# -----------------------------------------------------------------------
# Mosquitto ACL — DRB C2 Server
# -----------------------------------------------------------------------
# Two principals:
#   drb-c2-core — the backend service; needs full broker access
#   drb-node    — shared credential for all edge nodes; scoped to their
#                 own namespace via MQTT client ID (%c = NODE_ID)
# -----------------------------------------------------------------------

# C2-core service — full read/write on every topic
user drb-c2-core
topic readwrite #

# Edge nodes — each node may only read/write topics under nodes/<NODE_ID>/
# Mosquitto substitutes %c with the connecting client's MQTT client ID at
# runtime. Edge nodes set client_id = NODE_ID in mqtt_manager.py, so this
# prevents node-A from publishing to nodes/node-B/api_key or any other
# node's namespace.
#
# Note: this is an authorization rule, not a cryptographic one. All nodes
# share the drb-node credential, so the broker tells nodes apart only by the
# client-supplied client ID; the isolation is exactly as strong as whatever
# binds a node to its NODE_ID (per-node credentials or broker-side checks).
pattern readwrite nodes/%c/#
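To check this policy offline before deploying it, the following evaluator (an added example, not part of the DRB project or Mosquitto) implements the directives the file uses: per-user `topic` rules, `pattern` rules with `%c`/`%u` substitution, and MQTT `+`/`#` wildcard matching. The usernames, client IDs (`node-A`, `node-B`, `core-1`) and topics in the checks are constructed sample values.

```python
ACL_TEXT = """user drb-c2-core
topic readwrite #
pattern readwrite nodes/%c/#
"""

def topic_matches(filt, topic):
    """MQTT filter match: '+' is one level, '#' the rest (may be empty)."""
    f, t = filt.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)

def parse_acl(text):
    """Return ({username: [(access, filter)]}, [(access, pattern)])."""
    users, patterns, current = {}, [], None   # None: rules before any 'user' line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or comment line
            continue
        kind, rest = line.split(None, 1)
        if kind == "user":
            current = rest
        elif kind in ("topic", "pattern"):
            parts = rest.split(None, 1)
            access, filt = parts if parts[0] in ("read", "write", "readwrite") else ("readwrite", rest)
            (patterns if kind == "pattern" else users.setdefault(current, [])).append((access, filt))
    return users, patterns

def allowed(acl, username, client_id, topic, access):
    """May `username`, connected as `client_id`, `access` ('read'/'write') `topic`?"""
    users, patterns = acl
    rules = list(users.get(username, []))
    if not any(ch in client_id for ch in "+#"):  # never let a wildcard in the ID widen a filter
        rules += [(a, f.replace("%c", client_id).replace("%u", username or "")) for a, f in patterns]
    return any(access in a and topic_matches(f, topic) for a, f in rules)

def check_policy():
    acl = parse_acl(ACL_TEXT)
    return {
        "core_reads_any_node":   allowed(acl, "drb-c2-core", "core-1", "nodes/node-B/api_key", "read"),
        "node_writes_own_ns":    allowed(acl, "drb-node", "node-A", "nodes/node-A/api_key", "write"),
        "node_blocked_other_ns": not allowed(acl, "drb-node", "node-A", "nodes/node-B/api_key", "write"),
        # the boundary is the client-supplied ID, not the shared drb-node credential:
        "id_is_the_boundary":    allowed(acl, "drb-node", "node-B", "nodes/node-B/api_key", "write"),
    }
```

Run `check_policy()` after every ACL change; every entry should be `True`, and the last one documents the trust assumption the `pattern` rule depends on.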