Use the filter option on @Subscription(). The filter function receives the event payload as the first argument and the subscription variables as the second. Return true to deliver the event to the subscriber, false to skip it. The context (third argument) provides the authenticated user for per-user authorization filters.
filter(payload, variables, context) — payload is the published event, variables are the subscription args.
Return true to deliver the event; return false or undefined to skip it for this subscriber.
The context third argument provides the authenticated user — use it for per-user security filtering.
resolve option reshapes the payload before delivery — useful to unwrap a nested field.
Always filter server-side — never rely on clients to discard events they should not see.