Revert "feat(dgw): route KDC traffic through agent tunnel" (#1781) #1791
This reverts commit 6e80f71 (PR #1781).

Reason: the merged change reshaped `KdcToken` from a tuple struct (`pub struct KdcToken(pub KdcTokenClaims)`) to a named-fields struct (`pub struct KdcToken { pub claims, pub jti }`) without prior consult. This is a breaking change to a public API surface. The correct shape for surfacing the KDC token's `jti` is to add it to `KdcTokenClaims` (and `KdcClaimsHelper`'s serde) so it lives next to the other token fields, keeping `KdcToken` itself unchanged. That follow-up will be done in a separate PR.

The listener.rs `Arc::clone` drive-by fix from #1781 is also reverted here; it should be re-landed in its own hotfix PR independent of DGW-384.

Issue: DGW-384
`crates/agent-tunnel/src/listener.rs:152-163` moves the same
`Arc<CaManager>` into both `AgentTunnelHandle` and `AgentTunnelListener`,
which fails to compile:

    error[E0382]: use of moved value: `ca_manager`
     --> crates/agent-tunnel/src/listener.rs:162:13

Clone the Arc for the handle so the move into `Self` still type-checks.
Root cause: PR #1773 added the `ca_manager` field to
`AgentTunnelListener`; PR #1775 used `ca_manager` in the same `bind()`
body for the handle initializer. Each PR's CI was green against its own
base, but the merge of #1775 on top of #1773 produced a semantic
conflict that wasn't textually conflicting, so GitHub merged it without
re-running CI.
This is the same fix originally proposed in #1790 (closed because #1781
incidentally carried it). Reapplied here because the revert removes
that incidental fix.
Reverts #1781, plus re-applies the listener.rs `Arc::clone` master-compile fix.

What happened (timeline)
feat(dgw): route KDC traffic through agent tunnel #1781 was rebased + extended by Claude Code (acting on my behalf). During the rebase, Claude applied review feedback — including a `jti`-as-session-id suggestion from Benoît Cortier (@CBenoit). The implementation of that suggestion reshaped the public `KdcToken` extractor from a tuple struct to a named-fields struct.

This is a public API surface change that should have been called out separately. It was not.
Claude also enabled auto-merge while the PR was still being iterated. Benoît Cortier (@CBenoit) had already LGTM'd an earlier clean version. Auto-merge took my final force-push to master before I had a chance to final-diff.
Result: master got a public API reshape I did not intend, on top of the functionally-correct DGW-384 work.
This is my process gap — I authorized an automated rebase, then didn't gate the merge behind a final review. Reverting now, then re-doing DGW-384 the right way, is cheaper than carrying the API shape forward.
Commits in this PR
- `c3f20661` — Revert "feat(dgw): route KDC traffic through agent tunnel". Byte-for-byte undo of feat(dgw): route KDC traffic through agent tunnel #1781's squash commit; tree matches `6f692e75` (pre-feat(dgw): route KDC traffic through agent tunnel #1781 master) exactly.
- `042cd88f` — fix: clone ca_manager Arc to unbreak master build. The listener.rs `Arc::clone` fix originally proposed in fix(agent-tunnel): clone ca_manager Arc to unbreak master build #1790 (closed). feat(dgw): route KDC traffic through agent tunnel #1781 incidentally carried this fix; the revert removes it; master would not compile without it. Reapplied here in its own commit so future archeology shows the master-compile fix is independent of DGW-384.

Follow-up plan (separate PRs)
`jti` by adding it to `KdcTokenClaims` itself (and its `KdcClaimsHelper` serde plumbing), so `KdcToken` keeps its original tuple-struct shape. The other DGW-384 work (CredSSP / HTTP agent-tunnel routing, `explicit_agent_id`, hardening) will come back in that PR, unchanged on the wire.

Issue: DGW-384
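
The `ca_manager` move error (E0382) and the `Arc::clone` fix from the second commit, reduced to a stand-alone program. This is an added example, not code from the repository: the body of `CaManager`, the struct layouts and the `bind()` signature are assumptions; only the type and field names come from the commit message.

```rust
use std::sync::{Arc, Mutex};

/// Hypothetical stand-in for the real CA manager: it only counts issued certs.
#[derive(Default)]
pub struct CaManager {
    issued: Mutex<u64>,
}

impl CaManager {
    /// Records one issuance and returns the running total.
    pub fn issue(&self) -> u64 {
        let mut n = self.issued.lock().unwrap();
        *n += 1;
        *n
    }

    pub fn issued(&self) -> u64 {
        *self.issued.lock().unwrap()
    }
}

pub struct AgentTunnelHandle {
    pub ca_manager: Arc<CaManager>,
}

pub struct AgentTunnelListener {
    pub ca_manager: Arc<CaManager>,
}

impl AgentTunnelListener {
    /// Builds the listener and its handle around one shared CA manager.
    pub fn bind(ca_manager: Arc<CaManager>) -> (Self, AgentTunnelHandle) {
        // Writing plain `ca_manager` here moves the Arc into the handle, and
        // the use in `Self` below is then rejected with E0382 (use of moved value).
        let handle = AgentTunnelHandle {
            ca_manager: Arc::clone(&ca_manager), // bumps the refcount, no new CaManager
        };
        (Self { ca_manager }, handle)
    }
}

fn main() {
    let (listener, handle) = AgentTunnelListener::bind(Arc::new(CaManager::default()));
    handle.ca_manager.issue();
    // Both owners observe the same CA state because they share one allocation.
    println!("issued seen by listener: {}", listener.ca_manager.issued());
}
```
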