feat(agent-installer): require enrollment string, surface CA errors, add Agent name field

- Propagate AGENT_TUNNEL_* properties to deferred CA via Secure MSI Property
  declarations + explicit UsesProperties string. The deferred CA was
  previously seeing empty values because the wizard-set properties never
  crossed the UAC boundary.
- Treat empty enrollment string as install failure (was silent skip).
  EnrollAgentTunnel CA now returns ActionResult.Failure and surfaces
  session.Message(InstallMessage.Error, ...) on the empty case and on
  enrollment timeout, non-zero exit, and exception paths.
- Add optional Agent name field to AgentTunnelDialog. Resolution order at
  install time: dialog value > JWT jet_agent_name claim > computer name.
  Avoids "missing required --name" failures when the JWT lacks the claim.
- Update Wizard.ShouldSkip-gated dialog so blank enrollment is blocked at
  UI validation (previously the dialog let users click Next on empty).

Author: irvingoujAtDevolution

package/AgentWindowsManaged/Actions/AgentActions.cs

@@ -289,6 +289,17 @@ internal static class AgentActions
     {
         Execute = Execute.deferred,
         Impersonate = false,
+        // Deferred CAs only see properties bubbled through CustomActionData. The Set_<CA>_Props
+        // immediate action expands [PROP] for each entry below before the deferred CA runs.
+        UsesProperties = string.Join(";", new[]
+        {
+            AgentProperties.AgentTunnelEnrollmentString,
+            AgentProperties.AgentTunnelGatewayUrl,
+            AgentProperties.AgentTunnelAgentName,
+            AgentProperties.AgentTunnelAdvertiseSubnets,
+            AgentProperties.AgentTunnelAdvertiseDomains,
+            AgentProperties.InstallDir,
+        }.Select(p => $"{p}=[{p}]")),
     };
 
     private static readonly ElevatedManagedAction registerExplorerCommand = new(

package/AgentWindowsManaged/Actions/CustomActions.cs

@@ -326,11 +326,20 @@ public static ActionResult EnrollAgentTunnel(Session session)
             string subnetsArg = session.Property(AgentProperties.AgentTunnelAdvertiseSubnets)?.Trim() ?? string.Empty;
             string domainsArg = session.Property(AgentProperties.AgentTunnelAdvertiseDomains)?.Trim() ?? string.Empty;
             string gatewayUrlArg = session.Property(AgentProperties.AgentTunnelGatewayUrl)?.Trim() ?? string.Empty;
+            string agentNameArg = session.Property(AgentProperties.AgentTunnelAgentName)?.Trim() ?? string.Empty;
+
+            ActionResult Fail(string msg)
+            {
+                session.Log(msg);
+                using Record record = new(0) { FormatString = msg };
+                session.Message(InstallMessage.Error, record);
+                return ActionResult.Failure;
+            }
 
             if (enrollmentString.Length == 0)
             {
-                session.Log("Agent tunnel enrollment string not provided, skipping tunnel setup");
-                return ActionResult.Success;
+                return Fail("Agent tunnel feature was selected but no enrollment string was provided. " +
+                    "Paste a JWT from Devolutions Server, Hub, or Gateway, or deselect the Agent Tunnel feature.");
             }
 
             try
@@ -342,8 +351,18 @@ public static ActionResult EnrollAgentTunnel(Session session)
                 string installDir = session.Property(AgentProperties.InstallDir);
                 string exePath = Path.Combine(installDir, Includes.EXECUTABLE_NAME);
 
+                // agent.exe `up` requires an agent name. Resolution: dialog value > JWT's
+                // jet_agent_name (left to the agent CLI by omitting --name) > local computer name.
+                string resolvedName = agentNameArg;
+                if (resolvedName.Length == 0 && !JwtHasAgentName(enrollmentString))
+                {
+                    resolvedName = Environment.MachineName;
+                    session.Log($"JWT carried no jet_agent_name and no name was provided in the wizard; falling back to computer name '{resolvedName}'");
+                }
+
                 string arguments = $"up --enrollment-string \"{enrollmentString}\"";
                 if (gatewayUrlArg.Length != 0) arguments += $" --gateway \"{gatewayUrlArg}\"";
+                if (resolvedName.Length != 0) arguments += $" --name \"{resolvedName}\"";
                 if (subnetsArg.Length != 0) arguments += $" --advertise-subnets \"{subnetsArg}\"";
 
                 string Redact(string s) => s.Replace(enrollmentString, "***");
@@ -362,8 +381,7 @@ public static ActionResult EnrollAgentTunnel(Session session)
                 if (!process.WaitForExit(60_000))
                 {
                     try { process.Kill(); } catch { /* already gone */ }
-                    session.Log("Enrollment process timed out after 60 seconds");
-                    return ActionResult.Failure;
+                    return Fail("Agent tunnel enrollment timed out after 60 seconds.");
                 }
                 string stdout = process.StandardOutput.ReadToEnd();
                 string stderr = process.StandardError.ReadToEnd();
@@ -373,8 +391,8 @@ public static ActionResult EnrollAgentTunnel(Session session)
 
                 if (process.ExitCode != 0)
                 {
-                    session.Log($"Enrollment failed with exit code {process.ExitCode}");
-                    return ActionResult.Failure;
+                    string detail = !string.IsNullOrWhiteSpace(stderr) ? Redact(stderr).Trim() : $"exit code {process.ExitCode}";
+                    return Fail($"Agent tunnel enrollment failed: {detail}");
                 }
 
                 if (domainsArg.Length != 0)
@@ -387,8 +405,25 @@ public static ActionResult EnrollAgentTunnel(Session session)
             }
             catch (Exception e)
             {
-                session.Log($"Agent tunnel enrollment failed: {e}");
-                return ActionResult.Failure;
+                return Fail($"Agent tunnel enrollment failed: {e.Message}");
+            }
+        }
+
+        private static bool JwtHasAgentName(string jwt)
+        {
+            try
+            {
+                string[] parts = jwt.Split('.');
+                if (parts.Length != 3) return false;
+                string payload = parts[1].Replace('-', '+').Replace('_', '/');
+                payload = payload.PadRight((payload.Length + 3) & ~3, '=');
+                string json = System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(payload));
+                string name = JObject.Parse(json)["jet_agent_name"]?.ToString();
+                return !string.IsNullOrWhiteSpace(name);
+            }
+            catch
+            {
+                return false;
             }
         }
 

package/AgentWindowsManaged/Dialogs/AgentTunnelDialog.Designer.cs

@@ -22,6 +22,7 @@ public AgentTunnelDialog()
     public override bool ToProperties()
     {
         Runtime.Session[AgentProperties.AgentTunnelEnrollmentString] = enrollmentString.Text.Trim();
+        Runtime.Session[AgentProperties.AgentTunnelAgentName] = agentName.Text.Trim();
         Runtime.Session[AgentProperties.AgentTunnelAdvertiseSubnets] = advertiseSubnets.Text.Trim();
         Runtime.Session[AgentProperties.AgentTunnelAdvertiseDomains] = advertiseDomains.Text.Trim();
         Runtime.Session[AgentProperties.AgentTunnelGatewayUrl] = gatewayUrl.Text.Trim();
@@ -34,6 +35,7 @@ public override void OnLoad(object sender, EventArgs e)
         banner.Image = Runtime.Session.GetResourceBitmap("WixUI_Bmp_Banner");
 
         enrollmentString.Text = Runtime.Session.Property(AgentProperties.AgentTunnelEnrollmentString);
+        agentName.Text = Runtime.Session.Property(AgentProperties.AgentTunnelAgentName);
         advertiseSubnets.Text = Runtime.Session.Property(AgentProperties.AgentTunnelAdvertiseSubnets);
         advertiseDomains.Text = Runtime.Session.Property(AgentProperties.AgentTunnelAdvertiseDomains);
         gatewayUrl.Text = Runtime.Session.Property(AgentProperties.AgentTunnelGatewayUrl);
@@ -43,10 +45,12 @@ public override void OnLoad(object sender, EventArgs e)
 
     public override bool DoValidate()
     {
-        // Tunnel is optional — if enrollment string is empty, skip tunnel setup entirely.
+        // The dialog is only reached when the Agent Tunnel feature is selected (see Wizard.ShouldSkip),
+        // so an enrollment string is required at this point.
         if (string.IsNullOrWhiteSpace(enrollmentString.Text))
         {
-            return true;
+            ShowValidationErrorString("Enrollment string is required. Paste a JWT from Devolutions Server, Hub, or Gateway, or go back and deselect the Agent Tunnel feature.");
+            return false;
         }
 
         // JWT shape: three base64url segments separated by dots. The agent's `up --enrollment-string`

package/AgentWindowsManaged/Dialogs/AgentTunnelDialog.cs

@@ -349,6 +349,14 @@ static void Main()
         // - Make DevolutionsDesktopAgent answer WM_CLOSE
         projectProperties.Add(new Property("MSIRESTARTMANAGERCONTROL", "Disable"));
 
+        // Agent tunnel properties: must be declared Secure so the values set in the wizard UI
+        // survive the UAC boundary and reach the deferred CA via CustomActionData.
+        projectProperties.Add(new Property(AgentProperties.AgentTunnelEnrollmentString, "") { Hidden = true, Secure = true });
+        projectProperties.Add(new Property(AgentProperties.AgentTunnelGatewayUrl, "") { Secure = true });
+        projectProperties.Add(new Property(AgentProperties.AgentTunnelAgentName, "") { Secure = true });
+        projectProperties.Add(new Property(AgentProperties.AgentTunnelAdvertiseSubnets, "") { Secure = true });
+        projectProperties.Add(new Property(AgentProperties.AgentTunnelAdvertiseDomains, "") { Secure = true });
+
         project.Properties = projectProperties.ToArray();
         project.ManagedUI = new ManagedUI();
         project.ManagedUI.InstallDialogs.AddRange(Wizard.Dialogs);

package/AgentWindowsManaged/Program.cs

@@ -38,6 +38,12 @@ internal partial class AgentProperties
         /// </summary>
         public static string AgentTunnelGatewayUrl = "AGENT_TUNNEL_GATEWAY_URL";
 
+        /// <summary>
+        /// Optional agent display name. Resolution order at install time:
+        /// dialog value (if non-empty) > JWT's jet_agent_name claim (if present) > local computer name.
+        /// </summary>
+        public static string AgentTunnelAgentName = "AGENT_TUNNEL_AGENT_NAME";
+
         public AgentProperties(ISession runtimeSession)
         {
             this.runtimeSession = runtimeSession;

package/AgentWindowsManaged/Properties/AgentProperties.cs

@@ -67,6 +67,8 @@ If it appears minimized then active it from the taskbar.</String>
                 <String Id="AgentTunnelDlgSubnetsHint">Comma-separated CIDR notation, e.g. 10.10.0.0/24, 192.168.1.0/24. Leave blank for auto-detection.</String>
                 <String Id="AgentTunnelDlgDomainsLabel">Advertise Domains:</String>
                 <String Id="AgentTunnelDlgDomainsHint">Comma-separated DNS suffixes the agent can resolve, e.g. corp.example.com, lab.example.com. Leave blank to skip.</String>
+                <String Id="AgentTunnelDlgAgentNameLabel">Agent name (optional):</String>
+                <String Id="AgentTunnelDlgAgentNameHint">Identifier for this agent. Leave blank to use the name in the JWT, or the local computer name as a final fallback.</String>
                 <String Id="AgentTunnelDlgGatewayUrlLabel">Gateway URL (advanced, optional):</String>
                 <String Id="AgentTunnelDlgGatewayUrlHint">Override the URL embedded in the enrollment JWT. Leave blank to use the JWT's value.</String>
                     </WixLocalization>

package/AgentWindowsManaged/Resources/DevolutionsAgent_en-us.wxl

@@ -12,6 +12,8 @@
                 <String Id="AgentTunnelDlgSubnetsHint">Notation CIDR séparée par des virgules, p. ex. 10.10.0.0/24, 192.168.1.0/24. Laissez vide pour la détection automatique.</String>
                 <String Id="AgentTunnelDlgDomainsLabel">Domaines annoncés :</String>
                 <String Id="AgentTunnelDlgDomainsHint">Suffixes DNS séparés par des virgules que l'agent peut résoudre, p. ex. corp.example.com, lab.example.com. Laissez vide pour ignorer.</String>
+                <String Id="AgentTunnelDlgAgentNameLabel">Nom de l'agent (facultatif) :</String>
+                <String Id="AgentTunnelDlgAgentNameHint">Identifiant de cet agent. Laissez vide pour utiliser le nom inscrit dans le JWT, ou le nom de l'ordinateur local comme dernier recours.</String>
                 <String Id="AgentTunnelDlgGatewayUrlLabel">URL de la passerelle (avancé, facultatif) :</String>
                 <String Id="AgentTunnelDlgGatewayUrlHint">Remplace l'URL incluse dans le JWT d'enrôlement. Laissez vide pour utiliser la valeur du JWT.</String>
                 <String Id="Language">1036</String>