Currently it seems 'deny' must be used to add data on the server side during a client initiated insert(*). It would be nice to see a mechanism added for document manipulation explicitly.
Maintaining createdAt and updatedAt timestamps is a common use case that would be nice to support elegantly.
Thanks for flagging this. I agree that using deny for this is a pretty crazy hack.
I think that the right way to handle this is a schema layer that includes validators, flexible mapping of field names to Mongo document names or in the future SQL column names (as you suggested on roadmap.meteor.com), createdAt and updatedAt, as well as maybe arbitrary hooks that can run on create, update, and delete.
We do not use GitHub to track feature requests (other than for Blaze). The core team's current roadmap is at https://roadmap.meteor.com/. Discussions about features that users desire are great topics for the meteor-talk mailing list, where the community can help come up with solutions that don't require core changes.