feat: enforce account jetstream limits and jwt tiers

src/NATS.Server/Auth/Account.cs

@@ -12,6 +12,8 @@ public sealed class Account : IDisposable
     public Permissions? DefaultPermissions { get; set; }
     public int MaxConnections { get; set; } // 0 = unlimited
     public int MaxSubscriptions { get; set; } // 0 = unlimited
+    public int MaxJetStreamStreams { get; set; } // 0 = unlimited
+    public string? JetStreamTier { get; set; }
 
     // JWT fields
     public string? Nkey { get; set; }
@@ -33,6 +35,7 @@ public sealed class Account : IDisposable
 
     private readonly ConcurrentDictionary<ulong, byte> _clients = new();
     private int _subscriptionCount;
+    private int _jetStreamStreamCount;
 
     public Account(string name)
     {
@@ -41,6 +44,7 @@ public sealed class Account : IDisposable
 
     public int ClientCount => _clients.Count;
     public int SubscriptionCount => Volatile.Read(ref _subscriptionCount);
+    public int JetStreamStreamCount => Volatile.Read(ref _jetStreamStreamCount);
 
     /// <summary>Returns false if max connections exceeded.</summary>
     public bool AddClient(ulong clientId)
@@ -66,6 +70,23 @@ public sealed class Account : IDisposable
         Interlocked.Decrement(ref _subscriptionCount);
     }
 
+    public bool TryReserveStream()
+    {
+        if (MaxJetStreamStreams > 0 && Volatile.Read(ref _jetStreamStreamCount) >= MaxJetStreamStreams)
+            return false;
+
+        Interlocked.Increment(ref _jetStreamStreamCount);
+        return true;
+    }
+
+    public void ReleaseStream()
+    {
+        if (Volatile.Read(ref _jetStreamStreamCount) == 0)
+            return;
+
+        Interlocked.Decrement(ref _jetStreamStreamCount);
+    }
+
     // Per-account message/byte stats
     private long _inMsgs;
     private long _outMsgs;

src/NATS.Server/Auth/AuthResult.cs

@@ -6,4 +6,6 @@ public sealed class AuthResult
     public string? AccountName { get; init; }
     public Permissions? Permissions { get; init; }
     public DateTimeOffset? Expiry { get; init; }
+    public int MaxJetStreamStreams { get; init; }
+    public string? JetStreamTier { get; init; }
 }

src/NATS.Server/Auth/Jwt/AccountClaims.cs

@@ -47,6 +47,10 @@ public sealed class AccountNats
     [JsonPropertyName("limits")]
     public AccountLimits? Limits { get; set; }
 
+    /// <summary>JetStream entitlement limits/tier for this account.</summary>
+    [JsonPropertyName("jetstream")]
+    public AccountJetStreamLimits? JetStream { get; set; }
+
     /// <summary>NKey public keys authorized to sign user JWTs for this account.</summary>
     [JsonPropertyName("signing_keys")]
     public string[]? SigningKeys { get; set; }
@@ -92,3 +96,12 @@ public sealed class AccountLimits
     [JsonPropertyName("data")]
     public long MaxData { get; set; }
 }
+
+public sealed class AccountJetStreamLimits
+{
+    [JsonPropertyName("max_streams")]
+    public int MaxStreams { get; set; }
+
+    [JsonPropertyName("tier")]
+    public string? Tier { get; set; }
+}

src/NATS.Server/Auth/JwtAuthenticator.cs

@@ -143,6 +143,8 @@ public sealed class JwtAuthenticator : IAuthenticator
             AccountName = issuerAccount,
             Permissions = permissions,
             Expiry = userClaims.GetExpiry(),
+            MaxJetStreamStreams = accountClaims.Nats?.JetStream?.MaxStreams ?? 0,
+            JetStreamTier = accountClaims.Nats?.JetStream?.Tier,
         };
     }