feat(dgw): agent tunnel routing, cert renewal, Docker deployment

Builds on #1738 (core infrastructure) to make the agent tunnel
production-ready for a DVLS-driven deployment. Not yet: agent
management webapp UI (follow-up PR) and Playwright E2E harness
(follow-up PR).

Transparent routing:

- `crates/agent-tunnel/src/routing.rs`: `RoutingDecision` pipeline —
  explicit `jet_agent_id` from the JWT → subnet match → domain
  suffix match (longest wins) → direct connect. Single `try_route`
  entry point consumed by all gateway proxy paths.
- `crates/agent-tunnel/src/registry.rs`: `find_agents_for(host)` +
  `RouteAdvertisementState::matches_target()` do the lookup in one
  spot; offline agents are skipped.
- Gateway proxy integration: `api/fwd.rs`, `api/kdc_proxy.rs`,
  `api/rdp.rs`, `rd_clean_path.rs`, `generic_client.rs`, `rdp_proxy.rs`
  all call `try_route` before falling through to direct TCP.
- Tests: `agent-tunnel/src/integration_test.rs` (2 full-stack QUIC
  E2E), `tests/agent_tunnel_registry.rs` (13), `tests/agent_tunnel_
  routing.rs` (8).

Agent-side certificate renewal:

- `enrollment.rs`: `is_cert_expiring(cert_path, threshold_days)` and
  `generate_csr_from_existing_key(key_path, agent_name)` — the key
  never changes across renewals, the gateway just signs a new cert
  with the same public key.
- `tunnel.rs`: on connect, if the cert is within 15 days of expiry,
  the agent sends a `CertRenewalRequest` control message with a new
  CSR, waits for `CertRenewalResponse::Success`, writes the renewed
  cert and CA, and reconnects.
- `agent-tunnel/src/listener.rs`: gateway-side handler signs the
  CSR via `CaManager::sign_agent_csr` and returns the new cert chain.
  (Stub replaced: master's handler emitted a debug log and dropped
  the message.)

QUIC endpoint override:

- `enrollment.rs`: new `quic_endpoint_override: Option<String>`
  parameter on `enroll_agent` — if set, overrides the endpoint
  returned by the enroll API. Needed because the gateway's
  `quic_endpoint` is derived from `conf.hostname`, which in Docker
  is often the container ID (not routable from outside).
- `main.rs`: new `--quic-endpoint` CLI flag and `jet_quic_endpoint`
  JWT claim; precedence is CLI flag > JWT claim > enroll API
  response.

Agent-side routing primitives:

- `tunnel_helpers.rs`: `Target::Ip` / `Target::Domain` enum parsed
  from the gateway's `ConnectRequest::target`, `resolve_target`
  (domain → DNS), `connect_to_target` (happy-eyeballs).

Deployment:

- `Dockerfile`: multi-stage build for the gateway. Produces an
  image that can run behind a DVLS-managed reverse proxy.
- `docker-compose.yml`: gateway + network setup for local dev.
- `.dockerignore` + `.gitignore` updates.

Tests: 22 agent-tunnel lib + 3 proto version + 24 proto control +
11 proto session + 13 registry + 8 routing integration + 64 gateway
lib, all green. Zero clippy warnings; nightly fmt clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: irvingoujAtDevolution

.dockerignore

@@ -1,4 +1,5 @@
 **/target
+**/node_modules
 .git/
 .dockerignore
 Dockerfile

.gitignore

@@ -13,3 +13,11 @@ dist/
 # Downloaded build dependencies
 tun2socks.exe
 wintun.dll
+PROTOCOL.md
+TECHNICAL_SPEC.md
+
+# E2E test artifacts
+tests/e2e/test-results/
+tests/e2e/node_modules/
+# Dev artifacts
+devolutions-agent-linux

Cargo.lock

@@ -0,0 +1,117 @@
+# =============================================================================
+# Devolutions Gateway — Source build for Coolify
+# =============================================================================
+# Multi-stage build:
+#   1. rust-builder      — compile the gateway binary from source
+#   2. official-image    — extract libxmf and PowerShell module from official image
+#   3. runtime           — assemble the final image
+#
+# Both the gateway binary AND the webapp are built from THIS repo's source.
+# The webapp must be pre-built locally (pnpm build:gateway) because some
+# dependencies (@devolutions/icons) require private registry authentication.
+# The libxmf.so and PowerShell module come from the official published image.
+# =============================================================================
+
+# Global ARG — must be before any FROM to be usable in FROM lines
+ARG GATEWAY_VERSION=latest
+
+# ---------------------------------------------------------------------------
+# Stage 1: Rust builder
+# ---------------------------------------------------------------------------
+FROM rust:1.90-bookworm AS rust-builder
+
+WORKDIR /src
+
+# Install build dependencies (cmake required by quiche/BoringSSL, go required by quiche)
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    cmake \
+    golang-go \
+    nasm \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy manifests first for better layer caching
+COPY Cargo.toml Cargo.lock rust-toolchain.toml ./
+COPY crates crates
+COPY devolutions-gateway devolutions-gateway
+COPY devolutions-agent devolutions-agent
+COPY devolutions-session devolutions-session
+COPY jetsocat jetsocat
+COPY testsuite testsuite
+COPY tools tools
+COPY fuzz fuzz
+
+# Build only the gateway binary in release mode
+RUN cargo build --release --package devolutions-gateway \
+    && cp target/release/devolutions-gateway /usr/local/bin/devolutions-gateway
+
+# ---------------------------------------------------------------------------
+# Stage 2: Extract libxmf + PowerShell module from the official image
+# ---------------------------------------------------------------------------
+FROM devolutions/devolutions-gateway:${GATEWAY_VERSION} AS official-image
+
+# ---------------------------------------------------------------------------
+# Stage 3: Runtime
+# ---------------------------------------------------------------------------
+FROM debian:bookworm-slim
+
+LABEL maintainer="Devolutions Inc."
+LABEL description="Devolutions Gateway — built from source with QUIC agent tunnel"
+
+# Install PowerShell and runtime dependencies
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends wget ca-certificates openssl curl \
+    && ARCH=$(dpkg --print-architecture) \
+    && if [ "$ARCH" = "arm64" ]; then \
+        PWSH_VERSION=7.4.6 \
+        && wget -q "https://github.com/PowerShell/PowerShell/releases/download/v${PWSH_VERSION}/powershell-${PWSH_VERSION}-linux-arm64.tar.gz" \
+        && mkdir -p /opt/microsoft/powershell/7 \
+        && tar -xzf "powershell-${PWSH_VERSION}-linux-arm64.tar.gz" -C /opt/microsoft/powershell/7 \
+        && chmod +x /opt/microsoft/powershell/7/pwsh \
+        && ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh \
+        && rm "powershell-${PWSH_VERSION}-linux-arm64.tar.gz"; \
+    else \
+        wget -q https://packages.microsoft.com/config/debian/12/packages-microsoft-prod.deb -O packages-microsoft-prod.deb \
+        && dpkg -i packages-microsoft-prod.deb \
+        && rm packages-microsoft-prod.deb \
+        && apt-get update \
+        && apt-get install -y --no-install-recommends powershell; \
+    fi \
+    && rm -rf /var/lib/apt/lists/*
+
+ENV XDG_CACHE_HOME="/tmp/.cache"
+ENV XDG_DATA_HOME="/tmp/.local/share"
+ENV POWERSHELL_TELEMETRY_OPTOUT="1"
+
+ENV DGATEWAY_CONFIG_PATH="/tmp/devolutions-gateway"
+RUN mkdir -p "$DGATEWAY_CONFIG_PATH"
+
+WORKDIR /opt/devolutions/gateway
+
+ENV DGATEWAY_EXECUTABLE_PATH="/opt/devolutions/gateway/devolutions-gateway"
+ENV DGATEWAY_LIB_XMF_PATH="/opt/devolutions/gateway/libxmf.so"
+ENV DGATEWAY_WEBAPP_PATH="/opt/devolutions/gateway/webapp"
+
+# Gateway binary — built from THIS repo's source code
+COPY --from=rust-builder /usr/local/bin/devolutions-gateway $DGATEWAY_EXECUTABLE_PATH
+
+# Webapp — pre-built locally (pnpm build:gateway), output in webapp/dist/gateway-ui/
+COPY webapp/dist/gateway-ui/ /opt/devolutions/gateway/webapp/client/
+
+# libxmf — from official image (native library, not built from source)
+COPY --from=official-image /opt/devolutions/gateway/libxmf.so $DGATEWAY_LIB_XMF_PATH
+
+# PowerShell module — from official image (includes pre-compiled .NET DLLs)
+COPY --from=official-image /opt/microsoft/powershell/7/Modules/DevolutionsGateway /opt/microsoft/powershell/7/Modules/DevolutionsGateway
+
+# Entrypoint script from this repo's source
+COPY package/Linux/entrypoint.ps1 /usr/local/bin/entrypoint.ps1
+RUN chmod +x /usr/local/bin/entrypoint.ps1
+
+EXPOSE 7171
+EXPOSE 8181
+EXPOSE 4433/udp
+
+HEALTHCHECK --interval=30s --timeout=10s --retries=5 --start-period=15s \
+    CMD curl -sf http://localhost:7171/jet/health || exit 1
+
+ENTRYPOINT ["pwsh", "-File", "/usr/local/bin/entrypoint.ps1"]

Dockerfile

@@ -43,4 +43,6 @@ quinn = "0.11"
 
 [dev-dependencies]
 base64 = "0.22"
-tokio = { version = "1.45", features = ["macros"] }
+tempfile = "3"
+rustls-pemfile = "2.2"
+tokio = { version = "1.45", features = ["macros", "net"] }

crates/agent-tunnel/Cargo.toml

@@ -8,7 +8,7 @@ use std::time::Duration;
 
 use anyhow::{Context as _, bail};
 use camino::{Utf8Path, Utf8PathBuf};
-use picky::pem::parse_pem;
+use picky::pem::{PemError, parse_pem, read_pem};
 use picky::x509::Cert;
 use picky_asn1_x509::{ExtensionView, GeneralName};
 use rcgen::{CertificateParams, DnType, ExtendedKeyUsagePurpose, IsCa, KeyPair, KeyUsagePurpose, SanType};
@@ -32,29 +32,28 @@ fn cert_pem_to_der(pem_str: &str) -> anyhow::Result<Vec<u8>> {
 /// Parse one or more PEM-encoded certificates into `rustls` certificate types.
 ///
 /// A PEM file can carry multiple concatenated CERTIFICATE blocks (chain). We
-/// iterate block-by-block with [`parse_pem`], check each label, and wrap the
-/// DER bytes in [`rustls_pki_types::CertificateDer`] — the only type the
-/// rustls/quinn TLS builders accept.
+/// use [`read_pem`] in a loop — each call consumes one block; `HeaderNotFound`
+/// signals "no more blocks left", which is the termination condition. Each
+/// block's label is verified, then the DER bytes are wrapped in
+/// [`rustls_pki_types::CertificateDer`] — the type the rustls/quinn TLS
+/// builders accept.
 fn read_cert_chain(pem_str: &str) -> anyhow::Result<Vec<rustls::pki_types::CertificateDer<'static>>> {
+    use std::io::BufReader;
+
+    let mut reader = BufReader::new(pem_str.as_bytes());
     let mut chain = Vec::new();
-    let mut remaining = pem_str;
-    while let Some(start) = remaining.find("-----BEGIN ") {
-        let block_end = remaining[start..]
-            .find("-----END ")
-            .and_then(|e| {
-                remaining[start + e..]
-                    .find("-----\n")
-                    .map(|n| start + e + n + "-----\n".len())
-            })
-            .context("malformed PEM block (no END tag)")?;
-
-        let block = &remaining[start..block_end];
-        let pem = parse_pem(block).context("parse PEM block")?;
-        if pem.label() != PEM_LABEL_CERTIFICATE {
-            bail!("expected {PEM_LABEL_CERTIFICATE} PEM, got {}", pem.label());
+
+    loop {
+        match read_pem(&mut reader) {
+            Ok(pem) => {
+                if pem.label() != PEM_LABEL_CERTIFICATE {
+                    bail!("expected {PEM_LABEL_CERTIFICATE} PEM, got {}", pem.label());
+                }
+                chain.push(rustls::pki_types::CertificateDer::from(pem.data().to_vec()));
+            }
+            Err(PemError::HeaderNotFound) => break,
+            Err(e) => return Err(anyhow::Error::new(e).context("parse PEM block")),
         }
-        chain.push(rustls::pki_types::CertificateDer::from(pem.data().to_vec()));
-        remaining = &remaining[block_end..];
     }
 
     if chain.is_empty() {
@@ -87,7 +86,7 @@ const SERVER_CERT_FILENAME: &str = "agent-tunnel-server-cert.pem";
 const SERVER_KEY_FILENAME: &str = "agent-tunnel-server-key.pem";
 const CA_VALIDITY_DAYS: u32 = 3650; // ~10 years
 const SERVER_CERT_VALIDITY_DAYS: u32 = 365; // 1 year
-const AGENT_CERT_VALIDITY_DAYS: u32 = 365; // 1 year
+const AGENT_CERT_VALIDITY_DAYS: u32 = 30; // 30 days (short-lived, auto-renewed)
 
 const SECS_PER_DAY: u64 = 86_400;
 const CA_COMMON_NAME: &str = "Devolutions Gateway Agent Tunnel CA";