feat(agent): add Agent Tunnel configuration dialog (#1789)

## Summary

Adds an optional **Agent Tunnel** wizard step to the Devolutions Agent
MSI installer so admins can enrol the agent in a Gateway QUIC tunnel
during install — UI or unattended.

Three text fields in the dialog: enrolment string, advertise subnets,
advertise domains. The feature is opt-in (`isEnabled: false,
allowChange: true`); the dialog is skipped when the feature isn't
selected, and an empty enrolment string skips tunnel setup even if the
feature is on, so the installer remains usable for non-tunnel
deployments.

Smoke-tested end-to-end against a local DVLS + Gateway + Agent stack:
MSI built clean, agent enrolled successfully, RDP TCP traffic routed
through the agent tunnel to `IT-HELP-DC:3389`.

## MSI public properties (unattended install)

```
msiexec /i DevolutionsAgent.msi /qn ADDLOCAL="...,AgentTunnel" \
  AGENT_TUNNEL_ENROLLMENT_STRING="dgw-enroll:v1:<base64>" \
  AGENT_TUNNEL_ADVERTISE_SUBNETS="10.10.0.0/24" \
  AGENT_TUNNEL_ADVERTISE_DOMAINS="corp.example.com"
```

## Custom action

`EnrollAgentTunnel` is deferred + elevated + `Impersonate=false`, runs
`Before StartServices`, gated by
`Features.AGENT_TUNNEL_FEATURE.BeingInstall()`. It:

1. Validates the `dgw-enroll:v1:` prefix, strips whitespace, pads
base64url, decodes JSON payload (`api_base_url`, `enrollment_token`,
optional `name`).
2. Shells out to `devolutions-agent.exe enroll <url> <token> <name>
[subnets]` with a 60s timeout; on timeout the child is killed.
3. Token is redacted (`***`) symmetrically across the command-line log
and child stdout/stderr.
4. After enrolment, advertise domains are patched into
`Tunnel.AdvertiseDomains` of
`%ProgramData%\Devolutions\Agent\agent.json`. This matches the design
that advertise domains live in config, not on the CLI (replaces the
closed #1774).

## Depends on

- #1773 — DVLS-signed JWT enrolment flow (`/jet/tunnel/enroll`)
- #1775 — agent cert renewal (referenced by the bundled agent binary)

Both merged to master 2026-05-20.

## Test plan

- [x] Cold MSI build clean, no errors (8 preexisting
`CNDL1138`/`CNDL1006` warnings from existing code, not introduced here)
- [x] Wizard order: Welcome → Features → AgentTunnel → InstallDir →
VerifyReady
- [x] AgentTunnel dialog skipped when feature not selected
- [x] Empty enrolment string skips enrolment (no failure)
- [x] Invalid `dgw-enroll:v1:` prefix → validation error in dialog
- [x] Invalid base64 → validation error in dialog (caught client-side,
not at CA time)
- [x] Smoke test against local DVLS-signed enrolment JWT — agent
registered, cert issued
- [x] Smoke test routing: RDP TCP through agent tunnel to
`IT-HELP-DC:3389` succeeds

## Review history

Pre-review and codex-review passes folded into the single commit.
Notable points addressed:

- Robust JSON payload parsing (`JObject`, `Value<string>()`,
`IsNullOrWhiteSpace` validation)
- Symmetric token redaction (cmdline + stdout + stderr)
- `WaitForExit(60_000)` return-value check with child kill on timeout
- Whitespace-stripped + padded base64url decoding on both dialog
validation and CA
- ADDLOCAL CSV value trimming for admin-supplied lists with whitespace
- Dropped 2 stray `InstallDirDlg*` strings leaked into en-us
- Added 5 missing fr-fr translations

Author: irvingoujAtDevolution

package/AgentWindowsManaged/Actions/AgentActions.cs

@@ -279,6 +279,28 @@ internal static class AgentActions
         UsesProperties = UseProperties(new[] { AgentProperties.featuresToConfigure })
     };
 
+    private static readonly ElevatedManagedAction enrollAgentTunnel = new(
+        new Id($"CA.{nameof(enrollAgentTunnel)}"),
+        CustomActions.EnrollAgentTunnel,
+        Return.check,
+        When.Before, Step.StartServices,
+        Features.AGENT_TUNNEL_FEATURE.BeingInstall(),
+        Sequence.InstallExecuteSequence)
+    {
+        Execute = Execute.deferred,
+        Impersonate = false,
+        // Deferred CAs only see properties bubbled through CustomActionData. The Set_<CA>_Props
+        // immediate action expands [PROP] for each entry below before the deferred CA runs.
+        UsesProperties = string.Join(";", new[]
+        {
+            AgentProperties.AgentTunnelEnrollmentString,
+            AgentProperties.AgentTunnelAgentName,
+            AgentProperties.AgentTunnelAdvertiseSubnets,
+            AgentProperties.AgentTunnelAdvertiseDomains,
+            AgentProperties.InstallDir,
+        }.Select(p => $"{p}=[{p}]")),
+    };
+
     private static readonly ElevatedManagedAction registerExplorerCommand = new(
         CustomActions.RegisterExplorerCommand
     )
@@ -352,6 +374,7 @@ private static string UseProperties(IEnumerable<IWixProperty> properties)
         setArpInstallLocation,
         setFeaturesToConfigure,
         configureFeatures,
+        enrollAgentTunnel,
         createProgramDataDirectory,
         setProgramDataDirectoryPermissions,
         createProgramDataPedmDirectories,

package/AgentWindowsManaged/Actions/CustomActions.cs

@@ -3,6 +3,7 @@
 using Microsoft.Deployment.WindowsInstaller;
 using Microsoft.Win32;
 using Newtonsoft.Json;
+using Newtonsoft.Json.Linq;
 using System;
 using System.Collections.Generic;
 using System.ComponentModel;
@@ -12,6 +13,7 @@
 using System.Linq;
 using System.Runtime.InteropServices;
 using System.Security.Claims;
+using System.Text;
 using System.Threading;
 using WixSharp;
 using File = System.IO.File;
@@ -318,6 +320,196 @@ public static ActionResult SetFeaturesToConfigure(Session session)
             return ActionResult.Success;
         }
 
+        [CustomAction]
+        public static ActionResult EnrollAgentTunnel(Session session)
+        {
+            string enrollmentString = session.Property(AgentProperties.AgentTunnelEnrollmentString)?.Trim() ?? string.Empty;
+            string subnetsArg = session.Property(AgentProperties.AgentTunnelAdvertiseSubnets)?.Trim() ?? string.Empty;
+            string domainsArg = session.Property(AgentProperties.AgentTunnelAdvertiseDomains)?.Trim() ?? string.Empty;
+            string agentNameArg = session.Property(AgentProperties.AgentTunnelAgentName)?.Trim() ?? string.Empty;
+
+            ActionResult Fail(string msg)
+            {
+                session.Log(msg);
+                using Record record = new(0) { FormatString = msg };
+                session.Message(InstallMessage.Error, record);
+                return ActionResult.Failure;
+            }
+
+            if (enrollmentString.Length == 0)
+            {
+                return Fail("An enrollment string is required. Paste the enrollment string provided by your gateway operator, or deselect the Agent Tunnel feature.");
+            }
+
+            try
+            {
+                // Hand the enrollment string through verbatim. The agent's
+                // `up --enrollment-string` parses the gateway URL and agent name out of it.
+                // Advertise domains aren't a CLI flag — agent.json carries them — so we patch
+                // that after enrollment succeeds.
+                string installDir = session.Property(AgentProperties.InstallDir);
+                string exePath = Path.Combine(installDir, Includes.EXECUTABLE_NAME);
+
+                // agent.exe `up` requires an agent name. Resolution: dialog value > JWT's
+                // jet_agent_name (left to the agent CLI by omitting --name) > local computer name.
+                string resolvedName = agentNameArg;
+                if (resolvedName.Length == 0 && !JwtHasAgentName(enrollmentString))
+                {
+                    resolvedName = Environment.MachineName;
+                    session.Log($"JWT carried no jet_agent_name and no name was provided in the wizard; falling back to computer name '{resolvedName}'");
+                }
+
+                // Only `--enrollment-string` is mandatory at enroll time — the gateway needs the
+                // JWT to authenticate. `--name` is conditionally passed because the gateway
+                // embeds it in the issued client cert and registers the agent under it; agent.json
+                // can't carry it before `up` runs because the file doesn't exist yet. Everything
+                // else (advertise subnets, advertise domains) is patched into agent.json *after*
+                // enrollment, so we don't accumulate parallel CLI surfaces for what is ultimately
+                // configuration data.
+                string arguments = $"up --enrollment-string \"{enrollmentString}\"";
+                if (resolvedName.Length != 0)
+                {
+                    arguments += $" --name \"{resolvedName}\"";
+                }
+
+                string Redact(string s) => s.Replace(enrollmentString, "***");
+                session.Log($"Running enrollment: {exePath} {Redact(arguments)}");
+
+                ProcessStartInfo startInfo = new(exePath, arguments)
+                {
+                    UseShellExecute = false,
+                    RedirectStandardOutput = true,
+                    RedirectStandardError = true,
+                    CreateNoWindow = true,
+                    WorkingDirectory = ProgramDataDirectory,
+                };
+
+                using Process process = Process.Start(startInfo);
+                if (!process.WaitForExit(60_000))
+                {
+                    try
+                    {
+                        process.Kill();
+                    }
+                    catch
+                    {
+                        // Already exited between WaitForExit timing out and Kill firing.
+                    }
+                    return Fail("Agent tunnel enrollment timed out. Verify your Devolutions Gateway is reachable from this machine.");
+                }
+                string stdout = process.StandardOutput.ReadToEnd();
+                string stderr = process.StandardError.ReadToEnd();
+
+                if (!string.IsNullOrEmpty(stdout))
+                {
+                    session.Log($"enrollment stdout: {Redact(stdout)}");
+                }
+                if (!string.IsNullOrEmpty(stderr))
+                {
+                    session.Log($"enrollment stderr: {Redact(stderr)}");
+                }
+
+                if (process.ExitCode != 0)
+                {
+                    string detail = !string.IsNullOrWhiteSpace(stderr) ? Redact(stderr).Trim() : $"exit code {process.ExitCode}";
+                    return Fail($"Agent tunnel enrollment failed: {detail}");
+                }
+
+                if (subnetsArg.Length != 0 || domainsArg.Length != 0)
+                {
+                    WriteTunnelAdvertisementsToConfig(session, subnetsArg, domainsArg);
+                }
+
+                session.Log("Agent tunnel enrollment completed successfully");
+                return ActionResult.Success;
+            }
+            catch (Exception e)
+            {
+                return Fail($"Agent tunnel enrollment failed: {e.Message}");
+            }
+        }
+
+        private static bool JwtHasAgentName(string jwt)
+        {
+            try
+            {
+                string[] parts = jwt.Split('.');
+                if (parts.Length != 3) return false;
+                string payload = parts[1].Replace('-', '+').Replace('_', '/');
+                payload = payload.PadRight((payload.Length + 3) & ~3, '=');
+                string json = Encoding.UTF8.GetString(Convert.FromBase64String(payload));
+                string name = JObject.Parse(json)["jet_agent_name"]?.ToString();
+                return !string.IsNullOrWhiteSpace(name);
+            }
+            catch
+            {
+                return false;
+            }
+        }
+
+        /// <summary>
+        /// Patch the freshly-written agent.json's <c>Tunnel</c> section with the operator's
+        /// advertised subnets and DNS suffixes from the wizard. Keeping this out of the
+        /// <c>agent.exe up</c> command line means we only carry mandatory enroll inputs on the
+        /// CLI; everything else flows through the same configuration file the agent reads at
+        /// runtime.
+        /// </summary>
+        private static void WriteTunnelAdvertisementsToConfig(Session session, string subnetsCsv, string domainsCsv)
+        {
+            string configPath = Path.Combine(ProgramDataDirectory, "agent.json");
+            if (!File.Exists(configPath))
+            {
+                session.Log($"agent.json not found at {configPath}; cannot persist tunnel advertisements");
+                return;
+            }
+
+            try
+            {
+                string[] subnets = SplitCsv(subnetsCsv);
+                string[] domains = SplitCsv(domainsCsv);
+
+                if (subnets.Length == 0 && domains.Length == 0)
+                {
+                    return;
+                }
+
+                JObject root = JObject.Parse(File.ReadAllText(configPath));
+
+                // ConfFile uses serde rename_all = "PascalCase", so the tunnel section is keyed
+                // "Tunnel" and the fields are "AdvertiseSubnets" / "AdvertiseDomains".
+                if (root["Tunnel"] is not JObject tunnel)
+                {
+                    session.Log("agent.json has no Tunnel section after enrollment; skipping tunnel advertisements write");
+                    return;
+                }
+
+                if (subnets.Length != 0)
+                {
+                    tunnel["AdvertiseSubnets"] = new JArray(subnets);
+                }
+                if (domains.Length != 0)
+                {
+                    tunnel["AdvertiseDomains"] = new JArray(domains);
+                }
+
+                File.WriteAllText(configPath, root.ToString(Formatting.Indented));
+                session.Log($"Wrote {subnets.Length} advertise_subnets and {domains.Length} advertise_domains entries to agent.json");
+            }
+            catch (Exception e)
+            {
+                // Don't fail the install over this — the tunnel works fine without these
+                // advertisements; the agent simply won't route additional traffic for them.
+                session.Log($"Failed to write tunnel advertisements to agent.json: {e}");
+            }
+        }
+
+        private static string[] SplitCsv(string csv) =>
+            (csv ?? string.Empty)
+                .Split(',')
+                .Select(s => s.Trim())
+                .Where(s => !string.IsNullOrEmpty(s))
+                .ToArray();
+
         [CustomAction]
         public static ActionResult ConfigureFeatures(Session session)
         {