jetstream_bridge 7.1.1 → 7.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 65a794cf3e9a17511c64f2ef29edc70d56214f4cfc1c63eed8148afb65e05505
-  data.tar.gz: 44dea5d3d1900999fc788aad9e9d676a02315c18678256f4ce14d5443cb0b816
+  metadata.gz: 45dac84dd11b563f4f5b0b3d52d85722fdb5b7900923d85f7d6cb7af9b0fad95
+  data.tar.gz: a53400f90050c039fa8ac72109a99e3778911200fab983efa6f18549bcf5620f
 SHA512:
-  metadata.gz: 360c547ece5e7443487c3796d18139843ea86a2ce7f29a775fd1245d6e084d76bec11df72cdafef78ac9fa383ad99eae680f9220dc9eef451f62ba012fe20de9
-  data.tar.gz: 62e2100993ba1defc32df1ad744392148f4600527c5fab80db6cce2d211b80c79d6228c64497e61106ba13fdef9579300df1455d5caf3d4e75a83ccd896a5051
+  metadata.gz: 9e1790cb302107920d71736110db8bc19ae08ac111725614bb4221c73daddf4a992fea8c5c9913cc8dfeea7ebb4bcad359d189e691cd6cf45c1e7bb516b708c1
+  data.tar.gz: 60ee52e1c6943c8fb0c95cb7ea7f2b12d18d914fd2f03981134deaf6c5bef95680671d25ed66585914299216e70fc25f924dcf66925da7076687f95e6ee9b29d

data/CHANGELOG.md

@@ -5,6 +5,16 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [7.1.2] - 2026-02-11
+
+### Fixed
+
+- **Skip all JS.API calls when `auto_provision=false`** - `ensure_consumer!` and `auto_create_consumer_on_error` no longer issue `stream_info`, `consumer_info`, or `add_consumer` calls when `auto_provision=false`. This fixes failures in restricted NATS accounts where `$JS.API` permissions are not granted and the stream/consumer are pre-provisioned by an admin.
+
+### Changed
+
+- **Restricted permissions docs** - Added missing `$JS.ACK.{stream}.{consumer}.>` publish permissions to all permission examples. Without this permission, consumers cannot acknowledge messages and they are redelivered until `max_deliver` is exhausted.
+
 ## [7.1.1] - 2026-02-02
 
 ### Changed

data/docs/RESTRICTED_PERMISSIONS.md

@@ -31,7 +31,7 @@ When you cannot modify NATS server permissions, you have **two options**:
 
 - **No JetStream API permissions required** at runtime
 - Messages delivered automatically to a subscription subject
-- Simpler permission model: only needs subscribe permission on delivery subject
+- Simpler permission model: only needs subscribe on delivery subject + publish on `$JS.ACK` for acks
 - Best for restricted permission environments
 
 For both options, you need to:
@@ -82,7 +82,8 @@ end
 # NATS user permissions (e.g., pwas user)
 publish: {
   allow: [
-    "pwas.>",  # Your business subjects only
+    "pwas.>",                                                    # Your business subjects
+    "$JS.ACK.pwas-heavyworth-sync.pwas-workers.>",              # Ack/nak messages (required)
   ]
 }
 subscribe: {
@@ -92,7 +93,7 @@ subscribe: {
 }
 ```
 
-**No `$JS.API.*` or `_INBOX.>` permissions needed!**
+**No `$JS.API.*` or `_INBOX.>` permissions needed!** However, `$JS.ACK` publish permission is required for the consumer to acknowledge messages. Without it, messages will be redelivered until `max_deliver` is exhausted.
 
 ### Provisioning Push Consumers
 
@@ -122,11 +123,11 @@ nats consumer add pwas-heavyworth-sync pwas-workers \
 - Topology: **one shared stream per app pair**, with one durable consumer per app (each filters the opposite direction). Pre-provision via `bundle exec rake jetstream_bridge:provision` or NATS CLI.
 - NATS permissions for runtime creds:
   - **Pull consumers** (default):
-    - publish allow: `">"` (or narrowed to your business subjects) and `$JS.API.CONSUMER.MSG.NEXT.{stream_name}.{app_name}-workers`
-    - subscribe allow: `">"` (or narrowed) and `_INBOX.>` (responses for pull consumers)
+    - publish allow: `{app_name}.>`, `$JS.API.CONSUMER.MSG.NEXT.{stream_name}.{app_name}-workers`, and `$JS.ACK.{stream_name}.{app_name}-workers.>`
+    - subscribe allow: `{destination_app}.>` and `_INBOX.>` (responses for pull consumers)
   - **Push consumers** (recommended for restricted environments):
-    - publish allow: `">"` (or narrowed to your business subjects only - e.g., `pwas.>`)
-    - subscribe allow: `">"` (or narrowed to your business subjects only - e.g., `heavyworth.>`)
+    - publish allow: `{app_name}.>` and `$JS.ACK.{stream_name}.{app_name}-workers.>` (ack/nak)
+    - subscribe allow: `{destination_app}.>` (includes delivery subject)
     - No `$JS.API.*` or `_INBOX.>` permissions needed
 - Health check will only report connectivity (stream info skipped).
 
@@ -643,15 +644,15 @@ end
 
 ```conf
 # pwas user
-publish: { allow: ["pwas.>"] }
+publish: { allow: ["pwas.>", "$JS.ACK.pwas-heavyworth-sync.pwas-workers.>"] }
 subscribe: { allow: ["heavyworth.>"] }
 
 # heavyworth user
-publish: { allow: ["heavyworth.>"] }
+publish: { allow: ["heavyworth.>", "$JS.ACK.pwas-heavyworth-sync.heavyworth-workers.>"] }
 subscribe: { allow: ["pwas.>"] }
 ```
 
-**Note:** With push consumers, no `$JS.API.*` or `_INBOX.>` permissions are required.
+**Note:** With push consumers, no `$JS.API.*` or `_INBOX.>` permissions are required. The `$JS.ACK` permission is needed so the consumer can acknowledge (ack/nak) delivered messages.
 
 ---
 
@@ -664,16 +665,17 @@ If you have any influence over NATS permissions, you have two options:
 Request minimal JetStream API permissions:
 
 ```conf
-# Minimal permissions needed for pull consumer
+# Minimal permissions needed for pull consumer (e.g., pwas user)
 publish: {
   allow: [
-    ">",                                   # Your app subjects (narrow if desired)
-    "$JS.API.CONSUMER.MSG.NEXT.{stream_name}.{app_name}-workers",  # Fetch messages (required)
+    "pwas.>",                                                          # Your app subjects
+    "$JS.API.CONSUMER.MSG.NEXT.pwas-heavyworth-sync.pwas-workers",    # Fetch messages (required)
+    "$JS.ACK.pwas-heavyworth-sync.pwas-workers.>",                    # Ack/nak messages (required)
   ]
 }
 subscribe: {
   allow: [
-    ">",                                   # Your app subjects (narrow if desired)
+    "heavyworth.>",                        # Destination app subjects
     "_INBOX.>",                            # Request-reply responses (required)
   ]
 }
@@ -683,16 +685,16 @@ These are read-only operations and don't allow creating/modifying streams or con
 
 ### Option 2: Push Consumers (Recommended)
 
-Use push consumers with business subject permissions only:
+Use push consumers with business subject permissions plus ack:
 
 ```conf
 # For pwas app
-publish: { allow: ["pwas.>"] }
+publish: { allow: ["pwas.>", "$JS.ACK.pwas-heavyworth-sync.pwas-workers.>"] }
 subscribe: { allow: ["heavyworth.>"] }
 
 # For heavyworth app
-publish: { allow: ["heavyworth.>"] }
+publish: { allow: ["heavyworth.>", "$JS.ACK.pwas-heavyworth-sync.heavyworth-workers.>"] }
 subscribe: { allow: ["pwas.>"] }
 ```
 
-**No `$JS.API.*` or `_INBOX.>` permissions required!** This is the simplest and most restrictive permission model.
+**No `$JS.API.*` or `_INBOX.>` permissions required!** The only extra permission beyond business subjects is `$JS.ACK` for acknowledging messages.

data/lib/jetstream_bridge/consumer/consumer.rb

@@ -450,6 +450,14 @@ module JetstreamBridge
     end
 
     def auto_create_consumer_on_error(_error)
+      unless JetstreamBridge.config.auto_provision
+        Logging.info(
+          "Skipping consumer auto-creation (auto_provision=false) for #{@durable}",
+          tag: 'JetstreamBridge::Consumer'
+        )
+        return
+      end
+
       Logging.info(
         "Consumer not found error detected, attempting auto-creation for #{@durable}...",
         tag: 'JetstreamBridge::Consumer'

data/lib/jetstream_bridge/consumer/subscription_manager.rb

@@ -28,13 +28,13 @@ module JetstreamBridge
       @desired_cfg
     end
 
-    # Ensure consumer exists, auto-creating if missing.
-    #
-    # @param force [Boolean] Kept for backward compatibility but no longer used.
-    #   Consumers are always auto-created regardless of this parameter.
+    # Ensure consumer exists; skips all JS.API calls when auto_provision is false.
     def ensure_consumer!(**_options)
-      # Always auto-create consumer if it doesn't exist, regardless of auto_provision setting.
-      # auto_provision only controls stream topology creation, not consumer creation.
+      unless @cfg.auto_provision
+        Logging.info("Skipping consumer validation (auto_provision=false); assuming '#{@durable}' exists.",
+                     tag: 'JetstreamBridge::Consumer')
+        return
+      end
       create_consumer_if_missing!
     end
 
@@ -70,13 +70,7 @@ module JetstreamBridge
       false
     end
 
-    # Create consumer only if it doesn't already exist.
-    #
-    # Fails if the stream doesn't exist - streams must be provisioned separately.
-    #
-    # This is a safer alternative to create_consumer! that won't fail
-    # if the consumer was already created by another process.
-    #
+    # Create consumer only if it doesn't already exist. Fails if stream is missing.
     # @raise [StreamNotFoundError] if the stream doesn't exist
     def create_consumer_if_missing!
       # In restricted environments (push + auto_provision=false), we still want fail-fast semantics.

data/lib/jetstream_bridge/version.rb

@@ -4,5 +4,5 @@
 #
 # Version constant for the gem.
 module JetstreamBridge
-  VERSION = '7.1.1'
+  VERSION = '7.1.2'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jetstream_bridge
 version: !ruby/object:Gem::Version
-  version: 7.1.1
+  version: 7.1.2
 platform: ruby
 authors:
 - Mike Attara
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-02-02 00:00:00.000000000 Z
+date: 2026-02-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord