@vibes.diy/api-svc 2.4.8 → 2.4.11

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibes.diy/api-svc",
-  "version": "2.4.8",
+  "version": "2.4.11",
   "type": "module",
   "main": "./index.js",
   "scripts": {
@@ -25,18 +25,18 @@
     "@libsql/client": "~0.17.3",
     "@neondatabase/serverless": "~1.1.0",
     "@noble/hashes": "~2.2.0",
-    "@vibes.diy/api-impl": "2.4.8",
-    "@vibes.diy/api-pkg": "2.4.8",
-    "@vibes.diy/api-sql": "2.4.8",
-    "@vibes.diy/api-types": "2.4.8",
-    "@vibes.diy/call-ai-v2": "2.4.8",
-    "@vibes.diy/prompts": "2.4.8",
-    "@vibes.diy/use-vibes-base": "2.4.8",
-    "@vibes.diy/vibe-db-explorer": "2.4.8",
-    "@vibes.diy/vibe-types": "2.4.8",
+    "@vibes.diy/api-impl": "2.4.11",
+    "@vibes.diy/api-pkg": "2.4.11",
+    "@vibes.diy/api-sql": "2.4.11",
+    "@vibes.diy/api-types": "2.4.11",
+    "@vibes.diy/call-ai-v2": "2.4.11",
+    "@vibes.diy/prompts": "2.4.11",
+    "@vibes.diy/use-vibes-base": "2.4.11",
+    "@vibes.diy/vibe-db-explorer": "2.4.11",
+    "@vibes.diy/vibe-types": "2.4.11",
     "acorn": "~8.16.0",
     "arktype": "~2.2.0",
-    "call-ai": "2.4.8",
+    "call-ai": "2.4.11",
     "cookie": "~1.1.1",
     "drizzle-orm": "~0.45.2",
     "jose": "~6.2.2",

package/public/access-function.d.ts

@@ -2,6 +2,7 @@ import type { AccessDescriptor, AccessFunction, Helpers, UserContext } from "@vi
 export type { AccessDescriptor, AccessFunction, Helpers, UserContext };
 export declare function enforceAllowAnonymous(result: AccessDescriptor, user: UserContext | null): void;
 export declare function makeHelpers(user: UserContext | null): Helpers;
+export declare function extractExportSource(fullSource: string, bindingDbName: string): string | undefined;
 export declare class ForbiddenError extends Error {
     readonly forbidden: string;
     constructor(reason: string);

package/public/access-function.js

@@ -17,6 +17,38 @@ export function makeHelpers(user) {
         },
     };
 }
+export function extractExportSource(fullSource, bindingDbName) {
+    let pattern;
+    if (bindingDbName === "*") {
+        pattern = /export\s+default\s+(?:function\s*(?:\w+\s*)?\([^)]*\)\s*\{|\([^)]*\)\s*=>\s*\{|\w+\s*=>\s*\{)/;
+    }
+    else {
+        pattern = new RegExp(`export\\s+function\\s+${bindingDbName}\\s*\\([^)]*\\)\\s*\\{`);
+    }
+    const match = fullSource.match(pattern);
+    if (!match)
+        return undefined;
+    const start = match.index;
+    if (start === undefined)
+        return undefined;
+    let depth = 0;
+    let end = start;
+    for (let i = start; i < fullSource.length; i++) {
+        if (fullSource[i] === "{")
+            depth++;
+        if (fullSource[i] === "}") {
+            depth--;
+            if (depth === 0) {
+                end = i + 1;
+                break;
+            }
+        }
+    }
+    let extracted = fullSource.slice(start, end).replace(/^export\s+/, "");
+    if (bindingDbName === "*")
+        extracted = extracted.replace(/^default\s+/, "");
+    return extracted;
+}
 export class ForbiddenError extends Error {
     forbidden;
     constructor(reason) {

package/public/access-function.js.map

@@ -1 +1 @@
-{"version":3,"file":"access-function.js","sourceRoot":"","sources":["../../jsr/public/access-function.ts"],"names":[],"mappings":"AA4BA,MAAM,UAAU,qBAAqB,CAAC,MAAwB,EAAE,IAAwB;IACtF,IAAI,IAAI,KAAK,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;QAC5C,MAAM,IAAI,cAAc,CAAC,yBAAyB,CAAC,CAAC;IACtD,CAAC;AACH,CAAC;AAQD,MAAM,UAAU,WAAW,CAAC,IAAwB;IAClD,OAAO;QACL,aAAa,CAAC,SAAiB;YAC7B,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;gBAClB,MAAM,IAAI,cAAc,CAAC,mBAAmB,SAAS,EAAE,CAAC,CAAC;YAC3D,CAAC;QAGH,CAAC;QACD,WAAW,CAAC,QAAgB;YAC1B,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;gBAClB,MAAM,IAAI,cAAc,CAAC,gBAAgB,QAAQ,EAAE,CAAC,CAAC;YACvD,CAAC;QAGH,CAAC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,OAAO,cAAe,SAAQ,KAAK;IAC9B,SAAS,CAAS;IAE3B,YAAY,MAAc;QACxB,KAAK,CAAC,MAAM,CAAC,CAAC;QACd,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;QAC7B,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC;IAC1B,CAAC;CACF"}
+{"version":3,"file":"access-function.js","sourceRoot":"","sources":["../../jsr/public/access-function.ts"],"names":[],"mappings":"AA4BA,MAAM,UAAU,qBAAqB,CAAC,MAAwB,EAAE,IAAwB;IACtF,IAAI,IAAI,KAAK,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;QAC5C,MAAM,IAAI,cAAc,CAAC,yBAAyB,CAAC,CAAC;IACtD,CAAC;AACH,CAAC;AAQD,MAAM,UAAU,WAAW,CAAC,IAAwB;IAClD,OAAO;QACL,aAAa,CAAC,SAAiB;YAC7B,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;gBAClB,MAAM,IAAI,cAAc,CAAC,mBAAmB,SAAS,EAAE,CAAC,CAAC;YAC3D,CAAC;QAGH,CAAC;QACD,WAAW,CAAC,QAAgB;YAC1B,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;gBAClB,MAAM,IAAI,cAAc,CAAC,gBAAgB,QAAQ,EAAE,CAAC,CAAC;YACvD,CAAC;QAGH,CAAC;KACF,CAAC;AACJ,CAAC;AAQD,MAAM,UAAU,mBAAmB,CAAC,UAAkB,EAAE,aAAqB;IAC3E,IAAI,OAAe,CAAC;IACpB,IAAI,aAAa,KAAK,GAAG,EAAE,CAAC;QAC1B,OAAO,GAAG,+FAA+F,CAAC;IAC5G,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,IAAI,MAAM,CAAC,yBAAyB,aAAa,wBAAwB,CAAC,CAAC;IACvF,CAAC;IACD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IACxC,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC;IAC1B,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC1C,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,GAAG,GAAG,KAAK,CAAC;IAChB,KAAK,IAAI,CAAC,GAAG,KAAK,EAAE,CAAC,GAAG,UAAU,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC/C,IAAI,UAAU,CAAC,CAAC,CAAC,KAAK,GAAG;YAAE,KAAK,EAAE,CAAC;QACnC,IAAI,UAAU,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YAC1B,KAAK,EAAE,CAAC;YACR,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;gBAChB,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;gBACZ,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,SAAS,GAAG,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;IACvE,IAAI,aAAa,KAAK,GAAG;QAAE,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;IAC5E,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,OAAO,cAAe,SAAQ,KAAK;IAC9B,SAAS,CAAS;IAE3B,YAAY,MAAc;QACxB,KAAK,CAAC,MAAM,CAAC,CAAC;QACd,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;QAC7B,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC;IAC1B,CAAC;CACF"}

package/public/app-documents.js

@@ -1,12 +1,15 @@
-import { Result, Option, EventoResult } from "@adviser/cement";
+import { Result, Option, EventoResult, exception2Result } from "@adviser/cement";
 import { reqPutDoc, reqGetDoc, reqQueryDocs, reqDeleteDoc, reqSubscribeDocs, reqListDbNames, reqListDmThreads, reqMarkDmRead, COMMENTS_DB_NAME, isDirectChannel, directChannelParticipants, } from "@vibes.diy/api-types";
 import { unwrapMsgBase } from "../unwrap-msg-base.js";
 import { checkAuth, optAuth } from "../check-auth.js";
-import { eq, and, sql, inArray } from "drizzle-orm";
+import { eq, and, sql, inArray, desc } from "drizzle-orm";
 import { max } from "drizzle-orm/sql";
 import { type } from "arktype";
 import { checkDocAccess, canRead, isPublicReadable } from "./access-helpers.js";
+import { enforceAllowAnonymous, ForbiddenError, extractExportSource } from "./access-function.js";
 import { aclAllows, resolveDbAcl, checkDirectChannelAccess } from "./db-acl-resolver.js";
+import { GrantReduce, extractContribution } from "./grant-reduce.js";
+import { filterDocsByChannel } from "./channel-read-filter.js";
 import { mintFilesUrls, isFileMeta } from "./files-url-mint.js";
 async function readAllowed(vctx, acl, access, appSlug, ownerHandle) {
     if (acl?.read !== undefined)
@@ -54,18 +57,22 @@ export const putDocEvento = {
         }
         return Result.Ok(Option.Some({ ...msg, payload: ret }));
     }),
-    handle: checkAuth(async (ctx) => {
+    handle: optAuth(async (ctx) => {
         const req = ctx.validated.payload;
         const vctx = ctx.ctx.getOrThrow("vibesApiCtx");
-        const userId = req._auth.verifiedAuth.claims.userId;
+        const userId = req._auth?.verifiedAuth.claims.userId ?? null;
         if (isDirectChannel(req.ownerHandle)) {
+            if (!userId) {
+                await ctx.send.send(ctx, { type: "vibes.diy.res-error", error: { message: "Access denied" } });
+                return Result.Ok(EventoResult.Continue);
+            }
             const rAccess = await checkDirectChannelAccess(vctx, req.ownerHandle, userId);
             if (rAccess.isErr() || !rAccess.Ok()) {
                 await ctx.send.send(ctx, { type: "vibes.diy.res-error", error: { message: "Access denied" } });
                 return Result.Ok(EventoResult.Continue);
             }
         }
-        else {
+        else if (userId) {
             const access = await checkDocAccess(vctx, userId, req.appSlug, req.ownerHandle);
             const rAcl = await resolveDbAcl(vctx, req.ownerHandle, req.appSlug, req.dbName);
             if (rAcl.isErr()) {
@@ -86,8 +93,114 @@ export const putDocEvento = {
             });
             return Result.Ok(EventoResult.Continue);
         }
-        const now = new Date().toISOString();
+        let accessResult;
+        const tAfb = vctx.sql.tables.accessFunctionBindings;
+        const afbRow = await vctx.sql.db
+            .select({ accessFnCid: tAfb.accessFnCid, accessFnAssetUri: tAfb.accessFnAssetUri, dbName: tAfb.dbName })
+            .from(tAfb)
+            .where(and(eq(tAfb.userSlug, req.ownerHandle), eq(tAfb.appSlug, req.appSlug), inArray(tAfb.dbName, [req.dbName, "*"])))
+            .orderBy(sql `CASE WHEN ${tAfb.dbName} = ${req.dbName} THEN 0 ELSE 1 END`)
+            .limit(1)
+            .then((r) => r[0]);
+        if (!userId && !afbRow?.accessFnCid) {
+            await ctx.send.send(ctx, {
+                type: "vibes.diy.res-error",
+                error: { message: "Access denied" },
+            });
+            return Result.Ok(EventoResult.Continue);
+        }
         const docId = req.docId ?? vctx.sthis.timeOrderedNextId().str;
+        if (afbRow?.accessFnCid && vctx.invokeAccessFn) {
+            const fnCid = afbRow.accessFnCid;
+            const t_usb = vctx.sql.tables.handleBinding;
+            const writerRow = userId
+                ? await vctx.sql.db
+                    .select({ handle: t_usb.handle })
+                    .from(t_usb)
+                    .where(eq(t_usb.userId, userId))
+                    .limit(1)
+                    .then((r) => r[0])
+                : undefined;
+            const userContext = writerRow?.handle ? { userHandle: writerRow.handle } : null;
+            let oldDoc = null;
+            if (req.docId) {
+                const tDocs = vctx.sql.tables.appDocuments;
+                const existing = await vctx.sql.db
+                    .select({ data: tDocs.data })
+                    .from(tDocs)
+                    .where(and(eq(tDocs.ownerHandle, req.ownerHandle), eq(tDocs.appSlug, req.appSlug), eq(tDocs.dbName, req.dbName), eq(tDocs.docId, req.docId)))
+                    .orderBy(desc(tDocs.seq))
+                    .limit(1)
+                    .then((r) => r[0]);
+                oldDoc = existing?.data ?? null;
+            }
+            let accessFnSource;
+            if (afbRow.accessFnAssetUri) {
+                const rFetch = await vctx.storage.fetch(afbRow.accessFnAssetUri);
+                if (rFetch.type === "fetch.ok") {
+                    const reader = rFetch.data.getReader();
+                    const chunks = [];
+                    for (;;) {
+                        const { done, value } = await reader.read();
+                        if (done)
+                            break;
+                        if (value)
+                            chunks.push(value);
+                    }
+                    const totalLength = chunks.reduce((sum, c) => sum + c.length, 0);
+                    const merged = new Uint8Array(totalLength);
+                    let offset = 0;
+                    for (const chunk of chunks) {
+                        merged.set(chunk, offset);
+                        offset += chunk.length;
+                    }
+                    const rawSource = new TextDecoder().decode(merged);
+                    accessFnSource = extractExportSource(rawSource, afbRow.dbName) ?? rawSource;
+                }
+            }
+            const tOutputs = vctx.sql.tables.accessFnOutputs;
+            const storedOutputs = await vctx.sql.db
+                .select({ docId: tOutputs.docId, output: tOutputs.output })
+                .from(tOutputs)
+                .where(and(eq(tOutputs.userSlug, req.ownerHandle), eq(tOutputs.appSlug, req.appSlug), eq(tOutputs.dbName, req.dbName), eq(tOutputs.fnCid, fnCid), eq(tOutputs.hasGrants, 1)));
+            const reduce = new GrantReduce();
+            for (const row of storedOutputs) {
+                reduce.addDoc(row.docId, extractContribution(JSON.parse(row.output)));
+            }
+            const grantState = {
+                members: Object.fromEntries(Array.from(reduce.effectiveMembers).map(([k, v]) => [k, Array.from(v)])),
+                roleGrants: Object.fromEntries(Array.from(reduce.roleGrants).map(([k, v]) => [k, Array.from(v)])),
+                userGrants: Object.fromEntries(Array.from(reduce.userGrants).map(([k, v]) => [k, Array.from(v)])),
+            };
+            const invokeResult = await vctx.invokeAccessFn({
+                cid: fnCid,
+                doc: { ...req.doc, _id: docId },
+                oldDoc,
+                user: userContext,
+                source: accessFnSource,
+                grantState,
+            });
+            if ("forbidden" in invokeResult) {
+                await ctx.send.send(ctx, {
+                    type: "vibes.diy.res-error",
+                    error: { message: invokeResult.forbidden },
+                });
+                return Result.Ok(EventoResult.Continue);
+            }
+            try {
+                enforceAllowAnonymous(invokeResult, userContext);
+            }
+            catch (err) {
+                const reason = err instanceof ForbiddenError ? err.forbidden : String(err);
+                await ctx.send.send(ctx, {
+                    type: "vibes.diy.res-error",
+                    error: { message: reason },
+                });
+                return Result.Ok(EventoResult.Continue);
+            }
+            accessResult = invokeResult;
+        }
+        const now = new Date().toISOString();
         const dbName = req.dbName;
         const t = vctx.sql.tables.appDocuments;
         const maxSeqResult = await vctx.sql.db
@@ -102,7 +215,7 @@ export const putDocEvento = {
             dbName,
             docId,
             seq: nextSeq,
-            userId,
+            userId: userId ?? "unknown",
             data: req.doc,
             deleted: 0,
             created: now,
@@ -122,14 +235,14 @@ export const putDocEvento = {
                 const senderRow = await vctx.sql.db
                     .select({ handle: t_usb.handle })
                     .from(t_usb)
-                    .where(and(eq(t_usb.userId, userId), inArray(t_usb.handle, participants)))
+                    .where(and(eq(t_usb.userId, userId ?? ""), inArray(t_usb.handle, participants)))
                     .then((r) => r[0]);
                 const senderUserSlug = senderRow?.handle ?? "";
                 const recipientUserSlug = participants.find((h) => h !== senderUserSlug) ?? participants[1];
                 await vctx.postQueue({
                     payload: {
                         type: "vibes.diy.evt-dm-received",
-                        senderUserId: userId,
+                        senderUserId: userId ?? "",
                         senderUserSlug,
                         recipientUserSlug,
                         channelUserSlug: req.ownerHandle,
@@ -160,12 +273,12 @@ export const putDocEvento = {
             await vctx.postQueue({
                 payload: {
                     type: "vibes.diy.evt-comment-posted",
-                    userId,
+                    userId: userId ?? "unknown",
                     ownerHandle: req.ownerHandle,
                     appSlug: req.appSlug,
                     docId,
                     created: now,
-                    email: req._auth.verifiedAuth.claims.params.email,
+                    email: req._auth?.verifiedAuth.claims.params.email ?? "unknown",
                 },
                 tid: "queue-event",
                 src: "putDoc",
@@ -174,9 +287,56 @@ export const putDocEvento = {
             });
         }
         if (vctx.notifyDocChanged) {
-            vctx
-                .notifyDocChanged({ ownerHandle: req.ownerHandle, appSlug: req.appSlug, dbName, docId }, clientWsSend(ctx).connId)
-                .catch((e) => console.error("DocNotify error:", e));
+            if (accessResult?.channels?.length) {
+                for (const channel of accessResult.channels) {
+                    vctx
+                        .notifyDocChanged({ ownerHandle: req.ownerHandle, appSlug: req.appSlug, dbName: channel, docId }, clientWsSend(ctx).connId)
+                        .catch((e) => console.error("DocNotify channel error:", e));
+                }
+            }
+            else {
+                vctx
+                    .notifyDocChanged({ ownerHandle: req.ownerHandle, appSlug: req.appSlug, dbName, docId }, clientWsSend(ctx).connId)
+                    .catch((e) => console.error("DocNotify error:", e));
+            }
+        }
+        if (accessResult && !("forbidden" in accessResult) && afbRow?.accessFnCid) {
+            const tOutputs = vctx.sql.tables.accessFnOutputs;
+            const outputHasGrants = (accessResult.members && Object.keys(accessResult.members).length > 0) ||
+                (accessResult.grant?.users && Object.keys(accessResult.grant.users).length > 0) ||
+                (accessResult.grant?.roles && Object.keys(accessResult.grant.roles).length > 0) ||
+                (accessResult.grant?.public && accessResult.grant.public.length > 0)
+                ? 1
+                : 0;
+            const rUpsert = await exception2Result(() => vctx.sql.db
+                .insert(tOutputs)
+                .values({
+                userSlug: req.ownerHandle,
+                appSlug: req.appSlug,
+                dbName: req.dbName,
+                docId,
+                fnCid: afbRow.accessFnCid,
+                output: JSON.stringify(accessResult),
+                hasGrants: outputHasGrants,
+            })
+                .onConflictDoUpdate({
+                target: [tOutputs.userSlug, tOutputs.appSlug, tOutputs.dbName, tOutputs.docId],
+                set: {
+                    fnCid: afbRow.accessFnCid,
+                    output: JSON.stringify(accessResult),
+                    hasGrants: outputHasGrants,
+                },
+            }));
+            if (rUpsert.isErr()) {
+                console.error("AccessFnOutputs upsert failed:", rUpsert.Err());
+                if (outputHasGrants === 1) {
+                    await ctx.send.send(ctx, {
+                        type: "vibes.diy.res-error",
+                        error: { message: "grant storage failed — retry the write" },
+                    });
+                    return Result.Ok(EventoResult.Continue);
+                }
+            }
         }
         await ctx.send.send(ctx, {
             type: "vibes.diy.res-put-doc",
@@ -225,6 +385,59 @@ export const getDocEvento = {
             });
             return Result.Ok(EventoResult.Continue);
         }
+        const tAfbG = vctx.sql.tables.accessFunctionBindings;
+        const afbRowG = await vctx.sql.db
+            .select({ accessFnCid: tAfbG.accessFnCid })
+            .from(tAfbG)
+            .where(and(eq(tAfbG.userSlug, req.ownerHandle), eq(tAfbG.appSlug, req.appSlug), inArray(tAfbG.dbName, [req.dbName, "*"])))
+            .orderBy(sql `CASE WHEN ${tAfbG.dbName} = ${req.dbName} THEN 0 ELSE 1 END`)
+            .limit(1)
+            .then((r) => r[0]);
+        if (afbRowG?.accessFnCid) {
+            const tOutputsG = vctx.sql.tables.accessFnOutputs;
+            const docOutput = await vctx.sql.db
+                .select({ output: tOutputsG.output })
+                .from(tOutputsG)
+                .where(and(eq(tOutputsG.userSlug, req.ownerHandle), eq(tOutputsG.appSlug, req.appSlug), eq(tOutputsG.dbName, req.dbName), eq(tOutputsG.docId, req.docId), eq(tOutputsG.fnCid, afbRowG.accessFnCid)))
+                .limit(1)
+                .then((r) => r[0]);
+            const parsed = docOutput ? JSON.parse(docOutput.output) : undefined;
+            const docChannels = parsed?.channels;
+            if (docChannels === undefined || docChannels.length === 0) {
+                await ctx.send.send(ctx, {
+                    type: "vibes.diy.res-get-doc",
+                    status: "not-found",
+                    id: req.docId,
+                });
+                return Result.Ok(EventoResult.Continue);
+            }
+            const grantOutputs = await vctx.sql.db
+                .select({ docId: tOutputsG.docId, output: tOutputsG.output })
+                .from(tOutputsG)
+                .where(and(eq(tOutputsG.userSlug, req.ownerHandle), eq(tOutputsG.appSlug, req.appSlug), eq(tOutputsG.dbName, req.dbName), eq(tOutputsG.fnCid, afbRowG.accessFnCid), eq(tOutputsG.hasGrants, 1)));
+            const reduce = new GrantReduce();
+            for (const r of grantOutputs) {
+                reduce.addDoc(r.docId, extractContribution(JSON.parse(r.output)));
+            }
+            const userHandle = req._auth
+                ? await vctx.sql.db
+                    .select({ handle: vctx.sql.tables.handleBinding.handle })
+                    .from(vctx.sql.tables.handleBinding)
+                    .where(eq(vctx.sql.tables.handleBinding.userId, req._auth.verifiedAuth.claims.userId))
+                    .limit(1)
+                    .then((r) => r[0]?.handle ?? null)
+                : null;
+            const effectiveChannels = userHandle !== null ? reduce.resolveEffectiveChannels(userHandle) : new Set();
+            const hasAccess = docChannels.some((ch) => effectiveChannels.has(ch) || reduce.publicChannels.has(ch));
+            if (!hasAccess) {
+                await ctx.send.send(ctx, {
+                    type: "vibes.diy.res-get-doc",
+                    status: "not-found",
+                    id: req.docId,
+                });
+                return Result.Ok(EventoResult.Continue);
+            }
+        }
         const doc = mintFilesUrls(row.data, {
             ownerHandle: req.ownerHandle,
             appSlug: req.appSlug,
@@ -335,7 +548,44 @@ export const queryDocsEvento = {
                 ...doc,
             });
         }
-        const filteredDocs = applyQueryFilter(docs, req.filter);
+        const tAfbQ = vctx.sql.tables.accessFunctionBindings;
+        const afbRowQ = await vctx.sql.db
+            .select({ accessFnCid: tAfbQ.accessFnCid })
+            .from(tAfbQ)
+            .where(and(eq(tAfbQ.userSlug, req.ownerHandle), eq(tAfbQ.appSlug, req.appSlug), inArray(tAfbQ.dbName, [req.dbName, "*"])))
+            .orderBy(sql `CASE WHEN ${tAfbQ.dbName} = ${req.dbName} THEN 0 ELSE 1 END`)
+            .limit(1)
+            .then((r) => r[0]);
+        let channelFilteredDocs = docs;
+        if (afbRowQ?.accessFnCid) {
+            const tOutputsQ = vctx.sql.tables.accessFnOutputs;
+            const allOutputs = await vctx.sql.db
+                .select({ docId: tOutputsQ.docId, output: tOutputsQ.output })
+                .from(tOutputsQ)
+                .where(and(eq(tOutputsQ.userSlug, req.ownerHandle), eq(tOutputsQ.appSlug, req.appSlug), eq(tOutputsQ.dbName, req.dbName), eq(tOutputsQ.fnCid, afbRowQ.accessFnCid)));
+            const grantOutputs = allOutputs.filter((r) => {
+                const parsed = JSON.parse(r.output);
+                return ((parsed.members !== undefined && Object.keys(parsed.members).length > 0) ||
+                    (parsed.grant?.users !== undefined && Object.keys(parsed.grant.users).length > 0) ||
+                    (parsed.grant?.roles !== undefined && Object.keys(parsed.grant.roles).length > 0) ||
+                    (parsed.grant?.public !== undefined && parsed.grant.public.length > 0));
+            });
+            const reduce = new GrantReduce();
+            for (const row of grantOutputs) {
+                reduce.addDoc(row.docId, extractContribution(JSON.parse(row.output)));
+            }
+            const userHandle = req._auth
+                ? await vctx.sql.db
+                    .select({ handle: vctx.sql.tables.handleBinding.handle })
+                    .from(vctx.sql.tables.handleBinding)
+                    .where(eq(vctx.sql.tables.handleBinding.userId, req._auth.verifiedAuth.claims.userId))
+                    .limit(1)
+                    .then((r) => r[0]?.handle ?? null)
+                : null;
+            const effectiveChannels = userHandle !== null ? reduce.resolveEffectiveChannels(userHandle) : new Set();
+            channelFilteredDocs = filterDocsByChannel(docs, allOutputs, userHandle, effectiveChannels, reduce.publicChannels);
+        }
+        const filteredDocs = applyQueryFilter(channelFilteredDocs, req.filter);
         await ctx.send.send(ctx, {
             type: "vibes.diy.res-query-docs",
             status: "ok",
@@ -443,9 +693,58 @@ export const subscribeDocsEvento = {
         }
         const wsSend = clientWsSend(ctx);
         const subscriptionKey = `${req.ownerHandle}/${req.appSlug}/${req.dbName}`;
-        wsSend.subscribedDocKeys.add(subscriptionKey);
+        const tAfbS = vctx.sql.tables.accessFunctionBindings;
+        const afbRowS = await vctx.sql.db
+            .select({ accessFnCid: tAfbS.accessFnCid })
+            .from(tAfbS)
+            .where(and(eq(tAfbS.userSlug, req.ownerHandle), eq(tAfbS.appSlug, req.appSlug), inArray(tAfbS.dbName, [req.dbName, "*"])))
+            .orderBy(sql `CASE WHEN ${tAfbS.dbName} = ${req.dbName} THEN 0 ELSE 1 END`)
+            .limit(1)
+            .then((r) => r[0]);
+        const channelKeys = [];
+        if (afbRowS?.accessFnCid) {
+            const tOutputsS = vctx.sql.tables.accessFnOutputs;
+            const grantOutputs = await vctx.sql.db
+                .select({ docId: tOutputsS.docId, output: tOutputsS.output })
+                .from(tOutputsS)
+                .where(and(eq(tOutputsS.userSlug, req.ownerHandle), eq(tOutputsS.appSlug, req.appSlug), eq(tOutputsS.dbName, req.dbName), eq(tOutputsS.fnCid, afbRowS.accessFnCid), eq(tOutputsS.hasGrants, 1)));
+            const reduce = new GrantReduce();
+            for (const row of grantOutputs) {
+                reduce.addDoc(row.docId, extractContribution(JSON.parse(row.output)));
+            }
+            const userHandle = req._auth
+                ? await vctx.sql.db
+                    .select({ handle: vctx.sql.tables.handleBinding.handle })
+                    .from(vctx.sql.tables.handleBinding)
+                    .where(eq(vctx.sql.tables.handleBinding.userId, req._auth.verifiedAuth.claims.userId))
+                    .limit(1)
+                    .then((r) => r[0]?.handle ?? null)
+                : null;
+            const effectiveChannels = userHandle !== null ? reduce.resolveEffectiveChannels(userHandle) : new Set();
+            for (const ch of effectiveChannels) {
+                channelKeys.push(`${req.ownerHandle}/${req.appSlug}/${ch}`);
+            }
+            for (const ch of reduce.publicChannels) {
+                channelKeys.push(`${req.ownerHandle}/${req.appSlug}/${ch}`);
+            }
+        }
+        if (channelKeys.length > 0) {
+            for (const key of channelKeys) {
+                wsSend.subscribedDocKeys.add(key);
+            }
+        }
+        else {
+            wsSend.subscribedDocKeys.add(subscriptionKey);
+        }
         if (vctx.registerDocSubscription) {
-            vctx.registerDocSubscription(subscriptionKey).catch((e) => console.error("DocNotify error:", e));
+            if (channelKeys.length > 0) {
+                for (const key of channelKeys) {
+                    vctx.registerDocSubscription(key).catch((e) => console.error("DocNotify error:", e));
+                }
+            }
+            else {
+                vctx.registerDocSubscription(subscriptionKey).catch((e) => console.error("DocNotify error:", e));
+            }
         }
         await ctx.send.send(ctx, {
             type: "vibes.diy.res-subscribe-docs",