fix: address review comments (round 2)

- Remove agent_name from EnrollResponse (agent knows it already)
- Agent generates its own UUID and sends it in EnrollRequest
- Rename api/agent_enrollment.rs → api/tunnel.rs (match endpoint)
- Use backoff crate for reconnect loop (same pattern as subscriber.rs)
- ALPN: "devolutions-agent-tunnel" → "gw-agent-tunnel/1" (versioned)
- Protocol version: 2 → 1 (previous was experimental, start fresh)
- Move session tests to integration test file (public API only)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: irvingoujAtDevolution

Cargo.lock

@@ -60,99 +60,3 @@ impl ConnectResponse {
         }
     }
 }
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use crate::stream::SessionStream;
-
-    #[tokio::test]
-    async fn roundtrip_connect_request() {
-        let msg = ConnectRequest::new(Uuid::new_v4(), "192.168.1.100:3389".to_owned());
-
-        let mut buf = Vec::new();
-        let mut stream = SessionStream::new(&mut buf, &[][..]);
-        stream.send_request(&msg).await.expect("send should succeed");
-
-        let mut stream = SessionStream::new(tokio::io::sink(), buf.as_slice());
-        let decoded = stream.recv_request().await.expect("recv should succeed");
-        assert_eq!(msg, decoded);
-    }
-
-    #[tokio::test]
-    async fn roundtrip_connect_response_success() {
-        let msg = ConnectResponse::success();
-
-        let mut buf = Vec::new();
-        let mut stream = SessionStream::new(&mut buf, &[][..]);
-        stream.send_response(&msg).await.expect("send should succeed");
-
-        let mut stream = SessionStream::new(tokio::io::sink(), buf.as_slice());
-        let decoded = stream.recv_response().await.expect("recv should succeed");
-        assert_eq!(msg, decoded);
-    }
-
-    #[tokio::test]
-    async fn roundtrip_connect_response_error() {
-        let msg = ConnectResponse::error("connection refused");
-
-        let mut buf = Vec::new();
-        let mut stream = SessionStream::new(&mut buf, &[][..]);
-        stream.send_response(&msg).await.expect("send should succeed");
-
-        let mut stream = SessionStream::new(tokio::io::sink(), buf.as_slice());
-        let decoded = stream.recv_response().await.expect("recv should succeed");
-        assert_eq!(msg, decoded);
-    }
-}
-
-#[cfg(test)]
-mod proptests {
-    use proptest::prelude::*;
-
-    use super::*;
-    use crate::stream::SessionStream;
-
-    fn arb_connect_request() -> impl Strategy<Value = ConnectRequest> {
-        ("[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}:[0-9]{1,5}")
-            .prop_map(|target| ConnectRequest::new(Uuid::new_v4(), target))
-    }
-
-    fn arb_connect_response() -> impl Strategy<Value = ConnectResponse> {
-        prop_oneof![Just(ConnectResponse::success()), ".*".prop_map(ConnectResponse::error),]
-    }
-
-    proptest! {
-        #[test]
-        fn connect_request_roundtrip(msg in arb_connect_request()) {
-            let rt = tokio::runtime::Builder::new_current_thread().enable_all().build().expect("tokio runtime");
-            rt.block_on(async {
-                let mut buf = Vec::new();
-                let mut stream = SessionStream::new(&mut buf, &[][..]);
-                stream.send_request(&msg).await.expect("send should succeed");
-
-                let mut stream = SessionStream::new(tokio::io::sink(), buf.as_slice());
-                let decoded = stream.recv_request().await.expect("recv should succeed");
-                prop_assert_eq!(&msg.target, &decoded.target);
-                prop_assert_eq!(msg.protocol_version, decoded.protocol_version);
-                prop_assert_eq!(msg.session_id, decoded.session_id);
-                Ok(())
-            })?;
-        }
-
-        #[test]
-        fn connect_response_roundtrip(msg in arb_connect_response()) {
-            let rt = tokio::runtime::Builder::new_current_thread().enable_all().build().expect("tokio runtime");
-            rt.block_on(async {
-                let mut buf = Vec::new();
-                let mut stream = SessionStream::new(&mut buf, &[][..]);
-                stream.send_response(&msg).await.expect("send should succeed");
-
-                let mut stream = SessionStream::new(tokio::io::sink(), buf.as_slice());
-                let decoded = stream.recv_response().await.expect("recv should succeed");
-                prop_assert_eq!(msg, decoded);
-                Ok(())
-            })?;
-        }
-    }
-}

crates/agent-tunnel-proto/src/session.rs

@@ -1,8 +1,8 @@
 /// Current protocol version.
-pub const CURRENT_PROTOCOL_VERSION: u16 = 2;
+pub const CURRENT_PROTOCOL_VERSION: u16 = 1;
 
 /// Minimum protocol version that is still accepted.
-pub const MIN_SUPPORTED_VERSION: u16 = 2;
+pub const MIN_SUPPORTED_VERSION: u16 = 1;
 
 /// Validate that a received protocol version is within the supported range.
 pub fn validate_protocol_version(version: u16) -> Result<(), crate::error::ProtoError> {

crates/agent-tunnel-proto/src/version.rs

@@ -0,0 +1,90 @@
+use agent_tunnel_proto::{ConnectRequest, ConnectResponse, SessionStream};
+use uuid::Uuid;
+
+#[tokio::test]
+async fn roundtrip_connect_request() {
+    let msg = ConnectRequest::new(Uuid::new_v4(), "192.168.1.100:3389".to_owned());
+
+    let mut buf = Vec::new();
+    let mut stream = SessionStream::new(&mut buf, &[][..]);
+    stream.send_request(&msg).await.expect("send should succeed");
+
+    let mut stream = SessionStream::new(tokio::io::sink(), buf.as_slice());
+    let decoded = stream.recv_request().await.expect("recv should succeed");
+    assert_eq!(msg, decoded);
+}
+
+#[tokio::test]
+async fn roundtrip_connect_response_success() {
+    let msg = ConnectResponse::success();
+
+    let mut buf = Vec::new();
+    let mut stream = SessionStream::new(&mut buf, &[][..]);
+    stream.send_response(&msg).await.expect("send should succeed");
+
+    let mut stream = SessionStream::new(tokio::io::sink(), buf.as_slice());
+    let decoded = stream.recv_response().await.expect("recv should succeed");
+    assert_eq!(msg, decoded);
+}
+
+#[tokio::test]
+async fn roundtrip_connect_response_error() {
+    let msg = ConnectResponse::error("connection refused");
+
+    let mut buf = Vec::new();
+    let mut stream = SessionStream::new(&mut buf, &[][..]);
+    stream.send_response(&msg).await.expect("send should succeed");
+
+    let mut stream = SessionStream::new(tokio::io::sink(), buf.as_slice());
+    let decoded = stream.recv_response().await.expect("recv should succeed");
+    assert_eq!(msg, decoded);
+}
+
+mod proptests {
+    use agent_tunnel_proto::{ConnectRequest, ConnectResponse, SessionStream};
+    use proptest::prelude::*;
+    use uuid::Uuid;
+
+    fn arb_connect_request() -> impl Strategy<Value = ConnectRequest> {
+        ("[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}:[0-9]{1,5}")
+            .prop_map(|target| ConnectRequest::new(Uuid::new_v4(), target))
+    }
+
+    fn arb_connect_response() -> impl Strategy<Value = ConnectResponse> {
+        prop_oneof![Just(ConnectResponse::success()), ".*".prop_map(ConnectResponse::error),]
+    }
+
+    proptest! {
+        #[test]
+        fn connect_request_roundtrip(msg in arb_connect_request()) {
+            let rt = tokio::runtime::Builder::new_current_thread().enable_all().build().expect("tokio runtime");
+            rt.block_on(async {
+                let mut buf = Vec::new();
+                let mut stream = SessionStream::new(&mut buf, &[][..]);
+                stream.send_request(&msg).await.expect("send should succeed");
+
+                let mut stream = SessionStream::new(tokio::io::sink(), buf.as_slice());
+                let decoded = stream.recv_request().await.expect("recv should succeed");
+                prop_assert_eq!(&msg.target, &decoded.target);
+                prop_assert_eq!(msg.protocol_version, decoded.protocol_version);
+                prop_assert_eq!(msg.session_id, decoded.session_id);
+                Ok(())
+            })?;
+        }
+
+        #[test]
+        fn connect_response_roundtrip(msg in arb_connect_response()) {
+            let rt = tokio::runtime::Builder::new_current_thread().enable_all().build().expect("tokio runtime");
+            rt.block_on(async {
+                let mut buf = Vec::new();
+                let mut stream = SessionStream::new(&mut buf, &[][..]);
+                stream.send_response(&msg).await.expect("send should succeed");
+
+                let mut stream = SessionStream::new(tokio::io::sink(), buf.as_slice());
+                let decoded = stream.recv_response().await.expect("recv should succeed");
+                prop_assert_eq!(msg, decoded);
+                Ok(())
+            })?;
+        }
+    }
+}

crates/agent-tunnel-proto/tests/session_roundtrip.rs

@@ -14,6 +14,7 @@ workspace = true
 [dependencies]
 agent-tunnel-proto = { path = "../crates/agent-tunnel-proto" }
 anyhow = "1"
+backoff = "0.4"
 async-trait = "0.1"
 bincode = "1.3"
 base64 = "0.22"

devolutions-agent/Cargo.toml

@@ -13,6 +13,8 @@ use crate::config;
 /// Request body for enrollment API
 #[derive(Serialize)]
 struct EnrollRequest {
+    /// Agent-generated UUID (the agent owns its identity)
+    agent_id: Uuid,
     /// Friendly name for the agent
     agent_name: String,
     /// PEM-encoded Certificate Signing Request
@@ -26,7 +28,6 @@ struct EnrollRequest {
 #[derive(Deserialize)]
 struct EnrollResponse {
     agent_id: Uuid,
-    agent_name: String,
     client_cert_pem: String,
     gateway_ca_cert_pem: String,
     quic_endpoint: String,
@@ -70,7 +71,7 @@ pub async fn bootstrap_and_persist(
     let (key_pem, csr_pem) = generate_key_and_csr(agent_name)?;
 
     let enroll_response = request_enrollment(gateway_url, enrollment_token, agent_name, &csr_pem).await?;
-    persist_enrollment_response(advertise_subnets, enroll_response, &key_pem)
+    persist_enrollment_response(agent_name, advertise_subnets, enroll_response, &key_pem)
 }
 
 /// Generate an ECDSA P-256 key pair and a CSR containing the agent name as CN.
@@ -103,6 +104,7 @@ async fn request_enrollment(
         .post(&enroll_url)
         .bearer_auth(enrollment_token)
         .json(&EnrollRequest {
+            agent_id: Uuid::new_v4(),
             agent_name: agent_name.to_owned(),
             csr_pem: csr_pem.to_owned(),
             agent_hostname: hostname::get()
@@ -124,6 +126,7 @@ async fn request_enrollment(
 }
 
 fn persist_enrollment_response(
+    agent_name: &str,
     advertise_subnets: Vec<String>,
     enroll_response: EnrollResponse,
     key_pem: &str,
@@ -192,7 +195,7 @@ fn persist_enrollment_response(
 
     Ok(PersistedEnrollment {
         agent_id: enroll_response.agent_id,
-        agent_name: enroll_response.agent_name,
+        agent_name: agent_name.to_owned(),
         client_cert_path,
         client_key_path,
         gateway_ca_path,

devolutions-agent/src/enrollment.rs

@@ -106,28 +106,25 @@ impl Task for TunnelTask {
     type Output = anyhow::Result<()>;
     const NAME: &'static str = "tunnel";
 
-    /// Reconnect loop with exponential backoff and jitter.
+    /// Reconnect loop with exponential backoff (using the `backoff` crate).
     ///
-    /// Backoff strategy:
-    /// - Starts at 1s, doubles each retry (with ±25% jitter), caps at 60s.
-    /// - Resets to 1s after a connection survives 30s (considered stable).
-    ///
-    /// Example progression (without jitter):
-    ///   attempt 1: fail immediately  → wait ~1s
-    ///   attempt 2: fail immediately  → wait ~2s
-    ///   attempt 3: fail immediately  → wait ~4s
-    ///   attempt 4: fail immediately  → wait ~8s
-    ///   ...
-    ///   attempt N: fail immediately  → wait 60s (cap)
-    ///   attempt M: connected 45s    → next backoff resets to 1s
+    /// Resets to initial interval after a connection survives 30s (considered stable).
     async fn run(self, mut shutdown_signal: ShutdownSignal) -> anyhow::Result<()> {
-        const INITIAL_BACKOFF: Duration = Duration::from_secs(1);
-        const MAX_BACKOFF: Duration = Duration::from_secs(60);
+        use backoff::backoff::Backoff as _;
+
+        const RETRY_INITIAL_INTERVAL: Duration = Duration::from_secs(1);
+        const RETRY_MAX_INTERVAL: Duration = Duration::from_secs(60);
+        const RETRY_MULTIPLIER: f64 = 2.0;
         const CONNECTED_THRESHOLD: Duration = Duration::from_secs(30);
 
         info!("Starting QUIC agent tunnel (with auto-reconnect)");
 
-        let mut backoff = INITIAL_BACKOFF;
+        let mut backoff = backoff::ExponentialBackoffBuilder::default()
+            .with_initial_interval(RETRY_INITIAL_INTERVAL)
+            .with_max_interval(RETRY_MAX_INTERVAL)
+            .with_multiplier(RETRY_MULTIPLIER)
+            .with_max_elapsed_time(None) // retry forever
+            .build();
 
         loop {
             let start = std::time::Instant::now();
@@ -144,23 +141,25 @@ impl Task for TunnelTask {
 
             // Reset backoff if the connection was stable long enough.
             if start.elapsed() > CONNECTED_THRESHOLD {
-                backoff = INITIAL_BACKOFF;
+                backoff.reset();
             }
 
-            info!(?backoff, "Reconnecting after backoff");
+            let Some(wait) = backoff.next_backoff() else {
+                // Should never happen with max_elapsed_time(None), but just in case.
+                warn!("Backoff exhausted, resetting");
+                backoff.reset();
+                continue;
+            };
+
+            info!(?wait, "Reconnecting after backoff");
 
             tokio::select! {
                 _ = shutdown_signal.wait() => {
                     info!("Shutdown during reconnect backoff");
                     return Ok(());
                 }
-                _ = tokio::time::sleep(backoff) => {}
+                _ = tokio::time::sleep(wait) => {}
             }
-
-            // Exponential backoff with ±25% jitter to avoid thundering herd.
-            let jitter_factor = rand::Rng::gen_range(&mut rand::thread_rng(), 0.75..1.25);
-            backoff =
-                Duration::from_secs_f64((backoff.as_secs_f64() * 2.0 * jitter_factor).min(MAX_BACKOFF.as_secs_f64()));
         }
     }
 }
@@ -290,7 +289,7 @@ async fn run_single_connection(conf_handle: &ConfHandle, shutdown_signal: &mut S
         .with_client_auth_cert(certs, key)
         .context("build rustls client config with client auth")?;
 
-    client_crypto.alpn_protocols = vec![b"devolutions-agent-tunnel".to_vec()];
+    client_crypto.alpn_protocols = vec![b"gw-agent-tunnel/1".to_vec()];
 
     let mut transport = quinn::TransportConfig::default();
     transport

devolutions-agent/src/tunnel.rs

@@ -299,7 +299,7 @@ impl CaManager {
             .with_single_cert(server_cert_chain, server_private_key)
             .context("build rustls ServerConfig")?;
 
-        tls_config.alpn_protocols = vec![b"devolutions-agent-tunnel".to_vec()];
+        tls_config.alpn_protocols = vec![b"gw-agent-tunnel/1".to_vec()];
 
         Ok(tls_config)
     }

devolutions-gateway/src/agent_tunnel/cert.rs

@@ -1,4 +1,3 @@
-pub mod agent_enrollment;
 pub mod ai;
 pub mod config;
 pub mod diagnostics;
@@ -16,6 +15,7 @@ pub mod rdp;
 pub mod session;
 pub mod sessions;
 pub mod traffic;
+pub mod tunnel;
 pub mod update;
 pub mod webapp;
 
@@ -36,7 +36,7 @@ pub fn make_router<S>(state: crate::DgwState) -> axum::Router<S> {
         .nest("/jet/webapp", webapp::make_router(state.clone()))
         .nest("/jet/net", net::make_router(state.clone()))
         .nest("/jet/traffic", traffic::make_router(state.clone()))
-        .nest("/jet/tunnel", agent_enrollment::make_router(state.clone()))
+        .nest("/jet/tunnel", tunnel::make_router(state.clone()))
         .nest("/jet/update", update::make_router(state.clone()));
 
     if state.conf_handle.get_conf().web_app.enabled {