@cosmicdrift/kumiko-bundled-features 0.15.0 → 0.18.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.15.0",
+  "version": "0.18.0",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",

package/src/billing-foundation/get-subscription-for-tenant.ts

@@ -1,7 +1,6 @@
 // Resolver-helper: liest die current subscription-row für einen Tenant
 // aus der read_subscriptions-projection.
 
-import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import type { HandlerContext } from "@cosmicdrift/kumiko-framework/engine";
 import { subscriptionAggregateId } from "./aggregate-id";
 import { subscriptionsProjectionTable } from "./projection";
@@ -22,7 +21,8 @@ export async function getSubscriptionForTenant(
   tenantId: string,
 ): Promise<SubscriptionView | null> {
   const aggId = subscriptionAggregateId(tenantId);
-  const [row] = await selectMany(ctx.db, subscriptionsProjectionTable, { id: aggId }, { limit: 1 });
+  const rows = await ctx.db.selectMany(subscriptionsProjectionTable, { id: aggId }, { limit: 1 });
+  const row = rows[0];
   if (!row) return null;
   // @cast-boundary db-row — drizzle-row carries column-as-unknown
   return {

package/src/cap-counter/__tests__/{cap-counter.integration.ts → cap-counter.integration.test.ts}

@@ -6,10 +6,14 @@
 // assert. Mirrors the mail-foundation / file-foundation integration
 // test pattern.
 
-import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
 import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
-import { defineFeature, type WriteHandlerDef } from "@cosmicdrift/kumiko-framework/engine";
-import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import {
+  createEntityExecutor,
+  defineFeature,
+  type WriteHandlerDef,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { createEventsTable, eventsTable } from "@cosmicdrift/kumiko-framework/event-store";
 import {
   createTestUser,
   setupTestStack,
@@ -18,6 +22,7 @@ import {
   testTenantId,
   unsafeCreateEntityTable,
 } from "@cosmicdrift/kumiko-framework/stack";
+import { resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
 import { z } from "zod";
 import { CapCounterHandlers, CapCounterQueries } from "../constants";
 import {
@@ -192,6 +197,12 @@ afterAll(async () => {
 // which month — just need a stable iso-string so `increment` +
 // `readCounter` hit the same aggregate.
 const PERIOD = "2026-05-01T00:00:00Z";
+const { table: capCounterTable } = createEntityExecutor("cap-counter", capCounterEntity);
+
+beforeEach(async () => {
+  await resetTestTables(db, [capCounterTable, eventsTable]);
+});
+
 const sysadmin = TestUsers.systemAdmin;
 
 function adminFor(tenantNumber: number) {

package/src/cap-counter/__tests__/enforce-cap.test.ts

@@ -17,15 +17,19 @@ import {
   enforceRollingCapAndMaybeNotify,
 } from "../enforce-cap";
 
-// Test-mock: ctx.db unterstützt sowohl bun-db's .unsafe() (selectMany ruft das)
-// als auch drizzle's .select().from().where() chain (rolling-path nutzt das
-// direkt). Beide pfade returnen denselben rows-set unabhängig von filtern.
+// Test-mock: ctx.db exposes TenantDb-style selectMany (production path)
+// plus legacy drizzle .select().from().where() chain stubs.
 
 function makeMockDb(rows: unknown[]) {
+  const selectMany = async (_table: unknown, _where?: unknown, options?: { limit?: number }) => {
+    const slice = options?.limit !== undefined ? rows.slice(0, options.limit) : rows;
+    return slice;
+  };
   return {
     unsafe: async () => rows,
+    selectMany,
     begin: async <T>(fn: (tx: unknown) => Promise<T>) =>
-      fn({ unsafe: async () => rows, begin: async () => undefined }),
+      fn({ unsafe: async () => rows, selectMany, begin: async () => undefined }),
     select: () => ({
       from: () => ({
         where: Object.assign(async () => rows, {

package/src/cap-counter/__tests__/{with-cap-enforcement.integration.ts → with-cap-enforcement.integration.test.ts}

@@ -8,10 +8,14 @@
 //   5. Failed handler: counter NICHT inkrementiert (cap-quota nicht
 //      verbrannt für gescheiterte writes)
 
-import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
 import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
-import { defineFeature, type WriteHandlerDef } from "@cosmicdrift/kumiko-framework/engine";
-import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import {
+  createEntityExecutor,
+  defineFeature,
+  type WriteHandlerDef,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { createEventsTable, eventsTable } from "@cosmicdrift/kumiko-framework/event-store";
 import {
   createTestUser,
   setupTestStack,
@@ -19,6 +23,7 @@ import {
   testTenantId,
   unsafeCreateEntityTable,
 } from "@cosmicdrift/kumiko-framework/stack";
+import { resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
 import { z } from "zod";
 import { CapCounterQueries } from "../constants";
 import type { SoftHitNotifier } from "../enforce-cap";
@@ -59,6 +64,8 @@ const innerSendHandler: WriteHandlerDef = {
 
 const PERIOD = "2026-07-01T00:00:00Z";
 
+const { table: capCounterTable } = createEntityExecutor("cap-counter", capCounterEntity);
+
 const wrappedCalendar = withCapEnforcement(innerSendHandler, () => ({
   capName: "newsletter-cap",
   periodStartIso: PERIOD,
@@ -103,6 +110,10 @@ afterAll(async () => {
   await stack.cleanup();
 });
 
+beforeEach(async () => {
+  await resetTestTables(db, [capCounterTable, eventsTable]);
+});
+
 function adminFor(tenantNumber: number) {
   return createTestUser({
     id: tenantNumber,

package/src/cap-counter/enforce-cap.ts

@@ -1,4 +1,3 @@
-import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEntityExecutor, type HandlerContext } from "@cosmicdrift/kumiko-framework/engine";
 import { eventsTable } from "@cosmicdrift/kumiko-framework/event-store";
 import { rollingCapAggregateId } from "./aggregate-id";
@@ -109,8 +108,7 @@ export async function enforceCap(
   const softThreshold = options.limit * tolerance.soft;
   const hardThreshold = options.limit * tolerance.hard;
 
-  const rows = await selectMany(
-    ctx.db,
+  const rows = await ctx.db.selectMany(
     table,
     { capName: options.capName, periodStart: options.periodStartIso },
     { limit: 1 },
@@ -188,7 +186,7 @@ export async function enforceRollingCap(
   // covers the prefix; the additional aggregate_id eq narrows to the
   // single rolling-stream. Postgres can use the index even with the
   // aggregate_id filter applied as a residual.
-  const rows = await selectMany<{ payload: { amount?: number } }>(ctx.db, eventsTable, {
+  const rows = await ctx.db.selectMany<{ payload: { amount?: number } }>(eventsTable, {
     tenantId: ctx.user.tenantId,
     aggregateType: CAP_COUNTER_ROLLING_AGGREGATE_TYPE,
     aggregateId,

package/src/cap-counter/handlers/get-counter.query.ts

@@ -1,4 +1,3 @@
-import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEntityExecutor, type QueryHandlerDef } from "@cosmicdrift/kumiko-framework/engine";
 import { z } from "zod";
 import { capCounterEntity } from "../entity";
@@ -25,8 +24,7 @@ export const getCounterQuery: QueryHandlerDef = {
     const { capName, periodStartIso } = query.payload as z.infer<typeof getCounterSchema>; // @cast-boundary engine-payload
 
     // ctx.db is tenant-scoped; filter by capName + periodStart explicitly.
-    const rows = await selectMany(
-      ctx.db,
+    const rows = await ctx.db.selectMany(
       table,
       { capName, periodStart: periodStartIso },
       { limit: 1 },

package/src/cap-counter/handlers/increment.write.ts

@@ -1,4 +1,3 @@
-import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEntityExecutor, type WriteHandlerDef } from "@cosmicdrift/kumiko-framework/engine";
 import { Temporal } from "temporal-polyfill";
 import { z } from "zod";
@@ -55,7 +54,7 @@ export const incrementCapHandler: WriteHandlerDef = {
 
     // Read existing aggregate's projection-row to decide create vs update.
     // ctx.db is auto-tenant-scoped — id-lookup is unique per tenant.
-    const existing = await selectMany(ctx.db, table, { id: aggregateId }, { limit: 1 });
+    const existing = await ctx.db.selectMany(table, { id: aggregateId }, { limit: 1 });
 
     if (existing.length === 0) {
       return executor.create(

package/src/cap-counter/handlers/mark-soft-warned.write.ts

@@ -1,4 +1,3 @@
-import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEntityExecutor, type WriteHandlerDef } from "@cosmicdrift/kumiko-framework/engine";
 import { Temporal } from "temporal-polyfill";
 import { z } from "zod";
@@ -32,7 +31,7 @@ export const markSoftWarnedHandler: WriteHandlerDef = {
       payload.periodStartIso,
     );
 
-    const existing = await selectMany(ctx.db, table, { id: aggregateId }, { limit: 1 });
+    const existing = await ctx.db.selectMany(table, { id: aggregateId }, { limit: 1 });
     if (existing.length === 0) {
       throw new Error(
         `cap-counter: cannot mark-soft-warned, no counter found for tenant=${event.user.tenantId} cap=${payload.capName} period=${payload.periodStartIso}`,

package/src/channel-in-app/in-app-channel.ts

@@ -1,4 +1,3 @@
-import { insertOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import { tenantChannel } from "@cosmicdrift/kumiko-framework/engine";
 import type { DeliveryChannel } from "../delivery";
 import { inAppMessagesTable } from "./tables";
@@ -15,8 +14,7 @@ export const inAppChannel: DeliveryChannel = {
     // address is the user-id string after the ES migration — keep it as-is.
     const userId = address;
 
-    const row = await insertOne<{ id: string }>(ctx.db, inAppMessagesTable, {
-      tenantId: ctx.tenantId,
+    const row = await ctx.db.insertOne<{ id: string }>(inAppMessagesTable, {
       userId,
       notificationType: message.notificationType,
       title: message.title,

package/src/compliance-profiles/_internal/parse-override.ts

@@ -0,0 +1,19 @@
+import type { ComplianceProfileOverride } from "@cosmicdrift/kumiko-framework/compliance";
+import { parseJsonSafe } from "@cosmicdrift/kumiko-framework/utils";
+
+export function parseComplianceProfileOverride(
+  raw: string | null,
+  tenantId: string,
+  callerLabel: string,
+): ComplianceProfileOverride | undefined {
+  if (!raw || raw.trim() === "") return undefined;
+  const parsed = parseJsonSafe<ComplianceProfileOverride | null>(raw, null);
+  if (parsed === null) {
+    // biome-ignore lint/suspicious/noConsole: operator visibility for DB-corruption edge-case
+    console.warn(
+      `[${callerLabel}] tenant ${tenantId}: stored override is not valid JSON, ignoring.`,
+    );
+    return undefined;
+  }
+  return parsed;
+}

package/src/compliance-profiles/handlers/for-tenant.query.ts

@@ -1,12 +1,12 @@
 import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import {
   type ComplianceProfileKey,
-  type ComplianceProfileOverride,
   type EffectiveComplianceProfile,
   resolveComplianceProfile,
 } from "@cosmicdrift/kumiko-framework/compliance";
 import { defineQueryHandler } from "@cosmicdrift/kumiko-framework/engine";
 import { z } from "zod";
+import { parseComplianceProfileOverride } from "../_internal/parse-override";
 import { tenantComplianceProfileTable } from "../schema/profile-selection";
 
 // Liefert das effektive Compliance-Profile fuer den aktuellen Tenant.
@@ -29,33 +29,14 @@ export const forTenantQuery = defineQueryHandler({
       return resolveComplianceProfile({});
     }
 
-    const override = parseOverride(row.override, query.user.tenantId);
+    const override = parseComplianceProfileOverride(
+      row.override,
+      query.user.tenantId,
+      "compliance-profiles:for-tenant",
+    );
     return resolveComplianceProfile({
       selection: row.profileKey as ComplianceProfileKey, // @cast-boundary engine-payload
       override,
     });
   },
 });
-
-function parseOverride(
-  raw: string | null,
-  tenantId: string,
-): ComplianceProfileOverride | undefined {
-  if (!raw || raw.trim() === "") return undefined;
-  try {
-    const parsed: unknown = JSON.parse(raw);
-    return parsed as ComplianceProfileOverride; // @cast-boundary engine-payload
-  } catch (e: unknown) {
-    const reason = e instanceof Error ? e.message : String(e);
-    // Defensiv: ungültiges JSON wird als "kein Override" behandelt. Der
-    // set-profile-Handler validiert Zod das Override schon — invalides
-    // JSON in der DB ist also nur möglich bei manueller DB-Manipulation
-    // oder Migration-Bug. Resolver-Caller darf trotzdem nicht crashen.
-    // Operator-Sichtbarkeit via console.warn — Telemetry-Hook spaeter.
-    // biome-ignore lint/suspicious/noConsole: operator visibility for DB-corruption edge-case
-    console.warn(
-      `[compliance-profiles:for-tenant] tenant ${tenantId}: stored override is not valid JSON, falling back to base profile. Reason: ${reason}`,
-    );
-    return undefined;
-  }
-}

package/src/compliance-profiles/resolve-for-tenant.ts

@@ -11,12 +11,12 @@
 import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import {
   type ComplianceProfileKey,
-  type ComplianceProfileOverride,
   type EffectiveComplianceProfile,
   resolveComplianceProfile,
 } from "@cosmicdrift/kumiko-framework/compliance";
 import type { DbRunner } from "@cosmicdrift/kumiko-framework/db";
 import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import { parseComplianceProfileOverride } from "./_internal/parse-override";
 import { tenantComplianceProfileTable } from "./schema/profile-selection";
 
 export interface ResolveProfileForTenantArgs {
@@ -35,27 +35,13 @@ export async function resolveProfileForTenant(
     return resolveComplianceProfile({});
   }
 
-  const override = parseOverride(row.override, args.tenantId);
+  const override = parseComplianceProfileOverride(
+    row.override,
+    args.tenantId,
+    "compliance-profiles:resolve-for-tenant",
+  );
   return resolveComplianceProfile({
     selection: row.profileKey as ComplianceProfileKey, // @cast-boundary engine-payload
     override,
   });
 }
-
-function parseOverride(
-  raw: string | null,
-  tenantId: string,
-): ComplianceProfileOverride | undefined {
-  if (!raw || raw.trim() === "") return undefined;
-  try {
-    const parsed: unknown = JSON.parse(raw);
-    return parsed as ComplianceProfileOverride; // @cast-boundary engine-payload
-  } catch (e: unknown) {
-    const reason = e instanceof Error ? e.message : String(e);
-    // biome-ignore lint/suspicious/noConsole: operator visibility for DB-corruption edge-case
-    console.warn(
-      `[compliance-profiles:resolve-for-tenant] tenant ${tenantId}: stored override is not valid JSON, ignoring. Reason: ${reason}`,
-    );
-    return undefined;
-  }
-}

package/src/custom-fields/__tests__/cross-tenant-field-delete.integration.test.ts

@@ -0,0 +1,177 @@
+// Regression: deleting a tenant-scoped custom-field definition must only clear
+// that tenant's rows — NOT every tenant's row that happens to use the same
+// kebab fieldKey.
+//
+// Bug: the fieldDefinition.deleted MSP-handler stripped the jsonb key from
+// every row of the host table (no tenant filter). Two tenants that each define
+// their own field with the same key (e.g. "priority") share the jsonb key on
+// the host-entity table; one tenant deleting their definition wiped the other
+// tenant's values. The fix scopes cleanup by the deleted definition's owning
+// tenant (system-scope still cascades to all).
+
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
+import { buildEntityTable } from "@cosmicdrift/kumiko-framework/db";
+import {
+  createEntity,
+  createEntityExecutor,
+  createTextField,
+  defineEntityListHandler,
+  defineFeature,
+  type SessionUser,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import {
+  createTestUser,
+  setupTestStack,
+  type TestStack,
+  testTenantId,
+  testUserId,
+  unsafeCreateEntityTable,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { z } from "zod";
+import { fieldDefinitionEntity } from "../entity";
+import { createCustomFieldsFeature } from "../feature";
+import { customFieldsField, wireCustomFieldsFor } from "../wire-for-entity";
+
+const propertyEntity = createEntity({
+  table: "read_xt_properties",
+  fields: {
+    name: createTextField({ required: true }),
+    customFields: customFieldsField(),
+  },
+});
+const propertyTable = buildEntityTable("property", propertyEntity);
+
+const propertyFeature = defineFeature("property-xt", (r) => {
+  r.entity("property", propertyEntity);
+  r.requires("custom-fields");
+  wireCustomFieldsFor(r, "property", propertyTable);
+
+  const { executor: propertyExecutor } = createEntityExecutor("property", propertyEntity);
+  r.writeHandler({
+    name: "property:create",
+    schema: z.object({ id: z.string(), name: z.string() }),
+    access: { roles: ["TenantAdmin"] },
+    handler: async (event, ctx) => {
+      const payload = event.payload as { id: string; name: string };
+      return propertyExecutor.create(
+        { id: payload.id, name: payload.name, customFields: {} },
+        event.user,
+        ctx.db,
+      );
+    },
+  });
+
+  r.queryHandler(
+    defineEntityListHandler("property", propertyEntity, { access: { roles: ["TenantAdmin"] } }),
+  );
+});
+
+const customFieldsFeature = createCustomFieldsFeature();
+
+let stack: TestStack;
+
+const adminA = createTestUser({
+  id: testUserId(1),
+  tenantId: testTenantId(1),
+  roles: ["TenantAdmin"],
+});
+const adminB = createTestUser({
+  id: testUserId(10),
+  tenantId: testTenantId(2),
+  roles: ["TenantAdmin"],
+});
+
+const PROP_A = "aaaaaaaa-aaaa-4000-8000-000000000001";
+const PROP_B = "bbbbbbbb-bbbb-4000-8000-000000000002";
+
+beforeAll(async () => {
+  stack = await setupTestStack({ features: [customFieldsFeature, propertyFeature] });
+  await unsafeCreateEntityTable(stack.db, fieldDefinitionEntity);
+  await unsafeCreateEntityTable(stack.db, propertyEntity);
+  await createEventsTable(stack.db);
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+beforeEach(async () => {
+  await asRawClient(stack.db).unsafe(`DELETE FROM kumiko_events`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM read_xt_properties`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM read_custom_field_definitions`);
+});
+
+async function defineField(user: SessionUser, fieldKey: string) {
+  return stack.http.writeOk(
+    "custom-fields:write:define-tenant-field",
+    {
+      entityName: "property",
+      fieldKey,
+      serializedField: { type: "text" },
+      required: false,
+      searchable: false,
+      displayOrder: 0,
+    },
+    user,
+  );
+}
+
+async function setCustomField(
+  user: SessionUser,
+  entityId: string,
+  fieldKey: string,
+  value: unknown,
+) {
+  return stack.http.writeOk(
+    "custom-fields:write:set-custom-field",
+    { entityName: "property", entityId, fieldKey, value },
+    user,
+  );
+}
+
+async function deleteField(user: SessionUser, fieldKey: string) {
+  return stack.http.writeOk(
+    "custom-fields:write:delete-tenant-field",
+    { entityName: "property", fieldKey },
+    user,
+  );
+}
+
+async function createProperty(user: SessionUser, id: string, name: string) {
+  return stack.http.writeOk("property-xt:write:property:create", { id, name }, user);
+}
+
+async function priorityOf(user: SessionUser, id: string): Promise<unknown> {
+  const { rows } = (await stack.http.queryOk("property-xt:query:property:list", {}, user)) as {
+    rows: Array<Record<string, unknown>>;
+  };
+  return rows.find((r) => r["id"] === id)?.["priority"];
+}
+
+describe("custom-fields cross-tenant isolation — fieldDefinition delete", () => {
+  test("deleting tenant A's field with a shared kebab key must NOT wipe tenant B's values", async () => {
+    // Both tenants independently define their own "priority" field on property.
+    await defineField(adminA, "priority");
+    await defineField(adminB, "priority");
+
+    await createProperty(adminA, PROP_A, "A-Prop");
+    await createProperty(adminB, PROP_B, "B-Prop");
+
+    await setCustomField(adminA, PROP_A, "priority", "A-value");
+    await setCustomField(adminB, PROP_B, "priority", "B-value");
+    await stack.eventDispatcher?.runOnce();
+
+    expect(await priorityOf(adminA, PROP_A)).toBe("A-value");
+    expect(await priorityOf(adminB, PROP_B)).toBe("B-value");
+
+    // Tenant A deletes their "priority" field definition.
+    await deleteField(adminA, "priority");
+    await stack.eventDispatcher?.runOnce();
+
+    // A's value is correctly gone; B's value MUST survive (tenant-scoped cleanup).
+    expect(await priorityOf(adminA, PROP_A)).toBeUndefined();
+    expect(await priorityOf(adminB, PROP_B)).toBe("B-value");
+  });
+});

package/src/custom-fields/__tests__/{custom-fields.integration.ts → custom-fields.integration.test.ts}

@@ -259,3 +259,108 @@ describe("custom-fields integration — Last-Wins on concurrent set", () => {
     expect(p6?.["status"]).toBe("published");
   });
 });
+
+describe("custom-fields integration — value validation (Builder-Reuse)", () => {
+  async function setErr(entityId: string, fieldKey: string, value: unknown) {
+    return stack.http.writeErr(
+      "custom-fields:write:set-custom-field",
+      { entityName: "property", entityId, fieldKey, value },
+      admin,
+    );
+  }
+
+  async function countSetEvents(entityId: string): Promise<number> {
+    const rows = await asRawClient(stack.db).unsafe(
+      "SELECT count(*)::int AS n FROM kumiko_events WHERE aggregate_id = $1 AND type = $2",
+      [entityId, "custom-fields:event:custom-field-set"],
+    );
+    return (rows as ReadonlyArray<{ n: number }>)[0]?.n ?? 0;
+  }
+
+  async function rawCustomFields(entityId: string): Promise<Record<string, unknown>> {
+    const rows = await asRawClient(stack.db).unsafe(
+      "SELECT custom_fields FROM read_t1_properties WHERE id = $1",
+      [entityId],
+    );
+    const cf = (rows as ReadonlyArray<{ custom_fields: unknown }>)[0]?.custom_fields;
+    return cf && typeof cf === "object" && !Array.isArray(cf)
+      ? (cf as Record<string, unknown>)
+      : {};
+  }
+
+  test("type mismatch → 422, no event emitted, no jsonb key after projection", async () => {
+    const id = "77777777-7777-4000-8000-000000000007";
+    await defineField("property", "count", "number");
+    await createProperty(id, "TypeMismatch");
+
+    const err = await setErr(id, "count", "not-a-number");
+    expect(err.httpStatus).toBe(422);
+    expect(err.code).toBe("unprocessable");
+    expect(err.details).toMatchObject({ reason: "custom_field_value_invalid" });
+
+    // Plan-Promise: kein Event entsteht — Projection bleibt typed.
+    expect(await countSetEvents(id)).toBe(0);
+
+    await stack.eventDispatcher?.runOnce();
+    expect(await rawCustomFields(id)).not.toHaveProperty("count");
+  });
+
+  test("matching values pass — number/text/boolean land correctly", async () => {
+    const id = "88888888-8888-4000-8000-000000000008";
+    await defineField("property", "count", "number");
+    await defineField("property", "label", "text");
+    await defineField("property", "active", "boolean");
+    await createProperty(id, "Valid");
+
+    await setCustomField("property", id, "count", 42);
+    await setCustomField("property", id, "label", "ok");
+    await setCustomField("property", id, "active", true);
+    await stack.eventDispatcher?.runOnce();
+
+    const row = (await listProperties()).rows.find((r) => r["id"] === id);
+    expect(row?.["count"]).toBe(42);
+    expect(row?.["label"]).toBe("ok");
+    expect(row?.["active"]).toBe(true);
+  });
+
+  test("boolean field rejects a string value → 422, no event", async () => {
+    const id = "99999999-9999-4000-8000-000000000009";
+    await defineField("property", "flag", "boolean");
+    await createProperty(id, "BoolReject");
+
+    const err = await setErr(id, "flag", "yes");
+    expect(err.httpStatus).toBe(422);
+    expect(err.code).toBe("unprocessable");
+    expect(err.details).toMatchObject({ reason: "custom_field_value_invalid" });
+    expect(await countSetEvents(id)).toBe(0);
+  });
+
+  test("embedded field rejects a non-object value → 422, no event", async () => {
+    const id = "aaaaaaaa-aaaa-4000-8000-00000000000a";
+    // embedded carries a sub-field schema in serializedField — exercises
+    // fieldToZod's z.object(...) dispatch (the structurally complex path).
+    await stack.http.writeOk(
+      "custom-fields:write:define-tenant-field",
+      {
+        entityName: "property",
+        fieldKey: "geo",
+        serializedField: { type: "embedded", schema: { city: { type: "text", required: true } } },
+        required: false,
+        searchable: false,
+        displayOrder: 0,
+      },
+      admin,
+    );
+    await createProperty(id, "EmbeddedReject");
+
+    const err = await setErr(id, "geo", "not-an-object");
+    expect(err.httpStatus).toBe(422);
+    expect(err.details).toMatchObject({ reason: "custom_field_value_invalid" });
+    expect(await countSetEvents(id)).toBe(0);
+
+    // Positive: a matching object passes + lands.
+    await setCustomField("property", id, "geo", { city: "Bonn" });
+    await stack.eventDispatcher?.runOnce();
+    expect(await rawCustomFields(id)).toMatchObject({ geo: { city: "Bonn" } });
+  });
+});