Implement remote execution

docs/CONFIGURATION.md

@@ -303,6 +303,47 @@ keys and what each one does.
 
 ---
 
+## Remote PowerShell exec (per-peer, strategy-gated)
+
+Admins can dispatch a PowerShell script to a managed device from the
+dashboard's **Run command…** action (Devices page row menu, or directly
+via `/admin/pages/devices/:peer_id/exec`). The agent runs the script as
+its service account — typically LocalSystem on Windows — and the
+output streams back into the dashboard within ~1 s.
+
+This feature is **disabled by default**. To enable it for a peer (or
+fleet):
+
+1. Edit (or create) a strategy on the **Strategies** page with the JSON:
+   ```json
+   { "enable-remote-exec": "Y" }
+   ```
+   (mix with whatever other strategy options you already push)
+2. Assign that strategy to the peer, its device group, or its owner.
+3. The peer's `Auth` column must show **Signed** — exec is refused on
+   `peer.managed=0` peers. See [AGENT-API-AUTH.md](AGENT-API-AUTH.md).
+
+All three gates (admin role, managed=1, strategy opt-in) are enforced
+server-side at dispatch time. The strategy key is never pushed to the
+client — it's checked on the server only and serves purely as the
+authorization toggle.
+
+Caps (defaults; live in `src/api/heartbeat.rs` and
+`src/api/admin/pages/exec.rs`):
+
+- Script size: **32 KiB** per dispatch.
+- Wall clock: **5 minutes** per command; the agent kills the process
+  on timeout and marks the row `timed_out`.
+- Output capture: **1 MiB** combined stdout+stderr; further bytes are
+  drained and discarded, the row gets `truncated=true`.
+- One in-flight exec per peer at a time.
+
+See [AGENT-API-AUTH.md](AGENT-API-AUTH.md) for the wire format,
+authentication, and threat model. Result POSTs are mandatory-signed —
+there's no legacy/unsigned path for the exec result endpoint.
+
+---
+
 ## Agent API signing (per-peer)
 
 `POST /api/heartbeat`, `POST /api/sysinfo`, and