- ConnectMessage → ConnectRequest (precise naming)
- Move encode/decode into ControlStream/SessionStream wrappers
  (actor-on-object: ctrl.send(&msg) instead of msg.encode(&mut stream))
- ControlStream.into_split() → ControlSendStream + ControlRecvStream
  (compile-time separation, no phantom halves)
- From<(S, R)> for stream wrappers (connection.open_bi().await?.into())
- Rename spawned tasks: run_control_reader, run_session_proxy,
  run_agent_connection, run_control_loop
- Spawned tasks own args and handle errors internally
- Collect JoinHandles, abort all on shutdown
- Extract helpers to tunnel_helpers.rs
- Document backoff strategy with examples

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- CaManager::load_or_generate returns Arc<Self> directly
- Rename enrollment token consume → redeem
- Remove unused resolve-target API endpoint + helpers + tests
- Remove routing methods from registry (PR2 scope)
- Remove Option from RouteAdvertisementState (empty = no routes)
- Target enum for typed IP vs domain parsing
- Prefix variables clearly (server_cert_*, ca_*)
- Add TODO for traffic audit and Windows DACL
- Backoff strategy documented with examples

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Address review feedback from Benoit and Marc-André:

- Rename HTTP mountpoint /jet/agent-tunnel → /jet/tunnel
- Replace SkipHostnameVerification with SpkiPinnedVerifier that
  performs full chain + hostname + SPKI pin validation
- Enrollment response now includes server_spki_sha256 for pinning
- Agent sends machine hostname; gateway adds it as DNS SAN alongside
  the UUID SAN (dual names for future direct connectivity)
- Agent connects using real gateway hostname instead of dummy value
- Move sha2/hex to cross-platform deps, add x509-parser + hostname

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Remove agent_name from EnrollResponse (agent knows it already)
- Agent generates its own UUID and sends it in EnrollRequest
- Rename api/agent_enrollment.rs → api/tunnel.rs (match endpoint)
- Use backoff crate for reconnect loop (same pattern as subscriber.rs)
- ALPN: "devolutions-agent-tunnel" → "gw-agent-tunnel/1" (versioned)
- Protocol version: 2 → 1 (previous was experimental, start fresh)
- Move session tests to integration test file (public API only)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- SanType::Rfc822Name → SanType::URI for urn:uuid: (correct X.509 type)
- GeneralName::RFC822Name → GeneralName::URI in extraction
- Reject duplicate agent UUID on enrollment (409 Conflict)
- tokio::join! instead of select! for session proxy (prevents data loss)
- JoinSet instead of Vec<JoinHandle> (prevents unbounded growth)
- Timeout (30s) on session handshake recv_request/recv_response
- Fix typos: "redeemd" → "redeemed"

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Move current_time_millis() to agent-tunnel-proto (R1: eliminate duplication)
- Delete DomainInfo, use DomainAdvertisement directly in AgentInfo (R2)
- Merge enroll_agent/bootstrap_and_persist into single function (I1)
- Agent task_handles: Vec<JoinHandle> → JoinSet with reaping (I4)
- Same-epoch route refresh: mutate updated_at in place, no clone (I5)
- Add #[must_use] on enrollment_store::redeem() (I6)
- connect_via_agent: cleaner error extraction with if-let (I3)
- Add TODO for active_stream_count tracking (I2)
- SECS_PER_DAY constant replaces magic 86400 (P4)
- Consistent .context() for ProtoError instead of map_err (P7)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Hoist protocol version validation before match in both gateway and
  agent control loops (single check, no per-variant boilerplate)
- Validate ConnectResponse protocol version in connect_via_agent
- ServerCertStatus enum for ensure_server_cert (expiry + hostname SAN)
- send.finish() after proxy copy (graceful QUIC EOF)
- Fix constant_time_eq doc (inaccurate timing claim)
- Extract ALPN to agent_tunnel_proto::ALPN_PROTOCOL constant
- Destruct EnrollResponse at parameter level for readability
- ValidatedTunnelConf: make wrong state unrepresentable at type level
  (dto::TunnelConf for JSON, TunnelConf for runtime with non-optional fields)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Addresses Benoit's review comment: "Switch to JWT instead of a custom
format". The old `dgw-enroll:v1:<base64-JSON>` envelope is replaced with
a standard JWT that carries the same information via JWT claims and
doubles as the Bearer token for `/jet/tunnel/enroll`.

Gateway:
- Add `AccessScope::TunnelEnroll` and a dedicated `EnrollmentTokenClaims`
  struct with `scope`, `exp`, `jti`, `jet_gw_url` (required) and
  `jet_agent_name` (optional). The `jet_*` prefix matches the existing
  convention for gateway-specific custom claims (`jet_aid`, `jet_ap`,
  `jet_gw_id`, ...).
- Add `validate_enrollment_jwt` in `api/tunnel.rs` (ported from feature
  branch). Verifies signature against `provisioner_public_key`, checks
  `exp`/`nbf` via picky's strict validator, and enforces scope is
  `TunnelEnroll` or `Wildcard`.
- `enroll_agent` now tries JWT first, then the one-time token store,
  then the static `enrollment_secret` as a fallback.
- 7 unit tests cover the happy path, wildcard scope, wrong scope,
  expiry, signature mismatch, missing required claim, and malformed
  input.

Agent:
- Replace `EnrollmentStringPayload` / `parse_enrollment_string` with
  `EnrollmentJwtClaims` / `parse_enrollment_jwt`. The parser splits on
  `.` and decodes the payload segment without verifying the signature
  (agent is the intended recipient; the Gateway verifies on enrollment).
- The JWT string itself becomes the Bearer token — no more separate
  `enrollment_token` field nested inside a custom envelope.
- 3 tests: happy path via `parse_up_command_args`, malformed rejection,
  and missing-`jet_gw_url` rejection.

Also fixes the pre-existing inline registry tests that broke in the
previous commit when `DashMap` → `tokio::sync::RwLock<HashMap>` made
`AgentRegistry` methods async and `DomainAdvertisement.domain` became
a `DomainName` newtype.

Addresses Benoit's review comment: "Extract more logic into a separate
crate, the same way we did for the network scanner. `agent-tunnel-proto`
(already existing) + `agent-tunnel`."

The agent tunnel module was already self-contained (zero `use crate::*`
imports), so the extraction is a mechanical move:

- Create `crates/agent-tunnel/` as a new workspace crate
- Move `cert.rs`, `enrollment_store.rs`, `listener.rs`, `registry.rs`,
  `stream.rs` from `devolutions-gateway/src/agent_tunnel/` (git tracks
  these as renames)
- New `lib.rs` does the `#[macro_use] extern crate tracing` dance and
  re-exports the public surface (`AgentTunnelHandle`,
  `AgentTunnelListener`, `AgentRegistry`, `EnrollmentTokenStore`,
  `TunnelStream`)
- Delete `devolutions-gateway/src/agent_tunnel/mod.rs`
- Gateway now depends on `agent-tunnel` as a path dependency; call
  sites change `crate::agent_tunnel::*` → `agent_tunnel::*`

Also promote `Encode` / `Decode` in `agent-tunnel-proto::codec` from
`pub(crate)` to `pub` so `FramedSend::send` / `FramedRecv::recv` (which
bound on them) are reachable in the new crate without `private_bounds`
warnings.

Tests: 20 moved from gateway inline into the new crate and all still
pass; gateway still has 64 lib tests + all integration tests green;
agent + proto tests untouched.

Review-agent findings addressed:

- Drop `ControlMessage`/`ConnectRequest`/`ConnectResponse` inherent
  `encode`/`decode` methods. They duplicated the `Encode`/`Decode`
  trait impls with identical signatures, so callsites and rustdoc saw
  two methods for one job. Only the trait impls remain; stream wrappers
  already go through the traits.
- `RouteAdvertisementState::update_routes` same-epoch branch now logs
  the *incoming* subnet/domain counts (previously re-logged the
  existing state's count, which read as if we had accepted the new
  set) and makes it explicit in the message that incoming routes are
  ignored.
- Rename `constant_time_eq` → `timing_safe_eq`. The function hashes
  inputs first and only the 32-byte digest compare is constant-time.
  New name describes intent; doc comment now explains both what the
  hash normalization buys and what the function does *not* guarantee.
- Document that `EnrollmentTokenStore::redeem` removes expired tokens
  as a side effect (so callers cannot distinguish "missing" from
  "expired", and shouldn't).
- Explain in `parse_enrollment_jwt` why we handroll the split/decode
  instead of pulling `picky` into the agent for unverified payload
  reading.
- Move `use agent_tunnel_proto::current_time_millis;` to the top of
  `registry.rs` with the other imports (was dangling at module bottom
  after the IPv4-only revert).
- Apply `cargo fmt`.

Tests: 20 agent-tunnel + 13 agent-tunnel-proto + 5 session_roundtrip
+ 64 gateway lib + 5 devolutions-agent, all green. Zero clippy
warnings on the changed crates.

- Drop the 1-byte IP family tag from each subnet on the wire. The type
  is `Ipv4Network` so the tag could only ever be `0x04`. Encoding it
  was a TODO-by-bytes that would have constrained a future v2 without
  helping v1. Each subnet is now `[4B ipv4_octets][1B prefix]` — saves
  a byte per subnet per RouteAdvertise. If IPv6 arrives, the wire bump
  comes with a `protocol_version` bump and the format can reintroduce
  a tag cleanly.
- Add six unit tests for `DomainName::matches_hostname` covering exact
  match, case insensitivity, suffix match, rejected partial-label
  ("fakecontoso.local" vs "contoso.local"), unrelated hostname, and
  parent vs child domain. The method is only called from PR2's routing
  code; these tests make sure the algorithm is locked down on PR1 so
  the PR2 consumer can rely on it.
- `devolutions-agent/src/tunnel.rs`: replace the `continue;` on
  backoff exhaustion with a fall-through using a 1s floor. Previously,
  if `backoff.next_backoff()` ever returned `None` (supposedly
  unreachable with `max_elapsed_time(None)`), the loop would spin
  without any sleep. Defensive fix, not a correctness one.

All 20 agent-tunnel / 19 agent-tunnel-proto / 64 gateway-lib / 5
session_roundtrip / 5 devolutions-agent tests still pass. Zero clippy
warnings on the changed crates.