@cosmicdrift/kumiko-bundled-features 0.16.0 → 0.18.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.16.0",
+  "version": "0.18.0",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",

package/src/billing-foundation/get-subscription-for-tenant.ts

@@ -1,7 +1,6 @@
 // Resolver-helper: liest die current subscription-row für einen Tenant
 // aus der read_subscriptions-projection.
 
-import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import type { HandlerContext } from "@cosmicdrift/kumiko-framework/engine";
 import { subscriptionAggregateId } from "./aggregate-id";
 import { subscriptionsProjectionTable } from "./projection";
@@ -22,7 +21,8 @@ export async function getSubscriptionForTenant(
   tenantId: string,
 ): Promise<SubscriptionView | null> {
   const aggId = subscriptionAggregateId(tenantId);
-  const [row] = await selectMany(ctx.db, subscriptionsProjectionTable, { id: aggId }, { limit: 1 });
+  const rows = await ctx.db.selectMany(subscriptionsProjectionTable, { id: aggId }, { limit: 1 });
+  const row = rows[0];
   if (!row) return null;
   // @cast-boundary db-row — drizzle-row carries column-as-unknown
   return {

package/src/cap-counter/__tests__/{cap-counter.integration.ts → cap-counter.integration.test.ts}

@@ -6,10 +6,14 @@
 // assert. Mirrors the mail-foundation / file-foundation integration
 // test pattern.
 
-import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
 import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
-import { defineFeature, type WriteHandlerDef } from "@cosmicdrift/kumiko-framework/engine";
-import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import {
+  createEntityExecutor,
+  defineFeature,
+  type WriteHandlerDef,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { createEventsTable, eventsTable } from "@cosmicdrift/kumiko-framework/event-store";
 import {
   createTestUser,
   setupTestStack,
@@ -18,6 +22,7 @@ import {
   testTenantId,
   unsafeCreateEntityTable,
 } from "@cosmicdrift/kumiko-framework/stack";
+import { resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
 import { z } from "zod";
 import { CapCounterHandlers, CapCounterQueries } from "../constants";
 import {
@@ -192,6 +197,12 @@ afterAll(async () => {
 // which month — just need a stable iso-string so `increment` +
 // `readCounter` hit the same aggregate.
 const PERIOD = "2026-05-01T00:00:00Z";
+const { table: capCounterTable } = createEntityExecutor("cap-counter", capCounterEntity);
+
+beforeEach(async () => {
+  await resetTestTables(db, [capCounterTable, eventsTable]);
+});
+
 const sysadmin = TestUsers.systemAdmin;
 
 function adminFor(tenantNumber: number) {

package/src/cap-counter/__tests__/enforce-cap.test.ts

@@ -17,15 +17,19 @@ import {
   enforceRollingCapAndMaybeNotify,
 } from "../enforce-cap";
 
-// Test-mock: ctx.db unterstützt sowohl bun-db's .unsafe() (selectMany ruft das)
-// als auch drizzle's .select().from().where() chain (rolling-path nutzt das
-// direkt). Beide pfade returnen denselben rows-set unabhängig von filtern.
+// Test-mock: ctx.db exposes TenantDb-style selectMany (production path)
+// plus legacy drizzle .select().from().where() chain stubs.
 
 function makeMockDb(rows: unknown[]) {
+  const selectMany = async (_table: unknown, _where?: unknown, options?: { limit?: number }) => {
+    const slice = options?.limit !== undefined ? rows.slice(0, options.limit) : rows;
+    return slice;
+  };
   return {
     unsafe: async () => rows,
+    selectMany,
     begin: async <T>(fn: (tx: unknown) => Promise<T>) =>
-      fn({ unsafe: async () => rows, begin: async () => undefined }),
+      fn({ unsafe: async () => rows, selectMany, begin: async () => undefined }),
     select: () => ({
       from: () => ({
         where: Object.assign(async () => rows, {

package/src/cap-counter/__tests__/{with-cap-enforcement.integration.ts → with-cap-enforcement.integration.test.ts}

@@ -8,10 +8,14 @@
 //   5. Failed handler: counter NICHT inkrementiert (cap-quota nicht
 //      verbrannt für gescheiterte writes)
 
-import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
 import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
-import { defineFeature, type WriteHandlerDef } from "@cosmicdrift/kumiko-framework/engine";
-import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import {
+  createEntityExecutor,
+  defineFeature,
+  type WriteHandlerDef,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { createEventsTable, eventsTable } from "@cosmicdrift/kumiko-framework/event-store";
 import {
   createTestUser,
   setupTestStack,
@@ -19,6 +23,7 @@ import {
   testTenantId,
   unsafeCreateEntityTable,
 } from "@cosmicdrift/kumiko-framework/stack";
+import { resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
 import { z } from "zod";
 import { CapCounterQueries } from "../constants";
 import type { SoftHitNotifier } from "../enforce-cap";
@@ -59,6 +64,8 @@ const innerSendHandler: WriteHandlerDef = {
 
 const PERIOD = "2026-07-01T00:00:00Z";
 
+const { table: capCounterTable } = createEntityExecutor("cap-counter", capCounterEntity);
+
 const wrappedCalendar = withCapEnforcement(innerSendHandler, () => ({
   capName: "newsletter-cap",
   periodStartIso: PERIOD,
@@ -103,6 +110,10 @@ afterAll(async () => {
   await stack.cleanup();
 });
 
+beforeEach(async () => {
+  await resetTestTables(db, [capCounterTable, eventsTable]);
+});
+
 function adminFor(tenantNumber: number) {
   return createTestUser({
     id: tenantNumber,

package/src/cap-counter/enforce-cap.ts

@@ -1,4 +1,3 @@
-import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEntityExecutor, type HandlerContext } from "@cosmicdrift/kumiko-framework/engine";
 import { eventsTable } from "@cosmicdrift/kumiko-framework/event-store";
 import { rollingCapAggregateId } from "./aggregate-id";
@@ -109,8 +108,7 @@ export async function enforceCap(
   const softThreshold = options.limit * tolerance.soft;
   const hardThreshold = options.limit * tolerance.hard;
 
-  const rows = await selectMany(
-    ctx.db,
+  const rows = await ctx.db.selectMany(
     table,
     { capName: options.capName, periodStart: options.periodStartIso },
     { limit: 1 },
@@ -188,7 +186,7 @@ export async function enforceRollingCap(
   // covers the prefix; the additional aggregate_id eq narrows to the
   // single rolling-stream. Postgres can use the index even with the
   // aggregate_id filter applied as a residual.
-  const rows = await selectMany<{ payload: { amount?: number } }>(ctx.db, eventsTable, {
+  const rows = await ctx.db.selectMany<{ payload: { amount?: number } }>(eventsTable, {
     tenantId: ctx.user.tenantId,
     aggregateType: CAP_COUNTER_ROLLING_AGGREGATE_TYPE,
     aggregateId,

package/src/cap-counter/handlers/get-counter.query.ts

@@ -1,4 +1,3 @@
-import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEntityExecutor, type QueryHandlerDef } from "@cosmicdrift/kumiko-framework/engine";
 import { z } from "zod";
 import { capCounterEntity } from "../entity";
@@ -25,8 +24,7 @@ export const getCounterQuery: QueryHandlerDef = {
     const { capName, periodStartIso } = query.payload as z.infer<typeof getCounterSchema>; // @cast-boundary engine-payload
 
     // ctx.db is tenant-scoped; filter by capName + periodStart explicitly.
-    const rows = await selectMany(
-      ctx.db,
+    const rows = await ctx.db.selectMany(
       table,
       { capName, periodStart: periodStartIso },
       { limit: 1 },

package/src/cap-counter/handlers/increment.write.ts

@@ -1,4 +1,3 @@
-import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEntityExecutor, type WriteHandlerDef } from "@cosmicdrift/kumiko-framework/engine";
 import { Temporal } from "temporal-polyfill";
 import { z } from "zod";
@@ -55,7 +54,7 @@ export const incrementCapHandler: WriteHandlerDef = {
 
     // Read existing aggregate's projection-row to decide create vs update.
     // ctx.db is auto-tenant-scoped — id-lookup is unique per tenant.
-    const existing = await selectMany(ctx.db, table, { id: aggregateId }, { limit: 1 });
+    const existing = await ctx.db.selectMany(table, { id: aggregateId }, { limit: 1 });
 
     if (existing.length === 0) {
       return executor.create(

package/src/cap-counter/handlers/mark-soft-warned.write.ts

@@ -1,4 +1,3 @@
-import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEntityExecutor, type WriteHandlerDef } from "@cosmicdrift/kumiko-framework/engine";
 import { Temporal } from "temporal-polyfill";
 import { z } from "zod";
@@ -32,7 +31,7 @@ export const markSoftWarnedHandler: WriteHandlerDef = {
       payload.periodStartIso,
     );
 
-    const existing = await selectMany(ctx.db, table, { id: aggregateId }, { limit: 1 });
+    const existing = await ctx.db.selectMany(table, { id: aggregateId }, { limit: 1 });
     if (existing.length === 0) {
       throw new Error(
         `cap-counter: cannot mark-soft-warned, no counter found for tenant=${event.user.tenantId} cap=${payload.capName} period=${payload.periodStartIso}`,

package/src/channel-in-app/in-app-channel.ts

@@ -1,4 +1,3 @@
-import { insertOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import { tenantChannel } from "@cosmicdrift/kumiko-framework/engine";
 import type { DeliveryChannel } from "../delivery";
 import { inAppMessagesTable } from "./tables";
@@ -15,8 +14,7 @@ export const inAppChannel: DeliveryChannel = {
     // address is the user-id string after the ES migration — keep it as-is.
     const userId = address;
 
-    const row = await insertOne<{ id: string }>(ctx.db, inAppMessagesTable, {
-      tenantId: ctx.tenantId,
+    const row = await ctx.db.insertOne<{ id: string }>(inAppMessagesTable, {
       userId,
       notificationType: message.notificationType,
       title: message.title,

package/src/custom-fields/__tests__/cross-tenant-field-delete.integration.test.ts

@@ -0,0 +1,177 @@
+// Regression: deleting a tenant-scoped custom-field definition must only clear
+// that tenant's rows — NOT every tenant's row that happens to use the same
+// kebab fieldKey.
+//
+// Bug: the fieldDefinition.deleted MSP-handler stripped the jsonb key from
+// every row of the host table (no tenant filter). Two tenants that each define
+// their own field with the same key (e.g. "priority") share the jsonb key on
+// the host-entity table; one tenant deleting their definition wiped the other
+// tenant's values. The fix scopes cleanup by the deleted definition's owning
+// tenant (system-scope still cascades to all).
+
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
+import { buildEntityTable } from "@cosmicdrift/kumiko-framework/db";
+import {
+  createEntity,
+  createEntityExecutor,
+  createTextField,
+  defineEntityListHandler,
+  defineFeature,
+  type SessionUser,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import {
+  createTestUser,
+  setupTestStack,
+  type TestStack,
+  testTenantId,
+  testUserId,
+  unsafeCreateEntityTable,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { z } from "zod";
+import { fieldDefinitionEntity } from "../entity";
+import { createCustomFieldsFeature } from "../feature";
+import { customFieldsField, wireCustomFieldsFor } from "../wire-for-entity";
+
+const propertyEntity = createEntity({
+  table: "read_xt_properties",
+  fields: {
+    name: createTextField({ required: true }),
+    customFields: customFieldsField(),
+  },
+});
+const propertyTable = buildEntityTable("property", propertyEntity);
+
+const propertyFeature = defineFeature("property-xt", (r) => {
+  r.entity("property", propertyEntity);
+  r.requires("custom-fields");
+  wireCustomFieldsFor(r, "property", propertyTable);
+
+  const { executor: propertyExecutor } = createEntityExecutor("property", propertyEntity);
+  r.writeHandler({
+    name: "property:create",
+    schema: z.object({ id: z.string(), name: z.string() }),
+    access: { roles: ["TenantAdmin"] },
+    handler: async (event, ctx) => {
+      const payload = event.payload as { id: string; name: string };
+      return propertyExecutor.create(
+        { id: payload.id, name: payload.name, customFields: {} },
+        event.user,
+        ctx.db,
+      );
+    },
+  });
+
+  r.queryHandler(
+    defineEntityListHandler("property", propertyEntity, { access: { roles: ["TenantAdmin"] } }),
+  );
+});
+
+const customFieldsFeature = createCustomFieldsFeature();
+
+let stack: TestStack;
+
+const adminA = createTestUser({
+  id: testUserId(1),
+  tenantId: testTenantId(1),
+  roles: ["TenantAdmin"],
+});
+const adminB = createTestUser({
+  id: testUserId(10),
+  tenantId: testTenantId(2),
+  roles: ["TenantAdmin"],
+});
+
+const PROP_A = "aaaaaaaa-aaaa-4000-8000-000000000001";
+const PROP_B = "bbbbbbbb-bbbb-4000-8000-000000000002";
+
+beforeAll(async () => {
+  stack = await setupTestStack({ features: [customFieldsFeature, propertyFeature] });
+  await unsafeCreateEntityTable(stack.db, fieldDefinitionEntity);
+  await unsafeCreateEntityTable(stack.db, propertyEntity);
+  await createEventsTable(stack.db);
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+beforeEach(async () => {
+  await asRawClient(stack.db).unsafe(`DELETE FROM kumiko_events`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM read_xt_properties`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM read_custom_field_definitions`);
+});
+
+async function defineField(user: SessionUser, fieldKey: string) {
+  return stack.http.writeOk(
+    "custom-fields:write:define-tenant-field",
+    {
+      entityName: "property",
+      fieldKey,
+      serializedField: { type: "text" },
+      required: false,
+      searchable: false,
+      displayOrder: 0,
+    },
+    user,
+  );
+}
+
+async function setCustomField(
+  user: SessionUser,
+  entityId: string,
+  fieldKey: string,
+  value: unknown,
+) {
+  return stack.http.writeOk(
+    "custom-fields:write:set-custom-field",
+    { entityName: "property", entityId, fieldKey, value },
+    user,
+  );
+}
+
+async function deleteField(user: SessionUser, fieldKey: string) {
+  return stack.http.writeOk(
+    "custom-fields:write:delete-tenant-field",
+    { entityName: "property", fieldKey },
+    user,
+  );
+}
+
+async function createProperty(user: SessionUser, id: string, name: string) {
+  return stack.http.writeOk("property-xt:write:property:create", { id, name }, user);
+}
+
+async function priorityOf(user: SessionUser, id: string): Promise<unknown> {
+  const { rows } = (await stack.http.queryOk("property-xt:query:property:list", {}, user)) as {
+    rows: Array<Record<string, unknown>>;
+  };
+  return rows.find((r) => r["id"] === id)?.["priority"];
+}
+
+describe("custom-fields cross-tenant isolation — fieldDefinition delete", () => {
+  test("deleting tenant A's field with a shared kebab key must NOT wipe tenant B's values", async () => {
+    // Both tenants independently define their own "priority" field on property.
+    await defineField(adminA, "priority");
+    await defineField(adminB, "priority");
+
+    await createProperty(adminA, PROP_A, "A-Prop");
+    await createProperty(adminB, PROP_B, "B-Prop");
+
+    await setCustomField(adminA, PROP_A, "priority", "A-value");
+    await setCustomField(adminB, PROP_B, "priority", "B-value");
+    await stack.eventDispatcher?.runOnce();
+
+    expect(await priorityOf(adminA, PROP_A)).toBe("A-value");
+    expect(await priorityOf(adminB, PROP_B)).toBe("B-value");
+
+    // Tenant A deletes their "priority" field definition.
+    await deleteField(adminA, "priority");
+    await stack.eventDispatcher?.runOnce();
+
+    // A's value is correctly gone; B's value MUST survive (tenant-scoped cleanup).
+    expect(await priorityOf(adminA, PROP_A)).toBeUndefined();
+    expect(await priorityOf(adminB, PROP_B)).toBe("B-value");
+  });
+});

package/src/custom-fields/__tests__/{custom-fields.integration.ts → custom-fields.integration.test.ts}

@@ -259,3 +259,108 @@ describe("custom-fields integration — Last-Wins on concurrent set", () => {
     expect(p6?.["status"]).toBe("published");
   });
 });
+
+describe("custom-fields integration — value validation (Builder-Reuse)", () => {
+  async function setErr(entityId: string, fieldKey: string, value: unknown) {
+    return stack.http.writeErr(
+      "custom-fields:write:set-custom-field",
+      { entityName: "property", entityId, fieldKey, value },
+      admin,
+    );
+  }
+
+  async function countSetEvents(entityId: string): Promise<number> {
+    const rows = await asRawClient(stack.db).unsafe(
+      "SELECT count(*)::int AS n FROM kumiko_events WHERE aggregate_id = $1 AND type = $2",
+      [entityId, "custom-fields:event:custom-field-set"],
+    );
+    return (rows as ReadonlyArray<{ n: number }>)[0]?.n ?? 0;
+  }
+
+  async function rawCustomFields(entityId: string): Promise<Record<string, unknown>> {
+    const rows = await asRawClient(stack.db).unsafe(
+      "SELECT custom_fields FROM read_t1_properties WHERE id = $1",
+      [entityId],
+    );
+    const cf = (rows as ReadonlyArray<{ custom_fields: unknown }>)[0]?.custom_fields;
+    return cf && typeof cf === "object" && !Array.isArray(cf)
+      ? (cf as Record<string, unknown>)
+      : {};
+  }
+
+  test("type mismatch → 422, no event emitted, no jsonb key after projection", async () => {
+    const id = "77777777-7777-4000-8000-000000000007";
+    await defineField("property", "count", "number");
+    await createProperty(id, "TypeMismatch");
+
+    const err = await setErr(id, "count", "not-a-number");
+    expect(err.httpStatus).toBe(422);
+    expect(err.code).toBe("unprocessable");
+    expect(err.details).toMatchObject({ reason: "custom_field_value_invalid" });
+
+    // Plan-Promise: kein Event entsteht — Projection bleibt typed.
+    expect(await countSetEvents(id)).toBe(0);
+
+    await stack.eventDispatcher?.runOnce();
+    expect(await rawCustomFields(id)).not.toHaveProperty("count");
+  });
+
+  test("matching values pass — number/text/boolean land correctly", async () => {
+    const id = "88888888-8888-4000-8000-000000000008";
+    await defineField("property", "count", "number");
+    await defineField("property", "label", "text");
+    await defineField("property", "active", "boolean");
+    await createProperty(id, "Valid");
+
+    await setCustomField("property", id, "count", 42);
+    await setCustomField("property", id, "label", "ok");
+    await setCustomField("property", id, "active", true);
+    await stack.eventDispatcher?.runOnce();
+
+    const row = (await listProperties()).rows.find((r) => r["id"] === id);
+    expect(row?.["count"]).toBe(42);
+    expect(row?.["label"]).toBe("ok");
+    expect(row?.["active"]).toBe(true);
+  });
+
+  test("boolean field rejects a string value → 422, no event", async () => {
+    const id = "99999999-9999-4000-8000-000000000009";
+    await defineField("property", "flag", "boolean");
+    await createProperty(id, "BoolReject");
+
+    const err = await setErr(id, "flag", "yes");
+    expect(err.httpStatus).toBe(422);
+    expect(err.code).toBe("unprocessable");
+    expect(err.details).toMatchObject({ reason: "custom_field_value_invalid" });
+    expect(await countSetEvents(id)).toBe(0);
+  });
+
+  test("embedded field rejects a non-object value → 422, no event", async () => {
+    const id = "aaaaaaaa-aaaa-4000-8000-00000000000a";
+    // embedded carries a sub-field schema in serializedField — exercises
+    // fieldToZod's z.object(...) dispatch (the structurally complex path).
+    await stack.http.writeOk(
+      "custom-fields:write:define-tenant-field",
+      {
+        entityName: "property",
+        fieldKey: "geo",
+        serializedField: { type: "embedded", schema: { city: { type: "text", required: true } } },
+        required: false,
+        searchable: false,
+        displayOrder: 0,
+      },
+      admin,
+    );
+    await createProperty(id, "EmbeddedReject");
+
+    const err = await setErr(id, "geo", "not-an-object");
+    expect(err.httpStatus).toBe(422);
+    expect(err.details).toMatchObject({ reason: "custom_field_value_invalid" });
+    expect(await countSetEvents(id)).toBe(0);
+
+    // Positive: a matching object passes + lands.
+    await setCustomField("property", id, "geo", { city: "Bonn" });
+    await stack.eventDispatcher?.runOnce();
+    expect(await rawCustomFields(id)).toMatchObject({ geo: { city: "Bonn" } });
+  });
+});

package/src/custom-fields/db/queries/projection.ts

@@ -5,18 +5,27 @@ function quoteTable(tableName: string): string {
   return `"${tableName.replace(/"/g, '""')}"`;
 }
 
+function bindJsonbParam(value: unknown): { sql: string; bound: unknown } {
+  // postgres-js infers boolean params as boolean[] candidates — route via text::jsonb.
+  if (typeof value === "boolean") {
+    return { sql: "$1::text::jsonb", bound: JSON.stringify(value) };
+  }
+  return { sql: "$1::jsonb", bound: value };
+}
+
 export async function setCustomFieldValue(
   db: DbRunner,
   tableName: string,
   fieldKey: string,
-  valueJson: string,
+  value: unknown,
   aggregateId: string,
 ): Promise<void> {
   const tbl = quoteTable(tableName);
   const escapedKey = fieldKey.replace(/'/g, "''");
+  const jsonb = bindJsonbParam(value);
   await asRawClient(db).unsafe(
-    `UPDATE ${tbl} SET custom_fields = jsonb_set(custom_fields, '{${escapedKey}}', $1::jsonb, true) WHERE id = $2`,
-    [valueJson, aggregateId],
+    `UPDATE ${tbl} SET custom_fields = jsonb_set(custom_fields, '{${escapedKey}}', ${jsonb.sql}, true) WHERE id = $2`,
+    [jsonb.bound, aggregateId],
   );
 }
 
@@ -33,7 +42,27 @@ export async function clearCustomFieldKey(
   );
 }
 
-export async function removeCustomFieldKeyFromAllRows(
+// Tenant-scoped orphan-cleanup: removes the jsonb key only from the deleting
+// tenant's rows. This is the default path for tenant-field deletions — without
+// the tenant_id filter, deleting tenant A's field strips the same kebab key
+// from every tenant's rows (cross-tenant data loss).
+export async function removeCustomFieldKeyForTenant(
+  db: DbRunner,
+  tableName: string,
+  fieldKey: string,
+  tenantId: string,
+): Promise<void> {
+  const tbl = quoteTable(tableName);
+  await asRawClient(db).unsafe(
+    `UPDATE ${tbl} SET custom_fields = custom_fields - $1 WHERE tenant_id = $2`,
+    [fieldKey, tenantId],
+  );
+}
+
+// Cross-tenant cleanup: strips the key from EVERY tenant's rows. Only valid for
+// system-scope field-definition deletions (the field applied to all tenants).
+// Never call this for a tenant-scoped deletion — use removeCustomFieldKeyForTenant.
+export async function removeCustomFieldKeyFromAllTenants(
   db: DbRunner,
   tableName: string,
   fieldKey: string,

package/src/custom-fields/db/queries/retention.ts

@@ -28,12 +28,12 @@ export async function selectHostRowsWithCustomFields(
 export async function updateHostRowCustomFields(
   db: DbRunner,
   tableName: string,
-  customFieldsJson: string,
+  customFields: Record<string, unknown>,
   rowId: string,
 ): Promise<void> {
   const quoted = `"${tableName.replace(/"/g, '""')}"`;
   await asRawClient(db).unsafe(`UPDATE ${quoted} SET custom_fields = $1::jsonb WHERE id = $2`, [
-    customFieldsJson,
+    customFields,
     rowId,
   ]);
 }

package/src/custom-fields/db/queries/user-data-rights.ts

@@ -35,10 +35,13 @@ export async function stripSensitiveCustomFieldKeys(
 ): Promise<void> {
   const tbl = quoteTable(tableName);
   const userCol = quoteColumn(userIdColumn);
-  const placeholders = sensitiveKeys.map((_, i) => `$${i + 1}`).join(" - ");
   await asRawClient(db).unsafe(
-    `UPDATE ${tbl} SET custom_fields = custom_fields - ${placeholders} WHERE ${userCol} = $${sensitiveKeys.length + 1} AND tenant_id = $${sensitiveKeys.length + 2}`,
-    [...sensitiveKeys, userId, tenantId],
+    `UPDATE ${tbl} SET custom_fields = CASE
+       WHEN jsonb_typeof(custom_fields) = 'object' THEN custom_fields - $1::text[]
+       ELSE custom_fields
+     END
+     WHERE ${userCol} = $2 AND tenant_id = $3`,
+    [sensitiveKeys, userId, tenantId],
   );
 }
 

package/src/custom-fields/feature.ts

@@ -30,12 +30,12 @@
 //   hand-gebauten Template-Literals mehr (T1 hat den toKebab-collapse-drift
 //   aufgedeckt, siehe Memory feedback_event_def_exports_pattern).
 //
-// **Out-of-B2 (future iterations)**:
+// **Noch offen (future iterations)**:
 //   - Cross-scope-conflict-Detection (Tenant überschreibt system fieldKey)
-//   - cap-counter quota-Check beim fieldDefinition-create
-//   - user-data-rights anonymization-Wiring für sensitive customFields
-//   - Value-Validation gegen fieldDefinition.serializedField
 //   - Cross-Scope-Read-UNION (system + tenant fieldDefinitions in einem List)
+//   (cap-counter-quota → T1.5e, user-data-rights-anonymization → T1.5c,
+//    Value-Validation gegen serializedField → set-custom-field via fieldToZod —
+//    alle erledigt.)
 
 import { defineEntityListHandler, defineFeature } from "@cosmicdrift/kumiko-framework/engine";
 import { z } from "zod";
@@ -63,6 +63,12 @@ const tenantAdminAccess = { access: { roles: ["TenantAdmin"] } } as const;
 const fieldDefinitionDeletedSchema = z.object({
   entityName: z.string(),
   fieldKey: z.string(),
+  // Owning tenant of the deleted definition: a specific tenant for tenant-scope
+  // deletions, SYSTEM_TENANT_ID for system-scope. The cascade-MSP scopes its
+  // orphan-cleanup by this so a tenant deletion never touches other tenants'
+  // rows. Optional for backward-compat with events appended before this field
+  // existed — the MSP falls back to the event's stream tenantId.
+  tenantId: z.string().optional(),
 });
 
 // Singleton feature-definition mit typed exports. Handler + wire-for-entity

package/src/custom-fields/handlers/delete-system-field.write.ts

@@ -38,7 +38,11 @@ export const deleteSystemFieldHandler: WriteHandlerDef = {
         aggregateId,
         aggregateType: "field-definition",
         type: customFieldsFeature.exports.fieldDefinitionDeletedEvent.name,
-        payload: { entityName: payload.entityName, fieldKey: payload.fieldKey },
+        payload: {
+          entityName: payload.entityName,
+          fieldKey: payload.fieldKey,
+          tenantId: SYSTEM_TENANT_ID,
+        },
       });
     }
 

package/src/custom-fields/handlers/delete-tenant-field.write.ts

@@ -46,7 +46,7 @@ export const deleteTenantFieldHandler: WriteHandlerDef = {
         aggregateId,
         aggregateType: "field-definition",
         type: customFieldsFeature.exports.fieldDefinitionDeletedEvent.name,
-        payload: { entityName: payload.entityName, fieldKey: payload.fieldKey },
+        payload: { entityName: payload.entityName, fieldKey: payload.fieldKey, tenantId },
       });
     }