@cosmicdrift/kumiko-bundled-features 0.24.0 → 0.25.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.24.0",
+  "version": "0.25.0",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",

package/src/__tests__/env-schemas.test.ts

@@ -1,10 +1,6 @@
 import { describe, expect, it } from "bun:test";
 import { randomBytes } from "node:crypto";
-import {
-  composeEnvSchema,
-  type KumikoBootError,
-  parseEnv,
-} from "@cosmicdrift/kumiko-framework/env";
+import { composeEnvSchema, KumikoBootError, parseEnv } from "@cosmicdrift/kumiko-framework/env";
 import { authEmailPasswordEnvSchema, createAuthEmailPasswordFeature } from "../auth-email-password";
 import { createSecretsFeature, secretsEnvSchema } from "../secrets";
 import {
@@ -18,6 +14,13 @@ import {
 
 const validKek = randomBytes(32).toString("base64");
 
+function asBootError(err: unknown): KumikoBootError {
+  if (!(err instanceof KumikoBootError)) {
+    throw err instanceof Error ? err : new Error(String(err));
+  }
+  return err;
+}
+
 describe("secretsEnvSchema", () => {
   it("accepts a base64-32 KEK and defaults CURRENT_VERSION to '1'", () => {
     const env = parseEnv(secretsEnvSchema, {
@@ -32,7 +35,7 @@ describe("secretsEnvSchema", () => {
       parseEnv(secretsEnvSchema, { KUMIKO_SECRETS_MASTER_KEY_V1: "dGVzdA==" });
       throw new Error("should have thrown");
     } catch (err) {
-      const boot = err as KumikoBootError;
+      const boot = asBootError(err);
       const v1 = boot.errors.find((e) => e.name === "KUMIKO_SECRETS_MASTER_KEY_V1");
       expect(v1?.kind).toBe("invalid");
       expect(v1?.message).toContain("32 bytes");
@@ -47,13 +50,36 @@ describe("secretsEnvSchema", () => {
       });
       throw new Error("should have thrown");
     } catch (err) {
-      const cur = (err as KumikoBootError).errors.find(
+      const cur = asBootError(err).errors.find(
+        (e) => e.name === "KUMIKO_SECRETS_MASTER_KEY_CURRENT_VERSION",
+      );
+      expect(cur?.kind).toBe("invalid");
+    }
+  });
+
+  it("rejects CURRENT_VERSION '0' (V0 never exists, selector starts at V1)", () => {
+    try {
+      parseEnv(secretsEnvSchema, {
+        KUMIKO_SECRETS_MASTER_KEY_V1: validKek,
+        KUMIKO_SECRETS_MASTER_KEY_CURRENT_VERSION: "0",
+      });
+      throw new Error("should have thrown");
+    } catch (err) {
+      const cur = asBootError(err).errors.find(
         (e) => e.name === "KUMIKO_SECRETS_MASTER_KEY_CURRENT_VERSION",
       );
       expect(cur?.kind).toBe("invalid");
     }
   });
 
+  it("accepts CURRENT_VERSION '2' (positive version selector)", () => {
+    const env = parseEnv(secretsEnvSchema, {
+      KUMIKO_SECRETS_MASTER_KEY_V1: validKek,
+      KUMIKO_SECRETS_MASTER_KEY_CURRENT_VERSION: "2",
+    });
+    expect(env.KUMIKO_SECRETS_MASTER_KEY_CURRENT_VERSION).toBe("2");
+  });
+
   it("attaches the schema via r.envSchema() on createSecretsFeature()", () => {
     const f = createSecretsFeature();
     expect(f.envSchema).toBe(secretsEnvSchema);
@@ -74,7 +100,7 @@ describe("authEmailPasswordEnvSchema", () => {
       parseEnv(authEmailPasswordEnvSchema, { JWT_SECRET: "short" });
       throw new Error("should have thrown");
     } catch (err) {
-      const jwt = (err as KumikoBootError).errors.find((e) => e.name === "JWT_SECRET");
+      const jwt = asBootError(err).errors.find((e) => e.name === "JWT_SECRET");
       expect(jwt?.kind).toBe("invalid");
     }
   });
@@ -103,11 +129,27 @@ describe("subscriptionStripeEnvSchema", () => {
       });
       throw new Error("should have thrown");
     } catch (err) {
-      const boot = err as KumikoBootError;
+      const boot = asBootError(err);
       expect(boot.errors.length).toBe(2);
     }
   });
 
+  it("rejects a publishable key and a non-whsec webhook secret", () => {
+    try {
+      parseEnv(subscriptionStripeEnvSchema, {
+        STRIPE_WEBHOOK_SECRET: "wrong_abc",
+        STRIPE_API_KEY: "pk_live_xyz",
+      });
+      throw new Error("should have thrown");
+    } catch (err) {
+      const boot = asBootError(err);
+      const api = boot.errors.find((e) => e.name === "STRIPE_API_KEY");
+      const hook = boot.errors.find((e) => e.name === "STRIPE_WEBHOOK_SECRET");
+      expect(api?.kind).toBe("invalid");
+      expect(hook?.kind).toBe("invalid");
+    }
+  });
+
   it("attaches the schema via r.envSchema() on the factory", () => {
     const f = createSubscriptionStripeFeature({
       webhookSecret: "whsec_x",
@@ -129,7 +171,7 @@ describe("subscriptionMollieEnvSchema", () => {
       parseEnv(subscriptionMollieEnvSchema, { MOLLIE_API_KEY: "no-prefix" });
       throw new Error("should have thrown");
     } catch (err) {
-      const k = (err as KumikoBootError).errors.find((e) => e.name === "MOLLIE_API_KEY");
+      const k = asBootError(err).errors.find((e) => e.name === "MOLLIE_API_KEY");
       expect(k?.kind).toBe("invalid");
     }
   });
@@ -200,7 +242,7 @@ describe("compose across all Phase-2 features", () => {
       parseEnv(composed.schema, {}, { sources: composed.sources });
       throw new Error("should have thrown");
     } catch (err) {
-      const out = (err as KumikoBootError).format();
+      const out = asBootError(err).format();
       expect(out).toContain("✗ JWT_SECRET (auth-email-password, required, missing)");
       expect(out).toContain("✗ KUMIKO_SECRETS_MASTER_KEY_V1 (secrets, required, missing)");
       expect(out).toContain("✗ STRIPE_API_KEY (subscription-stripe, required, missing)");

package/src/auth-email-password/__tests__/auth.integration.test.ts

@@ -236,6 +236,43 @@ describe("scenario 5: change-password success", () => {
   });
 });
 
+describe("scenario 5b: change-password when the aggregate stream tenant != session tenant (sysadmin pattern)", () => {
+  test("user whose stream lives in a non-session tenant still changes password", async () => {
+    // Sysadmin pattern: created via systemAdmin (stream = systemAdmin.tenantId),
+    // only membership on a different tenant → the session/membership tenant
+    // diverges from where the aggregate actually lives. change-password writes
+    // as the session tenant; without recovering the real stream tenant it
+    // version_conflicts against an empty stream and the operator is locked out
+    // of rotating their own password.
+    const membershipTenant = testTenantId(2);
+    const seed = await seedLoginUser({
+      email: "sysadmin-cp@example.com",
+      password: "old-sysadmin-pw",
+      tenantId: membershipTenant,
+    });
+
+    const streamRows = (await asRawClient(stack.db).unsafe(
+      `SELECT "tenant_id" AS t FROM "kumiko_events" WHERE "aggregate_id" = $1 AND "aggregate_type" = $2 ORDER BY "version" LIMIT 1`,
+      [seed.id, "user"],
+    )) as ReadonlyArray<{ t: string }>;
+    expect(streamRows[0]?.t).toBe(systemAdmin.tenantId);
+    expect(streamRows[0]?.t).not.toBe(membershipTenant);
+
+    const signedIn = createTestUser({ id: seed.id, tenantId: seed.tenantId, roles: ["User"] });
+    await stack.http.writeOk(
+      AuthHandlers.changePassword,
+      { oldPassword: "old-sysadmin-pw", newPassword: "new-sysadmin-pw-long" },
+      signedIn,
+    );
+
+    const newRes = await stack.http.raw("POST", "/api/auth/login", {
+      email: "sysadmin-cp@example.com",
+      password: "new-sysadmin-pw-long",
+    });
+    expect(newRes.status).toBe(200);
+  });
+});
+
 // --- Scenario 6: logout is reachable for authenticated users ---
 
 describe("scenario 6: logout", () => {

package/src/auth-email-password/__tests__/email-verification.integration.test.ts

@@ -322,3 +322,35 @@ describe("login with strict email-verification", () => {
     expect(body.error?.details?.reason).toBe(AuthErrors.invalidCredentials);
   });
 });
+
+describe("verify-email — aggregate stream in a non-membership tenant (sysadmin pattern)", () => {
+  test("user whose aggregate stream lives in a tenant they are NOT a member of still verifies", async () => {
+    // Prod sysadmin repro: the user aggregate is created via `systemAdmin`,
+    // so its event stream lives in systemAdmin.tenantId (…0001), while the
+    // user's ONLY membership is on a different tenant (…0002). resolveStream-
+    // Tenants must discover the real stream tenant from the event log — if it
+    // only tried membership tenants, every write would target …0002, get a
+    // version_conflict, collapse to all_conflicts → invalid_verification_token.
+    const membershipTenant = "00000000-0000-4000-8000-000000000002" as TenantId;
+    const seed = await seedUser({
+      email: "sysadmin-pattern@example.com",
+      password: "pw-sysadmin-pat-1234",
+      tenantId: membershipTenant,
+    });
+
+    const streamRows = (await asRawClient(stack.db).unsafe(
+      `SELECT "tenant_id", "aggregate_type" FROM "kumiko_events" WHERE "aggregate_id" = $1 ORDER BY "version" LIMIT 1`,
+      [seed.id],
+    )) as ReadonlyArray<{ tenant_id: string; aggregate_type: string }>;
+    expect(streamRows[0]?.aggregate_type).toBe("user");
+    expect(streamRows[0]?.tenant_id).toBe(systemAdmin.tenantId);
+    expect(streamRows[0]?.tenant_id).not.toBe(membershipTenant);
+
+    const { token } = signVerificationToken(seed.id, 60, verifySecret);
+    const res = await post("/api/auth/verify-email", { token });
+    expect(res.status).toBe(200);
+
+    const row = (await selectMany(stack.db, userTable)).find((r) => r["id"] === seed.id);
+    expect(row?.["emailVerified"]).toBe(true);
+  });
+});

package/src/auth-email-password/__tests__/password-reset.integration.test.ts

@@ -303,6 +303,37 @@ describe("POST /auth/reset-password", () => {
     const body = await second.json();
     expect(body.error?.details?.reason).toBe(AuthErrors.invalidResetToken);
   });
+
+  test("user whose aggregate stream lives in a tenant they are NOT a member of can still reset", async () => {
+    // Mirror of the verify-email sysadmin repro: aggregate stream in …0001
+    // (created via systemAdmin), only membership on …0002. The reset must
+    // target the real stream tenant, not the membership tenant.
+    const membershipTenant = "00000000-0000-4000-8000-000000000002" as TenantId;
+    const seed = await seedUser({
+      email: "sysadmin-reset@example.com",
+      password: "pw-old-sysadmin-1234",
+      tenantId: membershipTenant,
+    });
+
+    const streamRows = (await asRawClient(stack.db).unsafe(
+      `SELECT "tenant_id", "aggregate_type" FROM "kumiko_events" WHERE "aggregate_id" = $1 ORDER BY "version" LIMIT 1`,
+      [seed.id],
+    )) as ReadonlyArray<{ tenant_id: string; aggregate_type: string }>;
+    expect(streamRows[0]?.aggregate_type).toBe("user");
+    expect(streamRows[0]?.tenant_id).toBe(systemAdmin.tenantId);
+    expect(streamRows[0]?.tenant_id).not.toBe(membershipTenant);
+
+    const { token } = signResetToken(seed.id, 15, resetSecret);
+    const res = await post("/api/auth/reset-password", {
+      token,
+      newPassword: "pw-new-sysadmin-1234",
+    });
+    expect(res.status).toBe(200);
+
+    const row = (await selectMany(stack.db, userTable)).find((r) => r["id"] === seed.id);
+    const valid = await verifyPassword(row?.["passwordHash"] as string, "pw-new-sysadmin-1234");
+    expect(valid).toBe(true);
+  });
 });
 
 // --- session auto-revoke (H.3 cross-feature hook) -------------------------

package/src/auth-email-password/handlers/change-password.write.ts

@@ -1,7 +1,8 @@
 import { access, createSystemUser, defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
 import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
+import { getAggregateStreamTenant } from "@cosmicdrift/kumiko-framework/event-store";
 import { z } from "zod";
-import { UserHandlers, UserQueries } from "../../user";
+import { USER_FEATURE, UserHandlers, UserQueries } from "../../user";
 import { AuthErrors } from "../constants";
 import { hashPassword, verifyPassword } from "../password-hashing";
 
@@ -43,10 +44,19 @@ export const changePasswordWrite = defineWriteHandler({
 
     const newHash = await hashPassword(event.payload.newPassword);
 
+    // The user aggregate is r.systemScope(): its event stream can live in a
+    // tenant that isn't the session tenant (a platform operator's stream sits
+    // in the seed executor's tenant, not their membership). Write against the
+    // real stream tenant so optimistic locking targets the right stream instead
+    // of version_conflict-ing against an empty one. Falls back to the session
+    // tenant when the lookup finds nothing (fresh/unknown stream).
+    const streamTenant = await getAggregateStreamTenant(ctx.db.raw, event.user.id, USER_FEATURE);
+    const writer = createSystemUser(streamTenant ?? event.user.tenantId);
+
     // Apply via user feature's update handler — writeAs(system) satisfies
     // the privileged-only write rule on passwordHash. Pass the current version
     // through so optimistic locking still applies end-to-end.
-    const writeRes = await ctx.writeAs(systemUser, UserHandlers.update, {
+    const writeRes = await ctx.writeAs(writer, UserHandlers.update, {
       id: me.id,
       version: me.version,
       changes: { passwordHash: newHash },

package/src/auth-email-password/handlers/confirm-token-flow.ts

@@ -29,8 +29,9 @@ import {
   type WriteFailure,
   writeFailure,
 } from "@cosmicdrift/kumiko-framework/errors";
+import { getAggregateStreamTenant } from "@cosmicdrift/kumiko-framework/event-store";
 import type Redis from "ioredis";
-import { UserHandlers, UserQueries } from "../../user";
+import { USER_FEATURE, UserHandlers, UserQueries } from "../../user";
 import type { AuthUserRow } from "../auth-user-row";
 import { parseAuthUserRow } from "../auth-user-row";
 import { orderTenantsByPreference } from "../stream-tenant";
@@ -153,7 +154,21 @@ async function resolveStreamTenants(
   const memberships = (await ctx.queryAs(systemUser, "tenant:query:memberships", {
     userId: me.id,
   })) as Array<{ tenantId: TenantId }>; // @cast-boundary db-runner
-  return orderTenantsByPreference(memberships, me.lastActiveTenantId);
+  const ordered = orderTenantsByPreference(memberships, me.lastActiveTenantId);
+  if (ordered.length === 0) return [];
+
+  // The user aggregate is r.systemScope(): its event stream lives in whichever
+  // tenant the creating executor used, which need NOT be a membership tenant.
+  // A platform operator seeded under a fixture/platform tenant is the live case
+  // — its stream tenant is absent from `ordered`, so a membership-only search
+  // rejects every write and collapses to invalid_token. Recover the real stream
+  // tenant from the event log and try it first; memberships stay as fallback,
+  // and an empty/unknown lookup degrades to the prior membership-only behaviour.
+  const streamTenant = await getAggregateStreamTenant(ctx.db.raw, me.id, USER_FEATURE);
+  if (streamTenant && !ordered.includes(streamTenant)) {
+    return [streamTenant, ...ordered];
+  }
+  return ordered;
 }
 
 // Discriminated result for the write-across-tenants loop.

package/src/compliance-profiles/__tests__/parse-override.test.ts

@@ -0,0 +1,53 @@
+import { describe, expect, spyOn, test } from "bun:test";
+import { parseComplianceProfileOverride } from "../_internal/parse-override";
+
+describe("parseComplianceProfileOverride", () => {
+  test("empty / whitespace / null → undefined, no warning", () => {
+    const warn = spyOn(console, "warn").mockImplementation(() => {});
+    try {
+      expect(parseComplianceProfileOverride(null, "t1", "seed")).toBeUndefined();
+      expect(parseComplianceProfileOverride("", "t1", "seed")).toBeUndefined();
+      expect(parseComplianceProfileOverride("   ", "t1", "seed")).toBeUndefined();
+      expect(warn).not.toHaveBeenCalled();
+    } finally {
+      warn.mockRestore();
+    }
+  });
+
+  test("valid JSON object is returned verbatim", () => {
+    expect(parseComplianceProfileOverride('{"region":"eu"}', "t1", "seed")).toEqual({
+      region: "eu",
+    });
+  });
+
+  test("literal JSON null → undefined (no override), no warning", () => {
+    const warn = spyOn(console, "warn").mockImplementation(() => {});
+    try {
+      expect(parseComplianceProfileOverride("null", "t1", "seed")).toBeUndefined();
+      expect(warn).not.toHaveBeenCalled();
+    } finally {
+      warn.mockRestore();
+    }
+  });
+
+  test("corrupt JSON warns WITH the parser reason and returns undefined (not a silent swallow)", () => {
+    const warn = spyOn(console, "warn").mockImplementation(() => {});
+    try {
+      const result = parseComplianceProfileOverride(
+        "{not valid json",
+        "tenant-9",
+        "resolve-for-tenant",
+      );
+      expect(result).toBeUndefined();
+      expect(warn).toHaveBeenCalledTimes(1);
+      const msg = String(warn.mock.calls[0]?.[0]);
+      expect(msg).toContain("tenant-9");
+      expect(msg).toContain("resolve-for-tenant");
+      // The point of the fix: the parser's own failure reason is preserved,
+      // not flattened to a generic "is not valid JSON".
+      expect(msg).toContain("Reason:");
+    } finally {
+      warn.mockRestore();
+    }
+  });
+});

package/src/compliance-profiles/_internal/parse-override.ts

@@ -1,5 +1,5 @@
 import type { ComplianceProfileOverride } from "@cosmicdrift/kumiko-framework/compliance";
-import { parseJsonSafe } from "@cosmicdrift/kumiko-framework/utils";
+import { parseJsonOrThrow } from "@cosmicdrift/kumiko-framework/utils";
 
 export function parseComplianceProfileOverride(
   raw: string | null,
@@ -7,13 +7,14 @@ export function parseComplianceProfileOverride(
   callerLabel: string,
 ): ComplianceProfileOverride | undefined {
   if (!raw || raw.trim() === "") return undefined;
-  const parsed = parseJsonSafe<ComplianceProfileOverride | null>(raw, null);
-  if (parsed === null) {
+  let parsed: ComplianceProfileOverride | null;
+  try {
+    parsed = parseJsonOrThrow<ComplianceProfileOverride | null>(raw, "compliance override");
+  } catch (err) {
+    const reason = err instanceof Error ? err.message : String(err);
     // biome-ignore lint/suspicious/noConsole: operator visibility for DB-corruption edge-case
-    console.warn(
-      `[${callerLabel}] tenant ${tenantId}: stored override is not valid JSON, ignoring.`,
-    );
+    console.warn(`[${callerLabel}] tenant ${tenantId}: stored override ignored. Reason: ${reason}`);
     return undefined;
   }
-  return parsed;
+  return parsed ?? undefined;
 }

package/src/custom-fields/__tests__/audit-integration.integration.test.ts

@@ -265,13 +265,40 @@ describe("T1.5a: custom-fields events are visible in the audit log", () => {
       adminWithAudit,
     );
 
+    // Tenant-2 defines its OWN field. Without this, an audit query that
+    // returned zero rows for ANY reason (e.g. a broken filter) would still
+    // pass the "doesn't see leakyField" assertion — a false-positive that
+    // reads "isolated" but actually means "blind". Asserting tenant-2 sees its
+    // own event proves the query genuinely returns tenant-2's data.
+    const otherTenantDefiner = createTestUser({
+      id: 11,
+      roles: ["TenantAdmin"],
+      tenantId: otherTenantAdmin.tenantId,
+    });
+    await stack.http.writeOk(
+      "custom-fields:write:define-tenant-field",
+      {
+        entityName: "property",
+        fieldKey: "ownField",
+        serializedField: { type: "text" },
+        required: false,
+        searchable: false,
+        displayOrder: 0,
+      },
+      otherTenantDefiner,
+    );
+
     const res = await stack.http.queryOk<AuditResponse>(
       AuditQueries.list,
       { aggregateType: "field-definition" },
       otherTenantAdmin,
     );
 
-    const leak = res.rows.find((r) => (r.payload["fieldKey"] as string) === "leakyField");
+    // Tenant-2 sees its own event ...
+    const own = res.rows.find((r) => r.payload["fieldKey"] === "ownField");
+    expect(own).toBeDefined();
+    // ... but never tenant-1's.
+    const leak = res.rows.find((r) => r.payload["fieldKey"] === "leakyField");
     expect(leak).toBeUndefined();
   });
 });

package/src/custom-fields/__tests__/cross-tenant-set-write.integration.test.ts

@@ -0,0 +1,178 @@
+// Regression: a custom-field set/clear must only touch the calling tenant's own
+// row. aggregateId is a globally-unique row UUID, so without a tenant_id filter
+// on the projection UPDATE, tenant A could overwrite or clear tenant B's
+// customFields just by passing B's known row UUID as entityId. The set/clear
+// projection writes now scope to the event's own tenant (same guard the
+// fieldDefinition-delete path already uses).
+
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
+import { buildEntityTable } from "@cosmicdrift/kumiko-framework/db";
+import {
+  createEntity,
+  createEntityExecutor,
+  createTextField,
+  defineEntityListHandler,
+  defineFeature,
+  type SessionUser,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import {
+  createTestUser,
+  setupTestStack,
+  type TestStack,
+  testTenantId,
+  testUserId,
+  unsafeCreateEntityTable,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { z } from "zod";
+import { fieldDefinitionEntity } from "../entity";
+import { createCustomFieldsFeature } from "../feature";
+import { customFieldsField, wireCustomFieldsFor } from "../wire-for-entity";
+
+const propertyEntity = createEntity({
+  table: "read_xt_set_properties",
+  fields: {
+    name: createTextField({ required: true }),
+    customFields: customFieldsField(),
+  },
+});
+const propertyTable = buildEntityTable("property", propertyEntity);
+
+const propertyFeature = defineFeature("property-xt-set", (r) => {
+  r.entity("property", propertyEntity);
+  r.requires("custom-fields");
+  wireCustomFieldsFor(r, "property", propertyTable);
+
+  const { executor: propertyExecutor } = createEntityExecutor("property", propertyEntity);
+  r.writeHandler({
+    name: "property:create",
+    schema: z.object({ id: z.string(), name: z.string() }),
+    access: { roles: ["TenantAdmin"] },
+    handler: async (event, ctx) => {
+      const payload = event.payload as { id: string; name: string };
+      return propertyExecutor.create(
+        { id: payload.id, name: payload.name, customFields: {} },
+        event.user,
+        ctx.db,
+      );
+    },
+  });
+
+  r.queryHandler(
+    defineEntityListHandler("property", propertyEntity, { access: { roles: ["TenantAdmin"] } }),
+  );
+});
+
+const customFieldsFeature = createCustomFieldsFeature();
+
+let stack: TestStack;
+
+const adminA = createTestUser({
+  id: testUserId(1),
+  tenantId: testTenantId(1),
+  roles: ["TenantAdmin"],
+});
+const adminB = createTestUser({
+  id: testUserId(10),
+  tenantId: testTenantId(2),
+  roles: ["TenantAdmin"],
+});
+
+const PROP_A = "aaaaaaaa-aaaa-4000-8000-000000000001";
+const PROP_B = "bbbbbbbb-bbbb-4000-8000-000000000002";
+
+beforeAll(async () => {
+  stack = await setupTestStack({ features: [customFieldsFeature, propertyFeature] });
+  await unsafeCreateEntityTable(stack.db, fieldDefinitionEntity);
+  await unsafeCreateEntityTable(stack.db, propertyEntity);
+  await createEventsTable(stack.db);
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+async function defineField(user: SessionUser, fieldKey: string) {
+  return stack.http.writeOk(
+    "custom-fields:write:define-tenant-field",
+    {
+      entityName: "property",
+      fieldKey,
+      serializedField: { type: "text" },
+      required: false,
+      searchable: false,
+      displayOrder: 0,
+    },
+    user,
+  );
+}
+
+async function setField(user: SessionUser, entityId: string, fieldKey: string, value: unknown) {
+  return stack.http.writeOk(
+    "custom-fields:write:set-custom-field",
+    { entityName: "property", entityId, fieldKey, value },
+    user,
+  );
+}
+
+async function clearField(user: SessionUser, entityId: string, fieldKey: string) {
+  return stack.http.writeOk(
+    "custom-fields:write:clear-custom-field",
+    { entityName: "property", entityId, fieldKey },
+    user,
+  );
+}
+
+async function createProperty(user: SessionUser, id: string, name: string) {
+  return stack.http.writeOk("property-xt-set:write:property:create", { id, name }, user);
+}
+
+async function priorityOf(user: SessionUser, id: string): Promise<unknown> {
+  const { rows } = (await stack.http.queryOk("property-xt-set:query:property:list", {}, user)) as {
+    rows: Array<Record<string, unknown>>;
+  };
+  return rows.find((r) => r["id"] === id)?.["priority"];
+}
+
+describe("custom-fields cross-tenant isolation — set/clear write", () => {
+  beforeEach(async () => {
+    await asRawClient(stack.db).unsafe(`DELETE FROM kumiko_events`);
+    await asRawClient(stack.db).unsafe(`DELETE FROM read_xt_set_properties`);
+    await asRawClient(stack.db).unsafe(`DELETE FROM read_custom_field_definitions`);
+
+    // Both tenants independently define their own "priority" field and own a row.
+    await defineField(adminA, "priority");
+    await defineField(adminB, "priority");
+    await createProperty(adminA, PROP_A, "A-Prop");
+    await createProperty(adminB, PROP_B, "B-Prop");
+    await setField(adminA, PROP_A, "priority", "A-value");
+    await setField(adminB, PROP_B, "priority", "B-value");
+    await stack.eventDispatcher?.runOnce();
+    expect(await priorityOf(adminB, PROP_B)).toBe("B-value");
+  });
+
+  test("tenant A cannot overwrite tenant B's row via a known entityId (set)", async () => {
+    // The set-handler runs as A (its own field-definition + RBAC pass) and emits
+    // on A's stream; the projection's tenant filter must keep it off B's row.
+    await setField(adminA, PROP_B, "priority", "HACKED");
+    await stack.eventDispatcher?.runOnce();
+
+    expect(await priorityOf(adminB, PROP_B)).toBe("B-value");
+  });
+
+  test("tenant A cannot clear tenant B's row via a known entityId (clear)", async () => {
+    await clearField(adminA, PROP_B, "priority");
+    await stack.eventDispatcher?.runOnce();
+
+    expect(await priorityOf(adminB, PROP_B)).toBe("B-value");
+  });
+
+  test("a tenant's own set still applies (filter does not block the legitimate path)", async () => {
+    await setField(adminA, PROP_A, "priority", "A-updated");
+    await stack.eventDispatcher?.runOnce();
+
+    expect(await priorityOf(adminA, PROP_A)).toBe("A-updated");
+    expect(await priorityOf(adminB, PROP_B)).toBe("B-value");
+  });
+});