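# NATS config for kez-chat home server.
#
# - Native NATS protocol on 4222 for CLI clients (TLS terminated by your
#   reverse proxy in production).
# - WebSocket on 8443 for the browser SPA. Also TLS-terminated upstream.
# - JetStream on for offline message buffering (durable consumers).
# - auth_callout points at our chat-server's /internal/nats/auth endpoint.
#   The chat-server is the source of truth for which nkeys are allowed
#   to connect and what subjects they can publish/subscribe to.
#
# Because TLS is terminated upstream, the server itself speaks plaintext on
# 4222 and 8443: client credentials cross those hops unprotected, so neither
# port should be reachable except from the proxy / tunnel.

# Standard NATS listener (CLI clients use this).
listen: 0.0.0.0:4222

# WebSocket listener (browser SPA uses this via nats.ws).
websocket {
  port: 8443
  no_tls: true  # TLS terminated by Cloudflare tunnel / reverse proxy
  # No `listen`/`host` given, so this binds every interface; if the tunnel
  # runs on this host, `listen: 127.0.0.1:8443` keeps it off the LAN.
}

# Persistent storage for durable consumers (offline buffering).
# store_dir must survive restarts (mounted volume), otherwise "durable"
# consumers silently start from scratch.
jetstream {
  store_dir: /data/jetstream
  max_mem: 1G
  max_file: 10G
}

# Monitoring / healthcheck. This endpoint is unauthenticated and exposes
# connection and subscription details (/connz, /subsz). With no `http:` host
# set it follows the main listener and binds 0.0.0.0, so keep it off public
# interfaces — `http: 127.0.0.1:8222` when the healthcheck runs locally, or
# firewall it.
http_port: 8222

# Auth callout: every connection's auth request is forwarded to our
# chat-server, which checks the handle registry and signs a response.
# NATS delivers the request over NATS itself (subject $SYS.REQ.USER.AUTH) to a
# service connected as one of `auth_users`; it does not call an HTTP endpoint,
# so the chat-server needs a NATS-side listener that bridges to
# /internal/nats/auth.
# Until we ship the v0.2 auth callout, the chat-server returns 501 and
# all connections are rejected. That's intentional — fail closed. With no
# responder at all the callout simply times out, which rejects as well.
authorization {
  auth_callout {
    # Public ACCOUNT nkey (prefix "A") whose seed the chat-server uses to
    # sign its callout responses; NATS accepts responses signed by this key
    # only and validates the value as an account key at startup. Generate
    # the pair with `nsc generate nkey --account` (or `nk -gen account`) —
    # not an operator key — and keep the seed solely in the chat-server's
    # deployment secrets: whoever holds it can authorize any connection
    # into any account.
    #
    # PLACEHOLDER — replace before going live.
    issuer: "ABACVOI4POPS3SBFLDQYTQHHHACRVMCM2HK7PXX4UTI7XYWQHQGOA3PX"

    # Users that BYPASS the callout: the identity the callout service (the
    # chat-server) connects with in order to receive auth requests. NATS does
    # not attach this name to callout invocations; it is a real login that
    # skips the callout entirely, so its credentials are a secret in their
    # own right.
    auth_users: ["AUTHUSER"]

    # The account that holds `auth_users` (the callout service's home), not
    # the account approved users land in — each signed response's user JWT
    # names the target account. NOTE(review): in config-based auth this
    # account and AUTHUSER are expected to be declared under
    # `accounts { ... }`; none appears in this file — confirm the server
    # starts with this alone.
    account: "DEFAULT"

    # Optional: a curve (x) public key here makes the server encrypt each
    # callout request, so the connecting client's password/token is not
    # readable by anything else that can subscribe to the callout subject.
    # Worth enabling once the callout ships.
    # xkey: "<XKEY_PUBLIC_KEY_PLACEHOLDER>"
  }
}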