Add open enrollment + update Windows installer

Open enrollment (OPEN_ENROLLMENT=true in .env):
- Agents can register with just --server <url>, no token needed
- Machines assigned to OPEN_ENROLLMENT_USER_EMAIL, first admin, or first user
- Falls back gracefully if env var not set
- agent.py register() now takes optional token; --server alone triggers registration

Agent CLI changes:
- --server without --enroll triggers open enrollment registration on first run
- --enroll still works for token-based or re-enrollment
- Error message updated to reflect new syntax

NSIS installer changes:
- Interactive mode: custom page prompts for server URL + optional token
- Silent mode: /SERVER= alone works with open enrollment, /ENROLL= still supported
- Cleans up config on uninstall

agent.spec: add pyperclip, base64, struct, uuid to hidden imports

docker-compose + .env: OPEN_ENROLLMENT and OPEN_ENROLLMENT_USER_EMAIL vars

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

agent/agent.py

@@ -112,24 +112,26 @@ def save_config(data: dict):
 
 # ── Registration ──────────────────────────────────────────────────────────────
 
-async def register(server_url: str, enrollment_token: str) -> dict:
+async def register(server_url: str, enrollment_token: Optional[str] = None) -> dict:
-    """Self-register with the server using an enrollment token."""
+    """Self-register with the server. Token is optional when open enrollment is enabled."""
     hostname = platform.node()
     os_name = platform.system()
     os_version = platform.version()
 
-    url = f"{server_url.rstrip('/')}/api/agent/register"
+    payload: dict = {
-    async with httpx.AsyncClient(timeout=30) as client:
-        resp = await client.post(url, json={
-            "enrollmentToken": enrollment_token,
         "name": hostname,
         "hostname": hostname,
         "os": os_name,
         "osVersion": os_version,
         "agentVersion": AGENT_VERSION,
-            "ipAddress": None,
         "macAddress": get_mac_address(),
-        })
+    }
+    if enrollment_token:
+        payload["enrollmentToken"] = enrollment_token
+
+    url = f"{server_url.rstrip('/')}/api/agent/register"
+    async with httpx.AsyncClient(timeout=30) as client:
+        resp = await client.post(url, json=payload)
         if resp.status_code != 200:
             raise RuntimeError(f"Registration failed: {resp.status_code} {resp.text}")
         data = resp.json()
@@ -815,11 +817,25 @@ async def main():
     config = load_config()
 
     # ── First-time registration ──────────────────────────────────────────────
-    if args.enroll:
+    if args.server and not config:
+        # Register with enrollment token (if provided) or open enrollment
+        log.info(f"Registering with server {args.server}…")
+        reg = await register(args.server, args.enroll or None)
+        relay_url = args.relay or _default_relay_url(args.server)
+        config = {
+            "server_url": args.server,
+            "relay_url": relay_url,
+            "machine_id": reg["machineId"],
+            "access_key": reg["accessKey"],
+        }
+        if not args.run_once:
+            save_config(config)
+    elif args.enroll:
+        # Re-enroll existing machine with a new token (replaces config)
         if not args.server:
             log.error("--server is required with --enroll")
             sys.exit(1)
-        log.info(f"Enrolling with server {args.server}…")
+        log.info(f"Re-enrolling with server {args.server}…")
         reg = await register(args.server, args.enroll)
         relay_url = args.relay or _default_relay_url(args.server)
         config = {
@@ -830,11 +846,10 @@ async def main():
         }
         if not args.run_once:
             save_config(config)
-
     elif not config:
         log.error(
             f"No config found at {CONFIG_FILE}.\n"
-            "Run with --server <url> --enroll <token> to register this machine."
+            "Run with --server <url> to register (or --server <url> --enroll <token> if enrollment tokens are required)."
         )
         sys.exit(1)
 

agent/agent.spec

@@ -34,12 +34,16 @@ a = Analysis(
         'websockets.legacy.client',
         'httpx',
         'httpcore',
+        'pyperclip',
         'asyncio',
         'json',
         'logging',
         'platform',
         'subprocess',
         'signal',
+        'base64',
+        'struct',
+        'uuid',
     ],
     hookspath=[],
     runtime_hooks=[],

agent/installer.nsi

@@ -2,20 +2,25 @@
 ; Requires: NSIS 3.x, the dist/ folder from PyInstaller build
 ;
 ; Build:        makensis installer.nsi
-; Silent install: RemoteLink-Setup.exe /S
+;
-; Silent install + enroll: RemoteLink-Setup.exe /S /SERVER=https://myserver.com /ENROLL=mytoken
+; Silent install (open enrollment — no token):
+;   RemoteLink-Setup.exe /S /SERVER=https://myserver.com
+;
+; Silent install with enrollment token:
+;   RemoteLink-Setup.exe /S /SERVER=https://myserver.com /ENROLL=mytoken
+;
+; Interactive install:
+;   RemoteLink-Setup.exe
 
 !define APP_NAME "RemoteLink Agent"
 !define APP_VERSION "1.0.0"
 !define APP_PUBLISHER "RemoteLink"
-!define APP_URL "https://remotelink.example.com"
 !define INSTALL_DIR "$PROGRAMFILES64\RemoteLink"
 !define SERVICE_EXE "remotelink-agent-service.exe"
 !define AGENT_EXE "remotelink-agent.exe"
 !define REG_KEY "Software\RemoteLink\Agent"
 !define UNINSTALL_KEY "Software\Microsoft\Windows\CurrentVersion\Uninstall\RemoteLinkAgent"
 
-; Installer settings
 Name "${APP_NAME} ${APP_VERSION}"
 OutFile "RemoteLink-Setup.exe"
 InstallDir "${INSTALL_DIR}"
@@ -23,20 +28,22 @@ InstallDirRegKey HKLM "${REG_KEY}" "InstallDir"
 RequestExecutionLevel admin
 SetCompressor /SOLID lzma
 
-; Command-line parameters
 Var ServerURL
 Var EnrollToken
 
-; Modern UI
 !include "MUI2.nsh"
 !include "LogicLib.nsh"
-!include "nsProcess.nsh"
 
 !define MUI_ABORTWARNING
 !define MUI_ICON "assets\icon.ico"
 !define MUI_UNICON "assets\icon.ico"
 
+; Pages shown in interactive mode
 !insertmacro MUI_PAGE_WELCOME
+
+; Custom server URL page (interactive only)
+Page custom ServerURLPage ServerURLPageLeave
+
 !insertmacro MUI_PAGE_DIRECTORY
 !insertmacro MUI_PAGE_INSTFILES
 !insertmacro MUI_PAGE_FINISH
@@ -46,15 +53,48 @@ Var EnrollToken
 
 !insertmacro MUI_LANGUAGE "English"
 
-; ── Functions ─────────────────────────────────────────────────────────────────
+; ── Custom server URL page ────────────────────────────────────────────────────
+
+Var hServerEdit
+Var hTokenEdit
+
+Function ServerURLPage
+    IfSilent skip_page  ; skip in silent/mass-deploy mode
+    nsDialogs::Create 1018
+    Pop $0
+
+    ${NSD_CreateLabel} 0 0 100% 20u "Server URL (e.g. https://remotelink.example.com):"
+    ${NSD_CreateText} 0 22u 100% 14u "$ServerURL"
+    Pop $hServerEdit
+
+    ${NSD_CreateLabel} 0 44u 100% 20u "Enrollment Token (leave blank if open enrollment is enabled):"
+    ${NSD_CreateText} 0 66u 100% 14u "$EnrollToken"
+    Pop $hTokenEdit
+
+    nsDialogs::Show
+    skip_page:
+FunctionEnd
+
+Function ServerURLPageLeave
+    IfSilent skip
+    ${NSD_GetText} $hServerEdit $ServerURL
+    ${NSD_GetText} $hTokenEdit $EnrollToken
+    ${If} $ServerURL == ""
+        MessageBox MB_OK|MB_ICONEXCLAMATION "Server URL is required."
+        Abort
+    ${EndIf}
+    skip:
+FunctionEnd
+
+; ── Init: parse command-line ──────────────────────────────────────────────────
 
 Function .onInit
-    ; Parse command-line switches /SERVER= and /ENROLL=
     ${GetParameters} $R0
+    ClearErrors
     ${GetOptions} $R0 "/SERVER=" $ServerURL
+    ClearErrors
     ${GetOptions} $R0 "/ENROLL=" $EnrollToken
 
-    ; Silent mode: skip UI if /S passed
     IfSilent 0 +2
     SetSilent silent
 FunctionEnd
@@ -64,32 +104,39 @@ FunctionEnd
 Section "Install" SEC_MAIN
     SetOutPath "${INSTALL_DIR}"
 
-    ; Stop existing service if running
+    ; Stop and remove existing service
     nsExec::ExecToLog '"${INSTALL_DIR}\${SERVICE_EXE}" stop'
     nsExec::ExecToLog '"${INSTALL_DIR}\${SERVICE_EXE}" remove'
     Sleep 1000
 
-    ; Copy files from PyInstaller dist/
+    ; Copy binaries
     File "dist\remotelink-agent.exe"
     File "dist\remotelink-agent-service.exe"
 
-    ; Write registry
+    ; Registry
     WriteRegStr HKLM "${REG_KEY}" "InstallDir" "${INSTALL_DIR}"
     WriteRegStr HKLM "${REG_KEY}" "Version" "${APP_VERSION}"
-
-    ; Run enrollment if tokens were provided (silent mass-deploy)
     ${If} $ServerURL != ""
-    ${AndIf} $EnrollToken != ""
+        WriteRegStr HKLM "${REG_KEY}" "ServerURL" "$ServerURL"
-        DetailPrint "Enrolling with server $ServerURL…"
-        nsExec::ExecToLog '"${INSTALL_DIR}\${AGENT_EXE}" --server "$ServerURL" --enroll "$EnrollToken"'
     ${EndIf}
 
-    ; Install + start Windows service
+    ; Enroll with server
+    ${If} $ServerURL != ""
+        ${If} $EnrollToken != ""
+            DetailPrint "Enrolling with token…"
+            nsExec::ExecToLog '"${INSTALL_DIR}\${AGENT_EXE}" --server "$ServerURL" --enroll "$EnrollToken"'
+        ${Else}
+            DetailPrint "Registering (open enrollment)…"
+            nsExec::ExecToLog '"${INSTALL_DIR}\${AGENT_EXE}" --server "$ServerURL"'
+        ${EndIf}
+    ${EndIf}
+
+    ; Install and start service
     DetailPrint "Installing Windows service…"
     nsExec::ExecToLog '"${INSTALL_DIR}\${SERVICE_EXE}" install'
     nsExec::ExecToLog '"${INSTALL_DIR}\${SERVICE_EXE}" start'
 
-    ; Create uninstaller
+    ; Uninstaller
     WriteUninstaller "${INSTALL_DIR}\Uninstall.exe"
     WriteRegStr HKLM "${UNINSTALL_KEY}" "DisplayName" "${APP_NAME}"
     WriteRegStr HKLM "${UNINSTALL_KEY}" "UninstallString" "${INSTALL_DIR}\Uninstall.exe"
@@ -108,9 +155,13 @@ Section "Uninstall"
 
     Delete "${INSTALL_DIR}\remotelink-agent.exe"
     Delete "${INSTALL_DIR}\remotelink-agent-service.exe"
+    Delete "${INSTALL_DIR}\agent.json"
     Delete "${INSTALL_DIR}\Uninstall.exe"
     RMDir "${INSTALL_DIR}"
 
+    ; Delete config
+    RMDir /r "$APPDATA\RemoteLink"
+
     DeleteRegKey HKLM "${REG_KEY}"
     DeleteRegKey HKLM "${UNINSTALL_KEY}"
 SectionEnd

app/api/agent/register/route.ts

@@ -1,21 +1,20 @@
 import { db } from '@/lib/db'
-import { machines, enrollmentTokens } from '@/lib/db/schema'
+import { machines, enrollmentTokens, users } from '@/lib/db/schema'
-import { eq, and, isNull, or, gt } from 'drizzle-orm'
+import { eq, asc } from 'drizzle-orm'
 import { NextRequest, NextResponse } from 'next/server'
 import { randomBytes } from 'crypto'
 
 // POST /api/agent/register
-// Two modes:
+// Three modes:
-//   1. First-time: { enrollmentToken, name, hostname, os, osVersion, agentVersion, ipAddress }
+//   1. Re-register (existing agent):  { accessKey, ... }         → updates machine
-//      → creates machine, returns { machineId, accessKey }
+//   2. Enrollment token:              { enrollmentToken, ... }   → creates machine owned by token creator
-//   2. Re-register: { accessKey, name, hostname, os, osVersion, agentVersion, ipAddress }
+//   3. Open enrollment (no token):    { name, ... }              → creates machine, OPEN_ENROLLMENT must be true
-//      → updates existing machine, returns { machineId }
 export async function POST(request: NextRequest) {
   try {
     const body = await request.json()
-    const { accessKey, enrollmentToken, name, hostname, os, osVersion, agentVersion, ipAddress } = body
+    const { accessKey, enrollmentToken, name, hostname, os, osVersion, agentVersion, ipAddress, macAddress } = body
 
-    // ── Mode 2: existing agent re-registering ─────────────────────────────────
+    // ── Mode 1: existing agent re-registering ─────────────────────────────────
     if (accessKey) {
       const result = await db
         .select()
@@ -37,6 +36,7 @@ export async function POST(request: NextRequest) {
           osVersion: osVersion || machine.osVersion,
           agentVersion: agentVersion || machine.agentVersion,
           ipAddress: ipAddress || machine.ipAddress,
+          macAddress: macAddress || machine.macAddress,
           isOnline: true,
           lastSeen: new Date(),
           updatedAt: new Date(),
@@ -46,11 +46,14 @@ export async function POST(request: NextRequest) {
       return NextResponse.json({ machineId: machine.id })
     }
 
-    // ── Mode 1: first-time registration with enrollment token ─────────────────
+    if (!name) {
-    if (!enrollmentToken) {
+      return NextResponse.json({ error: 'name is required' }, { status: 400 })
-      return NextResponse.json({ error: 'accessKey or enrollmentToken required' }, { status: 400 })
     }
 
+    const newAccessKey = randomBytes(32).toString('hex')
+
+    // ── Mode 2: enrollment token ───────────────────────────────────────────────
+    if (enrollmentToken) {
       const tokenResult = await db
         .select()
         .from(enrollmentTokens)
@@ -58,53 +61,51 @@ export async function POST(request: NextRequest) {
         .limit(1)
 
       const token = tokenResult[0]
-    if (!token) {
+      if (!token) return NextResponse.json({ error: 'Invalid enrollment token' }, { status: 401 })
-      return NextResponse.json({ error: 'Invalid enrollment token' }, { status: 401 })
+      if (token.revokedAt) return NextResponse.json({ error: 'Enrollment token revoked' }, { status: 401 })
-    }
+      if (token.expiresAt && token.expiresAt < new Date()) return NextResponse.json({ error: 'Enrollment token expired' }, { status: 401 })
-
+      if (token.maxUses !== null && token.usedCount >= token.maxUses) return NextResponse.json({ error: 'Enrollment token use limit reached' }, { status: 401 })
-    // Check revoked
-    if (token.revokedAt) {
-      return NextResponse.json({ error: 'Enrollment token has been revoked' }, { status: 401 })
-    }
-
-    // Check expiry
-    if (token.expiresAt && token.expiresAt < new Date()) {
-      return NextResponse.json({ error: 'Enrollment token has expired' }, { status: 401 })
-    }
-
-    // Check max uses
-    if (token.maxUses !== null && token.usedCount >= token.maxUses) {
-      return NextResponse.json({ error: 'Enrollment token has reached its use limit' }, { status: 401 })
-    }
-
-    if (!name) {
-      return NextResponse.json({ error: 'name is required for first-time registration' }, { status: 400 })
-    }
-
-    // Generate a secure access key for this machine
-    const newAccessKey = randomBytes(32).toString('hex')
 
       const newMachine = await db
         .insert(machines)
-      .values({
+        .values({ userId: token.createdBy!, name, hostname, os, osVersion, agentVersion, ipAddress, macAddress, accessKey: newAccessKey, isOnline: true, lastSeen: new Date() })
-        userId: token.createdBy!,
-        name,
-        hostname,
-        os,
-        osVersion,
-        agentVersion,
-        ipAddress,
-        accessKey: newAccessKey,
-        isOnline: true,
-        lastSeen: new Date(),
-      })
         .returning({ id: machines.id })
 
-    // Increment use count
+      await db.update(enrollmentTokens).set({ usedCount: token.usedCount + 1 }).where(eq(enrollmentTokens.id, token.id))
-    await db
+
-      .update(enrollmentTokens)
+      return NextResponse.json({ machineId: newMachine[0].id, accessKey: newAccessKey })
-      .set({ usedCount: token.usedCount + 1 })
+    }
-      .where(eq(enrollmentTokens.id, token.id))
+
+    // ── Mode 3: open enrollment (no token required) ────────────────────────────
+    const openEnrollment = process.env.OPEN_ENROLLMENT === 'true'
+    if (!openEnrollment) {
+      return NextResponse.json({ error: 'accessKey or enrollmentToken required' }, { status: 400 })
+    }
+
+    // Find the owner: OPEN_ENROLLMENT_USER_EMAIL env var, or first admin, or first user
+    let ownerId: string | null = null
+    const ownerEmail = process.env.OPEN_ENROLLMENT_USER_EMAIL
+    if (ownerEmail) {
+      const ownerResult = await db.select({ id: users.id }).from(users).where(eq(users.email, ownerEmail)).limit(1)
+      ownerId = ownerResult[0]?.id ?? null
+    }
+    if (!ownerId) {
+      // Fall back to first admin, then first user
+      const adminResult = await db.select({ id: users.id }).from(users).where(eq(users.role, 'admin')).orderBy(asc(users.createdAt)).limit(1)
+      ownerId = adminResult[0]?.id ?? null
+    }
+    if (!ownerId) {
+      const anyUser = await db.select({ id: users.id }).from(users).orderBy(asc(users.createdAt)).limit(1)
+      ownerId = anyUser[0]?.id ?? null
+    }
+    if (!ownerId) {
+      return NextResponse.json({ error: 'No users exist on the server yet. Create an account first.' }, { status: 503 })
+    }
+
+    const newMachine = await db
+      .insert(machines)
+      .values({ userId: ownerId, name, hostname, os, osVersion, agentVersion, ipAddress, macAddress, accessKey: newAccessKey, isOnline: true, lastSeen: new Date() })
+      .returning({ id: machines.id })
 
     return NextResponse.json({ machineId: newMachine[0].id, accessKey: newAccessKey })
   } catch (error) {

docker-compose.yml

@@ -37,6 +37,8 @@ services:
       AUTH_SECRET: ${AUTH_SECRET}
       NEXT_PUBLIC_APP_URL: ${NEXT_PUBLIC_APP_URL:-http://localhost:3000}
       NEXT_PUBLIC_RELAY_URL: ${NEXT_PUBLIC_RELAY_URL:-localhost:8765}
+      OPEN_ENROLLMENT: ${OPEN_ENROLLMENT:-false}
+      OPEN_ENROLLMENT_USER_EMAIL: ${OPEN_ENROLLMENT_USER_EMAIL:-}
     env_file:
       - .env
     depends_on: