@opensaas/stack-core 0.24.0 → 0.25.0

package/src/context/write-pipeline.ts

@@ -16,8 +16,15 @@ import {
   ValidationError,
 } from '../hooks/index.js'
 import { hookPipeline } from './hook-pipeline.js'
-import { processNestedOperations } from './nested-operations.js'
+import { processNestedOperations, runAfterTasks } from './nested-operations.js'
+import type { AfterTask } from './nested-operations.js'
+import { enumerateInvolvedLists, runWithTransactionBoundary } from './transaction-boundary.js'
 import { getDbKey } from '../lib/case-utils.js'
+// NOTE: `index.ts` imports from this module too — this is an intentional cyclic
+// dependency. It is safe because `buildDbDelegate` is only INVOKED at write
+// time (never during module evaluation), so by the time it runs the export is
+// fully initialised.
+import { buildDbDelegate } from './index.js'
 
 /**
  * Write Pipeline — the single module that runs the canonical, secured write
@@ -57,10 +64,14 @@ export interface PrismaModel {
   findUnique: (args: { where: Record<string, unknown> }) => Promise<Record<string, unknown> | null>
   findFirst: (args: { where: Record<string, unknown> }) => Promise<Record<string, unknown> | null>
   count: () => Promise<number>
-  create: (args: { data: Record<string, unknown> }) => Promise<Record<string, unknown>>
+  create: (args: {
+    data: Record<string, unknown>
+    include?: Record<string, unknown>
+  }) => Promise<Record<string, unknown>>
   update: (args: {
     where: Record<string, unknown>
     data: Record<string, unknown>
+    include?: Record<string, unknown>
   }) => Promise<Record<string, unknown>>
   delete: (args: { where: Record<string, unknown> }) => Promise<Record<string, unknown>>
 }
@@ -95,8 +106,14 @@ export interface WriteStrategy {
   /**
    * Axis 3: execute the database write and return the persisted/deleted row.
    * `data` is the fully-resolved write payload (empty object for delete).
+   * `include` (create/update) asks the DB to return nested relations so nested
+   * `afterOperation` can recover its persisted `item`; delete ignores it.
    */
-  persist(model: PrismaModel, data: Record<string, unknown>): Promise<Record<string, unknown>>
+  persist(
+    model: PrismaModel,
+    data: Record<string, unknown>,
+    include?: Record<string, unknown>,
+  ): Promise<Record<string, unknown>>
 }
 
 /**
@@ -112,6 +129,43 @@ function getModel<TPrisma extends PrismaClientLike>(
   return (prisma as any)[getDbKey(listName)] as PrismaModel
 }
 
+/**
+ * Minimal shape of a Prisma interactive-transaction-capable client.
+ *
+ * The transaction client `tx` is dynamically typed exactly like the model
+ * surface above (model names are generated at runtime), so the cast is kept
+ * localized and commented per the house rules.
+ */
+interface TransactionCapable {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- $transaction callback receives a dynamically-typed tx client
+  $transaction?: (fn: (tx: any) => Promise<unknown>) => Promise<unknown>
+}
+
+/**
+ * Run `fn` inside ONE interactive transaction (ADR-0010: every write is
+ * transactional, so the hook contract does not depend on whether a write
+ * happened to be nested). The transaction client `tx` is passed to `fn` and
+ * used as the persistence target for the parent + all nested writes, so they
+ * are atomic and a throwing hook rolls the whole write back.
+ *
+ * If the client does not expose `$transaction` (e.g. a test mock), `fn` runs
+ * directly against the client — the hook ordering and arguments are identical;
+ * only the rollback guarantee is provided by the real transaction.
+ */
+async function runInTransaction<TPrisma extends PrismaClientLike>(
+  prisma: TPrisma,
+  fn: (tx: TPrisma) => Promise<Record<string, unknown> | null>,
+): Promise<Record<string, unknown> | null> {
+  const client = prisma as unknown as TransactionCapable
+  if (typeof client.$transaction === 'function') {
+    return (await client.$transaction(async (tx) => fn(tx as TPrisma))) as Record<
+      string,
+      unknown
+    > | null
+  }
+  return fn(prisma)
+}
+
 /**
  * Check if a list is configured as a singleton.
  */
@@ -134,6 +188,16 @@ export interface WritePipelineArgs<TPrisma extends PrismaClientLike> {
   inputData: Record<string, unknown> | undefined
   /** The per-operation strategy supplying the three variation axes. */
   strategy: WriteStrategy
+  /**
+   * The target resolution computed ONCE before the transaction opened (#590).
+   *
+   * The transaction-boundary bracket resolves the top-level target + access
+   * before opening the transaction (both to gate silent-failures without firing
+   * boundary hooks, and to supply `originalItem` to `beforeTransaction`). To
+   * avoid a second resolution inside the transaction, the in-transaction body
+   * reuses this result instead of calling `strategy.resolveTarget` again.
+   */
+  preResolvedTarget?: TargetResolution
 }
 
 /**
@@ -165,14 +229,120 @@ export interface WritePipelineArgs<TPrisma extends PrismaClientLike> {
 export async function runWritePipeline<TPrisma extends PrismaClientLike>(
   args: WritePipelineArgs<TPrisma>,
 ): Promise<Record<string, unknown> | null> {
-  const { listName, listConfig, prisma, context, config, inputData, strategy } = args
+  const { prisma, listName, listConfig, context, config, inputData, strategy } = args
+
+  // ── Pre-transaction access gate (#590) ──────────────────────────────────────
+  // Resolve the TOP-LEVEL target + operation-level access OUTSIDE the
+  // transaction first, using the NON-transactional client. A
+  // denied/missing/filter-non-match target short-circuits to `null` (silent
+  // failure) WITHOUT firing any transaction-boundary hooks — a denied write
+  // opens no transaction and takes no external action, so it must not run
+  // beforeTransaction/afterTransaction. This resolution also yields the
+  // top-level `originalItem` the boundary hooks receive for update/delete.
+  // The result is passed into the transaction as `preResolvedTarget` and REUSED
+  // there (the in-transaction resolveTarget does NOT re-run), so the target is
+  // read exactly once — #569's resolveTarget call-count semantics are preserved.
+  const gate = await strategy.resolveTarget(getModel(prisma, listName))
+  if (gate.status === 'denied') {
+    return null
+  }
+
+  // ── Enumerate involved lists from the input tree (no DB reads) ──────────────
+  const involvedLists = enumerateInvolvedLists({
+    listName,
+    listConfig,
+    operation: strategy.operation,
+    inputData,
+    topLevelOriginalItem: gate.originalItem,
+    config,
+  })
+
+  // ── Bracket the transaction with beforeTransaction/afterTransaction (#590) ──
+  // beforeTransaction runs before the transaction opens; afterTransaction runs
+  // after it settles (commit or rollback), per the symmetric-bracket rule.
+  return runWithTransactionBoundary({
+    involvedLists,
+    context,
+    runTransaction: () =>
+      // ADR-0010: every write runs inside ONE interactive transaction. The
+      // parent and ALL nested writes share this transaction's client `tx` as
+      // their persistence target, so they are atomic and a throwing
+      // `beforeOperation`/`afterOperation` (or validation) rolls the whole write
+      // back. `runWriteInTransaction` resolves the target row, runs the full
+      // hook pipeline, persists, and runs nested + own `afterOperation` — all
+      // against `tx`.
+      runInTransaction(prisma, (tx) =>
+        runWriteInTransaction({
+          ...args,
+          prisma: tx,
+          // Reuse the pre-transaction target resolution (computed above) so the
+          // target is read exactly once (#569 call-count semantics preserved).
+          preResolvedTarget: gate,
+          // ADR-0010 atomicity: hooks that write via `context.db` must hit the
+          // SAME transaction, or those writes would commit independently and
+          // survive a rollback. Rebind the context's `db` (and `prisma`) to the
+          // transaction client `tx` so before/afterOperation `context.db` writes
+          // participate in — and roll back with — this write's transaction.
+          context: bindContextToTransaction(args, tx),
+        }),
+      ),
+  })
+}
+
+/**
+ * Build an {@link AccessContext} whose `db`/`prisma` target the transaction
+ * client `tx`, so any `context.db` write a hook performs runs inside this
+ * write's transaction and rolls back with it (ADR-0010).
+ *
+ * The access-controlled `db` delegates capture their Prisma client at
+ * construction, so the request-time `context.db` is bound to the ORIGINAL
+ * client. We rebuild the delegates against `tx` via {@link buildDbDelegate},
+ * reusing the request context's `session`, `storage`, `plugins`, `_isSudo`, and
+ * the shared `_resolveOutputCounter` reference (so resolveOutput depth tracking
+ * is preserved). Plugin runtimes are NOT re-executed; the existing
+ * `plugins` object is reused as-is.
+ */
+function bindContextToTransaction<TPrisma extends PrismaClientLike>(
+  args: WritePipelineArgs<TPrisma>,
+  tx: TPrisma,
+): AccessContext<TPrisma> {
+  const { context, config } = args
+  const txContext: AccessContext<TPrisma> = {
+    session: context.session,
+    prisma: tx,
+    db: context.db,
+    storage: context.storage,
+    plugins: context.plugins,
+    _isSudo: context._isSudo,
+    _resolveOutputCounter: context._resolveOutputCounter,
+  }
+  // Rebuild the db delegate against `tx`, pointing back at `txContext` so hooks
+  // reached through it also see the transactional context.
+  txContext.db = buildDbDelegate(config, tx, txContext)
+  return txContext
+}
+
+/**
+ * The body of one secured write, executed against the transaction client `tx`
+ * (passed in as `args.prisma`). Returns `null` for the silent-failure cases and
+ * the Field-Visibility-filtered row otherwise. Any throw here propagates out of
+ * `runInTransaction` and rolls the transaction back.
+ */
+async function runWriteInTransaction<TPrisma extends PrismaClientLike>(
+  args: WritePipelineArgs<TPrisma>,
+): Promise<Record<string, unknown> | null> {
+  const { listName, listConfig, prisma: tx, context, config, inputData, strategy } = args
   const { operation } = strategy
-  const model = getModel(prisma, listName)
+  const model = getModel(tx, listName)
 
   // ── Phase 1: resolve target + operation-level access ──────────────────────
   // Short-circuits to `null` (silent failure) for missing target, denied
   // access, or filter non-match — before any hook side effects or the DB call.
-  const resolution = await strategy.resolveTarget(model)
+  // The transaction-boundary bracket (#590) already resolved this once before
+  // opening the transaction; reuse that result rather than reading the target
+  // twice. (When invoked without the bracket — e.g. a direct unit test — fall
+  // back to resolving here against the tx model.)
+  const resolution = args.preResolvedTarget ?? (await strategy.resolveTarget(model))
   if (resolution.status === 'denied') {
     return null
   }
@@ -214,12 +384,24 @@ export async function runWritePipeline<TPrisma extends PrismaClientLike>(
   })
 
   // ── Phase 5.5: process nested relationship operations ───────────────────────
-  const data = await processNestedOperations(
+  // This runs each nested record's resolveInput/validate/field-rules AND its
+  // `beforeOperation` (inside this transaction), returning the transformed
+  // payload plus deferred `afterOperation` tasks and the relation fields to
+  // `include` so those tasks can recover their persisted `item`. All nested DB
+  // reads/persistence go through `tx`.
+  const { data, afterTasks, includeFields } = await processNestedOperations(
     filteredData,
     listConfig.fields,
     config,
-    { ...context, prisma },
+    { ...context, prisma: tx },
     writeOp,
+    listName,
+    originalItem,
+    // Pass the enclosing write's `inputData` (the SAME value the Phase-5
+    // `filterWritableFields` call above uses) so the connect-site owning-field
+    // gate evaluates item-/inputData-dependent field rules identically to Phase 5
+    // and the two cannot diverge into a spurious connect denial (#588 finding).
+    input,
   )
 
   // ── Phase 6: field-level beforeOperation (side effects only) ────────────────
@@ -255,7 +437,10 @@ export async function runWritePipeline<TPrisma extends PrismaClientLike>(
   )
 
   // ── Phase 8: DB write ───────────────────────────────────────────────────────
-  const item = await strategy.persist(model, data)
+  // Ask the DB to return the nested relations that have deferred
+  // `afterOperation` tasks so they can recover their persisted `item`.
+  const include = buildIncludeFromFields(includeFields)
+  const item = await strategy.persist(model, data, include)
 
   // ── Phase 9: list-level afterOperation ──────────────────────────────────────
   await executeAfterOperation(
@@ -293,6 +478,12 @@ export async function runWritePipeline<TPrisma extends PrismaClientLike>(
     originalItem, // undefined for create, original row for update
   )
 
+  // ── Phase 10.5: nested afterOperation (deferred, in this transaction) ────────
+  // Each nested create/update/delete's `afterOperation` fires now, with the
+  // persisted nested row recovered from the parent's included relations. A throw
+  // here rolls the whole transaction back (parent write included).
+  await runNestedAfterTasks(afterTasks, item)
+
   // ── Phase 11: Field Visibility (filter readable fields + resolveOutput) ─────
   return filterReadableFields(
     item,
@@ -307,6 +498,36 @@ export async function runWritePipeline<TPrisma extends PrismaClientLike>(
   )
 }
 
+/**
+ * Build a Prisma `include` from the set of relation field names that have
+ * deferred nested `afterOperation` tasks, so the parent write returns those
+ * relations and the tasks can recover their persisted `item`.
+ */
+function buildIncludeFromFields(includeFields: Set<string>): Record<string, unknown> | undefined {
+  if (includeFields.size === 0) return undefined
+  const include: Record<string, unknown> = {}
+  for (const field of includeFields) {
+    include[field] = true
+  }
+  return include
+}
+
+/**
+ * Run the deferred nested `afterOperation` tasks against the persisted parent
+ * row. The persisted parent is always a record here; the `?? {}` is only a
+ * type-narrowing guard. Each task recovers its OWN nested row from `item` by
+ * id-diff (create) or known id (update); if a created row cannot be recovered
+ * the task THROWS rather than firing `afterOperation` with a fabricated item
+ * (see `recoverCreatedRows`/the create task in `nested-operations.ts`).
+ */
+async function runNestedAfterTasks(
+  afterTasks: AfterTask[],
+  item: Record<string, unknown>,
+): Promise<void> {
+  if (afterTasks.length === 0) return
+  await runAfterTasks(afterTasks, item ?? {})
+}
+
 /**
  * The delete tail of the pipeline: skips the input-shaping phases and runs only
  * validate/field-validate before the DB delete, then the after-hooks. Returns
@@ -434,10 +655,10 @@ export function createWriteStrategy(
 
       return { status: 'ok', originalItem: undefined }
     },
-    async persist(model, data) {
+    async persist(model, data, include) {
       // Singleton lists use Int @id with value always 1 (matching Keystone 6).
       const createData = singleton ? { id: 1, ...data } : data
-      return model.create({ data: createData })
+      return model.create(include ? { data: createData, include } : { data: createData })
     },
   }
 }
@@ -504,8 +725,8 @@ export function updateWriteStrategy(
     operation: 'update',
     runInputPhases: true,
     resolveTarget: resolveExistingTarget(listConfig, context, where, 'update'),
-    async persist(model, data) {
-      return model.update({ where, data })
+    async persist(model, data, include) {
+      return model.update(include ? { where, data, include } : { where, data })
     },
   }
 }

package/src/fields/calendar-day.test.ts

@@ -0,0 +1,140 @@
+import { describe, it, expect, expectTypeOf } from 'vitest'
+import { calendarDay } from './index.js'
+import { generateZodSchema, validateWithZod } from '../validation/schema.js'
+import type { FieldConfig } from '../config/types.js'
+
+/**
+ * calendarDay is a YYYY-MM-DD string end-to-end (Keystone's CalendarDay
+ * scalar). Type, validation, and runtime read value must all agree on `string`.
+ * See issue #571.
+ */
+describe('calendarDay field (YYYY-MM-DD string end-to-end)', () => {
+  describe('getTypeScriptType', () => {
+    it('returns string (not Date), driving the entity + input types', () => {
+      const field = calendarDay()
+      expect(field.getTypeScriptType?.()).toEqual({ type: 'string', optional: true })
+    })
+
+    it('is non-optional when required and not nullable', () => {
+      const field = calendarDay({ validation: { isRequired: true } })
+      expect(field.getTypeScriptType?.()).toEqual({ type: 'string', optional: false })
+    })
+
+    it('type-level: the declared type is the literal "string"', () => {
+      const field = calendarDay()
+      const tsType = field.getTypeScriptType?.()
+      // The entity/read type and the standalone generated CreateInput/UpdateInput
+      // types are emitted from this literal, so asserting it is exactly 'string'
+      // pins those types to `string`. (At the context.db write path a Date is
+      // rejected at runtime by validation, not at compile time — tracked in #599.)
+      expectTypeOf(tsType).toEqualTypeOf<{ type: string; optional: boolean } | undefined>()
+      if (tsType) {
+        expectTypeOf(tsType.type).toEqualTypeOf<string>()
+        expect(tsType.type).toBe('string')
+        // @ts-expect-error - the runtime type is 'string', never 'Date'
+        const _notDate: 'Date' = tsType.type
+        void _notDate
+      }
+    })
+  })
+
+  describe('getPrismaType (unchanged — stays DateTime @db.Date)', () => {
+    it('keeps DateTime storage with @db.Date on non-sqlite providers', () => {
+      const field = calendarDay({ validation: { isRequired: true } })
+      const prisma = field.getPrismaType?.('startsOn', 'postgresql')
+      expect(prisma?.type).toBe('DateTime')
+      expect(prisma?.modifiers).toContain('@db.Date')
+    })
+
+    it('omits @db.Date on sqlite (TEXT fallback)', () => {
+      const field = calendarDay({ validation: { isRequired: true } })
+      const prisma = field.getPrismaType?.('startsOn', 'sqlite')
+      expect(prisma?.type).toBe('DateTime')
+      expect(prisma?.modifiers ?? '').not.toContain('@db.Date')
+    })
+  })
+
+  describe('write validation (string-only)', () => {
+    const fields: Record<string, FieldConfig> = {
+      startsOn: calendarDay({ validation: { isRequired: true } }),
+    }
+
+    it('accepts a valid YYYY-MM-DD string on create', () => {
+      const result = validateWithZod({ startsOn: '2025-01-15' }, fields, 'create')
+      expect(result.success).toBe(true)
+    })
+
+    it('rejects a malformed string with a clear message', () => {
+      const result = validateWithZod({ startsOn: '15/01/2025' }, fields, 'create')
+      expect(result.success).toBe(false)
+      if (!result.success) {
+        expect(result.errors).toHaveProperty('startsOn')
+        expect(result.errors.startsOn).toMatch(/YYYY-MM-DD/)
+      }
+    })
+
+    it('rejects a Date instance at runtime (not a string)', () => {
+      // A typed caller cannot reach here (input type is `string`), but the
+      // validator is string-only as a runtime backstop.
+      const result = validateWithZod(
+        { startsOn: new Date('2025-01-15') } as unknown as Record<string, unknown>,
+        fields,
+        'create',
+      )
+      expect(result.success).toBe(false)
+    })
+
+    it('zod schema for the field validates the YYYY-MM-DD shape', () => {
+      const schema = generateZodSchema(fields, 'create')
+      expect(schema.safeParse({ startsOn: '2025-12-31' }).success).toBe(true)
+      expect(schema.safeParse({ startsOn: 'nope' }).success).toBe(false)
+    })
+  })
+
+  describe('read transform (resolveOutput returns a YYYY-MM-DD string)', () => {
+    // The read pipeline calls fieldConfig.hooks.resolveOutput({ value, ... }).
+    // We exercise that hook directly with the value shapes Prisma can return.
+    function readValue(value: unknown): unknown {
+      const field = calendarDay()
+      const hook = field.hooks?.resolveOutput
+      if (!hook) throw new Error('calendarDay must define a resolveOutput hook')
+      // Cast to the runtime call shape used by field-visibility.ts.
+      return (hook as unknown as (args: { value: unknown }) => unknown)({ value })
+    }
+
+    it('formats a Date (Postgres/MySQL @db.Date) to YYYY-MM-DD', () => {
+      expect(readValue(new Date('2025-01-15T00:00:00.000Z'))).toBe('2025-01-15')
+    })
+
+    it('is timezone-safe — a late-UTC Date does not drift a day', () => {
+      // 23:59:59Z is the same UTC calendar day; UTC-based formatting keeps it.
+      expect(readValue(new Date('2025-01-15T23:59:59.999Z'))).toBe('2025-01-15')
+    })
+
+    it('passes through an already-formatted string (SQLite TEXT)', () => {
+      expect(readValue('2025-01-15')).toBe('2025-01-15')
+    })
+
+    it('takes the date-only prefix of a full ISO string (SQLite TEXT)', () => {
+      expect(readValue('2025-01-15T00:00:00.000Z')).toBe('2025-01-15')
+    })
+
+    it('passes null/undefined through unchanged', () => {
+      expect(readValue(null)).toBeNull()
+      expect(readValue(undefined)).toBeUndefined()
+    })
+  })
+
+  describe('user-provided hooks are preserved', () => {
+    it('merges a user resolveOutput over the default (last wins)', () => {
+      const field = calendarDay({
+        hooks: {
+          // eslint-disable-next-line @typescript-eslint/no-explicit-any -- test hook
+          resolveOutput: ({ value }: { value: any }) => `custom:${value}`,
+        },
+      })
+      const hook = field.hooks?.resolveOutput as unknown as (args: { value: unknown }) => unknown
+      expect(hook({ value: '2025-01-15' })).toBe('custom:2025-01-15')
+    })
+  })
+})

package/src/fields/index.ts

@@ -84,7 +84,7 @@ export function text<
           : withMin
 
       if (isRequired && operation === 'update') {
-        return z.union([withMax, z.undefined()])
+        return withMax.optional()
       }
 
       return !isRequired ? withMax.optional().nullable() : withMax
@@ -514,11 +514,23 @@ export function timestamp<
 /**
  * Calendar Day field - date only (no time) in ISO8601 format
  *
+ * Mirrors Keystone's `CalendarDay` scalar: the wire format through
+ * `context.db.*` is a `YYYY-MM-DD` **string** in both directions (read and
+ * write). The field's TypeScript type — entity, `CreateInput`, and
+ * `UpdateInput` — is `string`, so passing a `Date` is a compile-time error.
+ *
  * **Features:**
  * - Stores date values only (no time component)
  * - PostgreSQL/MySQL: Uses native DATE type via @db.Date
  * - SQLite: Uses String representation
- * - Accepts ISO8601 date strings (YYYY-MM-DD format)
+ * - **Writes:** accept only a `YYYY-MM-DD` string; a malformed string or a
+ *   `Date` is rejected at runtime by validation (a `ValidationError`). Genuine
+ *   compile-time rejection at the `context.db` call site is tracked in #599.
+ * - **Reads:** always return a `YYYY-MM-DD` string. Even though the underlying
+ *   `@db.Date` column hands Prisma a `Date`, a `resolveOutput` transform
+ *   normalises it back to a `YYYY-MM-DD` string so the runtime value matches
+ *   the declared `string` type. UTC components are used to avoid timezone
+ *   off-by-one errors.
  * - Optional validation for required fields
  * - Database column mapping and nullability control
  * - Index support (boolean or 'unique')
@@ -539,13 +551,17 @@ export function timestamp<
  *   })
  * }
  *
- * // Creating with date values
+ * // Creating with date values — pass YYYY-MM-DD strings (NOT Date objects)
  * const event = await context.db.event.create({
  *   data: {
  *     startDate: '2025-01-15',
  *     endDate: '2025-01-20'
  *   }
  * })
+ *
+ * // Reading — values come back as YYYY-MM-DD strings
+ * const e = await context.db.event.findUnique({ where: { id } })
+ * e?.startDate // => '2025-01-15' (a string, not a Date)
  * ```
  *
  * @param options - Field configuration options
@@ -557,6 +573,19 @@ export function calendarDay<
   return {
     type: 'calendarDay',
     ...options,
+    // Reads: the underlying @db.Date column hands Prisma a Date (or a TEXT
+    // string under the SQLite fallback). Normalise to a YYYY-MM-DD string so the
+    // runtime value matches the declared `string` type. UTC components are used
+    // so the formatting never drifts a day in non-UTC timezones.
+    // Cast hooks to any since field builders are generic and can't know the
+    // specific TFieldKey (same pattern as password()).
+    hooks: {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Field builder hooks must be generic
+      resolveOutput: ({ value }: { value: any }) => formatCalendarDay(value),
+      // Merge with user-provided hooks if any
+      ...options?.hooks,
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Hook object needs type assertion for field builder
+    } as any,
     getZodSchema: (fieldName: string, operation: 'create' | 'update') => {
       const validation = options?.validation
       const isRequired = validation?.isRequired
@@ -574,8 +603,8 @@ export function calendarDay<
       if (isRequired && operation === 'create') {
         return dateSchema
       } else if (isRequired && operation === 'update') {
-        // Required in update mode: can be undefined for partial updates
-        return z.union([dateSchema, z.undefined()])
+        // Required in update mode: omitted keys pass; present values must be valid
+        return dateSchema.optional()
       } else {
         return dateSchema.optional().nullable()
       }
@@ -628,14 +657,49 @@ export function calendarDay<
       const isRequired = validation?.isRequired
       const isNullable = db?.isNullable ?? !isRequired
 
+      // calendarDay is a YYYY-MM-DD string end-to-end (Keystone's CalendarDay
+      // scalar). Returning 'string' here makes the entity/read type and the
+      // standalone generated CreateInput/UpdateInput types `string`. At the
+      // context.db write path a Date is still rejected at runtime by validation
+      // (the generated db method `data` type derives from Prisma's `Date | string`
+      // input — making it a compile-time error is tracked in #599).
       return {
-        type: 'Date',
+        type: 'string',
         optional: isNullable,
       }
     },
   }
 }
 
+/**
+ * Format a stored calendar-day value to a `YYYY-MM-DD` string.
+ *
+ * Handles the value being a `Date` (Postgres/MySQL `@db.Date`), an already
+ * formatted string (SQLite TEXT fallback), or null/undefined. Dates are
+ * formatted from their UTC components so the result never drifts a day in
+ * non-UTC timezones.
+ */
+function formatCalendarDay(value: unknown): string | null | undefined {
+  if (value === null || value === undefined) {
+    return value as null | undefined
+  }
+
+  if (value instanceof Date) {
+    // toISOString() is UTC; the YYYY-MM-DD prefix is timezone-safe.
+    return value.toISOString().slice(0, 10)
+  }
+
+  if (typeof value === 'string') {
+    // SQLite stores DateTime as TEXT. The value may already be YYYY-MM-DD or a
+    // full ISO timestamp — take the date-only prefix either way.
+    return value.slice(0, 10)
+  }
+
+  // Any other shape is unexpected for a @db.Date column; surface it untouched
+  // by returning undefined so callers see the field as absent rather than wrong.
+  return undefined
+}
+
 /**
  * Password field (automatically hashed using bcrypt)
  *
@@ -752,13 +816,13 @@ export function password<TTypeInfo extends import('../config/types.js').TypeInfo
             message: `${formatFieldName(fieldName)} is required`,
           })
       } else if (isRequired && operation === 'update') {
-        // Required in update mode: if provided, reject empty strings
-        return z.union([
-          z.string().min(1, {
+        // Required in update mode: omitted keys pass; if provided, reject empty strings
+        return z
+          .string()
+          .min(1, {
             message: `${formatFieldName(fieldName)} is required`,
-          }),
-          z.undefined(),
-        ])
+          })
+          .optional()
       } else {
         // Not required: can be undefined or any string
         return z
@@ -1312,11 +1376,27 @@ export function json<
       const baseSchema = z.unknown()
 
       if (isRequired && operation === 'create') {
-        // Required in create mode: value must be provided
-        return baseSchema
+        // Required in create mode: a value must be provided and it must be
+        // non-null (issue #604 — a required json field means non-null). A bare
+        // z.unknown() is treated as optional inside z.object(), so an omitted
+        // key would silently pass; the refinement makes the key genuinely
+        // required by rejecting undefined (which also covers an absent key) and
+        // rejecting a present null, while still accepting any other present
+        // JSON value (object, array, primitive, including falsy 0/""/false).
+        return baseSchema.refine((value) => value !== undefined && value !== null, {
+          message: `${formatFieldName(fieldName)} is required`,
+        })
       } else if (isRequired && operation === 'update') {
-        // Required in update mode: can be undefined for partial updates
-        return z.union([baseSchema, z.undefined()])
+        // Required in update mode: omitted keys still pass (issue #570 — partial
+        // updates may leave the field untouched), but a present null is rejected
+        // (issue #604 — required json means non-null). The `.refine()` runs
+        // before `.optional()` short-circuits on undefined: absent/undefined
+        // passes, a present null is rejected, and other present values pass.
+        return baseSchema
+          .refine((value) => value !== null, {
+            message: `${formatFieldName(fieldName)} is required`,
+          })
+          .optional()
       } else {
         // Not required: can be undefined or null
         return baseSchema.optional().nullable()