refactor(agent-tunnel): JWT-only enrollment, drop server-side mint

DVLS holds the provisioner private key, the gateway holds the public key
and verifies statelessly. The gateway-side enrollment-string mint
endpoint was the wrong shape: it required the gateway to hold issuance
state (the in-memory `EnrollmentTokenStore`), which broke HA (a token
could only be redeemed against the specific gateway node that minted
it, and a restart silently invalidated unredeemed tokens).

This PR removes that path entirely. DVLS signs an enrollment JWT with
its `gateway.agent.enroll` scope; the agent presents the JWT as the
Bearer token on `POST /jet/tunnel/enroll`; the gateway verifies the
signature against the configured provisioner public key. No state on
the gateway, no per-node affinity, no restart hazards.

Companion changes:

- Token: rename `gateway.tunnel.enroll` to `gateway.agent.enroll` (the
  scope governs agent management, not the tunnel transport). Add the
  matching `gateway.agent.read` scope. Both extractors
  (`AgentManagementReadAccess` / `WriteAccess`) accept the new scopes
  alongside the existing `Wildcard` / `ConfigWrite` / `DiagnosticsRead`
  for back-compat with callers that predate the rename.

- .NET utils: new `EnrollmentClaims` mirroring the Rust shape so DVLS
  can sign the JWT directly via `TokenUtils.Sign`. Two new
  `AccessScope` constants. Round-trip JSON tests for both. NuGet
  bumped to 2026.4.27.

Author: irvingoujAtDevolution

crates/agent-tunnel/src/enrollment_store.rs

@@ -7,12 +7,10 @@
 extern crate tracing;
 
 pub mod cert;
-pub mod enrollment_store;
 pub mod listener;
 pub mod registry;
 pub mod stream;
 
-pub use enrollment_store::EnrollmentTokenStore;
 pub use listener::{AgentTunnelHandle, AgentTunnelListener};
 pub use registry::AgentRegistry;
 pub use stream::TunnelStream;

crates/agent-tunnel/src/lib.rs

@@ -16,7 +16,6 @@ use tokio::sync::RwLock;
 use uuid::Uuid;
 
 use super::cert::CaManager;
-use super::enrollment_store::EnrollmentTokenStore;
 use super::registry::{AgentPeer, AgentRegistry};
 use super::stream::TunnelStream;
 
@@ -33,7 +32,6 @@ pub struct AgentTunnelHandle {
     /// Map of agent_id → live Quinn connection, used for opening new streams.
     agent_connections: Arc<RwLock<HashMap<Uuid, quinn::Connection>>>,
     ca_manager: Arc<CaManager>,
-    enrollment_token_store: Arc<EnrollmentTokenStore>,
 }
 
 impl AgentTunnelHandle {
@@ -45,10 +43,6 @@ impl AgentTunnelHandle {
         &self.ca_manager
     }
 
-    pub fn enrollment_token_store(&self) -> &EnrollmentTokenStore {
-        &self.enrollment_token_store
-    }
-
     /// Open a proxy stream through a connected agent.
     // TODO: Emit TrafficEvent for connections routed through the agent tunnel.
     pub async fn connect_via_agent(
@@ -148,13 +142,11 @@ impl AgentTunnelListener {
 
         let registry = Arc::new(AgentRegistry::new());
         let agent_connections: Arc<RwLock<HashMap<Uuid, quinn::Connection>>> = Arc::new(RwLock::new(HashMap::new()));
-        let enrollment_token_store = Arc::new(EnrollmentTokenStore::new());
 
         let handle = AgentTunnelHandle {
             registry: Arc::clone(&registry),
             agent_connections: Arc::clone(&agent_connections),
             ca_manager,
-            enrollment_token_store,
         };
 
         let listener = Self {

crates/agent-tunnel/src/listener.rs

@@ -1,6 +1,7 @@
 use axum::extract::{Path, State};
 use axum::http::HeaderMap;
 use axum::{Json, Router};
+use serde::{Deserialize, Serialize};
 use uuid::Uuid;
 
 use crate::DgwState;
@@ -11,7 +12,7 @@ use crate::http::HttpError;
 ///
 /// Returns `true` if the token is a well-formed JWT whose signature verifies
 /// against `provisioner_key`, whose `exp` has not passed, and whose `scope`
-/// is `TunnelEnroll` (or `Wildcard`). Returns `false` for any failure.
+/// is `AgentEnroll` (or `Wildcard`). Returns `false` for any failure.
 ///
 /// The enrollment JWT carries extra claims (`jet_gw_url`, `jet_agent_name`)
 /// that the *agent* reads locally from its own copy of the token — the Gateway
@@ -39,7 +40,7 @@ fn validate_enrollment_jwt(token: &str, provisioner_key: &picky::key::PublicKey)
 
     matches!(
         validated.state.claims.scope,
-        AccessScope::TunnelEnroll | AccessScope::Wildcard
+        AccessScope::AgentEnroll | AccessScope::Wildcard
     )
 }
 
@@ -96,8 +97,12 @@ pub fn make_router<S>(state: DgwState) -> Router<S> {
 
 /// Enroll a new agent.
 ///
-/// Requires a Bearer token matching the configured enrollment secret
-/// or a valid one-time enrollment token from the store.
+/// Requires a Bearer token that is either:
+/// - a JWT signed by the configured provisioner key with `AgentEnroll` /
+///   `Wildcard` scope (issued by DVLS — the only authority for agent
+///   enrollment tokens), or
+/// - the static `enrollment_secret` from the gateway configuration (admin
+///   bootstrap fallback for environments without DVLS).
 ///
 /// The agent generates its own key pair and sends a CSR. The gateway signs it
 /// and returns the certificate. The private key never leaves the agent.
@@ -135,24 +140,19 @@ async fn enroll_agent(
         .ok_or_else(|| HttpError::not_found().msg("agent enrollment is not configured"))?;
 
     // Token validation order:
-    // 1. JWT signed by the configured provisioner key (scope == TunnelEnroll)
-    // 2. One-time enrollment token from the in-memory store
-    // 3. Static enrollment secret from configuration (constant-time comparison)
+    // 1. JWT signed by the configured provisioner key (scope == AgentEnroll)
+    // 2. Static enrollment secret from configuration (constant-time comparison)
     let jwt_valid = validate_enrollment_jwt(provided_token, &conf.provisioner_public_key);
 
     if !jwt_valid {
-        let token_valid = handle.enrollment_token_store().redeem(provided_token).await;
-
-        if !token_valid {
-            let enrollment_secret = conf
-                .agent_tunnel
-                .enrollment_secret
-                .as_deref()
-                .ok_or_else(|| HttpError::not_found().msg("agent enrollment is not configured"))?;
-
-            if !timing_safe_eq(provided_token.as_bytes(), enrollment_secret.as_bytes()) {
-                return Err(HttpError::forbidden().msg("invalid enrollment token"));
-            }
+        let enrollment_secret = conf
+            .agent_tunnel
+            .enrollment_secret
+            .as_deref()
+            .ok_or_else(|| HttpError::not_found().msg("agent enrollment is not configured"))?;
+
+        if !timing_safe_eq(provided_token.as_bytes(), enrollment_secret.as_bytes()) {
+            return Err(HttpError::forbidden().msg("invalid enrollment token"));
         }
     }
 
@@ -282,7 +282,7 @@ mod tests {
         let (priv_key, pub_key) = keypair();
         let token = sign(
             json!({
-                "scope": "gateway.tunnel.enroll",
+                "scope": "gateway.agent.enroll",
                 "nbf": now_ts() - 60,
                 "exp": now_ts() + 3600,
                 "jti": Uuid::new_v4(),
@@ -334,7 +334,7 @@ mod tests {
         let (priv_key, pub_key) = keypair();
         let token = sign(
             json!({
-                "scope": "gateway.tunnel.enroll",
+                "scope": "gateway.agent.enroll",
                 "nbf": now_ts() - 7200,
                 "exp": now_ts() - 3600,
                 "jti": Uuid::new_v4(),
@@ -352,7 +352,7 @@ mod tests {
         let (_, gateway_pub) = keypair();
         let token = sign(
             json!({
-                "scope": "gateway.tunnel.enroll",
+                "scope": "gateway.agent.enroll",
                 "nbf": now_ts() - 60,
                 "exp": now_ts() + 3600,
                 "jti": Uuid::new_v4(),
@@ -369,7 +369,7 @@ mod tests {
         let (priv_key, pub_key) = keypair();
         let token = sign(
             json!({
-                "scope": "gateway.tunnel.enroll",
+                "scope": "gateway.agent.enroll",
                 "nbf": now_ts() - 60,
                 "exp": now_ts() + 3600,
                 "jti": Uuid::new_v4(),

devolutions-gateway/src/api/tunnel.rs

@@ -424,12 +424,19 @@ where
             .map_err(HttpError::internal().err())?
             .0;
 
-        // DiagnosticsRead is accepted because DVLS maps its AgentRead scope
-        // to GatewayDiagnosticsRead, which serializes as "gateway.diagnostics.read".
+        // Accepted scopes:
+        // - AgentRead: the canonical scope for this endpoint (DVLS uses this).
+        // - DiagnosticsRead / ConfigWrite: back-compat for older callers that predate
+        //   the dedicated agent scopes; safe because both imply broader privileges.
         match claims {
             AccessTokenClaims::Scope(scope) => match scope.scope {
-                AccessScope::Wildcard | AccessScope::DiagnosticsRead | AccessScope::ConfigWrite => Ok(Self),
-                _ => Err(HttpError::forbidden().msg("invalid scope for agent management read")),
+                AccessScope::Wildcard
+                | AccessScope::AgentRead
+                | AccessScope::DiagnosticsRead
+                | AccessScope::ConfigWrite => Ok(Self),
+                _ => Err(HttpError::forbidden().msg(
+                    "invalid scope for agent management read (require one of: gateway.agent.read, gateway.diagnostics.read, gateway.config.write, *)",
+                )),
             },
             _ => Err(HttpError::forbidden().msg("scope token required for agent management read")),
         }
@@ -438,7 +445,7 @@ where
 
 /// Grants write access to agent management endpoints (e.g. enrollment, delete).
 ///
-/// Accepts scope tokens with `ConfigWrite` (or `Wildcard`) scope only.
+/// Accepts scope tokens with `AgentEnroll`, `ConfigWrite`, or `Wildcard` scope.
 #[derive(Clone, Copy)]
 pub struct AgentManagementWriteAccess;
 
@@ -454,10 +461,16 @@ where
             .map_err(HttpError::internal().err())?
             .0;
 
+        // Accepted scopes:
+        // - AgentEnroll: the canonical scope for this endpoint (DVLS uses this).
+        // - ConfigWrite: back-compat for older callers that predate the
+        //   dedicated agent scope.
         match claims {
             AccessTokenClaims::Scope(scope) => match scope.scope {
-                AccessScope::Wildcard | AccessScope::ConfigWrite => Ok(Self),
-                _ => Err(HttpError::forbidden().msg("invalid scope for agent management write")),
+                AccessScope::Wildcard | AccessScope::AgentEnroll | AccessScope::ConfigWrite => Ok(Self),
+                _ => Err(HttpError::forbidden().msg(
+                    "invalid scope for agent management write (require one of: gateway.agent.enroll, gateway.config.write, *)",
+                )),
             },
             _ => Err(HttpError::forbidden().msg("scope token required for agent management write")),
         }

devolutions-gateway/src/extract.rs

@@ -472,8 +472,10 @@ pub enum AccessScope {
     NetMonitorConfig,
     #[serde(rename = "gateway.net.monitor.drain")]
     NetMonitorDrain,
-    #[serde(rename = "gateway.tunnel.enroll")]
-    TunnelEnroll,
+    #[serde(rename = "gateway.agent.enroll")]
+    AgentEnroll,
+    #[serde(rename = "gateway.agent.read")]
+    AgentRead,
 }
 
 #[derive(Clone, Serialize, Deserialize)]
@@ -499,7 +501,7 @@ pub struct ScopeTokenClaims {
 /// and expiry against the configured provisioner key.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct EnrollmentTokenClaims {
-    /// Must be `AccessScope::TunnelEnroll` (or `Wildcard`).
+    /// Must be `AccessScope::AgentEnroll` (or `Wildcard`).
     pub scope: AccessScope,
 
     /// JWT expiration time claim.