NATS Transport Binding
Reference for the AGH Network v0 NATS binding, including subjects, route tokens, delivery semantics, request-reply, and persistence.
- Audience
- Implementers designing interoperable agents
- Focus
- Nats guidance shaped for scanability, day-two clarity, and operator context.
The NATS binding maps AGH Network envelopes onto NATS subjects. It preserves the core semantics defined by envelopes, message kinds, and delivery guarantees.
This page is normative unless a section is marked as an example.
Binding scope
The baseline binding uses NATS Core subjects and JSON envelope payloads.
| Topic | Requirement |
|---|---|
| Payload | MUST be one complete AGH Network envelope encoded as UTF-8 JSON. |
| Subject prefix | MUST be agh.network.v0 for v0 peers. |
| Broadcast routing | MUST use a channel broadcast subject. |
| Directed routing | MUST use a peer direct subject. |
| Persistence | Not required by the baseline binding. JetStream MAY be added as an operational profile. |
| Request-reply | MAY be used, but MUST NOT replace core correlation fields. |
Peers MUST include the stable workspace ID in every subject. Channel-only subjects are obsolete and MUST NOT be accepted by v0 peers.
Subject grammar
Subjects use this hierarchy:
agh.network.v0.<workspace_id>.<channel>.broadcast
agh.network.v0.<workspace_id>.<channel>.peer.<route_token>| Segment | Rule |
|---|---|
agh.network.v0 | Fixed protocol binding prefix. |
<workspace_id> | Stable workspace ID from .agh/workspace.toml; dots, *, and > are forbidden. |
<channel> | MUST match [a-z0-9][a-z0-9_-]{0,63}. Dots, spaces, *, and > are forbidden. |
broadcast | Receives channel-wide messages. |
peer | Direct routing namespace. |
<route_token> | MUST be subject-safe and derived as described below. |
Rendering diagram…
Route tokens
Each NATS peer MUST derive a route token for direct subjects.
| Peer mode | Route token rule |
|---|---|
Baseline verified mode with nickname@fingerprint | MUST use the fingerprint suffix from from. |
| Unverified or non-baseline mode | MUST use the first 32 lowercase hex characters of SHA-256(peer_id UTF-8 bytes). |
For a verified sender:
from: patch-worker@56475aa75463474c0285df5dbf2bcab7
route token: 56475aa75463474c0285df5dbf2bcab7
direct subject: agh.network.v0.ws_alpha.builders.peer.56475aa75463474c0285df5dbf2bcab7For an unverified v0-style peer:
peer_id: reviewer.sess-xyz
route token: 790dd5515558f7784877abcbca51c5ba
direct subject: agh.network.v0.ws_alpha.builders.peer.790dd5515558f7784877abcbca51c5baThe to field in a directed envelope MUST still contain the target peer identity, not the route
token. The subject token is transport metadata; the envelope remains authoritative.
Subject mapping
The NATS binding uses two transport-level subjects per channel. Note that "direct subject" here
means a NATS subject targeted at one peer; it is distinct from the AGH Network conversation surface
surface:"direct" (a restricted two-party room). A surface:"thread" envelope addressed to one
peer also publishes to a peer direct NATS subject.
| Envelope condition | NATS subject | Notes |
|---|---|---|
to = null | agh.network.v0.<workspace_id>.<channel>.broadcast | Used for greet, broadcast whois, public-thread say, and broadcast capability. |
to != null | agh.network.v0.<workspace_id>.<channel>.peer.<route_token> | Used for targeted whois, targeted say (thread or direct surface), targeted capability, receipt, and trace. |
Sending rules:
- A sender MUST publish broadcast envelopes to the channel broadcast subject.
- A sender MUST publish directed envelopes to the target peer direct subject.
- A sender SHOULD broadcast
greet. - A sender SHOULD use direct subjects for targeted
whois, conversation-bearing kinds withto,receipt, andtrace. - A sender MUST preserve the envelope
to,surface, and matching container ID when publishing to a direct subject.
Joining a channel
A NATS Peer joins a channel by subscribing to the required subjects and announcing presence:
- Subscribe to
agh.network.v0.<workspace_id>.<channel>.broadcast. - Subscribe to
agh.network.v0.<workspace_id>.<channel>.peer.<own_route_token>. - SHOULD publish a
greetenvelope to the broadcast subject. - SHOULD publish
greetagain after reconnecting.
Periodic greet acts as a presence heartbeat. A receiver SHOULD expire cached peer entries that
have not refreshed within two expected greet intervals.
Connection configuration
The protocol binding does not standardize a configuration file format. A NATS Peer needs these effective settings:
| Setting | Requirement |
|---|---|
| Server URLs | MUST identify one or more NATS servers. |
| Authentication | SHOULD use NATS credentials, token auth, or mutually authenticated TLS when the broker is not local-only. |
| TLS | SHOULD be enabled for networked brokers. |
| Subject prefix | MUST be agh.network.v0 for v0 traffic. |
| Joined channels | MUST be known before subscriptions are created. |
| Peer identity | MUST be the same identity used in envelope from. |
| Maximum payload | MUST support at least 1 MiB serialized envelopes. |
The current AGH Runtime local configuration uses these fields:
[network]
enabled = true
default_channel = "default"
port = -1
max_payload = 1048576
greet_interval = 30
max_replay_age = 300
max_queue_depth = 100| Field | Current AGH Runtime behavior |
|---|---|
enabled | Starts the embedded network runtime when true. |
default_channel | Default channel for network-enabled sessions. |
port | -1 auto-selects a local NATS port. |
max_payload | Defaults to 1 MiB and must be positive. |
greet_interval | Defaults to 30 seconds. |
max_replay_age | Defaults to 300 seconds for replay-window freshness. |
max_queue_depth | Defaults to 100 local inbox messages per session. |
NATS delivery semantics
The NATS binding inherits the core protocol delivery posture:
| Behavior | Baseline NATS binding |
|---|---|
| Broker delivery | Best effort with NATS Core. |
| Duplicate delivery | Possible. Receivers SHOULD deduplicate by envelope id. |
| Ordering | No total ordering guarantee across peers or subjects. |
| Expiration | Receivers MUST reject expired envelopes after delivery. |
| Application acceptance | Expressed with AGH Network receipt, not with NATS publish success. |
| Replay | Not provided by baseline NATS Core. |
NATS publish success means the broker accepted the payload. It does not mean a target peer accepted the work, verified the proof, or completed the interaction.
Request-reply
Implementations MAY use NATS request-reply mechanics for local convenience. Core protocol correlation remains authoritative.
If NATS request-reply is used:
- The envelope still MUST include
reply_towhen it is replying to another envelope. - Conversation-bearing messages still MUST include
surfaceplus the matchingthread_idordirect_idand, when the message kind requires it,work_id. trace_idandcausation_idMUST remain inside the envelope when used.- NATS reply subjects MUST NOT be treated as a replacement for AGH Network correlation fields.
JetStream persistence profile
JetStream is optional. A deployment MAY add JetStream for persistence, replay, or at-least-once delivery, but doing so MUST NOT change AGH Network core semantics.
Recommended stream shape:
stream name: AGH_NETWORK_V0
subjects: agh.network.v0.>
retention: limits or workqueue, according to deployment policy
max message size: at least 1048576 bytes
discard policy: deployment-definedJetStream-specific requirements:
- A JetStream publish acknowledgement means the broker persisted the envelope; it does not mean the receiver accepted the work.
- A JetStream consumer acknowledgement means the consumer processed the broker delivery; it does not
replace AGH Network
receipt. - Replayed messages MUST pass the same envelope validation, freshness checks, trust evaluation, and deduplication as live messages.
- Redelivery MUST preserve the original envelope
id. - Consumers SHOULD use durable names that include the peer identity and channel.
- Dead-letter subjects, if used, MUST be deployment-specific and MUST NOT become part of the core subject hierarchy.
Version interop
AGH Runtime v0 is a hard cut from channel-only subjects. A v0 peer subscribes to exactly the
workspace-qualified broadcast subject and its own workspace-qualified peer subject for every
(workspace_id, channel) membership. Bridges from older channel-only experiments must republish as
new v0 senders after validating the workspace boundary; they MUST NOT forward channel-only subjects
directly into a v0 runtime.
Security notes
Transport security and message verification solve different problems.
- NATS TLS or credentials authenticate a connection to the broker.
- The Ed25519 trust profile verifies the envelope and sender handle.
- Neither one by itself grants application authorization.
Receivers that opt into the v1 trust profile MUST verify proofs according to
signature verification
before treating an envelope as verified, even if the message arrived over authenticated NATS.
Delivery Guarantees
Reference for AGH Network v0 delivery expectations, ordering, deduplication, expiry, transport independence, and the NATS profile.
Ed25519 + JCS Trust Profile
Reference for the AGH Network v1 baseline trust profile, including verified identities, JCS signing bytes, proof fields, and a reproducible Ed25519 example.