microdao-daarion/config/nats-server.conf

# NATS Server config — Fabric v0.3 with accounts
# Hub node (NODA1). Leafnodes connect to this.

listen: 0.0.0.0:4222
jetstream {
  store_dir: /data/jetstream
  max_mem: 256MB
  max_file: 2GB
}

http_port: 8222

# ── Accounts ────────────────────────────────────────────────────────────────

accounts {
  SYS {
    users: [
      { user: sys, password: "$SYS_NATS_PASS" }
    ]
  }

  FABRIC {
    users: [
      # Router — publishes capability queries + offload requests
      {
        user: router
        password: "$FABRIC_NATS_PASS"
        permissions: {
          publish: {
            allow: [
              "node.*.capabilities.get",
              "node.*.llm.request",
              "node.*.vision.request",
              "node.*.stt.request",
              "node.*.tts.request",
              "_INBOX.>"
            ]
          }
          subscribe: {
            allow: ["_INBOX.>"]
          }
        }
      }
      # NCS — responds to capability queries
      {
        user: ncs
        password: "$FABRIC_NATS_PASS"
        permissions: {
          publish: {
            allow: ["_INBOX.>"]
          }
          subscribe: {
            allow: [
              "node.*.capabilities.get",
              "node.*.capabilities.report"
            ]
          }
        }
      }
      # Node Worker — responds to inference requests
      {
        user: node_worker
        password: "$FABRIC_NATS_PASS"
        permissions: {
          publish: {
            allow: [
              "_INBOX.>",
              "node.*.capabilities.report"
            ]
          }
          subscribe: {
            allow: [
              "node.*.llm.request",
              "node.*.vision.request",
              "node.*.stt.request",
              "node.*.tts.request"
            ]
          }
        }
      }
    ]
    exports: [
      { stream: ">" }
    ]
  }

  APP {
    users: [
      # Gateway, other services
      {
        user: app
        password: "$APP_NATS_PASS"
        permissions: {
          publish: { allow: [">"] }
          subscribe: { allow: [">"] }
        }
      }
    ]
    imports: [
      { stream: { account: FABRIC, subject: ">" } }
    ]
  }
}

system_account: SYS

# ── Leafnode listener ───────────────────────────────────────────────────────

leafnodes {
  listen: 0.0.0.0:7422
  authorization {
    user: leaf
    password: "$LEAF_NATS_PASS"
    account: FABRIC
  }
}