%% Qipai EMQX ACL baseline for device topic isolation.
%% EMQX ACL files use Erlang tuple rules and are matched from top to bottom:
%% the first rule whose client, action and topic all match decides, so the
%% order of the rules below is security-relevant.
%% Replace example usernames and topic namespaces after M06 device onboarding.

%% Device clients may publish telemetry/status under their own client id.
%% The clientid regex admits only [A-Za-z0-9_-], so the ${clientid}
%% placeholder can never expand to a "/", "+" or "#" and widen the topic.
{allow, {clientid, {re, "^qipai-device-[A-Za-z0-9_-]+$"}}, publish, [
    "qipai/${clientid}/telemetry",
    "qipai/${clientid}/status",
    "qipai/${clientid}/event/#"
]}.

%% Device clients may subscribe only to commands for their own client id.
%% Uses the same clientid regex as the publish rule above; keep the two in sync.
{allow, {clientid, {re, "^qipai-device-[A-Za-z0-9_-]+$"}}, subscribe, [
    "qipai/${clientid}/command/#"
]}.

%% Backend service may publish commands and subscribe to device events.
%% NOTE(review): the action is 'all', which also lets the backend publish to
%% telemetry/status/event and subscribe to command topics -- broader than the
%% sentence above. If the backend only needs publish on command/# and
%% subscribe on the other three, split this into a publish rule and a
%% subscribe rule to keep it least-privilege.
{allow, {username, "qipai_backend"}, all, [
    "qipai/+/command/#",
    "qipai/+/telemetry",
    "qipai/+/status",
    "qipai/+/event/#"
]}.

%% Do not expose system topics or broad wildcards to ordinary clients.
%% "$SYS/#" is an ordinary filter and covers every $SYS subtopic; {eq, ...}
%% matches the literal filter text only, so "#" and "+/#" are refused here
%% but a filter such as "qipai/#" is not -- that case is refused only by the
%% catch-all deny at the end of this file.
{deny, all, subscribe, ["$SYS/#", {eq, "#"}, {eq, "+/#"}]}.

%% Production default: deny anything not explicitly allowed above.
%% Do not change this to {allow, all}: the explicit denies above are not an
%% exhaustive list of wildcard filters and rely on this rule as the backstop.
{deny, all}.