@arcote.tech/arc 0.5.1 → 0.5.5

package/dist/adapters/auth-adapter.d.ts

@@ -19,6 +19,17 @@ export declare class AuthAdapter {
      * Auto-persists to localStorage when available.
      */
     setToken(token: string | null, scope?: string): void;
+    /**
+     * Set an already-decoded token for a scope, bypassing JWT parsing.
+     *
+     * Used by listener auth reconstruction: events carry decoded auth context
+     * (tokenName + params) which has been validated at emit time. This method
+     * restores that context into a fresh AuthAdapter without requiring the
+     * original raw JWT.
+     *
+     * Does NOT touch localStorage — purely in-memory restoration.
+     */
+    setDecoded(decoded: DecodedToken, scope?: string): void;
     /**
      * Load all persisted scope tokens from localStorage.
      * Call once on app init before any queries.

package/dist/adapters/event-publisher.d.ts

@@ -27,6 +27,11 @@ export interface StoredEvent {
     type: string;
     payload: string;
     createdAt: string;
+    /**
+     * JSON-serialized EventAuthContext snapshot from the mutation that emitted
+     * this event. Null for system events / cron / seed (no active auth scope).
+     */
+    authContext: string | null;
 }
 /** Event tag record in the event_tags table */
 export interface StoredEventTag {

package/dist/adapters/event-wire.d.ts

@@ -7,11 +7,13 @@
  * - Handles reconnection and sync state
  * - Manages per-scope token caching
  */
+import type { EventAuthContext } from "../context-element/event/instance";
 export interface SyncableEvent {
     localId: string;
     type: string;
     payload: any;
     createdAt: string;
+    authContext: EventAuthContext | null;
 }
 export interface ReceivedEvent {
     localId: string;
@@ -20,6 +22,7 @@ export interface ReceivedEvent {
     payload: any;
     createdAt: string;
     clientId: string;
+    authContext: EventAuthContext | null;
 }
 import type { ContextDescriptor } from "../model/context-accessor";
 type EventWireState = "disconnected" | "connecting" | "connected";

package/dist/context-element/aggregate/aggregate-data.d.ts

@@ -6,6 +6,7 @@
  */
 import type { ArcIdAny } from "../../elements/id";
 import type { ArcObjectAny } from "../../elements/object";
+import type { ArcContextElement } from "../context-element";
 import type { Simplify } from "../../utils";
 import type { ArcEventAny } from "../event/event";
 import type { ArcEventInstance } from "../event/instance";
@@ -34,6 +35,8 @@ export interface AggregateMutateMethodEntry {
     readonly handler: Function | false | null;
     readonly result?: any;
     readonly cronExpression?: string;
+    readonly queryElements?: ArcContextElement<any>[];
+    readonly mutationElements?: ArcContextElement<any>[];
 }
 /**
  * Cron method entry extracted at build time.

package/dist/context-element/aggregate/aggregate-element.d.ts

@@ -111,7 +111,7 @@ export declare class ArcAggregateElement<Name extends string = string, Id extend
         data: any[];
         version: number;
     });
-    protectBy<T extends ArcTokenAny>(token: T, protectionFn: ViewProtectionFn<any>): ArcAggregateElement<Name, Id, Schema, Events, MutateMethods, QueryMethods>;
+    protectBy<T extends ArcTokenAny>(token: T, protectionFn: ViewProtectionFn<T>): ArcAggregateElement<Name, Id, Schema, Events, MutateMethods, QueryMethods>;
     event<const EventName extends string, PayloadShape extends ArcRawShape>(eventName: EventName, payload: PayloadShape, handler: (ctx: ArcViewHandlerContext<Id, Schema>, event: ArcEventInstance<InlineArcEvent<EventName, PayloadShape>>) => Promise<void>): ArcAggregateElement<Name, Id, Schema, [
         ...Events,
         AggregateEventEntry<InlineArcEvent<EventName, PayloadShape>, Id, Schema, false>
@@ -196,8 +196,9 @@ export declare class ArcAggregateElement<Name extends string = string, Id extend
     get cronMethods(): AggregateCronMethodEntry[];
     queryContext(adapters: ModelAdapters): AggregateQueryContext<QueryMethods>;
     private buildPrivateQuery;
-    private buildUnrestrictedQuery;
+    private isScopeDenied;
     private getAuth;
+    private getScopeRestrictions;
     mutateContext(adapters: ModelAdapters): AggregateMutateMethodContext<MutateMethods>;
     databaseStoreSchema(): DatabaseStoreSchema;
     getSeeds(): {

package/dist/context-element/aggregate/index.d.ts

@@ -11,5 +11,5 @@ export { aggregate } from "./aggregate-builder";
 export { ArcAggregateElement, type AggregateConstructor, type AggregateConstructorAny, type AggregateData, type AggregateInstanceCtx, type AggregateRow, } from "./aggregate-element";
 export { AggregateBase } from "./aggregate-base";
 export type { AggregateCronMethodEntry, AggregateEventEntry, AggregateEventHandler, AggregateMutateMethodContext, AggregateMutateMethodEntry, AggregateQueryContext, AggregateQueryMethodEntry, AggregateStaticConfig, } from "./aggregate-data";
-export type { ArcEventPayload } from "../event/instance";
+export type { ArcEventPayload, EventAuthContext, EventMetadata } from "../event/instance";
 //# sourceMappingURL=index.d.ts.map

package/dist/context-element/event/index.d.ts

@@ -1,5 +1,5 @@
 export { ArcEvent, event, type ArcEventAny } from "./event";
 export type { ArcEventData } from "./event-data";
-export type { ArcEventInstance, ArcEventPayload, EventMetadata, } from "./instance";
+export type { ArcEventInstance, ArcEventPayload, EventAuthContext, EventMetadata, } from "./instance";
 export type { ArcObjectAny, ArcRawShape } from "../../elements/object";
 //# sourceMappingURL=index.d.ts.map

package/dist/context-element/event/instance.d.ts

@@ -1,11 +1,30 @@
 import type { $type } from "../../utils/types/get-type";
 import type { ArcEventAny } from "./event";
+/**
+ * Auth context captured at event emission time.
+ * Stored alongside the event in the event store so async listeners can
+ * reconstruct the original protection scope without losing security guarantees.
+ *
+ * Trust model: the event store is trusted (same threat surface as the
+ * aggregate state DB). No cryptographic re-verification — payload is
+ * authoritative because only authorized mutations could have written it.
+ */
+export type EventAuthContext = {
+    tokenName: string;
+    params: Record<string, any>;
+};
 /**
  * Event metadata attached to every event instance
  */
 export type EventMetadata = {
     id: string;
     createdAt: Date;
+    /**
+     * Auth context that authorized the mutation which emitted this event.
+     * `null` for system events emitted without an active auth scope —
+     * listeners with `protectBy()` will deny access for null-auth events.
+     */
+    authContext: EventAuthContext | null;
 };
 /**
  * Event instance type - represents an actual event occurrence

package/dist/context-element/function/arc-function-data.d.ts

@@ -1,18 +1,29 @@
 import type { ArcObjectAny } from "../../elements/object";
 import type { ArcToken, ArcTokenAny } from "../../token/token";
-import type { TokenInstanceAny } from "../../token/token-instance";
+import type { TokenInstance, TokenInstanceAny } from "../../token/token-instance";
 import type { $type } from "../../utils/types/get-type";
 import type { ArcContextElement } from "../context-element";
 import type { ElementContext } from "../element-context";
+/**
+ * Extract typed TokenInstance from a token definition.
+ *
+ * Given `ArcToken<"workspace", { workspaceId: ArcId, role: ArcString }, ...>`,
+ * returns `TokenInstance<{ workspaceId: string, role: string }, RuleNames>`.
+ */
+export type TypedTokenInstance<T extends ArcTokenAny> = T extends ArcToken<any, infer ParamsShape, any, infer Rules> ? TokenInstance<$type<import("../../elements/object").ArcObject<ParamsShape>>, Rules extends Record<string, any> ? Extract<keyof Rules, string> : string> : TokenInstanceAny;
 /**
  * Unified protection check function.
  *
+ * Callback receives a **typed** TokenInstance — `token.params.workspaceId`
+ * has full autocomplete and type safety.
+ *
  * Return value determines behavior:
  * - `false`  → access denied
  * - `true`   → access allowed, no data filter
  * - `Record` → access allowed + merged into WHERE clause (query context)
+ *              + validated on writes (scope enforcement)
  */
-export type FnProtectionCheck<T extends ArcTokenAny> = (tokenInstance: TokenInstanceAny) => boolean | Record<string, unknown> | Promise<boolean | Record<string, unknown>>;
+export type FnProtectionCheck<T extends ArcTokenAny> = (tokenInstance: TypedTokenInstance<T>) => boolean | Record<string, unknown> | Promise<boolean | Record<string, unknown>>;
 /**
  * Protection configuration for an ArcFunction.
  */

package/dist/context-element/listener/listener.d.ts

@@ -76,6 +76,20 @@ export declare class ArcListener<const Data extends ArcListenerData> extends Arc
     get isAsync(): boolean;
     init(environment: ArcEnvironment, adapters: ModelAdapters): Promise<void>;
     private handleEvent;
+    /**
+     * Build scoped adapters for the listener handler.
+     *
+     * Sync listeners run inline with the originating mutation and inherit the
+     * caller's auth context directly. Async listeners run after the mutation
+     * completes and lose request scope — they reconstruct auth from the
+     * `authContext` snapshotted into the event at emit time
+     * (see aggregate-element.ts emit handler).
+     *
+     * Events with `authContext: null` (system events / cron / seed) leave the
+     * adapters without auth — listeners with `protectBy()` will deny access
+     * downstream at the protection layer.
+     */
+    private buildScopedAdapters;
     destroy(): void;
 }
 export declare function listener<const Name extends string>(name: Name): ArcListener<{

package/dist/context-element/view/view-data.d.ts

@@ -1,6 +1,6 @@
 import type { WhereCondition } from "../../data-storage/find-options";
 import type { ArcObjectAny } from "../../elements/object";
-import type { ArcTokenAny } from "../../token/token";
+import type { ArcToken, ArcTokenAny } from "../../token/token";
 import type { ArcContextElement } from "../context-element";
 /**
  * Protection config for views
@@ -9,11 +9,11 @@ import type { ArcContextElement } from "../context-element";
  */
 export type ViewProtectionConfig = WhereCondition | false;
 /**
- * Protection function for views
- * Receives token params and returns read conditions (where clause)
- * Return false to deny access entirely
+ * Protection function for views/aggregates.
+ * Receives typed token params and returns read/write conditions (where clause).
+ * Return false to deny access entirely.
  */
-export type ViewProtectionFn<TokenParams> = (params: TokenParams) => ViewProtectionConfig;
+export type ViewProtectionFn<T extends ArcTokenAny = ArcTokenAny> = (params: T extends ArcToken<any, infer P, any, any> ? import("../../utils/types/get-type").$type<import("../../elements/object").ArcObject<P>> : Record<string, any>) => ViewProtectionConfig;
 /**
  * View protection configuration
  */

package/dist/context-element/view/view.d.ts

@@ -5,7 +5,7 @@ import type { ArcTokenAny } from "../../token/token";
 import type { TokenInstanceAny } from "../../token/token-instance";
 import type { Merge } from "../../utils";
 import type { ArcViewHandlerContext, ArcViewItem, ArcViewQueryContext } from "./view-context";
-import type { ArcViewData, ViewProtectionFn } from "./view-data";
+import type { ArcViewData, ViewProtection, ViewProtectionFn } from "./view-data";
 /**
  * Arc View - Read-optimized projection of events
  *
@@ -104,6 +104,7 @@ export declare class ArcView<const Data extends ArcViewData> extends ArcContextE
      * @returns Context object with find/findOne methods
      */
     queryContext(adapters: any): ArcViewQueryContext<Data["id"], Data["schema"]>;
+    private resolveProtection;
     /**
      * Get event handlers for this view
      * Used by the framework to set up event listeners
@@ -144,7 +145,7 @@ export declare class ArcView<const Data extends ArcViewData> extends ArcContextE
     /**
      * Get all protection configurations
      */
-    get protections(): import("./view-data").ViewProtection[];
+    get protections(): ViewProtection[];
     /**
      * Get protection config for a specific token instance
      *

package/dist/data-storage/index.d.ts

@@ -9,5 +9,6 @@ export * from "./query-result-resolver";
 export * from "./schema-extraction";
 export * from "./store-state-fork";
 export * from "./store-state-master";
+export * from "./scoped-data-storage";
 export * from "./store-state.abstract";
 //# sourceMappingURL=index.d.ts.map

package/dist/data-storage/scoped-data-storage.d.ts

@@ -0,0 +1,35 @@
+import { DataStorage, type QueryListenerCallback, type StoreStateChange } from "./data-storage.abstract";
+import type { StoreState } from "./store-state.abstract";
+import type { FindOptions } from "./find-options";
+import type { ForkedDataStorage } from "./data-storage-forked";
+import type { ReadTransaction, ReadWriteTransaction } from "./database-adapter";
+export type ScopeRestrictions = Record<string, unknown>;
+export type StorePermission = "read" | "read-write";
+export declare class ScopedStore<Item extends {
+    _id: string;
+}> {
+    #private;
+    constructor(inner: StoreState<Item>, restrictions: ScopeRestrictions, canWrite: boolean);
+    get storeName(): string;
+    find(options?: FindOptions<Item>, listener?: QueryListenerCallback<Item>): Promise<Item[]>;
+    set(item: Item): Promise<void>;
+    remove(id: string): Promise<void>;
+    modify(id: string, data: Partial<Item>): Promise<{
+        from: Item | null;
+        to: Item | null;
+    }>;
+    applyChanges(changes: StoreStateChange<Item>[]): Promise<void>;
+    unsubscribe(listener: QueryListenerCallback<Item>): void;
+}
+export declare class ScopedDataStorage extends DataStorage {
+    #private;
+    constructor(inner: DataStorage, allowedStores: Map<string, StorePermission>, restrictions: ScopeRestrictions);
+    getStore<Item extends {
+        _id: string;
+    }>(storeName: string): StoreState<Item>;
+    fork(): ForkedDataStorage;
+    getReadTransaction(): Promise<ReadTransaction>;
+    getReadWriteTransaction(): Promise<ReadWriteTransaction>;
+}
+export declare function createScopedDataStorage(inner: DataStorage, queryElementNames: string[], mutateElementNames: string[], restrictions: ScopeRestrictions): ScopedDataStorage;
+//# sourceMappingURL=scoped-data-storage.d.ts.map

package/dist/index.js

@@ -50,6 +50,9 @@ class AuthAdapter {
         localStorage.removeItem(TOKEN_PREFIX + scope);
     }
   }
+  setDecoded(decoded, scope = "default") {
+    this.scopes.set(scope, { raw: "", decoded });
+  }
   loadPersisted() {
     if (!hasLocalStorage())
       return;
@@ -325,7 +328,8 @@ class EventWire {
           localId: e.localId,
           type: e.type,
           payload: e.payload,
-          createdAt: e.createdAt
+          createdAt: e.createdAt,
+          authContext: e.authContext
         }))
       }));
     }
@@ -541,11 +545,13 @@ class LocalEventPublisher {
   }
   async publish(event) {
     const allChanges = [];
+    const eventAuthContext = event.authContext ?? null;
     const storedEvent = {
       _id: event.id,
       type: event.type,
       payload: JSON.stringify(event.payload),
-      createdAt: event.createdAt.toISOString()
+      createdAt: event.createdAt.toISOString(),
+      authContext: eventAuthContext ? JSON.stringify(eventAuthContext) : null
     };
     allChanges.push({
       store: EVENT_TABLES.events,
@@ -1270,6 +1276,122 @@ function object(element) {
   return new ArcObject(element);
 }
 
+// src/data-storage/data-storage.abstract.ts
+class DataStorage {
+  async commitChanges(changes) {
+    await Promise.all(changes.map(({ store, changes: changes2 }) => this.getStore(store).applyChanges(changes2)));
+  }
+}
+
+// src/data-storage/scoped-data-storage.ts
+class ScopedStore {
+  #inner;
+  #restrictions;
+  #canWrite;
+  #storeName;
+  constructor(inner, restrictions, canWrite) {
+    this.#inner = inner;
+    this.#restrictions = restrictions;
+    this.#canWrite = canWrite;
+    this.#storeName = inner.storeName;
+  }
+  get storeName() {
+    return this.#storeName;
+  }
+  async find(options, listener) {
+    const restricted = this.#applyReadRestrictions(options);
+    return this.#inner.find(restricted, listener);
+  }
+  async set(item) {
+    this.#assertWriteAccess();
+    this.#validateScopeFields(item);
+    return this.#inner.set(item);
+  }
+  async remove(id) {
+    this.#assertWriteAccess();
+    return this.#inner.remove(id);
+  }
+  async modify(id, data) {
+    this.#assertWriteAccess();
+    this.#validateScopeFields(data);
+    return this.#inner.modify(id, data);
+  }
+  async applyChanges(changes) {
+    this.#assertWriteAccess();
+    for (const change of changes) {
+      if (change.type === "set") {
+        this.#validateScopeFields(change.data);
+      } else if (change.type === "modify") {
+        this.#validateScopeFields(change.data);
+      }
+    }
+    return this.#inner.applyChanges(changes);
+  }
+  unsubscribe(listener) {
+    this.#inner.unsubscribe(listener);
+  }
+  #applyReadRestrictions(options) {
+    if (Object.keys(this.#restrictions).length === 0) {
+      return options ?? {};
+    }
+    return {
+      ...options,
+      where: { ...options?.where ?? {}, ...this.#restrictions }
+    };
+  }
+  #assertWriteAccess() {
+    if (!this.#canWrite) {
+      throw new Error(`Scope violation: write access denied to store "${this.#storeName}" (read-only)`);
+    }
+  }
+  #validateScopeFields(data) {
+    for (const [key, value] of Object.entries(this.#restrictions)) {
+      if (key in data && data[key] !== value) {
+        throw new Error(`Scope violation: field "${key}" must be "${value}", got "${data[key]}" in store "${this.#storeName}"`);
+      }
+    }
+  }
+}
+
+class ScopedDataStorage extends DataStorage {
+  #inner;
+  #allowedStores;
+  #restrictions;
+  constructor(inner, allowedStores, restrictions) {
+    super();
+    this.#inner = inner;
+    this.#allowedStores = allowedStores;
+    this.#restrictions = restrictions;
+  }
+  getStore(storeName) {
+    const permission = this.#allowedStores.get(storeName);
+    if (!permission) {
+      throw new Error(`Scope violation: access denied to store "${storeName}" (not declared in query/mutate)`);
+    }
+    const inner = this.#inner.getStore(storeName);
+    return new ScopedStore(inner, this.#restrictions, permission === "read-write");
+  }
+  fork() {
+    return this.#inner.fork();
+  }
+  getReadTransaction() {
+    return this.#inner.getReadTransaction();
+  }
+  getReadWriteTransaction() {
+    return this.#inner.getReadWriteTransaction();
+  }
+}
+function createScopedDataStorage(inner, queryElementNames, mutateElementNames, restrictions) {
+  const allowedStores = new Map;
+  for (const name of queryElementNames) {
+    allowedStores.set(name, "read");
+  }
+  for (const name of mutateElementNames) {
+    allowedStores.set(name, "read-write");
+  }
+  return new ScopedDataStorage(inner, allowedStores, restrictions);
+}
+
 // src/elements/abstract-primitive.ts
 class ArcPrimitive extends ArcAbstract {
   serialize(value) {
@@ -1460,6 +1582,56 @@ class ArcContextElement extends ArcFragmentBase {
   }
 }
 
+// src/context-element/element-context.ts
+function buildElementContext(queryElements, mutationElements, adapters) {
+  const queryMap = new Map;
+  const mutateMap = new Map;
+  const queryProps = {};
+  for (const element of queryElements) {
+    if (element.queryContext) {
+      const ctx = element.queryContext(adapters);
+      queryProps[element.name] = ctx;
+      queryMap.set(element, ctx);
+    }
+  }
+  const mutateProps = {};
+  for (const element of mutationElements) {
+    if (element.mutateContext) {
+      const ctx = element.mutateContext(adapters);
+      mutateProps[element.name] = ctx;
+      mutateMap.set(element, ctx);
+    }
+  }
+  const queryFn = (element) => {
+    const cached = queryMap.get(element);
+    if (cached)
+      return cached;
+    if (element.queryContext) {
+      const ctx = element.queryContext(adapters);
+      queryMap.set(element, ctx);
+      return ctx;
+    }
+    throw new Error(`Element "${element.name}" has no queryContext`);
+  };
+  Object.assign(queryFn, queryProps);
+  const mutateFn = (element) => {
+    const cached = mutateMap.get(element);
+    if (cached)
+      return cached;
+    if (element.mutateContext) {
+      const ctx = element.mutateContext(adapters);
+      mutateMap.set(element, ctx);
+      return ctx;
+    }
+    throw new Error(`Element "${element.name}" has no mutateContext`);
+  };
+  Object.assign(mutateFn, mutateProps);
+  return {
+    query: queryFn,
+    mutate: mutateFn
+  };
+}
+
 // src/elements/boolean.ts
 class ArcBoolean extends ArcPrimitive {
   hasToBeTrue() {
@@ -1609,11 +1781,14 @@ class ArcEvent extends ArcContextElement {
         if (!adapters.eventPublisher) {
           throw new Error(`Event "${this.data.name}" cannot be emitted: no eventPublisher adapter available`);
         }
+        const decoded = adapters.authAdapter?.getDecoded() ?? null;
+        const authContext = decoded ? { tokenName: decoded.tokenName, params: decoded.params } : null;
         const event = {
           type: this.data.name,
           payload,
           id: this.eventId.generate(),
-          createdAt: new Date
+          createdAt: new Date,
+          authContext
         };
         await adapters.eventPublisher.publish(event);
       }
@@ -1697,56 +1872,6 @@ function event(name, payload) {
   });
 }
 
-// src/context-element/element-context.ts
-function buildElementContext(queryElements, mutationElements, adapters) {
-  const queryMap = new Map;
-  const mutateMap = new Map;
-  const queryProps = {};
-  for (const element of queryElements) {
-    if (element.queryContext) {
-      const ctx = element.queryContext(adapters);
-      queryProps[element.name] = ctx;
-      queryMap.set(element, ctx);
-    }
-  }
-  const mutateProps = {};
-  for (const element of mutationElements) {
-    if (element.mutateContext) {
-      const ctx = element.mutateContext(adapters);
-      mutateProps[element.name] = ctx;
-      mutateMap.set(element, ctx);
-    }
-  }
-  const queryFn = (element) => {
-    const cached = queryMap.get(element);
-    if (cached)
-      return cached;
-    if (element.queryContext) {
-      const ctx = element.queryContext(adapters);
-      queryMap.set(element, ctx);
-      return ctx;
-    }
-    throw new Error(`Element "${element.name}" has no queryContext`);
-  };
-  Object.assign(queryFn, queryProps);
-  const mutateFn = (element) => {
-    const cached = mutateMap.get(element);
-    if (cached)
-      return cached;
-    if (element.mutateContext) {
-      const ctx = element.mutateContext(adapters);
-      mutateMap.set(element, ctx);
-      return ctx;
-    }
-    throw new Error(`Element "${element.name}" has no mutateContext`);
-  };
-  Object.assign(mutateFn, mutateProps);
-  return {
-    query: queryFn,
-    mutate: mutateFn
-  };
-}
-
 // src/context-element/function/arc-function.ts
 class ArcFunction {
   data;
@@ -1881,11 +2006,14 @@ class AggregateBase {
           if (!adapters.eventPublisher) {
             throw new Error(`Cannot emit event "${arcEvent.name}": no eventPublisher adapter available`);
           }
+          const decoded = adapters.authAdapter?.getDecoded() ?? null;
+          const authContext = decoded ? { tokenName: decoded.tokenName, params: decoded.params } : null;
           const eventInstance = {
             type: arcEvent.name,
             payload,
             id: `${Date.now()}_${Math.random().toString(36).slice(2)}`,
-            createdAt: new Date
+            createdAt: new Date,
+            authContext
           };
           await adapters.eventPublisher.publish(eventInstance);
         }
@@ -1962,7 +2090,9 @@ class ArcAggregateElement extends ArcContextElement {
     const entry = {
       name: methodName,
       params: configuredFn.data.params,
-      handler: configuredFn.data.handler
+      handler: configuredFn.data.handler,
+      queryElements: configuredFn.data.queryElements?.length ? configuredFn.data.queryElements : undefined,
+      mutationElements: configuredFn.data.mutationElements?.length ? configuredFn.data.mutationElements : undefined
     };
     return new ArcAggregateElement(this.name, this._id_factory, this.schema, this._events, this._protections, [...this._mutateMethods, entry], this._queryMethods, this._seeds);
   }
@@ -2089,38 +2219,16 @@ class ArcAggregateElement extends ArcContextElement {
   }
   buildPrivateQuery(adapters) {
     const viewName = this.name;
-    const protections = this._protections;
-    const getReadRestrictions = () => {
-      if (protections.length === 0)
-        return null;
-      if (!adapters.authAdapter)
-        return false;
-      const decoded = adapters.authAdapter.getDecoded();
-      if (!decoded)
-        return false;
-      for (const protection of protections) {
-        if (protection.token.name === decoded.tokenName) {
-          const restrictions = protection.protectionFn(decoded.params);
-          if (restrictions === false)
-            return false;
-          return restrictions ?? {};
-        }
-      }
-      return false;
-    };
-    const applyRestrictions = (options) => {
-      const restrictions = getReadRestrictions();
-      if (restrictions === false)
-        return false;
-      if (!restrictions || Object.keys(restrictions).length === 0) {
-        return options || {};
-      }
-      const where = { ...options?.where || {}, ...restrictions };
-      return { ...options, where };
-    };
+    const restrictions = this.getScopeRestrictions(adapters);
+    const isDenied = this.isScopeDenied(adapters);
     const findRows = async (options) => {
-      if (adapters.dataStorage)
+      if (adapters.dataStorage) {
+        if (restrictions) {
+          const scopedStore = new ScopedStore(adapters.dataStorage.getStore(viewName), restrictions, false);
+          return scopedStore.find(options);
+        }
         return adapters.dataStorage.getStore(viewName).find(options);
+      }
       if (adapters.streamingCache)
         return adapters.streamingCache.getStore(viewName).find(options);
       if (adapters.queryWire)
@@ -2134,18 +2242,15 @@ class ArcAggregateElement extends ArcContextElement {
     };
     return {
       find: async (options, mapper) => {
-        const restricted = applyRestrictions(options);
-        if (restricted === false)
+        if (isDenied)
           return [];
-        const rows = await findRows(restricted);
+        const rows = await findRows(options || {});
         return mapper ? rows.map((row) => new mapper(row, adapters)) : rows.map(deserializeRow);
       },
       findOne: async (where, mapper) => {
-        const restrictions = getReadRestrictions();
-        if (restrictions === false)
+        if (isDenied)
           return;
-        const mergedWhere = restrictions && Object.keys(restrictions).length > 0 ? { ...where, ...restrictions } : where;
-        const rows = await findRows({ where: mergedWhere });
+        const rows = await findRows({ where: where || {} });
         const row = rows[0];
         if (!row)
           return;
@@ -2153,35 +2258,22 @@ class ArcAggregateElement extends ArcContextElement {
       }
     };
   }
-  buildUnrestrictedQuery(adapters) {
-    const viewName = this.name;
-    const schema = this.schema;
-    const deserializeRow = (row) => {
-      const { _id, ...rest } = row;
-      return { _id, ...schema.deserialize(rest) };
-    };
-    const findRows = async (options) => {
-      if (adapters.dataStorage)
-        return adapters.dataStorage.getStore(viewName).find(options);
-      if (adapters.streamingCache)
-        return adapters.streamingCache.getStore(viewName).find(options);
-      if (adapters.queryWire)
-        return adapters.queryWire.query(viewName, options);
-      return [];
-    };
-    return {
-      find: async (options, mapper) => {
-        const rows = await findRows(options || {});
-        return mapper ? rows.map((row) => new mapper(row, adapters)) : rows.map(deserializeRow);
-      },
-      findOne: async (where, mapper) => {
-        const rows = await findRows({ where });
-        const row = rows[0];
-        if (!row)
-          return;
-        return mapper ? new mapper(row, adapters) : deserializeRow(row);
+  isScopeDenied(adapters) {
+    const protections = this._protections;
+    if (protections.length === 0)
+      return false;
+    if (!adapters.authAdapter)
+      return true;
+    const decoded = adapters.authAdapter.getDecoded();
+    if (!decoded)
+      return true;
+    for (const protection of protections) {
+      if (protection.token.name === decoded.tokenName) {
+        const result = protection.protectionFn(decoded.params);
+        return result === false;
       }
-    };
+    }
+    return true;
   }
   getAuth(adapters) {
     if (adapters.authAdapter) {
@@ -2190,12 +2282,33 @@ class ArcAggregateElement extends ArcContextElement {
     }
     return { params: {}, tokenName: "" };
   }
+  getScopeRestrictions(adapters) {
+    const protections = this._protections;
+    if (protections.length === 0)
+      return null;
+    if (!adapters.authAdapter)
+      return null;
+    const decoded = adapters.authAdapter.getDecoded();
+    if (!decoded)
+      return null;
+    for (const protection of protections) {
+      if (protection.token.name === decoded.tokenName) {
+        const result = protection.protectionFn(decoded.params);
+        if (result === false)
+          return null;
+        return result ?? null;
+      }
+    }
+    console.log(`[Scope:${this.name}] no matching protection`);
+    return null;
+  }
   mutateContext(adapters) {
     const events = this._events;
-    const privateQuery = this.buildUnrestrictedQuery(adapters);
+    const privateQuery = this.buildPrivateQuery(adapters);
     const auth = this.getAuth(adapters);
     const aggregateName = this.name;
-    const buildMutateMethodCtx = () => {
+    const scopeRestrictions = this.getScopeRestrictions(adapters);
+    const buildMutateMethodCtx = (method) => {
       const ctx = {};
       for (const entry of events) {
         const arcEvent = entry.event;
@@ -2206,11 +2319,21 @@ class ArcAggregateElement extends ArcContextElement {
             if (!adapters.eventPublisher) {
               throw new Error(`Cannot emit event "${arcEvent.name}": no eventPublisher adapter available`);
             }
+            if (scopeRestrictions) {
+              for (const [key, value] of Object.entries(scopeRestrictions)) {
+                if (key in payload && payload[key] !== value) {
+                  throw new Error(`Scope violation: event "${arcEvent.name}" field "${key}" must be "${value}", got "${payload[key]}"`);
+                }
+              }
+            }
+            const decoded = adapters.authAdapter?.getDecoded() ?? null;
+            const authContext = decoded ? { tokenName: decoded.tokenName, params: decoded.params } : null;
             const eventInstance = {
               type: `${aggregateName}.${arcEvent.name}`,
               payload,
               id: `${Date.now()}_${Math.random().toString(36).slice(2)}`,
-              createdAt: new Date
+              createdAt: new Date,
+              authContext
             };
             await adapters.eventPublisher.publish(eventInstance);
           }
@@ -2218,6 +2341,11 @@ class ArcAggregateElement extends ArcContextElement {
       }
       ctx.$auth = auth;
       ctx.$query = privateQuery;
+      if (method.queryElements?.length || method.mutationElements?.length) {
+        const elementCtx = buildElementContext(method.queryElements ?? [], method.mutationElements ?? [], adapters);
+        ctx.query = elementCtx.query;
+        ctx.mutate = elementCtx.mutate;
+      }
       return ctx;
     };
     const result = {};
@@ -2233,7 +2361,7 @@ class ArcAggregateElement extends ArcContextElement {
           } : undefined;
           return adapters.commandWire.executeCommand(`${aggregateName}.${method.name}`, params, wireAuth);
         }
-        const ctx = buildMutateMethodCtx();
+        const ctx = buildMutateMethodCtx(method);
         return method.handler(ctx, params);
       };
     }
@@ -2461,9 +2589,10 @@ class ArcListener extends ArcContextElement {
   async handleEvent(event2, adapters) {
     if (!this.data.handler)
       return;
-    const context2 = this.#fn.buildContext(adapters);
-    if (adapters.authAdapter) {
-      const decoded = adapters.authAdapter.getDecoded();
+    const scopedAdapters = this.buildScopedAdapters(event2, adapters);
+    const context2 = this.#fn.buildContext(scopedAdapters);
+    if (scopedAdapters.authAdapter) {
+      const decoded = scopedAdapters.authAdapter.getDecoded();
       if (decoded) {
         context2.$auth = {
           params: decoded.params,
@@ -2479,6 +2608,21 @@ class ArcListener extends ArcContextElement {
       await this.data.handler(context2, event2);
     }
   }
+  buildScopedAdapters(event2, adapters) {
+    if (adapters.authAdapter?.isAuthenticated()) {
+      return adapters;
+    }
+    const authContext = event2.authContext;
+    if (!authContext) {
+      return adapters;
+    }
+    const scopedAuth = new AuthAdapter;
+    scopedAuth.setDecoded({
+      tokenName: authContext.tokenName,
+      params: authContext.params
+    });
+    return { ...adapters, authAdapter: scopedAuth };
+  }
   destroy() {
     for (const unsubscribe of this.unsubscribers) {
       unsubscribe();
@@ -2739,74 +2883,63 @@ class ArcView extends ArcContextElement {
   queryContext(adapters) {
     const viewName = this.data.name;
     const protections = this.data.protections || [];
-    const getReadRestrictions = () => {
-      if (protections.length === 0)
-        return null;
-      if (!adapters.authAdapter) {
-        return false;
-      }
-      const decoded = adapters.authAdapter.getDecoded();
-      if (!decoded) {
-        return false;
-      }
-      for (const protection of protections) {
-        if (protection.token.name === decoded.tokenName) {
-          const restrictions = protection.protectionFn(decoded.params);
-          if (restrictions === false)
-            return false;
-          return restrictions ?? {};
-        }
-      }
-      return false;
-    };
-    const applyRestrictions = (options) => {
-      const restrictions = getReadRestrictions();
-      if (restrictions === false)
-        return false;
-      if (!restrictions || Object.keys(restrictions).length === 0) {
-        return options || {};
-      }
-      const where = { ...options?.where || {}, ...restrictions };
-      return { ...options, where };
-    };
+    const { restrictions, denied } = this.resolveProtection(protections, adapters);
     return {
       find: async (options) => {
-        const restrictedOptions = applyRestrictions(options);
-        if (restrictedOptions === false) {
+        if (denied)
           return [];
-        }
         if (adapters.dataStorage) {
-          const store = adapters.dataStorage.getStore(viewName);
-          return store.find(restrictedOptions);
+          if (restrictions) {
+            const scopedStore = new ScopedStore(adapters.dataStorage.getStore(viewName), restrictions, false);
+            return scopedStore.find(options);
+          }
+          return adapters.dataStorage.getStore(viewName).find(options);
         }
         if (adapters.queryWire) {
-          return adapters.queryWire.query(viewName, restrictedOptions);
+          const where = restrictions ? { ...options?.where || {}, ...restrictions } : options?.where;
+          return adapters.queryWire.query(viewName, { ...options, where });
         }
-        console.warn(`View "${viewName}" query: no dataStorage or queryWire available`);
         return [];
       },
       findOne: async (where) => {
-        const restrictions = getReadRestrictions();
-        if (restrictions === false) {
+        if (denied)
           return;
-        }
-        const mergedWhere = restrictions && Object.keys(restrictions).length > 0 ? { ...where, ...restrictions } : where;
         if (adapters.dataStorage) {
-          const store = adapters.dataStorage.getStore(viewName);
-          const results = await store.find({ where: mergedWhere });
+          if (restrictions) {
+            const scopedStore = new ScopedStore(adapters.dataStorage.getStore(viewName), restrictions, false);
+            const results2 = await scopedStore.find({ where: where || {} });
+            return results2[0];
+          }
+          const results = await adapters.dataStorage.getStore(viewName).find({ where });
           return results[0];
         }
         if (adapters.queryWire) {
-          const results = await adapters.queryWire.query(viewName, {
-            where: mergedWhere
-          });
+          const mergedWhere = restrictions ? { ...where, ...restrictions } : where;
+          const results = await adapters.queryWire.query(viewName, { where: mergedWhere });
           return results[0];
         }
-        console.warn(`View "${viewName}" query: no dataStorage or queryWire available`);
         return;
       }
     };
   }
+  resolveProtection(protections, adapters) {
+    if (protections.length === 0)
+      return { restrictions: null, denied: false };
+    if (!adapters.authAdapter)
+      return { restrictions: null, denied: true };
+    const decoded = adapters.authAdapter.getDecoded();
+    if (!decoded)
+      return { restrictions: null, denied: true };
+    for (const protection of protections) {
+      if (protection.token.name === decoded.tokenName) {
+        const result = protection.protectionFn(decoded.params);
+        if (result === false)
+          return { restrictions: null, denied: true };
+        return { restrictions: result ?? null, denied: false };
+      }
+    }
+    return { restrictions: null, denied: true };
+  }
   getHandlers() {
     return this.data.handler;
   }
@@ -2925,7 +3058,8 @@ class ArcView extends ArcContextElement {
             type: storedEvent.type,
             payload,
             id: storedEvent._id,
-            createdAt: new Date(storedEvent.createdAt)
+            createdAt: new Date(storedEvent.createdAt),
+            authContext: storedEvent.authContext ? typeof storedEvent.authContext === "string" ? JSON.parse(storedEvent.authContext) : storedEvent.authContext : null
           };
           await handler(ctx, eventInstance);
         }
@@ -2943,13 +3077,6 @@ function view(name, id2, schema) {
     protections: []
   });
 }
-// src/data-storage/data-storage.abstract.ts
-class DataStorage {
-  async commitChanges(changes) {
-    await Promise.all(changes.map(({ store, changes: changes2 }) => this.getStore(store).applyChanges(changes2)));
-  }
-}
-
 // src/data-storage/store-state-fork.ts
 import { apply } from "mutative";
 
@@ -4643,7 +4770,8 @@ class StreamingEventPublisher {
         localId: event3.id,
         type: event3.type,
         payload: event3.payload,
-        createdAt: event3.createdAt.toISOString()
+        createdAt: event3.createdAt.toISOString(),
+        authContext: event3.authContext ?? null
       }
     ]);
   }
@@ -5091,6 +5219,7 @@ export {
   deepMerge,
   date,
   customId,
+  createScopedDataStorage,
   contextMerge,
   context,
   command,
@@ -5113,7 +5242,9 @@ export {
   StoreState,
   SecuredStoreState,
   SecuredDataStorage,
+  ScopedStore,
   ScopedModel,
+  ScopedDataStorage,
   QueryWire,
   ObservableDataStorage,
   Model,

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@arcote.tech/arc",
   "type": "module",
-  "version": "0.5.1",
+  "version": "0.5.5",
   "private": false,
   "author": "Przemysław Krasiński [arcote.tech]",
   "description": "Arc framework core rewrite with improved event emission and type safety",