)
+            .await
+            .map_err(convert_error)?;
+        Ok(Void::default().into())
+    }
+
+    async fn handle_remove_network_instance_internal(
+        State(client_mgr): AppState,
+        Path((machine_id, inst_id)): Path<(uuid::Uuid, uuid::Uuid)>,
+    ) -> Result<(), HttpHandleError> {
+        let user_id = Self::get_user_id_from_machine(&client_mgr, &machine_id)?;
+        client_mgr
+            .handle_remove_network_instances((user_id, machine_id), vec![inst_id])
+            .await
+            .map_err(convert_error)
+    }
+
+    async fn handle_list_network_instance_ids_internal(
+        State(client_mgr): AppState,
+        Path(machine_id): Path<uuid::Uuid>,
+    ) -> Result<Json<ListNetworkInstanceIdsJsonResp>, HttpHandleError> {
+        let user_id = Self::get_user_id_from_machine(&client_mgr, &machine_id)?;
+        Ok(client_mgr
+            .handle_list_network_instance_ids((user_id, machine_id))
+            .await
+            .map_err(convert_error)?
+            .into())
+    }
+
+    async fn handle_collect_network_info_internal(
+        State(client_mgr): AppState,
+        Path(machine_id): Path<uuid::Uuid>,
+        Json(payload): Json<CollectNetworkInfoJsonReq>,
+    ) -> Result<Json<CollectNetworkInfoResponse>, HttpHandleError> {
+        let user_id = Self::get_user_id_from_machine(&client_mgr, &machine_id)?;
+        Ok(client_mgr
+            .handle_collect_network_info((user_id, machine_id), payload.inst_ids)
+            .await
+            .map_err(convert_error)?
+            .into())
+    }
+
+    /// Look up user_id from a machine's active session token.
+    fn get_user_id_from_machine(
+        client_mgr: &AppStateInner,
+        machine_id: &uuid::Uuid,
+    ) -> Result<UserIdInDb, HttpHandleError> {
+        client_mgr
+            .get_user_id_by_machine_id_global(machine_id)
+            .ok_or((
+                StatusCode::NOT_FOUND,
+                other_error("Machine not found").into(),
+            ))
+    }
+
+    pub fn build_route_internal() -> Router<AppStateInner> {
+        Router::new()
+            .route(
+                "/api/internal/machines/:machine-id/networks",
+                post(Self::handle_run_network_instance_internal)
+                    .get(Self::handle_list_network_instance_ids_internal),
+            )
+            .route(
+                "/api/internal/machines/:machine-id/networks/:inst-id",
+                delete(Self::handle_remove_network_instance_internal),
+            )
+            .route(
+                "/api/internal/machines/:machine-id/networks/info",
+                get(Self::handle_collect_network_info_internal),
+            )
+    }
+
     pub fn build_route() -> Router<AppStateInner> {
         Router::new()
             .route("/api/v1/machines", get(Self::handle_list_machines))