Issues / #87
NATS cross-account request/reply for mycelium secrets
proposed
feature
Priority: medium
Project: mycelium
Reporter:
1 Apr 2026 09:02
Description
## Problem
Services on org land cannot reach mycelium on the hub via NATS request/reply because they run in different NATS accounts (organisationland vs hub). The account JWTs need proper service exports/imports for mycelium.> subjects.
## Current state
- Mycelium has NATS request/reply handlers (mycelium.secrets.>, mycelium.integrations.>)
- Hub-internal consumers (iamnim) can use Wind Echo
- Org-land consumers use authenticated HTTP as fallback
- HTTP works but adds a network dependency and is less pure architecturally
## What needs to happen
1. Configure NATS account exports: hub exports mycelium.> as service type
2. Configure NATS account imports: organisationland imports mycelium.> from hub
3. Ensure mycelium regenerates account JWTs with the new exports/imports
4. Ensure the forest on org land fetches fresh JWTs and reloads TrustedOperators
5. Test Wind Echo from org land to mycelium on hub
6. Once working, remove HTTP fallback endpoints from mycelium
## Blocked by
- Understanding of NATS multi-account service export/import mechanics
- The forest auth bootstrap flow (how JWTs propagate to leaf nodes)
- Testing cross-account request/reply with TrustedOperators active
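To make the export/import mechanics in the steps above concrete (and the "understanding of NATS multi-account service export/import mechanics" blocker), here is an added example, not code from the mycelium project, that models the two accounts from this issue and checks which requests they can make. The `Account`, `ServiceImport`, `subject_covered` and `can_request` names are invented for the example; the account names, subjects and the `mycelium.>` export are taken from the issue text. It also renders the equivalent static `accounts {}` server configuration, which expresses the same exports/imports that the signed account JWTs carry in the TrustedOperators setup.

```python
"""Model of NATS account service exports/imports: which account may send a
request on which subject. Added example; the accounts and subjects are
constructed from issue #87, not taken from the mycelium code base."""
from dataclasses import dataclass, field


def subject_covered(pattern: str, subject: str) -> bool:
    """True if `pattern` covers `subject` under NATS token rules: '*' is one
    token, '>' is one or more trailing tokens. `subject` may itself contain
    wildcards (used to check that an import is not broader than an export):
    a '>' in `subject` is only covered by a '>' in `pattern`, and a '*' only
    by '*' or '>'."""
    p_toks, s_toks = pattern.split("."), subject.split(".")
    for k, pt in enumerate(p_toks):
        if pt == ">":
            return len(s_toks) > k          # needs at least one more token
        if k >= len(s_toks):
            return False
        st = s_toks[k]
        if st == ">" or (st == "*" and pt != "*"):
            return False                    # subject is broader than pattern
        if pt != "*" and pt != st:
            return False
    return len(s_toks) == len(p_toks)


@dataclass
class ServiceImport:
    src_account: str   # account that exports the service
    subject: str       # imported subject pattern (must sit inside the export)


@dataclass
class Account:
    name: str
    services: list = field(default_factory=list)          # responders hosted here
    service_exports: list = field(default_factory=list)   # exported patterns
    service_imports: list = field(default_factory=list)   # ServiceImport entries


def can_request(accounts: dict, requester: str, subject: str) -> tuple:
    """Return (allowed, reason). A same-account request needs no export or
    import; a cross-account request needs an import covering the subject, a
    matching export in the source account, and a responder there."""
    acct = accounts[requester]
    if any(subject_covered(p, subject) for p in acct.services):
        return True, f"{requester}: responder in the same account"
    for imp in acct.service_imports:
        if not subject_covered(imp.subject, subject):
            continue
        src = accounts.get(imp.src_account)
        if src is None:
            return False, f"import references unknown account {imp.src_account}"
        exported = any(subject_covered(e, imp.subject) for e in src.service_exports)
        if not exported:
            return False, f"{imp.src_account} does not export {imp.subject} as a service"
        if not any(subject_covered(s, subject) for s in src.services):
            return False, f"no responder for {subject} in {imp.src_account}"
        return True, f"{requester} -> {imp.src_account} via service import {imp.subject}"
    return False, f"{requester} has no service import covering {subject}"


def build_accounts(with_import: bool) -> dict:
    """Hub hosts mycelium and exports mycelium.> as a service; org land
    optionally imports it (the state before/after step 2 of the issue)."""
    hub = Account("hub",
                  services=["mycelium.secrets.>", "mycelium.integrations.>"],
                  service_exports=["mycelium.>"])
    org = Account("organisationland")
    if with_import:
        org.service_imports.append(ServiceImport("hub", "mycelium.>"))
    return {"hub": hub, "organisationland": org}


def render_static_config(accounts: dict) -> str:
    """Static nats-server `accounts {}` block carrying the same exports and
    imports; the JWT route (nsc / account claims) encodes the same data."""
    lines = ["accounts {"]
    for a in accounts.values():
        lines.append(f"  {a.name} {{")
        if a.service_exports:
            exp = ", ".join(f'{{ service: "{e}" }}' for e in a.service_exports)
            lines.append(f"    exports: [ {exp} ]")
        if a.service_imports:
            imp = ", ".join(
                f'{{ service: {{ account: {i.src_account}, subject: "{i.subject}" }} }}'
                for i in a.service_imports)
            lines.append(f"    imports: [ {imp} ]")
        lines.append("  }")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for state in (False, True):
        accts = build_accounts(state)
        print("with import" if state else "without import",
              can_request(accts, "organisationland", "mycelium.secrets.get"))
    print(render_static_config(build_accounts(True)))
```

Running it shows the request from `organisationland` on `mycelium.secrets.get` is refused until the import exists, that `hub`-internal callers need nothing extra, and that a subject covered by the import but with no responder (for example `mycelium.admin.x`) is still refused; `subject_covered` also rejects an import such as `mycelium.>` against a narrower export like `mycelium.*`, which is the check a reviewer should apply before signing the new account JWT.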
Comments (1)
nebula
2 Apr 2026 12:46
Grooming: set category to feature, set priority to medium, set project to mycelium
Nebula's reasoning: This is an architectural feature to replace the HTTP fallback with native NATS cross-account request/reply. Category is feature because it adds new NATS export/import capability. Project is mycelium since that's the service that needs the account JWT changes. Priority medium because the HTTP fallback works — this is an architectural purity improvement, not a functional gap.