LocalAI/pkg/natsauth/permissions.go
Nicholas Ciechanowski be1ae9338b fix(distributed): missing agent NATS permissions (#10571)
Signed-off-by: Nicholas Ciechanowski <nicholas@ciech.anow.ski>
2026-06-28 12:58:13 +02:00


package natsauth
import "strings"
// workerSubjectToken turns a node ID into a single NATS subject token. It
// mirrors messaging.sanitizeSubjectToken without importing unexported logic.
//
// The subject separator ".", the wildcards "*" and ">", and the whitespace
// characters space, tab and newline are each replaced with "-". As a result a
// node ID cannot add subject levels or wildcards to the permission subjects
// built from it. All other bytes are copied through unchanged.
//
// NOTE(review): the two implementations presumably have to stay identical, or
// the allow lists would stop matching the subjects the messaging layer uses.
// Confirm against messaging.sanitizeSubjectToken when either side changes.
func workerSubjectToken(nodeID string) string {
	var tok strings.Builder
	tok.Grow(len(nodeID))
	// Every replaced character is a single ASCII byte, so a byte-wise scan
	// leaves multi-byte UTF-8 sequences intact.
	for i := 0; i < len(nodeID); i++ {
		switch c := nodeID[i]; c {
		case '.', '*', '>', ' ', '\t', '\n':
			tok.WriteByte('-')
		default:
			tok.WriteByte(c)
		}
	}
	return tok.String()
}
// WorkerPermissions returns NATS pub/sub allow lists for a registered node.
// The results come back publish-first: (pubAllow, subAllow).
//
// nodeID is sanitized by workerSubjectToken before it is embedded under
// "nodes.", so it cannot add subject levels or wildcards. nodeType "agent"
// selects the agent-worker lists; every other value, including the empty
// string, selects the backend-worker lists.
//
// NOTE(review): an unrecognized or misspelled nodeType gets backend
// permissions rather than none. Confirm that callers validate nodeType.
// NOTE(review): an empty nodeID yields the prefix "nodes." and subjects with
// an empty token, such as "nodes..>". Confirm that registration rejects empty
// IDs.
// NOTE(review): both roles may subscribe to "_INBOX.>". If workers share a
// NATS account and the default inbox prefix, that pattern also matches reply
// subjects belonging to other clients. Consider a per-node inbox prefix.
func WorkerPermissions(nodeID, nodeType string) (pubAllow, subAllow []string) {
	nodeSubjects := "nodes." + workerSubjectToken(nodeID)

	if nodeType == "agent" {
		// NOTE(review): publish is open on everything under agent. and jobs.,
		// which is wider than the individual subjects subscribed below.
		// Confirm that agents need the full wildcard.
		pubAllow = []string{
			"agent.>",
			"jobs.>",
			"_INBOX.>",
		}
		// Agent workers consume queue workloads; they must not handle backend.install.
		// Keep this list in sync with the subscriptions in core/cli/agent_worker.go.
		subAllow = []string{
			"agent.execute",
			"agent.*.cancel",
			"gallery.*.cancel",
			"gallery.*.progress",
			"jobs.*.cancel",
			"jobs.*.progress",
			"jobs.*.result",
			"jobs.mcp-ci.new", // MCP CI jobs dispatched to agent workers
			"mcp.tools.execute",
			"mcp.discovery",
			nodeSubjects + ".backend.stop", // stop events drive MCP session cleanup
			"staging.*.progress",
			"_INBOX.>",
		}
		return pubAllow, subAllow
	}

	// Backend worker: lifecycle + file staging on this node only.
	pubAllow = []string{
		nodeSubjects + ".backend.install.*.progress",
		nodeSubjects + ".files.>",
		"_INBOX.>",
	}
	subAllow = []string{
		nodeSubjects + ".>",
		"_INBOX.>",
	}
	return pubAllow, subAllow
}