refactor(agent-tunnel): JWT-only enrollment, drop server-side mint

DVLS holds the provisioner private key, the gateway holds the public key
and verifies statelessly. The gateway-side enrollment-string mint
endpoint was the wrong shape: it required the gateway to hold issuance
state (the in-memory `EnrollmentTokenStore`), which broke HA (a token
could only be redeemed against the specific gateway node that minted it,
and a restart silently invalidated unredeemed tokens).

This PR removes that path entirely. DVLS signs an enrollment JWT with
its `gateway.agent.enroll` scope; the agent presents the JWT as the
Bearer token on `POST /jet/tunnel/enroll`; the gateway verifies the
signature against the configured provisioner public key. No state on
the gateway, no per-node affinity, no restart hazards.

Companion changes:

- Token: rename `gateway.tunnel.enroll` to `gateway.agent.enroll` (the
  scope governs agent management, not the tunnel transport). Add the
  matching `gateway.agent.read` scope. Both extractors
  (`AgentManagementReadAccess` / `WriteAccess`) accept the new scopes
  alongside the existing `Wildcard` / `ConfigWrite` / `DiagnosticsRead`
  for back-compat with callers that predate the rename.

- Agent CLI (`up`): the JWT itself becomes the enrollment artifact, so
  `up --enrollment-string <jwt>` is the one-step bootstrap path.
  `--enrollment-string` is decoded locally to populate `--gateway`,
  `--name`, and the new `--quic-endpoint` / `--advertise-domains` flags.
  CLI flags still take precedence over claim values.

- `EnrollResponse` no longer returns `quic_endpoint`. A running gateway
  cannot know the address its agents can actually reach (Docker bridge
  NAT, K8s service FQDN, split-horizon DNS, LB VIP) — that is operator
  knowledge, supplied via the `jet_quic_endpoint` JWT claim or the
  `--quic-endpoint` agent flag. The doc on `EnrollmentJwtClaims` spells
  out the rationale.

- .NET utils: new `EnrollmentClaims` mirroring the Rust shape so DVLS
  can sign the JWT directly via `TokenUtils.Sign`. Two new
  `AccessScope` constants. Round-trip JSON tests for both. NuGet bumped
  to 2026.4.27.

- `--advertise-domains` agent CLI flag (parallels `--advertise-routes`,
  for hostname-based routing once the gateway side accepts domain
  advertisements).

Author: irvingoujAtDevolution

crates/agent-tunnel/src/enrollment_store.rs

@@ -7,12 +7,10 @@
 extern crate tracing;
 
 pub mod cert;
-pub mod enrollment_store;
 pub mod listener;
 pub mod registry;
 pub mod stream;
 
-pub use enrollment_store::EnrollmentTokenStore;
 pub use listener::{AgentTunnelHandle, AgentTunnelListener};
 pub use registry::AgentRegistry;
 pub use stream::TunnelStream;

crates/agent-tunnel/src/lib.rs

@@ -16,7 +16,6 @@ use tokio::sync::RwLock;
 use uuid::Uuid;
 
 use super::cert::CaManager;
-use super::enrollment_store::EnrollmentTokenStore;
 use super::registry::{AgentPeer, AgentRegistry};
 use super::stream::TunnelStream;
 
@@ -33,7 +32,6 @@ pub struct AgentTunnelHandle {
     /// Map of agent_id → live Quinn connection, used for opening new streams.
     agent_connections: Arc<RwLock<HashMap<Uuid, quinn::Connection>>>,
     ca_manager: Arc<CaManager>,
-    enrollment_token_store: Arc<EnrollmentTokenStore>,
 }
 
 impl AgentTunnelHandle {
@@ -45,10 +43,6 @@ impl AgentTunnelHandle {
         &self.ca_manager
     }
 
-    pub fn enrollment_token_store(&self) -> &EnrollmentTokenStore {
-        &self.enrollment_token_store
-    }
-
     /// Open a proxy stream through a connected agent.
     // TODO: Emit TrafficEvent for connections routed through the agent tunnel.
     pub async fn connect_via_agent(
@@ -148,13 +142,11 @@ impl AgentTunnelListener {
 
         let registry = Arc::new(AgentRegistry::new());
         let agent_connections: Arc<RwLock<HashMap<Uuid, quinn::Connection>>> = Arc::new(RwLock::new(HashMap::new()));
-        let enrollment_token_store = Arc::new(EnrollmentTokenStore::new());
 
         let handle = AgentTunnelHandle {
             registry: Arc::clone(&registry),
             agent_connections: Arc::clone(&agent_connections),
             ca_manager,
-            enrollment_token_store,
         };
 
         let listener = Self {

crates/agent-tunnel/src/listener.rs

@@ -0,0 +1,148 @@
+use base64::Engine as _;
+
+use super::*;
+
+#[test]
+fn parse_up_command_args_happy_path() {
+    let args = vec![
+        "--gateway".to_owned(),
+        "https://gateway.example.com:7171".to_owned(),
+        "--token".to_owned(),
+        "bootstrap-token".to_owned(),
+        "--name".to_owned(),
+        "site-a-agent".to_owned(),
+        "--quic-endpoint".to_owned(),
+        "gateway.example.com:7172".to_owned(),
+        "--advertise-routes".to_owned(),
+        "10.0.0.0/8,192.168.1.0/24".to_owned(),
+    ];
+
+    let parsed = parse_up_command_args(&args).expect("parse up args");
+
+    assert_eq!(
+        parsed,
+        UpCommand {
+            gateway_url: "https://gateway.example.com:7171".to_owned(),
+            enrollment_token: "bootstrap-token".to_owned(),
+            agent_name: "site-a-agent".to_owned(),
+            advertise_subnets: vec!["10.0.0.0/8".to_owned(), "192.168.1.0/24".to_owned()],
+            quic_endpoint: "gateway.example.com:7172".to_owned(),
+        }
+    );
+}
+
+#[test]
+fn parse_up_command_args_accepts_aliases() {
+    let args = vec![
+        "--gateway".to_owned(),
+        "https://gateway.example.com:7171".to_owned(),
+        "--enrollment-token".to_owned(),
+        "bootstrap-token".to_owned(),
+        "--agent-name".to_owned(),
+        "site-a-agent".to_owned(),
+        "--quic-endpoint".to_owned(),
+        "gateway.example.com:7172".to_owned(),
+        "--advertise-subnets".to_owned(),
+        "10.0.0.0/8".to_owned(),
+    ];
+
+    let parsed = parse_up_command_args(&args).expect("parse up args");
+
+    assert_eq!(parsed.advertise_subnets, vec!["10.0.0.0/8".to_owned()]);
+    assert_eq!(parsed.quic_endpoint, "gateway.example.com:7172");
+}
+
+#[test]
+fn parse_up_command_args_rejects_missing_quic_endpoint() {
+    // No --quic-endpoint and no JWT claim → must fail. The gateway does not
+    // self-report a QUIC endpoint, so the operator has to supply one.
+    let args = vec![
+        "--gateway".to_owned(),
+        "https://gateway.example.com:7171".to_owned(),
+        "--token".to_owned(),
+        "bootstrap-token".to_owned(),
+        "--name".to_owned(),
+        "site-a-agent".to_owned(),
+    ];
+
+    let err = parse_up_command_args(&args).expect_err("should reject missing QUIC endpoint");
+    assert!(
+        err.to_string().to_lowercase().contains("quic endpoint"),
+        "error should mention the missing QUIC endpoint, got: {err:#}"
+    );
+}
+
+/// Build a JWT with the given payload. The header and signature are placeholders —
+/// the agent does not verify them; only the Gateway does.
+fn make_jwt(payload: serde_json::Value) -> String {
+    let header = serde_json::json!({ "alg": "RS256", "typ": "JWT" });
+    let b64 = base64::engine::general_purpose::URL_SAFE_NO_PAD;
+    format!(
+        "{}.{}.{}",
+        b64.encode(header.to_string()),
+        b64.encode(payload.to_string()),
+        b64.encode("signature-placeholder"),
+    )
+}
+
+#[test]
+fn parse_up_command_args_accepts_enrollment_string() {
+    let jwt = make_jwt(serde_json::json!({
+        "scope": "gateway.agent.enroll",
+        "exp": 1_999_999_999i64,
+        "jti": "00000000-0000-0000-0000-000000000000",
+        "jet_gw_url": "https://gateway.example.com:7171",
+        "jet_agent_name": "site-a-agent",
+        "jet_quic_endpoint": "gateway.example.com:7172",
+    }));
+    let args = vec!["--enrollment-string".to_owned(), jwt.clone()];
+
+    let parsed = parse_up_command_args(&args).expect("parse up args");
+
+    assert_eq!(parsed.gateway_url, "https://gateway.example.com:7171");
+    // The JWT itself is used as the Bearer token for /jet/tunnel/enroll.
+    assert_eq!(parsed.enrollment_token, jwt);
+    assert_eq!(parsed.agent_name, "site-a-agent");
+    assert_eq!(parsed.quic_endpoint, "gateway.example.com:7172");
+}
+
+#[test]
+fn parse_up_command_args_rejects_enrollment_string_missing_quic_endpoint() {
+    // JWT lacks `jet_quic_endpoint` AND no CLI `--quic-endpoint` → must fail.
+    let jwt = make_jwt(serde_json::json!({
+        "scope": "gateway.agent.enroll",
+        "exp": 1_999_999_999i64,
+        "jti": "00000000-0000-0000-0000-000000000000",
+        "jet_gw_url": "https://gateway.example.com:7171",
+        "jet_agent_name": "site-a-agent",
+    }));
+    let args = vec!["--enrollment-string".to_owned(), jwt];
+
+    let err = parse_up_command_args(&args).expect_err("should reject missing QUIC endpoint");
+    assert!(
+        err.to_string().to_lowercase().contains("quic endpoint"),
+        "error should mention the missing QUIC endpoint, got: {err:#}"
+    );
+}
+
+#[test]
+fn parse_up_command_args_cli_quic_endpoint_wins_over_jwt() {
+    let jwt = make_jwt(serde_json::json!({
+        "scope": "gateway.agent.enroll",
+        "exp": 1_999_999_999i64,
+        "jti": "00000000-0000-0000-0000-000000000000",
+        "jet_gw_url": "https://gateway.example.com:7171",
+        "jet_agent_name": "site-a-agent",
+        "jet_quic_endpoint": "from-jwt.example.com:7172",
+    }));
+    let args = vec![
+        "--enrollment-string".to_owned(),
+        jwt,
+        "--quic-endpoint".to_owned(),
+        "from-cli.example.com:7172".to_owned(),
+    ];
+
+    let parsed = parse_up_command_args(&args).expect("parse up args");
+
+    assert_eq!(parsed.quic_endpoint, "from-cli.example.com:7172");
+}