feat(api): field-level set_fields 422 body (#28); enum-type SearchHitView.visibility (#38)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

crates/api/tests/admin_objects.rs

@@ -434,6 +434,52 @@ async fn set_fields_and_list_field_definitions(pool: PgPool) {
     assert_eq!(bad.status(), StatusCode::UNPROCESSABLE_ENTITY);
 }
 
+#[sqlx::test(migrations = "../db/migrations")]
+async fn set_fields_unknown_field_returns_field_detail(pool: PgPool) {
+    migrate_sessions(&db::Db::from_pool(pool.clone()))
+        .await
+        .unwrap();
+
+    seed_user(&pool, "ed@example.com", "pw-editor-123", Role::Editor).await;
+
+    let db = db::Db::from_pool(pool.clone());
+    let mut tx = db.pool().begin().await.unwrap();
+
+    let id = catalog::create_object(
+        &mut tx,
+        AuditActor::System,
+        &obj("A-1", "amphora", Visibility::Draft),
+    )
+    .await
+    .unwrap();
+
+    tx.commit().await.unwrap();
+
+    let app = build_app(state(pool));
+    let cookie = login(&app, "ed@example.com", "pw-editor-123").await;
+
+    let resp = app
+        .oneshot(
+            Request::builder()
+                .method("PUT")
+                .uri(format!("/api/admin/objects/{id}/fields"))
+                .header(header::COOKIE, &cookie)
+                .header(header::CONTENT_TYPE, "application/json")
+                .body(Body::from(r#"{"definitely_not_a_field":"x"}"#))
+                .unwrap(),
+        )
+        .await
+        .unwrap();
+
+    assert_eq!(resp.status(), StatusCode::UNPROCESSABLE_ENTITY);
+
+    let body: serde_json::Value =
+        serde_json::from_slice(&resp.into_body().collect().await.unwrap().to_bytes()).unwrap();
+
+    assert_eq!(body["field"], "definitely_not_a_field");
+    assert_eq!(body["code"], "unknown");
+}
+
 #[sqlx::test(migrations = "../db/migrations")]
 async fn create_requires_auth(pool: PgPool) {
     migrate_sessions(&db::Db::from_pool(pool.clone()))