chore(agent-tunnel): address maintainer review feedback

* Drop `enroll.nu` — it was a developer convenience for local smoke
  tests, not part of the shipped product.
* Document `EnrollmentClaims.JetAgentName` end-to-end: explain that
  the gateway never reads it (auth is by signature/scope), the
  authoritative name is sent in the agent's enrollment request body,
  and the JWT claim is read agent-side as the default for the
  `--name` CLI flag — letting DVLS pre-fill the name typed in the
  "Generate Enrollment String" dialog.
* Move the `agent_tunnel_*` integration tests out of
  `devolutions-gateway/tests/` and into the `testsuite` crate's
  central test binary (`testsuite/tests/agent_tunnel/{integration,
  registry, routing}.rs`), where the rest of the cross-crate
  integration tests already live. Drop the now-ineffective
  `#![allow(unused_crate_dependencies)]` inner attributes (the lint
  is crate-level only) and add the agent-tunnel-related dev deps to
  `testsuite/Cargo.toml`.

Author: irvingoujAtDevolution

Cargo.lock

@@ -31,16 +31,27 @@ typed-builder = "0.21"
 tokio-tungstenite = { version = "0.26", features = ["rustls-tls-native-roots"] }
 
 [dev-dependencies]
+agent-tunnel = { path = "../crates/agent-tunnel" }
+agent-tunnel-proto = { path = "../crates/agent-tunnel-proto", features = ["serde"] }
+devolutions-gateway-task = { path = "../crates/devolutions-gateway-task" }
 base64 = "0.22"
-proxy-socks = { path = "../crates/proxy-socks" }
+camino = "1"
+ipnetwork = "0.20"
 libsql = { version = "0.9", default-features = false, features = ["core"] }
 mcp-proxy.path = "../crates/mcp-proxy"
+proxy-socks = { path = "../crates/proxy-socks" }
+quinn = "0.11"
+rcgen = { version = "0.13", features = ["pem", "x509-parser"] }
 rstest = "0.25"
+rustls = { version = "0.23", default-features = false, features = ["ring", "logging", "std", "tls12"] }
+rustls-pemfile = "2"
+rustls-pki-types = "1"
 serde_json = "1"
 sysevent.path = "../crates/sysevent"
 tempfile = "3"
 test-utils.path = "../crates/test-utils"
 tokio-rustls = { version = "0.26", features = ["ring"] }
+uuid = { version = "1", features = ["v4"] }
 
 [target.'cfg(unix)'.dev-dependencies]
 sysevent-syslog.path = "../crates/sysevent-syslog"

enroll.nu

@@ -1,6 +1,3 @@
-#![allow(unused_crate_dependencies)]
-#![allow(clippy::unwrap_used)]
-
 //! Full-stack integration test for the QUIC agent tunnel (Quinn).
 //!
 //! Verifies the full data path:

testsuite/Cargo.toml

@@ -0,0 +1,10 @@
+//! Agent-tunnel integration tests.
+//!
+//! Cover the QUIC tunnel data path end-to-end (`integration`), the registry
+//! online/offline accounting (`registry`), and the routing decision pipeline
+//! (`routing`). All three exercise the live `agent-tunnel` crate; no
+//! mocking of the QUIC layer.
+
+mod integration;
+mod registry;
+mod routing;

…ateway/tests/agent_tunnel_integration.rs …tsuite/tests/agent_tunnel/integration.rsdevolutions-gateway/tests/agent_tunnel_integration.rs renamed to testsuite/tests/agent_tunnel/integration.rs devolutions-gateway/tests/agent_tunnel_integration.rs renamed to testsuite/tests/agent_tunnel/integration.rs

@@ -1,6 +1,3 @@
-#![allow(unused_crate_dependencies)]
-#![allow(clippy::unwrap_used)]
-
 use std::sync::Arc;
 
 use agent_tunnel::registry::{AGENT_OFFLINE_TIMEOUT, AgentPeer, AgentRegistry};

testsuite/tests/agent_tunnel/mod.rs

@@ -1,6 +1,3 @@
-#![allow(unused_crate_dependencies)]
-#![allow(clippy::unwrap_used)]
-
 use std::sync::Arc;
 
 use agent_tunnel::registry::{AgentPeer, AgentRegistry};

…s-gateway/tests/agent_tunnel_registry.rs testsuite/tests/agent_tunnel/registry.rsdevolutions-gateway/tests/agent_tunnel_registry.rs renamed to testsuite/tests/agent_tunnel/registry.rs devolutions-gateway/tests/agent_tunnel_registry.rs renamed to testsuite/tests/agent_tunnel/registry.rs

@@ -2,6 +2,7 @@
 #![allow(clippy::print_stdout, reason = "test code uses print for diagnostics")]
 #![allow(clippy::print_stderr, reason = "test code uses print for diagnostics")]
 
+mod agent_tunnel;
 mod cli;
 mod mcp_proxy;
 mod sysevent;

…ns-gateway/tests/agent_tunnel_routing.rs testsuite/tests/agent_tunnel/routing.rsdevolutions-gateway/tests/agent_tunnel_routing.rs renamed to testsuite/tests/agent_tunnel/routing.rs devolutions-gateway/tests/agent_tunnel_routing.rs renamed to testsuite/tests/agent_tunnel/routing.rs

@@ -25,7 +25,22 @@ public class EnrollmentClaims : IGatewayClaims
     [JsonPropertyName("jet_gw_url")]
     public string JetGwUrl { get; set; }
 
-    /// <summary>Optional agent display-name hint.</summary>
+    /// <summary>
+    /// Optional agent display-name hint.
+    ///
+    /// The gateway never reads this claim — it only verifies the JWT
+    /// signature, scope, and expiry on <c>POST /jet/tunnel/enroll</c>; the
+    /// authoritative agent name is the one the agent sends in its
+    /// <c>EnrollRequest</c> body (which the gateway also stamps into the
+    /// signed client certificate's CN).
+    ///
+    /// The agent-side CLI parses this claim out of the JWT it receives via
+    /// <c>--enrollment-string</c> and uses it as the default for
+    /// <c>--name</c> when the operator did not pass one explicitly. Setting
+    /// it here lets DVLS pre-fill the name the admin typed in the "Generate
+    /// Enrollment String" dialog so the agent shows up under that name in
+    /// the registry without an extra CLI flag.
+    /// </summary>
     [JsonPropertyName("jet_agent_name")]
     [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
     public string? JetAgentName { get; set; }