feat(agent-installer): add Agent Tunnel configuration dialog

Adds an optional Agent Tunnel wizard step to the Devolutions Agent
installer so admins can enroll the agent in a Gateway QUIC tunnel as
part of MSI install (UI or unattended).

Surfaces three MSI public properties for unattended installs:
- AGENT_TUNNEL_ENROLLMENT_STRING (dgw-enroll:v1:<base64> from DVLS/Hub/Gateway)
- AGENT_TUNNEL_ADVERTISE_SUBNETS (CSV CIDR; empty = none)
- AGENT_TUNNEL_ADVERTISE_DOMAINS (CSV DNS suffixes; empty = auto-detect only)

Wires a new deferred elevated custom action (EnrollAgentTunnel) that
runs Before StartServices when AGENT_TUNNEL_FEATURE is being installed.
It base64-decodes the enrollment payload, shells out to
`devolutions-agent.exe enroll <url> <token> <name> [subnets]` with a 60s
timeout, and redacts the token in the session log. Advertise domains
are persisted by patching `Tunnel.AdvertiseDomains` in agent.json
post-enrollment, matching the agreed direction that domain config lives
in the file rather than as a CLI flag.

The Tunnel feature itself is opt-in (isEnabled:false, allowChange:true);
the dialog is skipped when the feature isn't selected. An empty
enrollment string also skips tunnel setup, allowing the installer to be
used without touching the tunnel.

Author: irvingoujAtDevolution

package/AgentWindowsManaged/Actions/AgentActions.cs

@@ -279,6 +279,18 @@ internal static class AgentActions
         UsesProperties = UseProperties(new[] { AgentProperties.featuresToConfigure })
     };
 
+    private static readonly ElevatedManagedAction enrollAgentTunnel = new(
+        new Id($"CA.{nameof(enrollAgentTunnel)}"),
+        CustomActions.EnrollAgentTunnel,
+        Return.check,
+        When.Before, Step.StartServices,
+        Features.AGENT_TUNNEL_FEATURE.BeingInstall(),
+        Sequence.InstallExecuteSequence)
+    {
+        Execute = Execute.deferred,
+        Impersonate = false,
+    };
+
     private static readonly ElevatedManagedAction registerExplorerCommand = new(
         CustomActions.RegisterExplorerCommand
     )
@@ -352,6 +364,7 @@ private static string UseProperties(IEnumerable<IWixProperty> properties)
         setArpInstallLocation,
         setFeaturesToConfigure,
         configureFeatures,
+        enrollAgentTunnel,
         createProgramDataDirectory,
         setProgramDataDirectoryPermissions,
         createProgramDataPedmDirectories,

package/AgentWindowsManaged/Actions/CustomActions.cs

@@ -3,6 +3,7 @@
 using Microsoft.Deployment.WindowsInstaller;
 using Microsoft.Win32;
 using Newtonsoft.Json;
+using Newtonsoft.Json.Linq;
 using System;
 using System.Collections.Generic;
 using System.ComponentModel;
@@ -12,6 +13,7 @@
 using System.Linq;
 using System.Runtime.InteropServices;
 using System.Security.Claims;
+using System.Text.RegularExpressions;
 using System.Threading;
 using WixSharp;
 using File = System.IO.File;
@@ -318,6 +320,155 @@ public static ActionResult SetFeaturesToConfigure(Session session)
             return ActionResult.Success;
         }
 
+        [CustomAction]
+        public static ActionResult EnrollAgentTunnel(Session session)
+        {
+            string enrollmentString = session.Property(AgentProperties.AgentTunnelEnrollmentString);
+            string subnetsRaw = session.Property(AgentProperties.AgentTunnelAdvertiseSubnets);
+            string domainsRaw = session.Property(AgentProperties.AgentTunnelAdvertiseDomains);
+
+            if (string.IsNullOrWhiteSpace(enrollmentString))
+            {
+                session.Log("Agent tunnel enrollment string not provided, skipping tunnel setup");
+                return ActionResult.Success;
+            }
+
+            try
+            {
+                // Parse enrollment string to extract gateway URL, token, and name.
+                // Format: dgw-enroll:v1:<base64 JSON payload>
+                const string prefix = "dgw-enroll:v1:";
+                if (!enrollmentString.StartsWith(prefix))
+                {
+                    session.Log("Invalid enrollment string prefix");
+                    return ActionResult.Failure;
+                }
+
+                // base64url -> base64. Strip whitespace (line breaks from copy-paste across wrapped
+                // terminal output are common) and pad to length % 4 == 0 (RFC 4648 §5 allows omitting `=`).
+                string base64 = Regex.Replace(enrollmentString.Substring(prefix.Length), @"\s+", "")
+                    .Replace('-', '+').Replace('_', '/');
+                base64 = base64.PadRight((base64.Length + 3) & ~3, '=');
+                string json = System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(base64));
+
+                JObject payload = JsonConvert.DeserializeObject<JObject>(json);
+                string apiBaseUrl = payload?["api_base_url"]?.Value<string>();
+                string enrollmentToken = payload?["enrollment_token"]?.Value<string>();
+                string agentName = payload?["name"]?.Value<string>();
+
+                if (string.IsNullOrWhiteSpace(apiBaseUrl) || string.IsNullOrWhiteSpace(enrollmentToken))
+                {
+                    session.Log("Enrollment payload missing api_base_url or enrollment_token");
+                    return ActionResult.Failure;
+                }
+                if (string.IsNullOrWhiteSpace(agentName)) agentName = Environment.MachineName;
+
+                // Build CLI arguments for: devolutions-agent.exe enroll <url> <token> <name> [subnets]
+                // Advertise domains are not a CLI flag — the agent reads them from the Tunnel
+                // section of agent.json. We persist them after enrollment writes the file.
+                string installDir = session.Property(AgentProperties.InstallDir);
+                string exePath = Path.Combine(installDir, Includes.EXECUTABLE_NAME);
+
+                string subnetsArg = subnetsRaw?.Trim() ?? string.Empty;
+                string domainsArg = domainsRaw?.Trim() ?? string.Empty;
+
+                string arguments = $"enroll \"{apiBaseUrl}\" \"{enrollmentToken}\" \"{agentName}\"";
+                if (subnetsArg.Length != 0)
+                {
+                    arguments += $" \"{subnetsArg}\"";
+                }
+
+                string Redact(string s) => s.Replace(enrollmentToken, "***");
+                session.Log($"Running enrollment: {exePath} {Redact(arguments)}");
+
+                ProcessStartInfo startInfo = new(exePath, arguments)
+                {
+                    UseShellExecute = false,
+                    RedirectStandardOutput = true,
+                    RedirectStandardError = true,
+                    CreateNoWindow = true,
+                    WorkingDirectory = ProgramDataDirectory,
+                };
+
+                using Process process = Process.Start(startInfo);
+                if (!process.WaitForExit(60_000))
+                {
+                    try { process.Kill(); } catch { /* already gone */ }
+                    session.Log("Enrollment process timed out after 60 seconds");
+                    return ActionResult.Failure;
+                }
+                string stdout = process.StandardOutput.ReadToEnd();
+                string stderr = process.StandardError.ReadToEnd();
+
+                if (!string.IsNullOrEmpty(stdout)) session.Log($"enrollment stdout: {Redact(stdout)}");
+                if (!string.IsNullOrEmpty(stderr)) session.Log($"enrollment stderr: {Redact(stderr)}");
+
+                if (process.ExitCode != 0)
+                {
+                    session.Log($"Enrollment failed with exit code {process.ExitCode}");
+                    return ActionResult.Failure;
+                }
+
+                if (domainsArg.Length != 0)
+                {
+                    WriteAdvertiseDomainsToConfig(session, domainsArg);
+                }
+
+                session.Log("Agent tunnel enrollment completed successfully");
+                return ActionResult.Success;
+            }
+            catch (Exception e)
+            {
+                session.Log($"Agent tunnel enrollment failed: {e}");
+                return ActionResult.Failure;
+            }
+        }
+
+        private static void WriteAdvertiseDomainsToConfig(Session session, string domainsCsv)
+        {
+            string configPath = Path.Combine(ProgramDataDirectory, "agent.json");
+            if (!File.Exists(configPath))
+            {
+                session.Log($"agent.json not found at {configPath}; cannot persist advertise_domains");
+                return;
+            }
+
+            try
+            {
+                string[] domains = domainsCsv
+                    .Split(',')
+                    .Select(d => d.Trim())
+                    .Where(d => !string.IsNullOrEmpty(d))
+                    .ToArray();
+
+                if (domains.Length == 0)
+                {
+                    return;
+                }
+
+                JObject root = JObject.Parse(File.ReadAllText(configPath));
+
+                // ConfFile uses serde rename_all = "PascalCase", so the tunnel section is keyed
+                // "Tunnel" and the field is "AdvertiseDomains".
+                if (root["Tunnel"] is not JObject tunnel)
+                {
+                    session.Log("agent.json has no Tunnel section after enrollment; skipping advertise_domains write");
+                    return;
+                }
+
+                tunnel["AdvertiseDomains"] = new JArray(domains);
+
+                File.WriteAllText(configPath, root.ToString(Formatting.Indented));
+                session.Log($"Wrote {domains.Length} advertise_domains entries to agent.json");
+            }
+            catch (Exception e)
+            {
+                // Don't fail the install over this — the tunnel works fine without domain
+                // advertisements (subnets cover IP routing on their own).
+                session.Log($"Failed to write advertise_domains to agent.json: {e}");
+            }
+        }
+
         [CustomAction]
         public static ActionResult ConfigureFeatures(Session session)
         {