Realtime that cannot leak.

Two transports, one canonical SubscriptionManager. RealtimeWebSocketHandler and RealtimeSseHandler are thin transport adapters; subscription state and dispatch are shared.

ConcurrentDictionary keyed by entity name. O(1) subscription removal. Posting a change fans out to every matching subscriber's filter evaluation in parallel.

Subscribers attach filter expressions in the same AST that drives access policies. The platform evaluates per-subscriber, per-event — same predicate semantics as queries.

ChangeEvent.NewValues is null. ChangedFields is the field NAME list. Sensitive / encrypted data cannot leak through realtime — anti-pattern explicit.

EntitySubscription captures UserId / Roles / Tenant / Project at WebSocket / SSE handshake. Doesn't hold a reference to scoped IRequestScope — anti-pattern that would survive HTTP scope disposal.

Bounded channel. Posted by WriteCoordinator AFTER commit. Fire-and-forget DropOldest under load. Never blocks the write path; never delivers a phantom event.

Names matching _vadyl_* prefix are internal dispatch only. SubscriptionManager.Subscribe returns false on reserved names; the metric tracks attempts. External clients cannot route to internal signals (anti-pattern #75).

Named broadcast channels with presence tracking. Scoped to tenant / project. Use for typing indicators, live cursors, room state — peer to entity subscriptions.

Subscribers can request a small replay window on connection. Buffered in memory, capacity-bounded. Useful for catch-up after transient disconnects.