Currently, you can't, so you're not missing anything. :) But I'm currently working on the necessary hooks so that any security model you want can be enforced by the server.
I have worked on projects that occupy this space. I tend to think that it's ok for the client to have arbitrary read access, but for writes it's a better idea for the client to generate events that are then approved and applied by the/a server. The reason for this is that it's much easier to approve high level events than low-level change-sets.
Yup. I haven't dug too much, but is there anyway to have the web clients just respond to state changes and then have some server "client" (in node or what not) be allowed to alter state?
