feat: enforce account jetstream limits and jwt tiers

src/NATS.Server/Auth/Account.cs

@@ -12,6 +12,8 @@ public sealed class Account : IDisposable
     public Permissions? DefaultPermissions { get; set; }
     public int MaxConnections { get; set; } // 0 = unlimited
     public int MaxSubscriptions { get; set; } // 0 = unlimited
+    public int MaxJetStreamStreams { get; set; } // 0 = unlimited
+    public string? JetStreamTier { get; set; }
 
     // JWT fields
     public string? Nkey { get; set; }
@@ -33,6 +35,7 @@ public sealed class Account : IDisposable
 
     private readonly ConcurrentDictionary<ulong, byte> _clients = new();
     private int _subscriptionCount;
+    private int _jetStreamStreamCount;
 
     public Account(string name)
     {
@@ -41,6 +44,7 @@ public sealed class Account : IDisposable
 
     public int ClientCount => _clients.Count;
     public int SubscriptionCount => Volatile.Read(ref _subscriptionCount);
+    public int JetStreamStreamCount => Volatile.Read(ref _jetStreamStreamCount);
 
     /// <summary>Returns false if max connections exceeded.</summary>
     public bool AddClient(ulong clientId)
@@ -66,6 +70,23 @@ public sealed class Account : IDisposable
         Interlocked.Decrement(ref _subscriptionCount);
     }
 
+    public bool TryReserveStream()
+    {
+        if (MaxJetStreamStreams > 0 && Volatile.Read(ref _jetStreamStreamCount) >= MaxJetStreamStreams)
+            return false;
+
+        Interlocked.Increment(ref _jetStreamStreamCount);
+        return true;
+    }
+
+    public void ReleaseStream()
+    {
+        if (Volatile.Read(ref _jetStreamStreamCount) == 0)
+            return;
+
+        Interlocked.Decrement(ref _jetStreamStreamCount);
+    }
+
     // Per-account message/byte stats
     private long _inMsgs;
     private long _outMsgs;