refactor(token): collapse two enrollment scopes into agent.enroll

Two scopes had grown for the same concept now that DVLS mints the
enrollment JWT itself: `gateway.tunnel.enroll` was the scope on the
JWT presented by the agent at `/jet/tunnel/enroll`, and
`gateway.agent.enroll` was the scope DVLS used when calling the
removed `/jet/tunnel/enrollment-string` endpoint. With that endpoint
gone, the second meaning is dead and the first is the only one that
actually authorizes anything on the wire.

Drop `AccessScope::TunnelEnroll` and have the gateway-side validator
accept `AgentEnroll | Wildcard`. DVLS signs with `agent.enroll`. The
.NET side gets a new `EnrollmentClaims` class that mirrors the Rust
`EnrollmentTokenClaims` shape (scope + jet_gw_url + optional
jet_agent_name + optional jet_quic_endpoint) so `TokenUtils.Sign` can
emit the JWT directly.

NuGet bumped to 2025.10.3.

Author: irvingoujAtDevolution

devolutions-agent/src/cli_tests.rs

@@ -88,7 +88,7 @@ fn make_jwt(payload: serde_json::Value) -> String {
 #[test]
 fn parse_up_command_args_accepts_enrollment_string() {
     let jwt = make_jwt(serde_json::json!({
-        "scope": "gateway.tunnel.enroll",
+        "scope": "gateway.agent.enroll",
         "exp": 1_999_999_999i64,
         "jti": "00000000-0000-0000-0000-000000000000",
         "jet_gw_url": "https://gateway.example.com:7171",
@@ -110,7 +110,7 @@ fn parse_up_command_args_accepts_enrollment_string() {
 fn parse_up_command_args_rejects_enrollment_string_missing_quic_endpoint() {
     // JWT lacks `jet_quic_endpoint` AND no CLI `--quic-endpoint` → must fail.
     let jwt = make_jwt(serde_json::json!({
-        "scope": "gateway.tunnel.enroll",
+        "scope": "gateway.agent.enroll",
         "exp": 1_999_999_999i64,
         "jti": "00000000-0000-0000-0000-000000000000",
         "jet_gw_url": "https://gateway.example.com:7171",
@@ -128,7 +128,7 @@ fn parse_up_command_args_rejects_enrollment_string_missing_quic_endpoint() {
 #[test]
 fn parse_up_command_args_cli_quic_endpoint_wins_over_jwt() {
     let jwt = make_jwt(serde_json::json!({
-        "scope": "gateway.tunnel.enroll",
+        "scope": "gateway.agent.enroll",
         "exp": 1_999_999_999i64,
         "jti": "00000000-0000-0000-0000-000000000000",
         "jet_gw_url": "https://gateway.example.com:7171",

devolutions-agent/src/enrollment.rs

@@ -374,7 +374,7 @@ mod tests {
     #[test]
     fn parse_enrollment_jwt_requires_gw_url() {
         let jwt = make_jwt(serde_json::json!({
-            "scope": "gateway.tunnel.enroll",
+            "scope": "gateway.agent.enroll",
             "jet_agent_name": "agent-a",
         }));
         assert!(parse_enrollment_jwt(&jwt).is_err());

devolutions-gateway/src/api/tunnel.rs

@@ -12,7 +12,7 @@ use crate::http::HttpError;
 ///
 /// Returns `true` if the token is a well-formed JWT whose signature verifies
 /// against `provisioner_key`, whose `exp` has not passed, and whose `scope`
-/// is `TunnelEnroll` (or `Wildcard`). Returns `false` for any failure.
+/// is `AgentEnroll` (or `Wildcard`). Returns `false` for any failure.
 ///
 /// The enrollment JWT carries extra claims (`jet_gw_url`, `jet_agent_name`)
 /// that the *agent* reads locally from its own copy of the token — the Gateway
@@ -40,7 +40,7 @@ fn validate_enrollment_jwt(token: &str, provisioner_key: &picky::key::PublicKey)
 
     matches!(
         validated.state.claims.scope,
-        AccessScope::TunnelEnroll | AccessScope::Wildcard
+        AccessScope::AgentEnroll | AccessScope::Wildcard
     )
 }
 
@@ -96,7 +96,7 @@ pub fn make_router<S>(state: DgwState) -> Router<S> {
 /// Enroll a new agent.
 ///
 /// Requires a Bearer token that is either:
-/// - a JWT signed by the configured provisioner key with `TunnelEnroll` /
+/// - a JWT signed by the configured provisioner key with `AgentEnroll` /
 ///   `Wildcard` scope (issued by DVLS — the only authority for agent
 ///   enrollment tokens), or
 /// - the static `enrollment_secret` from the gateway configuration (admin
@@ -138,7 +138,7 @@ async fn enroll_agent(
         .ok_or_else(|| HttpError::not_found().msg("agent enrollment is not configured"))?;
 
     // Token validation order:
-    // 1. JWT signed by the configured provisioner key (scope == TunnelEnroll)
+    // 1. JWT signed by the configured provisioner key (scope == AgentEnroll)
     // 2. Static enrollment secret from configuration (constant-time comparison)
     let jwt_valid = validate_enrollment_jwt(provided_token, &conf.provisioner_public_key);
 
@@ -282,7 +282,7 @@ mod tests {
         let (priv_key, pub_key) = keypair();
         let token = sign(
             json!({
-                "scope": "gateway.tunnel.enroll",
+                "scope": "gateway.agent.enroll",
                 "nbf": now_ts() - 60,
                 "exp": now_ts() + 3600,
                 "jti": Uuid::new_v4(),
@@ -334,7 +334,7 @@ mod tests {
         let (priv_key, pub_key) = keypair();
         let token = sign(
             json!({
-                "scope": "gateway.tunnel.enroll",
+                "scope": "gateway.agent.enroll",
                 "nbf": now_ts() - 7200,
                 "exp": now_ts() - 3600,
                 "jti": Uuid::new_v4(),
@@ -352,7 +352,7 @@ mod tests {
         let (_, gateway_pub) = keypair();
         let token = sign(
             json!({
-                "scope": "gateway.tunnel.enroll",
+                "scope": "gateway.agent.enroll",
                 "nbf": now_ts() - 60,
                 "exp": now_ts() + 3600,
                 "jti": Uuid::new_v4(),
@@ -369,7 +369,7 @@ mod tests {
         let (priv_key, pub_key) = keypair();
         let token = sign(
             json!({
-                "scope": "gateway.tunnel.enroll",
+                "scope": "gateway.agent.enroll",
                 "nbf": now_ts() - 60,
                 "exp": now_ts() + 3600,
                 "jti": Uuid::new_v4(),

devolutions-gateway/src/token.rs

@@ -472,8 +472,6 @@ pub enum AccessScope {
     NetMonitorConfig,
     #[serde(rename = "gateway.net.monitor.drain")]
     NetMonitorDrain,
-    #[serde(rename = "gateway.tunnel.enroll")]
-    TunnelEnroll,
     #[serde(rename = "gateway.agent.enroll")]
     AgentEnroll,
     #[serde(rename = "gateway.agent.read")]
@@ -503,7 +501,7 @@ pub struct ScopeTokenClaims {
 /// and expiry against the configured provisioner key.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct EnrollmentTokenClaims {
-    /// Must be `AccessScope::TunnelEnroll` (or `Wildcard`).
+    /// Must be `AccessScope::AgentEnroll` (or `Wildcard`).
     pub scope: AccessScope,
 
     /// JWT expiration time claim.

utils/dotnet/Devolutions.Gateway.Utils/Devolutions.Gateway.Utils.csproj

@@ -11,7 +11,7 @@
     <Description>Useful classes to use Devolutions Gateway</Description>
     <Copyright>© Devolutions Inc. All rights reserved.</Copyright>
     <RootNamespace>Devolutions.Gateway.Utils</RootNamespace>
-    <Version>2025.10.2</Version>
+    <Version>2025.10.3</Version>
     <PackageLicenseExpression>MIT OR Apache-2.0</PackageLicenseExpression>
     <RepositoryUrl>https://github.com/Devolutions/devolutions-gateway.git</RepositoryUrl>
     <RepositoryType>git</RepositoryType>

utils/dotnet/Devolutions.Gateway.Utils/src/EnrollmentClaims.cs

@@ -0,0 +1,54 @@
+using System.Text.Json.Serialization;
+
+namespace Devolutions.Gateway.Utils;
+
+/// <summary>
+/// Claims carried by an agent-tunnel enrollment JWT.
+///
+/// DVLS signs this with the gateway's provisioner private key and hands the
+/// resulting JWT to the operator. The operator pastes the JWT into
+/// <c>devolutions-agent up --enrollment-string &lt;jwt&gt;</c>; the agent uses
+/// it as the Bearer token on <c>POST /jet/tunnel/enroll</c>, where the
+/// gateway verifies the signature and the <c>scope</c> claim.
+///
+/// Use <see cref="AccessScope.GatewayAgentEnroll"/> for <see cref="Scope"/>.
+/// The agent reads <see cref="JetGwUrl"/>, <see cref="JetAgentName"/>, and
+/// <see cref="JetQuicEndpoint"/> locally without verifying the signature
+/// (it is the intended recipient).
+/// </summary>
+public class EnrollmentClaims : IGatewayClaims
+{
+    [JsonPropertyName("scope")]
+    public AccessScope Scope { get; set; }
+
+    /// <summary>Gateway HTTP base URL the agent calls for enrollment.</summary>
+    [JsonPropertyName("jet_gw_url")]
+    public string JetGwUrl { get; set; }
+
+    /// <summary>Optional agent display-name hint.</summary>
+    [JsonPropertyName("jet_agent_name")]
+    [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
+    public string? JetAgentName { get; set; }
+
+    /// <summary>
+    /// Optional QUIC endpoint (<c>host:port</c>) the agent dials after enrollment.
+    /// The gateway never reports this itself; the operator (DVLS) supplies it
+    /// because only they know the agent-reachable address.
+    /// </summary>
+    [JsonPropertyName("jet_quic_endpoint")]
+    [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
+    public string? JetQuicEndpoint { get; set; }
+
+    public EnrollmentClaims(string jetGwUrl, string? jetAgentName = null, string? jetQuicEndpoint = null)
+    {
+        this.Scope = AccessScope.GatewayAgentEnroll;
+        this.JetGwUrl = jetGwUrl;
+        this.JetAgentName = jetAgentName;
+        this.JetQuicEndpoint = jetQuicEndpoint;
+    }
+
+    public string GetContentType()
+    {
+        return "ENROLLMENT";
+    }
+}