# SAFE OPEN DEFAULT — anonymous full access, no secrets. Same behavior as the
# pre-auth broker so fresh deploys and the repo stay valid.
#
# Regenerated on deploy by scripts/generate-nats-auth.mjs with the privileged
# internal user + per-license scoped users (those carry secrets and must NOT be
# committed — mark the host copy with `git update-index --assume-unchanged`).
authorization {
  users: [
    { user: "anonymous", password: "", permissions: { publish: ">", subscribe: ">" } }
  ]
  no_auth_user: "anonymous"
}